The Investigatory Powers bill – which will enforce the storage of internet browsing records for 12 months and allow the police to access people’s personal data – is going through its second reading in the House of Commons today.
The bill will help the police and intelligence forces investigate crime and terrorism, but Sophos’ product management VP John Shaw says that it could also ‘impact both the security of UK consumers’ data and the competitiveness of UK service provider businesses’.
"Sophos supports the concept of the Investigatory Powers Bill as an initiative to help the police and intelligence forces investigate crime and terrorism, whilst protecting the rights of individuals," Shaw said.
"However, we had a number of concerns about the initial draft of the Bill which we expressed to the Science and Technology Committee late last year, particularly elements of the proposed Bill that would impact both the security of UK consumers’ data and the competitiveness of UK service provider businesses.
"We were disappointed to see that in the revised Investigatory Powers Bill, although the government has made some small improvements, all our fundamental concerns remain.
"We agree it is critical that the government get this bill right. Rushing it through in its current form will be a mistake. We fear the bill will be rejected, causing even greater delay to getting a proper regulatory framework in place, or even worse it will be passed into legislation. If it does become law, it will undermine both the security and privacy of UK citizens and impact the competitiveness of UK Internet Service Providers."
Sophos’ top five areas of concerns are as follows:
1. "Weak definitions within the Bill could mean that it is open to very broad interpretation – the Government could use this to force pretty much any company using technology to store 12 months’ worth of just about any data."
2. "Our Data is at risk – in this draft Communications Service Providers (“CSPs”) are still obliged to store 12 months of data for every user. The unnecessary storage of data only gives the bad guys more opportunity to steal it, and therefore places an increased burden on CSPs to protect it.
"High profile data leaks occur all too often, so why put more data at risk? At the very least, it should mandate strong encryption to protect the data at rest in event of a breach."
3. "Judicial Commissioners – it’s great to have these checks and balances in place and beneficial that they sit outside the Government, however commissioners are unlikely to be technical ‘whizz kids’, so there is a question around whether they will fully understand what they are being asked to decide; perhaps in addition to the “powerful new Investigatory Powers Commissioner” there should also be a technical advisory board?"
4. "Backdoors – the Home Office’s summary of responses to the Committees’ pre-legislative reviews says the revised bill makes clear that the requirement to remove encryption is limited only to encryption applied by the CSP, not to encryption applied by anyone else e.g. the end user.
"This would indeed be an improvement over a more general requirement, but is not clearly evident in the Bill. Previously Theresa May had stated that there would be no backdoor requirement so more clarity is required here."
5. "UK disadvantage – The unfair disadvantage to UK-based CSPs still seems to apply. Section 223 clearly defines this as applying to UK based operators.
"The response to the Committees again claims that this has been addressed but it is not clear how."
Image source: Shutterstock (person using laptop)