The Investigatory Powers Bill, which is set to become the UK's new, consolidated piece of surveillance legislation, was first introduced in draft form late last year. After fielding the thoughts and concerns of telecoms providers, major tech firms, intelligence specialists, privacy advocates and many more invested parties, a trio of Parliamentary committees reviewed and ultimately criticised the draft bill. Taking the red pen of the committees on board, the Home Office has revised the draft and yesterday submitted the IP Bill Mark II to Parliament. Mostly, it just tries to clarify a few of the more ambiguous proposals, but it also expands certain powers rather than reining any in.
If there was one thing all the review committees agreed on (supported by the views of many companies and individuals), it was that the draft bill was far too vague. Home Secretary Theresa May -- the primary author of the bill, nicknamed the Snooper's Charter -- admitted as much, arguing that by leaving certain aspects open to interpretation, the IP Bill would be future-proofed. Her reasoning? Technology and online communications are evolving at such a rate that being too specific would ultimately restrict the use of surveillance powers written into the bill.
Alongside the revised bill, however, the Home Office has published a number of draft Codes of Practice (six, in fact) that explain in detail how the powers will be used and why they're required. Think of the Codes of Practice as footnotes to the bill that can be revisited and changed. The bill itself, when passed into law, will be far from malleable. Codes of Practice, on the other hand, can be expanded (or condensed) when, say, a new type of communication data not previously covered becomes of interest to law enforcement or intelligence agencies.
These draft Codes of Practice will be subject to scrutiny themselves, of course, but the idea is they clarify some of the ambiguous legislese the committees took issue with. The Home Office has also published additional Operational Cases to compliment the revised bill, which offer further justification for the retention of Internet Connection Records (ICRs) and the use of bulk powers (read: not targeted), including the interception of communications and state-sponsored hacking. Though again, whether these use cases are satisfactory will be decided by Parliament.
Now onto some of the more specific changes included in the IP Bill Mark II.
Internet connection records (ICRs)
Image credit: Shutterstock
Both the UK's major internet service providers (ISPs) and mobile network operators have expressed a limited understanding of what the Home Office calls an ICR. In layman's terms, an ICR is the top-level domain of a visited website (so, reddit.com, but not the individual pages accessed during that session). It also describes the context (metadata) of online communications -- the who, when, where and how of, say, a WhatsApp message, but not the content. Obviously, the bill uses much more technical language, but the definition has never been championed as clear.
This poses a serious problem for ISPs and mobile operators. After all, these companies will be lawfully required to develop the systems needed to gather and store ICRs for 12 months -- one of the proposals at the heart of the IP Bill. The revised legislation includes a tweaked definition of ICRs (we'll spare you the gobbledygook), intended to paint a clearer picture for service providers, so they can think about how they're going to develop the appropriate tools. Or at least continue dialogue with the Home Office on what it'll take to support the proposal.
Service providers have already warned that creating these systems will be a technical feat, and a time-consuming and expensive one at that. The general consensus is the £174 million the Home Office has budgeted to support companies that'll be on the hook for collecting ICRs isn't nearly enough. Should they not be fully compensated, the worry is the shortfall could lead to less investment in improving services, or worst-case scenario, higher bills for customers. The Home Office, while not making a formal commitment, has gone some way to putting these fears to bed. In its "response to pre-legislative scrutiny" (one of the many, many supporting documents for the IP Bill Mark II), it states:
"In practice, the Government has a longstanding position of reimbursing 100% of the costs associated with data retention. There are no current plans to change that policy..."
Encrypted services are safe, probably
Image credit: Shutterstock
The IP Bill's stance on encryption has been one of the most ill-understood, and heavily debated. The legislation states there will be "no additional requirements in relation to encryption over and above the existing obligations in RIPA," RIPA being a major component of existing surveillance law. What's made serious waves among the world's biggest tech companies, though, is the bill's introduction of a "technical capability notice," which when served, would demand "the removal of electronic protection applied by a relevant operator to any communication or data."
As much of the legislese is intentionally open to interpretation, tech giants have seen this as a red flag. They fear the UK government might attempt to strong-arm them into building backdoors in their encrypted services or effectively hacking their own hardware, as the FBI is pushing Apple to do in the US currently. In response, the Home Office has attempted to clarify the scope of technical capability notices with the publication of the IP Bill Mark II.
The new wording seems to state that technical capability notices won't be actionable on end-to-end encrypted services, or other forms of encryption where the company doesn't hold the key (your phone's lockscreen passcode, for example). In addition to reviewing how necessary and cost-effective the notice might be, the nature of encryption and technical feasibility of breaking it will be taken into account. Providers "can only be required to remove protection they themselves have applied, or that has been applied on their behalf," the Home Office says, "or where the company is removing encryption for their own business purposes."
If we're understanding this correctly, then a company may be required to decrypt, say, its payroll database, since it's in possession of the key and can comply without too much fuss. On the flip-side, if the government wanted to peek inside an iMessage conversation, the feasibility, cost and disproportionate consequences of breaking this end-to-end encrypted service would be preventative. Annoyingly, though, the redrafted wording is still open to interpretation, and is unlikely to placate opponents of this vague, new power.
Oversight, sensitive professions and foreign agents
Image credit: Getty
The other notable amendments in the IP Bill Mark II include a change to how urgent interception warrants are handled. In this context, interception means accessing/monitoring the content of communications, like reading an email; in contrast, communications data (a type of ICR) is merely the metadata surrounding a conversation, and can be looked at without a warrant.
To get an interception warrant, intelligence and law enforcement agencies need the approval of both a Secretary of State and an independent judicial commissioner. This is known as a "double-lock" procedure, but in urgent circumstances, investigations can begin before a warrant has been authorised. The draft IP Bill stated that these needed to be approved or refused by a judge (retrospectively) within five days, but the revised legislation cuts that window down to three days.
Among several other tweaks to oversight and safeguards, the Investigatory Powers Commissioner -- a new appointment to monitor and scrutinise the use of surveillance powers -- is now able to report failings in the system to affected individuals without the approval of a separate tribunal.
One criticism of the draft bill was that it didn't include explicit protection for lawyers, journalists, doctors, Members of Parliament and other professionals that deal with confidential information. In the revised bill, additional authorisations have been included where sensitive information and journalistic sources are in play.
Some stakeholders also worried that while the limitations and approval procedures might keep national agencies in check, the UK government could ignore these by allowing foreign intelligence services to use the new surveillance capabilities on their behalf without playing by the rules. The Home Office has made clear that no international partners will be able to act in the interests of the UK without a domestic warrant.
Image credit: Shutterstock
The new version of the IP Bill hasn't just been an opportunity for the Home Office to clarify, tweak and publish supporting documentation for the controversial legislation, but to expand its scope slightly, too. Previously, law enforcement (i.e. the police) was only permitted to access communications data and web browsing histories (ICRs, in other words) that obviously pertained to illegal content and activities.
In the revised bill, any and all ICRs will be available to the police where it is "necessary and proportionate" for conducting investigations. It's extremely important to note here that the expanded powers don't include additional safeguards: In other words, the police are not required to seek a double-lock warrant to get hold of ICRs.
The IP Bill includes the first public admission of state-sponsored hacking, which the government calls equipment interference. In the draft bill, law enforcement was entitled to carry out equipment interference "for the purpose of preventing or detecting serious crime." Mark II now says it can be used where there is an "imminent threat to life or serious harm," which is a broad phrase that covers everything from kidnappings to "mitigating any injury or damage to a person's physical or mental health."
The revised bill also specifies that equipment interference powers aren't just reserved for intelligence and law enforcement agencies. "Certain public authorities" including immigration officers, the British Transport Police and the UK's Competition and Markets Authority already use these tactics, and they'll be preserved in the IP Bill.
Image credit: Shutterstock
It's safe to say that early reactions to the IP Bill Mark II have been frosty at best. The general sentiment (aside from objections to the expansion of powers) is that many of the serious concerns and countless recommendations put forward by the three Parliamentary review committees have largely been ignored or addressed unsatisfactorily. A statement from Amnesty International said the hasty redraft was "like adding extra storeys to a burning building."
"Rather than a full redraft, we've been given cosmetic tweaks to a heavily criticised, deeply intrusive bill," said the Director of the Don't Spy On Us coalition. And the list goes on... and on. Privacy International, Liberty, Big Brother Watch, the Web Foundation and many more have expressed their contempt for the bill, with several groups arguing that its impact on the public's fundamental right to privacy should be at the forefront of the debate -- that discussing the minutiae of the bill is taking attention away from the bigger picture.
Lord Strasburger, the most, er, provocative member of the draft bill's Joint Committee, has joined the chorus, too. "Nothing has changed since I made my comments on the draft bill three weeks ago. The Home Office just doesn't do privacy. It does security and ever more intrusive powers they claim will make us safer, but not privacy." Writing in The Telegraph, David Anderson QC -- an independent reviewer of terrorism legislation that produced a report on mass surveillance in the UK last year -- said "the Investigatory Powers Bill remains a work in progress." He also described the whole saga better than we ever could:
"The debate on investigatory powers, as I discovered when I was asked by Parliament to report on it, is addictive to some and toxic to everybody else. Securocrats seek access to innocent communications, while privacy advocates warn darkly of dystopia. The rest of us tend to be bored, confused and generally defeated by it all."
Why the rush?
Image credit: AFP/Getty
Ever since the first draft of the IP Bill hit the streets, the Home Office has been accused of rushing the extremely complex and controversial legislation through Parliament. The Joint Committee was given only three working weeks to field evidence and report its recommendations, for instance. Home Secretary Theresa May is now taking further flak for taking the same amount of time to redraft the bill, despite calls for a major reworking based on the concerns raised by the three Parliamentary committees.
She has her reasons. The Data Retention and Investigatory Powers Act -- an emergency piece of surveillance legislation introduced in 2014 and later ruled unlawful -- is due to expire this year, hence the aggressive timetable for the IP Bill. An open letter published in The Telegraph and signed by MPs, professors, experts, organisations -- all of which are knowledgable and invested in the IP Bill debate -- has suggested it's irresponsible of the government to incorporate the bill into law this year. Instead, they recommend that any vital powers could be condensed into a separate bill, with more comprehensive legislation following that after adequate debate.
As it stands, though, MPs have a couple of weeks to get through hundreds and hundreds of pages of dense documentation before the first debate lights up the House of Commons on March 14th.