The Government-appointed information watchdog has criticised Theresa May’s spying plans, arguing that they could lead to the exposure of personal information and are of “real concern”.
The upcoming Investigatory Powers Bill gives spies sweeping new powers, and forces internet companies to keep records on all of their users. Parts of the law also seem to suggest that the Government will make companies weaken their security so that intelligence agencies can read messages.
The Government has claimed that the law is written to keep people safe and that the powers are limited and safeguarded. But the Government’s own appointed figure has said that the powers could be damaging.
On the day the Investigatory Powers Bill was presented to parliament, Theresa May claimed that encryption would not be banned and that the law would be safe.
“It will not compel overseas communications service providers to meet our domestic retention obligations for communications data,” Ms May said of the law. “And it will not ban encryption or do anything to undermine the security of people’s data.”
All of those claims have been criticised by a range of technology companies. And now the ICO has said that parts of the law that touch on encryption are of “real concern”.
“If the possible obligations surround the weakening or circumvention of encryption then this is matter of real concern,” the office writes in its submission to a parliamentary committee that is scrutinising the bill.
“The Information Commissioner has stressed the importance of encryption to guard against the compromise of personal information. Weakening encryption can have significant consequences for individuals.
“The constant stream of security breaches only serves to highlight how important encryption is towards safeguarding personal information. Weakened encryption safeguards could be exploited by hackers and nation states intent on harming the UK’s interests.”
The office also says that the way that the law is written is “unclear” and that it is not possible to assess the powers fully because they are not specific enough.
As well as the encryption parts of the law, the commissioner criticised the Government’s claims around internet connection records. If passed, internet companies will be required to store information about their users for a year, in case spies want to look over them.
The Government has likened that data to phone records, since it shows such limited information. But the submission criticises the argument and says that in fact they could be much more expansive.
“Although these are portrayed as conveying limited information about an individual they can, in reality, go much further and can reveal a great deal about the behaviours and activities of an individual,” the office wrote. “Such records would show particular services that are connected to and this could be a particular website visited although not the pages within them.
“This could lead to a detailed and intrusive picture of an individual’s interest or concerns being retained and then disclosed.”
The Information Commissioner’s Office is an independent body that was set up to look after the information of the public. It reports to parliament and is sponsored by the Department for Media, Culture and Sport.
The office is entirely independent but it is rare that members publicly criticise government decisions.
The submission were presented to the same committee that has heard criticism of the bill from companies including Apple and Google. Those companies have raised some of the same concerns — that they may be forced to hack into people’s phones and make them less secure so that spies could have access to communications.
Join our new commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies