First thoughts on the Draft Investigatory Powers Bill

The draft bill has been published, the generic “I have not read this yet but I must say something” statements have been made by politicians, and now it’s time to read what the bill actually says.

First impressions: It’s not a bill I could come close to supporting without major changes, but it’s an improvement on previous attempts. It’s also long. At 299 pages, very long indeed. The 35 page extended press release at the start, titled a “guide to powers and safeguards” is interesting, but of course doesn’t actually have any legal force. Many of the initial comments about the bill made by politicians seem to have been on the basis of reading this guide, and not the full bill. One comment I would pick up on in the initial section is that the bill is “bringing together existing powers”. Simplification on existing legislation always sounds good, but the Equality Act 2010 was also supposedly a consolidation exercise. Many readers will know my less-than-positive feeling on that particular piece of legislation!

Another highlight of the intro is the assertion that there are “862 suspected paedophiles” that this bill might help catch. You can’t publish a bill like this in the UK without using the “but, but… terrorists and paedophiles!” line. As investigations of both are, of course, shrouded in secrecy this makes scrutiny that much harder.

It’s going to take time for everyone to digest it all and figure out where any remaining problems lie, so discussion will probably take weeks before there is any kind of consensus. I’ve read it properly – highlighter in hand – once through so far and it’s likely I’ve missed bits but here’s what I have noticed so far. (This is not a list of what I would want to see in an Investigatory Powers Bill, as that would include things such as notification to individuals, just a commentary on what is actually present)

Judicial Oversight
Rejoice, for we have judicial oversight of interception warrants!

OK, hold on a second. We have some oversight but you can drive a coach and horses through much of it. Three major problems jump out:

The standard of proof required is that of “Judicial Review”. Quoting from the Courts and Tribunal’s web page: “[A Judicial Review] is not really concerned with the conclusions of that process and whether those were ‘right’, as long as the right procedures have been followed“. Essentially, we’ll have a group of very well paid judges checking that the Home Secretary signed the warrants correctly.

Warrants can be modified after issue to add names to them. In the case of “minor” changes, such as adding new phone numbers, they can be authorised by the police themselves. However, major changes only need a minister to approve the change – a judge does not need to be involved.

Finally, “urgent” warrants do not need reviewing for five working days. Judges are already used to being woken up at unsociable hours so that warrants can be applied for, so five days seems excessive. It still requires ministerial approval, and getting hold of a judge would seem easier and quicker than getting hold of a government minister.

Training warrants
Interception warrants can be issued for “testing, maintenance or development” of interception systems and “training of persons” who carry out interception, without any need that data collected should be destroyed without being examined. I do wonder how many people might find themselves “accidentally” intercepting the communications of people they know, or doing it to someone “who won’t possibly mind, because they have nothing to hide”.

Wilson Doctrine & Journalistic Sources
Looking on the positive side, the additional protections given to members of parliament would be put into law for the first time by this bill and explicitly cover members of other many other legislative bodies. However, these protections are watered down significantly from the original doctrine – rather than a blanket ban on interception of MPs communications, any warrant would require that the Prime Minister be consulted.

Journalists fare little better – judicial authorisation is required to get access to data on journalistic sources even in situations where a judge would otherwise not need to be involved. Other professions (Doctors, Lawyers and Ministers of Religion) get “extra consideration” in the Codes of Practice, but no extra safeguards against interception in the main bill. It’s clear that the intent is to make any exceptions to surveillance as limited as possible.

Communications Data Retention
A very important point for many people will be exactly who is required to keep bulk data – ie lists of web sites etc, visited by users. There’s a cost associated with collection that the Home Office may pay for, although they seem to be pushing the cost on to service providers with the latest bill. Luckily, only providers who have been notified by the Home Office that they need to collect data are covered and nothing prevents an operator stating that they have received or not received a retention notice. This allows privacy-conscious ISPs to be able to state publicly that they are not performing bulk retention of data. As Keith points out in the comments, section 77 does prohibit revealing the existence of a retention notice.

Filtering
There is a large section on “filtering” in the bill that deserves some explanation. Although data would be stored by ISPs, the Home Office would like to create a system (An API) so that they can remotely query and filter data on the ISPs systems without necessarily needing to talk to someone at the ISP. This removes a safeguard against wide-scale bulk data access without proper authorisation, and potentially allows someone to go on fishing expeditions that are marginally relevant to a warrant that’s been issues such as allowing queries like “tell me everyone across multiple ISPs who have accessed terrorist-hub.com”.

Security of collected bulk data
The headline issue has been retention of data for 12 months by ISPs, which is longer than many other countries. But how securely is the data kept? The bill answers that in a surprisingly poorly written clause: “subject to at least the same security and protection, as the data on any system from which it is derived“. The draft bill will no doubt have had the attention of many security experts within the Home Office, so it’s surprising that they did not pick up on the obvious point: Hacking a router gives you relatively little ability to capture much data without someone noticing but hacking a pre-existing bulk data archive gives you much more data and is thus a bigger target. As a result of this, the security of retained data needs to be significantly higher than that of other systems and I am surprised not to see reference to some soon-to-be published technical guidance on the measures required.

There is also no prohibition on the use of data collected by service providers for commercial purposes, such as being sold on to marketing companies or used for targeted advertising. (If it’s allowed for in the ISP’s terms and conditions, it’s not unlawful disclosure!) There are major privacy issues here that we’ve seen already on a smaller scale, where people access help sites for domestic violence or LGBT+ issues and then other members of their household receiving targeted advertising as a result. Service providers can do this already to an extent, but it costs money to do. If they’re going to have to do it anyway (Either paying for it themselves or being paid to do it) then they might as well make some money from it.

Finally, and most critically, there is no prohibition on a court ordering the disclosure of collected data to groups like copyright holders. It would become very easy for someone to apply to the courts for a list of everyone who has accessed Pirate Bay, Popcorn Time etc and send them not-so-nice legal letters.

Equipment Interference
…or “hacking into other people’s computers” as most people call it – although the bill would force service providers to cooperate in hacking attempts. Although more analysis of the bill is needed this is one area where the Bill looks like an improvement on the existing situation, as hacking is currently going on without proper scrutiny. The most obvious omission is the lack of any consideration for the side effects of hacking should they cause problems, by taking down critical computer systems or installing back doors into systems that are then abused by others.

Overseas
There has been a history of quid pro quo arrangements between security services where countries spy on each other’s citizens because the law doesn’t allow them to spy on their own citizens. Although the act prohibits formal arrangements of this type, it does not (that I can see) stop someone using information that they have been given that would otherwise have required an interception warrant. The act also allows the Home Secretary to sign agreements with other countries to honour each other’s warrants, but there is little to suggest that warrants from other countries would require the same level of authorisation and oversight as locally issued ones.

I will probably notice more on later re-reads of the draft bill, and I will post again if I find anything substantial.

3 comments

  1. You say “nothing prevents an operator stating that they have received or not received a retention notice” – are you sure about this?

    Section 77(2): “A telecommunications operator, or any person employed for the purposes of the business of a telecommunications operator, must not disclose the existence and contents of a retention notice to any other person”

Leave a Reply