The UK's Intelligence and Security Committee (ISC) has struck out at a controversial surveillance law being proposed by the UK government, the Investigatory Powers Bill (IP Bill). The response is notable because the Committee is one of three groups that were commissioned to look into the UK's patchwork of laws before the IP Bill was drafted. The authors believe the new bill has "suffered from a lack of sufficient time and preparation" and doesn't cover some important powers held by the UK's intelligence agencies. Given the purpose of the law is to collect, update and explain these abilities, the Committee calls the bill "a missed opportunity."
The new report delves deeper into the government's proposed legislation, taking issue with three specific capabilities -- equipment interference, more commonly known as hacking; bulk personal datasets; and communications data, which refers to peripheral information about our conversations such as where, when and how a message was sent or received. The Committee says these abilities are too broad and "lack sufficient clarity." In addition, the group says the bill has "a rather piecemeal approach" to privacy protections and that these should be written into their own, central section. Each of the proposed powers would then need to reference this like a checklist throughout the bill.
"Taken as a whole, the draft Bill fails to deliver the clarity that is so badly needed in this area. The issues under consideration are undoubtedly complex, however it has been evident that even those working on the legislation have not always been clear as to what the provisions are intended to achieve."
One of the biggest mysteries surrounding the IP Bill is its proposed impact on encryption. In an introductory section, the Home Office stresses that there will be "no additional requirements in relation to encryption over and above the existing obligations in RIPA." RIPA is the Regulation of Investigatory Powers Act, the UK's primary piece of surveillance legislation at the moment. It's already a murky subject, but in the new legislation there's also mention of a "technical capability notice" that asks for "the removal of electronic protection applied by a relevant operator to any communications or data."
Would that affect end-to-end encryption and if so, how? The purpose of such protection is to ensure the provider can't decrypt users' conversations, even if they want to or receive a request from the government. Under the draft IP Bill, are they banned from offering users this encryption in the first place? Or could they simply decline based on the fact it's impossible for them to comply? The Home Secretary Theresa May has provided some muddled answers, which worry the ISC:
"The Home Office must ensure that the legislation provides clarity as to the nature and scale of these obligations."
The report chimes with what plenty of companies have argued during the joint committee's investigation -- the IP Bill needs to be clearer with its proposals. The government has tried to defend its position, suggesting that if it's too specific the law will quickly become outdated. Then we'll be in this same position again, debating minutiae back and forth for months. Of course, that's no excuse for failing to provide adequate safeguards or a clear, accessible explanation of the general powers being awarded.
The joint committee is due to publish its own report later this week. It's a crucial document which the government will need to review before finalising the IP Bill. Based on the evidence that's been submitted, we're expecting a laundry list of criticisms to rival those set out by the ISC.