Briefing on Investigatory Powers Bill Prepared for the Public Bill Committee March 2016

Transcription

1 Briefing on Investigatory Powers Bill Prepared for the Public Bill Committee March 2016 Talal Rajab Programme Manager Antony Walker Deputy CEO St Bride Street T London F EC4A 4AD

2 About techuk 1. techuk represents the companies and technologies that are defining today the world that we will live in tomorrow. More than 850 companies are members of techuk. Collectively they employ approximately 700,000 people, about half of all tech sector jobs in the UK. These companies range from leading FTSE 100 companies to new innovative start-ups. The majority of our members are small and medium sized businesses. Summary 2. On 1 st March, the Home Office published a revised Investigatory Powers Bill, alongside six Codes of Practice and the Government s response to pre-legislative scrutiny. 3. In response to three Parliamentary Committees, the Home Office has made a number of changes to the draft Bill, covering a number of areas that are directly of interest to techuk members such as encryption, extraterritoriality and privacy and security on the internet. 4. Despite these changes, techuk still has a number of concerns with the revised Bill that we would like to be considered by the Public Bill Committee. This informal briefing is intended to highlight to the Committee, ahead of the first evidence session tomorrow, some of the key concerns that they may wish to pay particular attention to. 5. techuk s members take their legal responsibilities to work with the security services extremely seriously. In light of recent events and the current climate of global security concerns, it is even more important that a clear legal framework for investigatory powers is established; one that is worthy of emulation around the world and is a cornerstone of an international framework that is transparent, workable and predictable for global companies, agencies and citizens. 6. This is a highly complex Bill, with significance for all of us. techuk looks forward to engaging with the Committee in their vital work of scrutinising this very important piece of legislation and giving the Bill the maximum parliamentary scrutiny the Home Office has promised. This document will be followed up with a more detailed briefing over the coming weeks as the Committee proceeds to line by line scrutiny. 2

3 Privacy and Transparency 7. Given the context in which the Bill was published and the importance that technology companies place in protecting their customers privacy and security, it is crucial that transparency forms the backbone of the powers that are afforded to the security services. 8. It is for this reason that the Intelligence and Security Committee (ISC), along with others, called for an overarching statement on the face of the Bill clearly setting out the universal privacy protections which apply across the full range of investigatory powers and for privacy protections to form the backbone of the Bill. 9. The Home Office, in response, has simply added the word privacy to the subheading in Part 1. This falls short of the recommendation put forward by the ISC and techuk calls on the Public Bill Committee to ensure that the Bill adequately addresses privacy safeguards. Extraterritoriality 10. The current legal framework for law enforcement to request lawful access to data from other jurisdictions is fragmented, with conflicts of law making it difficult for companies and users to navigate their way and understand their privacy rights. 11. Sir Nigel Sheinwald, in his report to the Prime Minister, stated that the only long term solution to this problem is through an international legal framework that takes into account issues of proportionality, necessity and transparency. He called on the Government to work with its overseas counterparts to establish a common set of rules to resolve these conflicts across jurisdictions. 12. This call was also reflected by the Joint Committee on the draft Investigatory Powers Bill and the ISC, which called for the Government to re-double its efforts to implement Sheinwald s recommendations. 13. Despite these concerns, little has changed in the revised Bill in relation to extraterritorial provisions. Extraterritorial provisions that undermine the long term objective of an international framework still remain, despite the Home Office s assertion that it is engaging in preliminary discussions with international partners. 14. The Public Bill Committee must put the proposed new international framework at the heart of the Bill and establish it on the face of the Bill as the primary mechanism for investigations involving overseas providers. Encryption 15. End to end encryption is essential in protecting sensitive personal information and securing online communications and transactions. It is increasingly the bedrock on which all secure communications rests and once it is undermined there can only be less confidence in transactions online. 3

4 16. Although the Government has stated that it is not seeking to restrict or weaken encryption, the Home Office has been reluctant to say explicitly whether they intend the Bill to give them the powers to demand the removal of end to end encryption. It therefore remains the case that the Bill does not provide clarity as to whether the government expects CSPs to provide data where their service is end to end encrypted in other words the government has ducked the question of whether it expects encryption keys to be compromised and back doors installed. This, despite the Joint Committee asking for it to be made explicit on the face of the bill that encryption keys should not be compromised and back doors not installed. 17. It should be noted that the Bill has been revised to make explicit the previously implicit understanding that where an obligation is placed on a CSP which includes the removal of encryption, the technical feasibility and likely cost of complying with those obligations must be taken into account. Although this is broadly welcome, this wording falls short of providing legal certainty for companies what constitutes technical feasibility and what compliance costs, for example, are acceptable? 18. It is therefore left implicit that the CSP will have to do weaken its encryption if the Home Secretary comes to the conclusion that it is justified. The process for reaching such a fundamental decision would be secret and without clear rules. Despite some requirements to consult, the Home Secretary is the final arbiter of her own decision. There is also no judicial oversight of this power. Equipment Interference and Bulk Equipment Interference 19. Technology companies have legal obligations to ensure the security of their networks and services. The resiliency of a company s security is a fundamental aspect of their ability to compete in a global market. Although the Government stresses it wants to improve UK cyber security, equipment interference (EI) has the potential to create risks or vulnerabilities for companies. It is one thing for the authorities to deploy methods to try to access information which may be immediately beyond their reach, but quite another to require the assistance of businesses who are dedicated to improving security in an attempt to undermine that very security. 20. Neither the face of the Bill nor the Codes of Practice acknowledge the dangers inherent within equipment interference provisions. In fact the key recommendations by the three Committees that scrutinised the Bill, that attempted to safeguard the use of equipment interference, have all been ignored and in some instances EI powers have been extended rather than limited. 21. For example, despite the draft Codes of Practice on Equipment Interference requiring EI warrants to include an assessment of any risks to the security or integrity of systems or networks, this assessment on the face of it seems different to the Joint Committee s recommendation of a detailed risk analysis of the possibilities of system damage and collateral intrusion and how such risks will be minimised. 22. Furthermore, under provisions in the new Bill police officers will now be able to use EI for threat to life situations. The new Bill also provides for the Secretary of State to authorise bulk EI warrants in urgent circumstances. 23. There are therefore no provisions within the Bill or Codes of Practice establishing the primacy of network integrity and cyber security. Neither is there a requirement for 4

5 agencies to inform companies of vulnerabilities that may be exploited by other actors. 24. It is important that the Committee considers whether there should be a provision within the Bill that guarantees that EI does not introduce new vulnerabilities into systems and that requires detailed risk analyses of the effects of EI as recommended by the Joint Committee. Internet Connection Records 25. One of the significant new powers proposed in the draft Bill is the extension of the definition of types of communications data that CSPs are required to retain to include what the Government has called internet connection records (ICR). 26. Although the revised Bill now has a single definition of ICRs that remains consistent throughout, with references to internet connection records appearing in both the authorisation and retention sections of the Bill, it should be noted that ICRs are not a term that industry has used before and requires a radical departure from normal business practices for industry. 27. Tellingly, the Codes of Practice admit this by stating that there will be no single set of data that constitutes an internet connection record and that in practice it will depend on the service and service provider concerned. This acknowledgement highlights the difficulties that industry will face if required to generate and retain ICRs. 28. It seems that rather than addressing the concerns of industry and the public about the scope of powers related to ICRs, the Home Office has responded by extending the powers rather than limiting them. 5