The Intelligence and Security Committee of Parliament has issued a report which is highly critical of the draft Investigatory Powers Bill, calling into question the government's commitment to safeguarding the privacy of the public.
The report says: “Given the background to the draft Bill and the public concern over the allegations made by Edward Snowden in 2013, it is surprising that the protection of people's privacy – which is enshrined in other legislation – does not feature more prominently.”
The members of the committee criticised the draft Bill for lacking an overarching statement of principles and for failing to apply universal privacy protections in all sections. They said “the reader has to search and analyse each investigatory power individually to understand the privacy protections which may apply”, resulting in “a lack of clarity”.
While acknowledging the vital role that the intelligence agencies play in averting acts of terrorism, the report says “this cannot be used as an excuse to ignore such important underlying principles [of privacy protection] or unnecessarily to override them”.
Inconsistencies in the protections afforded to certain “sensitive professions”, such as journalists, mean that a judicial commissioner must approve an authorisation in some cases but not in others. For elected officials, the approval of the Prime Minister must be obtained for targeted surveillance but not for bulk personal datasets or bulk acquisition warrants.
The committee calls on the government to add a new part to the Bill that addresses privacy safeguards and sets out universal privacy protections across the range of investigatory powers.
And protected professions should enjoy consistent safeguards, “no matter which investigatory power is used to obtain the information”.
The committee also raised a number of concerns about investigatory powers to do with equipment interference, bulk personal datasets, communications data and targeted interception warrants.
The report also notes that clause 39 of the draft Bill attempts to replicate existing RIPA legislation concerning the EU's Convention on Mutual Assistance in Criminal Matters. This allows interception in the UK to be conducted on behalf of a foreign partner.
“However, it omits the restriction in RIPA that the person being intercepted must be outside the UK,” the report says. “This therefore would allow for UK residents to be intercepted in the UK without a warrant being in place.”
The committee concludes charitably: “Given that the Committee has not been given a reason for this omission, we presume this is a drafting error: in our view it is essential that the original RIPA safeguard is reinstated…”
Antony Walker, deputy CEO of techUK, commented: “Today's report from the Intelligence and Security Committee of Parliament (ISC) again makes it clear that the bill lacks clarity on fundamental issues, such as core definitions of key terms within the draft Bill, encryption and equipment interference. Our members are unsure exactly what is meant by Internet Connection Records (ICRs), how they will be gathered, stored and accessed. This kind of detail is crucial to understanding the impact of the proposed Bill.”
Jacob Ginsberg, senior director at Echoworx, said that businesses should be concerned about the Bill. “It's hardly surprising that the ISC found next to no privacy protection statement in the draft bill. If backdoors are built into servers of ISPs and mobile phone companies for security services to access, what's to stop an attacker gleaning this treasure trove of personal information?” he said, adding: “This would have serious financial implications on the UK economy resulting from the destruction of the data storage market.”