The cross-party Science and Technology Select Committee (House of Commons) has today warned that the Government’s controversial new Investigatory Powers Bill (IPB) could cost significantly more than claimed and needs to be clearer about what it expects ISPs to actually do.
The bill marks the third attempt by a Government to expand the United Kingdom’s existing telecoms snooping laws by forcing broadband ISPs into logging a bigger slice of everybody’s online activity and then keeping that log for up to 12 months, irrespective of whether or not you’ve committed a crime.
On top of that the IPB would also make this data (ICR – Internet Connection Records) more easily accessible for law enforcement agencies through a complex “Request Filter” (not unlike a central database) and Police would not require a full warrant in order to gain access. But a warrant would still be needed for more targeted and detailed interception of an individual’s communications.
More recently ISPs have also warned that the predicted costs of implementing the bill (upwards of £175m) are far too low and that some of the measures could impose an effective ban on encrypted end-to-end communication services (where not even the service provider can view the communications). A recent meeting between smaller ISPs and the Home Office also suggested that the Government didn’t yet have a full grasp of the technical challenges involved.
Into this battle steps the Science and Technology Committee, which has today published the outcome from their inquiry into the IPB and echoed the above concerns.
Nicola Blackwood MP, Chair of the Committee, said:
“It is vital we get the balance right between protecting our security and the health of our economy. We need our security services to be able to do their job and prevent terrorism, but as legislators we need to be careful not to inadvertently disadvantage the UK’s rapidly growing Tech sector.
The current lack of clarity within the draft Investigatory Powers Bill is causing concern amongst businesses. There are widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft Bill. The Government must urgently review the legislation so that the obligations on the industry are clear and proportionate.
There remain questions about the feasibility of collecting and storing Internet Connection Records (ICRs), including concerns about ensuring security for the records from hackers. The Bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers. This must be put right for the Bill to achieve its stated security goals.”
Interestingly, on the subject of encryption, Blackwood states: “The Government needs to do more to allay unfounded concerns that encryption will no longer be possible,” particularly in regards to the impact upon end-to-end encryption. “The Government should … state clearly in the Codes of Practice that it will not be seeking unencrypted content in such cases,” says the report.
Blackwood also loosely notes the risk to international competition if UK tech companies are effectively required to limit the security of their hardware and software products in order to meet the Government’s new rules, particularly in regards to weakening encryption. Rival products from other countries that do not impose such measures would naturally look more competitive.
The Committee also ruled that the Government should pick up the tab for all of the additional data storing costs involved in the IPB’s implementation, especially for smaller ISPs, and clarify some of the bill’s more confusing terms (e.g. what exactly constitutes an ICR?). It also demands further examination of the costs in order to arrive at a more accurate figure.
In keeping with all that, the report recommends that the bill adopt Detailed Codes of Practice, which should, for example, “clearly set out the requirements for protecting ICR data that will have to be retained and managed by [ISPs], along with the security standards to keep them safe”.
Finally, the report calls on the Government to review the composition of its Technical Advisory Board to “ensure that it will have members from industry who will be able to give proper consideration, not just to the technical aspects of appeals submitted to it from CSPs concerned about ICR or other interception or ‘interference’ notices, but also any concerns raised about costs”.
Nicholas Lansman, ISPA Secretary General, said:
“We are pleased parliament recognises that the Bill, as drafted, risks undermining the competitiveness of the UK tech sector. We now expect the Home Office to take on board these recommendations, along with those of the upcoming Joint Committee report, to produce a clearer Bill that is clear, technically feasible, proportionate and maintains trust in online services.”
In Blackwood’s words, “There are good grounds to believe that without further refinement, there could be many unintended consequences for commerce arising from the current lack of clarity of the terms and scope of the legislation.”
Fibre optic ISP Gigaclear has added some thoughts.
Matthew Hare, CEO of Gigaclear, told ISPreview.co.uk:
“For the UK to remain the best place to do business online, investment and focus needs to be on building a better broadband infrastructure, not on data storage measures that are unlikely to deliver the security we all want.
Gigaclear will connect 55,000 properties to its pure fibre network this year, but if the data storage measures outlined in the IPB have to be enacted, we will have to divert resources away from this important work. The focus for our engineers will be on monitoring data, rather than the expansion of our network, which is so crucial to the UK.
I am also concerned that capturing and retaining Internet Connection Records (ICRs) will actually create a security risk, not solve one. The data could be vulnerable to criminals. It will also undermine trust in the use of the Internet in the UK. Businesses will be reluctant to base themselves here in Britain, which will have a hugely damaging knock on effect to the wider economy.
Finally, such data storage demands will only become more burdensome in the future. Our Gigaclear customers, who have ultrafast broadband with speeds of up to 1Gbps, use the Internet up to 15 times more than the UK average. This shows a direct correlation between broadband speeds and Internet use. As the UK infrastructure is updated during the BDUK rollout and more people have access to faster speeds, so data usage will rocket and the task will become even more onerous for companies like ours. This has to be taken into account.”