The U.K.’s Investigatory Powers Bill has already been widely condemned by civil liberty groups for undermining privacy rights. Now from a separate angle, Internet service providers are attacking the proposed surveillance legislation for being hamstrung by technical impracticalities.
Dubbed the Snooper’s Charter by its opponents, the legislation would vastly expand the power of security agencies to monitor the Web activities of British residents, hack into their devices, and force Internet service providers (ISPs) to keep the Internet metadata of their customers for at least 12 months in case it’s needed by the police.
The last requirement of the bill has led some ISP heads to raise concerns about the technical and financial burdens that would be imposed on their companies.
Some $265 million is allotted in the legislation to compensate companies for the extra work needed to record and keep that data, but that’s hardly enough to cover the overhead costs and what it will take to keep the data secure.
“Even if the hardware costs are met up front, which is the established method for cost recovery, the ongoing costs of storing and looking after that data will still have to come out of individual end-user customer price rises,” James Blessing, chair of the Internet Services Providers’ Association, said before British Parliament’s Science and Technology Committee earlier this month.
The costs involved in keeping Internet records are compounded by the security risks involved, as any large trove of personal information, which is very difficult to separate from the metadata the law requires collecting, is an enticing target for hackers.
“Even if you are not keeping the content … that data can be very meaningful for someone wanting to use it for nefarious purposes; for example, which bank someone uses would be very obvious,” John Shaw, vice president at the security firm Sophos, told the committee.
The bill has also faced criticism for vague and misleading language that creates a disconnect between the promised policy and what would actually be legislated. For instance, the legislators state that smaller ISPs that don’t have the capacity to store Internet metadata would be exempt from that requirement, but that isn’t made clear in the text of the bill.
“They have indicated … that ISPs would not be expected to log and retain data for which they simply do not have such a capability, and that they would not expect any collection of ‘third party data’ or information from ‘over the top services’,” Adrian Kennard, owner of the ISP Andrews & Arnold, wrote in a letter published on Nov. 25. “However, as the bill, as worded, does not embody these intentions.”
Kennard also objected to the term “Internet Connection Record,” which he regards as so vague as to be practically meaningless.