A group of five major tech companies, including Google, Facebook, Microsoft, Twitter, and Yahoo, provided written evidence to the United Kingdom's Parliament criticizing the new Investigatory Powers Bill (IPB), which promises to expand the mass surveillance and hacking capabilities of the government and weaken the security of technology products.
As members of the Reform Government Surveillance (RGS) coalition, we believe the best way for countries to promote the security and privacy interests of their citizens, while also respecting the sovereignty of other nations, is to ensure that surveillance is targeted, lawful, proportionate, necessary, jurisdictionally bounded, and transparent. These principles reflect the perspective of global companies that offer borderless technologies to billions of people around the globe.
The companies emphasized that user trust is very important to them, and that this trust can be greatly degraded if they are forced to weaken their security to make government surveillance easier. They are also worried that if the UK passes such a law, other countries will use that framework as a model for their own legislation.
These mass surveillance-friendly laws could also create a conflict for companies, which would then have to decide which country’s laws they should violate. For instance, the recent ruling from the EU’s top court made it clear that mass surveillance is illegal under EU law, so the UK could pass a law that is in conflict with that decision. It would then put companies in the difficult position of choosing between the UK law and the EU law, or it could force them to leave the UK and possibly even stop offering their services there.
The companies said that the IPB should at least specify that where there is conflict with other jurisdictions, the companies would not be obligated to follow that law. Right now, the companies claim this part of the bill is confusing. They also say that countries should create an international agreement where they clarify the jurisdiction issue.
The companies are concerned with the following line from the IPB, which says they have "obligations relating to the removal of electronic protection applied by a relevant operator to any communication or data". Although the UK’s Home Secretary, Theresa May, said that the government will not force companies to weaken their encryption, that’s exactly what that line seems to imply, along with the potential weakening of other security solutions.
The companies want the bill to make it clear that they won’t be forced to weaken their systems to provide the requested data. They also said they shouldn’t be forced to track or keep any additional information about the users that isn’t already part of the companies’ services or business model.
The tech companies want all data requests to be obtained with proper warrants from an independent judge that reviews the actual merits of the matter and not just the process through which the Home Secretary granted the warrant. The data request should withstand the full scrutiny of the Court.
Mass surveillance, or “bulk collection,” as it’s called in the Investigatory Powers Bill, should not be allowed to happen, according to the principles the “Reform Government Surveillance” alliance of companies agreed to promote. All surveillance should be targeted, and all additional information should be destroyed, even if it’s accidentally collected.
The group of companies wants the bill to be more clear in general, so that it’s easy for any intelligent reader to understand exactly the kind of powers the bill gives law enforcement and spy agencies. There shouldn’t be any room for interpretation. This would also make oversight more effective, which should be desirable in any democratic country.
The companies believe that, as a general rule, their users should be notified when there’s a warrant in their name. This gives users the opportunity to protect their own legal rights, and it’s also useful for transparency purposes to see to what extent the government is using its surveillance and data requesting powers. This would make both citizens and members of Parliament more informed about the executive’s actions in the future.
The tech companies also want the UK government to first go to the intended target, and only if it can’t obtain the data this way should it go to the most proximate source that has access to that data. For instance, if someone uses a smaller email provider that uses Microsoft’s Azure servers, law enforcement should first present the warrant to the user, then to the email provider, and if the data can’t be obtained there for whatever reason, then it should go to Microsoft.
Cloud providers shouldn’t become the automatic one-stop shop for data requests from law enforcement just because that would be easier. After all, it’s not Microsoft’s or even that small email provider’s data; it’s the users’ own data, and they should be the ones targeted with the data request. The companies believe that if things were handled this way, it would accelerate the adoption of cloud services, and the UK could lead the world on this.
The tech companies urge the UK government to reconsider allowing its spy agencies to hack into their networks or to introduce new vulnerabilities that would put all users at risk. This would make everyone less safe, and it would also erode the trust those users can have in their services if some other actors find those vulnerabilities and exploit them.
The Investigatory Powers Bill is now undergoing scrutiny by the UK's Parliament, and it should be put up for a vote later this year.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.