IPB still not fit for purpose, say tech firms

Houses of Parliament
News
15 Mar, 2016

Companies and trade bodies reiterate their concerns on day of Second Reading

The tech industry has once again hit out at the UK's Investigatory Powers Bill (IPB), ahead of its Second Reading in the House of Commons today.

The proposed legislation, also known as the Snooper's Charter, has come in for heavy criticism from tech companies and civil rights campaigners alike, who have claimed its powers are too broad, it is an invasion of privacy and that what it requires is not technically feasible.

While the Bill was revised following extensive investigations by two select committees, which heard from numerous witnesses across these groups, many are still unhappy with the current wording.

John Shaw, VP of product management at Sophos, said that while his company is supportive of the concept of the IPB, he and his colleagues are "disappointed to see that in the revised Investigatory Powers Bill, although the government has made some small improvements, all our fundamental concerns remain".

Shaw listed these concerns as weak definitions, leading to very broad interpretations of the bill; putting data at risk; the tech credentials of the proposed Judicial Commissioners; a continued potential for backdoors into encryption; and putting UK content service providers at a disadvantage, as the law will only apply to them.

"We agree it is critical that the government get this bill right. Rushing it through in its current form will be a mistake. We fear the Bill will be rejected, causing even greater delay to getting a proper regulatory framework in place, or even worse it will be passed into legislation. If it does become law, it will undermine both the security and privacy of UK citizens and impact the competitiveness of UK Internet Service Providers," said Shaw.

ISPA, the trade body representing ISPs in the UK, sounded a similar note of concern.

Chairman, James Blessing, said: "ISPA supports reform of investigatory powers through a new Bill, but we are a long way from having a Bill that is clear and workable.

"Government needs to address concerns around its intentions, definitions and costs to enable industry to make a proper assessment of the Bill and help Parliament scrutinise the complex proposals. Getting this right is essential for the UK digital economy and user trust in services."

ISPA said that, as it stands, the current bill "does not do what the Home Office says it does".

"On numerous occasions, there is a disconnect between what can be found on the face of the Bill and what the Government says the Bill will be used for. Given that the Bill is highly intrusive, the Government must put all of its intentions for how it plans to use the powers on to the face of the Bill," the organisation said.

"Reliance on speeches and non-legislative documents, such as codes of practice, to make clear what the Bill explicitly intends is unsatisfactory," it added.

ISPA also said significant questions remain over costs, definition of key terms and concepts, including Internet Connection Records and even data, how ISPs can recover costs from the government -- if, indeed, they can at all.

Parliament should be given sufficient time to scrutinise the Bill, ISPA said, as it is, in the words of the Prime Minister, "one of the most important bills [the House of Commons] will discuss".

Erka Koivunen, security advisor at F-Secure, took an even stronger tone, saying: "Let us be clear on the British Government's intentions and the consequences of those actions. 'Equipment interference' is hacking. There is a reason there is a very large security industry dedicated to protecting businesses and their digital assets -- because hacking damages businesses."

"No company wants their own government or government of a friendly partner to break into their systems or undermine the security of their services. We would encourage the Government to pause and consider the implications of its intentions before it irreparably damages British businesses," Koivunen concluded.