IPB The first Parliamentary report into the UK's draft Investigatory Powers Bill, commonly referred to as the "Snoopers' Charter", says it has great potential to damage the nation's technology sector and the public should therefore pick up the tab for the £2bn (US$2.85bn) or so it will require to implement the data-harvesting legislation.
That's the gist of the report into the Bill, issued today by the UK's Science and Technology Select Committee.
The report argues that complying with the Bill will cost business so much that they'll be disadvantaged when competing with foreign rivals. The report also worries about reputational costs associated with the Bill's provisions for state hacking and mandatory decryption.
Focusing on the technological aspects of the Snoopers' Charter, the inquiry assessed it only in terms of its feasibility and cost, rather than whether its legal powers were proportionate to the threats they were intended to address. That second assessment is being made by the Joint Committee on the Draft Investigatory Powers Bill which is likely to publish its report within the next fortnight.
Nicola Blackwood MP, the committee's chair, stressed the bill's poor definitions of matters like decryption-on-demand (the removal of electronic protection) and the state's legalised hacking abilities (equipment interference). The committee's greatest worry, however, regarded "the feasibility of collecting and storing Internet Connection Records (ICRs), including concerns about ensuring security for the records from hackers."
"The Bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs," wrote Blackwood, echoing the sentiments of the submissions her committee had received from almost every party except from the Home Office itself.
Does anyone here know what an 'Internet Connection Record' might be?
A consensus among those providing witness statements to the Science and Technology Committee's inquiry, as well as to the Joint Committee providing pre-legislative scrutiny of the draft legislation as a whole, criticised ICRs.
Some ISPs simply confessed ignorance as to what the Home Office could possible mean by the term, while other witnesses gave more robust denials regarding whether ICRs even existed. No witnesses believed they current possessed the capacity to collect ICRs, and there was much echo of The Register's analysis that £2bn was a far closer assessment of its implementation costs than £250m.
The report declared that “the Government must work with industry to improve estimates of all of the compliance costs associated with the measures in the draft Bill.”
Blackwood noted that there are "widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft Bill”, and the report specifically highlighted that there are "questions as to how collecting and storing ICRs is technically possible, and whether Data Retention Notices to retain all user ICRs are 'necessary and proportionate'."
When such concerns were first raised, UK home secretary Theresa May dismissed them before Parliament by claiming that: “If someone has visited a social media website, an internet connection record will only show that they accessed that site, not the particular pages they looked at, who they communicated with, or what they said. It is simply the modern equivalent of an itemised phone bill.”
Government must urgently review the legislation so that the obligations on the industry are clear and proportionate.
This has been disputed, however. As legal expert Graham Smith told The Register: “We didn't read books over the telephone, but as an entirely accidental by-product of communications technology, our reading habits are now trackable.”
Smith was further cited by the report as “pointing out that the draft Bill itself uses the term 'internet connection record' only in clause 47 and that this differs from the way in which 'relevant communications data' are defined in clause 71 (which details the powers to require retention of certain data).”
The report stated that Smith “described how the scope of 'relevant communications data' depended on thirteen interlinked definitions, and concluded that 'the clause 71 power looks as if it may cover a wider range of communications data than is achieved by adding 'Internet Connection Records' to the current list of retainable communications data.'”
All of which the committee found important, as any assessment of the feasibility of collecting and storing ICRs “depends on what they actually are.” The committee chair advocated that Government "urgently review the legislation so that the obligations on the industry are clear and proportionate."
Craptography, or: “Gov, your backdoor stinks!”
For many onlookers one of the most concerning clauses of the bill is 189(4)(c), as it provides the government with the ability to impose “obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data.”
The Government's line on the matter is that it has no desire to “ban or limit cryptography”, and indeed this was trotted out recently in its response to a January petition on cryptography. How service providers were expected the fulfil their obligation under 189(4)(c) while transmitting end-to-end encrypted communications was unexplained.
The committee noted: “Apple and other communications companies have expressed concerns about whether the draft Bill might require them to adopt weaker standards of encryption. Apple have also reportedly stated that the draft Investigatory Powers Bill could be a catalyst for other countries to enact similar measures, leading to significant numbers of contradictory country-specific laws.”
As former MP for Cambridge, Dr Julian Huppert, noted, it is “unclear what would happen if a court were to be asked to take action against an operator who was unable to comply with this power because of the fundamental nature of their product: Any decentralised communications system is likely to render this clause impossible to comply with.”
The Government needs to do more to allay unfounded concerns that encryption will no longer be possible.
The Home Office told the committee that communications service providers would be expected to serve up plaintext data when ordered to do so. The report understood that this “would not apply to content that is encrypted end-to-end before being passed to the communications provider for transmission: 'What has to be removed is the electronic protection that the service-provider itself has put on the message. It is not removing encryption; it is removing electronic protection.”
The report concluded that the Government “should clarify and state clearly in the Codes of Practice that it will not be seeking unencrypted content in such cases, in line with the way existing legislation is currently applied.”
Blackwood herself concurred: “Encryption is important in providing the secure services on the internet we all rely on, from credit card transactions and commerce to legal or medical communications. It is essential that the integrity and security of legitimate online transactions is maintained if we are to trust in, and benefit from, the opportunities of an increasingly digital economy.”
She asserted that: “The Government needs to do more to allay unfounded concerns that encryption will no longer be possible.”
Hack, or “Interfere with the Equipment of” the Planet!
The report also considers "equipment interference" - hacking - and notes that it “encompasses a wide range of activity from remote access to computers to downloading covertly the contents of a mobile phone during a search.” Such interference has been consistently defended in in an environment increasingly featuring the widespread use of cryptography.
In his submission, the University of Cambridge's Ross Anderson acknowledged that the “right way to get around encryption is targeted equipment interference, and that is hack the laptop, the phone, the car, the Barbie doll or whatever of the gang boss you are going after, so that you get access to the microphones, to the cameras, and to the stored data. The wrong way to do it is bulk equipment interference.”
The report cited Big Brother Watch, which noted that “weakening a system does not mean that only law enforcement or the intelligence agencies can exploit it—'The system can be exploited by anyone who uncovers the weakness, including malicious actors, rogue states, or non-Government hackers'.”
We believed the industry case regarding public fear about 'equipment interference' is well founded.
Alarmingly clause 99 of the Snoopers' Charter would oblige domestic communication service providers to assist the Government in its hacking activities, while clause 102 wold make it a criminal offence for “any person employed for the purposes of the business of the relevant telecommunications provider” to disclose “any steps taken in pursuance” of this assistance.
According to industry witnesses, this offence would be inevitable for companies who open source their code, and thus were unable to conceal anything which had been tampered with from the public. The committee reported that it believed “the industry case regarding public fear about 'equipment interference' is well founded.”
As such, the committee recommended that the new Investigatory Powers Commissioner should report to the public on the extent to which these measures are used for security reasons, and should also “carefully monitor public reaction to this power.”
Blackwood said: “It is vital we get the balance right between protecting our security and the health of our economy.We need our security services to be able to do their job and prevent terrorism, but as legislators we need to be careful not to inadvertently disadvantage the UK’s rapidly growing Tech sector.” ®