
Out-Law News

Communication providers should not have to decrypt messages encrypted by others under new surveillance laws, say MPs


New UK surveillance laws should not impose obligations on communication providers to decrypt messages sent over their networks if they have not added the encryption to those messages, a committee of MPs has said.

The Science and Technology Committee, which has assessed the technical feasibility of the draft Investigatory Powers Bill, said, though, that the new laws should allow intelligence agencies to request that communication providers decrypt data they have encrypted "in tightly prescribed circumstances".

"In tightly prescribed circumstances, law enforcement and security services should be able to seek to obtain unencrypted data from communications service providers," the Committee said in a report published at the end of its inquiry. "They should only seek such information where it is clearly feasible, and reasonably practicable, and where its provision would be consistent with the right to privacy in UK and EU law. The obligations on potential providers of such data should be clarified in the proposed codes of practice to be published in draft alongside the Bill later this year."

"There is some confusion about how the draft Bill would affect end-to-end encrypted communications, where decryption might not be possible by a communications provider that had not added the original encryption. The government should clarify and state clearly in the codes of practice that it will not be seeking unencrypted content in such cases, in line with the way existing legislation is currently applied," it said.

Giving evidence in December to another parliamentary committee that is scrutinising the Bill, Mark Hughes, head of corporate security at Vodafone, raised concern about provisions of the draft laws that would force communication network operators to decrypt communications sent over their networks via other communication services, like Skype and WhatsApp, if requested to do so.

In its report, the Science and Technology Committee said that the current draft of the Bill lacks clarity over how some terms are defined, as well as over "the extent to which ‘internet connection records’ (ICRs) will have to be collected" by communication providers.

This confusion is making it difficult to estimate how much it will cost communication service providers (CSPs) to comply with the new laws, the Committee said.

"Given the volume of data involved in the retention of ICRs and the security and cost implications associated with their collection and retention for the CSPs on whom ICR obligations might be placed, it is essential that the government is more explicit about the obligations it will and will not be placing on industry as a result of this legislation," it said.

"Given the speed with which this legislation must be in force, the government must work with industry to improve estimates of all of the compliance costs associated with the measures in the draft Bill, for meeting ICR-related and other obligations, as a matter of urgency," the Committee said.

The Committee said that the UK government should be ready to adapt rules relevant to the use of 'equipment interference' powers if the planned laws negatively impact on UK businesses.

"As ever, the fight against serious crime should be appropriately balanced with the requirement to protect and promote the UK’s commercial competitiveness," the Committee said. "We believe the industry case regarding public fear about ‘equipment interference’ is well founded. The investigatory powers commissioner should carefully monitor public reaction to this power and the government should stand ready to refine its approach to ‘equipment interference’ if these fears are realised."

The UK government has separately published a code of practice on equipment interference (44-page / 341KB PDF).

MP Nicola Blackwood, chair of the Science and Technology Committee, said: "It is vital we get the balance right between protecting our security and the health of our economy. We need our security services to be able to do their job and prevent terrorism, but as legislators we need to be careful not to inadvertently disadvantage the UK’s rapidly growing tech sector… The government must urgently review the legislation so that the obligations on the industry are clear and proportionate."

"There remain questions about the feasibility of collecting and storing Internet Connection Records (ICRs), including concerns about ensuring security for the records from hackers. The Bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers. This must be put right for the Bill to achieve its stated security goals," she said.
