UK parliamentary committee criticises encryption backdoor bill

A UK joint parliamentary committee reviewing the controversial draft Investigatory Powers Bill has called on the British government to ensure it will not force providers to decrypt communications or install backdoors. 

The bill, introduced by the ruling Conservatives, was nicknamed 'snoopers' charter' as it would greatly enhance government agencies' ability to conduct mass surveillance on the internet.

One of the issues the proposed law seeks to address is access for government agencies to encrypted communications between suspected criminals or terrorists. 

Although the UK government insistsit does not want backdoors or weakened encryption, the committee and the witnesses before it are concerned the bill would effectively provide that capability. 

Tech companies including Apple, Facebook, Google, Microsoft, Twitter, Yahoo, and Mozilla all provided testimonies to the committee stating that in its current form, the bill would allow the government to compel providers to require operators to remove or weaken encryption services. 

"In practice, it is equivalent to a government 'backdoor'," they said. 

This would undermine the security of online communications and transactions, and potentially ban the use of strong cryptography, tech companies stated. 

The committee said such backdoors should not be allowed. 

"We agree with the intention of the government’s policy to seek access to protected communications and data when required by a warrant, while not requiring encryption keys to be compromised or backdoors installed on to systems. The drafting of the bill should be amended to make this clear," it said. 

Furthermore, providers should not be forced to break encryption, something they may in fact be unable to do, the committee said. 

"The government still needs to make explicit on the face of the bill that [communications service providers] offering end-to-end encrypted communication or other un-decryptable communication services will not be expected to provide decrypted copies of those communications if it is not practicable for them to do so."

Browsing history retention "desirable tool" for police 

The committee did however agree with the government that so-called internet connection records (ICRs), which would be used to identify communications between people and service providers, are an important tool for law enforcement. 

At the same time, witnesses appearing before the committee noted that ICRs as such do not exist today and the bill's definition of them is vague.  

Several witnesses warned that ICRs would be intrusive and said they carry significant privacy issues. 

“Analysing our internet history or what sites we have visited can provide a rich source of extremely revealing data which can be used to profile or create assumptions about an individual’s life, connections and behaviour,” privacy advocates Big Brother Watch said. 

There are also technical problems in attempting to resolve Internet Protocol (IP) addresses to specific devices. IP addresses can be shared, reused and transmit different streams of communications originating from sources other than the server a user connects to, the committee noted. 

Storing ICRs would be a technical challenge for providers, involving large amounts of data.

"We do not believe that ICRs are the equivalent of an itemised telephone bill. However well-intentioned, this comparison is not a helpful one," the committee said. 

The committee said the government must address the technical and privacy concerns around ICRs put forward by witnesses if the bill is to command the necessary support. 

On bulk communications interception, the committee said the government "must provide a meaningful and comprehensible definition of data when the bill is introduced".

Clause 195 of the draft legislation defined "data" to include "any information which is not data", a phrase that lobby group Open Intelligence slammed as "obvious paradoxical nonsense". 

Home secretary Theresa May acknowledged that people would be "raising an eyebrow or two at that particular sentence" and said she did so herself when she read it. 

May said the intention was to define "data" so that it would cover, for example, paper records. 

Minor public bodies had pressed for full access to communications data, which the proposed law provides for.

Evidence before the committee did not support that local authorities should have intrusive surveillance powers for minor infringements, but they should have access to support their law enforcement roles.