The UK government’s crackdown on encryption threatens to undermine London’s fintech boom
Talk of calamity befalling corporate Britain as we negotiate our EU exit is typically overblown.
Nevertheless there is a potentially serious conflict in the making between the UK government’s stated desire to maintain access to certain online data for reasons of national security and the continental European determination to institute a modern system of information rights. This divergence, which lies at the heart of the Investigatory Powers Act, has the potential to inflict damage on London’s standing as a global financial centre post-Brexit.
In her final Home Office legislative initiative before entering Downing Street, Theresa May sought to weaken the global communication service providers’ stranglehold over “strong cryptography”. This came at precisely the time that the EU was moving towards enacting a General Data Protection Regulation (GDPR), an EU-wide protocol allowing individuals to control their data that depends implicitly on strong cryptography.
On the continent, the example of what happened in Estonia in 2007 still looms large. Following a Russian cyber-offensive that year, the Estonians created a much-admired national system of identity where individuals control their data and the state can only request access to it for transactions. Indeed, under the Estonian protocol, the state is only permitted to ask once for the recording of a particular data item and must request access to individuals’ data on a case-by-case basis.
Read more: An eye for an eye, a hack for a hack: The cyber arms race is heating up
The Estonian system was an early variant of distributed ledger technology (aka blockchain) – the fintech innovation that is designed to increase the security of financial and other security-conscious transactions. Indeed the UK Office of the Government Scientist recently praised the Estonian system for providing secure, cost-effective technological protection, and this approach is the model many EU technology specialists have in mind when they consider how to implement GDPR.
No one doubts that the field of secure technology is one of the most exciting in the fintech boom underway in London right now. Some commentators believe the financial technology revolution will have as transformative an impact on the City of London as Big Bang after 1986.
Yet London-based businesses, particularly international banks, are beginning to take the potential impact of the EU-wide GDPR extremely seriously. Established firms or startups naturally seek to serve not just the UK market but also the entire European continent, and are increasingly aware of the financial and legal costs of security violations.
Read more: Few businesses are ready for the biggest ever overhaul of data regulation
While the Data Protection Act 1998 allows the UK Information Commissioner to impose a monetary penalty on any firm breaching data rules, that fine is capped at a maximum of £500,000. The potential amount that can be fined under the GDPR, on the other hand, is now set at up to €20m or 4 per cent of total worldwide annual turnover of the preceding financial year – whichever is higher – for specified infringements.
Naturally any company handling money or requiring confidentiality online takes cryptography seriously since their entire business model and market reputation depends on it. The recent high-profile controversy between the FBI and Apple over iPhone security immediately resulted in some US technology firms relocating their data centres to Europe, most notably to Germany which has become known for its strong data protection laws and enforcement.
So to summarise the dilemma facing tech firms in dealing with these issues, one technologist recently advised Wired magazine, “the British Prime Minister wants to break crypto while my bosses tell me the gargantuan risk to our business is losing our customers’ faith through a data breach or being seen to pander to governments by handing over their personal data.”
Read more: Yahoo would be liable to pay a $198m fine were GDPR already enforced
Modern finance depends on cryptography, without which online services from credit card payments to derivatives trading would not function. The advent of GDPR is moving technologists across the EU to use blockchains much more widely, especially when it comes to establishing identity.
The claim by the UK government that cryptography can be compromised by the state without impairing commercial security and usability is simply not believed by technologists or businesses in this sector. If we continue to weaken encryption, or make it subject to greater scrutiny by law enforcement authorities, the simple and uncomfortable truth is that the UK will be risking the future of financial services businesses domiciled here.
This is the dilemma that faces the UK government as it rightly seeks to carve a dominant niche in the booming fintech industry. The public demands that government keeps a watchful eye on those seeking to use the web for altogether darker motivations. Yet citizens and businesses also expect the internet to be a secure place for day-to-day financial and social transactions.
The UK risks finding itself in the perverse situation of successfully negotiating a Brexit equivalence deal on financial services, but being unable to sell the products of our burgeoning tech industry into the EU by failing to qualify as an identity-and-data responsible country.