Lack of clarity in the Draft Investigatory Powers Bill continues to be an issue for industry, with Antony Walker, deputy CEO at trade body techUK (which represents more than 850 organisations) emailing SC to say that there are still too many aspects that are, “unclear, poorly defined or just wrong. The Home Office must recognise this and address the fundamental concerns raised by expert witnesses, MPs and Lords.”
Noting that the Joint Committee's criticism of the bill is the third parliamentary report expressing major concerns with the new legislation (the Science and Technology Committee said the Bill risks undermining the UK's technology and communications sectors, and the Intelligence and Security Committee said the bill does not do enough to protect privacy), ISPA chair James Blessing said: “This report adds to the chorus of voices calling for the Home Office to change the legislation so it's feasible, proportionate and does not harm the UK Internet industry. ISPA believes a new framework is needed to replace the various outdated laws, but we need further clarity on Internet Connection Records, definitions and costs”. He also echoed Walker's concerns outlined below.
While a clear legal framework for investigatory powers is supported, it is described as achievable only if the government takes on board some of the key recommendations that have been set out by the three Parliamentary reports below. But the expected EU referendum has raised concerns about the time left to ensure proper parliamentary scrutiny.
Internet Connection Records (ICRs)
Walker said, “It is not clear what ICRs are and that there are significant security risks in retaining such sensitive data.” Clearer definitions are called for so that Parliament can make a “proper assessment of the technical feasibility and proportionality of these significant and intrusive powers.” Blessing adds, "We hope that the misleading allusion to ICRs being described as a mere itemised phone bill is no longer used."
Government commitments not to weaken encryption, or restrict the use of end-to-end encryption, must be laid out on the face of the Bill, says Walker. Blessing also says, "We further support the call, also put forward by the Science and Technology Committee, that companies offering end-to-end encryption will not be expected to decrypt data if not practicable."
Powers that assert UK jurisdiction overseas are described by Walker as creating, “conflicting legal obligations for companies, infringe on the sovereign rights of other governments and risk retaliatory action against UK companies operating abroad.” Such provisions are not consistent with earlier recommendations made to the Prime Minister by Sir Nigel Sheinwald, which both Walker and Blessing felt should be implemented.
Bulk equipment interference
All three committees have raised concerns about equipment interference, and the ISC said that bulk Equipment Interference powers are not necessary and should be removed from the Bill, while Blessing suggests that the impact they could have on system damage and collateral intrusion be reviewed.
Codes of practice
Codes of Practice should be published alongside the Bill so that the tech industry fully understands what is being asked of it and how it will impact its customers and its businesses, suggests Walker.