The bill needs further refinements to avoid placing a disproportionate burden on the tech sector, according to a House of Commons committee
The UK Government’s draft investigatory powers bill is vague in its provisions and would require detailed codes of practice in order to ensure it doesn’t prove a disastrous burden on the nation’s IT industry, according to a committee of MPs.
The House of Commons’ Science and Technology Committee said in a new report the draft bill, introduced in November, leaves key terms ill-defined and fails to allay concerns over how its measures will be paid for.
The government also needs to provide more clarity about how it plans to use device hacking powers – termed “equipment interference” – and powers that could limit technology providers’ ability to encrypt communications, the committee said.
The government has said the bill is intended to consolidate and clarify investigatory powers, and that the only substantially new requirement it introduces is for internet service providers to store users’ browsing records, termed internet connection records (ICRs), for 12 months. But the committee said the bill fails to clearly define what data needs to be stored, and which records will and will not require a warrant to access, the committee said.
“The bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers,” said committee chairman Nicola Blackwood.
She added that there remain questions about the feasibility of collecting and storing ICRs on the scale mandated by the bill and of keeping this data safe from hackers.
Service providers are also concerned about the potential expense associated with the scheme, the committee found.
The government has said it has always held to a committment to reimburse the full costs of compliance, but the committee said there was widespread uncertainty in the tech sector over this, and said the government must make an “explicit commitment” to pay all costs.
While the government has said the bill introduces no new powers related to hacking electronic devices and disabling protections such as encryption, the committee said there was a “lack of clarity” around this in the draft bill and in the consultation so far, spurring industry “uncertainty and concern”.
The bill’s device hacking powers had spurred “legitimate concerns” in the tech industry over “the reaction of their customers to the possibility that electronic devices could be hacked by the security services”, said Blackwood.
In response, the government should “produce regular information which gives the public an indication of the extent to which such measures are used and how any disagreements on this issue are resolved”, the committee’s report recommended.
Blackwood said the government must also do more to “allay unfounded concerns that encryption will no longer be possible”.
Apple and other companies currently make devices capable of sending and receiving communications that the company isn’t capable of providing access to. Such companies fear the bill could force them to create “back doors” in their devices for the use of law enforcement, but which could be misused by intruders.
The committee recommended that detailed codes of practice be formulated alongside the bill itself in order to clarify such issues, and that these codes of practice be regularly revised to keep up with technological changes.
“There are good grounds to believe that without further refinement, there could be many unintended consequences for commerce arising from the current lack of clarity of the terms and scope of the legislation,” the committee said in its report, adding that it is “essential” that the integrity of legitimate online transactions be protected to maintain trust in digital tools.
Security minister John Hayes said the bill is intended to help law enforcement and security and intelligence agencies deal with “the serious threats to our country in the modern age” and said the powers were “subject to strict safeguards and world-leading oversight arrangements”.
The government plans to set out its final proposals in the spring.
Are you a security pro? Try our quiz!