Sophos raises five concerns about snoopers’ charter

As the draft Investigatory Powers Bill takes another step to becoming law, Sophos raises five key concerns that remain even after its revision

Information security firm Sophos has raised concerns about the Investigatory Powers Bill – or "snoopers’ charter" – as it takes another step towards becoming law.

The proposed legislation marks another milestone with the second reading in the House of Commons on 15 March 2016 – but concerns remain about the controversial bill, even after its first revision.

Although Sophos supports the concept of the bill as an initiative to help the police and intelligence forces investigate crime and terrorism while protecting the rights of individuals, the company says basic concerns have still to be addressed.

Elements of the proposed bill that would affect both the security of UK consumers’ data, and the competitiveness of UK service provider businesses, are of particular concern.

These concerns were raised by John Shaw, vice-president of product management at Sophos when he gave evidence at the Science and Technology Committee hearing about the draft bill on 10 November 2015.

“We were disappointed to see that, in the revised Investigatory Powers Bill, although the government has made some small improvements, all our fundamental concerns remain,” said Shaw.

“We agree it is critical that the government get this bill right. Rushing it through in its current form will be a mistake.” 

Shaw is concerned that the bill will be rejected, causing even greater delay to getting a proper regulatory framework in place, but is even more concerned that the bill will be passed into legislation in its current form. 

“If it does become law, it will undermine both the security and privacy of UK citizens and affect the competitiveness of UK internet service providers,” he said.

Weak definitions and data security

Sophos details five areas of concern around weak definitions, judicial commissioners, data security, backdoors and the effect on UK technology businesses.

Weak definitions in the bill, said Shaw, open it to very broad interpretation and that the government could use this to force almost any company using technology to store 12 months’ worth of almost any data.

In the current draft, communications service providers (CSPs) are still obliged to store 12 months of data for every user, putting data at risk, according to Shaw.

“The unnecessary storage of data only gives the bad guys more opportunity to steal it, and places an increased burden on CSPs to protect it. High-profile data leaks occur all too often, so why put more data at risk? At the very least, it should mandate strong encryption to protect the data at rest in the event of a breach,” he said.

Judicial commissioners

On the topic of judicial commissioners, Shaw said that while it is good to have these checks and balances in place and beneficial that they sit outside the government, commissioners are unlikely to be technical "whizz kids", so there is a question around whether they will fully understand what they are being asked to decide.

“Perhaps in addition to the ‘powerful new Investigatory Powers Commissioner’ there should also be a technical advisory board,” he said.

Backdoors

On the controversial topic of backdoors, Shaw notes that the Home Office’s summary of responses to the three parliamentary committees’ pre-legislative reviews says the revised bill makes clear that the requirement to remove encryption is limited only to encryption applied by the CSP, not to encryption applied by anyone else such as the user. 

“This would indeed be an improvement over a more general requirement, but is not clearly evident in the bill. Previously, home secretary Theresa May had stated that there would be no backdoor requirement, so more clarity is required here,” he said.

Effect on UK technology businesses

The unfair disadvantage to UK-based CSPs still seems to apply, said Shaw.

“Section 223 clearly defines this as applying to UK-based operators. The response to the committees again claims that this has been addressed – but it is not clear how,” he said.

A recently published survey reveals that only one in 10 UK citizens believes home secretary Theresa May has done enough to explain the full impact of the proposed bill.

Only one in five believes the introduction of the bill is justified, and just over a quarter believe the government has the right to pass legislation to access their mobile and internet data, according to the 2016 Consumer Openness Index survey from open-source software provider Open-Xchange.