The Investigatory Powers Bill - Bad for People and Businesses

Placing a legal obligation on companies to snoop on their own customers is a recipe for disaster. Not only will it undermine trust, it also gives unscrupulous tech companies ample opportunity to exploit the data they collect for their own purposes under the guise of legal authority.
|

The last two weeks have seen a series of experts testify in front of the Joint Select Committee on the merits of the Government's new Investigatory Powers Bill (IP Bill). If that legislation sounds unfamiliar, it's because the media usually refer to it by the unflattering moniker the 'Snooper's Charter'. This nickname is well deserved because a number of the provisions contained in the Bill undermine online data protection and put many businesses in a difficult position.

The Bill is ostensibly designed to improve state security by making it easier for the security services to monitor and analyse online communication. For the first time, it enshrines the state's ability to collect, in bulk, large volumes of personal communications data. It requires tech companies to store personal information, such as website visits, for a year and make them accessible to the Government. Crucially, there is now an obligation on companies to assist security services in bypassing encryption. Put another way, it makes most encryption of personal information entirely meaningless - although, the Government disputes this. There are also proposed changes to judicial oversight and new powers to bug computers and phones.

Unsurprisingly, tech companies are not happy. However, tellingly, many security experts are also unconvinced. A former senior official at the National Security Agency, William Binney, told the Select Committee that the IP Bill was 'totalitarian' and that the "bulk acquisition is a major impediment to success by analysts and law enforcement."

The Information Commissioner's Office also weighed in, stating: "Notices requiring the removal of electronic protection should not be permitted to lead to the removal or weakening of encryption. This technique is vital to help ensure the security of personal data generally."

There is obviously a very clear case for improving the reach of security services online. So called Islamic State and other terrorist and criminal entities are purported to use online services to communicate and coordinate. However, completely eroding the meagre data protection afforded to UK citizens online is a very worrying proposition. So too is increasing the burden on businesses to work with security services to monitor, collect and decrypt their customers' personal data.

Legislating the tech sector is generally very difficult. Technology moves so quickly that legislation with specific provisions soon becomes obsolete, whereas, legislation that seeks to anticipate tech developments ends up being draconian. The IP Bill falls into the latter category. It is akin to using a sledgehammer to crack a nut. By undermining every citizen's right to privacy, while simultaneously reducing judicial oversight, it opens the door to countless unintended consequences and opportunities for state overreach. Binney rightly pointed out that bulk collection of data is inefficient and ineffective.

Placing a legal obligation on companies to snoop on their own customers is a recipe for disaster. Not only will it undermine trust, it also gives unscrupulous tech companies ample opportunity to exploit the data they collect for their own purposes under the guise of legal authority.

Watching the Joint Committee question its witnesses, I was struck by how little many of the MPs seemed to understand the implications of some of the provisions within the IP Bill. I believe this goes to the heart of the matter. However good the Government's intention, I believe the IP Bill was put together with little understanding of how many online services work or just how much you can learn about an individual from their personal data.

A better approach would be for the Government and security services to work closely with tech companies to build a legislative framework that affords more protection to the man or woman on the street while reducing the power of criminal or terrorist entities to hide their actions or intentions online. Sweeping powers are not the answer.

The UK already has some of the most limited data protection in Europe. With the collapse of Safe Harbour there is a clear divergence between the US and European approach. The US is making moves to further reduce online privacy while countries such as Germany seek to enhance personal protection. In the UK, we have a choice as to which approach we take. I worry that if we follow the US, we will not feel any safer but will instead fear that the state, and the companies we rely on, have destroyed our privacy.

Mike Weston is CEO of data science consultancy Profusion