Microsoft, Google, Facebook, Twitter and Yahoo have criticised several aspects of the proposed Draft Investigatory Powers Bill in a joint submission to the government as opposition to the controversial legislation continues to mount.
The companies have warned that user trust, information security and the privacy of the public will be at risk if the law is introduced as currently proposed.
“The actions the UK government takes here could have far-reaching implications for our customers, for your own citizens, and for the future of the global technology industry,” the companies warn at the start of the submission.
No encryption backdoors
On the topic of encryption, the submission argues that the current wording of the draft bill could force companies to create ‘backdoors’ that allow access to data, which they say would be disastrous.
“We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption or any other means,” they said.
“We therefore have concerns that the bill includes ‘obligations relating to the removal of electronic protection applied by a relevant operator to any communication or data’ and that these are explicitly intended to apply extraterritorially with limited protections for overseas providers.”
Similarly, on the topic of access to user machines via backdoors built-in by technology companies, ambiguously dubbed ‘computer network exploitation’ in the draft bill, the firms warn that this could have far-reaching and unintended consequences.
“We are concerned that some of the authorities contained in the bill, as currently drafted, represent a step in the wrong direction,” the submission said.
“The clearest example is the authority to engage in computer network exploitation, or equipment interference. To the extent this could involve the introduction of risks or vulnerabilities into products or services, it would be a very dangerous precedent to set, and we would urge your government to reconsider.”
The submission also raised concerns that the law could require firms to generate new data on customers purely to aid law enforcement as and when required, which they believe should not be allowed to happen.
“Some language under the retention part of the bill suggests that a company could be required to generate data, and perhaps even reconfigure their networks or services to generate data, for the purposes of retention,” the firms said.
"No business should be compelled to generate and retain data that it does not ordinarily generate in the course of its business."
The companies also raised concerns that the law could be used to arrest UK employees when seeking data in a way that is not dissimilar to oppressive regimes around the world.
“The bill permits warrants to be served on companies outside the UK in a number of ways, including serving it on principal offices in the UK. Despite Extraterritorial Jurisdiction language, this presents a risk to UK employees of our companies," the submission said.
“We have collective experience around the world of personnel who have nothing to do with the data sought being arrested or intimidated in an attempt to force an overseas corporation to disclose user information.”
The firms also warned that if the UK embarks on such measures it is likely that other nations will adopt similar practices, again putting UK citizens at risk.
"Key elements of whatever legislation is passed by the UK are likely to be replicated by other countries, including with respect to UK citizens’ data," the firms said.
The response from the tech companies is just the latest in a long line of submissions that have warned the government about risks in the proposals.
Information commissioner Christopher Graham gave evidence to parliament on Wednesday, questioning the need for a 12-month bulk data retention requirement on communication service providers, arguing that it will create many risks for UK citizens.
Apple has already raised concerns with any plans to weaken encryption, claiming that it would have several negative effects.
"The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers," the firm said in a written submission published in December.
"A key left under the doormat would not just be there for the good guys. The bad guys would find it too."
Darktrace pushes machine learning to take some of the pressure off of IT and security teams
Google also gets its hands on HTC's IP in a non-exclusive deal
Microsoft, Google and Samsung all targeted as Avast admits to the scale of the CCleaner compromise
Not all loose ends tied yet, admits Bain backer SK Hynix