Theresa May's internet spy powers bill 'confusing', say MPs

  • Published
Theresa May

The home secretary's plan to force internet service providers to store everyone's internet activity is vague and confusing, says a committee of MPs.

Police and security services will be able to see names of sites visited in the past year without a warrant, under the draft Investigatory Powers Bill.

The science and technology Committee says its requirements are confusing, and firms fear a rise in hacking.

The Home Office said it would study the report's findings, external.

When she announced the draft bill last year, Theresa May stressed that the authorities would not be able to see individual web pages visited, just basic data, such as domain names like bbc.co.uk or facebook.com.

'Security goals'

But tech firms have told MPs it may not be possible to separate out data in that way and the plans were not clear about was meant by "internet connection records".

Committee chairman Nicola Blackwood said: "There remain questions about the feasibility of collecting and storing internet connection records (ICRs), including concerns about ensuring security for the records from hackers.

"The bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers.

"This must be put right for the bill to achieve its stated security goals."

Mrs May insisted in January that the Home Office had been clear about what it meant by ICRs and was working closely with the industry on the legislation.

The science and technology committee also raised concerns about powers to allow spies to hack into suspects' smartphones or computers, known as "equipment interference".

Encryption concern

Ms Blackwood said the technique may "occasionally be necessary", but added: "The tech industry has legitimate concerns about the reaction of their customers to the possibility that electronic devices could be hacked by the security services."

There are also concerns, expressed by Apple and other tech giants, that the bill will force them to adopt weaker encryption standards.

Some products, such as the iPhone, allow people to communicate privately in a form that cannot be decoded, even by the company which makes the device, known as "end-to-end encryption".

The bill would strengthen the power to force firms to give up decryption keys so that coded messages might be read.

But Nicola Blackwood said the government had to do more to "allay unfounded concerns that encryption will no longer be possible".

Service providers, such as BT and Sky, are concerned about the cost of storing internet records for 12 months, something they do not routinely do at the moment.

'Strict safeguards'

The Home Office says the overall cost to the industry will be £174m over 10 years and "reasonable costs" will be reimbursed, but the industry has cast doubt on that estimate.

The committee said the government should make an "explicit commitment" to pay the full costs incurred by compliance," to protect smaller firms hit with demands to store records.

The Home Office said it was important companies did not suffer a commercial disadvantage and stressed there were no plans to change a long-standing position of reimbursing 100% of costs associated with data retention.

Security Minister John Hayes said: "We are mindful of the need for legislation to provide law enforcement and the security and intelligence agencies with the powers they need to deal with the serious threats to our country in the modern age, subject to strict safeguards and world-leading oversight arrangements."

The government's final proposals will be set out in the spring.

Related internet links

The BBC is not responsible for the content of external sites.