UK Surveillance Law – More Clarification Needed


In November 2015, the United Kingdom drafted an Investigatory Powers Bill with the intention of updating its laws on how police and intelligence agencies can collect private communications in order to support their abilities to counter crime, terrorism, or other national and economic security threats. The bill is partially designed to collate all pertinent and segmented powers that currently reside in different legislative acts. For example, the UK’s domestic security service, MI5, was empowered to collect and analyze “bulk” data from the Internet long before the invention of the World Wide Web, so the need to update roles and responsibilities is a driving catalyst for this piece of legislation.

Some key provisions in the draft bill include but are not limited to the following:

  • Clearly empowers security services to conduct bulk collection of personal communications data;
  • Gives legal power to security services to conduct cyber-based operations to access targeted computers, including those of persons in sensitive professions, for the purpose of surveillance and monitoring, as well as legally mandates companies to facilitate the bypassing of any existing encryption technologies;
  • Internet and telecommunications companies are required to maintain “permanent capabilities” to intercept and collect data traversing their networks;
  • Data interception warrants will require a judge’s authorization; and
  • Enforcement of obligations on overseas web and phone companies, including U.S. companies, in the courts will be limited to interception and targeted communications data requests. Bulk communications data requests, including internet connection records, will not be enforceable.

The UK government touts the bill as being more transparent and relevant to the existing realities of the digital age, measures intended to assuage concerns of government overreach while better positioning authorities to address threats in cyberspace. However, despite these reassurances, the bill has come under fire from opponents, particularly human rights groups as well as some IT companies. Even the UK government-appointed watchdog acknowledged that the powers could be damaging.

In its current form, human rights advocates believe that the bill threatens the rights to freedoms of expression and association. In their estimation, the bill retains many broad definitions that include mass surveillance and data retention, and they are calling for a review to ensure the tenets are in accordance with international human rights law. Under its current draft, companies would be compelled to retain all activity records of every citizen for at least 12 months. Furthermore, civil liberty groups cite the lack of official oversight as a grave issue that could be exploited to facilitate the type of blanket surveillance akin to police states and authoritarian regimes.

Members of Parliament share similar concerns over the vagueness in key term definitions, which were expressed, among other issues, in a published report. Chief among them is the potential impact that the bill would have on the UK’s tech sector, as industry obligations under this current bill draft are unclear. According to one member of Parliament, the current draft does not resolve questions about the collection and storing of Internet Connection Records and how such records will be protected. This runs the risk of not only undermining trust in the legislation itself, but also in the reputation of the companies that will be required to do it.

Pushback is also being exerted by tech companies. In late December 2015, Apple criticized the UK’s draft law, raising the question of whether such surveillance powers could incite international conflicts. Such stringent laws could influence other governments to enact similar legislation for reciprocity purposes, creating a veritable quagmire for companies operating in several countries. Further complicating matters, the proposed law could, via search warrant, compel these companies to provide data held in other countries. But Apple is not alone. Microsoft, Google, and Facebook, among others, have also raised objections, citing that the bill would potentially undermine customer confidence in the integrity of their brands. Although the UK Homeland Secretary claimed that encryption would not be banned, many of these companies worry that encryption would be weakened in order to provide access to authorities. The bill would potentially strengthen the authority to compel firms to give up decryption keys so that encrypted messages could be read. The argument here is that backdoors such as these could be potentially exploited by malicious actors as well as investigators.

The UK government is currently reviewing comment papers from all concerned stakeholders, as well as holding hearings, before the bill comes to a vote this spring. After the terrorist bombing in Paris, where it’s believed the attackers communicated via encrypted channels, there may be enough support for this bill to be enacted without much editing. If so, this would be a disconcerting turn of events, as transparency and clarity are integral in order to provide the government with necessary capabilities while assuring the public it won’t be at the expense of their or business interests. Rather than rush the bill to enactment, the UK needs to demonstrate that it’s listening to the very entities that will be invariably impacted by its passing, and in doing so, put all aspects of its constituency’s safety at the forefront of this legislation.