The UK’s proposed surveillance legislation is littered with problems, according to several government reports.
After months of taking evidence from academics, activists, technologists, law enforcement and politicians, a government body tasked with assessing the draft Investigatory Powers Bill released its nearly 200-page report on Thursday. As with previous reports, two main areas of controversy centre around the collection and storage of citizens’ internet browsing histories, and the threat to robust encryption.
The Joint Committee, a group of 14 cross-party politicians from the House of Commons and House of Lords, is generally in favour of the powers the Bill would solidify, although it raised serious issues with the feasibility and scope of some aspects of the proposed legislation.
This is the third parliamentary report looking into the draft Bill: the others came from the Science and Technology Committee, and the Security and Intelligence Committee of Parliament. Throughout, the watchdogs have repeatedly highlighted two major issues.
Internet Connection Records
Perhaps the most controversial aspect of the draft Bill is that it would force internet service providers (ISPs) to store all customers’ browsing histories for 12 months. This data would be collected in the form of so-called Internet Connection Records, or ICRs, which are described in the legislation as “a record of the internet services a specific device has connected to, such as a website or instant messaging service.”
However, the definition of ICRs is so broad that tech firms have complained they don't exactly know what they would be supposed to collect.
“The Bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers,” reads the Science and Technology Committee's report published earlier this month.
“We recommend that the definition of Internet Connection Records should be made consistent throughout the Bill,” the latest report from the Joint Committee adds.
Then there’s the feasibility of collecting all of this data, and keeping it secure. Matthew Hare of ISP Gigaclear is quoted in the Science and Technology Committee report as asking whether storing everyone's browsing history “secure and safe is always going to be the case.” The Joint Committee adds that, “We recommend that more effort should be made to reflect not only the policy aims but also the practical realities of how the internet works on a technical level.”
Finally, there's simply the cost of the ICR program. The Home Office has predicted that the whole thing will come in at £174 million over 10 years, but various ISPs have suggested the costs could go much higher than that.
Despite highlighting many of these problems, the latest report agrees that retaining browsing histories for 12 months is a good idea, and adds that perhaps law enforcement shouldn’t be restricted to accessing data related only to communications services or illegal websites, as is originally laid out in the Bill.
From the moment the draft Bill was announced by Home Secretary Theresa May in November 2015, there have not been clear answers about how the law would deal with end-to-end or hard-drive encryption.
The draft Bill says that tech companies may be forced to remove “electronic protection” of data. Naturally, that has been interpreted by tech firms and civil liberty groups as a demand to strip customers' communications or devices of encryption.
Over the last few months, the Home Office has tried to make it clear that it does not want to ban encryption, or to introduce encryption backdoors. But when May made this point in an evidence hearing in front of the Joint Select Committee, she quickly followed it up with a seemingly contradictory statement: that communication providers would still be expected to give the government access to plaintext data when required.
It appears that after weeks of hearings, and from consultations with dozens of experts, the Joint Committee is just as confused about encryption as the Home Office.
“We agree with the intention of the Government's policy to seek access to protected communications and data when required by a warrant, while not requiring encryption keys to be compromised or backdoors installed on to systems,” the report reads. “The drafting of the Bill should be amended to make this clear.”
Following the publication of the three parliamentary committees’ reports, the Home Office will now produce a redrafted version of the Bill (or scrap it—the 2013 Draft Communications Bill, also known as the Snooper's Charter, was ditched after widespread criticism).
“The next stage will be for the two Houses to consider the Bill properly when it is introduced,” Lord Murphy of Torfaen, chairman of the Joint Committee, said in a statement. “We hope that both Houses, and the public, find our report a useful start to the Parliamentary debate.”