The committee focused on "critical technological aspects" of the draft legislation, volunteering no judgement on whether the extended powers are necessary or proportionate. As these things go, it's not a bad read, pulling in commentary from many experts and stakeholders. Noting plenty of confusion around the scope of surveillance powers and exactly what kind of data will be retained under the bill, the Science and Technology Committee (like many others) believes the Home Office could do more to clear up those concerns.
What exactly is an Internet Connection Record (ICR)? It's a question that's arisen time and time again. The government's definition is that an ICR is the who, when, where and how of a connection or communication, but not the content. Who, when, where and how someone accessed Facebook, for example, but not the pages they visited, posts they made or messages they sent; or the record of a Skype call, but not the content of that conversation.
Nobody seems particularly satisfied with that definition, however. ISPs and mobile network operators, the companies that will be on the hook for storing and processing ICRs, have expressed only a basic understanding. And without explicit instructions on what kind of data they need to gather, they've been hesitant to confirm the technical feasibility and cost of setting up these systems.
In fact, there are several ambiguous definitions throughout the bill. Some of these are intentional, as Theresa May has explained, so that the legislation will remain relevant even as technology and communications evolve. The Science and Technology Committee, however, recommends these shouldn't be left open to interpretation, and that any loose wording be explained thoroughly "as a matter of urgency."
Which companies will be served notices to retain ICRs is still largely unknown. The major ISPs and mobile carriers are a given, but smaller providers and siloed networks (like university networks) will be assessed on a case-by-case basis. The Science and Technology Committee believes the government should be "more explicit about the obligations it will and will not be placing on the industry."
Protecting encryption, or not
The IP Bill states there will be "no additional requirements in relation to encryption over and above the existing obligations in RIPA," which outlines existing surveillance powers. Currently, communications providers are required to take "reasonable steps" to make encrypted data available. The bill, however, also introduces a "technical capability notice" that would order "the removal of electronic protection." Technology and internet heavyweights fear the government is quietly attacking encryption, and will push them to make their services less secure.
The Science and Technology Committee agrees decrypted data may be useful in some special circumstances, but that the government must spell out obligations on encrypted service providers in the bill's Codes of Practice, since they aren't clear currently. The committee also suggests the Codes of Practice clearly state that end-to-end encryption will be protected, which has been more or less confirmed by government, though it's nowhere in writing.
"Equipment interference," which is a fancy term for state-sponsored hacking, is another contentious point. Though the government has been interfering for some time, the IP Bill marks the first admission. As such, the committee is of the opinion the government needs to be transparent with the public about these powers, and to be prepared to change how they're deployed based on public reaction.
Who's paying for all this?
Unclear language that's important to the interpretation of the bill is one thing, but implementing the data-gathering systems proposed by it is an entirely different issue. Communications service providers are still wrestling with what exactly will be expected of them, and therefore the technical feasibility and cost of complying with the bill. Explicit Codes of Practice to complement the legislation should provide some clarification, but the Science and Technology Committee also believes the government should at least revisit the idea of including in the bill a commitment to fund the costs of data collection in their entirety.
The Home Office has budgeted £174 million to support companies, but evidence from the UK's ISPs and mobile operators suggests this is a serious underestimate. Should companies be required to use some of their own resources, there are concerns investment in their own services will suffer and, in a worst-case scenario, customers could see their bills increase to offset this shortfall. A commitment from the government should alleviate these and similar uncertainties on how the bill will impact smaller providers.
The committee urges the government to work with the industry to improve its estimates to have a better understanding of the economic impact of the powers, which should allow for a more detailed assessment of their proportionality, too. Oversight is also key to this discussion. "Internet businesses and their users require assurances that investigatory powers will be imposed proportionately, and that the judgement as to what is proportionate should at all times be open to reasonable challenge."
The Science and Technology Committee's report hasn't brought any new arguments or controversial points to light. It does, however, offer some formal recommendations based on concerns that have cropped up time and time again during the IP Bill debate. The Joint Committee on the Draft Investigatory Powers Bill has a much tougher job, as it's expected to look at the legislation from every angle, including whether there's enough justification for such a broad intrusion on civil liberties. It's due to present its recommendations next week, and will no doubt be using today's report as a crib sheet on the many technological concerns associated with the bill.