UK lawmakers say "vague" surveillance bill should not undermine encryption
The UK government should "clarify" a number of key provisions in a proposed draft surveillance law, according to the parliamentary joint committee charged with considering the bill.
In a short paragraph in the conclusion of a report, released early Monday, the committee said that the bill suffered as a result of "vagueness of definitions and terms" throughout the drafting of the legislation, leading to "confusion" over how the bill will be implemented if it becomes law.
The joint committee, made up of 11 cross-party members of the UK parliament, concluded that the government "should continue to consult and explain fully the likely implications of the proposed legislation."
In other words, the bill as it stands has a long way to go before it can become law.
The so-called Investigatory Powers Bill aims to reform and clarify fragmented parts of existing legislation. Much of the UK government's surveillance powers date back to 2000, and have been interpreted and since expanded by legal amendments and internal policies. The government said it would revisit the legislation in the wake of the Edward Snowden revelations, in which the UK and its American cousins were accused of hacking into computers, networks, and companies in order to further their mass surveillance efforts.
Among the various issues, one floated to the top: encryption. The bill currently allows the government to force UK companies to remove encryption on demand to help authorities intercept data -- a highly contentious point that threatens to undermine user and device security.
But there's a problem.
"There is some confusion about how the draft Bill would affect end-to-end encrypted communications, where decryption might not be possible by a communications provider that had not added the original encryption," said the report. "The Government should clarify and state clearly in the Codes of Practice that it will not be seeking unencrypted content in such cases, in line with the way existing legislation is currently applied."
Simply put: these communication providers, such as telcos and internet providers, might not be able to decrypt data as it flows across their networks because companies like Apple will scramble user data long before it hits the internet.
Putting limitations on devices that come with end-to-end encryption, such as iPhones and many Android devices, could put UK businesses at a "commercial disadvantage," said the report.
Read more on ZDNET:
The encryption challenge was one of many issues the committee had with the bill's text, in part because of the "vagueness of definitions and terms have been a constant feature in the evidence we have taken."
A number of tech companies, including Apple, Google, Facebook, Microsoft, Twitter, and Yahoo, submitted written evidence urging the government to "reconsider" the bill's provisions.
They echo a similar sentiment from a group of United Nations' experts, who have also warned of a "chilling effect" on freedoms of speech and expression should the draft surveillance bill become law.
In conclusory remarks, the committee said the government "should review the draft Bill to ensure that the obligations it is creating on industry are both clear and proportionate."