UPDATE Joint Committee Scalds UK Government’s ISP Internet Spying Bill

The cross-party Joint Committee, which was setup to review the Government’s controversial Investigatory Powers Bill (IPB) that aims to force broadband ISPs into logging and monitoring a bigger slice of your Internet activity, has criticised the bill and said that “significant” work will be needed to fix it.

The draft bill introduces a number of new powers which, among other things, would include measures that are designed to force broadband ISPs into logging a much bigger slice of everybody’s online activity (Internet Connection Records) and then keeping that log for up to 12 months (Data Retention); irrespective of whether or not you’ve committed a crime.

On top of that the bill would also make the related ICRs more easily accessible for law enforcement agencies through a complex “Request Filter” (not unlike a central database) and Police wouldn’t need a full warrant in order to gain access, although a warrant would still be needed for more targeted and detailed interception.

Furthermore some fear that the bill could also weaken the encryption of Internet based communication because it imposes an obligation upon companies to ensure that they can provide related content when requested by police. But this conflicts with end-to-end encryption, where not even the provider can see what is being said.

However a number of reports and experts have already criticised the bill (here, here, here and here), with most warning that it does not appear to provide adequate safeguards against abuse, hasn’t been given enough time for debate and could cost significantly more than the currently estimated £175m+.

The bill also fails to clarify precisely what an ICR should constitute and how it would expect Internet providers to actually go about the business of catching all the data. Suffice to say that there are a lot of concerns and so it’s no surprise to find that today’s huge report from the Joint Committee, which is the most important one of all, echoes many of the same gripes.

Lord Murphy of Torfaen, Chairman of the Committee, said:

“The Prime Minister described the draft Bill as being the most important in the current session. It is indeed significant in scale and scope and comes at a time when public debates over the tension between civil liberties and security are prominent.

There is much to be commended in the draft Bill, but the Home Office has a significant amount of further work to do before Parliament can be confident that the provisions have been fully thought through. In some important cases, such as the proposal for communications service providers to create and store users’ internet connection records, the Committee saw the potential value of the proposal but also that the cost and other practical implications are still being worked out. In a number of areas the definitions used in the Bill will be important, and we have asked the Home Office to do more to address these.

The creation of a new judicial oversight body and the much greater involvement of judges in the authorisation of warrants allowing for intrusive activities are both to be welcomed. We make a series of recommendations which aim to ensure that the new system will deliver the increased independence and oversight which has been promised.”

Overall the Committee makes 86 detailed recommendations, such as one that calls for the issue of encryption to be clarified in the bill and a “fuller justification” for the use of any so-called Bulk Powers. The report also says that ISPs should be provided with enough money to help safeguard the data they retain, but that the Government should NOT pay 100% of the costs (that could be a problem for smaller ISPs).

As hinted in the comment above, the report is “not persuaded that enough work has been done to conclusively prove the case” for ISPs to create Internet Connection Records (ICR) and if they are used then there is a need for a more robust oversight and approvals process. The committee also says that the bill, once enacted, should be reviewed every 5 years to ensure that it’s being used correctly (an annual report is also recommended).

Furthermore there’s a concern that interception warrants could be used to cover a very wide number of people and the report seeks safeguards to protect against such abuse, with a view to the legislation being more targeted.

No doubt many will welcome today’s report, although it’s important to stress that most of the key measures still have support and the questions tend to arise more around the correct definitions, costs and safeguards involved. In other words, there’s nothing here that would stop the bill, but it does need a lot of work.

Similarly the Committee appeared to have no major concerns about the feasibility of a “Request Filter” (i.e. an API style method by which ISPs must facilitate access to the data) and believes that ISPs will be able to solve the technical and security challenges involved in its implementation. Smaller providers may have some concerns about that one.

Suffice to say that the report is huge and you’ll probably need to set aside a full day to get through it all. The question now is whether the Home Office will make the necessary changes or adopt a more piecemeal approach, although this time around the bill appears to have a lot more support among the main political parties and it may thus survive its way into law.

UPDATE 11:55am

The ISPA have given their reaction.

James Blessing, ISPA Chair, said:

“This report adds to the chorus of voices calling for the Home Office to change the legislation so it’s feasible, proportionate and does not harm the UK Internet industry. ISPA believes a new framework is needed to replace the various outdated laws, but we need further clarity on Internet Connection Records, definitions and costs”.