The world’s biggest technology companies are concentrating their legal firepower on a controversial surveillance law being proposed by the UK government. If the law is passed, the companies say, it could have severe repercussions on their businesses globally—in some cases forcing them to hack their own users.
Yesterday (Jan. 7) the legislative body overseeing the Investigatory Powers draft bill published a joint submission from Google, Facebook, Microsoft, Twitter and Yahoo. Apple made an individual submission, as did Mozilla, the maker of the Firefox browser. The dozens of responses also included submissions from domestic carriers Vodafone and EE.
What’s making tech companies nervous are clauses in the bill that they say would lead to ”extraterritorial jurisdiction”. These clauses deal with warrants for targeted or bulk collection of data. If the bill is passed, companies outside the UK will have to comply with a warrant to intercept or provide decrypted data. In its submission, Apple gave the example (pdf) of its Irish subsidiary being made to hand over a German user’s data if it was served with a UK bulk warrant.
It means that a US firm would have to hand over data stored in a third country, even if it broke laws there, to the UK if a warrant is presented.
It also means warrants can be served to a US company’s employees in the UK, presenting a “risk” to those staffers, the companies said. They added that they had experience in other countries where their local staff were arrested or intimidated to supply information about their users.
“We do not believe that the UK wants to legitimize this lawless and heavy-handed practice,” the joint statement from Google, Facebook and the others (pdf) said.
The bill also provides for “equipment interference”—basically hacking—by the government in the event of a warrant being served, which Apple says is an unprecedented move. “We believe the UK is the first national government to attempt to provide a legislative basis for equipment interference,” the company said in its submission (pdf).
Mozilla’s submission noted that the draft law could force it to ship malware to its users without telling them, making it especially problematic since it’s an open source project that relies on the principle of transparency in its code.
“The simple truth is that the type of services and technologies that have emerged from places like Silicon Valley are now very directly affected by the public policy debate in the Palace of Westminster,” said Eduardo Ustaran, a Hogan Lovells partner who works on global privacy issues.
Domestic carriers Vodafone and EE also questioned whether the bill’s demands are even technically feasible. Since many of the Valley companies encrypt their data, the carriers say they can’t be held responsible for decrypting this data. “Removal of this third party encryption is likely to be close to impossible from a technical perspective,” Vodafone’s submission (pdf) warned.
The tech companies aren’t being entirely altruistic in maintaining user privacy. The more trusted they are by users, the better their accounts. But it’s not just the tech firms who should be worried about profits and costs. Both EE and Vodafone have made it clear in their individual submissions that they expect the UK government to pick up the tab for any work they’ll have to do if the new law is passed. That’s likely to be a hefty bill north of the £174 million initial estimate.