The Joint Committee into the Investigatory Powers Bill was published today. It’s the third report in less than two weeks that calls for significant changes to be made to the draft Bill.
The Joint Committee report's is far from perfect - for example it accepts the Bill's weak proposals for judicial authorisation – but its 86 recommendations cannot be addressed with anything less than a full rewrite.
As Committee member Lord Strasburger puts it: “It needs more than mere tweaking, it needs to be fundamentally rethought and rebuilt.”
Here are some of the key points:
The report asks the Home Office to make the case for bulk surveillance powers and to show that their use could be compliant with privacy rights as these powers have the potential to be, “exercised in a way that does not comply with the requirements of Article 8 as defined by the Strasbourg court.”
It also points out that limiting these powers to overseas communications only could be pointless, given the global nature of the Internet.
All three reports expressed concerns about how ICRs (Internet Connection Records) are defined and budgeted for. In addition, the Joint Committee stated it has “concerns about the definitions and feasibility of the existing proposal”.
The Committee's report calls for clarity about the definitions of ICRs, and admits it was not able to accurately assess the costs provided by the Home Office, which have been criticised as too low by several ISPs.
The Committee also rejected one of the key pieces of Government spin around for ICRs: “We do not believe that ICRs are the equivalent of an itemised telephone bill. However well-intentioned, this comparison is not a helpful one.” There is far more personal data available on our phones and computers than a telephone is ever able to gather.
The Committee says the Bill needs to be amended to make it clear that companies won’t be required to compromise encryption keys or install backdoors. It also says that the Government should, “make explicit on the face of the Bill that CSPs offering end-to-end encrypted communication or other un-decryptable communication services will not be expected to provide decrypted copies of those communications if it is not practicable for them to do so.”
Bulk personal datasets (BPDs) are databases held by public and private organisations - for example, the electoral roll. The Committee found that the Government had not made the case for acquiring BPDs and said that the safeguards around them had not been explained properly. Like the Intelligence and Security Committee, they said that class warrants, which would allow the agencies to use one warrant to acquire multiple BPDs, should be removed from the Bill.
When Theresa May presented the draft Bill to Parliament, she said it was: “a modern legal framework which brings together current powers in a clear and comprehensible way”.
Three months later even she must recognise that claim no longer stands. The draft Bill needs to be completely rewritten and as the ISC suggested, the starting point should be privacy, which should be "the backbone" of this law. We urge the Home Office to go back to the drawing board.