The Draft Investigatory Powers Bill finally sets out the powers government authorities have to ‘intercept communications, acquire communications data and interfere with equipment’. It is thanks to Snowden that this legislative recalibration is taking place, and that we have a chance to subject the legislation to public and parliamentary scrutiny.
I assume that fellow readers of the draft bill agree with me on the following principles: that authorities should have robust powers, benefitting from technological expertise, to surveil, interrupt, and prosecute serious criminals; and that in the course of protecting the public, those authorities commit to protect the freedoms and rights that provide the public with liberty and safety – things that some serious criminals seek to undermine.
The entry of this bill into parliament is an overdue, and incredibly important opportunity to debate the provisions, powers and limits authorities have to collect, intercept, analyse and share data and communications. It is deeply concerning that in the wake of the horrific tragedy in Paris, several parliamentarians from major parties and some journalists have rallied for the fast-tracking of this legislation as some kind of a response. As you can see from my Twitter exchange with Telegraph columnist Dan Hodges, no one has yet been able to explain how evading the due course of democratic procedure would be an appropriate response to this terrorist attack – especially given that the draft bill seems not to add any new, as yet out of reach, powerful instruments to the arsenal of targeted surveillance tools. However, the draft bill would seem to embolden mass surveillance (and even mass hacking) – a totalitarian practice that, before Snowden blew the whistle and revealed the existence of mass surveillance practices, security experts and commentators had widely agreed was counter-productive in anti-terror surveillance efforts. The bill also gives us an opportunity to discuss important issues such as warrants, protections for privileged communications, the use of intercept in court, and safe storage of the population’s data.
The Draft Investigatory Powers Bill: Key Issues
The vague wording throughout the IP Bill has critics calling it a carte blanche for snooping, allowing past and future forms of mass surveillance and intrusive surveillance.
Protecting information by the requirement of a warrant to both collect and access information is an essential protection against the government’s practice of mass surveillance. Strictly warranted surveillance is exactly the type of surveillance we need to deal with crime in a modern democracy.
However, the warrants outlined in the draft IP Bill seem to be little more than gestural, lacking a strict legal framework. Specifically, they appear to authorise the Secretary of State to condone surveillance according to her unguided personal judgement.
‘Necessary and proportionate’?
Law enforcement agencies can seek warrants, and the Secretary of State can authorise warrants, when it is deemed ‘necessary and proportionate’ to do so for one of three statutory purposes: in the interests of national security; for the prevention and detection of serious crime; or in the interests of the economic well-being of the UK.
The phrase ‘necessary and proportionate’ is used to describe the otherwise undefined threshold for which warrants should be granted around 40 times in the draft bill. The government needs to make a serious effort to provide a much clearer legal threshold – our fundamental liberties are at stake.
‘Flexible’ meaning of ‘national security’
The three statutory purposes for authorising warrants remain vague. Firstly, and most necessary, is surveillance for the purpose of ‘national security’. Whilst we would agree in principle that ‘national security’ is an appropriate justification for surveillance, the term must be clearly defined if it is to justify intrusive surveillance. The public is currently only too aware of the grotesque abuses, past and present, of ‘national security’ interpretations as a justification for human rights abuses. For government policy making, national security is generally taken to refer to ‘the security and well-being of the United Kingdom as a whole’, including its citizens and its systems of government. However, MI5 explains that national security is not defined in UK or European law in order to ‘retain the flexibility necessary to ensure that it can adapt to changing circumstances’ – but should our human rights be treated with such flexibility?
Mass surveillance as a crime ‘detection’ tool…?
Secondly, snooping warrants can be authorised for the purpose of ‘preventing and detecting serious crime’. This wording is a cause for concern, not only because it is so vague, but also because it suggests that surveillance could be legitimately used as a crime detection tool, further reducing the necessity of reasonable suspicion before a citizens’ privacy is violated. Concern may be heightened when one looks at the Government’s recently published Disruptive and Investigatory Powers Transparency Report. The report reveals that of the 2,795 interception warrants authorised in 2014, 68% were for the ‘prevention and detection’ of crime, whilst only 31% were for ‘national security’. Interestingly, also in 2014, 78.5% of communications data acquired was for the purpose of ‘prevention and detection of crime’, whilst only 15% was for ‘national security’. We need to know what its extent and limits are.
Authorising warrants is a full time job
The Secretary of State insists on continuing to exercise her judgement over interception warrants, and has ensured again in this draft bill that it is ultimately only she who can authorise them (more on the judicial authorisation/the farcical “double lock” later). But exercising judgement over interception warrants is a full time job. If the Secretary of State did indeed authorise 2,795 interception warrants last year, that would amount to approximately 14 authorisations per working day in Parliament. Were she to spend a mere half hour on each warrant (not very long to evaluate evidence and sign away a group, family or individual’s basic right to privacy) that would take 7 hours a day. It doesn’t quite add up, does it? At worst, she is rubber-stamping the requests of law enforcement agencies; at best, she is compromising her roles as Secretary of State and Member of Parliament to oversee the state’s surveillance activities. Nevertheless, citizens’ fundamental liberties and human rights should be protected by the rule of law – not by one politician’s discretion. That means we need a much clearer, more stringent legal framework for warranting surveillance and effective judicial authorisation.
No warrant necessary to intercept your communications for overseas requests
It appears that the government does not need a warrant to intercept communications in accordance with overseas requests under international agreements (see s39, p.75).
This offers no safeguards for UK citizen’s privacy, and seems to leave open a familiar loophole for warrantless international surveillance.
Judicial Authorisation – the lack of
Theresa May’s promise of ‘double lock’ authorisation for surveillance warrants, involving approval from both herself and a Judicial Commissioner, was received with much praise and approval from parliament and the press. However, this represents perhaps the most blatant attempt to evade the advice from independent reviewers and civil liberties groups under the shroud of hugely misleading spin.
The Judicial Commissioner is tasked with ‘approving’ a decision made to authorise a warrant, but has no involvement in the decision making itself. In doing so, s/he ‘must apply the same principles as would be applied by a court on an application for judicial review’. That is, the Judicial Commissioner will approve warrants on the basis that the politician made the decision according to procedure – not on the basis of whether the right decision was made.
It is not a ‘double lock’ in any sense – there remains one lock. The Judicial Commissioner merely approves the Secretary of State on the basis that she ‘locked’ according to the usual procedure.
‘Urgent’ unauthorised warrants
It may be that a warrant needs to be issued as a matter of urgency, without the Judicial Commissioner’s authorisation. In this case, the Judicial Commissioner can choose whether or not to retrospectively authorise the warrant (bear in mind this is rubber-stamping anyway and does not involve decision making).
In the extraordinary circumstance that a Judicial Commissioner would not retrospectively authorise an urgent warrant, there is little to no consequence: there are no necessary repercussions for the Secretary of State; the data collected may still be retained and used; and the victim/s of the intrusion need not be informed of the violation (s21, p.62).
In one circumstance, the Judicial Commissioner’s retrospective authorisation process may not even be required. If it is decided that the urgent warrant will be renewed as a normal authorised warrant, the Judicial Commissioner does not have to retrospectively authorise the urgent warrant (s20.4, p.62). Whilst judicial authorisation is very minimal, this leaves a space in which politicians could issue urgent warrants without observation to usual procedures and without even minimal judicial oversight. This also means that information gathered under an urgent warrant could theoretically be used to justify an application for continued surveillance.
Journalistic protection – there is none
The tragic effect of journalists reporting directly from government briefing can be seen in the reams of press reporting that the draft IP Bill offers special protections for the communications of those in sensitive professions, such as journalists, lawyers and doctors. This is without foundation.
The real news is this: the draft IP Bill grants the government the power to uncover journalist’s sources, and to intercept journalists’, lawyers’ and doctors’ privileged communications.
There are no specific journalistic protections. It is merely suggested in the accompanying draft Code of Practice, that ‘confidential journalistic material’ should receive ‘particular consideration’. That is it – there are no protections. Rather, the government is asserting its right to undermine privileged, sensitive communications we previously had agreed are essential to protect fundamental rights (to a free press, to free expression, to a fair trial…) and to safeguard a functioning democracy.
Protections for MPs’ communications
Also essential to the functioning of a parliamentary democracy is that constituents should have access to private conversations with their Member of Parliament (MP). As many readers know, this principle was enshrined in the Wilson Doctrine, which set a convention (part of constitutional law in the UK) that MPs’ conversations with constituents should not be surveilled by the government. Of course, it is extremely challenging to protect the Wilson Doctrine in the context of mass surveillance. However, the draft bill has been briefed as offering extra protection for MPs’ communications.
Before the Secretary of State authorises a warrant to intercept an MP’s communications, she must consult the Prime Minister.
Good luck to the opposition.
The problem with political, rather than judicial, protections is that they tend to protect politicians rather than the law.
Intercept evidence still inadmissible in court
It is illogical that important intercept product gathered in the fight against terrorism, paedophilia and serious crime, is strictly prohibited from being used as evidence in court to convict serious criminals.
The government is so unbendingly committed to keeping intercept evidence out of court to avoid a “damaging” public debate on its surveillance methods, that it chooses to let multi-million pound cases collapse (even in this case, involving conspiracy to murder police and prison officers) in order to do so.
Liberty says that this ‘serves to highlight how removing the admissibility ban could play an important role in keeping the surveillance activities of the state in lawful check’. Liberty also pointed out that The Chilcot Review, the Joint Committee on Human Rights, three former Directors of Public Prosecutions, a former Attorney General and even the former director of M15 Dame Stella Rimington have reached the conclusion that intercept can and should be used.
Even intercept offences are off limits…
In summary, the draft bill says that ‘no evidence may be adduced, question asked, assertion or disclosure made or other thing done’ that could suggest interception may have or may be going to occur, or which could disclose: any information regarding warrants; intercepted content; communications data; information regarding the UK’s assistance in providing content and communication data to other countries; (this is astounding) any breaches of the Secretary of State in authorising the collection of data in the UK or in requesting data from partner states; or any interception-related breaches by anyone involved in the interception (authorities, CSPs, etc. – s42, p.78-9).
‘A disturbing precedent’ for data retention
Part 4 of the draft bill outlines that communication service providers (CSPs) can served with notices to retain communications data for up to 12 months. This follows the EU Data Retention Directive (2006) that said member states should retain communications data for 6-24 months – but this was invalidated in 2014 on the basis that it breaches human rights (see below*).
The shift for CSPs to take responsibility for storing masses of citizens’ detailed, intimate data has been met with great concern. A series of prolific hacks of public data troves (the UK is the most cyber-attacked country in Europe and the second most hacked globally; see also the Talk Talk hack, the Vodafone hack) does little to reassure the public that its deeply private data will be protected. Furthermore, putting this responsibility on CSPs, many of which are not based in the UK, means the government is attempting to achieve the extraterritorial effect of UK law. CSPs are not very pleased about this, and it was noted in Anderson’s Investigatory Powers Review that this sets ‘a disturbing precedent’ for other, more authoritarian countries.
In this draft IP bill, CSPs must keep the existence and details of data retention notices entirely secret (s77.2, p.104). This forced secrecy is not a feature I have seen/can find in the previous EU Data Retention Directive. The data that will be retained includes senders, receivers, time, duration, type, methods, the systems used, location, IP address or other identifiers, and patterns of communication. Security researcher George Danezis points out that the inclusion of ‘pattern’ of communications in the bill is ‘a sign that more complex traffic analysis is on the horizon’. I would posit it is a sign that complex traffic analysis may already be in deployment.
*In April 2014, the European Court of Justice ruled that blanket data retention between 6 -24 months (under the EU Data Retention Directive) was invalid due to its interference with privacy rights. The ECJ’s acknowledgement of this human rights violation motivated the coalition government to stage a theatrical ‘emergency’ a few months later in July 2014, to use emergency powers to force the DRIP (Data Retention and Investigation Powers) bill through parliament and bypass proper scrutiny and debate for continuing data retention.
Sadly, it appears the government is determined to continue disregarding the ECJ’s ruling, as well as the concerns in the Anderson review.
Digital insecurity, everywhere
The draft IP bill asserts that the government can force CSPs, whether in the UK or not, to ‘take all steps for giving effect’ to an intercept warrant (s31, p.71). It does kindly say they needn’t break the law in whichever jurisdiction they are situated. However, failure to reasonably comply with these requests could land an operator with up to two years in jail and/or a fine.
This is so broad, it could mean that sites like Facebook and Twitter could be forced not only to hand over data but to offer UK authorities backdoor access and potentially disseminate malware.
Government backdoors and malware are bad enough, but of course also leave the door open (or ‘window broken’) for other organisations and criminal hackers to exploit security holes too.
The draft bill also has a clause on the ‘maintenance of technical capability’ (s189, p.180). This contains a host of technical obligations that can be demanded of a CSP in order to allow interception, including undermining their own security and ‘removal of electronic protection’ (which would include third-party encryption – see Neil Brown’s IP Bill blog post for more). One ‘maintenance of technical capability’ obligation is ‘to provide facilities or services of a specified description’. The scope for what that means is potentially terrifying: could this lead to providers offering particular communications services with a claim of security, that are subverted into fronts for government interception? Could this also mean that a service provider who would rather dissolve than compromise users’ security/comply with government requests (see the closure of Lavabit) could be forced to continue providing their service and complying with surveillance requests?
Now is not a good time to provide communications services in the UK, and this draconian bill will surely undermine the UK’s digital economy, as well as users’ trust in the internet and online services.
Mass hacking, mass surveillance
The draft bill’s outline for ‘bulk equipment interference’ is disconcertingly vague – the only certainty is that it is terrifying. Bulk equipment interference means mass hacking – this draft bill says it is ‘used increasingly to mitigate the inability to acquire intelligence through conventional bulk interception and to access data from computers which may never otherwise have been obtainable’ (p.20-1).
UK citizens might be reassured that the draft bill promises ‘bulk equipment interference warrants may only be issued where the main purpose of the activity is to acquire intelligence relating to individuals outside the UK’ – but it does also say that people within the UK can be hacked and intercepted for that purpose. It also means the UK government can conduct mass hacking overseas to circumvent protected communications and data (this could perhaps mean to undermine users of Tor, or end-to-end encryption, etc.).
Whilst mass hacking seems to be overseas focused, it sets a very disturbing standard for foreign intelligence agencies to follow. One must also consider the habit of GCHQ and NSA to use information sharing to circumvent restrictions on hacking/intercepting their own citizens.
Mass hacking, whether one is directly targeted or not (or indeed a victim of collateral damage, which is an issue acknowledged in the Code of Practice), involves serious security breaches that can potentially affect many thousands of people. Again, this practice leaves the door open (or ‘window broken’) for other organisations and criminal hackers to exploit security holes.
Unwarranted content analysis
The draft IP bill defines ‘the examination of intercepted material’ (i.e. access to and analysis of content) as ‘material being read, looked at or listened to by the persons to whom it becomes available as a result of the warrant’ (s121, p.138). Note the use of the word ‘persons’ – examination is defined as analysis by a human being. This means the warrants that are supposed to protect access to content only protect access by human beings – computers continue to have unwarranted access to conduct deeply sophisticated analyses of citizens’ communications content.
This definition of ‘examination’ allows warrantless mass surveillance under programs such as Tempora, which sifts and analyses communications content including recordings of phone calls, the content of emails, entries on Facebook and internet browsing history, because this is analysis by machines, not ‘persons’.
One might have some well-justified concerns about how these machines filter, sort and analyse data. Arguably, if the government wishes to conduct such unwarranted analysis of the population’s data, there should be some debate, checks, and restrictions on how that automatic surveillance is conducted. As a society, we might want to consider the risks of filtering data by such fields as race, religion, etc.
Just because you’re paranoid, it doesn’t mean they’re not spying on you
Following a series of revelations about state spying on journalists, politicians, racial equality campaigners, earth-loving vegans and Muslims generally – let alone the fact that the government collects and sifts information on, well, everyone (see Tempora; Optic Nerve; etc.) – it is little wonder that law-abiding citizens feel increasingly at risk of state intrusion. Vast amounts of our communications are being collected – how do we know how/if/when it is being accessed? And how would we know if/how/when/why we became a target for surveillance?
The draft IP Bill extends the principle of non-disclosure around surveillance, now making it an offence for CSPs to disclose the existence of an order to collect information on a user (s66, p.97-8). Neil Brown makes the point that this could contradict ‘right of access’ provisions under the Data Protection Act 1998. It was already an offence for state officials to disclose the existence of a warrant under Section 19 of RIPA. It is a great disappointment that the draft has not observed the advice in the Anderson report, that those incorrectly surveilled should be informed (without, of course, disclosing anything that would be damaging to national security or ongoing operations) and have the right to lodge an application to the Investigatory Powers Tribunal (IPT).
Liberty’s position is that, ‘once an investigation has been completed, or once that person is no longer under any suspicion, he or she should be notified of the relevant surveillance unless there is a specific reason for maintaining secrecy’. This allows individuals to seek recourse if their human right to privacy has wrongly been violated. This would be a valuable safeguard, and would be an important way to hold authorities to account. It is greatly disappointing that the government has sought to further evade accountability for wrongful spying in this draft bill.
Testing, maintaining, or developing equipment
The draft bill outlines that warrants can be issued to collect and/or intercept communications for the ‘testing, maintaining, or developing’ of equipment (s46, p.82) or ‘apparatus, systems, or other capabilities’ (s13, p.57). This seems to allow broad, indiscriminate interception and data access to build test datasets that can be used to improve machine learning. I am confused as to why intelligence agencies are being given this broad remit to collect/use more innocent citizens’ private communications (were suspicion involved, these communications would be intercepted under the appropriate warrant), rather than using the vast troves of data they have already collected. I think this area deserves further clarification.