Unsurprisingly, a motion to Liberal Democrat conference against the Investigatory Powers Bill passed overwhelmingly this weekend. Below is the video and text of my contribution to the debate, which I can share with you as I had written it in advance, albeit only a couple of hours earlier!

The myth spread by the Home Office that the technical industry understands the Bill is always something I am keen to dispel, so that was my main purpose in wanting to speak. The quote from the New York Review of Books is also something that’s stuck in my head since I first read it, and I particularly wanted to give it an airing in the debate. (I have verified the quotes given in the article from other sources.)

All of this is, sadly, against the backdrop of a very showing from both Labour and the SNP who abstained at the second reading of the bill yesterday. A particular shout out is due to Cambridge’s Labour MP Daniel Zeichner, who said he wants to “robustly challenge” the bill… but abstained anyway.

(The text below is what I wrote in advance, it does not entirely match what I actually said. No autocue for most speakers at conference)

I am a member of the Security & Liberty working group, so it should come as no surprise to you that I would urge you to support the motion. Brian Paddick has already made the case for the motion very well. However, there are some points I would like to make in relation to metadata and some of the claims being made by the current government.

A couple of months ago, I was asked to speak as part of a Q&A panel on the Investigatory Powers Bill at the UK Network Operators Forum. This forum, in case the name is not enough of a giveaway, was full of a couple of hundred of the people who really run the Internet. I worked as one of those running the internet myself, for over a decade.

I asked – who here understands what data you are being asked to collect by the Home Office? Now, if you believe what we’re being told by the Tories, every hand in that room should have gone up. Because we’re told that – absolutely – Service Providers really understand the limits of what is being asked of them.

But not one hand went up. Nobody understood the limits of the powers Theresa May is asking for. The bill is so confused, and hands Theresa May such sweeping and unchecked power, that the draft bill includes the now-infamous phrase “Data includes any information which is not data”.

Of course, the Tories claim that it’s only meta-data, or “Internet Connection Records” as they’re now calling it. That can’t be too harmful, can it? Here’s a quote from David Cole in the New York Review of Books, in 2014:

As NSA General Counsel Stewart Baker has said, “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” When I quoted Baker at a recent debate at Johns Hopkins University, my opponent, General Michael Hayden, former director of the NSA and the CIA, called Baker’s comment “absolutely correct,” and raised him one, asserting, “We kill people based on metadata.”

No other democratic country in the world gives such powers to its politicians to monitor and collect Internet browsing history to this extent.

Please vote for the motion.

The draft bill has been published, the generic “I have not read this yet but I must say something” statements have been made by politicians, and now it’s time to read what the bill actually says.

First impressions: It’s not a bill I could come close to supporting without major changes, but it’s an improvement on previous attempts. It’s also long. At 299 pages, very long indeed. The 35 page extended press release at the start, titled a “guide to powers and safeguards” is interesting, but of course doesn’t actually have any legal force. Many of the initial comments about the bill made by politicians seem to have been on the basis of reading this guide, and not the full bill. One comment I would pick up on in the initial section is that the bill is “bringing together existing powers”. Simplification on existing legislation always sounds good, but the Equality Act 2010 was also supposedly a consolidation exercise. Many readers will know my less-than-positive feeling on that particular piece of legislation!

Another highlight of the intro is the assertion that there are “862 suspected paedophiles” that this bill might help catch. You can’t publish a bill like this in the UK without using the “but, but… terrorists and paedophiles!” line. As investigations of both are, of course, shrouded in secrecy this makes scrutiny that much harder.

It’s going to take time for everyone to digest it all and figure out where any remaining problems lie, so discussion will probably take weeks before there is any kind of consensus. I’ve read it properly – highlighter in hand – once through so far and it’s likely I’ve missed bits but here’s what I have noticed so far. (This is not a list of what I would want to see in an Investigatory Powers Bill, as that would include things such as notification to individuals, just a commentary on what is actually present)

Judicial Oversight
Rejoice, for we have judicial oversight of interception warrants!

OK, hold on a second. We have some oversight but you can drive a coach and horses through much of it. Three major problems jump out:

The standard of proof required is that of “Judicial Review”. Quoting from the Courts and Tribunal’s web page: “[A Judicial Review] is not really concerned with the conclusions of that process and whether those were ‘right’, as long as the right procedures have been followed”. Essentially, we’ll have a group of very well paid judges checking that the Home Secretary signed the warrants correctly.

Warrants can be modified after issue to add names to them. In the case of “minor” changes, such as adding new phone numbers, they can be authorised by the police themselves. However, major changes only need a minister to approve the change – a judge does not need to be involved.

Finally, “urgent” warrants do not need reviewing for five working days. Judges are already used to being woken up at unsociable hours so that warrants can be applied for, so five days seems excessive. It still requires ministerial approval, and getting hold of a judge would seem easier and quicker than getting hold of a government minister.

Training warrants
Interception warrants can be issued for “testing, maintenance or development” of interception systems and “training of persons” who carry out interception, without any need that data collected should be destroyed without being examined. I do wonder how many people might find themselves “accidentally” intercepting the communications of people they know, or doing it to someone “who won’t possibly mind, because they have nothing to hide”.

Wilson Doctrine & Journalistic Sources
Looking on the positive side, the additional protections given to members of parliament would be put into law for the first time by this bill and explicitly cover members of many other legislative bodies. However, these protections are watered down significantly from the original doctrine – rather than a blanket ban on interception of MPs’ communications, any warrant would require that the Prime Minister be consulted.

Journalists fare little better – judicial authorisation is required to get access to data on journalistic sources even in situations where a judge would otherwise not need to be involved. Other professions (Doctors, Lawyers and Ministers of Religion) get “extra consideration” in the Codes of Practice, but no extra safeguards against interception in the main bill. It’s clear that the intent is to make any exceptions to surveillance as limited as possible.

Communications Data Retention
A very important point for many people will be exactly who is required to keep bulk data – ie lists of web sites etc, visited by users. There’s a cost associated with collection that the Home Office may pay for, although they seem to be pushing the cost on to service providers with the latest bill. Luckily, only providers who have been notified by the Home Office that they need to collect data are covered and nothing prevents an operator stating that they have received or not received a retention notice. This allows privacy-conscious ISPs to be able to state publicly that they are not performing bulk retention of data. As Keith points out in the comments, section 77 does prohibit revealing the existence of a retention notice.

There is a large section on “filtering” in the bill that deserves some explanation. Although data would be stored by ISPs, the Home Office would like to create a system (An API) so that they can remotely query and filter data on the ISPs’ systems without necessarily needing to talk to someone at the ISP. This removes a safeguard against wide-scale bulk data access without proper authorisation, and potentially allows someone to go on fishing expeditions that are marginally relevant to a warrant that’s been issued, such as allowing queries like “tell me everyone across multiple ISPs who have accessed terrorist-hub.com”.

Security of collected bulk data
The headline issue has been retention of data for 12 months by ISPs, which is longer than many other countries. But how securely is the data kept? The bill answers that in a surprisingly poorly written clause: “subject to at least the same security and protection, as the data on any system from which it is derived”. The draft bill will no doubt have had the attention of many security experts within the Home Office, so it’s surprising that they did not pick up on the obvious point: Hacking a router gives you relatively little ability to capture much data without someone noticing but hacking a pre-existing bulk data archive gives you much more data and is thus a bigger target. As a result of this, the security of retained data needs to be significantly higher than that of other systems and I am surprised not to see reference to some soon-to-be published technical guidance on the measures required.

There is also no prohibition on the use of data collected by service providers for commercial purposes, such as being sold on to marketing companies or used for targeted advertising. (If it’s allowed for in the ISP’s terms and conditions, it’s not unlawful disclosure!) There are major privacy issues here that we’ve seen already on a smaller scale, where people access help sites for domestic violence or LGBT+ issues and then other members of their household receive targeted advertising as a result. Service providers can do this already to an extent, but it costs money to do. If they’re going to have to do it anyway (Either paying for it themselves or being paid to do it) then they might as well make some money from it.

Finally, and most critically, there is no prohibition on a court ordering the disclosure of collected data to groups like copyright holders. It would become very easy for someone to apply to the courts for a list of everyone who has accessed Pirate Bay, Popcorn Time etc and send them not-so-nice legal letters.

Equipment Interference
…or “hacking into other people’s computers” as most people call it – although the bill would force service providers to cooperate in hacking attempts. Although more analysis of the bill is needed this is one area where the Bill looks like an improvement on the existing situation, as hacking is currently going on without proper scrutiny. The most obvious omission is the lack of any consideration for the side effects of hacking should they cause problems, by taking down critical computer systems or installing back doors into systems that are then abused by others.

There has been a history of quid pro quo arrangements between security services where countries spy on each other’s citizens because the law doesn’t allow them to spy on their own citizens. Although the act prohibits formal arrangements of this type, it does not (that I can see) stop someone using information that they have been given that would otherwise have required an interception warrant. The act also allows the Home Secretary to sign agreements with other countries to honour each other’s warrants, but there is little to suggest that warrants from other countries would require the same level of authorisation and oversight as locally issued ones.

I will probably notice more on later re-reads of the draft bill, and I will post again if I find anything substantial.

The police’s handling of Oliver Drage is already a disaster in wider practical terms and can only get worse.

It has been all over the internet for the last couple of days so I’m sure most people reading this have already seen the story, but to summarise, a teenager has been jailed for 16 weeks because he refused to hand over his passwords. He’s accused – and we have no idea what evidence the police have – of some sort of “child pornography” offence. The act under which he’s been charged, Regulation Of Investigatory Powers Act 2000, is one that really matters to me as it was my first engagement with national politics.

The handwritten reply I received when I wrote to my MP at the time to object to much of the act, whilst a nice touch, probably just indicates the level of technical sophistication of MPs voting on the bill back at the start of last decade. Jack Straw spoke of it in parliament at the time as a “significant step forward for the protection of human rights in this country”. I agree with every word of that, except “forward”.

Back to the case in point. Even if one believes Oliver Drage is probably guilty of the crime he’s accused of, we do have a principle in this country of innocent until proven guilty. The Americans go one step further with their 5th Amendment that you shouldn’t be expected to incriminate yourself, but that’s something that we seem to have dropped ourselves as a nation.

Let’s use an obvious analogy of a high-quality safe. The government is sufficiently concerned about the advanced state of the Acme-brand safe-making industry that it passes legislation forcing people to reveal to the police the code to their safe, should they be asked.

The police suspect someone of being a rather unpleasant individual who they think they can send down for several years. As a result, they decide they need a copy of whatever is in the safe they quite likely possess, so they do the usual police trick of kicking down the door at 3am.

They find and take an Acme-brand safe and lock up the allegedly unpleasant individual. But the individual knows full well what is in the safe. It might be the documents the police think he has, which could see him sent down for many years, alongside his co-conspirators. Or it might be something entirely unrelated, such as the photos of himself with the Chief Superintendent’s partner or even just some pornography (No, not the kind involving children) that he’s worried the police won’t look too kindly on. Wisely, he decides to keep his mouth shut and ends up in the local nick for a mere few weeks.

Worse, perhaps he really has nothing to hide and doesn’t use the safe, so he’s forgotten the code. This doesn’t bother him as he can reset it if he ever needs to use the safe, but an Acme-brand safe will destroy the contents so the police are not too happy with this answer and lock him up for a bit to teach him a lesson.

The story gets out and sales of Acme-brand safes rocket amongst anyone who thinks they have something to hide as the police have effectively just branded them unbreakable. From now on, every time the police kick down a door they find an Acme-brand safe inside.

Except sales don’t need to rocket as many people own one of those Acme-brand safes right now. The laptop I’m typing this on right now is encrypted. All the laptops we build for customers where I work are encrypted. When I’m performing my other job which involves putting on a uniform, all the laptops I build are encrypted. If you’re reading this on a computer running “Windows 7 Ultimate”, then you can turn on encryption in just a few clicks.

But you’d better not try turning on encryption if you don’t need it, because if you forget the code then the police will think you’re guilty until proven innocent. There’s something fundamentally illiberal about that.

The trouble is, the fix to the initial problem probably wasn’t legislation and it certainly wasn’t this legislation: You can’t kick in a digital door and the moment you kick down someone’s physical door, you’ve quite possibly lost. Technology is still developing as well and self-destructing devices are now commercially available. Unfortunately, my run-ins with some of the ideas to come out of the Home Office suggest it’s the police they’ve been asking about what they should do, not the more technically-minded.

Ask a geek rather than a policeman how to get at someone’s information and you’ll get solutions more like the film Sneakers rather than your average episode of “Police, Camera, Action”. Little USB key loggers which attach to the back of the machine are not new technology and can be had for a few tens of pounds. Journalists and TV programs like “That’s Life” have been installing hidden cameras for years. Get your evidence, then kick in the door.

Spying on people isn’t very liberal, but it’s more liberal than locking people up with no evidence.

Update: I’ve just run across this article from the local paper which says:

Oliver Drage, 19, told the jury at Preston Crown Court he had “forgotten” the password, when officers investigating another offence asked him to surrender it. …
Drage’s computer was seized in May last year. But by December police still did not have access to it.

Can you remember a password to a computer you haven’t used for seven months? More worrying is the judge – and I hope she’s been quoted out of context – seems to have a presumption of guilt:

Judge Heather Lloyd said: “This was a deliberate flouting of a court order compounded by your continual denial of guilt.”