The draft Investigatory Powers Bill was published by the Government on 4 November 2015. Ministers have been clear that the intention of this Bill is to consolidate and clarify existing legislation on the interception of communications and the acquisition of communications data and to modernise the law in the light of developments in communications technologies, in order to maintain the operational capabilities of law enforcement agencies and the intelligence and security services.
Previous attempts to legislate in this area have met with criticisms over the lack of consultation with communications service providers (CSPs) on matters of technical feasibility and cost. In our inquiry we have focused on technological aspects of the draft Bill in order to identify the main technological issues involved and how these might affect the communications businesses that will have to collect data and cooperate with the security authorities.
We have not addressed the need or otherwise for the communications monitoring provisions or whether they are proportionate to the threats they are intended to deal with. We anticipate that these matters will be covered by the Joint Committee established to scrutinise the draft Bill as a whole.
Following the failure of previous attempts to introduce data legislation, the Government has made efforts to consult and engage with communications service providers likely to be most affected by the draft Bill. However, there remain widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft Bill. This has given rise to uncertainties over the likely scope and costs associated with implementing the proposed measures. Such uncertainty is unhelpful to businesses trying to compete in a global communications market and risks undermining our strongly performing Tech sector. The fast-paced nature of technological development, including the growing ‘internet of things’ and questions around encryption developments, further limits the possibility of creating legislation that can keep up with these innovations. While we well understand the security challenges of communications data, we strongly believe UK businesses must not be placed at a commercial disadvantage by measures to tackle security risks and that the full costs of implementing the additional measures in the draft Bill should be met by Government. Given that the cost of being able to do this is directly related to any future changes or developments in technology, we recognise this makes predicting accurately the cost of these measures difficult. This therefore raises concerns over any assessment of the costs of this scheme, which could increase or decrease, and so the value for money of this proposed legislation.
The Government claims that the only substantially new requirements provided for in the draft Bill relate to the retention of so-called ‘internet connection records’ (ICRs). By implication, other high-profile powers relating to the ‘removal of electronic protection’ and ‘equipment interference’ are already in place. However, the nature of ICRs and the true extent of the Bill’s ‘removal of electronic protection’ and ‘equipment interference’ powers are precisely the subject of uncertainty and concern from business due to lack of clarity in the Bill and in the consultation so far. It is clear that greater reassurance is needed—both on the face of the Bill and in forthcoming Codes of Practice—that businesses will not be subject to disproportionate additional burdens that will not be fully paid for.
Detailed Codes of Practice will be needed to provide a more effective means of assisting compliance, and retaining business confidence in the feasibility of investigatory powers provisions, by making their regular updating an explicit requirement in the Bill when it is introduced. The Bill should also require that at regular set intervals the Technical Advisory Board is consulted about keeping the Codes of Practice up to date—a new role we propose for that body—and allowing both the Government and business representatives to bring forward amendments. Those Codes of Practice should clearly address the requirements for protecting ICR data that will have to be retained and managed by CSPs, along with the security standards that will have to be applied to keep them safe. It is essential that the timetable for producing draft Codes of Practice must not be allowed to slip; they should be produced and debated alongside the Bill due to their particular significance for ensuring that this legislation meets its security goals and represents value for money to the taxpayer while protecting our economic priorities.
Greater flexibility and inclusiveness will be needed in respect of the operation and makeup of the Technical Advisory Board to ensure that the draft Bill’s measures—if enacted—remain fit for purpose and technically feasible and subject to robust challenge. The Government should review the composition of the Board to ensure that it will have members from industry who will be able to give proper consideration, not just to the technical aspects of appeals submitted to it from CSPs concerned about ICRs or other matters, but also any concerns raised about costs. The Government should also develop a framework protocol for such mediations including any formal resolution process should disagreements regarding costs or technology persist. The Government should add to the remit of the Technical Advisory Board a role in keeping under review the domestic and international implications of the evolution of the internet, digital technology and infrastructure.
Some sectors of the communications industry have concerns that ‘equipment interference’ could jeopardise their business model, for example those producing and distributing open source data. Their clients may not be aware of when equipment interference happens because disclosure is not permitted. The Government should, as far as security considerations allow, produce regular information which gives the public an indication of the extent to which such measures are used and how any disagreements on this issue are resolved. This should be a core task of the new Investigatory Powers Commissioner.
If law enforcement agencies and the intelligence and security services are effectively to combat terrorism and serious crime, they must have the means to keep pace with developments in communications. They will doubtless need to continue to deploy a range of methods for intercepting and acquiring information about communications. The evidence we have received suggests there are still many unanswered questions about how this legislation will work in the fast-moving world of technological innovation. There are good grounds to believe that without further refinement, there could be many unintended consequences for commerce arising from the current lack of clarity of the terms and scope of the legislation. It is essential that the integrity and security of legitimate online transactions is maintained if we are to trust in, and benefit from, the opportunities of an increasingly digital economy.
Prepared 30 January 2016