“The current lack of clarity within the draft Investigatory Powers Bill is causing concern amongst businesses” says MP
The Investigatory Powers Bill risks undermining the UK’s strongly performing tech sector because of uncertainty about the costs of complying with the new legislation, the Science and Technology Committee has warned.
UK businesses must not be placed at a relative commercial disadvantage to overseas competitors by the proposed measures, according to the MPs, and the costs of implementing the additional data storing measures in the draft Bill should be fully met by Government.
Nicola Blackwood MP, Chair of the Science & Technology Committee, said: “It is vital we get the balance right between protecting our security and the health of our economy. We need our security services to be able to do their job and prevent terrorism, but as legislators we need to be careful not to inadvertently disadvantage the UK’s rapidly growing tech sector.
“The current lack of clarity within the draft Investigatory Powers Bill is causing concern amongst businesses. There are widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft Bill. The Government must urgently review the legislation so that the obligations on the industry are clear and proportionate,” she added, continuing, “There remain questions about the feasibility of collecting and storing Internet Connection Records (ICRs), including concerns about ensuring security for the records from hackers. The Bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers. This must be put right for the Bill to achieve its stated security goals.”
A number of terms are poorly defined in the Bill, giving rise to uncertainties over the likely scope and costs associated with implementing the proposed measures. The Government claims that the only substantially new requirements provided for in the draft Bill relate to the retention of so-called ICRs.
However, the nature of ICRs and the true extent of the Bill’s ‘removal of electronic protection’ and ‘equipment interference’ powers are the subject of uncertainty and concern from business due to lack of clarity in the draft Bill. This uncertainty is unhelpful to businesses trying to compete in a global communications market, the report warns. The report also raises concern about how costs of the legislation are to be assessed, given that they could increase or decrease depending on the rapid evolution of the technologies concerned.
Law enforcement or security services should, in tightly prescribed circumstances, be able to request unencrypted data from communication service providers. However, there is confusion about how the draft Bill would affect end to end encrypted communications, where decryption might not be possible by a communications provider that had not added the original encryption. The Government should clarify and state clearly in the Codes of Practice (which will be published alongside the Bill itself) that it will not be seeking unencrypted content in such cases, in line with the way existing legislation is currently applied.
Blackwood noted: “Encryption is important in providing the secure services on the internet we all rely on, from credit card transactions and commerce to legal or medical communications. It is essential that the integrity and security of legitimate online transactions is maintained if we are to trust in, and benefit from, the opportunities of an increasingly digital economy. The Government needs to do more to allay unfounded concerns that encryption will no longer be possible.”
Some sectors of the communications industry have concerns that ‘equipment interference’ could jeopardise their business model, for example those using opensource software, like Mozilla. Clients of these companies may not be aware of when equipment interference happens because disclosure is not permitted. The new Investigatory Powers Commissioner should report to the public on the extent to which such measures are used and carefully monitor public reaction to this power.
Blackwood continued: “So called ‘equipment interference’ may occasionally be necessary for law enforcement agencies to do their job effectively, but the tech industry has legitimate concerns about the reaction of their customers to the possibility that electronic devices could be hacked by the security services. The Investigatory Powers Commissioner could have a role in informing the public about the extent, or the lack of it, of the actual use of equipment interference.”
Greater reassurance is needed—both on the face of the Bill and in forthcoming Codes of Practice—that businesses will not be subject to disproportionate additional burdens without recompense, the report concludes. Detailed Codes of Practice will be needed to provide a more effective means of assisting compliance and retaining business confidence. These Codes of Practice should clearly set out the requirements for protecting ICR data that will have to be retained and managed by Communication Service Providers, along with the security standards to keep them safe.
Blackwood concluded: “The evidence we heard suggests there are still many unanswered questions about how this legislation will work in the fast evolving world of communications technology. There are good grounds to believe that without further refinement, there could be many unintended consequences for commerce arising from the current lack of clarity of the terms and scope of the legislation. The final version of the Bill will have to address this if it is provide futureproofed legislation.”
The Government says that the draft Investigatory Powers Bill, published on 4 November 2015, is intended to consolidate, clarify and modernise existing legislation on the interception of communications and the acquisition of communications data. It says this is needed to maintain the operational capabilities of our security services and law enforcement agencies in light of developments in information technologies.
The Committee’s inquiry focused on technological aspects of the draft Bill in order to identify the main technological issues involved and how these might affect the communications businesses that will have to collect data and cooperate with the security authorities. It has not addressed the need or otherwise for the communications monitoring provisions or whether they are proportionate to the threats they are intended to deal with. These matters will be covered by the Joint Committee established to scrutinise the draft Bill as a whole.