U.K. committee studying surveillance bill warns against ban on strong encryption

The parliamentary committee with jurisdiction over the British government’s sweeping new counterterrorism bill issued a critical report Monday questioning its impact on the business community and the general public.

In a 38-page analysis of the Investigatory Powers Bill, the House of Commons’s Science and Technology Committee cited “concerns about what the new measures will mean for business plans, costs, and competitiveness.”

The Investigatory Powers Bill has attracted significant controversy from technology companies, privacy advocates, and technical experts. Its opponents worry that it would empower the British government to require tech companies to build “backdoors” in their encryption, thus guaranteeing that investigators can access suspects’ communications but also giving hackers a new way to exploit those products.

Opponents call the bill a “snoopers’ charter” that would broaden government surveillance by expanding the bulk collection of telephone and Internet records. Beyond simple “metadata”—records of who called whom, when they spoke, and for how long—the legislation would also let the government sweep in “Internet connection records,” vaguely defined pieces of information that log “the Internet services a specific device has connected to,” including websites visited or chat applications opened.


Critics also point to provisions that allow the government to hack into commercial electronics to surveil suspects, a practice that they say would undermine the security of these products.

In its report, the technology committee noted the potent privacy and security concerns, and it sharply criticized the bill for being overly vague, saying companies needed clearer guidance in order to comply.

“Given the volume of data involved in the retention of [Internet connection records] and the security and cost implications associated with their collection and retention for the [companies] on whom ICR obligations might be placed,” the committee said, “it is essential that the Government [be] more explicit about the obligations it will and will not be placing on industry as a result of this legislation.”

The committee urged Home Secretary Theresa May and her staff to “review the draft Bill to ensure that the obligations it is creating on industry are both clear and proportionate.”

The committee did not rebuke the bill’s drafters for including controversial provisions about encryption, but it did say that the government should only exercise its authority to require the decryption of communications “in tightly prescribed circumstances.”

“They should only seek such information where it is clearly feasible, and reasonably practicable, and where its provision would be consistent with the right to privacy in U.K. and E.U. law,” the report suggested.

More specifically, the committee noted the existence of “confusion” about whether the Investigatory Powers Bill would outlaw strong encryption, a form of protection that even tech companies cannot break. This is the issue at the center of the global encryption debate between intelligence officials and technologists, one that began in the 1990s but gained new prominence after the 2015 Paris and San Bernardino, California, terrorist attacks.

The committee recommended that the government “clarify and state clearly in the Codes of Practice that it will not be seeking unencrypted content” when doing so would require banning strong encryption.

“Encryption is important in providing the secure services on the Internet we all rely on, from credit card transactions and commerce to legal or medical communications,” Nicola Blackwood, a member of parliament who represents Oxford West and Abingdon and chairs the technology committee, said in a statement.

“It is essential that the integrity and security of legitimate online transactions is maintained if we are to trust in, and benefit from, the opportunities of an increasingly digital economy,” Blackwood added. “The Government needs to do more to allay unfounded concerns that encryption will no longer be possible.”

The committee noted criticisms of the hacking authority, known as “equipment interference,” and said that “public fear” about this power was “well founded.” But it did not recommend removing the provision from the bill. Instead, it recommended “monitor[ing] public reaction to this power” and said the government should be ready to “refine its approach to ‘equipment interference’ if these fears are realised.”

In her statement, Blackwood said that government hacking might sometimes be necessary, but she added that technology companies had “legitimate concerns about the reaction of their customers to the possibility that electronic devices could be hacked by the security services.”

The bill’s authors, the committee suggested, had not properly addressed what the report called “the burdens that will arise from it—those that will be placed on communications businesses and those on law-abiding people who may suffer a loss of privacy.”
