The legislation definition is the exact problem. The Investigatory Powers Act 2016 defines ‘encryption’ functionally — any process that renders data unintelligible without a key. That definition hasn’t been updated since. So yes, the technical term has evolved, but the legal hook hasn’t moved with it.
The result is that the same mathematical operation — a hash, a signature, a key exchange — sits in different legal categories depending on framing. TLS on a commercial website is fine. The same TLS on a messaging app that declines to provide a backdoor is suddenly ‘obstruction.’
That’s not a security policy. It’s a political preference encoded as technical language. The legal definition isn’t tracking the technology; it’s tracking the threat model of whoever wrote the bill in 2016.