The draft internet monitoring bill needs “significant work”, a committee of MPs and peers has said.
The draft Investigatory Powers Bill will force internet service providers to store all web activity for a year.
It will also authorise the bulk collection of personal data and hacking of smartphones by Britain’s spies.
Ministers say the changes will help to catch terrorists and tackle organised crime by updating laws to fit the new technology being used by criminals.
But the Joint Committee on the Draft Investigatory Powers Bill said in a report that although the bill was on the right track, the government must address significant concerns if it is to command the support necessary for keeping the records.
The committee said it “has not been persuaded that enough work has been done to conclusively prove the case” for the plans to force communications service providers to collect and store data known as internet connection records.
Ministers must also spell out their plans on encryption to ensure that they will not force tech firms to provide a “back door” for spies, the parliamentary committee said.
The bill was earlier criticised as “a dragnet approach” and “disproportionate” by former Deputy Prime Minister Nick Clegg.
Mr Clegg told BBC Radio 4’s Today programme: “What the Home Office is in essence proposing is that in order to be able to surveil and analyse something, they’re saying they want to collect everything on everyone, and that is a dragnet approach which I’ve always felt is disproportionate.”
He said an analogy of finding terrorist or criminal activity on the internet as being like a needle in a haystack was “comforting”, but that “the reality is a little different.”
“Implying that everyone may be guilty when millions of innocent people are just going about their everyday business free of any wrongdoing at all is… something which is not in keeping with long-standing British traditions,” Mr Clegg said.
“The question is about proportionality. Is it proportionate in a liberal democracy to retain information on everything from the music you download on Spotify, to the app that you open, to the supermarket website that you visit, in order to go after the bad guys? Very few countries, other than Russia that I’m aware of, take this dragnet approach.”
He said he favoured a “narrower approach” to data retention, and that other countries concentrate on collecting data on those people who “flicker on the radar screen of security services in the first place.”
Mass surveillance claims have been hotly disputed by the Home Secretary Theresa May, who says the legislation includes tough new privacy safeguards, such as judicial oversight and warrants.
But her proposal to make service providers store “internet connection records” for 12 months, so that they can be accessed by investigators, has been criticised as vague and confusing.
Tech firms have told MPs it might not be possible to separate out domain names such as bbc.co.uk from individual web pages in the way the home secretary wants.
There are also concerns, expressed by Apple and other tech giants, that the bill will force them to adopt weaker encryption standards.
What new powers are being proposed?
Communications firms – such as your broadband or mobile phone providers – will be compelled to hold a year’s worth of your communications data. This new information will be details of services, websites and data sources you connect to when you go online and is called your “Internet Connection Record”. For instance, it could be your visit to the BBC website from a mobile phone at breakfast and then how you used an online chat service at lunch. It does not include the detail of what you then did within each service. There is no comparable legal duty to retain these records in the rest of Europe, the USA, Canada or Australia – this appears to be a world first.
In simple terms, police say they want to be able to get at these records, going back a year, so that if they get a lead on a suspect, they can establish more about their network or conspiracy.
Under existing law, agencies can already ask firms to start collecting this data – but they can’t access historic information because companies don’t keep it. Police argue that this means many investigations into crime with an online element go cold because they can’t link activity to specific people or devices.
Much of the vast bill is devoted to the activities of Britain’s intelligence agencies, and is focused on making clear the legal basis under which they operate, following revelations by US whistleblower Edward Snowden.
It proposes “equipment interference” warrants, allowing spies to hack into suspects’ smartphones and computers and download data from them, either within the UK or abroad.
Other warrants will cover the downloading of “bulk” databases of personal data, which could include medical records, and the sweeping up of internet traffic passing through the UK for future analysis by GCHQ.
Some of these techniques were not known to the public until recently and were covered by disparate and obscure pieces of legislation, some of which predated the internet.
The draft bill also proposes:
- Giving a panel of judges the power to block spying operations authorised by the home secretary
- A new criminal offence of “knowingly or recklessly obtaining communications data from a telecommunications operator without lawful authority”, carrying a prison sentence of up to two years
- Local councils to retain some investigatory powers, such as surveillance of benefit cheats, but they will not be able to access online data stored by internet firms
- The Wilson doctrine – preventing surveillance of Parliamentarians’ communications – to be written into law
- Police will not be able to access journalistic sources without the authorisation of a judge
- A legal duty on British companies to help law enforcement agencies hack devices to acquire information if it is reasonably practical to do so
- Former Appeal Court judge Sir Stanley Burnton is appointed as the new interception of communications commissioner
Setting out the draft bill in November, Mrs May said it was a “significant departure” from previous plans, dubbed the “Snooper’s Charter” by critics, which were blocked by the Lib Dems.
She said it would “provide some of the strongest protections and safeguards anywhere in the democratic world and an approach that sets new standards for openness, transparency and oversight”.
But the Intelligence and Security Committee, chaired by Conservative MP Dominic Grieve, said earlier this week it did not do enough to protect privacy and “appears to have suffered from a lack of sufficient time and preparation”.
The Home Office will take the scrutiny committee’s report – and that of the ISC and two other committees – into account when drawing up the final legislation to be published later this year.