The Draft Investigatory Powers Bill was published last November amid much speculation about its implications for privacy. Following a period of consultation, review, and much further work, the Bill itself is now going through the UK Parliament.
In a previous article I concluded that although there were areas of concern the Draft Bill wasn't half as bad as many of the prophets of doom had predicted. After all, spooky stuff is what we expect our spooks to do, and now, at least, their spookier activities were being brought much more into the open, and what's more were being placed under judicial review.
The Bill now before Parliament isn't easy to get to grips with. Together with Explanatory Notes, a Briefing Paper, two Operational Cases, three Committee Reports, six Codes of Practice, 15 Factsheets, a Government Response to Pre-legislative Scrutiny, and several other Overarching Documents, you have (if I can count and haven't missed anything) some 1360 pages to digest to get the whole picture!
I'll be the first to admit that I may not have the whole picture. I'd probably die of boredom first.
One thing that's clear is that the security and intelligence services themselves are very strongly behind the increase in accountability and transparency. The best defence against a British Edward Snowden is to have nothing to hide, except what you have to hide for operational reasons.
Yet it wasn't the spookier things like equipment interference and interception of communications that seemed to bother people most in the Draft Bill. Retention of Internet Connection Records (ICRs) was something everyone could relate to; someone could be watching your browsing habits.
But it became clear that what was to be collected was only the domain names (e.g. www.example.com), not the full URL (www.example.com/interesting_stuff), nor any search terms in an internet search. In many cases this would considerably reduce the sensitivity of the data collected, though not in others, such as in the case of websites dedicated to particular health issues.
As a result, it seemed to be more than enough to cause alarm but too little, as far as I could see, to be of any real investigative value.
However, the Operational Cases now published are very enlightening. In particular, the one for Retention of Interconnection Records makes a good case for why the proposed collection of metadata would be valuable.
When I use my home broadband I have a unique IP address, shared only with any other members of my household. It may be different tomorrow, but for now it is unique.
The situation is quite different when using mobile data - my mobile data provider may be funnelling the traffic from thousands of users through a single IP address, giving each an individual "port number". In tracing the contacts of a known suspect, only if the port number or the service accessed by each user is recorded can an individual subscriber be identified.
It's clear from all the examples given in the Operational Case that the ICRs themselves are never the focus of interest or the starting point of an investigation but are only needed in order to trace back to the originator of a connection already identified by other means.
There is one thing, though, that the Operational Cases fail to demonstrate, and that's why ICRs need to be retained for as long as a year. In the fast moving worlds of terrorism and internet crime it's hard to imagine that such data would be of much use beyond 6 months. Reducing the retention period accordingly would defuse some of the opposition, as well as the quantity of data at risk in the case of a breach.
The Operational Case for Bulk Powers describes the spookier activities, and although it necessarily goes into much less detail so as not to reveal methods and capabilities, it gives an unprecedented insight into the sort of things the security and intelligence agencies do.
In reviewing the Draft Bill, one of my main concerns was that it contained no clear definition of a Communications Service Provider, now simply referred to as a telecommunications provider. Was it simply those carriers licenced as Telecommunications Providers under the Telecommunications Act 1984? Or was it intended to include providers of higher level facilities such as email, messaging, chat, and even discussion forums? I had hoped the former, as the latter complicates things considerably, but it seems I hoped in vain.
It is at this higher level that encryption is generally applied. An Encryption Factsheet states plainly that the Government regards encryption as essential in protecting personal data, intellectual property and e-commerce.
Yet neither the Bill itself nor the Codes of Practice nor anything else I've found states unequivocally that a CSP will not be required to defeat or deactivate end-to-end encryption, where this is applied.
In fact there seems to be a strange reluctance even to use the word "encryption". Perhaps the intent is to make the Bill technology-agnostic.
But if this is so, the use of the alternative term "electronic protection" fails to achieve the desired end. Encryption is maths, which I wouldn't mind betting will still be around when electronics is history and instead we're all using quantum computers or petri dishes full of cultured neurons.
The picture is nicely confused by a Home Office witness to the Science and Technology Committee who stated:
"What has to be removed is the electronic protection that the service-provider itself has put on the message. It is not removing encryption; it is removing electronic protection."
I'm still trying to get my head around that!
In fact, the Bill does make it quite clear that a CSP can only be required to remove encryption that it has itself applied, or has been applied on its behalf. But if the software on my device encrypts my data, is it working on my behalf or on behalf of the software vendor and service provider? Both interpretations are defensible.
Encouragingly, the same Home Office witness did state that the requirement to provide data in the clear was not intended to apply where the data is encrypted end-to-end.
However, as recognised by all three Committee reports, it's absolutely vital that this is made explicit in the Bill itself or in the Codes of Practice, as otherwise it could all too easily be interpreted differently by a future government or judicial commissioner. Any doubt could seriously weaken the UK's position as a leader in IT.
The importance of clarity in this area can hardly be overstated. The Bill requires that before issuing a Technical Capability Notice for the provision of an intercept capability, the Secretary of State must take into account the benefits, technical feasibility, costs and other effects of the Notice.
But it is disagreement on precisely these points that separates Apple and the FBI in their current dispute! The last thing we should be doing is setting ourselves up for a similar dispute on this side of the pond.
I've concentrated in this article on a very few points in the Bill, and others will doubtless find many more to ponder. Cardinal Richelieu is quoted as saying:
"Give me six lines in the hand of the most honest of men, and I'll find enough to hang him"
On that basis the Bill and associated documents probably contain enough to hang 10,000.
The Bill is subject to worryingly short timescales dictated by a sunset clause in the Data Retention and Investigatory Powers Act 2014 (DRIPA), limiting debate in Parliament. Rushed laws tend to be bad laws and some sort of post-legislative review, perhaps after five years, was suggested by several witnesses to the Committees.
Regrettably, it seems the Home Secretary was against this, arguing that a period of stability was required. Stability is no doubt what King Canute would have liked, but unfortunately the tide was against him.
Intelligence gathering in a free society is hard. It's meant to be hard, and getting it right is even harder and takes time. The only place it's easy is in a police state, but there it only tells you what you'd already decided you wanted to hear.
Do you agree with Philip Le Riche's assessment of the bill? Leave a comment below sharing your opinion.