UK’s House Science and Technology Committee looked into the Investigatory Powers bill, also called "Snoopers’ Charter," and found multiple provisions that could damage the country’s technology sector as well as customers’ trust in those companies. The new bill would also cost taxpayers an additional £2 billion ($2.88 billion USD) per year to implement all the new surveillance capabilities, at a time when the Conservative party has been calling for more austerity measures for social programs.
The Parliamentary committee found numerous issues with the bill, including confusing or vague definitions, over-broad "equipment interference" (government hacking) powers, the effective banning of end-to-end encryption by communication service providers, and even forcing companies to aid the government in hacking customers in another country, which on its own could spark international conflicts.
The UK government has said previously that it is not trying to ban end-to-end encryption, or encryption in general, but the bill contains provisions under which companies can be compelled to decrypt any communication. This would have virtually the same effect as banning end-to-end encryption, because no commercial company could legally offer end-to-end encrypted services anymore.
Although companies such as Google and Microsoft don't use end-to-end encryption for their communication platforms, apps like iMessage and WhatsApp do. That means Apple and Facebook, as well as other companies that use end-to-end encryption, would have to replace it with encryption that can be decrypted by the companies themselves, and therefore by the UK government.
The House Committee said that communication service providers should only be required to decrypt data where it is technically feasible and practical to do so. This provision in the bill should also comply with both UK and EU law, which, if respected, could limit abuses. The Committee also said the government should make it clear that it will not force companies to decrypt end-to-end encrypted communications.
The provision for equipment interference seems to be rather vague, and it could apply to virtually anything that "produces electromagnetic, acoustic or other emissions, or any device capable of being used in connection with such equipment."
This could cover anything from microphones and sensors to smartphones, computers, and connected or autonomous cars. The government could also compel companies to send malicious updates to their customers, which could damage those customers' trust in them.
Anthony Walker, deputy CEO of TechUK, said that for companies that offer open source products, such as Mozilla, any change in their products would have to be made open source. That means the government’s malware would also have to be made open source, and then others could view the code and see what it’s doing.
Big Brother Watch also told the House Committee that malicious hackers could find these weaknesses in software, whether open source or not, and exploit them for their own purposes. Therefore, the UK government wouldn't just damage the trust customers have in the tech companies, but could also leave those customers vulnerable to data breaches by rogue attackers or nation states.
The Committee seems to mostly take the government's word here that the "equipment interference" provision doesn't actually change anything the government wasn't already able to do under previous surveillance laws. However, it said that the Investigatory Powers Commissioner should weigh the potential harm to the economy against the use of these powers, and that these powers should be restricted if the public is too outraged about them.
According to the current draft of the bill, the communication service providers will not be allowed to say when the government is using equipment interference, so UK users can just assume their devices or apps could be hacked with the help of the companies providing those products or services.
Even though the European Union Court of Justice has ruled that the previous EU data retention directive and all the national laws that came out of it were invalid, the UK has kept passing such laws, even as they get challenged in national and European courts.
The Investigatory Powers bill, which aims to put all surveillance laws under one umbrella, also states that communication service providers should store users' metadata for 12 months. Some ISPs have complained that this will raise their customers' bills if implemented, because it isn't just storing the data for 12 months that will raise costs, but also protecting it. Rival nation states could be especially interested in getting access to that data, much as the UK's own GCHQ hacked into other countries' telecoms.
The Committee recommended that the UK government should guarantee a full reimbursement of costs to all providers that it compels to provide data. The government has set aside only £174.2 million for this purpose, but it's not yet clear whether that will be enough. Making the government guarantee that its data requests are fully reimbursed could also help ensure that the powers are not abused and are used only when necessary.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.