The government's proposed web surveillance legislation is unclear, has been hurried, and fails to provide enough privacy protections, according to an influential committee.
The Investigatory Powers Bill is the first major piece of legislation concerning the powers of the intelligence and security agencies in over 15 years, and aims to update them to take into account the rapid rise of internet communications. It seeks to provide clearer authority around hacking by law enforcement, and would also require communications companies to record much more data about their customers' internet usage.
But according to a report from the Intelligence and Security Committee (ISC), which oversees the UK intelligence agencies, the draft law "fails to deliver the clarity that is so badly needed in this area".
The report also noted that "it has been evident that even those working on the legislation have not always been clear as to what the provisions are intended to achieve," adding that "the draft Bill appears to have suffered from a lack of sufficient time and preparation".
The ISC's members are routinely given access to highly classified material, making them some of the best informed about the work of the UK's intelligence agencies.
The committee said the draft Bill doesn't include all the agencies' "intrusive capabilities", which means that it cannot provide a comprehensive legal framework.
In particular, the ISC recommended that the new legislation should have a section dedicated to overarching privacy protections "which should form the backbone of the draft legislation around which the exceptional powers are then built".
The committee also warns that the draft bill only covers the agencies' ability to conduct "equipment interference" (aka hacking), while other "IT operations" will be authorised under other laws, and said this "is unnecessary and counter to transparency".
The ISC report also cast doubt on the need for "bulk" equipment interference warrants, which would allow law enforcement to hack at massive scale, and said this should be removed from the legislation.
The report also said that the power for law enforcement to gain access to "bulk personal datasets" or huge databases containing vast amounts of information on the general public should also be removed from the law, noting that "each dataset is sufficiently intrusive that it should require a specific warrant".
The ISC report also warned that the approach to "communications data" -- one of the most controversial elements of the bill -- is "currently inconsistent and confusing".
"We consider these changes necessary if the government is to bring forward legislation which provides the security and intelligence agencies with the investigatory powers they require, while protecting our privacy through robust safeguards and controls," the report said.
Antony Walker, deputy CEO of techUK, which represents the interests of technology companies, said the report "again makes it clear" that the bill lacks clarity on fundamental issues, including core definitions of key terms within the draft bill such as encryption and equipment interference.
Read more on web surveillance
- The government's encryption plans remain impossible to decipher
- The new art of war: How trolls, hackers and spies are rewriting the rules of conflict
- Inside the secret digital arms race: Facing the threat of a global cyberwar
- Surveillance laws need rethink, but bulk collection of web data will continue
- The undercover war on your internet secrets: How online surveillance cracked our trust in the web
- The impossible task of counting up the world's cyber armies
- Encryption: More and more companies use it, despite nasty tech headaches