This week a draft ‘Investigatory Powers Bill’ was released by Home Secretary Theresa May and is receiving a great deal of media intention, instead being dubbed the UK ‘Surveillance Bill’.
What’s it for?
The bill is introduced as being for consolidation of all the laws governing communications data, in order to make it more straightforward to interpret. Many are calling this the latest incarnation of the 2012 Communications Bill, which was dubbed the ‘snoopers bill’ and blocked by the Liberal Democrats during the coalition government era. Considering the current climate, post-Snowden and with many high profile data breaches having taken place, plus Obama’s own measures such as the controversial CISA bill, it’s no surprise that this has come now. The main media spin which is being put on it relates to the intention to store ‘internet connection records’, with both the Home Secretary and David Cameron himself quoted as saying there should be no ‘safe haven for criminals’.
Also highlighted in the accompanying documentation are that the bill will introduce ‘world-leading oversight arrangements’ and strengthen authorisation procedures with a ‘double lock’ process and the introduction of an Investigatory Powers Commissioner. It’s not made clear what these oversight arrangements are, but we would imagine this refers to their intention to store internet connection records. While lacking in any real technical depth, the bill is also touted as being to ensure that measures are fit for the ‘digital age’.
The measures themselves are broken down into four main areas; interception, communications data, equipment interference and bulk powers.
Currently, warrants are sought for interception of communications by a total of nine statutory agencies. In the new draft bill the task remains the responsibility of these nine agencies and as per current guidelines is allowed only for the purposes of preventing and detecting serious crime; in the interests of national security or in the interests of the economic well-being of the United Kingdom (where it is connected to national security).
While no changes seem to have been made here as to what can be intercepted, the control measures have been strengthened. All interceptions must now be signed off by the secretary of state and a judicial commissioners. In some cases the new Investigatory Powers Commissioner must also oversee the process. Interception is one act which is recognised as an offence if done unlawfully, with the bill stating a maximum penalty of 50,000 sterling.
This portion of the bill is the one which is raising the most concern among freedom of speech groups such as Liberty. The biggest change that the bill would introduce is to allow storage of ‘internet connection records’, which could be interpreted to mean your browsing history, though Theresa May has insisted this will only consist of basic information such as the domain, not individual pages browsed.
The bills accompanying document states this would be for the purpose of finding out which communication service a person had connected to. The bill would require all communication service providers to store this data for a maximum of 12 months.
Unlike the measures for approving acts of interception, approval to access these records goes through just a ‘Single Point of Contact’ and a ‘Designated Person’, of which no further clarification is given. Use of these powers will apparently be audited by the Investigatory Powers Commission but no high-level approval procedure is mentioned.
In addition to interception, a section of the bill is devoted to addressing the issue of interference with ‘equipment’. This section basically covers hacking computers, copying the content of someone’s smartphone and any other way of obtaining data from a privately owned device. This power is stated as being given to intelligence agencies, the military and law enforcement agencies for the purposes of ‘national security’ and ‘serious crime investigations’. A justification given for this is that encryption prevents them from being able to get hold of this data by any other means.
The issue some critics might find with this is in the definition of ‘national security’ and ‘serious crime’; without strict definitions of what constitutes these, they could be applied to a wide variety of investigations. One saving grace in this revision is that these actions must now be authorised by a judicial commissioner. However, we are still looking at a reality where law enforcement and intelligence agencies would be able to download all our personal data, without presenting a warrant or any notification. In collecting feedback on the draft bill, this section might well be the one which raises the most objections.
Finally, the bill deals with what is referred to as ‘bulk powers’, which covers scenarios in which large quantities of data would be obtained. The accompanying document states this would apply to all methods mentioned in the report, only where bulk quantities of data are necessary to monitor ‘known’ or ‘emerging’ threats and trends. Much reference is made to people overseas, so it’s clear this is intended to cover anti-terrorism operations. In the new bill, it’s said explicitly that these warrants will only be available to security and intelligence agencies and strictly for the purposes of ‘national security’, concerning persons and entities outside of the UK. All such warrants will have to be issued by the Secretary of State and reviewed by a Judicial Commissioner.
What about national security?
There are additional measures given for data belonging to those in ‘sensitive professions’ such as members of parliament, doctors, lawyers and journalists. However, these don’t seem to go beyond telling the ‘designated person’ that they must think harder about whether the intrusion will be detrimental and if it’s truly in the public interest. Any such acts which will reveal the identity of a journalistic source must also be given approval by a Judicial Commissioner. A ‘code of practice’ guiding intelligence and law enforcement staff on how to handle cases involving these ‘sensitive professions’ is also referred to frequently but these are not yet presented in the draft bill.
In the case of MPs, authorisation must come not only from the Secretary of State and a judicial commissioner, but also the Prime Minister. So, members of parliament have the highest level of protection. Although clearly necessary, this might also raise a few eyebrows. Surely there are other professions requiring similar high-level protection?
The majority of the bill clarifies existing procedures and puts in black and white how these must be carried out and by whom they must be authorised. The main new measures introduced are the storing of internet connection records, the explicit permission for authorised law enforcement and intelligence agencies to hack personal electronics and to obtain large data sets. Much criticism is already coming from civil liberties groups and even from the UN privacy chief who was quoted as saying ‘UK surveillance is worse than 1984’. Publications such as New Scientist are also passing damning commentary about the storing of internet connection records, pointing out that considering recent data breaches, the British public are unlikely to find service providers a trustworthy keeper of their personal browsing data. They also point out that anyone who truly wishes to carry out private communications will identify the services which the government is able to access and use others, or even devise their own. Encryption provides privacy and despite what the UK and US governments might wish, they cannot outlaw encryption.
The full bill can be found here and the government is inviting feedback by email to email@example.com.
Get the latest content on web security
in your inbox each week.