One of the most long-lasting effects of Edward Snowden’s revelations in 2013 was that they presented strong evidence that national security agencies in the US and the UK were involved in serious indiscriminate mass surveillance programmes. Furthermore, one of the most revealing aspects was the fact that some of these powers lacked adequate oversight. It became clear that the law needed to be changed in order to address clear concerns from the public about the amount of powers the government has. Some feared that this would be an exercise akin to a burglar that has been caught in the act, and tries to change the law to make their intrusion legal.
The UK government appointed David Anderson QC to conduct a review of the investigatory powers legislation. This produced a comprehensive and balanced report that called for an overhaul in legislation to regain trust, but it also criticised some of the potential responses that would hinder normal use of the Internet.
The result of the consultation is a comprehensive and mammoth draft Investigatory Powers Bill. The government has stated that the Bill will have 3 main objectives:
- First, it will bring together all of the powers already available to law enforcement and the security and intelligence agencies to obtain communications and data about communications. It will make these powers – and the safeguards that apply to them – clear and understandable.
- Second, the draft Bill will radically overhaul the way these powers are authorised and overseen. It will introduce a ‘double-lock’ for interception warrants, so that, following Secretary of State authorisation, these – and other warrants – cannot come into force until they have been approved by a judge. And it will create a powerful new Investigatory Powers Commissioner (IPC) to oversee how these powers are used.
- Third, it will make sure powers are fit for the digital age. The draft Bill will make provision for the retention of internet connection records (ICRs) in order for law enforcement to identify the communications service to which a device has connected. This will restore capabilities that have been lost as a result of changes in the way people communicate.
There will be time for more detailed analysis of all of the provisions, and we are putting together a team of activists and academics that will go through the almost 300 pages in fine detail. Here I will post a few thoughts on some provisions that worry me, and a few things that the Bill does well. However, I would like to point out that this Bill is a prime example of what I call obscurity through transparency. It is so long and so detailed that the public will simply not go through it, and it will be very difficult for those who do to explain what is going on, and why some of the proposals are problematic.
The one thing that is welcome is that we have a detailed document that is trying to overhaul the legal system of surveillance for the digital age. The creation of judicial oversight of surveillance is always welcome. The Bill also creates an Investigatory Powers Tribunal (IPT), tasked with giving the public the possibility of redress if they feel that their rights have been violated. There will also be an Investigatory Powers Commissioner (IPC) undertaking authorisation and oversight functions. The Bill makes illegal interception a criminal offence, but with several caveats designed to allow intelligence services access to communications.
The first concern is that, while the Bill has been sold as nothing like the maligned Snooper’s Charter, it contains sections that are entirely taken from that failed attempt, e.g. s51 on “Filtering arrangements for obtaining data”, you know, snooping. In fact, the Bill maintains some figures that already existed in other legislation, such as RIPA.
The second issue of concern for me is that the Bill contains the figure of lawful interception of communications, which can only be carried out through the issuing of a warrant. While in principle this is a good thing, I found that the wording of this section is not specific enough, and the Secretary of State is given too many broad powers to issue warrants. For example, s14 (3) specifies the situations in which the Secretary of State may issue a warrant:
(3) […] (a) in the interests of national security,
(b) for the purpose of preventing or detecting serious crime,
(c) in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security (but see subsection (4)), or
(d) for the purpose of giving effect to the provisions of an EU mutual assistance instrument or an international mutual assistance agreement […]
(4) A warrant may be considered necessary on the ground falling within subsection (3)(c) only if the information which it is considered necessary to obtain is information relating to the acts or intentions of persons outside the British Islands.
I found these extremely broad, and (c) is particularly worrying. This provision, coupled with s(4), would seem to be equating economic espionage with national security, but only when performed against actors outside of the UK. In a Bill that is replete with national security exceptions, this would appear to offer a blank cheque to conduct economic surveillance against potentially hostile entities. Needless to say, this provision would foster a symbiotic relation between economic interests and security services, and I am worried that it would encourage private enterprises to spy on behalf of the government in exchange for economic data on their competitors.
One of the most chilling sections of the Bill for me was the figure of the equipment interference warrant. S81 (2) says that:
“A targeted equipment interference warrant is a warrant that authorises the person to whom it is addressed to secure interference with any equipment for the purpose of facilitating the obtaining of one or more of the following—
(a) communications (see section 105);
(b) private information (see section 105);
(c) equipment data (see section 82).”
In other words, the law will allow hacking of equipment. In a world where data security has become a daily concern, I find it problematic that the law will allow hacking of practically any subject for any activity deemed suspicious. The wording in this section is too broad once more.
Part 6 on Bulk Warrants also seems problematic (a modified figure from RIPA). While the language in the provisions relating to individual and group warrants appears to be extremely broad, I am still hoping that the final draft of the bill will be more specific. One issue is that the Bill allows for the collection of communications in bulk, which is already taking place as per RIPA and Snowden, and it is a power that is used to collect large amounts of Internet data, often on behalf of the NSA. This section sanctions the existing regime and expands on it. Furthermore, this section pretty much confirms that the UK had been collecting bulk phone data for the last decade.
It must be welcomed that the proposed bulk collection system does contain checks and balances, but the more one looks at the detail, the more it seems like these powers are still not strict enough. For example, s106 (7) describes the data that will be subject to a bulk warrant as “any data as is obtained while the communication is being transmitted, or at any time when the communication is stored in or by the system (whether before or after its transmission)”. This covers pretty much any sort of communication and hosting of communication; I am worried by the lack of detail. I am also concerned that the Secretary of State is once more given powers to issue bulk warrants “in the interests of the economic well-being of the United Kingdom” in s107 (2)(b).
The Bill contains a number of safeguards, including some of the ones already mentioned such as the creation of the IPT and the IPC. While some of the safeguards are detailed, there are several where the objective seems to be mostly to assure collaborating individuals and organisations immunity if the interference is detected (e.g. s145).
These are just some of the first things I noticed from a general reading of the Bill, and it will take the next few days to fully digest the entire contents of the document (did I mention that it’s about 300 pages long?). Here are links to interesting first reactions from privacy experts (I just dabble in this stuff):