Update on proposed UK "snooper's charter"
Last year we looked at the United Kingdom’s draft Investigatory Powers Bill (known as the snooper's charter"), and criticized the requirement for vendors to install "back doors" into their software that governments could access to decrypt user data.
This would be costly for vendors to maintain, result in a significant security vulnerability, and drive users to products from other countries.
The latest government committee responsible for reviewing the draft bill has just reported back with a number of suggested amendments. It concluded there is a "significant amount of further work to do" before the bill is ready.
The report welcomes a clarification from the Home Secretary on the government stance on cryptographic backdoors, which are apparently not intended to be part of the legislation. The report quotes the Home Secretary as stating that “The Government do not need to know what the encryption is or to know the key to the encryption.” This is good news, and the committee is urging that this be made clear in the proposed legislation.
One of the main points of the bill is to legitimize the bulk collection of communications data, and this is not questioned. Of course, thanks to Edward Snowden we know our governments are doing this already - this legislation merely proposes to legalise the practice. This is rather brazenly admitted by the committee: "we believe that the security and intelligence agencies would not seek these powers if they did not believe they would be effective and that the fact that they have been operating for some time would give them the confidence to assess their merits"!
The other privacy-busting feature of the bill is the plan to force ISPs to collect their customers' Internet history and maintain records for 12 months. The committee is "satisfied that the potential value of [collecting this data] could outweigh the intrusiveness involved in collecting and using them." Given the costs this will force ISPs to incur, it is hoped that this will be softened or reconsidered as the committee suggests: "The Home Office has further work to do before Parliament can be confident that the scheme has been adequately thought through".
So on the positive side, mandated backdoors are not part of the bill, and the collection of individuals' Internet usage records needs to be re-examined. The downside is the legalisation of the snooping on telecommunications that we know is already happening. We will have to wait to see the form of the final legislation.