Snooper's Charter 'could destroy customer trust in UK products'
Investigatory Powers Bill would taint UK firms with security backdoor fears, say experts
The Investigatory Powers Bill risks destroying UK technology firms' reputations on cybersecurity and privacy, according to experts, civil liberties campaigners and industry trade bodies.
The bill, also known as the Snooper's Charter, could have a serious negative effect on UK business and the economy, in addition to potentially damaging the country's reputation for democracy and human rights, various parties warned IT Pro.
Proposals included in the bill range from compelling internet service providers to hold onto users' website data for 12 months, to forcing cybersecurity firms to build backdoors into their encryption, but making it illegal for them to warn customers of such backdoors.
Erka Koivunen, a cybersecurity advisor at security firm F-Secure, said this would mean that customers of his company's Freedome VPN who accessed the internet via a UK exit node "would know that somebody else, and in this context it would be the UK government, is doing their utmost to undermine that privacy promise that we as a company try to provide".
"That itself should be a strong argument for the UK government to consider, because this same smell, if you will, will stick to other businesses that operate from the UK," added Koivunen. "If you are providing cryptography products and you say that the company originated in the UK, nobody in the future is going to believe that this is not backdoored."
Chris Boyd, malware intelligence analyst at security firm Malwarebytes, added: "Asking companies to ensure they can 'remove electronic protection' is going to cause a huge rift between product makers and consumers. They may feel that the tools they trust and use on a daily basis are somehow booby-trapped in a way that potentially works against their best interests."
Koivunen and Boyd's comments come after the publication of the House of Commons Science and Technology Committee's third report on the bill, this time addressing technological issues.
Nicola Blackwood MP, the chair of the Science & Technology Committee, said the UK's growing tech sector would be stifled by the cost burden of meeting such demands.
She said: "We need our security services to be able to do their job and prevent terrorism, but as legislators we need to be careful not to inadvertently disadvantage the UK's rapidly growing Tech sector."
"The current lack of clarity within the draft Investigatory Powers Bill is causing concern amongst businesses. There remain questions about the feasibility of collecting and storing Internet Connection Records (ICRs), including concerns about ensuring security for the records from hackers.
"The Bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers. This must be put right for the Bill to achieve its stated security goals."
Similar concerns were raised by numerous other bodies who spoke with IT Pro.
Antony Walker, deputy CEO of trade body techUK, said: "There are several important recommendations in this report that we urge the Home Office to take on board. In particular we need more clarity on fundamental issues, such as core definitions, encryption and equipment interference.
"Without that additional detail, too much of the bill will be open to interpretation, which undermines trust in both the legislation and the reputation of companies that have to comply with it."
Jim Killock, executive director of civil liberties organisation the Open Rights Group, added: "David Cameron needs to consider whether he wants to be the Conservative Prime Minister that jeopardised the success of the UK tech industry. As it stands, the Investigatory Powers Bill will be bad for business, bad for citizens and bad for UK democracy."
Lack of trust in the UK tech industry is only one way in which the Snooper's Charter could damage the UK economy, IT Pro has been told.
Speaking to sister title Cloud Pro, Michael Ginsberg, CEO of cloud-based encryption service Echoworx, said his company is ready to abandon its UK datacentres and move to Ireland if the bill becomes law.
He added that his business is not unique in this regard and that the Snooper's Charter could cost the UK $15 billion a year by driving hosting businesses abroad.
"Apart from any moral problems about snooping on its citizens and enterprises, there's some real financial risk," he said. "It has already activated us so we can imagine what larger hosting companies plans are [doing] in anticipation of this legislation, and once that data moves it won't come back. That's a real problem."
One of the most serious concerns around the Snooper's Charter, is the possibility that the massive amounts of data ISPs will be required to hold onto could be a very attractive target for cyber criminals.
In its report, the Commons Science and Technology Committee said: "It is essential that the integrity and security of legitimate online transactions is maintained if we are to trust in, and benefit from, the opportunities of an increasingly digital economy."
But Matthew Rice, advocacy officer at civil rights organisation Privacy International, warned: "The committee's report shows that the safety and security of users' data may be threatened."
"The draft Bill must be substantially revised or it will put the UK economy, as well as our privacy and security, at risk," he added.
Putting a finer point on the matter, Malwarebytes' researcher, Boyd, told IT Pro: "I would be very concerned that a large dump of internet records would be an immediately attractive proposition for those with the talent to compromise a database. The only real question is who would get there first - someone who did it for bragging rights and no real interest in the data, or somebody with more malicious intent."
Counting the cost
Much has been made of the potential cost ISPs would face by having to store the vast amounts of data required by the Snooper's Charter.
But the Committee's report said that the government should bear these costs.
It read: "While we well understand the security challenges of communications data, we strongly believe UK businesses must not be placed at a commercial disadvantage by measures to tackle security risks and that the full costs of implementing the additional measures in the draft bill should be met by government."
"Given that the cost of being able to do this is directly related to any future changes or developments in technology, we recognise this makes predicting accurately the cost of these measures difficult," it added. "This therefore raises concerns over any assessment of the costs of this scheme, which could increase or decrease, and so the value for money of this proposed legislation."
While the government pegs the cost of meeting the bill's requirements in the range of 250,000, previous attempts at this type of dragnet surveillance, such as the now abandoned Draft Communications Data Bill (also known as the Snooper's Charter), have carried an estimated cost of 2 billion.
Requiring that the government foot the bill for ISPs' costs could significantly increase this figure, particularly because ISPs such as BT have claimed in evidence submitted to the committee that it would cost "many tens of millions of pounds" to implement the technology.
The committee's latest report about the Investigatory Powers Bill can be read in full here (PDF).