The Investigatory Powers Bill was presented to the UK Parliament on Tuesday, after less than 120 days of consultation on the draft copy.
The amended 258-page document faced further industry criticism that the government is trying to force it through without adequate scrutiny.
In the “Investigatory Powers Bill: Government Response to Pre-Legislative Scrutiny”, the government contends that the revised bill meets all concerns from three Parliamentary committees calling for “greater clarity” and warning of the harm that rushing the IP Bill into law might cause.
Most changes occur through codes of practice published alongside the bill, not in the IP Bill itself.
Following a 14 March Parliamentary debate, the bill undergoes further scrutiny on 22 March, with a vote expected before the end of April.
The three pillars of sanity
The Home Office had been tasked with taking into consideration warnings that the bill required serious revision. The ISC verdict was that, “Overall, the privacy protections are inconsistent and in our view need strengthening. We recommend that an additional Part be included in the new legislation to provide universal privacy protections, not just those that apply to sensitive professions.”
In the revised document ‘privacy’ still only applies to “Protections for communications involving sensitive professions”; the other sections discuss transparency, authorisation and oversight. Somewhat unsurprisingly, there is little mention of privacy in a bill about spying.
The Science and Technology Committee warned of the bill's potential to damage Britain's technology industries. In January 2016, Michael Ginsberg, CEO of Echoworx, told SCMagazineUK.com, “Although data legislation plays a large part in driving data privacy awareness, the actions of Theresa May are not logical, and unfortunately if this law comes into power we're going to have to move our clients away from UK jurisdiction as the idea of a backdoor into our data simply makes no sense”.
Taxpayers will pay £2 billion to cover the costs of helping ISPs comply with their obligation to collect and retain ICRs as the document says: “It would not be appropriate to commit future Governments to pay the full cost of compliance, as it would limit their discretion on this issue.”
The Joint Committee report repeated most claims of the preceding two committees – saying the first draft was produced in a rush to introduce the law, and called for more definition, clarity and explanation of exactly what the Home Office is planning to do.
To ICR, or not ICR, that is the question
May claimed the government has delivered “a single definition of an ICR”, but the definition of internet connection records is described as vague. Section 7 of the draft Code of Practice on Communications Data says an ICR can be any of:
- Data Retention & Disclosure system access audit records;
- IT Health Check security reports;
- Security incident logs;
- Data Retention volumes;
- Details of retained financial records (ie PCI-DSS implications and required exemptions);
- Data Deletion Records;
- Hardware (storage media) destruction records;
- and documentary evidence to demonstrate how the CSP has fulfilled its responsibilities under chapter six.
So, many commentators say not much has changed; instead, the important details are now in a draft code of practice (the Code of Practice on Communications Data). What the draft bill originally noted was:
In this section “internet connection record” means data which –
(a) may be used to identify a telecommunications service to which a communication is transmitted through a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and
(b) is generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person)
The final bill states:
In this Act “internet connection record” means data which –
(a) may be used to identify, or assist in identifying, a telecommunications service to which a communication is transmitted through a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and
(b) comprises data generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person)
Oh, won't you think of the terrorists!
Theresa May commented that, “The new legislation needs to be in force by 31 December 2016 to ensure that powers which are essential to counter the threat from criminals and terrorists do not lapse.”
Speaking to SCMagazineUK.com yesterday, Mike Weston, CEO of Profusion, said that, “It's very concerning that the Government is pressing ahead with introducing the Investigatory Powers Bill. Three parliamentary reports have criticised nearly every aspect of the Bill; tech and security industry experts are pretty much unanimous that it is flawed and civil liberties groups have rightly pointed out that it is a serious assault on privacy.”
“By introducing the IP Bill now, without making any serious revisions in line with the 86 recommendations of the Joint Select Committee, it seems that the Government is throwing caution to the wind to get it passed before the end of the year.”
“Make no mistake, this is a bad bill. It erodes the privacy of individuals online, it puts a huge burden on internet service providers and tech companies to snoop on their own customers, and it is questionable whether it will do anything to improve state security. The Government should admit that it has got it wrong, bin the Bill and start again.”
Commenting on the effects the bill will have on the tech industry, Dr Adrian Davis, European MD at (ISC)², spoke to SCMagazineUK.com and said that, “The new draft Bill requires companies to make it possible to break their own encryption and hack their own devices, and even to seek assistance from others in hacking their own devices, making it more difficult for them to ensure the security of their customers' data. Astonishingly, it does not mandate any baseline level of data security precautions or include any infosecurity guidelines to cover all the companies and individuals that will now have to retain customer data and make their devices and encryption hackable. Yet, without proper data security safeguards, this is a warrant to make our data and personal devices less secure than ever before.
“Amongst other issues, the Bill also has no universal privacy protections and does not define data in a meaningful manner. These two omissions may result in individuals, tech companies and law enforcement having to turn to the courts for guidance, with the cost, time and uncertainty this involves.
“Different companies covered by the Bill may have vastly divergent levels of data security. Most worryingly, the Bill says that bulk acquisition warrants can apply even to overseas firms, some of which are not governed by any data-protection laws and thus have vastly lower levels of protection around their data than British companies.
“Consequently, malicious hackers may view foreign ISPs storing British citizens' data as an easy target because the levels of information security may be lower and the local legal penalties for stealing data may be lighter.
“We urgently need a minimum requirement for data security that applies to every company in every jurisdiction that is covered by this new Bill, or we could be creating a fragmented system of data security opening millions of people up to hackers. There is a significant body of knowledge and experience in the UK... that should be used to assist in the creation of a bill that both provides the UK government and the UK economy with a workable compromise. ... this latest draft should be the start of a collaborative process to create a law fit for the digital economy of the 21st century, not the start of a rushed approval process.”