While acknowledging that oral assurances have been made by ministers that encrypted services are not at risk, the group has asked for clarity:
We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means. We therefore have concerns that the Bill includes “obligations relating to the removal of electronic protection applied by a relevant operator to any communication or data” and that these are explicitly intended to apply extraterritorially with limited protections for overseas providers… [We] suggest that the Bill expressly state that nothing in the Bill should be construed to require a company to weaken or defeat its security measures.
Echoing this in its own submission, Apple said:
By mandating weakened encryption in Apple products, this bill will put law-abiding citizens at risk, not the criminals, hackers and terrorists who will continue having access to encryption.
Among other issues raised by these companies, Apple outlines the specific problem it has with the fact that it may obliged to interfere with its customers’ devices on behalf of the British government.
It would place businesses like Apple – whose relationship with customers is in part built on a sense of trust about how data will be handled – in a very difficult position. For the consumer in, say, Germany, this might represent hacking of their data by an Irish business on behalf of the UK state under a bulk warrant – activity which the provider is not even allowed to confirm or deny. Maintaining trust in such circumstances will be extremely difficult.
Tor, in its evidence, specifically challenges the suggestion that as long as content is private, metadata is up for grabs.
After outlining the reasons that people may use a service like Tor, the document explains that “in many cases communications data can be as sensitive as content, and in some cases may be more sensitive than content.”
In another piece of written evidence released today, the government is critcized by the UK’s Internet Service Providers’ Association, which includes AOL and AT&T, for allowing just two weeks for the committee to hear evidence.
ISPA is concerned that the Government has set an expedited edited timetable for the consideration of the Draft Bill and has failed to reveal the level of detail that would be required to scrutinise the Bill in depth and properly assess its impact on businesses, customers and citizens both inside and outside of the UK.
With a more meaningful consultation process that would have involved a wide cross section of the internet community, the Draft Bill could not only have been improved and made easier to understand, but its cost assumptions could also have been put on a robust basis.
The ISPA also accuses the government of building “stretch” into the wording in order to future-proof the law in case the situation changes.
Mozilla, meanwhile, says a “comprehensive revision of the Investigatory Powers Bill is necessary to protect the internet and its users.”
Yesterday, the former tech head of the NSA William Binney appeared in person in front of UK lawmakers to raise his concerns about the feasibility of analyzing such large quantities of data, among other things proposed in the Bill.
➤ Draft Investigatory Powers Bill Joint Committee – publications [Parliament.UK]