Blog


January 19, 2016 | Pam Cowburn

Thanks to our supporters, we can make our mass surveillance film

Thanks to our supporters, we more than reached the target of our Indiegogo crowd-funder. With your help we raised £20,624, which we're going to use to produce a high-quality campaign video to explain the implications of the Investigatory Powers Bill to people who may not be fully aware of it.

We've already met with the team of film-makers who will be working on this and they are going to present some ideas this week. They are the same guys behind the brilliant Department of Dirty film and we're sure they are going to come up with something equally good for this campaign.

One of the problems that we face is that the arguments for surveillance are very emotive and use the fear of terrorism, paedophilia and other crimes to persuade people that they need to give up their privacy and Internet security. But we know that many people are uncomfortable with the levels of surveillance being proposed and we hope that this film will show them why they are right to feel uneasy. We want it to resonate with the wider public and raise awareness of why our privacy is under threat.

At the minute, the draft Bill is being scrutinised by a Joint Committee who are due to report back in February. The Bill will then be redrafted and we expect it to be laid before Parliament around April. We want to launch our film before then to increase awareness and start motivating people into taking action and talking to their MP.

Thanks again to everyone whose donation is making this possible. It is still possible to contribute to the campaign here. We'll use any additional money to promote the film more widely.



January 19, 2016 | Jim Killock

Does the government want to break encryption or not?

The government has responded to a petition asking for clarity about their intentions to control or limit encryption. Unfortunately, it is still far from clear what they are hoping to do.

The government opens up by stating:

This Government recognises the importance of encryption, which helps keep people's personal data and intellectual property safe from theft by cyber means. It is fundamental to our everyday use of the internet.… As Baroness Shields made clear in the House of Lords on 27 October 2015, the Government does not require the provision of a back-door key or support arbitrarily weakening the security of internet services.

However, it then goes on to state that:

Clearly as technology evolves at an ever increasing rate, it is only right that we make sure we keep up, to keep our citizens safe. There shouldn’t be a guaranteed safe space for terrorists, criminals and paedophiles to operate beyond the reach of law.

The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can, subject to a warrant which can only be issued using a strict authorisation process where it is necessary and proportionate, access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts.

That appears to imply that any encryption should be removable. This stands in direct contradiction to the paragraphs above. Either encryption can only be removed by the intended sender and recipient, or it is broken and unsafe.

The government concludes that:

There are already requirements in law for Communication Service Providers in certain circumstances to remove encryption that they have themselves applied from intercepted communications. This is subject to authorisation by the Secretary of State who must consider the interception of communications to be necessary and proportionate. The Investigatory Powers Bill will not ban or further limit encryption.

Perhaps this is the nearest thing we have to clarity. The government perhaps thinks that companies, where they control the technology, should be able to get to the information. Perhaps the government is assuming that companies might re-engineer their products, so any encryption is only for data in transit. End-to-end encryption, where companies are not key holders, is the kind of set-up that the government might seek to limit, without attempting to break the fundamental mathematics or encryption technologies.

As TechCrunch observes, however, this kind of threat of companies enabling internal backdoors is already displacing the technology used by ISIS to set-ups that are not under the control of central platforms. So such an approach could end up with privacy for the criminals, but not for ordinary, law-abiding citizens.



December 22, 2015 | Pam Cowburn

How the Investigatory Powers Bill will affect Internet Service Providers

The draft Investigatory Powers Bill (IPB) has serious implications for Internet Service Providers (ISPs), who could be both obliged to assist the state in surveillance and also adversely affected by other provisions in the Bill, such as new hacking powers.

Earlier this month, President of BT Security, Mark Hughes; Director of Policy at Sky, Adam Kinsley; Director of Operations at Virgin Media, Hugh Woolford; Chair of the Internet Services Providers' Association (ISPA), James Blessing; and Managing Director of AAISP, Adrian Kennard, all gave evidence to the Joint Committee scrutinising the IPB. Here are some of the issues that they raised:

Internet Connection Records are ill-defined
The Investigatory Powers Bill would force ISPs to create and retain even more data about their customers.

ISPs are already obliged to keep certain types of communications data for 12 months under the Data Retention and Investigatory Powers Act (DRIPA). Under the IPB, the data retained would be extended to include “Internet Connection Records”. These are described in the Bill’s explanatory notes as, “a record of the internet services a specific device has connected to, such as a website or instant messaging application”. (2) However, the definitions within the Bill itself are much broader and open to interpretation. When asked to rate the clarity of definitions contained in the Bill, on a scale of one to ten, Adam Kinsley of Sky said that the definition of ICRs was, “pretty close to zero” and stressed that further clarification would be needed through codes of practice. James Blessing told the committee that the Bill doesn't spell out, “what information is required to be captured, what format it is to be stored in and how it is to be made available”.

This lack of definition means that it is very difficult for ISPs to know what systems they need to put in place to capture and store the required data. Virgin Media’s Hugh Woolford believes that: “this Bill could potentially look at us, all of us, having to almost mirror our entire network's traffic to enable us to then filter it”.

ICRs need to be created not retained
The explanatory notes to the Bill claim that an ICR is “captured by the company providing access to the Internet” (3) but this is not the case. Woolford told the Joint Committee: “This is something that is completely new … from a business point of view, there's no need for us to capture any of this information.” This point was reiterated by Blessing who said: “Internet Connection Records don't exist, they are not a thing, they are not generated in normal business.”

ISPs could be prevented from talking about ICRs
The terms of the Bill mean that ISPs would be prevented from discussing orders they receive from the Home Secretary. Blessing argued that Internet companies differ from other types of industry because even competitors rely on each other. How each ISP collects ICRs would vary from network to network. If they understood exactly what was expected, they could then discuss the best ways to collect them in an open forum. Preventing them from doing so will affect how effectively they can deliver their services.

The filter carries privacy and security risks
The police and other government departments would use a “filter” that would analyse data to identify what may be of interest. This has been presented as a privacy-enhancing measure that would reduce the amount of data accessed. In practice, it will mean that data mining takes place prior to authorisation and some ISPs appear uncomfortable with this. Virgin Media's Woolford told the Joint Committee: “what we don't want to do is become data analysers of information”.

ICRs fall under the existing, usually internal, authorisations for communications data, which means there is not the supposed “double lock” of judicial authorisation that has been proposed for other surveillance warrants. Adrian Kennard pointed out to the Joint Committee that allowing third party access to this data increases the risk of it being compromised.

The budget doesn’t add up
As companies don't already create or retain this data, they will need to invest in new systems. BT's Mark Hughes broke down the costs for ICR retention as capital investment, growth in bandwidth and maintenance and storage. Keeping ICRs secure would be a significant part of these costs.

The Home Office has allocated £174.2 million over ten years to cover these costs. However, Hughes told the Joint Committee that this would effectively cover BT's costs alone. Woolford also indicated that Virgin Media’s expected costs would be tens of millions of pounds. While an obvious concern for companies and their shareholders, customers could see price rises if costs are not fully met by the Home Office’s budget.

Kennard pointed out that the fact that the Home Office have come up with these costs means that they must have an idea of what exactly it is they want ISPs to generate – so costs should theoretically help with clarification about what ISPs are expected to provide.

Undermining security undermines trust
If ISPs are forced to break encryption in order to respond to Home Office requests for data, there are serious implications for consumer trust. Kennard told the Joint Committee: “if providers are required, even secretly, to remove that protection, then obviously that removes all trust in those providers, if they are offering secure communications services but at any time they could be subject to an order that makes it not secure.” According to Kennard, this could cause companies to avoid being based in the UK and customers to avoid UK companies.

ISPs could be targets themselves
The IPB gives the police hacking powers and the security services bulk hacking powers that would allow them to hack individuals or networks in order to reach targets. As we saw with GCHQ’s hacking of Belgacom, hacking can have major financial and reputational consequences for affected companies. Woolford, Kinsley and Hughes were reluctant to answer the Joint Committee’s questions about bulk hacking powers. However, Hughes did admit that BT was “not OK with anything that undermines the integrity of our network.”

ISPs could be given permission to intercept data
The IPB would also give ISPs permission to intercept communications data for the purpose of filtering content (s33). We believe that could be used, for example, to allow companies to intercept all traffic so they can identify malware or see if it should be blocked by their family friendly filters. It could be used to permit a much wider range of detection and blocking of legal or illegal content, including through ISP terms and conditions. This opens the door for new private enforcement measures beyond the apparent intention of section 33.

The Government needs to present an operational case
No one would argue that ISPs shouldn't help the police and security services when it comes to tackling serious crime and terrorism. But when we are asking companies to compromise their customers' privacy and security, it should be because there is suspicion that a crime has taken place or that serious harm can be prevented.

Many European countries are ending the retention of communications data without any noticeable effect on their ability to prevent and solve crime. No other EU or Commonwealth country forces their ISPs to record Internet histories. Operational cases need to be subject to scrutiny, as they have been in the USA. There, close examination of these cases has resulted in a scaling back of bulk programmes, as the results have been shown to be poor. (4) If UK ISPs are to be forced into collecting personal data on an unprecedented scale, the Government needs to present an evidence-based operational case.

(1) http://parliamentlive.tv/event/index/54f42d6d-2377-4e98-9f6b-f21149c2b21f?in=16:28:27

(2) https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investigatory_Powers_Bill.pdf pp25

(3) ibid

(4) https://www.lawfareblog.com/nsa-ends-bulk-collection-telephony-metadata-under-section-215



December 18, 2015 | Ruth Coustick-Deal

Ten Triumphs of 2015

Let's take a moment to look back on 2015, and some of our top moments during this year.

 

  1. We saw off a sneaky attempt to introduce the Snoopers’ Charter into law. Four members of the House of Lords tried to insert the text of the Snoopers’ Charter into the Counter Terrorism and Security Bill, just when that Bill was at its final stages. With only a few days' notice, ORG responded, galvanising supporters to call Lords and explain why this was unacceptable. The Lords saw sense and the amendments were dropped.

  2. ORG’s legal intervention was key to the successful challenge of the Data Retention and Investigatory Powers Act. Our expertise and fantastic legal support meant that parts of DRIPA were found to be unlawful by the High Court. The successful judicial review was brought by Liberty, represented by David Davis MP and Tom Watson MP, with ORG and PI acting as intervenors.

  3. Our Scotland office was launched and in its first months challenged a scheme that could have introduced an identity card system.


    These plans could have been sneaked in through a minor public consultation but thanks to our strong press work and lobbying, we made the Scottish parliament and the public aware of what was happening. Along with ORG, over 200 supporters submitted their views to the consultation in February and the plans appear to be on hold. We also held an ‘ORG Scotland Day’ with author Charles Stross on 10th May to ask members in Scotland to contribute to shaping the future of the organisation.

  4. The Government finally published a comprehensive new surveillance law - the Investigatory Powers Bill. This is something we’ve been calling for since the Snowden revelations. There are many things wrong with the Bill but its publication is an acknowledgement that the Government needs to be more transparent about surveillance - and this will make it much easier for us to challenge what is in it. 

  5. We taught practical digital skills to groups from journalists and NGOs to school children and teachers.



    A lot of our work this year was educational: we created a security and threat modeling training programme for journalists and activists. We ran a series of interactive workshops at Being Watched, an all day conference for young women, aimed at helping them to regain control in the online world. We collaborated with Chris Pounder to provide data protection training for NGO staff, who are now better equipped to campaign and protect their supporters from misuse of personal data. Plus, our local groups ran a series of ‘cryptoparties’ teaching people about online privacy and security at an introductory level, with events taking place in Cardiff, Sheffield & Brighton, Bristol and Edinburgh through March & April.

  6. Working jointly with Wikipedia we forced MEPs to drop their attack on 'freedom of panorama'



    This is an important copyright exception that means we are free to photograph or paint a work of art that's in a public place - like a sculpture or a building. During the process of creating new copyright law in the EU, some MEPs proposed removing this ability across Europe. We helped supporters tell their MEPs to vote the idea down - and the proposal was swiftly taken out of the vote altogether!

  7. ‘Collect it all: GCHQ and Mass Surveillance’, the first full report into the substance of the Snowden revelations was written and published by ORG. The substantial review is a thorough guide to the slides and documents Snowden leaked, and has been published as an ebook.

  8. We challenged candidates to take a positive stance for digital rights in the 2015 election. We organised hustings in Bristol, Brighton and Manchester to give voters the opportunity to ask questions on surveillance to their Parliamentary candidates. We ran training sessions with members based in London, Manchester and Sheffield on talking to candidates, writing to local press and organising campaign events. Our briefing pack with key questions and myths about surveillance helped supporters speak out on these issues. On top of which, we built a tool which reported on candidates' stances on surveillance.

  9. The bad bits of the Investigatory Powers Bill are being thoroughly challenged in our on-going campaign. In just a few weeks since the release of the Bill, we’ve given evidence in Parliament, submitted long form evidence, made a lot of press appearances, and helped supporters write to their MP about the new law.

  10. As the year drew to a close, we celebrated ten years of Open Rights Group! With 100s of campaign actions, and 1,000s of supporters, ORG has stood up for your rights for over a decade!

So what's the plan for 2016?

In the new year we're going to launch a public-facing campaign on the Investigatory Powers Bill. The Joint Committee, who are examining the Bill, will report back in February and there will be media and political interest in what they have to say. At this point we need to put pressure on MPs and members of the House of Lords who will amend, debate and vote on the Bill.

The focal point of this campaign will be a short film that shows exactly what mass surveillance means and the implications of what the Government is proposing. If we raise enough money, we will also produce other marketing materials, such as ads and flyers to increase awareness.

Can you help us make it happen?

Please donate to support our Indiegogo campaign!



December 10, 2015 | Ruth Coustick-Deal

The Investigatory Powers Bill: PR myth list

In the weeks since the Investigatory Powers Bill was officially released, we've seen a lot of Government PR. They are trying their best to assure us that we have nothing to be worried about, but we're not convinced.

So we've broken down some of the lines that you might have seen used by the Government and those who are pro surveillance:

1. The line: This is not a Snoopers’ Charter

What they said: “neither a Snooper’s Charter nor a plan for mass surveillance” - Andy Burnham [1]

Our view: This new Bill will put into law the capabilities and powers revealed by Snowden and more.

Specifically, the Bill extends the state's powers by forcing Internet Service Providers like TalkTalk, Sky and Virgin to store a record of every website and app we've visited in the last 12 months for the police to use. We will be the only EU or Commonwealth country to force ISPs to create and retain people's Internet browsing history.

The idea that the Investigatory Powers Bill is somehow not mass surveillance is also undermined by the word ‘bulk’. Bulk collection, bulk hacking, bulk interception, bulk retention: the Bill uses this word exactly 400 times. Privacy? It only crops up 17 times.

2. The line: There is strong accountability

What they said: “This will be one of the strongest authorisation regimes anywhere in the world.” - Theresa May [2]

Our view: The Government assures us that this Bill offers a “double lock”, by which they mean that Judicial Commissioners will check warrants for the bulk interception of data after they have been signed off by the Secretary of State.

But Judicial Commissioners will not check whether surveillance is necessary and proportionate, they will check whether the Secretary of State acted in good faith and followed the right procedures. It is unlikely that a Judicial Commissioner would challenge any decision on these grounds but if they do, the Secretary of State can go over their head to the Investigatory Powers Commissioners and ask them to approve the warrant. This looks more like a rubber-stamping exercise than judicial authorisation.

3. The line: We won’t attack encryption

What they said: “it will not ban encryption or do anything to undermine the security of people’s data” - Theresa May [3]

Our view: The Government have gone round in circles on this. In January, the Prime Minister David Cameron said that we must not allow a means of communication which could not be read. [4] Now the Government is trying to assure us that they are not going to do any such thing: this isn’t a ban on encryption, but they do want it weakened a little bit.

The Bill sets out vague powers to compel communications providers to help with demands for interception. In practice this may involve obliging companies to compromise their software and make their encryption less effective. The end result of course being that we are all more vulnerable to criminal hacks and data leaks. If a weakness is there for the Government, it’s there for everyone.

4. The line: If you have nothing to hide, you have nothing to fear

What they said: "if you have nothing to hide, you have nothing to fear" - Richard Graham, Conservative MP [5]

Our view: That isn’t true. It’s clear that surveillance affects a broad group of people, with real painful consequences for their lives. We’ve seen journalists being monitored, lawyers having their client confidentiality broken, victims of police misconduct being spied on and environmental campaigns infiltrated.

We also published a blog post here which gives a thorough rebuttal of this cliched argument.

5. The line: We need to sacrifice our privacy for security

What they said: Actually, Theresa May didn’t mention the word privacy once in her speech.

Our view: We are being asked to give up our right to privacy in the name of security but it is possible to value both principles as important, to have privacy AND security. And some of the proposals in this Bill could make us less secure. Activities such as hacking can undermine Internet security and can have consequences for people who are not suspected of any crime. We all have a right to privacy and it should only be invaded if we are suspected of a crime. This is no simple trade-off equation and privacy needs to be valued by all the decision makers in the process.

6. The line: GCHQ have to collect everything so they can find the needle in the haystacks

What they said: “It is impossible to provide a defensive cyber-security apparatus without operating first at the level of bulk, then to winnow out the chaff.” - Sir Iain Lobban, former head of GCHQ [6]

Our view: There is no evidence that mass surveillance is more effective than targeted surveillance when it comes to tackling terrorism and serious crime. Collecting, analysing and keeping everyone's data reverses the presumption of innocence until proven guilty. Surveillance should only be used when there is reasonable suspicion.

7. The line: We need to keep everyone's data in order to catch criminals

What they said: "communications data is absolutely crucial not just to fight terrorism but finding missing people, murder investigations" - David Cameron [7]

Our view: We agree that keeping specific communications data can help the police to tackle serious crimes, such as terrorism and child abuse. However, a ruling in the Court of Justice of the European Union (CJEU) outlined the threshold for deciding to retain that data. For example, if a serious crime is committed, data could be retained for a particular geographical region to support a criminal investigation. This means that the police could still retain data for specific investigations, rather than the blanket surveillance of all citizens.

The CJEU ruling was clear that blanket data retention interfered with our right to privacy and our right to a private family life. Other European countries, including Austria, Belgium, Bulgaria, Germany, Greece, Romania and Sweden, have agreed to this. These countries continue to tackle serious crime without undermining their citizens’ civil liberties through blanket data retention.

References

[1] Andy Burnham, http://www.theguardian.com/world/2015/nov/04/theresa-may-surveillance-measures-edward-snowden

[2] Theresa May, https://www.gov.uk/government/speeches/home-secretary-publication-of-draft-investigatory-powers-bill

[3] Theresa May, https://www.gov.uk/government/speeches/home-secretary-publication-of-draft-investigatory-powers-bill

[4] David Cameron, http://www.bbc.co.uk/news/uk-politics-30778424

[5] Richard Graham, Conservative MP for Gloucester, on the day the Bill was announced, and previously by William Hague http://i100.independent.co.uk/article/tory-mp-richard-graham-accused-of-quoting-joseph-goebbels-in-defence-of-new-surveillance-bill--bklSCE9nOg

[6] Iain Lobban, http://www.theguardian.com/uk-news/2015/nov/05/former-head-gchq-sir-iain-lobban-adviser-shell-hakluyt

[7] David Cameron, http://www.theguardian.com/uk-news/2015/jan/12/uk-spy-agencies-need-more-powers-says-cameron-paris-attacks



December 04, 2015 | Ruth Coustick-Deal

Responding to "Nothing to hide, Nothing to fear"

Every time we talk about mass surveillance, privacy or the security services’ powers we and our supporters find ourselves at the other end of that familiar phrase, “If you’ve got nothing to hide, you’ve got nothing to fear”. It's time to challenge that.

This powerful sentence does many things:

  • It encourages a complete trust in state powers - that you will never face wrongful suspicion or misuse of powers, for only the guilty are affected by mass surveillance.

  • It encourages people to embrace their own innocence, to look inwards, and not to look at how other people have been treated or targeted.

  • And after all, this is a climate of fear. Being told that nothing to hide means you have nothing to fear is reassuring. We all want nothing to fear.

  • It also introduces the vague threat that just maybe, if you haven’t behaved, you do have something to fear. Not something to challenge, or criticise, but to fear.

  • And so it keeps us in our place.

So let’s give some answers back:

I wrote a piece about how 'surveillance makes us less safe' earlier in the year. I will say again that I believe we should choose to look outwards, and think about all the people who really need the protections of privacy, and all the examples of when they've had that right invaded:

These are all people for whom surveillance turns into real, felt harms. The vulnerability created by an all-watching surveillance state affects everyone who needs their privacy. When they are listed out like this, you can see how so many people fall into one of these categories. Perhaps you find yourself in this list, or know people who are.

Even if a service is something that you are not using in your day to day life, whether that is a hospital, a library, or the local bus service, we understand that those things should still exist for those who rely on them. In the same way, if one person does not feel that they actively need the right to privacy, we should campaign and fight for all those for whom privacy, and the security it provides, is vital.

However, there are a lot of other perspectives on the cliche, "nothing to hide, nothing to fear", and here are some of the best ripostes our members shared with us as their preferred answers:

  • "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."
    -- Edward Snowden, US government whistle-blower and former NSA worker
  • "The premise [is] that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect."
    -- Bruce Schneier, computer security and privacy specialist
  • “Equally, what it means to be a free and fulfilled human being is to have a place we can go and be free of the judgmental eyes of other people. There are things we are willing to tell our physician or our lawyer or our psychologist or our spouse or our best friend that we would be mortified for the rest of the world to learn. People can very easily say that they don’t value privacy, but their actions negate the authenticity of that belief.”
    --“Why privacy matters" TED Talk by Glenn Greenwald, lawyer, journalist and author
  • “There is the inherently selfish response of ‘I have nothing to hide’. Well it is true that I am not ill. It is true that I am not blind. But I still want to live in a world that has hospitals. I still want to live on a street that has accessibility for blind people. And it is also the case that I want to live in a world where everyone has privacy, thus dignity, confidentiality and integrity in their daily lives, without having to ask for it, to beg it from a master. Because it is the case that when you ask someone for those things, they may not grant them. And then you will know that you are not free”.
    --Jacob Appelbaum, computer security researcher and hacker
  • "You may consider yourself law-abidingly white as snow, and it won’t matter a bit. What does matter is whether you set off the red flags in the mostly-automated surveillance... When you frequently stop at a certain bar on your way driving home from work, the Department of Driving Licenses will draw certain conclusions as to your eligibility for future driving licenses – regardless of the fact that you think they serve the world’s best reindeer meatballs in that bar, and never had had a single beer there. People will stop thinking in terms of what is legal, and start acting in self-censorship to avoid being red-flagged, out of pure self-preservation."
    --Rick Falkvinge, founder of the Swedish pirate party.
  • "The broad purposes of the surveillance and its secret nature prevents open debate and deliberation in Parliament, thereby preventing democratic authorisation and oversight. "If you have nothing to fear, you have nothing to hide" is not the language of a democratic society. Our right to privacy forms the bedrock upon which all of our other rights and freedoms are built. The Lords Constitutional Committee (2009) agreed that "Mass surveillance has the potential to erode privacy. As privacy is an essential pre-requisite to the exercise of individual freedom, its erosion weakens the constitutional foundations on which democracy and good governance have traditionally been based in this country."
    --The Don't Spy on Us coalition (of which ORG is a member)

 

Share image by Brian Yap (CC BY-NC 2.0)



November 05, 2015 | Pam Cowburn

First take on the Investigatory Powers Bill

The long-awaited Investigatory Powers Bill has been published at last. The draft Bill is almost 300 pages long so it is going to take us a while to go through the detail but here is our first take on what it contains.

Legitimising bulk interception and previously unknown access to UK communications data

The draft bill spells out the powers that the security services have to collect content and data in bulk. Although this had been done for years, no one really understood the extent of GCHQ’s capabilities until the Snowden leaks. The government acknowledged today that secret agencies have been going even further, accessing data in bulk from UK internet providers not just from international cables. The bill effectively endorses these previously secret – and at face value disproportionate – mass surveillance powers. This is in addition to powers to obtain bulk datasets, such as phone books, driving licenses, travel or banking records.

Retaining even more data

One of the most controversial parts of this new Bill is that ISPs will be forced to keep much more detailed data about our internet activities, such as websites we visit or apps we use on our phones. To access this data, the police would need to get a court order – this seems to be a concession to the European Court of Justice ruling last April that said there must be safeguards for accessing retained data. In July, the High Court said that parts of the Data Retention and Investigatory Powers Bill were unlawful for the same reason.

We will be asking why the UK police feel they need these powers. In his inquiry into surveillance, the Independent Reviewer of Terrorism Legislation, David Anderson QC said:

“I am not aware of other European or Commonwealth countries in which service providers are compelled to retain their customers’ web logs for inspection by law enforcement. I was told by law enforcement both in Canada and in the US that there would be constitutional difficulties in such a proposal.”

Who signs off warrants?

The new Bill proposes a new system of “double-lock” where some warrants will be signed both by the Secretary of State or an authorised person, and additionally by a special judge. At face value this might seem an improvement on the current situation where judges do not have a role, but there are concerns that in practice this may simply amount to a rubber-stamp. Judges would have a very narrow role, only being allowed to check that there are grounds for the minister’s decision and that procedures have been followed, but not to challenge the substance of the decision. Fully independent judicial authorisation would be a better guarantee of due process. Disappointingly, the draft new bill still allows police, councils and other agencies to obtain communications data without the need to involve a judge.

Has encryption been banned?

We don’t think there was ever going to be a serious attempt to ban encryption. The Bill asks for powers to compel communications providers to assist with demands for interception. How companies do this will presumably be at their discretion. In some cases this might involve compromising their software to make the encryption less effective. This is something that we are sure companies will be looking into.

New hacking powers

The bill clarifies the powers of security agencies to break into our laptops and mobile phones, including worrying new powers for non-targeted mass hacking. The bill also forces internet companies to help in hacking their customers.

What are the positives?

We asked for a transparent law and on first reading it does seem to be very clear about the powers being given to the State. Transparency over these activities is very welcome, as it enables debate and challenges to specifics, including in the courts. There also seem to be improvements to redress, including the right to appeal rulings by the Investigatory Powers Tribunal, which is something ORG has campaigned for. The new Investigatory Powers Commissioner may also bring improvements to democratic oversight.

What happens next?

This is a massive bill and it’s going to take us some time to scrutinise it in detail. Our initial view is that the draft bill appears to be a missed opportunity to rein in the surveillance state. It mainly seems to legalise current practices and add a veneer of human rights compliance without fundamentally changing what the police and secret agencies already do.

[Read more] (12 comments)


November 04, 2015 | Ed Johnson-Williams

Investigatory Powers Bill published and now the fight is on

The Government’s just published the draft Investigatory Powers Bill. It will decide the surveillance powers that the police and intelligence agencies have for years to come.

Open Rights Group has been calling for a new surveillance law for years. Today, we’ve got a draft of one. Now the fight’s on to make sure the final Bill genuinely protects our rights to privacy and freedom of speech.

There’s a huge campaign ahead of us now. Can you join ORG today to help us campaign for the dangerous parts of this Bill to be taken out?

The Bill is huge and we’re going to spend the next couple of days going through it to work out exactly what’s in there and what’s not, what’s problematic, and what should stay.

So far we know that the Bill requires Internet Service Providers like Virgin, Sky and BT to store details of every website visited by their customers for 12 months so the police can access that information about us. It also authorises GCHQ’s bulk collection of Internet data by systematically tapping the cables transporting Internet traffic in and out of the UK.

We’ve been talking to the media today and over the last couple of weeks but there’s a lot more to do in the coming months.

First, we want to give politicians, the media, our members, and the public a considered analysis of how the Bill would affect the Internet, the economy, our legal system, and our rights to privacy and freedom of speech.

Then we’ll give evidence to the joint committee of Parliament that will scrutinise the Bill, to push for its recommendations to include the changes we want. We’ll also support our local groups who want to lobby their Member of Parliament as the Bill reaches the Commons.

Can you join ORG today to stand up for privacy in the digital age?

We want surveillance to be targeted to those who are reasonably suspected of crimes. It’s a difficult debate and there are plenty of powerful voices on the other side to us. Join us today and add your voice to the debate.

[Read more]