A second committee of the U.K. House of Commons has issued a critical report on the British government’s controversial surveillance legislation.
In a report issued Tuesday, Parliament’s Intelligence and Security Committee warned that the Investigatory Powers Bill, proposed by Home Secretary Theresa May, contained vague privacy language, worrisome provisions about legal government hacking and the bulk collection of data, and unclear obligations for tech companies.
“It appears that the draft Bill has perhaps suffered from a lack of sufficient time and preparation,” the report said, “and it is important that this lesson is learned prior to introduction of the new legislation.”
The bill, designed to enhance U.K. counter-terrorism powers, has faced scathing criticism for empowering British officials to engage in controversial new activities without clear-cut safeguards. Parliament’s technology committee raised its own concerns in a report issued last week.
The committee’s report did not suggest that all of these new powers—including hacking into commercial equipment and collecting Internet communications records in bulk—were inappropriate. But it identified several areas where the transparency of the process and the limitations on intelligence officials were severely lacking.
The bill creates two categories of warrant, targeted and bulk, for hacking, which is referred to in the bill as “equipment interference.” Targeted warrants cover equipment that is linked based on its location or owners, such as all computers controlled by a particular terrorist network. The committee criticized this category for being too broad and noted that the government couldn’t even describe a situation that would require a bulk warrant.
“The Committee acknowledges that the Agencies need the capability to undertake Equipment Interference as necessary,” the report said. “However, the Committee has not been provided with sufficiently compelling evidence as to why the Agencies require Bulk Equipment Interference warrants, given how broadly Targeted Equipment Interference warrants can be drawn.”
The report also suggested that the bill be rewritten to require a hacking warrant for overseas operations; it currently only requires one for hacking conducted in the United Kingdom.
Another controversial provision in the bill lets the government request a warrant to obtain large swaths of information connected only by theme, such as travel records, without regard to the individuals targeted. The committee urged the government to drop this provision and stick with the other, narrower type of warrant that only targets a specific database or group of records.
Committee members also criticized the “inconsistent and largely incomprehensible” restrictions on collecting and analyzing Britons’ communications data, including both the content of messages and “metadata” about them, such as who contacted whom, when the communication occurred, and how long it lasted.
One contradiction drew particular scorn: British spies cannot search the communications of U.K. residents that they accidentally collect in the process of unrelated operations, but they can search the metadata that describes those communications.
“The Committee recommends that the same process for authorizing the examination of any Communications Data (including [metadata]) is applied, irrespective of how the Agencies have acquired the data in the first instance,” the report said. “This must be clearly set out on the face of the Bill: it is not sufficient to rely on internal policies or Codes of Practice.”
The committee also noted tech companies’ concerns about a provision allowing the government to regulate the technical specifications of commercial code. “Some [companies] have expressed serious concern as to this seemingly open-ended and unconstrained power, suggesting that this may lead to banning end-to-end encryption,” the report said. “The Home Office must ensure that the legislation provides clarity as to the nature and scale of these obligations.”
Through this provision, the United Kingdom joined the list of countries considering legislation with encryption mandates. U.S. lawmakers are preparing a bill that could require tech companies to design their encryption so that government agents would be able to pierce it for investigations. Technical experts warn that such guaranteed-access schemes would undermine the strength of the encryption by presenting new avenues for hackers.