November 05, 2015 | Pam Cowburn

First take on the Investigatory Powers Bill

The long-awaited Investigatory Powers Bill has been published at last. The draft Bill is almost 300 pages long so it is going to take us a while to go through the detail but here is our first take on what it contains.

Legitimising bulk interception and previously unknown access to UK communications data

The draft bill spells out the powers that the security services have to collect content and data in bulk. Although this had been done for years, no one really understood the extent of GCHQ’s capabilities until the Snowden leaks. The government acknowledged today that secret agencies have been going even further, accessing data in bulk from UK internet providers, not just from international cables. The bill effectively endorses these previously secret – and at face value disproportionate – mass surveillance powers. This is in addition to powers to obtain bulk datasets, such as phone books, driving licenses, travel or banking records.

Retaining even more data

One of the most controversial parts of this new Bill is that ISPs will be forced to keep much more detailed data about our internet activities, such as the websites we visit or the apps we use on our phones. To access this data, the police would need to get a court order – this seems to be a concession to the European Court of Justice ruling last April that said there must be safeguards for accessing retained data. In July, the High Court said that parts of the Data Retention and Investigatory Powers Bill were unlawful for the same reason.

We will be asking why the UK police feel they need these powers. In his inquiry into surveillance, the Independent Reviewer of Terrorism Legislation, David Anderson QC said:

“I am not aware of other European or Commonwealth countries in which service providers are compelled to retain their customers’ web logs for inspection by law enforcement. I was told by law enforcement both in Canada and in the US that there would be constitutional difficulties in such a proposal.”

Who signs off warrants?

The new Bill proposes a new system of “double-lock” where some warrants will be signed both by the Secretary of State or an authorised person, and additionally by a special judge. At face value this might seem an improvement on the current situation where judges do not have a role, but there are concerns that in practice this may simply amount to a rubber-stamp. Judges would have a very narrow role, only being allowed to check that there are grounds for the minister’s decision and that procedures have been followed, but not to challenge the substance of the decision. Fully independent judicial authorisation would be a better guarantee of due process. Disappointingly, the draft new bill still allows police, councils and other agencies to obtain communications data without the need to involve a judge.

Has encryption been banned?

We don’t think there was ever going to be a serious attempt to ban encryption. The Bill asks for powers to compel communications providers to assist with demands for interception. How companies do this will presumably be at their discretion. In some cases this might involve compromising their software to make the encryption less effective. This is something that we are sure companies will be looking into.

New hacking powers

The bill clarifies the powers of security agencies to break into our laptops and mobile phones, including worrying new powers for non-targeted mass hacking. The bill also forces internet companies to help in hacking their customers.

What are the positives?

We asked for a transparent law and on first reading it does seem to be very clear about the powers being given to the State. Transparency over these activities is very welcome, as it enables debate and challenges to specifics, including in the courts. There also seem to be improvements to redress, including the right to appeal rulings by the Investigatory Powers Tribunal, which is something ORG has campaigned for. The new Investigatory Powers Commissioner may also bring improvements to democratic oversight.

What happens next?

This is a massive bill and it’s going to take us some time to scrutinise it in detail. Our initial view is that the draft bill appears to be a missed opportunity to rein in the surveillance state. It mainly seems to legalise current practices and add a veneer of human rights compliance without fundamentally changing what the police and secret agencies already do.

Comments (12)

  1. Mark James Talbot:
    Nov 05, 2015 at 12:07 PM

    The worrying part is what effect this will have on UK hosting and tech companies. Do the rules on encryption for CSPs cover British companies that host somewhere safe still have to comply? If they do then this is a death knell for any UK based "cloud" software companies as it effectively means you can't use any form of e2e encryption of data, meaning there will always be a weak link in the provider's infrastructure.

    This is also likely to make TalkTalk-style hacks by "script kiddies" more likely; any innovation with federated payment networks that would have meant that finally we could remove the risk of hacks compromising PII would be lost as it would still have to be decryptable on CSP end.

    As usual with any of these styles of bills, it shows the fact that government ministers have a stunning lack of technical knowledge and do not have the advisors around them with the functional knowledge that this is easy to get around if you want to.

  2. George Chiesa:
    Nov 05, 2015 at 03:27 PM

    Big things:
    If you travel abroad, even on holidays, a mutual assistance request can be put to EU or not "sister countries", so Five Eyes can inform the UK with no limits anything they know on you, since the beginning of times, because at the time of the request, you are technically not in UK.

  3. Steven:
    Nov 06, 2015 at 03:28 AM

    I think the biggest risk in this is the logging of websites and how easily it can be accessed, and it could land innocent people into trouble that no one, as far as I can tell, seems to have thought of.

    Visiting Site A while a secret Site B is loaded in a hidden IFRAME on the page will be logged as that person visiting that site in this itemized list. The same can be done using Ajax too. This could give more power to the bad guys by making it look like innocent people have visited a suspicious site. Ad networks can become infected, it happened to Yahoo not long ago, they could easily send people to suspicious sites.

    Most people are not fully adept at how the Internet works. If an Internet user is looking for info and scans various sites in Google and they click on one, all looks innocent so they scroll down seeing falsely labeled links and click on them and end up coming across some unsavory content because it's impossible to know what's on a site without clicking that link. They click away but that link is in that list. There are times when even visiting certain popular social networks where game apps are infected or an exploit to send everyone on your friends list a link, these have happened and some people do click on them, even if only for a second, that site is logged.

    A site can easily redirect a visitor to another site without them knowing, especially on mobile where the URL bar is sometimes hidden. They never chose to be redirected much in the same way they didn't choose to visit the site in the hidden IFRAME.

    If this site logging comes into law, the biggest risk to people is this kind of cloaking that could incriminate innocent people.

    Some may say, then don't visit sites you don't know of. No one knew of the popular sites now dominating the online space, they wouldn't be popular with that kind of thinking and would have an impact on start-up companies. But it all comes back down to that list and that it could list sites that the visitor wasn't aware of. It's easy to have popups on screen and hide them.

    All it takes is a bit of understanding of HTML/CSS/JavaScript to see how easy it could be used against innocent people. The only thing they are doing with this, is trying to solve one problem by creating another one.

    Also on some news sites, they are claiming the police etc. don't need a warrant to see the list of sites, only for the content, which could easily be exploited by a bad employee. There needs to be a threshold to be passed before they can view it because it sounds like they can look at the list for anyone for any reason they see fit. It's a stalker's paradise. These laws could backfire in more ways than has been talked about.

    Sorry for the long comment.

  4. George Chiesa:
    Nov 06, 2015 at 08:21 AM

    Our #SecretaryOfState says:
    "#without #security you #can't #enjoy #freedom".

    I say:
    "#without #freedom, #whatsThePointOf #security?"

  5. Phil:
    Nov 07, 2015 at 09:59 AM

    If there is anything we've learned from Snowden's revelations, it is that oversight of intelligence gathering was criminally inadequate. There is nothing in this bill to convince us that these same people won't continue breaking the law even when given such obscene powers.

    Ministers and MPs may think they are exempt, but of course techies will know this is nonsense. If the data is collected for every communication, their data will be swept with it. They will be collateral damage in the new bill, the same way we all are now. Their spouses and their children's data. And as David Davies put it - this will be the ultimate Blackmail Machine opening the system to broad corruption at every level.

    To think they can keep this data secret shows unflinching hubris. The prize will be simply too big and we'll have foreign states, powerful crime networks and script kiddies all having a go. Successful attackers would keep their success secret, so we'll only know when juicy details come out in case a minister, MP or business leader rejects blackmailers' terms - at a cost of losing their position which may often be the blackmailers' goal in the first place. Of those who go along with blackmailers, we'll probably never know - apart from seeing grotesque laws like this one.

    It's clear this has not been thought through - what happens in 50 or 100 years from now with a caste that sees all and knows all about anybody? It's the sort of society so fundamentally different from Britain today that the government looks more like a radical than a conservative one.

  6. John Collins:
    Nov 10, 2015 at 10:25 AM

    Without having any malicious intent I have used proxy servers when sites I've wanted to look at have been blocked from UK access.

    I run my own email server so no one can access any details of who I've exchanged mail with (amid all the spam, good luck with that).

    I use PGP (or GPG) whenever I can.

    If I can do all those things, what stops the people they supposedly want to catch?

  7. George Chiesa:
    Nov 10, 2015 at 11:55 AM

    From and To headers in unencrypted port 25... SMTP

  8. John Collins:
    Nov 10, 2015 at 12:01 PM

    I should perhaps have added that the mail server is set up on a VM I rent out to host some websites (and also provides mail servers for those websites) which I manage and my traffic to/from that VM is encrypted.

  9. George Chiesa:
    Nov 10, 2015 at 02:01 PM

    And that's the problem. YOUR traffic is encrypted. Mail delivery TO/FROM your server over unencrypted SMTP is vulnerable to snooping "en transit". False sense of security?

  10. John Collins:
    Nov 10, 2015 at 02:14 PM

    OK, take your point on that. On the other hand, what will "they" do when they want to look at the historical log of emails to and fro for the past year and they discover I haven't kept more than the past few days' worth?

    And are they going to ban PGP? Pity that isn't used more; I wish all these power company/bank/etc would send me encrypted emails with statements and what-have-you so I don't have to laboriously log in to their websites to download them. Mind you, the ISP and the web hosting company (different) both send plain text PDF invoices which "they" can probably read.

  11. George Chiesa:
    Nov 10, 2015 at 02:23 PM

    You miss a point. They are keeping the logs, the whole actual traffic in some cases. Read the section under "bulk". Or the Snowden reports.

  12. Hamish Downer:
    Nov 14, 2015 at 05:09 PM

    I also find the many gagging orders very worrying - we will not be able to have an informed debate about these powers. I urge you all to read the following by George Danezis (and other blog articles about the IP Bill)