Last Thursday I attended Scrambling for Safety, a conference about the upcoming UK surveillance law the Investigatory Powers Bill (IPB). The event drew participants from parliament, the media, NGOs and even the security services, including David Omand, the former head of GCHQ. Here’s my take on what was discussed.
Context: Following the Snowden revelations, several reviews were instigated into surveillance laws and capabilities in the UK. The findings? Current UK laws on surveillance were outdated, unclear, and, in the words of the Independent Reviewer of Terrorism Legislation, David Anderson, ‘undemocratic and intolerable’. The last major UK bill on the matter (RIPA) was passed back in 2000, before Facebook and Twitter existed. Everyone agrees it’s time for new legislation. Enter the Investigatory Powers Bill.
Unusually for a western nation, UK intercept warrants are signed by politicians rather than judges. There has been a lot of pressure on the government to change this but the IPB proposes a compromise via a so-called ‘double-lock’ mechanism. Ministers will still sign warrants, but they will be subject to judicial review. The key controversy here is what form that review will take. Will it merely check that the correct procedure was followed, or will it evaluate the proportionality and legality of each warrant?
Bulk personal data sets
These include mass data held by companies and public organisations which are not classified as ‘communications data’. E.g. Google calendar data for everyone in the country, Oyster card records for every journey made in London, or medical data on (hundreds of) millions of people. The IPB proposes that GCHQ can demand companies and public bodies provide such info. They cannot refuse. How these data sets are analysed and used is unclear.
This includes programs revealed by Snowden such as Tempora which copies virtually all internet traffic going in and out of the UK directly from the fibre-optic internet cables. The bill aims to legalise these programs. The key contention here is whether storing data is itself a threat to privacy and security. The security services and government say that they will store everything but only look at data for which they have a warrant. They’re effectively putting surveillance cameras in every room of your house but promising ‘we won’t look at the footage, trust us’.
Judicial privilege and confidential sources
Both of which relate to bulk collection. Judicial privilege is the idea that clients and their legal advisors should be able to communicate in confidence. This is a critical part of a well-functioning justice system. How can we reconcile this with programs that store client-attorney communications such as those legitimised by the IPB? Once again the argument is made that as long as the emails, calls, and messages are only stored and not read, legal privilege is preserved. Will a torture victim taking a sensitive human rights case against the government feel the same? That it’s ok for the government to hold a copy of private emails they’ve sent to their legal team? I’m not so sure.
The same principles apply to journalists and their sources.
The question that won’t go away. In particular: Can you setup and run a communications company offering secure, end-to-end encryption in the UK? i.e. a service where you cannot read or access the content of the communications, and where the law cannot compel you to modify your software/hardware to do so. Home Secretary Theresa May has been especially slippery on this issue, and exceptionally careful in her use of language. She doesn’t seem to have answered this exact question and will need to do so before the bill.
Most communication and software services are international and cross multiple jurisdictions. What happens if a company is required to give up data by UK law, but forbidden by the jurisdiction where the data is held? The IPB makes extra-territorial requests of companies but offers no concessions to solve this issue. Facebook and others are worried. Markets may be global but, according to the government, human rights aren’t.
Aka ‘hacking’. In particular, hacking of innocent people’s machines, and of critical infrastructure. With interconnected devices, it can be hard to evaluate all associated risks, and with the ‘internet of things’ this will only become more difficult in the future. This also highlights the unusual duality of GCHQ, parts of which are protecting our companies from cyber attacks, whilst other departments are attacking those same companies and leaving them open to attacks from others.
Laws take a long time to change, technology doesn’t. In an effort to keep apace with technological changes we have seen security services act, and ask for permission later. How can we reconcile this with the needs of democratic accountability and transparency? Is there a better way than having the law simply catch up with GCHQ’s capabilities every decade? Perhaps, but government isn’t offering one.
No one understands the bill
Perhaps the biggest problem of all. The draft bill is a hugely complex 300 page long, inscrutable behemoth. It’s clear that virtually no one understands the full contents or implications. Especially not MPs. Keir Starmer (who speaks for Labour on the issue) spoke at the conference but despite vague references to ‘protecting privacy while giving the security services the powers they need’, didn’t display a firm grasp of the bill. Given that NGOs, multinationals, and dedicated journalists are struggling to understand the proposals, it’s not surprising that busy MPs don’t, but it’s worrying nonetheless.
Attending Scrambling for Safety, it’s clear that the gap between the government and human rights campaigners on this issue has not narrowed. The government’s response to the Snowden leaks has simply been to try and place everything revealed into statute. The IPB doesn’t have to be a bad thing. Increased transparency and oversight are long overdue. Unfortunately the draft bill will, for the first time, explicitly place mass surveillance into law in the UK.
The good news is that there’s still time to stop that happening.« Back to blog