The Investigatory Powers Bill could end up costing the UK government more than 1 billion, according to campaigners.
While the Home Office has set aside 174 million over 10 years to reimburse internet service providers required to collect the web browsing histories of all UK citizens, one of the bill's proposals, the Don't Spy On Us coalition said today that the cost will exceed 1 billion.
Basing its figures on a similar scheme that was recently rejected on cost grounds in Denmark, the coalition scaled up the costs proportionally for the UK.
The Danish Government decided to scrap the monitoring plans when Enrst & Young confirmed it would cost 105 million to set up the necessary infrastructure to support the scheme.
With Denmark's population numbering 5.6 million, Don't Spy On Us pegged the costs for the UK's 64 million population at 10 times that figure.
Director of the campaign group, Eric King, called on the government to get an independent cost analysis, saying: "The government is trying to force internet service providers to collect all of our internet connection records but refuses to listen when they express concerns about the cost and feasibility of their proposals.
"As in Denmark, the government should commission an independent cost analysis to clarify the true cost of collecting Internet Connection Records (ICRs). There is no evidence that collecting ICRs makes us safer."
BT Security president Mark Hughes told the Joint Committee of Parliament looking into the Investigatory Powers Bill last December that the 174 million earmarked by the government would only cover BT's costs of creating the infrastructure necessary to comply with the bill, also dubbed the Snooper's Charter.
Virgin Media believes its owns costs will hit tens of millions of pounds.
Lord Paddick, Liberal Democrats spokesman on Home Affairs in the House of Lords, said: "Now that we have a professional estimate that it would cost well over 1 billion in set-up costs alone and could be easily circumvented by criminals for just a few pounds a week, apart from anything else, this represents appallingly bad value for money."
A Home Office spokesman said: ""There are a number of fundamental differences between our Bill and the Danish model, and the independent Joint Committee of Parliament acknowledged this. It is absolutely incorrect to suggest we are implementing the Danish model.
"We have worked closely with communications service providers (CSPs) to carefully estimate the cost of implementing a system to retain internet connection records. And we will continue to work with CSPs to refine that cost as the Bill progresses.
"We are determined to implement the legislation in a way that will deliver the maximum operational benefit for the police and law enforcement agencies. Our proposals provide a comprehensive and comprehensible framework for investigatory powers, with robust safeguards and world-leading oversight."
01/03/2016: Home Office introduces Investigatory Powers bill to Parliament
The Home Office introduced its controversial Investigatory Powers Bill to Parliament today with a number of amendments, amid fears that it is trying to rush the bill through the House without subjecting it to democratic scrutiny.
The government claimed the latest version of the bill, also known as the Snooper's Charter, addresses concerns raised by three separate committees, the last of which, the Joint Select Committee, called it "flawed" and recommended 86 amendments.
"This is vital legislation and we are determined to get it right. Our proposals have been studied in detail by a Joint Committee of both Houses of Parliament established to provide rigorous scrutiny, and two further committees," said Home Secretary Theresa May.
"The revised bill we introduced today reflects the majority of the committees' recommendations we have strengthened safeguards, enhanced privacy protections and bolstered oversight arrangements.
"Terrorists and criminals are operating online and we need to ensure the police and security services can keep pace with the modern world and continue to protect the British public from the many serious threats we face."
However, the majority of the amendments do not change the bill itself, rather creating additional oversight for the proposed legislation.
Key changes include:
- The security agencies will be required to reapply for equipment interference warrants the power to hack computers and telephones every three days, rather than every five days.
- UK security and intelligence agencies cannot request foreign agencies to conduct intelligence for the UK government unless they have a warrant from a Secretary of State and judicial commissioner.
- The government will work with the tech industry to implement the retention of internet connection records (ICRs) by telecoms companies. Six draft statutory codes of practice related to "bulk powers" have also been published alongside the bill.
- It will allow for ICRs gathered by ISPs to be used in "the pursuit of investigative leads".
- Companies will be asked to remove encryption they have applied themselves and "where it is practical to do so".
- Extra protection for journalists' sources
- The Lord Chief Justice will have the power to inform people who have suffered as a result of the inappropriate use of powers.
The government claimed that recommendations that were not implemented were turned down because they "would compromise the capabilities of law enforcement and the security and intelligence agencies".
Following the bill's publication this afternoon, Nigel Hawthorn, European spokesperson for cloud software company Skyhigh Networks, accused the government of risking the wellbeing of British businesses.
"Using the argument of national security as a battering ram, the government is once again taking an approach that will cause more harm than good for businesses," he said. "Encryption is a key capability that makes business traffic safe from prying eyes, and asking companies to weaken, restrict or introduce backdoors is a sure fire way to ensure that sensitive data will find its way into the wrong hands.
"Everyone has a right to privacy, but the government is doing its utmost to take that away."
Antony Walker, deputy CEO of business association TechUK, called for assurances that MPs would have enough time to debate the bill, saying: "The test now is to understand if this bill addresses the very serious concerns that have been laid out by the tech industry and three Parliamentary committees.
"This is a complex bill, with significance for all of us. Parliamentarians must have time necessary to subject it to the maximum parliamentary scrutiny' the Home Office has promised.
"As more details emerge, tech companies are urgently seeking to understand what is being asked of them and the implications for their business, their customers and the security of our digital economy."
29/02/2016: Gov 'rushing Investigatory Powers bill through Parliament'
The government is set to officially introduce the Investigatory Powers bill in Parliament tomorrow, amid claims it is rushing the bill through in order to avoid scrutiny.
The news comes just two weeks after the Joint Select Committee ripped apart the proposed Snooper's Charter, calling it "flawed" and recommending 86 changes to the legislation.
Were it passed in its latest form, the bill would require ISPs to hold details on people's web browsing history for up to 12 months, and force companies to build backdoors into their encryption to give spies access to users' data.
Despite the criticism the bill has received, Home Secretary Theresa May plans to publish it tomorrow, according to the Independent.
A line-by-line debate will then take place on 14 March before the committee scrutinises it on 22 March. A final vote is expected by the end of April.
However, Tory backbencher David Davis accused the government of rushing the legislation through Parliament, giving MPs little time to properly debate the bill.
He told the Independent: "When you work it out, it's a 300-page bill so that's something like five seconds to consider each line on second reading.
"It all keeps with their strategy, which is to rush everything through. They know when they engage with experts they lose. This is the way they will try to get this through on the rush. There's no doubt about it."
The Joint Select Committee has delivered three damaging reports on the bill, criticising a perceived lack of clarity on key issues including encryption, internet connection records, bulk equipment interference powers and extraterritorial reach.
Chairman of the committee, Lord Murphy of Torfaen, said earlier this month: "The Home Office has a significant amount of further work to do before Parliament can be confident that the provisions have been fully thought through."
11/02/2016: "Significant changes" needed in Investigatory Powers Bill
The Investigatory Powers Bill needs a significant amount of work before it can become law, the Joint Select Committee set up to review the proposed legislation has found.
In its report on the bill he committee has made 86 detailed recommendations to the government for revisions to the bill "aimed at ensuring that the powers within [it] are workable, can be clearly understood by those affected by them and have proper safeguards"
These include making it clearer in the text of the bill that companies will not be required to install 'backdoors' in their encryption to enable law enforcement automatic access, which had been a major concern amongst technology firms and civil liberties groups alike.
Other key recommendations include fuller justification of bulk collection of data - an issue that was also raised by the Intelligence and Security Select Committee in its report at the beginning of February - and the need to properly define the Internet Connections Record provision as well as determining if it is, in its current form, actually feasible.
The Joint Select Committee also said it should be illegal for the UK to ask foreign intelligence agencies, such as the NSA, to undertake intrusion they do not have permission to do.
ISPs should also be given financial support by the government to safeguard the security of the data they are forced to retain, however, this should not cover 100 per cent of all the costs data storage.
"There is much to be commended in the draft Bill, but the Home Office has a significant amount of further work to do before Parliament can be confident that the provisions have been fully thought through," said Lord Murphy of Torfaen, the chairman of the Committee.
"In some important cases, such as the proposal for communications service providers to create and store users' internet connection records, the Committee saw the potential value of the proposal but also that the cost and other practical implications are still being worked out," he added.
The industry reaction has largely reacted positively to the report and the recommendations contained within it.
Antony Walker, deputy CEO of industry body techUK said: "We've now had three Parliamentary reports raising serious concerns with this draft Bill. On vital issues like encryption, internet connection records, bulk equipment interference powers and extraterritorial reach all three reports have said that there are still too many aspects that are unclear, poorly defined or just wrong. The Home Office must recognise this and address the fundamental concerns raised by expert witnesses, MPs and Lords."
"We fully support the concerns and recommendations raised by the Joint Committee in the latest parliamentary report. There is a severe lack of clarity around encryption and bulk data collection in the current proposal," said Jacob Ginsberg, senior director of security firm Echoworx.
He reiterated comments made to Cloud Pro earlier in the year that a lack of clarity around backdoors in end-to-end encryption could drive businesses, particularly those involved in storage and the cloud, from the UK, costing the Treasury tens-of-millions of pounds.
Mike Weston, CEO of data science consultancy Profusion also welcomed the report but ultimately said the government "should tear up the IP Bill and start again, developing new legislation in partnership with the tech industry and privacy bodies" adding that the proposed legislation "is in stark contrast with the approach taken by the EU's new data protection legislation".
"While imperfect, [the EU legislation: is, at least, a step towards reinforcing data privacy tor European citizens," said Weston. "The Bill is in closer standing with America's approach to data protection, which is extremely worrying."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.