The House of Commons Science and Technology Committee has today published its analysis of the UK Home Office’s Investigatory Powers Bill – the new successor to RIPA and the Snooper’s Charter. Although they don’t comment on the non-technical decisions in the bill, to be considered by another committee, they raise a number of concerns.
Select committees can be rather cautious bodies, partly because they always seek cross-party agreement. When, on an issue like this, they agree unanimously, that should be a message for government. In their summary, they refer to ‘widespread doubts’ about the terms used in the bill, and ‘uncertainties over the likely scope and costs’. As they say, ‘Such uncertainty is unhelpful to businesses trying to compete in a global communications market and risks undermining our strongly performing tech sector.’
Many people interested in this area will be particularly delighted by the words they use to conclude the summary: ‘It is essential that the integrity and security of legitimate online transactions is maintained if we are to trust in, and benefit from, the opportunities of an increasingly digital economy.’
The report looks in more detail at ‘Internet Connection Records’, encryption, equipment interference and the effects of this bill on communications businesses, and in each area it expresses concerns and makes strong recommendations.
On Internet Connection Records – the only piece of data collection the Home Office say is new – they cite many critics of the Home Office proposals, and highlight in both recommendations the confusion that there still is about what these really are, what data they will cover, and who will have to collect them. As I argued in my evidence to the committee, which they refer to, this can include incredibly intrusive data. A web log history, even reduced to only show the sites you went to and not the exact page, can tell someone a vast amount about you. This committee was not considering whether or not these powers should be allowed – but the flaws they point to in the proposals so far are serious, and should make it easier for parliament to resist them.
Encryption has been a major concern of many – this legislation could be used to force companies to prevent secure communication, by requiring them to be able to decrypt any communication. Civil liberty campaigners and technologists have rightly been concerned about this, and this is widely shared – the former director of GCHQ, Sir David Omand, said explicitly ‘I am certainly not advocating back doors being mandated, things which would weaken the integrity of the internet’.
This committee report comes out firmly against compulsory backdoors, calling on the government to clarify that it will not seek to decrypt end-to-end encrypted messages. They say ‘It is essential that the integrity and security of legitimate online transactions is maintained if we are to trust in, and benefit from, the opportunities of an increasingly digital economy.’
On equipment interference, powers which are apparently already used without explicit legislation, the committee says that ‘the industry case regarding public fear about ‘equipment interference’ is well founded’. Part of the concern surrounds what devices could be targeted under these powers – hacking someone’s personal laptop has certain limited and understandable consequences, but hacking a device that turns out to control a medical implant, or is part of an autonomous vehicle, or is part of the switches that underpin the internet, could have much greater repercussions.
One concern many companies had was the cost of the legislation, and whether they would be reimbursed for it. The legislation is alarmingly worded – it doesn’t guarantee that they would be reimbursed in full, just that ‘the appropriate contribution must never be nil’. We run the risk of jeopardizing our tech sector if we require them to do work on command, and don’t pay the costs. Even if we do pay, there will still be deleterious effects, such as delays in implementation. The committee calls on the government to reconsider, and say it will pay all the relevant costs.
Lastly, the committee discuss the codes of practice that will underpin how the legislation works. They insist the codes be published alongside the bill so they can be properly considered – it is very common for the government to publish them far too late. They also suggest they should be reviewed annually by the Technical Advisory Board; I would go further and suggest they could be looked at by the Privacy and Civil Liberties Oversight Board, for which legislation exists but which has not been created.
The MPs who look at science and technology have spoken – the bill is currently deficient, and without fixing could damage the UK. We wait now for the overall analysis from the Joint Committee. Will they have the confidence to echo this critique? We all hope they will, so the home secretary will be forced to fix this legislation, ensuring that we can both be safer and reduce intrusion and inadvertent harm to UK businesses, privacy, and the future of the internet.