Investigatory Powers Bill: technology issues

3 Impacts on communications businesses

52. Before the publication of the draft Bill, the Internet Service Providers Association (ISPA) called for full consideration to be given to the impact on business:

Software, IT and telecoms services together generated 4.2% of UK gross value added (£59bn) in 2011 and provided 885,000 jobs … We call on all parliamentarians to ensure that the Investigatory Powers Bill does not put competitiveness of the UK economy at a disadvantage. Online and digital business recognise their responsibilities but the impact of any new provision in the Bill needs to be clearly considered and costed.85

53. Many of our witnesses have raised issues about the technical feasibility and cost of the Bill’s measures. A globalised communications industry depends on the inherent globalised nature of the internet itself. The potential for differing—conflicting, even—national laws raises compliance issues and increases uncertainty for businesses. With compliance comes cost. We heard concerns, for example, about the potential costs associated with storing large amounts of data. Many complained about a lack of clarity in some definitions and terms.

54. Others worried about the potential knock-on effects for UK industry, such as those using open source software (paragraph 49). The Internet Infrastructure Coalition noted that “Those seeking to start businesses, or relocate them, look closely at whether the laws in a country are ‘tech positive’ and encourage the kind of innovation and imagination necessary to create a new business.”86 Matthew Hare of Gigaclear told us that:

The UK relies on the information industries in their broadest sense, from financial services through legal to software and gaming; it affects everyone in the information industry. If we make it appear that this is a worse place to do business, because of some rights that, as far as most of us know, the Government never take up—but we will never know because we are not even allowed to talk about it—it seems to me a massive own goal.87

Some saw potential for a commercially chilling effect for the UK. Exa Networks, an internet service provider, believed that “the Bill would weaken and worsen the competitiveness of the UK technology industry as it affects privacy protection, such as encryption, and the ability to use equipment free of interference”.88

55. BT considered that it was “appropriate to maintain a regime that permits access to content and communications data, provided that the circumstances are suitably circumscribed, and provided that all necessary checks and balances are in place to ensure the lawful and proportionate operation of that regime”,89 but BT’s Mark Hughes wanted clarity that “the Bill and the law should apply where we provide public networks, not private networks”.90 The Electronic Frontier Foundation pointed out that the draft Bill’s expansion of the definition of ‘telecommunications service’ (first introduced in the Data Retention and Investigatory Powers Act) means that even within the realm of ‘public networks’ individual internet services such as Facebook, Twitter, Dropbox, Microsoft Office Online, and others would now be included in the definition.91 Graham Smith wanted clarity about whether an ‘internet communications service’ was intended to be limited to human-to-human messaging.92

56. TechUK were concerned that business models might have to be changed. They worried that powers in the draft Bill, under Clause 71(8)(b), requiring retention of data by “collection, generation or otherwise” suggest that “the Government reserves the right to compel companies to change their business models in order to facilitate access to data that they would not have kept under standard business operations”.93

57. Several witnesses expressed concern about the potential impact on businesses of the Bill’s requirement for internet connection records. BT noted that “many of the powers contained in the Bill (e.g. lawful interception and obtaining of communications data) are derived from those already contained in RIPA and other associated legislation: These are well understood and should not pose difficulties from a technical perspective.”94 However, on the need for internet connection records, they cautioned that:

Whilst the concept of an ICR may seem relatively straightforward, the introduction of a capability to retain them will be less so. … BT does not currently generate (or retain) a single set of data that is capable of meeting the proposed requirement. We are currently scoping what data sources and methods we could employ to generate ICRs.95

John Shaw of Sophos told us: “The crucial difference with the new Bill is the requirement to hold 12 months of data on everyone all the time … It is not just the cost of the data; the exposure of everyone in the UK’s data to people trying to hack it to do bad things with it is a very meaningful difference”.96 BT reckoned that without further information “we cannot realistically scope technical feasibility or cost”.97

58. Below we discuss the particular potential impacts for communications businesses in terms of cost and compliance.

Costs

59. According to the Government, the only additional costs on communications service providers relate to the obligations that may be imposed on them for collecting internet connection records. It estimates the figure at £174.2 million in discounted net present value terms over the next 10 years,98 but there was uncertainty among the communications technical community on whether this would cover all the associated costs. BT was “not clear on what basis Government has decided to set aside £175m towards the costs of retaining ICRs.”99 JISC (which provides digital technology and resources to higher education, further education and researchers) told us that the costs arising from the Bill would depend on the extent to which the Secretary of State chooses to exercise her “wide powers”.100 The Home Secretary told us that the cost estimates set out in the Impact Assessments published alongside the draft Bill “continue to be refined in consultation with the companies that are likely to be subject to obligations under the Bill”.101

60. James Blessing of the Internet Service Providers Association (ISPA) told us that “the Bill appears to be limiting the amount of funds available to a figure we do not recognise as one that would be suitable for the entire industry to be able to do it.”102 Andrews & Arnold Ltd told us of concerns among smaller ISPs that they could be subject to a retention notice which could require ‘deep packet inspection’ to produce the ICR, and which might have significant cost implications.103 Another ISP, Exa Networks, worried that technologies permitting the categorisation of the information in order to extract metadata only are “extremely expensive, as they need to work on all the information passing through the network”.104

61. The bulk of the cost associated with ICRs relates to the capital costs of providing storage. We discussed above how witnesses had concerns about the feasibility of holding and keeping secure the “massive” volume of data involved (paragraph 27). Those concerns were as much about the costs involved as about technical and security issues. The draft Bill provides for CSPs to make representations to the Technical Advisory Board (which we discuss below).105 Richard Alcock from the Home Office told us that:

The fall-back, if there is a disagreement, is to go through the Technical Advisory Board, which will have considered the technical implementation. If it was not possible for a particular organisation to implement things for a certain cost, that would be addressed through the TAB.106

62. Clause 185 of the draft Bill provides that CSPs receive an “appropriate contribution” towards their compliance costs. As drafted, the clause promises that this contribution will “never be nil.” The IT-Political Association of Denmark told us how in that country the equipment cost of data retention systems is borne by the telecommunications companies (with access to the data billed to the police). If costs in the proposed UK system were not fully covered by the Government, a likely “substantial fixed element [of costs remaining with the companies] would effectively discriminate against smaller ISPs and new companies that consider entering the ISP business”.107

63. BT told us that “to ensure competitive fairness … it is imperative for the new regime to apply a level playing field for all providers of communications services in the UK. And we believe that it should be made expressly clear that all eligible costs incurred by those providers should be met by Government.”108 This is the view across businesses of all sizes. Andrews & Arnold Ltd told us that they had received indications from the Home Office that operators, as now, would receive 100% cost recovery.109 Richard Alcock from the Home Office assured us that so far the Government had indeed paid 100% of the costs “relating to implementation”.110 However, the Home Secretary appeared reluctant to include such a commitment on the face of the Bill when it comes forward:

The Government recognises that the obligations imposed on communications service providers incur additional cost and would not want those subject to such obligations to be put at commercial disadvantage. The Government’s current policy, and that of its predecessors, is that it would not be appropriate to expect companies to meet the costs themselves and that they will receive an appropriate contribution towards the costs of obligations in respect of both communications data and interception. The draft Bill maintains the position that CSPs should receive an appropriate contribution in respect of their costs in complying with the legislation.

Cost recovery arrangements are a matter of policy for the Government of the day. It would not be appropriate to tie future Governments to the existing policy by placing these arrangements on the face of the legislation.111

64. Apart from ICR costs, some costs are also envisaged for the operation of a ‘request filter’ which will be established and maintained by the Home Office (although there is provision to transfer its functions to another public authority).112 This is expected to cost £12.9m in discounted net present value terms over the next 10 years. Clauses 51–53 of the draft Bill would allow the Government to establish a filter system whereby, when a complex request for communications data is made, any material that is not directly relevant to the investigation or operation would be filtered out before the data is supplied. Data that is not relevant will be deleted. The Open Rights Group describes the filter as one of the most concerning aspects of the draft Bill in that it “would allow the police and authorised public bodies to search and analyse retained communications data”.113

65. Given the speed with which this legislation must be in force, the Government must work with industry to improve estimates of all of the compliance costs associated with the measures in the draft Bill, for meeting ICR-related and other obligations, as a matter of urgency. Should the measures in the draft Bill come into force, it will be important for Parliament to have access to information on actual costs incurred in order to assess the proportionality and economic impact of the investigatory powers regime and its effectiveness.

66. Larger CSPs may be able to take some assurance from the Government’s commitment to meet their “reasonable” costs and avoid putting any affected businesses “at commercial disadvantage”. However, smaller CSPs may not be certain that they will be served with a notice to collect ICRs and, if they do have to, whether their costs will in fact meet the Government’s ‘reasonable costs’ criteria for reimbursement. The Government should reconsider its reluctance to include in the Bill an explicit commitment that it will pay the full costs incurred in compliance.

Compliance

67. Clauses 29–31 of the draft Bill deal with the issuing and serving of warrants, and impose a duty on operators to assist with their implementation. The operator must take all reasonably practicable steps to give effect to the warrant, whether or not they are located in the UK. Any requirements or restrictions under the laws of the country in which the operator is based are relevant to determining what is ‘reasonable’. Engagement with overseas companies has to date been on an entirely voluntary basis.114

68. Mark Hughes of BT told us that:

Anyone providing services in the UK will come under the Investigatory Powers Bill, wherever they are located, and should do according to the draft legislation. However, there could be issues associated with those who provide services in the UK but are not located in the UK. Clearly, jurisdictionally, getting them to comply if they are located overseas is a clear challenge; a request from the UK may conflict with local laws.115

He did not think however that large ISPs based in the UK would be prompted by the legislation to re-locate overseas. The same might not be true of all ISPs. The Internet Infrastructure Coalition were concerned that those seeking to start businesses will look closely at whether the laws in this country are “tech positive” (paragraph 54).

69. The Royal United Services Institute’s Independent Surveillance Review concluded that the capability of the security and intelligence agencies to collect and analyse bulk data should be maintained (with stronger safeguards as set out in the Anderson Report).116 Clause 179 of the draft Bill provides for the Secretary of State to issue Codes of Practice governing the use of powers contained in the Bill. The Home Office told us that draft Codes of Practice will be published alongside the Bill itself when it is introduced.117 Mark Hughes of BT noted the need for a forum for:

robust exchanges in understanding some of the matters we are dealing with here: for example, how one can practically work through and then issue of codes of practice, which are important, and have examples before getting into issuance of either a technical capability notice or a data retention order, which obviously is the net result of the Bill being enacted.118

70. Professor Sir David Omand also explained the importance of such Codes of Practice:

If you try to nail everything down absolutely in the primary legislation, you will be revisiting this in a couple of years’ time and passing another Investigatory Powers Act. The answer is to learn from the mistake that the Home Office made over the last five years, which was not to update the Codes of Practice, so that we, the citizens, knew how the existing legislation was being used. They could have done that, in which case the Snowden case would not have been the shock, horror that apparently it was for many people. Those Codes of Practice are presented to Parliament. You can insist that they are revised. You could put that in your legislation. There are ways in which the Government at any one time can be quite precise about how it is interpreting them, which will help the judges very considerably. That can then be updated.119

71. The Government intends to publish draft Codes of Practice when it introduces the Bill itself, later this year. It is essential that this timetable does not slip and that the Codes of Practice are indeed published alongside the Bill so they can be fully scrutinised and debated. The Government should reduce uncertainty about compliance burdens for businesses, about proportionality and about cost recovery, by explicitly addressing such issues in the Codes of Practice. These Codes of Practice should clearly address the requirements for protecting ICR data that will have to be retained and managed by CSPs, along with the security standards that will have to be applied to keep them safe. Businesses based in the UK and those serving UK customers should not be placed at a commercial disadvantage compared with their overseas competitors.

72. Detailed Codes of Practice will be needed to provide a more effective means of assisting compliance, and retaining business confidence in the feasibility of investigatory powers provisions, and their regular updating should be an explicit requirement in the Bill when it is introduced. Specifically, the Bill should require that at regular set intervals (perhaps yearly) the Technical Advisory Board (paragraph 79) is consulted about keeping the Codes of Practice up to date—a new role we propose for that body—and allowing both the Government and business representatives to bring forward amendments.

Consultation and technical advice

73. In 2012, the Joint Committee set up to scrutinise the Draft Communications Data Bill recommended that there should be much better consultation with industry, technical experts, civil liberties groups, public authorities and law enforcement bodies before any new Bill was introduced. The Intelligence and Security Committee also published a report in 2013 raising similar concerns, including that there had been insufficient consultation with CSPs.120 For the current draft Investigatory Powers Bill, the Home Secretary told us:

Over several months, policy officials have engaged with technical experts, both within the Home Office and externally, communication service providers and wider industry, and academics, to inform the drafting of the Bill. This consultation is ongoing, and has informed both the policy development process, and also the drawing up of costs and impact on business as set out in the accompanying Bill documentation.121

74. The vagueness of definitions and terms has been a constant feature in the evidence we have taken (paragraph 47). Martin Kleppmann found it understandable that, as he saw it, the Government did not wish to specify technical matters in fine-grained detail, “since those details may be rendered obsolete by rapid shifts in technology, forcing the law to constantly catch up”.122 But he complained that:

The current proposed Bill errs too far on the side of generality: its widely criticised “fuzzy definitions” are open to wide-ranging interpretation, leaving technology implementers in doubt as to the legal status of their software, and deferring the important questions of interpretation to executive decisions by the government or to case law.123

75. From the evidence we have received, it is clear that the Home Office has engaged with communications businesses and the wider internet community. This should remain a central strand of the Government’s strategy to ensure effective implementation and for seeking to allay concerns over current uncertainties and confusion arising from the way some terms are defined in the draft Bill. (We have separately recommended clarifying definitions and strengthening consultation processes through the Technical Advisory Board (paragraph 79) once the Bill is enacted.)

76. Internet businesses and their users require assurances that investigatory powers will be imposed proportionately, and that the judgement as to what is proportionate should at all times be open to reasonable challenge. The proposed Investigatory Powers legislation, to the extent that it consolidates and clarifies mostly existing provisions, is itself an important response to that requirement. The Government should continue to consult and explain fully the likely implications of the proposed legislation.

77. The Royal United Services Institute’s Independent Surveillance Review recommended that the existing Technical Advisory Board should be replaced with an Advisory Council for Digital Technology and Engineering, which would be a statutory non-departmental public body.124 The Advisory Council, it concluded, should keep under review the domestic and international situation with respect to the evolution of the internet, digital technology and infrastructure. It should also provide advice to ministers and departments and manage complaints from CSPs on notices they consider unreasonable.

78. In the context of the potential requirements to store large amounts of communications data, we were told by the Internet Infrastructure Coalition that “small to medium sized Internet infrastructure providers must be included in the Technical Advisory Boards contemplated by the Draft Bill.”125 The Home Office’s Chief Scientific Adviser, Professor Bernard Silverman, thought that in principle the idea of a “broadly based advisory board is important, but it is key that its terms of reference should be properly laid out”.126 He added:

If you have a technical advisory board and it is going to mission-creep into legal issues, it is much better that it should have proper, formal legal terms of reference, rather than that it should be a scientific advisory board that then decides that it will have opinions about commercial and legal things.127

It would be a good idea, he told us, to have in place protocols to cover situations where members of the Board were in dispute.128

79. Clauses 181–183 of the draft Bill provide for oversight and advisory functions in relation to the retention of communications data under Part 4 of the Bill, including the continued operation of a Technical Advisory Board. The Technical Advisory Board currently comprises 13 people: six representatives of communications service providers, six representatives of the intercepting agencies and an independent Chair. The Home Secretary told us that it is the Government’s intention to maintain the size and balance of the TAB.129

80. The Government should review the composition of the Technical Advisory Board to ensure that it will have members from industry who will be able to give proper consideration, not just to the technical aspects of appeals submitted to it from CSPs concerned about ICR or other interception or ‘interference’ notices, but also any concerns raised about costs (paragraph 61). The Government should also produce an explicit framework for how mediation of disputes and challenge will be resolved. The Government should consider whether the Board will need stronger legal expertise in light of the new investigatory powers that it will have to deal with. Membership of the Board should also more generally reflect a wide range of internet industries and expertise, and be able to co-opt individuals from individual businesses likely to be directly affected.

81. The Government did not set up the ‘Advisory Council for Digital Technology and Engineering’ advocated by the Royal United Services Institute. It should nevertheless add to the remit of the Technical Advisory Board a role it envisaged for that Council—to keep under review the domestic and international implications of the evolution of the internet, digital technology and infrastructure.

86 Internet Infrastructure Coalition (I2Coalition) (IPB0015) para 8

87 Q31

88 Exa Networks Limited (IPB0026) para 5

89 BT (IPB0061)

90 Q92

91 Electronic Frontier Foundation (IPB0017) para 27

92 Graham Smith (IPB0025) para 25

93 techUK (IPB0037)

94 BT (IPB0061)

95 BT (IPB0061)

96 Q21

97 BT (IPB0061)

98 Home Office (IPB0065)

99 BT (IPB0061)

100 Jisc (IPB0012) para 4

101 Home Office (IPB0065)

102 Q6

103 Andrews & Arnold Ltd (IPB0011)

104 Exa Networks Limited (IPB0026) para 25

105 See clause 73 (Review by the Secretary of State)

106 Q145

107 IT-Political Association of Denmark (IPB0051) para 24

108 BT (IPB0061)

109 Andrews & Arnold Ltd (IPB0011)

110 Q144

111 Home Office (IPB0065)

112 Home Office (IPB0065) Annex B

113 Open Rights Group (IPB0034)

114 David Anderson, A question of trust: report of the Investigatory Powers Review, June 2015 (para 11.18)

115 Q101

117 Home Office (IPB0065), Annex A

118 Q110

119 Q66

120 Intelligence and Security Committee, Access to communications data by the intelligence and security Agencies, Cm 8514, February 2013

121 Home Secretary (IPB0030)

122 Martin Kleppmann (IPB0033) para 3

123 Martin Kleppmann (IPB0033) para 3

125 Internet Infrastructure Coalition (I2Coalition) (IPB0015)

126 Q122

127 Q122

128 Q146

129 Home Office (IPB0065), Annex C

© Parliamentary copyright 2015

Prepared 30 January 2016