A revised version of the Investigatory Powers Bill was published today, less than three weeks after critical reports by the Intelligence and Security Committee and the Joint Committee, which had scrutinised the Bill. Together with the Science & Technology Committee, they made 123 recommendations. On first reading, it appears that the revised Bill has made minor revisions not the full redraft that many, including ORG, have called for.
There are two broad questions for Parliament. Firstly, do they agree that collecting records of everyone’s communications does not constitute a serious infringement of people’s privacy, and therefore cannot be regarded as mass surveillance. This is question of principle, which will inevitably be tested in court.
Crucially, the Home Office has presented an “Operational Case” for each power. This was a key demand from the Joint Committee - which they made because they felt Parliament needed to understand whether bulk data acquisition is necessary and proportionate. Without understanding what these programmes are used for, and what results they achieve, it is impossible to justify them.
However, while these present helpful information to Parliament, they lack the key requirements of an Operational Case: information that can help people work out if the programmes are worth the money, and how they compare with the alternatives such as targeted programmes of data acquisition. In any case, a process is needed to go through these and examine them, which should take place at the start of a legislative process, rather than near the end.
The second question is whether the Bill is fit for purpose, and whether it answered the criticisms made by the three committees.
ORG and the Don’t Spy on Us coalition published a summary of the Committees’ findings, which was emailed to MPs and peers to help them judge whether the amended Bill has addressed the flaws that have been identified.
What has changed?
Privacy: The ISC said: “privacy protections should form the backbone of the draft legislation, around which the exceptional powers are then built” and said that “one might have expected an overarching statement at the forefront of the legislation”. The Home Office response seems to have been to add the word “Privacy’ to a heading in Part One of the Bill.
Internet Connection Records: The revised Bill has extended police powers to monitor British citizens’ internet use. In the draft bill, the police were allowed to look at your use of internet communications services - such as messenger or chat applications - or whether you had accessed illegal materials. The new proposals give the police the powers to access any internet services, including cloud services where you don’t “communicate” with anyone else such as Dropbox, if they think it is relevant to an investigation. Access to ICRs still has internal sign off by public authorities without external authorisation.
ISPs raised concerns about lack of clarity about their obligations, but the final Bill does not help here. The Codes of Practice say: “The core information that is likely to be included are: an account reference, a source IP and port address, a destination IP and port address and a time/date. However, there is no single set of data that constitutes an internet connection record, it will depend on the service and service provider concerned.”
The filter: there has been no change to provisions for the ‘filter’ which could turn ISP data into an enormous population profiling engine. While the committees did not highlight this issue to the extent they could have, it remains a key concern.
Bulk interception and acquisition by GCHQ and MI5: The final Bill does not contain any fundamental changes and the wholesale tapping of fibre optic cables revealed by Snowden will continue as before. The agencies will also continue to obtain the phone records of everyone in the UK, plus soon our full internet histories. The final bill ensures that nothing is out of bounds by using more general words to refer to the intercepted content and data, now referring to “anything obtained under the warrant”. The agencies also gain more flexibility to modify warrants, separating the obtention of content and data, which can be changed without judicial approval during emergencies.
Bulk personal datasets: Both the ISC and the JC called for class warrants to be removed but they have remained in the Bill. There is more detail on how Bulk Datasets warrants can be authorised and modified but no substantive restrictions. Judicial Commissioners can now order the retention or deletion of only part of a database.
The final bill makes clearer that warrants do not cover the obtention of databases - which relies on separate statutory powers - just their retention and examination. This is good for clarity, but raises more questions on how exactly the agencies obtain such databases when public bodies and private organisations are not compelled by law to collaborate.
Judicial authorisation of warrants: The system of “double-lock” remains in place with minor modifications. Ministers continue to authorise warrants with a “judicial review” by Commissioners. The period for emergency warrants to operate without approval from the Commissioners has been reduced to three days down from five.
There are some changes to the process for appointing commissioners and their operations, with more budgetary independence from the Home Office.
Privileged communications: The Bill is now peppered with references to legally protected communications, but the underlying protections remain too weak. Chairman of the bar Chantal-Aimée Doerries QC said: ‘The Bar Council is disappointed that the bill introduced to parliament today does not provide sufficient protection for legal privilege on the face of the bill.
Encryption: Some small changes on the issuing of technical capability notices, which now cover removal of encryption applied “on behalf” of the operator. The obligations to support state hacking operations now applies to “telecommunications operators”, which can be both public or private.
Bulk hacking: Once more no changes other than closing potential loopholes to ensure that the agencies cannot miss anything, a recurrent theme throughout the new bill. Here the bill now refers to obtaining “any other information”, instead of “private information”. In case of doubt, the bill now clarifies that “any conduct which is carried out in accordance with a bulk equipment interference warrant is lawful for all purposes”.