Home Secretary Theresa May's internet monitoring plans need "significant work", a committee has ruled.
The draft Investigatory Powers Bill will force internet service providers to store all web activity for a year.
It will also authorise the bulk collection of personal data and hacking of smartphones by Britain's spies.
Ministers say the changes will help to catch terrorists and tackle organised crime by updating laws to fit the new technology being used by criminals.
But civil liberties campaigners claim the measures contained in it amount to mass surveillance of UK citizens - and that the committee's report meant the home secretary needed to go "back to the drawing board".
Shami Chakrabarti, director of Liberty, said: "This report shows just how much homework the government has to do on this landmark legislation."
Labour's shadow home secretary Andy Burnham has written to Mrs May to say that while Labour supports the overall aim of the bill - to give police and security services the powers they need - the government must now take time to reconsider its plans to ensure they strike "the right balance for our security and privacy".
Mrs May said the government would "carefully consider" the conclusions of three committees which have reported on the Bill before presenting its final proposals.
"This is vital legislation, and we are absolutely determined to get it right.
"Our draft Bill followed three independent reports on investigatory powers, whose authors were unanimous a new law was necessary.
"We are clear we need to introduce legislation which responds to the threats we face in the digital age, protects both the privacy and security of the public, and provides world-leading oversight and safeguards."
Analysis by BBC Security Correspondent Gordon Corera
Everyone agrees a new law governing surveillance powers is required but the devil is in the detail, as a series of parliamentary reports have illustrated.
The existing law, all agree, is complex and lacking in transparency but all the signs are that the new one has not yet overcome this problem entirely.
The issue now is how far the Home Office takes on board some of the criticisms and whether there is enough time to do so - a final bill is due to be introduced soon so that it can be debated and passed by the end of the year.
The Joint Committee on the Draft Investigatory Powers Bill said in a 194 page report it was satisfied the value of so-called Internet Connection Records to law enforcement agencies "could outweigh the intrusiveness involved in collecting and using them".
But it echoed concerns from tech firms about the feasibility of protecting users' privacy in the way Mrs May has promised, by only collecting the names of websites visited, rather than individual web pages.
The committee was told this might not be technically possible, but it said the Home Office was working with the industry to find a solution.
Ministers must also spell out their plans on encryption to ensure that they will not force tech firms to provide a "back door" for spies, the parliamentary committee said.
And the Home Office must also provide greater justification for the sweeping up of emails and other internet traffic passing through the UK by the security services, as revealed by US whistleblower Edward Snowden, and other so-called "bulk" data gathering exercises.
Committee chairman Lord Murphy of Torfaen said the Home Office had a "significant amount of further work to do before Parliament can be confident that the provisions have been fully thought through".
The bill was criticised as "a dragnet approach" and "disproportionate" by former Deputy Prime Minister Nick Clegg, who blocked Mrs May's previous attempt to pass spying legislation, dubbed the "snooper's charter" by critics, when he was in government.
The Lib Dem MP told BBC Radio 4's Today programme the Home Office wanted to "collect everything on everyone" in order to find the information on suspected terrorists or criminals they are looking for.
"Implying that everyone may be guilty when millions of innocent people are just going about their everyday business free of any wrongdoing at all is... something which is not in keeping with long-standing British traditions," Mr Clegg said.
He asked if it was "proportionate in a liberal democracy to retain information on everything from the music you download on Spotify, to the app that you open, to the supermarket website that you visit, in order to go after the bad guys?"
He said he favoured a "narrower approach" to data retention, and that other countries concentrate on collecting data on those people who "flicker on the radar screen of security services in the first place."
Much of the vast bill is devoted to the activities of Britain's intelligence agencies, and is focused on making clear the legal basis under which they operate, following Edward Snowden's revelations.
It proposes "equipment interference" warrants, allowing spies to hack into suspects' smartphones and computers and download data from them. either within the UK or abroad.
Other warrants will cover the downloading of "bulk" databases of personal data, which could include medical records, and the sweeping up internet traffic passing through the UK for future analysis by GCHQ.
Some of these techniques were not known to the public until recently and were covered by disparate and obscure pieces of legislation, some of which predated the internet.
The draft bill also proposes:
- Giving a panel of judges the power to block spying operations authorised by the home secretary
- A new criminal offence of "knowingly or recklessly obtaining communications data from a telecommunications operator without lawful authority", carrying a prison sentence of up to two years
- Local councils to retain some investigatory powers, such as surveillance of benefit cheats, but they will not be able to access online data stored by internet firms
- The Wilson doctrine - preventing surveillance of Parliamentarians' communications - to be written into law
- Police will not be able to access journalistic sources without the authorisation of a judge
- A legal duty on British companies to help law enforcement agencies hack devices to acquire information if it is reasonably practical to do so
- Former Appeal Court judge Sir Stanley Burnton is appointed as the new interception of communications commissioner