Tech companies argue new investigatory powers proposals weaken data security
Published 1 February 2016
What does this cover?
Critical submissions against aspects of the Government's investigatory powers proposals have been aired by some of the world's largest technology companies.
Late last year, the controversial government proposals for a new surveillance law came one step closer to reality when on 4 November 2015 the Home Office published the Draft Investigatory Powers Bill (the Bill) - dubbed the "snoopers' charter" by dissenting press. The Bill is currently under review for pre-legislative scrutiny by an appointed parliamentary committee.
Between late December last year and January 2016, media sources reported on a submission by Apple which argued that the Bill's provisions required communication software providers to implement software 'backdoors' to enable government access. Apple argued that such a requirement would impose an obligation on Apple to compromise the security of its products, some of which utilise end-to-end encryption (a process which scrambles communications data at both ends of the transmission in order to provide an enhanced level of security which even Apple can't decrypt).
A joint submission by Facebook, Google, Microsoft, Twitter and Yahoo, under the umbrella campaign group 'Reform Government Surveillance' (RGS), raised the concern that "forced decryption" would oblige companies to weaken product security and argued that certain obligations under the retention part of the Bill seemed to require that companies "reconfigure their networks or services to generate data – for the purposes of retention". They contend that "No business should be compelled to generate and retain data that it does not ordinarily generate in the course of its business".
The RGS group have called for greater transparency of the rules under the proposals to users of their products – expressing that "As a general rule, users should be informed when the Government seeks access to account data. It is important both in terms of transparency, as well as affording users the right to protect their own legal rights".
On 6 January 2015, Christopher Graham - Information Commissioner, together with current and former IT and Security state representatives from New Zealand, the United States and Denmark, gave evidence to the Joint Committee on the Draft Bill. Graham had previously provided written submissions to the committee promoting the inclusion of a sunset clause in the Draft Bill (a clause requiring the mandatory review of the enacted legislation in order to assess the necessity of keeping the legislation in force). In answer to the question of whether the Bill was needed, he stated that whilst "some legislation is clearly necessary, because the previous legislation was struck down by the courts… It is very difficult to judge whether the Bill gets the balance right between security and privacy".
About the Draft Bill
The Draft Bill contains provisions which can require that communications providers retain certain information about their customers' online activity for a maximum period of 12 months if issued with a retention notice requiring the same. This information might then be accessed by prescribed authorities in the interests of national security.
The Draft Bill further proposes to allow the collection and acquisition by intelligence agencies of 'bulk data sets' or BPDs – which the government defines (in a factsheet connected to the Draft Bill) as including "a large amount of personal information, the majority of which will relate to people who are not of security or intelligence interest." Including, for example, "Lists of people who have a passport or a licensed firearm …"
What action could be taken to manage risks that may arise from this development?
Communication companies affected by this Bill should continue to watch for developments as this passes through the legislative process.