Draft Investigatory Powers Bill: What you need to know

11.11.2015
Since publication last week, the government's Draft Investigatory Powers Bill has sparked debate over the balance between privacy concerns and national security in the post-Snowden era, with controversy around encryption, bulk data and hacking, to name just a few aspects.

The headlines

Clause 71 has led the news agenda so far. This requires web and phone companies to store records of websites visited by every citizen for 12 months for access by police, security services and other public bodies.

In practice this would take the form of an itemised list of each citizen's browsing history. The list would record the main domain visited rather than specific web pages (so computerworlduk.com, but not the individual stories you read), allowing a basic online footprint to be drawn up. One concern here will be around the security of this data, especially in the current climate of TalkTalk customer hacks and data dumps.

The bill seeks to make the power for security services to acquire bulk collections of communications data explicitly legal. For example, this could mean a bulk data set such as NHS health records.

Security services will also be legally empowered to bug computers and phones upon approval of a warrant. Companies will be legally obliged to assist these operations and bypass encryption where possible (more on this below).

Oversight for these operations will change, with a new "double-lock" where any intercept warrants will need ministerial authorisation before being judged by a panel of judges, who will be given power of veto. This panel will be overseen by a single senior judge, the newly created Investigatory Powers Commissioner.

For some context, figures from the Home Office, as published by The Guardian, show there were 517,236 authorisations in 2014 of requests for communications data from the police and other public bodies and a further 2,765 interception warrants authorised by ministers.

The politics

There has generally been cross-party approval of the bill as first proposed, with Shadow Home Secretary Andy Burnham stating that it was "neither a snooper's charter nor a plan for mass surveillance."

Conservative MP David Davis has been one of the more outspoken critics of the proposed legislation. Talking to The Guardian he said: "In every other country in the world, post-Snowden, people are holding their government's feet to the fire on these issues, but in Britain we idly let this happen [...] Because for the past 200 years we haven't had a Stasi or a Gestapo, we are intellectually lazy about it, so it's an uphill battle."

The Lib Dem leader Tim Farron has stated that he will table amendments to the bill, specifically surrounding the issue of judicial approval.

Author and journalist Heather Brooke went one step further. Writing for The Guardian she said: "The spies have gone further than [George Orwell] could have imagined, creating in secret and without democratic authorisation the ultimate panopticon. Now they hope the British public will make it legitimate."

Edward Snowden tweeted: "By my read, #SnoopersCharter [The Draft Investigatory Powers Bill] legitimises mass surveillance. It is the most intrusive and least accountable surveillance regime in the West."

According to YouGov the UK public generally approve of surveillance, with 44 percent of respondents stating it wouldn't bother them to know that they could be spied upon and they don't think they are at this time.

Obligations on communications service providers

The use of investigatory powers relies heavily on the cooperation of so-called 'communications service providers' in the UK and overseas. The draft bill clearly outlines a legal duty on British companies to assist in hacking devices (equipment interference warrants).

A spokesperson for UK internet service provider (ISP) BT responded to this obligation by stating: "National security is a critical issue and everyone needs to play their part, including industry. Parliament has long taken the view that the national interest is best served by allowing security and law enforcement authorities access to certain types of data under certain circumstances. We believe there must be a clear legal framework around this regime, one that ensures adequate checks and balances are in place to weigh up any human rights concerns."

ISP Virgin Media said it "does not monitor or control what customers do online but complies with all lawful requests. It is for Parliament to decide where the balance lies between the needs of law enforcement and citizens' privacy."

ISPs have been cooperating with requests like this since 1984 under obligations outlined in the Telecommunications Act, if requested by the Secretary of State in the interest of national security. This bill looks to write this power into law for the security and intelligence agencies.

The draft bill also outlines a means for ISPs, telecommunications operators and postal operators to receive appropriate contributions to cover the additional costs of these activities.

These providers can appeal requests for data, but only directly to the Secretary of State.

Encryption

Encryption of communications has been a controversial topic of conversation ahead of publication of the bill. It does not seek to ban end-to-end encryption, but it will impose an obligation on communications services to help descramble communications if a warrant is issued to do so.

The issue for the security services, if this were to be codified into law, would be over-the-top communications services such as Apple's iMessage and the popular WhatsApp messaging service. These third-party services apply end-to-end encryption to all messages, meaning the providers can't read them even if they wanted to. Emails sent using Microsoft Outlook aren't automatically encrypted in this way and Gmail requires an end-to-end encryption extension for Chrome. BlackBerry offers end-to-end encryption between devices through its paid BBM Protected product. The Cisco Spark messaging service has built-in end-to-end encryption.

Privilege

The draft Bill does specify sensitive professions, namely medical doctors, lawyers, journalists, Members of Parliament and the devolved legislatures, and Ministers of Religion, who will be afforded extra protections under a new code of practice. The safeguards appear to be limited though, with the new judicial authorisation cited, along with the added obligation to ensure that the information being investigated is in the public interest.

What next

The 299-page draft bill will be debated and consulted on before a bill is formally introduced to Parliament in the New Year, where it will have to pass votes in both Houses of Parliament.

(www.computerworlduk.com)

By Scott Carey