The home secretary, Theresa May, has been told by peers and MPs that her £1.8bn internet monitoring proposals will be a "honeypot for hackers and criminals around the world" and that she must bring in prison sentences for those who hack databases.

May has spelled out for the first time the expected timetable for the introduction of the communications data bill, indicating that she intends it to reach the statute book before the next general election and be "in play" within a few years.

The controversial web monitoring proposals in the bill, which opponents call a "snooper's charter", will require internet and phone companies to track the records of every citizen's web and mobile phone use, including social networking sites, without retaining their content, and store them for 12 months.

May told parliament's joint committee scrutinising the draft version of the bill that she expects the actual legislation to be introduced later this parliamentary session, which is to run until next summer, and then be carried over to the next session, reaching the statute book by 2014.

The committee heard from senior police officers this week that the web monitoring plan was a vital operational tool in infiltrating criminal gangs and tackling security threats in a world where rapidly changing technology meant the authorities were losing the ability to keep track of criminal suspects.

Sir Peter Fahy, the Greater Manchester chief constable, said being able to monitor the basic details of who was talking to whom was "absolutely vital" in "proving associations between criminals". The Home Office has argued that, as technology changes and new platforms emerge, the authorities' ability to keep track of suspects has degraded by as much as 25%.

But peers and MPs on the joint committee raised fears that the massive increase in the storage of sensitive personal data required could lead to invasion of privacy on a new scale, and be open to criminal attack.

A Liberal Democrat peer, Lord Strasburger, described the proposals as a "honeypot for casual hackers, blackmailers, criminals large and small from around the world, and foreign states".

A former Labour minister, Nicholas Brown, said the public were frightened they "were going to be spied on" and that "illegally obtained" information would find its way to the public domain.

He supported a call from the Information Commissioner for the enactment of powers already on the statute book to impose prison sentences of up to 12 months, and not just heavy fines, for those who unlawfully obtain personal data.

The home secretary agreed to look at the detail of the custodial powers specified in sections 77 and 78 of the 2008 Criminal Justice and Immigration Act, which carry a public-interest and investigative-journalism defence for those who "blag" access to confidential personal information. The issue is one that Lord Justice Leveson is also expected to pronounce upon.

May also agreed to reconsider the terms of clause 1 of the bill, which would give her very widely drawn powers to make orders requiring internet and phone companies to hand over an individual's communications records to "relevant public authorities".

May said that this would mainly be used for tackling terrorism, serious crime and paedophilia, but added that the government needed flexibility in the legislation to meet rapid changes in technology and ensure the bill was not outdated by the time it passed. However, the committee made clear that it was this desire to "future-proof" the legislation that was causing the most public alarm.

The home secretary sidestepped questions about how she felt about Britain becoming the first democracy to use the kind of "deep packet inspection" web monitoring system so far only used in China, Iran and Kazakhstan.

But May insisted it was a myth that the state was going to read everyone's emails: "There is a limited scope for the data we want to have access to. We have been very clear about that at every stage. The police would have to make a clear case for requesting access to data when there was an investigation that required it.

"The aim of this is to ensure our law enforcement agencies can carry on having access to the data they find so necessary operationally in terms of investigation, catching criminals and saving lives."

Police made urgent requests for communications data in 30,000 cases last year and between 25% and 40% of them had resulted in lives being saved, May said. "I think that matters to the public," she told the committee.