Facebook, Google, Microsoft, Twitter and Yahoo have banded together to list their concerns with the Investigatory Powers Bill, a proposed piece of legislation that would update and extend the UK government's surveillance powers. In a written piece of evidence, the group says they're worried about how the new law would affect companies based overseas, encryption and the nature of the judicial review system described as a "double-lock" for warrants. The Bill only explains so much about the extent of these powers -- the minutiae is often left to the Codes of Practice -- so above all the companies are asking for some clarifications.
One of the group's biggest issues is a potential "conflict of laws." All five companies have their headquarters based overseas, meaning requests for data could clash with the prevailing laws in other countries. If the UK government asked for information in a way that would break US rules, for instance, it could leave service providers in a difficult position deciding whose laws to violate. "If the UK legislation retains authority to reach extraterritorially," the group says, "the Bill should consistently and explicitly state that no company is required to comply with any notice."
The Investigatory Powers Bill is also unclear about its position on encryption. In an opening section called "Context," the Home Office says the proposals enforce "no additional requirements in relation to encryption over and above the existing obligations in RIPA." RIPA being an existing and primary piece of UK surveillance legislation (it acts as a foundation and would remain in place even if the new legislation is passed.) Later in the new Bill it does, however, refer to a "technical capability notice" which could demand "the removal of electronic protection applied by a relevant operator to any communications or data."
What this means for end-to-end encryption, a method which means operators are unable to decrypt, is uncertain. The group says it wants the Home Office to state definitively that "nothing in the Bill should be construed to require a company to weaken or defeat its security measures." In addition, the group thinks the UK government shouldn't be allowed to request data that wouldn't normally be retained.
When the new Bill was first unveiled, the Home Office was keen to promote its proposals for a judicial review system. In addition to a sign-off from the Secretary of State, this would force government agencies to gain approval from an independent judge. However, the idea has since been criticised. Some argue that these judges would only check the technicality of the application -- that proper procedures were followed, in other words -- rather than the nature of the case itself. The group writes:
"To truly serve as a second lock, this function must not just assess the rationality or reasonableness of the ministerial decision, but ensure that investigatory warrants under the Bill will withstand the full scrutiny of a court."
Another, probably unrealistic request is to have users notified when a government seeks access to their communications. In their written evidence, the five companies say this is important so that users can exercise their legal rights if they think the intrusion is unlawful. It's an unlikely concession, however, given it would upend the secretive nature by which government agencies currently monitor communications.
Last, but certainly not least is a complete dismissal of the government's plan to legalise equipment interference, which also covers hacking. These powers have reportedly been legal before now, but never specifically stated in legislation, so the Bill is an important moment for policymakers and privacy advocates to debate its restrictions. The group doesn't want it to be legalised at all, however: "This could involve the introduction of risks or vulnerabilities into products or services, it would be a very dangerous precedent to set, and we would urge your Government to reconsider."
Since the draft Bill was published in November, a cross-party committee has been collecting feedback from both the government and technology companies. It's been conducted through a combination of hearings and written evidence submissions, covering ISPs and mobile carriers, politicians, professors and members of the intelligence community. Almost everyone has concerns or questions -- it'll soon be down to the committee to report its findings and for the government to decide which, if any it should take action on before finalising the Bill.