The Intelligence and Security Committee (ISC) has released a damning report on the Home Office's draft Investigatory Powers Bill (IPB).
The ISC is a committee of MPs and Peers who scrutinise the intelligence and security agencies. It's traditionally avoided rocking the boat and ORG has often called for them to more vigorous in their oversight. This time, though, under the leadership of Dominic Grieve MP, the Government's former main legal advisor, they've picked apart large parts of this Bill.
The Committee calls for privacy protections to be strengthened in the Bill:
"Privacy protections should form the backbone of the draft legislation, around which the exceptional powers are then built. Whilst recent terrorist attacks have shown the importance of the work the Agencies do in protecting us, this cannot be used as an excuse to ignore such important underlying principles or unnecessarily override them. Privacy considerations must form an integral part of the legislation, not merely an add-on."
It is good to see privacy be such a strong focus of their report. The report calls for privacy to be an "integral part of the legislation" and calls for the inclusion of a new section "dedicated to overarching privacy protections".
They have nevertheless agreed with previous committees that bulk powers may be “necessary and proportionate”. Here, they could have called for more public evidence to show their impact. Even if you agree that bulk data is useful or even necessary, the absence of public information, excepting a few details of some possible Home Office case studies, is not enough to justify the powers or to allow a full Parliamentary discussion of these capabilities. It will certainly be interesting to see the extent to which the Home Office builds a response to this criticism into the re-drafted Bill.
The Committee criticises the Home Office for being overly hasty in their preparation of the Bill:
"It appears that the draft Bill has perhaps suffered from a lack of sufficient time and preparation and it is important that this lesson is learned prior to introduction of the new legislation."
We agree with the ISC. This Bill cannot be rushed through Parliament. It is a huge piece of legislation that needs to be drafted carefully and thoroughly scrutinised.
On the subject of Bulk Equipment Interference (read: bulk hacking), the ISC complained that they haven't seen convincing evidence for the need for Bulk Equipment Interference (EI) warrants:
"The Committee has not been provided with sufficiently compelling evidence as to why the Agencies require Bulk Equipment Interference warrants, given how broadly Targeted Equipment Interference warrants can be drawn. The Committee therefore recommends that Bulk Equipment Interference warrants are removed from the new legislation."
At first reading this is positive but the reason the report gives is that Targeted Equipment Interference warrants can be broad enough to cover anything the Agencies might have wanted to use a Bulk EI warrant for. A better recommendation might have been to restrict Targeted Equipment Interference warrants to more limited targets.
Bulk personal datasets
The ISC is particularly critical of the draft IPB's provision for agencies to acquire large numbers of Bulk Personal Datasets (BPDs) - large datasets containing personal information about a wide range of people. They said:
"BPDs contain personal information about a large number of individuals, the majority of whom will not be of any interest to the Agencies. Given the volume of the material concerned, and the number of individuals covered, the Committee does not feel that such practical considerations are sufficient to override privacy concerns.
The Committee considers that the acquisition, retention and examination of any Bulk Personal Dataset is sufficiently intrusive that it should require a specific warrant. We therefore recommend that Class Bulk Personal Dataset warrants are removed from the new legislation."
The use of BPDs was exposed by the ISC's previous report into surveillance powers. It is just one of the areas of the Bill where the law is being drafted to allow practices that are already taking place. We agree with the ISC's calls to remove class warrants that would allow the agencies to acquire multiple BPDs.
What happens now?
When you've got a committee of MPs and Peers that's traditionally supportive of surveillance and headed up by the Government's former legal advisor telling you that your Bill doesn't provide enough privacy protections, you know you've got work to do.
Parliament's Science and Technology Committee has already said the Bill could put the UK tech sector at risk. The Joint Committee of MPs and Peers tasked with scrutinising the whole Bill will publish its report on Thursday. Their report is rumoured to be 400 pages long.
While we'll wait to see what the Joint Committee has to say, it's already clear that the Home Office will have to properly re-draft this Bill to include privacy protections. There have been suggestions that the Home Office is planning to publish a new version of the Bill by the end of February. They should take a lot longer than two weeks. Theresa May must ensure that the ISC’s very serious and well thought-out demands are dealt with in full.