The wording of the UK's proposed surveillance law is so vague that tech companies have little idea what data it would require them to store, a new government report has said. Companies are also concerned about the cost and feasibility of collecting such data, and are unclear on the law's position regarding encryption.
“The Government must urgently review the legislation so that the obligations on the industry are clear and proportionate,” wrote Nicola Blackwood MP, chair of the Science and Technology Committee, in a statement. The committee has been taking evidence from activists, academics, and tech companies around the draft Investigatory Powers Bill, a proposed piece of legislation that will force internet service providers (ISPs) to store all customers' browsing history for 12 months, among other things.
This data collection includes the creation of so-called internet connection records, or ICRs. An ICR is, according to Home Secretary Theresa May, “a record of the communications service that a person has used, not a record of every web page they have accessed.” That could include information such as a record of when you visit a specific website or when you use WhatsApp on your phone.
"The evidence we heard suggests there are still many unanswered questions about how this legislation will work in the fast evolving world of communications technology"
But members of the tech industry are not clear on what an ICR actually is, according to the Science and Technology Committee's report. “The Bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers,” Blackwood's statement continues.
This lack of clarity also extends to the costs of implementing the collection and storage of ICRs, and to concerns about how ICRs will be kept out of the hands of hackers. In the report, the committee quotes Matthew Hare of ISP Gigaclear questioning whether keeping a database of everyone’s browsing activities “secure and safe is always going to be the case.”
There is also confusion around the tech industry's obligations around end-to-end encryption.
The draft Bill says that tech companies may be obligated to remove “electronic protection” from any communications or data. That sounds a lot like telling companies to decrypt their customers' communications, but this is not always technically feasible, because of the increasing roll-out of end-to-end encryption. With end-to-end encryption, the keys needed to decrypt messages are held on customers’ devices, not by the companies themselves, so the provider only ever handles ciphertext and has no plaintext it could hand over.
“The Government should clarify and state clearly in the Codes of Practice [which will be published alongside the Bill itself] that it will not be seeking unencrypted content in such cases, in line with the way existing legislation is currently applied,” the committee said.
"The evidence we heard suggests there are still many unanswered questions about how this legislation will work in the fast evolving world of communications technology,” Blackwood continued. “There are good grounds to believe that without further refinement, there could be many unintended consequences for commerce arising from the current lack of clarity of the terms and scope of the legislation. The final version of the Bill will have to address this if it is [to] provide future-proofed legislation."