Investigatory Powers: Expect less scrutiny now Theresa May is Prime Minister

With Theresa May becoming Prime Minister, the Investigatory Powers Bill (IP Bill), which she championed as Home Secretary, raises serious questions as it heads to becoming law.

The controversial plan to put surveillance on a stronger legal footing would compel internet service providers to store people's web browsing histories for up to one year, and force software providers to build backdoors into encryption.

The so-called 'Snooper's Charter' may be under the aegis of new Home Secretary Amber Rudd, but the plans have changed little and, with an opposition in disarray, look unlikely to be questioned as much as they should be.

"Theresa May is the poster girl for UK surveillance and she will no doubt continue this approach as Prime Minister," says Brian Spector, CEO at online identity firm Miracl. "When it comes to the IP Bill, we can only hope that the peers and lawyers who have final review can scupper its passage through Parliament with more scrutiny and conviction than our MPs did back in March [when 444 MPs voted it through the House of Commons]."

He says that, given that most people now place all their personal data online, the IP Bill would grant enormous surveillance capabilities to the government.

"If the legislation proceeds, it could undermine trust in the internet as a whole, from service providers, to device manufacturers, to the apps we use as part of our everyday lives," he adds.

Serious implications

There are also serious implications, warns Spector. "Under the proposals, [companies] would be legally bound to help UK police and security services access an individual's device. What's more, the current wording of the bill means that any software made by a British company could soon be perceived to be facilitating government spying on its customer's data."

This would have enormous repercussions by making it much harder for British technology and information security companies to compete globally, according to Spector.

Dave Levy, associate partner at IT advisory group Citihub Consulting, tells IT Pro that MPs were unlikely to give the bill the proper scrutiny it needs.

"I don't think the change in Prime Minister will make much difference except that May is the ex-Home Secretary and will have a much finer and more accurate judgement about the feasibility and political cost of getting the bill through," he says.

"Also, it's gone through the Commons and so it will only require to be considered again if the Lords make amendments, which given the majority it had in the Commons on the third reading because Labour supported it, I think it's unlikely."

One worrying aspect, much underestimated, is that the IP Bill proposes giving the intelligence services immunity from criminal liability for actions such as hacking that would be illegal if conducted by others, he points out.

"This throws up a civil liberties issue. Possibly, it will make IT security research harder to perform within the law. If so, researchers will move to a more conducive regulatory jurisdiction," says Levy.

Encryption issues

Jake Madders, director at managed cloud hosting company Hyve, believes the policies around data protection and encryption present particular challenges.

"Cybersecurity and data protection are core considerations for a huge range of digital businesses, with encryption of data being among the most pertinent," he says. "Removing encryption could mean that tech companies become an even bigger target for hackers. Organisations like ours adhere to the governance provided by the Data Protection Act, ISO 27001, PCI DSS standard, and via the government accreditation, G-Cloud, among others. This would all have to be reconsidered if the 'back door' to encryption the bill seeks was to appear."

Jacob Ginsberg, senior director at email encryption firm Echoworx, says that the bill undermines the fundamental right to privacy.

"There is a severe lack of clarity around encryption backdoors and bulk data collection in the bill, which will have far-reaching ramifications," he says. "Businesses need to be reassured that backdoors will not be built into encryption solutions.

"If this is not clearly defined, cloud and hosting companies will simply move their data to jurisdictions that the bill cannot influence. This could destroy the UK's data storage market, driving out over 10 billion worth of business."

Ginsberg adds that the speed at which the bill was rushed through parliament, and now through the House of Lords, undermines all of these concerns. "With Theresa May's recent appointment, further scrutiny and changes are extremely unlikely."

Handing our data to cybercriminals

Valuing anti-terrorism above encryption does not mean the government is making our data more susceptible to hacking, according to Jonathan Parker-Bray, CEO and founder of encryption app Pryvate.

"Business interests are quite selfish in this regard and will ensure that they have sufficient levels of protection in place for their customers to protect them from cyber attacks," he says.

The culpability in a breach falls on the company, not with the government, he adds, saying this means that companies have lots of incentive to defend their users from attacks or risk losing business.

"Whilst the government wishes to create a situation where data can be requested from companies with a warrant, the fact is that in many cases this won't be possible, and any attempt to weaken encryption will receive massive pushback from businesses throughout the country and their international partners," he says.

What next?

The issue of Brexit has grabbed most of the government's time now and for the foreseeable future. Lee Munson, security researcher at Comparitech.com, says he suspects that the IP Bill may not be quite as high on the agenda as it otherwise would have been.

"It may also no longer be a legacy the new PM wishes to associate with; she has, after all, quickly demonstrated how she wishes to separate herself from the Cameronista policies of yesterday," he points out.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives.