The UK government must ‘urgently review’ the expensive obligations it is about to pass onto the cloud industry, according to a new report on the effects of the Investigatory Powers Bill.
The Investigatory Powers Bill Technology Issues report was compiled by a parliamentary select on science and technology after taking evidence from activists, academics and tech companies. The proposed legislation could prove painfully expensive for Britain’s service providers, by forcing them to incur the costs and extra work involved in storing every customer’s entire browsing history for 12 months, the report warns. It also identifies a problem over encryption, with many in the industry unclear over the legal obligations the new bill will create.
“The Government must urgently review the legislation so that the obligations on the industry are clear and proportionate,” said Nicola Blackwood MP, chair of the Science and Technology Committee.
The draft bill calls for the collection by service providers of data on each user’s internet connection records (ICRs). According to the committee, industry feedback suggests there are too many unanswered questions over the practicalities of meeting this legal requirement. The technology industry is not clear about the meaning of the definition for ICRs framed by Home Secretary Theresa May, one of the co-authors of the draft bill.
According to May, an ICR is a record of the communications service that a person has used, but not a record of every web page they have accessed. “The current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers,” said Blackwood, in a statement.
The ambiguity is a critical problem because it leaves service provides unable to predict the time and money they need to meet their obligations, which leaves them unable to forecast and plan. It also introduces a potentially dangerous vulnerability by creating an opportunity for hackers to access that information. The report questions whether it is ‘practical to assume’ that databases of customer activity can be kept ‘secure and safe’.
The draft Bill, in its current form, appears to instruct service providers that customer information must be kept in an unencrypted state ready for inspection, according to the committee. “The Government should clarify and state clearly in the Codes of Practice that it will not be seeking unencrypted content,” said the statement, “there are still many unanswered questions about how this legislation will work.”
There are good grounds to believe that without further refinement there could be ‘many unintended consequences for commerce’ arising from the current lack of clarity of the legislation, the report concluded.