June 15, 2016 | Ed Johnson-Williams

Tesco Mobile customers should think twice before viewing ads for a £3 a month discount

Tesco Mobile has announced a new optional scheme in which its customers can get £3 a month off their phone bill. In return, customers agree to see adverts on their lockscreen "every few times" they unlock their phone.

Customers have to see "at least one ad, offer or piece of content" on at least 21 days each month to get the discount.

What are people going to be giving up for that £3 a month?
The implication is that customers get the £3 discount for giving up some of their time and attention to see and open or dismiss the adverts. In reality, they are also paying with their data. Tesco Mobile are working with a company called Unlockd to deliver the ads to people's phones. Tesco Mobile customers have to agree to Unlockd's privacy policy to get their £3 a month discount.

In addition to collecting customers' mobile number, email address, age, gender and interests at the signup stage, Unlockd's privacy policy says they will:

  • collect customers' location data to serve tailored adverts
  • create 'anonymous' data records of customers' personal data and use them "for any purpose"
  • transfer customers' personal data to the USA, the UAE, and India and process it there.

The links to Unlockd's privacy policy are difficult to find. Tesco Mobile's webpage (which is all most customers are likely to see) doesn't mention any of these personal data collection issues.

This is an optional scheme and companies should be able to make contracts with their customers. But the bare minimum standard should be that customers are asked for their genuinely informed consent when giving up privacy. This kind of data collection and processing needs to be flagged up much more clearly to customers to meet this standard.

Location data
Somebody's location data can be very sensitive. It can reveal all kinds of patterns about their life. It's reasonable to think that lots of people would like to avoid constantly sharing their location with a company that will put adverts on their phone lockscreen every day.

Unlockd's privacy policy tells customers to turn off location on their phone if they want to "deactivate this feature". That's the 'feature' of having your location collected to show you ads by the way. But for many people, location-based services like maps are one of the most useful things about having a smartphone. Asking people to give up maps so that they can opt out of their location being collected for advertising purposes isn't fair or reasonable.

'Anonymised' data records
Significant amounts of research have been done illustrating ways in which identifying individuals from anonymised data is both possible and practical. Unlockd saying they can "use and disclose anonymous data for any purpose" [our emphasis] is worrying to say the least.

Personal data transferred and processed abroad
Unlockd's privacy policy says they may transfer and process personal data to countries "including, but not limited to the United States, the United Arab Emirates and India, where data protection and privacy regulations may not offer the same level of protection as in other parts of the world."

It is also worrying that people's data would be transferred to and processed in places where personal data and privacy are not as highly protected as they are in Europe. It is not made clear what the reasons are for data being transferred to and processed in these countries instead of in Europe.

Poverty and privacy
"You can save money by looking at adverts and giving up your personal data" is a message with big implications. Some people may have the means and freedom to choose to give up some privacy and attention for a discount. But for others, seeing adverts on your phone to save £3 on your phone bill might mean your family doesn't have to skip a meal. Of course it will not only be poorer people who will take Tesco Mobile up on this offer, but the incentive to give up some privacy in this case is surely stronger for poorer people.

We don't want a society where richer people can afford to retain their privacy and poorer people give up their privacy to make ends meet.

This is similar to what Christopher Soghoian, the ACLU’s principal technologist, calls the "digital security divide". Richer people are more likely to be able to afford Apple's iPhone which is encrypted by default. Most people buy cheaper Android phones which are not encrypted by default. In effect this makes it more difficult for thieves to unlock phones belonging to rich people than poorer people.

Customers should be cautious and consider the implications on their privacy before giving up their privacy for a discount. And if this business practice continues, or expands to other sectors, there is a danger that some people will feel they cannot afford not to give up their privacy.

[Read more]

June 13, 2016 | Slavka Bielikova

Investigatory Powers Bill Report stage and Third Reading

MPs discussed and voted on the Investigatory Powers Bill last week in the report stage of the Bill's progression through Parliament. This was MPs' third vote before the Bill was sent to the House of Lords. The Bill was passed by a vote of 444 to 69. Here's an overview of the points that were raised for discussion – many of which will be debated again by the Lords.

Privacy Clause

There have been repeated calls for an overarching privacy clause to be added to the Bill. The Home Office attempted to address this previously by inserting the word 'privacy' into a heading within the Bill, which was greatly derided. This time the Government proposed a new Privacy Clause 5; Labour also proposed their own privacy clause, Clause 21. It has been pointed out that the two clauses are very similar. Keir Starmer MP argued that Labour's clause tightened up references to human rights and public law. However, after discussion, he backed down in favour of the clause proposed by the government.

This clause only pays lip service to privacy and does little to restrain the powers in the bill.

Bulk Powers and warrants

Bulk powers were discussed extensively over the two days' debate. The Government has agreed to an independent review of bulk powers that opposition parties had asked for. This review will be carried out by David Anderson QC.

Conservative party defended bulk powers with many MPs using 'nothing to hide, nothing to fear' arguments.

Suella Fernandes MP (Conservative) even went as far as to justify the necessity of bulk powers by claiming we are in a war (in this particular case against Daesh). John Hayes followed her statements by saying it is not important whether the powers are necessary. What matters are safeguards that come with the powers.

Dominic Grieve (Conservative) emphasised that the Information and Security Committee recommended to remove bulk equipment interference warrants from the Bill. Grieve also explained that he finds bulk powers necessary; targeted interception (suggested instead of bulk collection), according to him, is not always effective if it is not clear what the intelligence are looking for.

Labour were broadly supportive of the Government. Keir Starmer (Labour) made references to the necessity of bulk powers for intelligence agencies several times in his speeches. He explained he understood their importance to tackle threats since he served as the Director of Public Prosecutions and worked closely with the agencies.

He was interrupted by David Winnick (Labour) who clearly stated that he doesn't accept the principle of bulk powers. Starmer responded with the reasoning that these powers are in use already and as such should be put in law so they could be regulated.

Starmer further expressed his appreciation to the Home Secretary for setting up the independent review of bulk powers to be conducted by David Anderson. MPs requested that Keir Starmer and John Hayes publish their letters on the terms of reference for the review they exchanged prior to the debate.

The SNP opposed the call for necessity of bulk powers in the Bill. Joanna Cherry MP (SNP) also welcomed the review of bulk powers; however she was more concerned with the consequences of the findings of the review. She stressed that the review needs to consider whether these powers are necessary at all. Cherry maintained the position that bulk powers go too far in a democratic country and should be removed from the Bill until the review establishes their necessity.


The Chair of the Intelligence and Security Committee (ISC) Dominic Grieve MP brought up issues of penalties several times from various angles. His first point of concern was about lack of penalties for abuse of power in the Bill. Minister Hayes assured him that these will be in place. Grieve requested that the Minister writes to him explaining what penalties will be incorporated in the Bill. He also pointed out that the penalties remain scattered throughout the whole Bill and would need a better structure.

Hacking warrants

Stephen McPartland MP (Conservative) raised an issue businesses might face when they would need to comply with a hacking warrant. As laid out in codes of practice, communications service providers would be subjected to a technical capability notice, meaning they would need to notify the government of new products and services in advance of their launch. Essentially, UK-based companies will have to ask the government for permission to put their product on the market. This requirement will make it more difficult to innovate and could have harmful effect on the UK economy.

Parliamentary privilege

New amendments discussed included extra protections for MPs against interception of their communications. According to the amendments, the Prime Minister will be responsible for approving hacking of MPs. Harriet Harman disagreed with this provision on the grounds of the PM potentially using this power for spying on the opposition and ministers.

Journalistic protections

New amendments were brought in to introduce minor changes to protect journalistic sources. However the MPs still debated who qualifies as a journalist. Andy Burnham voiced his opinion that voluntary bloggers shouldn't have the same protections as journalists.

Request Filter

Stephen McPartland (Conservative) brought up the issue of the request filter through probing amendments with an intention to obtain more information from the Minister. The biggest concern he voiced was regarding too many agencies having access to the request filter and Internet Connection Records. He also questioned who will be in charge of building the filter. McPartland pointed out that government has a notoriously bad record of building large IT projects and the filter might not even become a reality.

The Solicitor General responded that the request filter is there to limit what different agencies access. The Government has attempted to frame the request filter as something that restricts access to data but in reality it would create a vast population-wide database that could be analysed without a warrant.

Independent review of bulk powers

This topic has come up several times despite it being discussed at length the previous day. The main point of the discussion was the question coming from the SNP bench whether the Minister (John Hayes) will consider removing the bulk powers provisions from the Bill if David Anderson's review will show they are not necessary. John Hayes avoided answering the question.

The Bill will be introduced to the House of Lords on 27 June 2016.

[Read more] (1 comments)

June 10, 2016 | Javier Ruiz

What the Commons changed in the #IPBill

The short answer is: not a lot, and nowhere near enough. As Andy Burnham and the Labour opposition has claimed they have made progress with the Investigatory Powers Bill, here is the low down of what really happened.

andy_burnham-cc-by-nc-thebma.jpgThe vast majority of amendments presented by opposition parties were rejected with little discussion. Many were withdrawn as they were designed as probing amendments, aiming to force the government to explain itself and tease out justifications for policies. In practice sometimes it can be better to withdraw an amendment than push through a vote, as this allows for the option to re-introduce the proposal at a later stage when it may have better chances.

The government also proposed various amendments that were approved. This included some new clauses and smaller changes. The clause numbers below refer to the latest version of the bill as presented to the House of Lords, and may change when it becomes act.

General duties in relation to privacy (Cl 2)

The government and the Labour front bench have been patting each other's backs over this new clause, but we do not believe it will have a major impact. The clause asks to check “whether what is sought to be achieved by the warrant, authorisation or notice could reasonably be achieved by other less intrusive means”. It also mentions considerations for the integrity and security of systems and privacy in general.

This sounds good, but it is what those responsible for surveillance are supposed to have been doing all along. For example, internal MI5 documents produced in court show that these questions have been part of the requests for bulk datasets. It is unclear how this is ever challenged.

Modifications to interception and equipment interference warrants (Cl 32, 33, 34, 35, 111, 112, 114, 115, 172...)

There are quite a few new clauses on modifications to warrants, with restrictions to the changes that can be made. E.g. warrants for a single person, organisation or premises cannot be changed. The main substantial changes are a new requirement to notify a Judicial Commissioner of major modifications to interception or hacking warrants; and the need for a Commissioner’s approval in cases involving MPs or lawyers.

Tightening of modifications was one of the demands from Labour, while we have seen some concessions here, we do not think that notifications are enough.

Health records (Cl 187)

Another demand from Labour that has seen some concessions from government is restricting access to health records. The new clause requires an intelligence service to take special steps when making an application for a specific BPD warrant relating to health records, which are only to be kept and examined under “exceptional and compelling circumstances”. Unfortunately, exceptionalism has become the norm in the world of security, so this may provide little practical protections.

The clause also has some potential loopholes in that it only applies to specific warrants, and possibly not to class warrants, and then only to health records obtained from health professionals or health service bodies. It is possible that health records obtained from insurers or researchers are not covered by these safeguards.

Approval of national security and technical capability notices by Judicial Commissioners notices by Judicial Commissioners (Cl 227)

This new clause makes is arguably the biggest improvement so far in practical terms. Bringing Judicial Commissioners into the technical aspects of surveillance meaningfully will require some serious technical capacity in their teams. Unfortunately, as in the rest of the bill, the Judicial Commissioner must apply the same principles as would be applied by a court on an application for judicial review.

Extra safeguards for MPs (Cl 26, 105)

Lawful interception or hacking of MPs' communications will require the Prime Minister to approve the warrant. MPs may still be included in bulk data collection but not in a targeted manner.

The Human Rights Committee and many MPs wanted the Speaker of the House to be notified to ensure surveillance could not be used for partisan purposes. After all the PM could be as tempted to spy on the opposition as his ministers. Unfortunately this provision was not agreed.

Trade unionists (Cl 20.6)

This has been claimed as a major achievement by Labour. The clause says that trade unionists cannot be targeted just because of this factor. Given the history of trade union attacks by the security services, sadly it is good to have it in the bill; but in practice it is likely that an investigation on trade unions would be justified under other rationale. The clause also leaves out other legitimate forms of association, social and environmental campaigning. As unions increasingly engage in “community organising” outside the workplace, they may see fewer benefits form this clause.

Journalists (Cl 73)

There are some small changes to ensure there is a public interest case in identifying or confirming sources of journalistic information. The NUJ does not believe these go far enough and recommended other ammendments that were not passed.

Civil liability for certain unlawful interceptions (Cl 8)

A minor but important change. Somehow, the draft bill forgot to incorporate the provisions in section 1(3) of the Regulation of Investigatory Powers Act 2000, which provide for civil liability in certain cases of unlawful interception in a private telecommunication systems. The clause simply closes that loophole, and shows what a rushed job this whole bill is.

[Read more]

June 07, 2016 | Jim Killock

It’s not over. We keep fighting.

We’d like to thank you for all the work you’ve done so far to challenge the IPBill. MPs voted in favour of the Investigatory Powers Bill by 444 to 69. This was disappointing but expected - we know how hard the Government is trying to push this Bill through.

GCHQBut thanks to your campaigning, some MPs - particularly Joanna Cherry, David Davis, Alistair Carmichael and Stephen McPartland - did a great job in putting the Government under pressure. SNP, Lib Dem and Green MPs voted against. Many other MPs know that this matters to you, through your emails and tweets to MPs. And our campaign video, which many of you fund raised for, brought the bill to the attention of over 2 million social network users.

The fight isn’t over. First, the Bill will now be debated in the House of Lords where they’ll be putting the bill under more scrutiny. We have more chance of getting the amendments we’ve been fighting for in the Lords and we’ll be making them aware of the Bill’s flaws. The Lords have a recent track record of pushing back on bad legislation.

There are also important court cases coming up that we have intervened in. In particular, data retention and use of the police search engine called the “Filter” in the #IPBill could still be wounded by the Davis and Watson case. In this case, the High Court ruled that parts of the Data Retention and Investigatory Powers Act (DRIPA) were unlawful. 

It is ORG’s arguments on EU law and the applicability of the Digital Rights Ireland judgment that are making the running.

When Government appealed, the case was referred to the Court of Justice of the European Union. We made the argument that blanket data retention could not be necessary and proportionate. The court will clarify how EU law applies to UK data retention, which will be crucial. We will hear back from the court this summer, before the bill finishes in the Lords.

Whatever the government do, we will challenge mass surveillance in the courts. It is not acceptable to blur the line between legitimate, targeted surveillance of criminals, and the bulk analysis of whole population data.

Please help us to keep on fighting. Join us so we can continue to stand up to mass surveillance, first in the Lords, then in the courts.

[Read more] (3 comments)

June 03, 2016 | Jim Killock

Understanding and reviewing the bulk powers in the IP Bill

Parliament wants an independent review of the bulk powers contained in the #IPBill. This is a difficult task and there are significant requirements that need to be met if we are to value the results.

This post represents the opinions of Privacy International and the Open Rights Group. Other organisations are welcome to add their names as being in agreement.

files cc-by-nc plashingvole flickrThe public operational case for bulk powers and review

The majority of the powers in the Investigatory Powers Bill are new to Parliament. While much of the capability is already in use by the security and intelligence agencies, they have been deployed under secret interpretations of statutes, which Parliament has not consented to. The primary reason they were not able to consent to them is because the fact of the bulk powers were not avowed until very recently, and indeed, some are still not avowed.

As this is the first time that Parliament has considered the powers, it is right that the Government make full, detailed, operational cases from first principles for every such new power, and that case is scrutinised.  As of yet, the Government’s attempts at providing an operational case have been insufficient.  There is much work to be done to give Parliament and the public a full picture of scope and utility of the bulk powers.

An Independent Review

An independent assessment should be made of the operational case for each bulk power by a security-cleared panel who will have additional fact-finding powers, allowing them to scrutinse material that for national security reasons can't be made public. To this end, the launch of a review panel is a welcome one.

The review is a step forward in ensuring democractic accountability for the actions of our security and intelligence agencies. But to be credible, the review must:

1 Establish public terms of reference.

No terms of reference have yet been set. It is essential that terms of reference is agreed and made public immediately.

2 Take the time that is needed.

The panel cannot undertake a full review of the bulk powers contained in the Investigatory Powers Bill in the time frame provided. To to so, an assessessment of the three security and intelligence agencies investigative capabilities would be required which will be impossible with the resource currently available to the panel. Should the panel expand the scope of their review or feel they are unable to complete the review with the level of rigour required in the time available, a time extension must be permitted, with the bulk powers split from the IPBill until the review can report back to their satisfaction.

3 Be produced by a balanced panel.

Perspectives from outside the intelligence community are needed to ensure independence inclduing civil libertities and human rights expertise. We recommend in particular the inclusion of a technical expert from outside the intelligence community, as well as the ability for the panel to request technical assistance from agencies in the form of seconding a technical staffer of the panels choosing to work for the scrutiny panel. Recent panel reviews of bulk powers in the US should be consulted to ensure lessons are learned. 

4 Examine the capabailities and their use, rather than the legal powers.

It would be unsatisfactory to review the high-level case for bulk powers without analysing how they have, and continue to be used in fact. The production of a new public operational case is only the beginning of that exercise. The bulk powers are drafted in such a way that there is considerable variety of technical capabilities that could be deployed under each of the bulk powers. The review must analyse the case for the capabilities, rather than just the power. 

Capabilities the panel should consider include those that have had least scurinty such as Bulk Communications Data Acquisition, Bulk Equipment Interference due to their late avowal, or in the case of Bulk Equipment Interferance continued disavowal. Longstanding concerns about Bulk Interception of secondary data will also need detailed scrutiny.

5 Test the necessity of the bulk powers, not merely their usefulness.

Such capabilities need to be assessed, not as to whether they are merely helpful, faster or offer some form of value, but that given the likely widespread intrusion bulk powers result in, that they are strictly necessary to prevent attacks in the UK. An essential aspect of this requires analysing case studies provided by agencies to determine whether more targeted measures could achieve the same or a similar goal. 

6 Report publicly.

Unlike previously sensitive reviews, such as Nigel Sheinwald's review of the UK-US data sharing which remains classified, the review's report must be a public document.

The Government’s Current Operational Case

The existing 47 page "operational case for bulk powers" which was published alongside the introduction of the Bill is inadequate.  More than half of the document is introductory in nature, covering topics such as how the internet works, leaving an average of 5 pages devoted to each capability, with most of that material being already public, in other explanatory documents. Despite the opportunity to provide concrete, solid examples of how bulk powers bring unique value, most of the material even within each section is kept at a high level. By way of example, the first three pages of the four page Bulk Interception case, covers (i) introduction to the power, (ii) current legal position, and (iii) new safeguards in the IPBill. The fourth and final page provides three one-paragraph case studies.

A new public operational case needs to be made. This operational case must go further than setting out individual, unsupported case studies. Sufficient material should be made public to permit detailed analysis, and stand the scrutiny of parliamentarians, civil society, academia and any other body.

[Read more] (1 comments)

June 03, 2016 | Javier Ruiz

The Request Filter will turn your personal records into a police database

Next week MPs will be discussing amendments to the #IPBIll. We must ensure they understand what the Request Filter really is—a federated database, or Google search for citizen-suspects.

database cc-by-eirik-stavelin-flickrThe Investigatory Powers BIll (IPB) is reaching a critical junction. Next week, the House of Commons will be discussing the bill at the Report Stage, which is the last chance for MPs to propose or support amendments before the bill is passed to the Lords.

The bill is very long and complex, and hundreds of amendments have been proposed. However, the “Request Filter” in particular is receiving far too little attention. With a huge range of issues to deal with, the Request Filter has been absent from the discussions from the front benches, despite being the one of two completely new developments in the Bill. As the IPB enters report stage we need to ensure that the Filter gets the attention it deserves from MPs.

The Request Filter is described by the Home Office as a safeguard designed to reduce the collateral intrusion produced in searching for small, specific information in a large dataset. In reality, the Request Filter would allow automated complex searches across the retained data from all telecommunications operators.

This has the potential for population profiling, composite fishing trips and the unaccountable generation of new insights. It is bulk data surveillance without the bulk label, and without any judicial authorisation at all. The Food Standards Agency will be able to self-authorise itself to cross reference your internet history with your mobile phone location and landline phone calls—and search and compare millions of other people’s records too.

Queries can be made across datasets. Location data - which pub you were in - can be compared with who you phoned, or which websites you visit. All with great convenience, through automated search. The searches will be increasingly focused on events, such as a website visited, or place people have gathered, rather than the suspects. This is the reverse of the position today, which requires the police to focus on suspects, and work outwards.  In the future, with the Filter, any query can examine the data of thousands of innocent persons - to “check” that they don’t fit the police’s search criteria.

The idea of “passive” retained records, that lie unexamined until someone comes to the attention of the authorities, will lie dead. The data becomes an actively checked resource, allowing everyone’s potential guilt to be assessed as needed.

The Filter creates convenience for law enforcement queries, and pushes practice towards the use of intrusive capabilities. It lowers the practical level on which they are employed. Techniques that today would be used only in the most serious crimes, because they require thought and care, tomorrow may be employed in run of the mill criminal activity, public order, or even food standards, as the bill stands.

The Filter was at the centre of debates when the original Snooper’s Charter was first introduced in 2012. Parliament described the Request Filter at the time as “essentially a federated database of all UK citizens’ communications data”.

This dystopian surveillance tool should be stopped, and next week MPs will have the chance to do it. There are several amendments presented by the Lib-Dem MP Alistair Carmichael that aim to remove the filter.

Another MP, the Conservative Stephen McPartland, who was part of the Science and Technology Committee and understands the implications of the Filter, has tabled a series of amendments with measures designed to constrain the power. These include restricting the Filter to exceptional circumstances, putting it under the control of the Judicial Commissioner as other bulk powers, and bringing it into the statute book as formal Regulations - so it is subjected to the normal transparency and processes of judicial review.

It is important that all those amendments get debated. We want the complete removal of the filter. McPartland’s amendments describe the minimum requirements even a proponent should be seeking, but more importantly give MPs an opportunity to be told what the filter is, what it is capable of, and why the government plans so little oversight for it.

The nature of the Filter must be discussed to expose the Orwellian doublespeak characterisation by the Home Office of this surveillance tools as a “safeguard” to improve privacy. This will only happen if MPs’ can have enough time to discuss the BIll, and their constituents - i.e. you - remind them that this is important.

[Read more]

May 26, 2016 | Jim Killock

Andy Burnham’s demands—can they be met?

Andy Burnham has asked for further changes to the Investigatory Powers Bill. Parliamentarians are right to have concerns about the Bill. Some of what Burnham is asking for is very important, and he has won a very important concession in getting a review of bulk surveillance powers.

Andy Burnham, cc-by-nc TheBMA // FlickrStrong opposition is vital to ensure surveillance is conducted lawfully and proportionally. It is essential that this pressure continues from Labour to secure further concessions and ensure those it has already won are fully realised. Burnham has to be careful not be handed superficial changes by the Home Office, who are used to fobbing off politicians, including their own ministers. Let’s look at some of the problems he faces, to secure concessions he has set out in his letter:

(1) Review of bulk powers

Burnham has done well to secure a review of bulk powers by David Anderson. However, this late in the day, it will only look at a fraction of GCHQ’s billion-pound operation. Furthermore, it needs to look at the programmes themselves, to assess whether they work and provide value for money against the intrusion they cause. By assessing the programmes, a more sensible answer about the powers can be given, such as how to restrain and review capabilities. The review also needs to propose how to carry out ongoing review, as it will barely get started in three months. ORG has given them a slight head start in summarising the Snowden evidence relating to the UK in our report.

It is a shame that the review will inevitably report after the Commons has finished scrutinising the bill, but blame for that must go to the Government.

(2) Protections for Trades Unionists

This is all about processes, rather than simple statements at the top of the Bill. It shares the same problems as other carve outs for particular professions – essentially, GCHQ mass surveillance (“bulk datasets”) can’t tell the difference between people, and the police decide when they think they need to consult a magistrate prior to a data request to a telephone company. We discuss this more fully below.

(3) Over-arching Privacy clause

Any meaningful clause needs to set specific restraints that apply across the board, for instance by requiring that any intrusive act must be subject to an independent system of authorisation. This could serve to limit legal workarounds that tend to prove popular with agencies once they find them. On the other hand, statements of principle reminding us that surveillance must be ‘necessary and proportionate’ will sound great but won’t offer anything genuinely new or protective.

(4) Internet Connection Records

It is useful to suggest that ICRs – information about your web browsing history – should only be used for the most serious of crimes. This reminds us that ICRs are very intrusive. However, we still have no real idea why they are needed or even how to properly define them. It is highly likely that collection of ICRs will be open to legal challenge as a measure that fails to target actual suspects, but instead intrudes on everyone’s privacy.

The issue of the query engine – the “filter” is yet to be properly assessed by Parliament. It seems to provide very dramatic powers of searching and profiling, which mean everyone’s data being trawled through to produce results. It would be good to see Labour ask more questions about this.

(5) Judicial authorisation of warrants

The most serious kinds of warrants, for wire taps and bulk data gathering, are signed by ministers, or in the future, to be examined by Judicial Commissioners. Mr Burnham is on the right lines by insisting that this process can be guaranteed to allow judges to make a full assessment, rather than just marking the ministers’ homework.

Labour should also remember that the 4-500,000 data requests made by police annually are still not subject to an external process. Oversight Commissioners instead check off a portion to see if they are being assessed correctly. This is how journalists have continued to find themselves subject to police investigation, despite requirements for the police to approach the courts where they are involved.

(6) Protection for sensitive professions

It is correct to ask for this, but there are two massive holes. Firstly, all the bulk programmes suck up all the data they can find. GCHQ programmes assess the data, and finally data is presented to operatives. It is only at this final step that any hope can be given of protecting MPs, trades unionists, journalists, doctors or lawyers communicating with their sources or clients. By which time, GCHQ might well be in a much better place to assess that some risk may exist – because their surveillance apparatus will have automatically decided which person has made travel routes, phone calls or website visits that make them look suspicious. This does not feel like a meaningful protection: only by returning to a system based on prior suspicision leading to targeted surveillance can we hope to protect professional privilege.

The second massive hole is that the police make their own requests for data from ISPs and telephone companies. This places the judgement about who is a journalist or professional in their hands. There will be a lot of grey in this for the police to ignore. Who, after all, is a journalists in the age of blogging and self-publishing? Who is a trades unionist—would this just apply to people acting in an official capacity, or the millions of members (unlikely)?


It is very clear that the Bill is still a long way from being acceptable. Andy Burnham has highlighted some key issues. He needs to be very careful about the responses he receives.

[Read more]

May 26, 2016 | Jim Killock

How we make sure the bulk powers review is meaningful

Andy Burnham has written to Theresa May to ask for further changes to the Investigatory Powers Bill, and to open negotiations on an independent review of ‘bulk powers’.

As he mentions in his letter review of bulk powers is particularly important, if it is done correctly. Any review has to frame its work correctly, however. There are four key issues:

(1) The review cannot possibly assess the efficacy of all of the bulk programmes in three months.

They should therefore narrow their focus to one or two specific programmes or datasets, to understand the full picture in relation to these examples. This should allow the review panelists to get sufficient depth and information to properly understand and question what is taking place.

(2) It must be clear that they are assessing the programmes rather than the powers.

It is much easier to justify a power on the basis that it may be needed sometime, or it has been useful once. If one example of the use of the power appears to have been essential, then the panel may feel compelled to say that the power is needed.

A specific programme however can only be justified in its own terms, i.e. does it work, is it worth the cost, and could alternative methods have led investigators the same conclusions.

By understanding which programmes are manifestly excessive, Parliamentarians, authorisation and oversight bodies and the review can all start to understand how to restrain GCHQ’s activities.

(3) The panel must have the expertise to conduct their investigations

A team of three won’t have everything they need. They therefore need to be able to bring in help, or appoint more people.

(4) The group should be able to recommend a future processes to assess bulk programmes in the future

The panel will not complete the work needed. They need to be clear about what is needed to continue to assess these programmes for efficacy and proportionality during the lifetime of any future Act of Parliament.



[Read more]

: E-voting's Unsolvable Problem-->
  • ORG Glasgow: A discussion of the General Data Protection Regulation (GDPR)
  • ORG Aberdeen: March Cryptonoise event
  • ORG North East: Take control of your online life
  • ORG Cambridge: Monthly March Meetup