UK spying law would undermine tech industry, MPs warn
INVESTIGATORY POWERS BILL 01 FEBRUARY 16
The UK’s planned surveillance law is “unambiguous”, “confusing” and will cause disadvantages for technology companies in the country, according to a group of MPs looking at its implications.
Members of the science and technology committee raised a number of issues with the Investigatory Powers Bill (IP Bill), which has been proposed by the Home Office, after it reviewed how the bill would work technically.
MP Nicola Blackwood, the chair of the committee, said it had concerns with the cost of the law, encryption, hacking and the impact on businesses.
“There are good grounds to believe, that without further refinement, there could be many unintended consequences for commerce arising from the current lack of clarity of the terms and scope of the legislation,” Blackwood said.
The IP bill, initially announced by Home Secretary Theresa May on 4 November, aims to reform surveillance powers that can be used by police, security services and also local councils. Included in the law — under varying circumstances governing their use — are powers for bulk hacking of devices and the collection of internet records.
The government committee, which only looked at the technological implications of the plans (another committee is looking at the ethical elements), took evidence from companies, researchers and individuals. It concluded that large changes to the law should be made to ensure it is “future proof”.
Anthony Walker, from techUK, an umbrella group that represents 900 technology firms, told WIRED the bill was “very open to interpretation” and that the committee’s recommendations should be followed by the Home Office to provide greater clarity to the companies it affects.
The opinion was echoed by the Internet Services Providers’ Association (ISPA), the trade body for ISPs, which said it “strongly recommended” the suggestions put forward by the committee.
But some were more critical of the bill. Cambridge University academic and researcher Ross Anderson said the committee’s report was “disappointing,” in parts, as it focussed on reassuring customers rather than the industry. Security company Sophos said the recommendations should be welcomed as it previously had “significant” concerns about areas of all the Bill.
INTERNET CONNECTION RECORDS
Under the law, communications providers, such as Facebook, Twitter or BT broadband, would have to collect the metadata — the who, how, what and when — of usage of their networks. The Home Office told the committee that 200-300 communications providers currently exist and would have to collect the “internet connection records (ICRs)”.
However, “significant confusion” has been created by the Home Office over what the term specifically means, how often the records would have to be collected, and which companies would have to collect them. Cisco previously told the MPs that the bill’s lack of clarity would result in all data being collected all the time.
The “volume of data involved in the retention of ICRs, security and cost implications” all needed to be made clear to companies, the committee said. Walker, from techUK, said more work on “tightening definitions is important, but the key issue for us [remains] around encryption and equipment interference”. Sophos’ John Shaw told WIRED that the data collected should be well protected as it would be “valuable to hackers”.
End-to-end encryption, where data (such as messages and financial transactions) is only readable by recipients, has been a sticking point of the bill. The draft law says companies will be required to decrypt all messages when they are asked to, which isn’t technically possible if end-to-end encryption is used. Apple’s iMessages and WhatsApp for Android are just two examples of services that use the technique.
The technology committee said the Home Office should “clarify and state clearly” that it “will not be seeking unencrypted content” when the communications use end-to-end encryption.
ISPA’s Andrew Kernahan said the recommendation was “sensible and common sense” but “a lot more consultation is going to be required to fully address these proposals”.
There are “well founded” concerns from the communications industry that hacking (known as equipment interference and permitted in individual and bulk instances by the bill) could “jeopardise” businesses, according to the committee. It recommended these should be addressed. The committee said that public perception should be addressed if there is concern about devices being hacked.
The bill prohibits communications companies from telling those who have been hacked that they have been. Anderson said this has been made into an issue about consumer awareness rather than industry awareness.
Instead, Anderson claimed, the committee had “misrepresented this as being an issue of reassuring the public”. “The public neither know or care about this stuff, it’s the opinions of businesses here and overseas that matter,” he added.
IMPACT ON BUSINESSES
One big area of criticism from the committee was the cost for communications companies installing hardware to record users’ data and gather ICRs. In total £174.2 million will be made available to help communications firms set up and store the data, but ISPs have said this will not be enough and they will not be able to implement the systems until 2018.
The committee’s report said the Home Office “should reconsider its reluctance” to pay for the entire cost of collecting the data. Communications companies believe the costs should be covered entirely by the government. It also recommended the government review the membership of a technical board that monitors the provisions of the bill, adding that it should be regularly updated so the law keeps up with modern technology.
WHAT’S NEXT FOR THE IP BILL?
Next for the IP Bill will be the report of the Joint Select Committee of MPs and Lords, which is looking at the non-technical issues of the law. These will include whether the law and data collection may be compatible with other European laws, ethical considerations and an overall view of the bill’s impact. The joint committee is due to report on 11 February.
From that point the government will respond to both of the reports from the committee and present its findings as early as March.
A repurposed bill, which may take on the recommendations, will then be presented to parliament before it is debated and potentially amended further. It is expected to be passed into law by the end of 2016.
The Open Rights Group said the bill was now in the government’s court. “There are serious concerns about whether the issues raised by the committee can be resolved in such a short timeframe. There is too much at stake for the government to rush this law through,” the group said in a statement.