News: Science and Technology Committee has said that the surveillance bill lacks clarity.
The Science and Technology Committee has called on the UK Government to review the draft Investigatory Powers Bill to make the obligations on the industry clear and proportionate.
The Commons Select Committee has recommended that the Bill be more explicit regarding the obligations to be imposed on the technology industry, as the data collection and retention requirements could result in additional costs.
The government has to fully meet the costs that communication service providers (CSPs) could incur in maintaining data on internet connection records (ICR), otherwise UK businesses will be at a commercial disadvantage in the global market, the committee of MPs said.
Published in November 2015, the draft Investigatory Powers Bill, termed Snooper’s Charter by critics, seeks to consolidate the existing legislation on the interception and acquisition of communication data, in the wake of the changing security landscape.
According to the government, the bill provides intelligence and law enforcement agencies the ability to target online communications of terrorists, paedophiles and other serious criminals.
In order to avoid misuse of communications, the draft bill proposes a ‘double-lock’ for interception warrants, so that they are approved by the secretary of state as well as by a judge.
The draft bill makes provision for the retention of ICRs to identify the communications service to which a device has connected.
The committee report remarks that there is no clarity on certain terms such as "telecommunications service", "relevant communications data", "communications content", or "reasonably practicable".
Science and Technology Committee chair Nicola Blackwood said: "The current lack of clarity within the draft Investigatory Powers Bill is causing concern amongst businesses. There are widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft bill. The Government must urgently review the legislation so that the obligations on the industry are clear and proportionate.
"There remain questions about the feasibility of collecting and storing ICRs, including concerns about ensuring security for the records from hackers.
"The bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers. This must be put right for the Bill to achieve its stated security goals."
Detailed Codes of Practice need to be provided as an assurance to businesses, and they need to be periodically revisited, the committee said.
Other recommendations include a balance between the need to fight crime and the protection of commercial competitiveness; as well as the careful monitoring of public reaction to this power.
Blackwood said: "It is vital we get the balance right between protecting our security and the health of our economy. We need our security services to be able to do their job and prevent terrorism, but as legislators we need to be careful not to inadvertently disadvantage the UK’s rapidly growing tech sector."
Industry and technology experts have been opposing the bill for its sweeping powers to snoop on the public, in particular the element allowing for encryption backdoors, one of the most controversial elements of the bill. Backdoors will facilitate surveillance on encrypted communications such as WhatsApp.
The review committee has observed that there is confusion about how the draft Bill would affect end-to-end encrypted communications, where decryption might not be possible by a CSP that had not added the original encryption.
The government should clarify and state clearly in the codes of practice that it will not be seeking unencrypted content in such cases, the committee said.
Welcoming the Science & Technology Committee’s report, Antony Walker, deputy CEO of techUK, said: "There are several important recommendations in this report that we urge the Home Office to take on board. In particular we need more clarity on fundamental issues, such as core definitions, encryption and equipment interference.
"These are all issues that we highlighted to the Committee and can be addressed both in the Bill and in the Codes of Practice which we believe must be published alongside the Bill, and regularly updated, as recommended by the Committee. Without that additional detail, too much of the Bill will be open to interpretation, which undermines trust in both the legislation and the reputation of companies that have to comply with it.
"The draft Bill presents an opportunity for the UK government to develop a world leading legal framework that balances the security needs with democratic values and protects the health of our growing digital economy. But we have to get the details right."