UK surveillance bill could hurt tech sector, warn MPs

Parliament’s Science and Technology Committee says government's planned surveillance bill is too vague and needs to be redrafted to avoid economic damage

The UK government’s draft Investigatory Powers Bill could hurt the UK’s technology sector, MPs have warned, while some tech firms say the bill risks driving foreign investors away.

The government claims the legislation is necessary to maintain the operational capabilities of security services and law enforcement agencies in the digital age.

The draft bill is intended to consolidate, clarify and modernise existing legislation on the interception of communications and the acquisition of communications data.

But Parliament’s Science and Technology Committee said the bill is too vague and needs to be redrafted to avoid economic damage.

The call has been welcomed by technology industry association TechUK, which urged the government to “take on board” the committee’s recommendations.

Compliance costs

The committee is specifically calling for government to meet the full costs of collecting and storing electronic communications data for 12 months as required by the bill, which some commentators say is the committee’s most important recommendation.

Otherwise, the committee said in a report that uncertainty about the costs of complying with the new legislation risks undermining the UK’s strongly performing technology sector.

The government has said it will provide £175m over 10 years to cover the cost of collecting and storing internet connection records (ICRs), but internet service providers (ISPs) told the committee this will not be enough.

UK businesses must not be placed at a relative commercial disadvantage to overseas competitors by the proposed measures, the committee said in a report on its inquiry that focused on the technological aspects of the draft bill and heard evidence from a range of technology experts.

Committee chair Nicola Blackwood said it is vital to get the balance right between protecting security and the health of the UK economy. 

“We need our security services to be able to do their job and prevent terrorism but, as legislators, we need to be careful not to inadvertently disadvantage the UK’s rapidly growing technology sector,” she said.

Tech companies could leave the UK

Some technology firms that offer encryption services have warned that if the bill is enacted in its current form, they will be forced to withdraw operations from the UK.

Encryption firm Echoworx has made provisions to switch its UK operations to datacentres in Ireland if necessary.

“If the bill passes in its current form, then we are gone,” Michael Ginsberg, chief executive of Echoworx, told Computer Weekly, and he claims his company is not alone.

“In its current form, the draft bill will have a huge economic impact on the UK because other companies, much bigger than mine, will leave if the bill passes,” he said.

Facebook, Google, Microsoft, Twitter and Yahoo have said they are particularly concerned about six key aspects of the bill, including encryption. “We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption or any other means,” they said in a joint statement.

Ginsberg said the law needs to give technology firms assurances that no backdoor access will be required to encrypted communications and that all data access requests will be approved by a judicial process and not by government ministers.

Blackwood said there are widespread doubts about the terms used in the draft bill and the current lack of clarity is causing concern among businesses.

The report warned that this uncertainty is unhelpful to businesses trying to compete in a global communications market.

Industry obligations need clarification

The report also raised concern about how the costs of the legislation are to be assessed, given that they could increase or decrease depending on the rapid evolution of the technologies concerned. 

“The government must urgently review the legislation so that the obligations on the industry are clear and proportionate,” said Blackwood.

The committee said there remain questions about the feasibility and security of collecting and storing internet connection records.

The current draft of the bill contains very broad and ambiguous definitions of ICRs, said the committee, which are confusing and give rise to uncertainties over the likely scope and costs of implementing the proposed measures.

“This must be put right for the bill to achieve its stated security goals,” said Blackwood.

The committee said law enforcement or security services should, in tightly prescribed circumstances, be able to request unencrypted data from communications service providers.

However, the report said there is confusion about how the draft bill would affect end-to-end encrypted communications, where decryption might not be possible by a communications provider that had not added the original encryption.

The report calls for the government to clarify and state clearly in the “codes of practice” – which will be published alongside the bill itself – that it will not be seeking unencrypted content in such cases, in line with the way existing legislation is currently applied. 

Blackwood said encryption is important in providing secure services on the internet, from credit card transactions and commerce to legal or medical communications. 

“It is essential that the integrity and security of legitimate online transactions is maintained if we are to trust in, and benefit from, the opportunities of an increasingly digital economy.

“The government needs to do more to allay unfounded concerns that encryption will no longer be possible,” she said.

Concerns over possible equipment hacking

Some sectors of the communications industry have concerns that equipment interference could jeopardise their business model, such as those using open source software.

Clients of these companies may not be aware of when equipment interference happens because disclosure is not permitted, the committee said, and therefore the new investigatory powers commissioner should report to the public on the extent to which such measures are used and carefully monitor public reaction to this power. 

Blackwood said equipment interference may occasionally be necessary for law enforcement agencies to do their job effectively, but the technology industry has legitimate concerns about the reaction of customers to the possibility that electronic devices could be hacked by the security services.

“The Investigatory Powers Commissioner could have a role in informing the public about the extent, or the lack of it, of the actual use of equipment interference,” she said.

The committee said greater reassurance is needed in the bill, and in the codes of practice, that businesses will not be subject to disproportionate additional burdens without recompense.

The report said detailed codes of practice will be needed to provide a more effective means of assisting compliance and retaining business confidence. 

These codes of practice, the report said, should clearly set out the requirements for protecting ICR data that will have to be retained and managed by communications service providers, along with the security standards to keep them safe. 

Too many unanswered questions in draft Investigatory Powers Bill

Blackwood said the evidence the committee heard suggests there are still many unanswered questions about how this legislation will work in the fast-evolving world of communications technology.

“There are good grounds to believe that without further refinement, there could be many unintended consequences for commerce arising from the current lack of clarity of the terms and scope of the legislation. The final version of the bill will have to address this if it is to provide future-proofed legislation,” she said.

Antony Walker, deputy CEO of TechUK, said without more detail and clarity on fundamental issues, such as core definitions, encryption and equipment interference, too much of the bill will be open to interpretation, which undermines trust in both the legislation and the reputation of companies that have to comply with it.

“The draft bill presents an opportunity for the UK government to develop a world-leading legal framework that balances security needs with democratic values and protects the health of our growing digital economy, but we have to get the details right,” he said.

The Science and Technology Committee’s inquiry focused on the technological aspects of the draft bill, but did not examine the need for communications monitoring and whether the provisions for monitoring in the draft bill are proportionate to the threats faced.

These issues were examined in the parallel inquiry by the Joint Committee set up by the House of Commons to consider all aspects of the draft Investigatory Powers Bill, published on 4 November 2015.

The Joint Committee’s investigation report is also due to be published in February 2016.
