ISPs tell Commons select committee that £175m budgeted by government for implementation will not cover ‘massive costs’ of collecting everyone’s data

Consumers’ broadband bills will have to go up if the investigatory powers bill is passed due to the “massive cost” of implementation, MPs have been warned.

Internet service providers (ISP) told a Commons select committee that the legislation, commonly known as the snooper’s charter, does not properly acknowledge the “sheer quantity” of data generated by a typical internet user, nor the basic difficulty of distinguishing between content and metadata.

As a result, the cost of implementing plans to make ISPs store communications data for up to 12 months are likely to be far in excess of the £175m the government has budgeted for the task, said Matthew Hare, the chief executive of ISP Gigaclear.

Hare and James Blessing, the chair of the Internet Service Providers’ Association (ISPA), also warned the science and technology committee on Tuesday of the technical challenges the government would face in implementing the bill.

Hare said: “On a typical 1 gigabit connection we see over 15TB of data per year passing over that connection … If you say that a proportion of that is going to be the communications data, it’s going to be the most massive amount of data that you’d be expected to keep in the future.

“The indiscriminate collection of mass data is going to have a massive cost,” he added.

When asked by Labour’s Jim Dowd MP whether it would be feasible to comply with the collection regime, Blessing said that ISPs would “find it very feasible – with an infinite budget”.

“The bill appears to be limiting the amount of funds available to a figure that we don’t recognise would be suitable for the entire industry to do it,” he said, adding that “the ongoing costs of looking after the data … will have to come out of price-rises”. The government’s proposal to pay for the up-front equipment costs would not cover ongoing expenses such as power or cooling, Blessing told MPs.

For Hare, the other major problem is that separating “metadata” from “content”, as the law mandates for the purposes of mass surveillance, is a very difficult technical challenge.

Facebook Twitter Pinterest ‘The bill appears to be limiting the amount of funds available to a figure that we don’t recognise would be suitable for the entire industry to do it,’ said chair of the Internet Service Providers’ Association, James Blessing. Photograph: Philip Toscano/PA

For a simple connection like a phone call, the difference is easy: information like the number dialled and length of the call is clearly metadata, while the audio transmitted over the line is clearly content. But for a typical internet user, a number of different services are being used at any one time, and they all blur the lines between the two categories.

“The web isn’t a single application, that’s the fundamental problem I’ve got,” Hare said. He outlined a common scenario: “A teenager is currently playing a game using Steam, that’s not a web application … and then they’re broadcasting the game they’re playing using something called Twitch. They may well also be doing a voice call where they’re shouting at their friends, and those are all running simultaneously. At any one time any of those services could drop in, drop out, be replaced.”

John Shaw, the vice president of product management at British security firm Sophos, added another concern from his industry: that other requirements in the bill could scare custom away from the UK.

The law incorporates language which requires communications service providers to obey government requests for building ongoing technical capability for the enactment of interception warrants, including by removing “electronic protection” from their communications.

Shaw warned that “for UK-based companies that serve non-UK customers, there’s some evidence, from what is happening to Microsoft right now in the US, that that can really undermine the trust of non-UK customers” in the ability of the British companies to do their work without government interference.

Hare added: “if I was a software business, I would be very worried my customers would not buy my software, because [they] would be worried that there was a backdoor built into this software that would allow the UK to look into my software”.

While the so-called “technical capability” clauses are similar to those already on the books through 2000’s Ripa legislation, Shaw warned that the definitions applied in the new bill had the potential to expand the remit far beyond traditional ISPs. Other technology firms have told the Guardian that the clause could effectively end strong encryption in the UK.

Meanwhile, in a presentation in Brazil, the UN’s special rapporteur on privacy, Joe Cannataci, attacked the government’s defence of the data-collection aspects of the bill.

“One of the most misleading comments I have heard about this,” he said, “is one which said we don’t really have to worry about it, because all we are doing is giving our security services the same powers they have today over our telephone. Which sounds OK at first, but it’s not, because it takes it completely out of context.”