A new surveillance bill proposed by the UK government has been scrutinised and, in many ways, criticised by a joint committee in its long-awaited report today. Since November the group has been gathering evidence, through written submissions and face-to-face hearings, to understand the ramifications of the draft Investigatory Powers Bill (IP Bill). Its findings aren't too surprising, balancing the criticisms levied by internet service providers, developers and privacy advocates with the justifications put forward by the UK's intelligence and security agencies. The report supports many of the overarching powers but calls for "significant changes" in order to provide "important clarity" in key areas.
One of the biggest mysteries surrounding the IP Bill is its effect on encryption. When the government requests user data, companies have to provide it in a readable format. What that means for end-to-end encryption -- a scenario where users have the keys and service providers are unable to decrypt -- has always been a little unclear, however. In the draft bill, the Home Office says there will be "no additional requirements in relation to encryption over and above the existing obligations in RIPA."
But what does that mean exactly?
The general understanding of RIPA, or the Regulation of Investigatory Powers Act, is that companies only have to comply if they're able to do so. Data protected by end-to-end encryption is generally accepted to be unobtainable. But in the draft IP Bill there appears to be some confusion. A "technical capability notice," for instance, can request "the removal of electronic protection applied by a relevant operator to any communications or data." Would that mean end-to-end encryption is banned outright? Or would companies be forced to implement backdoors? After hearing some inconclusive evidence from the Home Secretary Theresa May, the joint committee seems to have clarified the situation:
"The Government still needs to make explicit on the face of the Bill that CSPs (communication service providers) offering end-to-end encrypted communication or other un-decryptable communication services will not be expected to provide decrypted copies of those communications if it is not practicable for them to do so. We recommend that a draft Code of Practice should be published alongside the Bill for Parliament to consider."
In addition, the group says the bill should make clear that software developers won't be required to compromise their users' encryption keys or install potentially vulnerable backdoors. These recommendations would suggest that companies like Apple, which currently offer end-to-end encryption through iMessage, won't be required to change their systems.
Internet Connection Records
The draft IP Bill has been conceived, for the most part, to collect and summarise the government's existing surveillance powers. It also includes some new ones, however, such as the ability to request "Internet Connection Records." These have been described by some as the equivalent of an "itemised telephone bill" for your online communications. The joint committee vehemently opposes this description, but has acknowledged it's "difficult" for the government to give a term that covers every aspect of the internet and the services it might want to monitor.
"We agree that all of the proposed purposes for which access to ICRs could be sought are appropriate. Furthermore, we recommend that the purposes for which law enforcement may seek to access ICRs should be expanded to include information about websites that have been accessed that are not related to communications services nor contain illegal material, provided that this is necessary and proportionate for a specific investigation."
That clarity is important though, not only for accountability and public reassurance but for the companies that will be forced to comply with government requests. ICR data is generally described as the context around your communications -- when, where, how and to whom you sent or received a message. In its simplest form that's a record of a visited domain, like facebook.com, but not the individual pages you were looking at.
The joint committee generally supports this surveillance power, but has asked the government to "address the significant concerns" of service providers and define important terms such as "internet service" and "internet communications service." It later adds: "We recommend that more effort should be made to reflect not only the policy aims but also the practical realities of how the internet works on a technical level."
Those "significant concerns" center around the cost and technical feasibility of collecting ICRs. Companies aren't sure what they are and there's a good chance that, in the course of their normal business operations, they don't collect or store them at present. The British government has ring-fenced £175 million to help enforce these data retention orders, but many estimate this won't be nearly enough to foot the bill. A greater concern, many ISPs have suggested, is the time and challenge involved with setting up the necessary systems -- it could be a long time before they can comply with any government requests.
In its report, the joint committee calls for the government to explain "how the issues which have been raised about the technical feasibility of ICRs will be addressed in practice." Furthermore, the group is asking the Home Office to "improve the detail" of its workings for the cost estimates for ICR data retention and "to show how it will be deliverable in practice."
Equipment interference, which covers hacking of phones and computers, was legal before but never explicitly stated in law. The draft IP Bill covers the power but, according to the joint committee, there should be more detail about how it's used in the real world. Specifically, it's calling for a Code of Practice that would outline the activities commonly carried out by the security and intelligence agencies, as well as general law enforcement.
"We recommend that the Government should produce more specific definitions of key terms in relation to EI to ensure greater confidence in the proportionality of such activities and that a revised Code of Practice is made available alongside the Bill."
To appease privacy advocates, the draft IP Bill includes a new safeguard for warrant authorisations, which are necessary for government agencies to look at content -- i.e. actually reading your messages or listening to a telephone call. The proposed "double-lock" system would require a judicial commissioner to check every warrant that is normally signed off by the Secretary of State. Exceptions would be allowed in "urgent cases," but a commissioner would still need to approve them within five days.
The joint committee isn't happy with this setup. Rather than a group of Judicial Commissioners, it would prefer an Independent Intelligence and Surveillance Commission, similar to the one recommended by David Anderson in his report last year.
"We recommend that such a Commission should become the oversight body in the Bill."
If this isn't possible, however, it still welcomes the Judicial Commissions as this will, in its view, improve transparency and public confidence.
Keep it under review
The government has a difficult balancing act when crafting any new surveillance bill. Legislation takes a long time to pass and is difficult to change once finalised. As such, the Home Office wants the definitions and powers to be a little broader than some might like -- this way it'll still be relevant as new services and technologies rise to prominence.
That argument makes sense, but it has to be balanced by the need for detail. Otherwise, it creates opportunities for those in positions of power -- the intelligence and security agencies, for instance -- to abuse their abilities or work without the proper safeguards and oversight.
The necessary detail will be found in the Codes of Practice. Understandably, the joint committee says these documents should be published alongside the new bill so they can be considered and debated in tandem. (The argument being that Codes of Practice, which contain the minutiae of how each power should be carried out, are easier for legislators to tweak over time.)
Regardless, the group wants the government to commit to a five-year review program. It would force the next Parliament to review what's been legislated in the bill and how it's been working in practice:
"(It) would, in our view, be a healthy way to fulfil the welcome aspirations for greater openness and legitimacy which underpin the draft bill."
Now, we wait for the government to give its response to the report. With 86 recommendations, there's plenty to be addressed. "The Home Office has a significant amount of further work to do before Parliament can be confident that the provisions have been fully thought through," Lord Murphy of Torfaen, the chairman of the joint committee, said.