Analysis: Privacy concerns relating to the IP Bill are well documented – but is the charter ‘practicable’?
Not since Snowden has the data privacy discourse been so hotly debated.
Across the pond, Apple is advocating privacy in a fight with the FBI over the unlocking of an iPhone, while here at home the government is trying to step up the state’s surveillance powers and sign the Investigatory Powers Bill (IP Bill) into law.
Nicknamed the Snooper’s Charter, the IP Bill was introduced by Home Secretary Theresa May as a means to fight terrorism and serious crime by ratifying and defining the tools available to law enforcement. However, since its big reveal at the 2012 Queen’s Speech, it has been marred with controversy with tech companies, security experts and privacy advocates banding together to denounce the affront on citizens’ privacy.
The Bill has been criticized for its lack of clarity, its proposed weakening of encryption, and ISP data collection and retention – and this criticism only got louder after yesterday’s revised Bill was presented by Home Secretary May.
The revisions were designed to quell the derision of previous drafts, with the Home Office claiming that the technical definitions in the new draft provide much greater clarity, making privacy safeguards "clearer and stronger".
"The Bill ensures that the security and intelligence agencies and law enforcement continue to have the powers they need to keep us safe – and no more," Home Secretary Theresa May said in the pre-amble to the bill.
However, critics have been quick to point out that the revised draft has extended the scope of some of the proposed powers, allowing authorities access to all web browsing records in specific criminal investigations, while the original draft had only specified that this applied to illegal websites and communications services.
Organisations and companies have been quick to vocalise the privacy dangers of such an extension of powers, with SumOfUs, a consumer watchdog, saying: "Our private lives are under threat.
"The Home Secretary’s Investigatory Powers Bill is a cynical power-grab that would erode the fundamental privacy protections that are guaranteed to every citizen in the UK.
"Not only would the proposed Snoopers’ Charter open up our private data for government review, this dramatic increase in the State’s surveillance powers could shatter standard encryption protections that keep our data safe and make private communications more vulnerable to hacks and leaks."
Although the privacy concerns of the bill are well documented, it remains to be seen whether the Bill can actually be enforced. The word ‘practicable’ has been used in the cases of both the IP Bill and the ongoing fight between Apple and the FBI. Rafael Laguna, CEO, Open-Xchange, argues that the draft still lacks the clarity to be practicable.
"The latest draft she is attempting to force through parliament is still too vague to be ‘practicable’. Service providers have repeatedly said that they would be unable to store internet connection records without passing on substantial costs to customers. Similarly, the ongoing US legal battle between Apple and the FBI highlights the many dangers of governments forcing companies to crack their encryption technology."
Data is a key factor here – the sheer amount which the government is proposing to be collected and stored is vast. Companies such as BT will have to completely transform their current operations, in order to comply with the law. At the moment, it could be argued, that the vast majority of UK companies do not have the resources to collect and store this vast amount of date – it’s not practicable – but let’s argue that it were. If the Bill were to pass, then, as Richard Anstey, CTO at Intralinks EMEA, argues, the UK economy could face a very big problem.
"With an extreme interpretation of what is ‘practicable’ the conclusion could be that anyone providing a communication service must find a way to be able to break it, so the power of the algorithms will have to be downgraded or the keys would need to be stored in a different way.
"But even if the UK were to do this, what’s to stop someone jumping to another service run from another country? The nature of the internet is such that companies and individuals who don’t want to be subject to such rules are free to move to a service covered by an alternative jurisdiction – perhaps one which applies different relative values in the delicate balance between individual privacy and government control.
"This potentially poses a risk to the technology sector of the UK economy if there is an exodus of service providers to jurisdictions that allow the provision of the type of secure service customers want to buy.
"Quite simply, gaining access to end-to-end encryption won’t give the government any better access to criminal messages because those individuals are free to jump ship to an app or service that is not subject to the charter."
Those businesses are jumping ship to sit beside other companies – companies who the UK government has no legal authority over. One only need look at the current Apple vs FBI battle raging to see how hard the charter will be to implement. Douglas Crawford, Cyber Security Expert at BestVPN, said:
"What the dispute between Apple and the FBI amply demonstrates is the difficulty the UK government will have in coercing international tech companies to comply with its frankly outrageous demands that they provide it access to the communications of their users.
"After all, if the US government, issuing a valid and legally binding court order to a US company is facing an uphill battle for its demands to be met (a battle that many think Apple can win), what chance does the government of a small nation with no legal authority over Apple (or Google, or Facebook) have?
"The only leverage available to it is to force these tech products out of the UK market, and good luck with that. Not only do countless UK business rely on the technologies provided by global tech companies, but just imagine how a voting electorate will feel if the government takes away its iPhones and Facebook!"
With the latest iteration of the IP Bill, the calls for more clarity have not been silenced. This IP Bill is not just about privacy, but its ability to be practicable. How are companies going to collect and store all the data required? What about the costs involved? How is the Bill going to be enforced? Will businesses just jump ship when the IP Bill becomes law, causing an exodus of business and money from the UK? How will the law be enforced on international companies?
We are, as of yet, only in the middle of the Snooper’s Charter saga, with further revisions, committees, speeches, protests etc sure to be on their way. One thing is for sure – with a law set to transform the very nature of government-citizen relations, clarity and transparency must drive the discourse.