In the 373-page report ‘A Question of Trust: Report of the Investigatory Powers Review’, published yesterday, Anderson said that clear new laws are needed so that law enforcement and security agencies, such as GCHQ, can monitor online conversations.
He also appeared to agree with the need for the bulk collection of metadata and the so-called ‘Snooper's Charter' law, or the Draft Data Communications Bill in its latest guise - providing legal oversight can be ensured.
The long-awaited report, which was commissioned by the government and backed by Home Secretary Theresa May, is designed to set wheels in motion on new laws which clarify what information security agencies can legally obtain, and it could well spell the end of the Regulation of Investigatory Powers Act (RIPA).
Anderson argues that current legislation, most of which predates the Internet, is "undemocratic and unnecessary."
"Modern communications can be used by the unscrupulous for purposes ranging from cyber-attack, terrorism and espionage to fraud, kidnap and child sexual exploitation," he wrote in the report.
"A successful response to these threats depends on entrusting public bodies with the powers they need to identify and follow suspects in a borderless online world. But trust requires verification."
He continued: "Each intrusive power must be shown to be necessary, clearly spelled out in law, limited in accordance with international human rights standards and subject to demanding and visible safeguards. The current law is fragmented, obscure, under constant challenge. It is time for a clean slate."
Anderson's most contentious point, for privacy activists at least, was that in the digital world – as in the real world – “no-go areas” for intelligence and law enforcement agencies should be minimised.
"The agencies do not look to legislation to give themselves a permanent trump card," he wrote. "Neither they nor anyone else has made a case to me for encryption to be placed under effective government control."
The report has 124 recommendations in total, including that:
- Security and intelligence agencies should have powers to carry out "bulk collection" of intercepted material. However, he says that there must be "strict additional safeguards".
- Judges should authorise requests to intercept communications, which would limit the home secretary's current role in deciding which suspects are so monitored. The Guardian and The Times reported today that it is a contentious issue within the UK government.
- The Draft Data Communication Bill, otherwise known as the “Snoopers' Charter”, must be subject to “rigorous assessment” on whether these proposed laws would be legal or effective.
- The definition of communications data should be "reviewed, clarified and brought up to date".
Anderson's report puts US tech firms in a difficult position too, although the Daily Mail reports that Twitter “will tell suspects if they are on the spy radar.” Twitter also reportedly says it will only keep investigations secret if compelled to do so by a court.
However, other companies took a different tack; one unnamed technology company, documented on page 206 of the report, said that “Our priority is our brand, not UK intelligence.”
Ed Wallace, director of incident response and advanced threats at MWR Infosecurity, told SCMagazineUK.com: “I don't think there's anything massively contentious about it,” adding that it made “a lot of sense” to update laws which pre-date the iPhone, and which also hand out ‘vastly different’ powers to the various different agencies.
“The only way to create something that society will be happy with is to have an open debate. A sensible refresh [of legislation] just makes sense.”
Wallace said that the question of who signs off on warrants, a judge or politician, is the most contentious point on any surveillance changes, although he noted that the current balance is reasonable, with politicians typically intervening on cases of national security and where the ISC committee has prior knowledge.
He added there's not much understanding of the different types of data collected outside of the agencies, saying that bulk collection is already relatively honed down to a small number of people. One issue he said would need to be addressed is whether data can be shared with other jurisdictions.
But he warned that any legislation would need to be wary of burdens put on technology companies, especially instant messaging start-ups, with few resources.
“It could be a barrier to innovation… if, for example, you have to hold on to data for five years, a start-up just can't enter that market,” he said. He also said that any legislation changes would need to consider ways of bringing larger companies to account, if they were geographically based elsewhere and unfamiliar with the UK warrant process. “Questions like that need to be worked out,” he admitted.
David Lacey, futurologist and independent security consultant, told SC in an email that the changes were needed: “Clarifying the law is long overdue. Surveillance is necessary because the threats presented by terrorists are bigger than the risk of over-zealous snooping. But it needs to be strictly controlled. This legislation is a step forward though I'm not sure what we gain from passing responsibility for authorisation from ministers to judges.”