Seriously, what is an Internet Connection Record?
Under the IP Bill, internet service providers (ISPs) and mobile network operators will be required to store the Internet Connection Records (ICRs) of their users for 12 months. An ICR in its simplest form is merely a record of a visited domain, like facebook.com, but not the individual pages you've looked at across that site. That's easy enough to understand, but browser requests aren't exactly the be-all and end-all of internet traffic. Various apps on your smartphone, for example, are constantly "online," but they don't talk to servers in the same way browsers do.
There have been several calls for a clearer definition of ICRs. UK carriers in particular have said they can't really talk setup costs and ease of implementation when they don't know exactly what type of data they will be required to store and process. As far as May is concerned, an ICR is a web address, and yet later in the same session she suggested ICRs cover any form of online communications between connected devices -- any connected session, if you will. Glad that's all cleared up then!
Thankfully, she was explicit about one particular point. ISPs and mobile operators will not be required to store third-party data generated by over-the-top services like WhatsApp, Skype and others (though they might record when a particular service has been accessed). There has been some confusion over this, with providers concerned that collecting and storing third-party data, much of which is encrypted anyway, might be an unnecessary resource drain -- especially if they can't understand and therefore process the traffic in the first place.
Technical feasibility and budget
ISPs and mobile carriers are ultimately responsible for implementing the data collection systems proposed under the draft legislation. In prior sessions, both groups told the joint committee there has been no historical need for them to process internet traffic in this way, meaning they'll have to build the appropriate tools from scratch. While none have volunteered the opinion it's technically impossible -- though they are still somewhat in the dark about what's going to be required of them -- all have warned it'll be a serious undertaking and could take years to get up and running.
May has a more positive outlook on their ability to deliver, however, saying she's confident that meetings between providers and the Home Office have established the technical feasibility of the proposals. Much bigger discrepancies arise around the cost of creating these ICR gathering systems, though. The Home Office has budgeted £174 million (of a total £247 million) to fund them, a figure May said was arrived at through discussions with ISPs and carriers. It's exactly these companies, however, that have expressed in unison their worry it won't be nearly enough.
Carriers won't even speculate what it'll cost to put these systems in place, and BT's President of Security Mark Hughes has said his company alone would need tens of millions at a conservative guess. And that's not taking into account recurring upkeep costs, and the high likelihood data processing and storage will be increasingly burdensome as the volume of internet traffic rises year after year.
A related issue that wasn't even discussed is whether providers will have to stump up some of their own cash to satisfy the proposals. The general consensus, not that May seems to be aware, is that £174 million just won't cut it, though several providers have been clear in their belief the government should pick up the tab in its entirety. The worry is that providers will have to raid their own bank accounts to some extent, and use money they would otherwise be investing in improving their services for data collection. Worst-case scenario, consumers will end up with higher bills to make ends meet. In the same vein, ICR gathering tools might turn out half-baked if companies aren't given appropriate resources to implement them.
What does it mean for encryption?
The IP Bill has been seen as a potential problem for over-the-top providers like messaging apps, which rely on encryption for keeping their services secure and private. Apple's Tim Cook has been vocal about state-sanctioned weakening of encryption, with Facebook, Google, Microsoft, Twitter and Yahoo also clubbing together to officially raise complementary concerns.
The legislation itself states there will be "no additional requirements in relation to encryption over and above the existing obligations in RIPA," aka the Regulation of Investigatory Powers Act that outlines the UK's existing surveillance laws. The IP Bill, however, makes room for a "technical capability notice" that asks for "the removal of electronic protection applied by a relevant operator to any communications or data."
The whole point of end-to-end encryption is that it can't be broken, even by the company providing the service (this is true of iMessage, for example). The wording of the technical capability notice hasn't sat well with some of the major tech companies, who believe the new laws may require them to build government-accessible backdoors into their products and services. According to Theresa May, this is "absolutely not" part of the plan.
Acknowledging the importance of encryption, she reiterated the government isn't proposing that over-the-top providers need do anything different. The legal position today is that companies are obliged to take reasonable steps to make decrypted data available when lawfully requested. Under the IP Bill, only the same obligations are said to apply.
While that should provide some reassurance to encrypted services, the phrase "reasonable steps" is open to interpretation, and May wasn't asked about "equipment interference," or hacking as it's more commonly known. As part of the draft bill, there's "a new obligation" to "assist in giving effect to equipment interference warrants." Reading between the lines, that could mean companies will be required to crack their own hardware or software on behalf of the government, thereby compromising the security (and privacy) of their products and services. Thus, it's still unclear exactly what powers of forceful decryption the government intends to exercise.
The major tech companies are also concerned the IP Bill will put them in a difficult position where international movement of data is concerned. Companies like Google, Microsoft and Facebook, which are all based outside the UK, fear that a data request from our government might conflict with local laws, meaning they have to violate one or the other. Understandably, May is of the opinion that if you operate in the UK, it's only fair that you play ball with the government, meaning a warrant issued to an overseas company should to all intents and purposes be treated the same way as a domestic warrant.
The committee also raised the question of the government being able to ignore the approval process written into the bill by soliciting information from foreign agencies. To this, May explained there is already a legal framework in place that means the UK is only entitled to receive information where it is lawful to do so, and it works both ways, too. The UK must be confident in the legality of requests and data handling arrangements of other countries before sharing information. The reality of overseas data sharing where companies or foreign agencies are involved, however, might turn out a little more convoluted than May's brief reassurances suggest.
Access to data
When is mass surveillance not mass surveillance? When you're not looking at the data being collected. In an attempt to protect the public's right to privacy, the IP Bill introduces a "double-lock" process for approving data requests. First, a government minister needs to green light an intercept warrant before an independent judicial commissioner makes the final call. Some stakeholders worry, however, that the judicial review would be no more than a formality: A check to ensure the appropriate procedures had been followed up to that point.
May attempted to alleviate these concerns, stating that the procedure will indeed be a true double lock. Judges won't just be proofreading warrants, they will have the power to reject them based on merit: whether the intercept request is "necessary and proportionate" given the circumstances. If the judge believes otherwise, the warrant doesn't go any further. As they are reviewed on a case-by-case basis, though, it's all up to the judge on whose desk it lands.
There is one loophole to the double-lock process, though, in "urgent cases." Though this phrase is obviously open to interpretation, it's supposed to refer to investigations where time is of the essence, or there's a threat to life or national security. In these instances, a minister can authorise an intercept warrant with immediate effect for up to five days without judicial approval, which will come after the fact.
Is this all really necessary?
Most of the final evidence session sought clarity on some of the finer details of the bill, but a few members of the joint committee did raise the question of whether we really need the controversial legislation in the first place. It is the duty of the committee to assess the balance between security and impact on civil liberties, after all. Are bulk collection powers ever appropriate, for example, and are they technically legal under EU law? Unsurprisingly, the author of the IP Bill and the Snooper's Charter that came before it assured the committee of its legality, and said that in this day and age digital surveillance was "absolutely" necessary given the threat of serious crime.
The intention is not to profile people based on their online activity, May said, but to have ICRs available (under appropriate safeguards) when they could be key to investigations. Committee members did question the utility of the data, however, remarking that web browsing history, for instance, might not tell you a great deal about someone.
Drawing on the evidence of William Binney, retired Technical Director of the NSA, May was also quizzed on how useful such a large volume of information will be to law enforcement and government agencies. There are many examples of terrorist attacks carried out by known suspects. Analysts are sometimes so swamped in data already they can't see the wood for the trees. "You can't look for the needle in the haystack unless you've got the haystack," May argued.
Session MVP Lord Strasburger was particularly bullish about the Home Office publishing an operational case -- a fancy term for solid reasoning/specific use cases -- for equipment interference activities (hacking) and various bulk collection powers. While a case has been put forward for the storage of ICRs, the IP Bill is the first time government-sponsored hacking has ever come before Parliament, though agencies like GCHQ have been using various secretive surveillance tactics for some time.
In previous sessions, legal experts have also demanded that legal privilege (the attorney-client privilege, in other words) be protected in writing under the bill. The same goes for journalistic sources, but May effectively brushed off these requests. She didn't want to formally rule out the use of powers in these scenarios, especially where it might be deemed "necessary and proportionate" to identify bad guys hiding behind legal privilege.
Don't call it vague, call it future-proofed
Perhaps the most important feature of the Investigatory Powers Bill is that much of its wording is open to interpretation. From the definition of an Internet Connection Record, to when an intercept warrant is deemed "necessary and proportionate," many concerns raised in prior evidence sessions have been issues with ambiguous legislese.
Theresa May didn't deny the IP Bill is full of vague vocabulary, instead admitting many of the ins and outs of the proposals are intentionally vague. Technical definitions will move on just as technology does, so indefinite language has been used to extend the lifespan of the legislation. Clarifying what types of communications data can be collected, for example, would mean others that arise are excluded. What some call "unhelpful" wording, May calls the exact opposite, since it future-proofs the bill.
May also rejected the idea of adding sunset clauses -- aka expiry dates -- to parts of the bill, saying it could create uncertainty among the companies expected to deliver the data collection systems. She also wasn't keen on being too specific in codes of practice, which will outline how the bill is to be enforced. If you over-regulate, May argues, you risk being in a position where, say, you are unable to collect a certain type of potentially useful data until the codes of practice are up for review.
Considering the Investigatory Powers Bill is Theresa May's baby, we can't exactly say her parlay with the joint committee has put all the concerns raised in previous evidence sessions to bed. Admitting that the legislation is cleverly worded for the purpose of being open to interpretation won't be celebrated by privacy groups, and there seems to be some disconnect between the Home Office and communications service providers over technical feasibility and cost.
Nonetheless, the joint committee now has until February 11th to put together its recommendations on the bill. The Home Office has been criticised for the aggressive timetable and accused of trying to rush the 300-page piece of legislation through the process before the Data Retention and Investigatory Powers Act (DRIPA) expires at the end of March -- the emergency surveillance legislation was originally supposed to sunset at the end of the year, prior to being ruled unlawful by the UK's High Court. Perhaps one of the committee's recommendations might be that it's given more time to scrutinise what will result in a huge expansion of legal government surveillance powers.