Science and Technology Committee of Parliament slams Snoopers’ Charter

The Science and Technology Committee of Parliament has delivered a major blow to the Draft Investigatory Powers Bill (IPB) in its scrutiny report. The IPB will put into law the powers and capabilities revealed by Edward Snowden, and includes the latest incarnation of the Snoopers’ Charter. The Committee’s overall message to the Home Office is that uncertainty over costs and obligations in the Bill will harm UK companies and make Britain a less attractive place for foreign technology businesses.

The report says: 

“The evidence we have received suggests there are still many unanswered questions about how this legislation will work in the fast moving world of technological innovation. There are good grounds to believe that without further refinement, there could be many unintended consequences for commerce arising from the current lack of clarity of the terms and scope of the legislation. It is essential that the integrity and security of legitimate online transactions is maintained if we are to trust in, and benefit from, the opportunities of an increasingly digital economy.”

The Committee only looked at the technical aspects, not considering whether measures are justified by threats or what the privacy implications may be. After taking evidence from dozens of expert witnesses – including ORG – they found the Bill lacking on several aspects.

Parliamentarians found that Internet Connection Records are not properly defined, and neither are other central concepts in the legislation such as: “relevant communications data”, “communications content”, “equipment interference”, “technical feasibility” and “reasonably practicable”.

The Committee recommends that Government should be more explicit on the exact obligations the Bill will place on technology companies in order to allay concerns about impact on businesses and competitiveness. Codes of practice need to be published with the Bill and be clear on compliance burdens, proportionality and cost recovery. These should be regularly updated.

The report says that Government must urgently work with industry to improve estimates of all associated costs, which will likely include security and other areas besides simple storage, and assure companies that they will be fully reimbursed:

“The Government should reconsider its reluctance for including in the Bill an explicit commitment that Government will pay the full costs incurred by compliance.”

Encryption

Encryption is another area singled out for criticism. The Committee asks Government to clarify the obligations to provide clear unencrypted data, when encryption would have to be removed and what happens with end-to-end encryption.

MPs and peers have picked up on a seemingly narrow but important point. The Bill says that such technical measures must be put in place if it is “technically feasible”, but other measures in the Bill are only compulsory when it is “reasonably practicable” to do so. The Committee asks for this higher bar to be applied to the other cases as well. This example shows the importance of such small print, which is peppered throughout the Bill.

Unfortunately, the Committee missed a beat on encryption. Reasonably, the report queries whether companies should be forced to remove protections applied by third parties, such as other companies or end users themselves. The main battleground, though, is whether companies should be able to apply encryption that they themselves are not able to break if done properly.

Hacking

Equipment interference – hacking in common parlance – is also deemed problematic. The report relays widespread concerns from businesses about the obligations to assist authorities in their hacking activities, particularly from open source companies.

The report believes that there is a well-founded concern that the perception that UK businesses are in cahoots with the spies will put British companies at a disadvantage. This means that more transparency over the extent of powers may be required.

The Committee pleads with the Home Office to continue to engage with “communications businesses and the wider internet community” to allay concerns and confusions. They also make an important point. It is not only internet businesses, but also their users who “require assurances that investigatory powers will be imposed proportionately, and that the judgement as to what is proportionate should at all times be open to reasonable challenge.”

Despite its narrow focus, the report shows the huge amount of work that needs to be carried out by the Home Office before the Bill is fit to be presented to Parliament.