Government surveillance in the dock

Government to drop contentious proposals in its revised draft Data Retention and Investigatory Powers Act due to be published by the Home Office on Wednesday.

UK surveillance questioned as government publishes anti-terror law
UK surveillance questioned as government publishes anti-terror law

At first glance it appears that the government has dropped the most contentious proposals in its revised draft Data Retention and Investigatory Powers Act (DRIPA), often referred to as the "snooper's charter", due to be published by the Home Office on Wednesday.

The Act was declared illegal under EU law in October when the High Court confirmed that sections 1 and 2 of the Act breached the British public's rights to protection of personal data and to respect for private life and communications under the EU Charter of Fundamental Rights because:

  • They fail to provide clear and precise rules to ensure data is accessed only for preventing, detecting or prosecuting serious crime.
  • They do not require data to be authorised by a court or independent body, which could limit access to and use of data to what is strictly necessary.

The unlawful sections of DRIPA will remain in force until the end of March 2016 to allow time for the Government to legislate properly. At that point they will cease to have effect.

On Sunday, Home Secretary Theresa May announced on the BBC that there would be "world-leading" oversight of warrants to access digital records but, she added, the government may still reject calls for final responsibility for signing warrants to be made by judges rather than the Home Secretary and the Foreign Secretary.

Conservative backbencher David Davis and Labour deputy leader, Tom Watson, have campaigned against ‘excessive' surveillance legislation and called for judicial authorisation of individual, targeted intercept warrants.

A report by David Anderson QC also recommends judicial oversight while Parliament's intelligence and security committee has sought to keep ministers responsible, as has the Royal United Services Institute. A compromise could include the ministers retaining sign-off responsibility with additional judicial oversight.

Last year 2,795 warrants were agreed by cabinet ministers, covering contents of phone calls, emails and other communications, while metadata has been obtained 500,000 times. 

The latest moves are reported to include not allowing the police and security services full access to internet browsing history, but restricting this to metadata about who is contacting whom, saying it will "strictly” limit access to internet connection records. 

It will also require internet companies to retain the web browsing history of their customers for up to a year. This will mean existing powers allowing authorities to see which websites people have visited become practical to implement for the first time.

This has implications for encryption. Over the past year, senior police at the NCCU and City of London Police have been telling SCMagazineUK.com they are concerned about the lack of access to encypted data, including end-to-end encryption on social networks such as Apple's iMessage and WhatsApp. MI6 has expressed similar concerns. 

Prime Minister Dave Cameron had similar concerns, telling ITV News: “I think we cannot allow modern forms of communication to be exempt from the ability, in extremis, with a warrant signed by the home secretary, to be exempt from being listened to.”

Officially the government is actually dropping its plans to restrict use of encryption. The BBC reported that ministers have no plans to ban encryption services because they have an important role in the protection of legitimate online activity such as banking and personal data.

To an extent, this appears contradicted by Telegraph reports that the new legislation will include a legal requirement for tech firms and service providers to be able to provide unencrypted communications to the police or spy agencies if requested through a warrant – something not possible with end-to-end encrypted services where the users hold the encryption keys.   

Bob Tarzey, analyst and director, Quocirca Ltd, told SCMagazineUK.com: “There is an important principle at stake here. The Legislature (Parliament) passes laws, but the Executive (the government) oversees their implementation, but the ultimate authority when it comes to fairness is the Judiciary (the courts etc.), so I think (judicial oversight) would be a good compromise. The government is less likely to stand accused of authoritarianism and we, the citizens, if and when we become the subjects of investigation, will have to accept access to our personal data as only been allowed after consideration by a judge.

In an email to SCMagazineUK.com Sarb Sembhi, director at STORM Guidance, said: “The disadvantage with the politicians having oversight is that they may only understand national security implications that they are being presented with by the security services. On the other hand the disadvantage with the judiciary having oversight is that they may not understand the national security implications. 

"However, given that judges have had to interpret complex legislation all their working careers, I think most people would trust that judges would be in a better position to learn the aspects of national security that they need to in the same way that they are required to understand so many other issues that require public judgements. One of the concerns I think that the public may have is around the consistency in decision-making between judges.”

Regarding reports of the government dropping plans to restrict the use of encryption, Sembhi noted: “Given that the US has caved in to requiring developers to build in backdoors for encryption tools, the UK has to follow suit. Also, if this hasn't been dropped it is likely that the Lords would want it out – with last week's defeat fresh in their mind, neither the PM or the home secretary would want to have another defeat on their hands.

“Aside from all that, business leaders and security professionals want to ensure that they are able to protect their business data without making it easy for competitors. The original draft requirements would have meant that the UK would not be a secure place to operate a business in, to a point that operating in another country would be a competitive advantage in being able to secure your information assets.”

Tarzey adds, “Restricting encryption was never practical, criminals were always going to use it in their interests and would not have heeded any laws anyway.”

In an email to SCMagazineUK.com Shami Chakrabarti, director of Liberty, said: "It's an old Home Office trick to start with such extravagant proposals that dropping a couple of small items from ‎the bottom of the shopping list can be spun as a concession. 

“But the biggest outrages in this plan remain: we are to be hacked, tracked and spied on as an entire population with no prior judicial authorisation."

As The Register noted last year, metadata encryption doesn't protect identities. Looking at a simplified representation of an IPv4 packet, it noted: “You can't encrypt addresses, because all of the routers between you and the other end of a communication have to know where they're sending the packet (layering was covered elsewhere in the article).”

“The sender and recipient of an e-mail are carried as part of the packet payload – if you're using a secured login or if the provider requires it, then even the e-mail metadata (sender, recipient and subject) are travelling as part of the IP payload. But only as far as the server, where the payload is decrypted. If the provider were subject to a retention regime, then that metadata will be in its system logs, and encryption doesn't protect you at all.”

Sign up to our newsletters