Tech firms critical of UK draft Investigatory Powers Bill

Network exploitation

The authority to engage in computer network exploitation, or equipment interference, is a “step in the wrong direction” and would be a “very dangerous precedent to set” because it could involve the introduction of risks or vulnerabilities into products or services, the companies said in a written submission to the Joint Committee on the draft Investigatory Powers Bill inquiry.

The Joint Committee, which is currently taking oral submissions, was appointed to consider the draft Investigatory Powers Bill, published on 4 November 2015, and will report in February 2016.

On the topic of network exploitation, the tech firms also expressed concern that there are no statutory provisions relating to the importance of network integrity and cyber security, nor a requirement for agencies to inform companies of vulnerabilities that may be exploited by other actors.

“We urge the government to make clear that actions taken under authorisation do not introduce risks or vulnerabilities for users or businesses, and that the goal of eliminating vulnerabilities is one shared by the UK government. Without this, it would be impossible to see how these provisions could meet the proportionality test,” the statement said.

Draft bill could conflict overseas providers

The tech firms also urged the UK government to take into consideration that user trust is essential to their ability to continue to innovate, and that governments’ surveillance authorities – even when transparent and enshrined in law – can undermine users’ trust in the security of their products and services.

The firms also reminded government that key elements of whatever legislation is passed by the UK are likely to be replicated by other countries, and that unilateral imposition of obligations on overseas providers will conflict with legal obligations such providers are subject to in other countries.

They said the government should also consider that “an increasingly chaotic international legal system will leave companies in the impossible position of deciding whose laws to violate”.

If the UK legislation retains authority to reach extraterritoriality, the companies said the bill should consistently and explicitly state that no company is required to comply with any warrant that would contravene its legal obligations in other jurisdictions. 

Encryption could be weakened

The submission calls for greater clarity around encryption, saying it is a fundamental security tool that is important to the security of the digital economy, as well as crucial to ensuring the safety of web users worldwide.

“We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption or any other means. We therefore have concerns that the Bill includes ‘obligations relating to the removal of electronic protection applied by a relevant operator to any communication or data’, and that these are explicitly intended to apply extraterritoriality with limited protections for overseas providers,” they said.

In the light of statements by home secretary Theresa May that the bill is not intended to weaken the use of encryption, the tech firms suggest that the bill expressly state that nothing in the bill should be construed to require a company to weaken or defeat its security measures.

The tech firms expressed concerns that the bill suggests that a company could be required to generate data for retention. “No business should be compelled to generate and retain data that it does not ordinarily generate in the course of its business,” the statement said.

The tech firms call for the “judicial review” standard to be clarified to ensure that the judge reviews the actual merits of the matter, and not just the process by which decisions and actions were taken by the authorising secretary.

The tech firms state that surveillance laws should not permit bulk collection of information and call for the general safeguards sections to explicitly include “minimisation” provisions, ensuring that only the necessary and proportionate amount of data is obtained, analysed and retained, while all other data should be destroyed.

Tech firms call for clarity

According to the tech firms, many aspects of the bill are “opaque”, such as judicial authorisation and the extent of the obligations on companies outside of the UK.

“We urge the Joint Committee and the Home Office to do all that it can to ensure that the whole bill is written clearly and unambiguously,” the statement said.

The tech firms are all members of the Reform Government Surveillance (RGS) coalition, which has repeatedly called on the US government to reform National Security Agency (NSA) surveillance processes.

“We believe the best way for countries to promote the security and privacy interests of their citizens, while also respecting the sovereignty of other nations, is to ensure that surveillance is targeted, lawful, proportionate, necessary, jurisdictionally bounded and transparent,” the companies said.

“These principles reflect the perspective of global companies that offer borderless technologies to billions of people around the world.”

The tech firms said they want to help establish a framework for lawful requests for data that, consistent with principles of necessity and proportionality, protects the rights of the individual and supports legitimate investigations.

Security minister John Hayes said in a statement: “We are clear about the need for legislation that will provide law enforcement and the security and intelligence agencies with the powers they need in the digital age, subject to strict safeguards and world-leading oversight,” reports the Independent.