Investigatory Powers Bill: technology issues

Conclusions and recommendations

Technology issues

1. While we are encouraged to learn of the Government’s ongoing engagement with the internet industry, there seems still to be confusion about the extent to which ‘internet connection records’ will have to be collected. This in turn is causing concerns about what the new measures will mean for business plans, costs and competitiveness. Although the Government maintains that ICR notices will be served on particular CSPs on a case by case basis in a way which takes account of the circumstances of the particular communications provider, based on the text of the draft Bill some envisage a situation where ICRs could be required from all CSPs. Given the volume of data involved in the retention of ICRs and the security and cost implications associated with their collection and retention for the CSPs on whom ICR obligations might be placed, it is essential that the Government is more explicit about the obligations it will and will not be placing on industry as a result of this legislation. (Paragraph 30)

2. The Government, in seeking to future-proof the proposed legislation, has produced definitions of internet connection records and other terms which have led to significant confusion on the part of communications service providers and others. Terms such as “telecommunications service”, “relevant communications data”, “communications content”, “equipment interference”, “technical feasibility” and “reasonably practicable” need to be clarified as a matter of urgency. The Government should review the draft Bill to ensure that the obligations it is creating on industry are both clear and proportionate. Furthermore, the proposed draft Codes of Practice should include the helpful, detailed examples that the Home Office have provided to us. (Paragraph 31)

3. In tightly prescribed circumstances, law enforcement and security services should be able to seek to obtain unencrypted data from communications service providers. They should only seek such information where it is clearly feasible, and reasonably practicable, and where its provision would be consistent with the right to privacy in UK and EU law. The obligations on potential providers of such data should be clarified in the proposed Codes of Practice to be published in draft alongside the Bill later this year. (Paragraph 42)

4. There is some confusion about how the draft Bill would affect end-to-end encrypted communications, where decryption might not be possible by a communications provider that had not added the original encryption. The Government should clarify and state clearly in the Codes of Practice that it will not be seeking unencrypted content in such cases, in line with the way existing legislation is currently applied. (Paragraph 43)

5. The Government states that the draft Bill introduces no substantive changes to the existing ‘equipment interference’ regime. It has made the practices more visible to the public and industry, however, and it remains to be seen whether this greater visibility affects the nature or extent of such activity in practice. Some sectors of the communications industry have concerns that equipment interference could jeopardise their business model; for example those producing and distributing open source data. They have a concern that because, as now, CSPs will not be permitted to reveal any equipment interference, their clients may assume that it is used. (Paragraph 50)

6. As ever, the fight against serious crime should be appropriately balanced with the requirement to protect and promote the UK’s commercial competitiveness. We believe the industry case regarding public fear about ‘equipment interference’ is well founded. The Investigatory Powers Commissioner should carefully monitor public reaction to this power and the Government should stand ready to refine its approach to ‘equipment interference’ if these fears are realised. Taking into account security considerations, the Investigatory Powers Commissioner should report to the public on the extent to which such measures are used. (Paragraph 51)

Impacts on communications businesses

7. Given the speed with which this legislation must be in force, the Government must work with industry to improve estimates of all of the compliance costs associated with the measures in the draft Bill, for meeting ICR-related and other obligations, as a matter of urgency. Should the measures in the draft Bill come into force, it will be important for Parliament to have access to information on actual costs incurred in order to assess the proportionality and economic impact of the investigatory powers regime and its effectiveness. (Paragraph 65)

8. Larger CSPs may be able to take some assurance from the Government’s commitment to meet their “reasonable” costs and avoid putting any affected businesses “at commercial disadvantage”. However, smaller CSPs may not be certain that they will be served with a notice to collect ICRs and, if they do have to, whether their costs will in fact meet the Government’s ‘reasonable costs’ criteria for reimbursement. The Government should reconsider its reluctance to include in the Bill an explicit commitment that Government will pay the full costs incurred by compliance. (Paragraph 66)

9. The Government intends to publish draft Codes of Practice when it introduces the Bill itself, later this year. It is essential that this timetable does not slip and that the Codes of Practice are indeed published alongside the Bill so they can be fully scrutinised and debated. The Government should reduce uncertainty about compliance burdens for businesses, proportionality and about cost recovery, by explicitly addressing such issues in the Codes of Practice. These Codes of Practice should clearly address the requirements for protecting ICR data that will have to be retained and managed by CSPs, along with the security standards that will have to be applied to keep them safe. Businesses based in the UK and those serving UK customers should not be placed at a commercial disadvantage compared with their overseas competitors. (Paragraph 71)

10. Detailed Codes of Practice will be needed to provide a more effective means of assisting compliance, and retaining business confidence in the feasibility of investigatory powers provisions, and their regular updating should be an explicit requirement in the Bill when it is introduced. Specifically, the Bill should require that at regular set intervals (perhaps yearly) the Technical Advisory Board is consulted about keeping the Codes of Practice up to date—a new role we propose for that body—and allowing both the Government and business representatives to bring forward amendments. (Paragraph 72)

11. From the evidence we have received, it is clear that the Home Office has engaged with communications businesses and the wider internet community. This should remain a central strand of the Government’s strategy to ensure effective implementation and for seeking to allay concerns over current uncertainties and confusion arising from the way some terms are defined in the draft Bill. (We have separately recommended clarifying definitions and strengthening consultation processes through the Technical Advisory Board once the Bill is enacted.) (Paragraph 75)

12. Internet businesses and their users require assurances that investigatory powers will be imposed proportionately, and that the judgement as to what is proportionate should at all times be open to reasonable challenge. The proposed Investigatory Powers legislation, to the extent that it consolidates and clarifies mostly existing provisions, is itself an important response to that requirement. The Government should continue to consult and explain fully the likely implications of the proposed legislation. (Paragraph 76)

13. The Government should review the composition of the Technical Advisory Board to ensure that it will have members from industry who will be able to give proper consideration, not just to the technical aspects of appeals submitted to it from CSPs concerned about ICR or other interception or ‘interference’ notices, but also any concerns raised about costs. The Government should also produce an explicit framework for how mediation of disputes and challenge will be resolved. The Government should consider whether the Board will need stronger legal expertise in light of the new investigatory powers that it will have to deal with. Membership of the Board should also more generally reflect a wide range of internet industries and expertise, and be able to co-opt individuals from individual businesses likely to be directly affected. (Paragraph 80)

14. The Government did not set up the ‘Advisory Council for Digital Technology and Engineering’ advocated by the Royal United Services Institute. It should nevertheless add to the remit of the Technical Advisory Board a role it envisaged for that Council—to keep under review the domestic and international implications of the evolution of the internet, digital technology and infrastructure. (Paragraph 81)

© Parliamentary copyright 2015

Prepared 30 January 2016