The Guardian
Highly critical report says proposed legislation must be reviewed to ensure obligations on tech industry are clear
A draft of the bill. MPs said there were still many unanswered questions about how the legislation would work. Photograph: Philip Toscano/PA
The government’s investigatory powers bill lacks clarity and is sowing confusion among tech firms about the extent to which “internet connection records” will be collected, a parliamentary select committee has warned.
The highly critical report by the House of Commons science and technology committee says there are widespread doubts about key definitions in the legislation, “not to mention the definability, of a number of the terms”.
The admission that many MPs and technology experts are baffled will reinforce political concerns that such a complex bill is being pushed through parliament at speed. Other select committees are meanwhile preparing assessments of different aspects of the bill.
Launching the report, the Conservative MP Nicola Blackwood, who is chair of the committee, said: “It is vital we get the balance right between protecting our security and the health of our economy. We need our security services to be able to do their job and prevent terrorism, but as legislators we need to be careful not to inadvertently disadvantage the UK’s rapidly growing tech sector.
“The current lack of clarity within the draft investigatory powers bill is causing concern amongst businesses… The government must urgently review the legislation so that the obligations on the industry are clear and proportionate.
“There remain questions about the feasibility of collecting and storing internet connection records (ICRs), including concerns about ensuring security for the records from hackers. The bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers. This must be put right for the bill to achieve its stated security goals.”
The collection of ICRs is intended to allow law enforcement agencies to identify the communications service to which a device has connected. The report calls on the government to ensure that the obligations it is imposing on industry are both clear and proportionate.
The committee accepts the principle that intelligence and security agencies should “in tightly prescribed circumstances be able to seek to obtain unencrypted data from communications service providers”.
The report says: “However, there is confusion about how the draft bill would affect end-to-end encrypted communications, where decryption might not be possible by a communications provider that had not added the original encryption.
“The government should clarify and state clearly in the codes of practice (which will be published alongside the bill itself) that it will not be seeking unencrypted content in such cases, in line with the way existing legislation is currently applied.”
Commenting on encryption, Blackwood said: “Encryption is important in providing the secure services on the internet we all rely on, from credit card transactions and commerce to legal or medical communications.
“It is essential that the integrity and security of legitimate online transactions is maintained if we are to trust in, and benefit from, the opportunities of an increasingly digital economy. The government needs to do more to allay unfounded concerns that encryption will no longer be possible.”
The MPs said the evidence they received suggested there were still many unanswered questions about how this legislation would work “in the fast moving world” of technological innovation. “There are good grounds to believe that without further refinement, there could be many unintended consequences for commerce arising from the current lack of clarity of the terms and scope of the legislation,” they added.
Antony Walker, deputy CEO of techUK, which represents the technology industry, said: “There are several important recommendations in this report that we urge the Home Office to take on board. In particular we need more clarity on fundamental issues, such as core definitions, encryption and equipment interference.
“These are all issues that we highlighted to the committee and can be addressed both in the bill and in the codes of practice which we believe must be published alongside the bill, and regularly updated, as recommended by the committee. Without that additional detail, too much of the bill will be open to interpretation, which undermines trust in both the legislation and the reputation of companies that have to comply with it.
“The draft bill presents an opportunity for the UK government to develop a world-leading legal framework that balances the security needs with democratic values and protects the health of our growing digital economy. But we have to get the details right.”