Last November, home secretary Theresa May published the draft Investigatory Powers Bill, a new law intended to firm up surveillance powers. Now the House of Commons Science and Technology Committee has published a report on the technical aspects of the bill – and found it wanting.

One of the bill’s most contentious elements is a requirement for internet service providers (ISPs) to keep a record of every website their customers have visited in the past 12 months, though not the particular pages within each site. These “internet connection records” (ICRs) would help the police and security services track what people are doing on the web and assist in investigations – and are simply the online equivalent of an itemised phone bill, says May.

Does not compute

The committee heard evidence from ISPs suggesting this is not the case, because ISPs do not routinely collect this data. “The whole idea of an internet connection record does not exist as far as internet service providers are concerned,” said James Blessing of the Internet Service Providers’ Association. The government has said it will provide £175 million over the next 10 years to cover the cost of collecting and storing ICRs, but ISPs fear this won’t be enough, putting their business models at risk.


MPs also expressed concerns that the bill fails to clarify the extent to which companies will be required to remove encryption on their customers’ communications – something that may not be technically feasible – and that collaborating with government hacking (known as “equipment interference”) could lose them customers.

“As legislators, we need to be careful not to inadvertently disadvantage the UK’s rapidly growing tech sector,” said committee chair Nicola Blackwood. “The bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers. This must be put right for the bill to achieve its stated security goals.”