Category Archives: Draft investigatory powers bill

UK parliament warns against new Investigatory Powers Bill

The UK government must ‘urgently review’ the expensive obligations it is about to pass on to the cloud industry, according to a new report on the effects of the Investigatory Powers Bill.

The Investigatory Powers Bill Technology Issues report was compiled by a parliamentary select committee on science and technology after taking evidence from activists, academics and tech companies. The proposed legislation could prove painfully expensive for Britain’s service providers, by forcing them to incur the costs and extra work involved in storing every customer’s entire browsing history for 12 months, the report warns. It also identifies a problem over encryption, with many in the industry unclear over the legal obligations the new bill will create.

“The Government must urgently review the legislation so that the obligations on the industry are clear and proportionate,” said Nicola Blackwood MP, chair of the Science and Technology Committee.

The draft bill calls for the collection by service providers of data on each user’s internet connection records (ICRs). According to the committee, industry feedback suggests there are too many unanswered questions over the practicalities of meeting this legal requirement. The technology industry is not clear about the meaning of the definition for ICRs framed by Home Secretary Theresa May, one of the co-authors of the draft bill.

According to May, an ICR is a record of the communications service that a person has used, but not a record of every web page they have accessed. “The current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers,” said Blackwood, in a statement.

The ambiguity is a critical problem because it leaves service providers unable to predict the time and money they need to meet their obligations, which leaves them unable to forecast and plan. It also introduces a potentially dangerous vulnerability by creating an opportunity for hackers to access that information. The report questions whether it is ‘practical to assume’ that databases of customer activity can be kept ‘secure and safe’.

The draft Bill, in its current form, appears to instruct service providers that customer information must be kept in an unencrypted state ready for inspection, according to the committee. “The Government should clarify and state clearly in the Codes of Practice that it will not be seeking unencrypted content,” said the statement, “there are still many unanswered questions about how this legislation will work.”

There are good grounds to believe that without further refinement there could be ‘many unintended consequences for commerce’ arising from the current lack of clarity of the legislation, the report concluded.

Snooper’s charter a potential disaster warns lobby of US firms

The ‘snooper’s charter’ could neutralise the contribution of Britain’s digital economy, according to a representation of US tech corporations including Facebook, Google, Microsoft, Twitter and Yahoo.

In a collective submission to the Draft Investigatory Powers Bill Joint Committee they argue for surveillance that “is targeted, lawful, proportionate, necessary, jurisdictionally bounded, and transparent.”

These principles, the collective informs the parliamentary committee, reflect the perspective of global companies that offer “borderless technologies to billions of people around the globe”.

The extraterritorial jurisdiction will create ‘conflicting legal obligations’ for them, the collective said. If the UK government instructs foreign companies what to do, then foreign governments may follow suit, they warn. A better long-term resolution might be the development of an ‘international framework’ with ‘a common set of rules’ to resolve jurisdictional conflicts.

“Encryption is a fundamental security tool, important to the security of the digital economy and crucial to the safety of web users worldwide,” the submission said. “We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption or any other means.”

Another area of concern mentioned is the bill’s proposed legislation on Computer Network Exploitation which, the companies say, gives intelligence services legal powers to break into any system. This would be a very dangerous precedent to set, the submission argues, “we would urge your Government to reconsider,” it said.

Finally, Facebook and co registered concern that the new law would prevent any discussion of government surveillance, even in court. “We urge the Government to make clear that actions taken under authorization do not introduce new risks or vulnerabilities for users or businesses, and that the goal of eliminating vulnerabilities is one shared by the UK Government. Without this, it would be impossible to see how these provisions could meet the proportionality test.”

The group submission joins other individual protests registered by Apple, EE, F-Secure, the Internet Service Providers’ Association, Mozilla, The Tor Project and Vodafone.

The interests of British citizens hang in a very tricky balance, according to analyst Clive Longbottom at Quocirca. “Forcing vendors to provide back door access to their systems and platforms is bloody stupid, as the bad guys will make just as much use of them. However, the problem with terrorism is that it respects no boundaries. Neither, to a greater extent, do any of these companies. They have built themselves on a basis of avoiding jurisdictions – only through such a means can they minimise their tax payments,” said Longbottom.