The draft bill has been introduced today and it is quite big, and will take some time to address all of the concerns. Do see Neil's comments as well. Here are just a couple of the concerns so far...
ISPs to generate new data and retain it!
At present it is possible for an ISP to be subject of an order requiring retention of certain data which it processes. This is data the ISP has, and it simply means the ISP has to keep it for 12 months. Thankfully AAISP has never been subject to such an order.
The new scheme seems to require an ISP to actually generate new data, Internet Connection Records which mean logs of the IP addresses and connections. This is a huge step - as an ISP we do not have that data or the equipment to generate or retain that data.
That data is also potentially very sensitive communications data - including details of every web site or service you ever access. Yes, the specific page on www.ashleymadison.com will not be logged, but the site you accessed would be.
Again, the scheme is based on an order to an ISP to retain data so may not extend to all small ISPs. The bill also provides options to challenge any such orders (73), which includes challenging the order on the likely cost and other effect of the notice on the operator (72). At A&A we are proud to state that we have no government snooping equipment or anything to collect and retain this sort of bulk data in our network. We have even made it a contract term that we will give 12 months notice when if we start doing this. Such an impact on our business must be considered as part of any order, as well as the proportionality and benefits of such an order. Of course the bill makes it a duty not to disclose the order - so it would be interested to ask what they want me to do when asked if we are subject to such an order. If you ask now I say no, we are not subject to an order. What is a concern is that, because the orders are secret, nobody knows what is actually being logged anyway!
Yes, they are talking about all sorts of safeguards on who can access this stored data and which data they can access, but that does not stop the fact that there is snooping in the first place.
There is a new definition of "content" of communication (which is not to be logged). It relates to the meaning of the communication itself. This could allow for deep packet inspection to unwrap L2TP, PPP and so on in back-haul carriers and so allow this monitoring to be done in BT or TalkTalk. One wonders if end users will be able to send DPA subject access requests to BT to get a copy of all such retained data.
But let us be clear - this is mass surveillance on everyone and holding that sensitive data in private companies (ISPs). With the recent Talk Talk issues, you can see that this is a concern. The data, even if just a list of web sites you have visited, is valuable to criminals and even marketeers! It will encourage much more sophisticated attacks, even infiltrating staff at companies, to get the data that the law will make ISPs retain.
And, of course, there is a cost to retaining all of this data. It is not a small amount.
The bill does not outlaw encryption or end to end encryption, it just leaves the same as now that a communications provider asked to intercept is expected, where possible, to provide data in an unencrypted form. Apple outside the UK do not have to take any notice of such a law, but if they wanted to, then they could change the keys on iMessage for an individual such that they can intercept. No idea if they would do so.
However, there are end to end encrypted messaging apps which do not make use of a communications provider's systems other than to pass the encrypted data, and such systems will clearly be both legal and safe - so if you respect your privacy (or are a criminal) you simply use such systems and the new law will not be an issue for you.
Will it get through?
The data retention directive was kicked out because it required logging of non-criminals data, so we can only hope this will fail too, but who knows. Talk to your MP!!!
Update: Best tweet I have seen on this:
All new computer science text books will have a chapter on how Alice and Bob can talk to each other without Theresa knowing #IPBill— Alan Bell (@alanbell_libsol) November 5, 2015