2nd Update: Surveillance bill; judicial oversight, no encryption ban, archiving browsing data

News by Tony Morbin

Home SecretaryThersa May unveiled the draft Investigatory Powers Bill in parliament today. It will be examined in detail by both Houses of Parliament before a final bill is produced for consideration by MPs and Lords.

A panel of specially qualified judges will now oversee the decisions of ministers who authorise warrants for communications interception in what is being described as a rationalisation of UK government surveillance powers.

The new authorisation process included in the draft Investigatory Powers Bill was described as a "double lock" by Home Secretary Theresa May when she unveiled the proposed legislation today. 

More controversially, the draft bill would also require providers of communication services to retain metadata on user activity for a period of one year. 

The police and security services will continue to apply for warrants to the Home Secretary for more intrusive activities such as the interception of data, and this will be reviewed by the judicial panel – but in the case of an emergency the Minister would be able to make an immediate decision, which would need to be ratified within five days, whereas a law enforcement warrent would last three months, and a security services warrant lasts six months. 

If a warrant were rejected, the requesting agency could abandon the request or modify the request. In the case of an emergency warrant being overturned agencies would be required to return any information obtained. 

To approve a warrant, both the Home Secretary and the panel would be required to decide whether the actions proposed were necessary, targeted and proportionate. 

Last year there were 2,400 intercept warrants authorised.

In addition an investigatory powers commissioner, who will be a senior judge, will be appointed by the Prime Minister, replacing three existing commissioners.

Perhaps the most controversial element is the proposed requirement that web and communications companies hold "internet connection records" for 12 months so they can be requested by authorities. The information they would be required to hold includes the device connected to and the IP address of the target website. 

Although the government has dropped plans to give authorities full access to everyone's internet browsing history, it will collect metadata regarding who is contacting who, what, when and where, and the data will be made available to the police and security services without a warrant. Looking at the content would require a warrant.

The police account for most of the 500,000 annual external requests for communications data with approval at inspector or superintendent level depending on the kind of data being requested; 40 other public bodies will  get different levels of access but often will need a magistrate's authorisation. 

To avoid the misuse of this data a new criminal offence of "knowingly or recklessly obtaining communications data from a telecommunications operator without lawful authority" has been created and will carry a prison sentence of up to two years. 

Councils are specifically prohibited from accessing such data to 'snoop' on their constituents.

The discussion confirmed on the record that hitherto, GCHQ had, as revealed by Edward Snowden, been engaged in mass surveillance under the 1984 Telecommunications Act. However, the Home Secretary excused this activity, commenting that the old laws were inadequate. "Technology has moved on, the law hasn't and we need to update the law," she said. 

Encryption is not being banned – but cooperation on the part of internet and communications companies regarding unencrypted data will be sought – so for example, the authorities would expect to be able to get as detailed a picture of an internet service's customer as the service provider has themselves, using the tools currently used by the providers for commercial purposes, eg tracking purchases and preferences etc.  

This does not preclude the security services from also seeking to break encryption themselves. But they are not asking for backdoors, acknowledging that these could fall into the wrong hands, and it is accepted that encryption is both useful and necessary for legitimate activities in a digital economy.

The bill would also authorise extraterritorial jurisdiction for UK agencies seeking data from overseas companies operating in the UK.

May says the new act would drop requirements for data retention by overseas providers and third parties, and web browsing data requirements have been limited.

Former leader of the Liberal Democrat party Nick Clegg described the moves as far more 'proportionate' than previous proposals which were rejected by his party when it was in coalition government with the Conservative Party.

May says that the new bill will "not provide significant new powers – it brings together existing powers into one single piece of legislation," saying that the only new element is the retention of internet connection records, and the rest is about clarifying and strengthening authorisations.

Described as being in line with the Wilson Doctrine, oversight of interception of communications data of the legislature (ie MPs and Lords) will require ministerial warranty, judicial approval, and prime ministerial approval, plus there will be additional legal safeguards for sensitive professions such as journalists whose privacy may be deemed in the public interest.

According to Guardian reports quoting Home Office estimates, the cost of the new regime has been put at £245 million to £250 million over ten years, after it comes into force in December 2016 with £175 million for data storage and £60 million for judicial oversight.

Renate Samson, chief executive of Big Brother Watch, told SCMagazineUK.com: “The recommendation of a ‘double-lock' of political and judicial sign off on the most intrusive powers appears to tick the box of independent judicial approval, but in a world which is increasingly connected online the future demands on a Home Secretary's time could become impractical.

“Requests for retention of internet connection records will provide access to the most detailed data on citizens, not just the who and when of a telephone record, but the what and how of the way we live our lives. The guarantee of security to this retained data will be critical. Furthermore, demands on technology companies to adhere to warrants for encrypted data, as well as the power to legally hack into our devices, could create legislative back doors which in a world of increased cyber-attack could make us more vulnerable to crime.

“There is a great deal to be scrutinised in a very short space of time. For this legislation to really be a world leader in how to protect the privacy and security of law-abiding citizens, the Bill will require a thorough investigation.”

In an email to SCMagazineUK.com prior to May's announcement, Dr Darren Hayes, assistant professor and director of cyber-security at Pace University's Seidenberg School of Computer Science and Information Systems in New York, suggested that the Investigatory Powers Bill will facilitate more bulk data collection and retention of data, adding that it “will be warmly welcomed by law enforcement and the intelligence community while simultaneously drawing consternation from consumer rights activists."

However, he went on to recognise that: “What is clear is that dramatic improvements in encryption have prompted government leaders in the US and UK to introduce new legislation to address these changes. Companies like Apple have distanced themselves from law enforcement by developing hardware-based encryption with no backdoors. Therefore, an iPhone 6 seized from an ISIS terrorist suspect at JFK Airport cannot be accessed by investigators. Pedophiles know that they can easily mask their identity while they prey on young children."

Following May's confirmation of the contents of the Bill in parliament Hayes commented to SC:  “I think that it has been easy for many to jump on the bandwagon and be critical of the Investigatory Powers Bill without fully understanding the Bill's limitations, oversight and impetus. Judges will have the ability to block spying operations. Furthermore, "knowingly or recklessly obtaining communications data from a telecommunications operator without lawful authority", is a new criminal offence, which may result in a prison sentence of up to two years. Additionally, law enforcement may not access journalistic information without court authorisation. What many fail to understand is that access to critical intelligence has been severely diminished in a post-WikiLeaks and post-Snowden era. Many social media companies, like Twitter, have become more vocal about their opposition to government surveillance or law enforcement investigations and are less apt to assist the government. In an environment of less cooperation and enhancements in encryption, mean that the government must act to thwart terrorist threats.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews