Information security firm Sophos has raised concerns about the Investigatory Powers Bill – or "snoopers’ charter" – as it takes another step towards becoming law.
Although Sophos supports the concept of the bill as an initiative to help the police and intelligence services investigate crime and terrorism while protecting the rights of individuals, the company says its basic concerns still have to be addressed.
Elements of the proposed bill that would affect both the security of UK consumers’ data, and the competitiveness of UK service provider businesses, are of particular concern.
“We were disappointed to see that, in the revised Investigatory Powers Bill, although the government has made some small improvements, all our fundamental concerns remain,” said Shaw.
“We agree it is critical that the government get this bill right. Rushing it through in its current form will be a mistake.”
Shaw is concerned that the bill will be rejected, causing even greater delay to getting a proper regulatory framework in place, but is even more concerned that the bill will be passed into legislation in its current form.
“If it does become law, it will undermine both the security and privacy of UK citizens and affect the competitiveness of UK internet service providers,” he said.
Weak definitions and data security
Sophos details five areas of concern around weak definitions, judicial commissioners, data security, backdoors and the effect on UK technology businesses.
Weak definitions in the bill, said Shaw, leave it open to very broad interpretation, and the government could use this to force almost any company using technology to store 12 months' worth of almost any data.
In the current draft, communications service providers (CSPs) are still obliged to store 12 months of data for every user, putting data at risk, according to Shaw.
“The unnecessary storage of data only gives the bad guys more opportunity to steal it, and places an increased burden on CSPs to protect it. High-profile data leaks occur all too often, so why put more data at risk? At the very least, it should mandate strong encryption to protect the data at rest in the event of a breach,” he said.
On the topic of judicial commissioners, Shaw said that while it is good to have these checks and balances in place and beneficial that they sit outside the government, commissioners are unlikely to be technical "whizz kids", so there is a question around whether they will fully understand what they are being asked to decide.
“Perhaps in addition to the ‘powerful new Investigatory Powers Commissioner’ there should also be a technical advisory board,” he said.
On the controversial topic of backdoors, Shaw noted that the Home Office's summary of responses to the three parliamentary committees' pre-legislative reviews says the revised bill makes clear that the requirement to remove encryption is limited to encryption applied by the CSP, not to encryption applied by anyone else, such as the user.
“This would indeed be an improvement over a more general requirement, but is not clearly evident in the bill. Previously, home secretary Theresa May had stated that there would be no backdoor requirement, so more clarity is required here,” he said.
Effect on UK technology businesses
The unfair disadvantage to UK-based CSPs still seems to apply, said Shaw.
“Section 223 clearly defines this as applying to UK-based operators. The response to the committees again claims that this has been addressed – but it is not clear how,” he said.
A recently published survey reveals that only one in 10 UK citizens believes home secretary Theresa May has done enough to explain the full impact of the proposed bill.
Only one in five believes the introduction of the bill is justified, and just over a quarter believe the government has the right to pass legislation to access their mobile and internet data, according to the 2016 Consumer Openness Index survey from open-source software provider Open-Xchange.