The long-awaited Investigatory Powers Bill has been published at last. The draft Bill is almost 300 pages long so it is going to take us a while to go through the detail but here is our first take on what it contains.
Legitimising bulk interception and previously unknown access to UK communications data
The draft bill spells out the powers that the security services have to collect content and data in bulk. Although this had been done for years, no one really understood the extent of GCHQ’s capabilities until the Snowden leaks. The government acknowledged today that secret agencies have been going even further, accessing data in bulk from UK internet providers not just from international cables. The bill effectively endorses these previously secret – and at face value disproportionate – mass surveillance powers. This is in addition to powers to obtain bulk datasets, such as phone books, driving licenses, travel or banking records.
Retaining even more data
One of the most controversial parts of this new Bill is that ISPs will be forced to keep much more detailed data about our internet activities, such as websites we visits or apps we use in our phone. To access this data, the police would need to get a court order – this seems to be a concession to the European Court of Justice ruling last April that said there must be safeguards for accessing retained data. In July, the High Court said that parts of the Data Retention and Investigatory Powers Bill were unlawful for the same reason.
We will be asking why the UK police feel they need these powers. In his inquiry into surveillance, the Independent Reviewer of Terrorism Legislation, David Anderson QC said:
“I am not aware of other European or Commonwealth countries in which service providers are compelled to retain their customers’ web logs for inspection by law enforcement. I was told by law enforcement both in Canada and in the US that there would be constitutional difficulties in such a proposal."
Who signs off warrants?
The new Bill proposes a new system of “double-lock” where some warrants will be signed both by the Secretary of State or an authorised person, and additionally by a special judge. At face value this might seem an improvement on the current situation where judges do not have a role, but there are concerns that in practice this may simply amount to a rubber-stamp. Judges would have a very narrow role, only being allowed to check that there are grounds for the minister’s decision and that procedures have been followed, but not to challenge the substance of the decision. Fully independent judicial authorisation would be a better guarantee of due process. Disappointingly, the draft new bill still allows police, councils and other agencies to obtain communications data without the need to involve a judge.
Has encryption been banned?
We don’t think there was ever going to be a serious attempt to ban encryption. The Bill ask for powers to compel communications providers to assist with demands for interception. How companies do this will presumably be at their discretion. In some cases this might involve compromising their software to make the encryption less effective. This is something that we are sure companies will be looking into.
New hacking powers
The bill clarifies the powers of security agencies to break into our laptops and mobile phones, including worrying new powers for non targeted mass hacking. The bill also forces internet companies to help in hacking their customers.
What are the positives?
We asked for a transparent law and on first reading it does seem to be very clear about the powers being given to the State. Transparency over these activities is very welcome, as it enables debate and challenges to specifics, including in the courts. There also seems to be improvements to redress, including the right to appeal rulings by the Investigatory Powers Tribunal, which is something ORG has campaigned for. The new Investigatory Powers Commissioner may also bring improvements to democratic oversight.
What happens next?
This is a massive bill and it’s going to take us some time to scrutinise it in detail. Our initial view is that the draft bill appears to be a missed opportunity to rein in the surveillance state. It mainly seems to legalise current practices and add a veneer of human rights compliance without fundamentally changing what the police and secret agencies already do.