Following the publication of the second draft of the Investigatory Powers Bill, techUK has pulled together a summary of the changes that have been made. These relate to recommendations made by the three committees that scrutinised the bill.
Privacy
- Committee recommendations: The Intelligence & Security Committee called for an entire section of the Bill dedicated to addressing privacy safeguards, clearly setting out the universal privacy protections which apply across all the investigatory powers.
- Key changes: Part 1 now contains a short overview of the safeguards throughout the Bill. This doesn’t go as far as the ISC’s recommendation that privacy protections should form the backbone of the deal. The Home Office has instead simply added the word “privacy” to the subheading and provided a summary of privacy protections rather than an overarching statement recognising the supremacy of privacy.
Encryption
- Committee recommendations: Reports called for further clarity and reassurance on the face of the Bill or within the Codes of Practice that end-to-end encrypted services and products would not be affected by Section 189 notices in the Bill.
- Key changes: The language on encryption has been amended, section 189 proposing that obligations be placed on CSPs – “relating to the removal of electronic protection applied by a relevant operator to any communications or data” – has been changed. Obligations now apply “to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data”.
Definitions
- Committee recommendations: Highlighted the concerns within industry as to the overly broad and confusing definitions of terms such as “data”, “internet connection records” (ICRs) and “related communications data”.
- Key changes: The definition of the term “data” has been changed in line with the Joint Committee’s recommendation. The new definition makes clear that the term “data” in the revised Bill includes “data which is not electronic data and any information (whether or not electronic)”.
Extraterritoriality
- Committee recommendations: The bill must complement rather than conflict with the aim of creating an international legal framework for the lawful acquisition of data by government agencies. The Bill should be viewed as an international piece of legislation, with global implications.
- Key changes: Little has changed, although there are greater and more consistent safeguards on proportionality and conflicts of law for overseas providers, extraterritorial provisions that undermine long term objectives still remain.
Internet Connection Records
Committee recommendations: Reports expressed concerns about the definitions and technical feasibility of retaining ICRs. The draft Bill contained inconsistent definitions of ICRs that created uncertainty within industry as to their technical feasibility.
Key changes: The Bill now has a single definition of ICRs that remains consistent throughout the course of the Bill, with references to internet connection records appearing in both the authorisation and retention sections of the Bill.
[su_box title=”About techUK” style=”noise” box_color=”#0e0d0d”]
techUK represents the companies and technologies that are defining today the world that we will live in tomorrow. More than 850 companies are members of techUK. Collectively they employ approximately 700,000 people, about half of all tech sector jobs in the UK. These companies range from leading FTSE 100 companies to new innovative start-ups. The majority of our members are small and medium sized businesses.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.