Apple, Vodafone, EE, O2 and Three identify concerns over draft Investigatory Powers Bill

Data retention, encryption, filtering and backdoors all problematic, parliamentary committee told

Apple and the UK's four biggest mobile network providers have all register their concern over the draft Investigatory Powers Bill - often referred to as the snoopers' charter.

The government has been trying to push through the snoopers' charter in various guises for many years, but hasn't managed to push ahead following vocal complaints from privacy experts that the powers would represent a gross invasion of privacy.

Apple has now passed on its thoughts to the parliamentary committee examining the legislation. It has three main issues. The first is encryption. Apple's iMessage, along with some of its other services, use end-to-end encryption. This means that the company itself, or indeed law enforcement agencies, cannot easily read any messages that they intercept.

At the moment, communications and technology companies are meant to take steps to provide the contents of communications on production of a warrant. However, that does not necessarily mean that companies such as Apple have to redesign their systems to make it possible.

But despite the government suggesting that the Bill wouldn't mean a change to existing legislation, Apple has suggested it is concerned that the Bill's language could mean that it is obliged to create a ‘backdoor' to provide the authorities with access.

"The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers," the Cupertino, California-based firm said in its submission to the committee.

Apple, and its CEO Tim Cook have always maintained that the security and privacy of customer's information is the priority - and it believes that a backdoor would risk that data by creating a weakness that cyber criminals could exploit.

Apple is also concerned that it will be tasked with having to hack into devices remotely or interfere with the hardware itself in order to unearth information belonging to its customers, in secret.

"The Bill as it stands seems to threaten to extend responsibility for hacking from government to the private sector," the company's submission reads.

The final area of concern is of ‘extra-territoriality'. The government wants all companies, no matter where they are based or where the data resides, to comply with warrants for information.

This already exists within British legislation, and the Bill maintains that this will be the case, but US companies fear that if they comply with this then it would create a precedent for other countries too, and this could then conflict with the privacy laws of the countries in which the data is actually housed.

Retaining data will be complicated for mobile networks

Meanwhile, Vodafone's head of corporate security Mark Hughes has told the committee that forcing mobile network operators to be responsible for retention of data - including data from communications apps, such as WhatsApp and Skype - would raise technical difficulties, increase security risks and also make it harder to ensure that the data is accurate.

"At the moment we are really concerned about being able to keep data about a service that has nothing to do with our core business, generating new data about our customers and, especially, stripping electronic protection and decrypting communications passing through the internet," he said.

Hughes suggested that it would make more sense for third-party communication service providers to decrypt communications data for their services, and retain internet connection records (ICRs) under the Bill. This would help to address all of the potential issues that Vodafone and other mobile networks would have if they were responsible for the decryption and retention of data from third party services.

Jonathan Grayling, head of government liaison at EE said that it could take 18 months for it to build the technology that would enable it to retain ICRs because of the complexity involved. Meanwhile, Simon Miller, head of government and regulatory engagement at Three UK, suggested that the filtering system for communications data envisaged under the Bill brings to light a number of concerns.

Under the plans, mobile networks would provide bulk data to a ‘trusted' third party that would filter the data down before handing it over to law enforcement agencies. But Miller and Adrian Gorham, head of fraud and security at O2, were concerned that by sharing the bulk data initially, it could be in breach of their duty of care under the Data Protection Act and Electronic Communications Regulations.

Miller added that the mobile networks have absolutely no detail on what this ‘trusted' third party would look like, or the legal obligations that it would be under.

The mobile networks and Apple aren't the only companies that have filed their responses to the committee: Microsoft, Facebook, Google, Yahoo and Twitter will all also be giving their responses in due course, according to the Financial Times.