Rough start of the week for the Home Office

Dubbing Theresa May's Investigatory Powers Bill 'confusing', MPs on the science and technology committee released a report which says firms fear a rise in hacking due to encryption 'back doors'.

Home secretary Theresa May

Dubbing Theresa May's Investigatory Powers Bill 'confusing', MPs on the science and technology committee released a report which says firms fear a rise in hacking.

The Home Office said it would study the report's findings.

Committee chairman Nicola Blackwood said: "There remain questions about the feasibility of collecting and storing internet connection records (ICRs), including concerns about ensuring security for the records from hackers."

Fittingly, it was recently reported that the Home Office had managed to lose completed security vetting forms from within a Home Office building, and an FoI request showed that the Home Office suffered a total of 33 data breaches in 2015.

Although the Home Office was unable to estimate how many data subjects were affected by these breaches, it was confirmed that security vetting documents were "lost internally between the recipient of the postal package and the vetting team" within a Home Office government building, adding that "the contents had not been reviewed."

The Home Office was contacted and asked if it is going to make a serious commitment to keeping all ICRs safe from hackers and data breaches, but it did not respond to the question.

The estimated cost to the industry will be £174 million over 10 years; the Home Office said it was important companies were not out of pocket and it still plans on reimbursing 100 percent of costs associated with data retention for the Investigatory Powers Bill.

Commenting on the report from the science and technology committee, security minister John Hayes said, "We are mindful of the need for legislation to provide law enforcement and the security and intelligence agencies with the powers they need to deal with the serious threats to our country in the modern age, subject to strict safeguards and world-leading oversight arrangements."

Service providers, such as BT and Sky, are concerned about the cost of storing internet records for 12 months, and many are worried as the bill would strengthen the power to force firms to give up decryption keys so that coded messages might be read. The iPhone, for example, which uses "end-to-end encryption", would be forced to adopt weaker encryption standards.

Another issue highlighted in the report is the lack of clear definitions, a point raised by the New Statesman's legal correspondent David Allen Green QC, who said that we would need an explanation of what terms such as “communications content” actually mean, especially when Theresa May said that the authorities would not be able to see individual web pages visited, just basic data, such as domain names like bbc.co.uk or facebook.com.

Commenting on the Investigatory Powers Bill, Michael Ginsberg, CEO of Echoworx, said that, “Although data legislation plays a large part in driving data privacy awareness, the actions of Theresa May are not logical, and unfortunately if this law comes into power we're going to have to move our clients away from UK jurisdiction as the idea of a backdoor into our data simply makes no sense”.

He goes on to say that, “Even though NSA surveillance has caught [a] minimal amount of terrorists, and that legislation and security have always been behind technology, it is going to take a mammoth effort to show the world why a lack of privacy is a terrible idea”.

In an email to SC, Antony Walker, deputy CEO of techUK, commented: “There are several important recommendations in this report that we urge the Home Office to take on board. In particular we need more clarity on fundamental issues, such as core definitions, encryption and equipment interference. These are all issues that we highlighted to the Committee and can be addressed both in the Bill and in the Codes of Practice which we believe must be published alongside the Bill, and regularly updated, as recommended by the Committee. Without that additional detail, too much of the Bill will be open to interpretation, which undermines trust in both the legislation and the reputation of companies that have to comply with it.

“The draft Bill presents an opportunity for the UK government to develop a world leading legal framework that balances the security needs with democratic values and protects the health of our growing digital economy. But we have to get the details right.”