The Intelligence and Security Committee of Parliament (ISC) has branded key sections of the UK government's Snoopers' Charter "inconsistent and largely incomprehensible" in its latest assessment of the draft Investigatory Powers Bill.
The controversial surveillance proposals, first released in November 2015, aim to bulk up the powers available to government, police and UK intelligence agencies while putting existing spying techniques under one legal framework.
Now, the committee, which has oversight of the UK intelligence community including the activities of MI5 and the Government Communications Headquarters (GCHQ), has openly slammed a number of proposals included in the bill, including plans to enhance the collection of communication metadata.
"A missed opportunity"
For collection of this data, which is the information surrounding a communication – i.e. time, date, phone number – but not the content – law enforcement can use a number of methods from individual requests to service providers to so-called 'bulk interception'. Yet according to the committee, the different methods are not authorised in a consistent manner.
The committee argues that, in terms of collection, the channels available vary from agency to agency, leading to confusion and an uncertain 'authorisation procedure'. This, the committee argues, is a missed opportunity.
"For example, if an MI5 officer wishes to make a direct request to a CSP [communications service provider] for communications data, this request would be submitted to a Designated Senior Officer for authorisation. In contrast, where Communications Data is being examined under a Bulk Acquisition warrant, the draft Bill contains less detailed provisions as to how an MI5 officer is to obtain authorisation," the report explains.
"As a result, there are a variety of different safeguards and authorisation procedures for obtaining and examining the same information. This is a missed opportunity to clarify procedures and provide the 'enhanced, consistent safeguards' that the new legislation is intended to provide."
Furthermore, the report warns the complex nature of who can request or gather data as a result of 'bulk interception' is "inconsistent and largely incomprehensible".
"The Committee recommends that the same process for authorising the examination of any Communications Data (including Related Communications Data) is applied, irrespective of how the agencies have acquired the data in the first instance," it adds.
Taking into account the Edward Snowden revelations in 2013, in which the former NSA-contractor-turned-whistleblower exposed the vast snooping apparatus used across the globe, the committee wrote in its assessment that privacy concerns do not appear to be a high priority for those sculpting the bill.
"Given the background to the draft Bill and the public concern over the allegations made by Edward Snowden in 2013, it is surprising that the protection of people's privacy – which is enshrined in other legislation – does not feature more prominently," the report states.
"One might have expected an overarching statement at the forefront of the legislation, or to find universal privacy protections applied consistently throughout the draft Bill.
"However, instead, the reader has to search and analyse each investigatory power individually to understand the privacy protections which may apply. This results in a lack of clarity which undermines the importance of the safeguards associated with these powers."
In light of this, the committee said that privacy protections should "form the backbone" of any further draft legislation. "Whilst recent terrorist attacks have shown the importance of the work the agencies do in protecting us, this cannot be used as an excuse to ignore such important underlying principles or unnecessarily override them. Privacy considerations must form an integral part of the legislation, not merely an add-on," the intelligence oversight experts state.
Other key sections that face increasing scrutiny include the collection of so-called internet connection records (ICRs), targeted interception by cyber spooks and the scooping up of controversial bulk datasets by GCHQ.
In response to the report, Antony Walker, deputy chief executive of techUK, which represents over 850 companies, agreed with the assessment of the committee that the bill still "lacks clarity on fundamental issues".
"As we move towards a more connected world, security is paramount. Anything that forces companies to create or allow vulnerabilities in their systems is a huge concern and could damage public trust and have a direct impact on global perception of the UK as a home for innovation and investment," he said.
"These concerns are reinforced by the ISC report, which calls for clarity on the effect on end to end encryption, and we urge the Home Office to take its findings on board."
The ISC is not the first committee to find concerns within the text of the draft legislation. Earlier in February the science and technology committee of the House of Commons claimed that, upon investigation, the proposals are ambiguous and lack transparency.