The fallout from Edward Snowden's revelations about US and UK government surveillance of the general public continues as the UK government seeks to put on a legal footing a range of activities undertaken by the security services.
These activities have not previously been discussed by, let alone authorised by, parliamentarians.
Yesterday in Parliament, Home Secretary Theresa May gave a robust defence of the Draft Investigatory Powers Bill – widely dubbed the snoopers' charter – when quizzed by MPs and peers seeking to tease out the implications of the proposed bill.
The government's contention is that without retaining Internet Connection Records (ICRs – a record of the internet services that a specific device connects to such as a website or instant messaging application), it is not possible for law enforcement and security agencies to identify consistently who has sent a particular communication online, information often deemed necessary to carry out their work.
Issues of contention in the bill include rejection of any sunset clause; the call for even the smallest service providers such as cafes and bookshops to retain data; no defined limit on the data to be accessed, including medical data; the definition of bulk data collection as being different to bulk surveillance; the likely compensation costs to be incurred by data-holders – plus the fact that the judicial oversight of parliamentarians will be by commissioners appointed by the Prime Minister.
The committee asked about inclusion of a sunset clause (a defined end date for the legislation) which had been called for by the information commissioner to accommodate changing technology, but May rejected the move, saying the legislation was designed for the long term (‘say 15 years’), and sunset clauses to revisit after five years would add uncertainty for providers who were required to undertake ‘certain actions’. But she also said that reviews could take place as technology advanced.
May was asked, “What steps have been taken to minimise risk of loss of privacy?” She responded that the safeguards for individuals included the authorisation procedure, the double lock of both judicial oversight and secretary of state approval being required. Also, that the new system entailed oversight at different levels including the new Investigatory Powers Commissioner, as well as parliamentary oversight by the security and intelligence committee. In addition, there are requirements relating to data being retained – such as the Data Protection Act and Data Privacy Act, plus a new offence is being introduced for misuse of data held by companies.
There were also questions about likely confusion of terms within the 300-page document, one clause noting: “Data includes any information which is not data,” which May explained could, for example, include paper documents. Also, extending the use of data in the case of an emergency started with emergencies being potential loss of life, but will also cover ‘serious’ issues not defined as an emergency in current police parlance. May justified some level of ambiguity, saying that the sector was fast moving and while you want to be clear, “the more you try to proscribe with definitions, the shorter the life of the legislation.”
One bit of welcome clarification is that communications service providers (CSPs) will not be required to keep data from third-party services going across their network, or other instances where it is not practical. But when data retention notices are issued, the data will need to be held in a way that is accessible.
It was noted that the burden of cost is greater for small CSPs, and May was asked, would a coffee shop WiFi system be included? She replied that this was being left open as “there are circumstances where it would be appropriate. It would not be right to exclude any type of network (coffee shops, universities etc)”.
Small CSPs may serve a specific niche, geographically or by service, and these would be looked at on a case-by-case basis for proportionality, necessity and cost. “There won't be a CSP size that will never be served a notice,” she said.
She reaffirmed that the bill is working on the basis of government providing cost recovery – and would discuss with the provider the impact of providing, and necessity of, access.
Regarding the overall cost of compensation, Labour MP David Hanson said Vodafone, EE, O2 and Three had testified that they could each spend £240 million alone (the total combined budget) and were thus concerned about their ability to comply with the legislation on budget and on time. May reiterated that compensation would be on a “cost recovery basis” and insisted the figure was realistic.
May was challenged on the threat to encryption, with companies whose business model was based on end-to-end encryption potentially taking their business elsewhere. Earlier Dr Nithin Thomas, co-founder and CEO of SQR Systems, commented in an email to SCMagazineUK.com: “While operational policy and safeguarding has remained a focus, we must not overlook the importance of the technology at the heart of the situation. The UK is a world leader in developing innovative encryption technology, and we have now reached a point where it is possible to ensure protection for sensitive data without impeding urgent criminal investigations.
“Private enterprises and the government must explore all options that would enable encryption to be kept strong while addressing the growing concerns around communications between terrorists and criminals.”
May sought to clarify the situation regarding the requirement to remove electronic protection, saying, “We believe encryption is important. We are not proposing to make any changes to the legal position of encryption that... is currently in secondary legislation.”
While May confirmed the government doesn't need to know the encryption keys, she insisted “the information should be readable” and that companies should take reasonable steps to comply with the law. The implication was that companies should assist with methods of circumventing encryption rather than backdoors or breaking the encryption.
“We believe current legislation is compliant with the requirements of EU law and the proposals are also compliant,” declared May when asked, “Can bulk powers ever be proportionate, and on what legal basis given European law?”
Expanding on why something that needs to be targeted can include bulk gathering, May added: “Bulk data access and use are different. There are provisions in the bill to introduce an authorisation process to provide greater safeguards regarding how to access the bulk data sets. We are bringing powers into one place and one piece of legislation. Our aim is to be transparent and clear about the powers that the authorities have – I believe this is world leading legislation because it is open.”
When questioned further about the efficacy and legality of mass surveillance, May responded: “We do not collect all the data all the time. It's a misrepresentation of the UK authorities.”
She added, “We have not and do not undertake mass surveillance.” Bulk equipment interference was described as a tactic used to stop those who would harm the nation, with bulk powers, especially overseas bulk interception, necessary as the only means to gain such information – but they were described as not then being used in an untargeted way.
In contrast, Edward Snowden had earlier described the bill as a #SnoopersCharter, saying it legitimises mass surveillance and is, “the most intrusive and least accountable surveillance regime in the west.” He added that, because it does not require individualised judicial authorisation in advance of interception, “Such a dragnet is mass surveillance.”
May refused to say exactly what data sets would be accessible under the act. When pressed to confirm these would include medical records, she commented: “We are not listing out the data sets but providing greater safeguards to the access to these datasets. Relevant commissioners recognise it is an important capability, and agencies need to see classified elements – the important thing is to know they are being accessed in accordance with the double lock process, ensuring necessity and proportionality. The important thing in relation to privacy is that there will be an oversight process that provides a safeguard to people.”
Regarding sharing information with overseas agencies not operating to the same standards, and thereby circumventing the bill's intentions, May emphasised that the UK authorities do look at information handling arrangements before sharing and must be satisfied they have equivalent handling arrangements – but said determining this is a matter for the issuing authority to decide.
Appointment of the investigatory powers commissioners for three years by the Prime Minister was described as reducing their independence from the executive, a claim May rejected, noting that they are senior members of the judiciary, therefore not easily swayed by politicians, and that the current commissioners are appointed by the Prime Minister and there is no suggestion they have not operated independently.
It was also questioned whether this judicial oversight would simply be rubber stamping, ensuring compliance on a legal/technical level but unable to overrule the Home Secretary if they disagreed on an issue of necessity or proportionality. May insisted that such considerations would be taken into account and that both parties needed to agree under the double lock for a warrant to be issued.
She commented: “The judicial review gives a level of flexibility of how they approach the evidence, and it is open to a senior high court judge to look at necessity and proportionality. The double lock needs both parties to agree, and it cannot be applied if the judge doesn't agree. When looking at its merits (not just an issue of law), they do allow the executive a degree of discretion. There will be circumstances where they determine in one case with a lighter touch than another – but both parties have to agree for the warrant to be applied.”
Following this period of review and scrutiny, the draft bill will go back to the government which will rewrite it. It will then be introduced to the House of Commons with the aim of passing it into an Act of Parliament by the end of 2016.
Jens Puhle, UK managing director of access rights management specialist 8MAN, emailed SCMagazineUK.com to note: “Major technology and telecoms companies such as Vodafone have cited the legislation as ‘a major imposition on the freedom of an operator’. However, public opinion has seen a significant shift towards supporting the proposal, with 63 percent now in favour, according to a poll by Broadband Genie. It appears that the British public is increasingly looking to put security first in the fight against terror.
“Companies should be focused on preparing for some of the most likely outcomes of the final legislation, especially around data retention. Critical data loss is one of the biggest issues facing companies, and the pressure will increase if they are required to hold on to more data for longer periods.
“While large firms are arguing that the proposal will risk undermining consumer trust, I believe they would be better served by putting precautionary measures in place rather than fighting to block the legislation. Organisations must be able to prove to the public that security is their highest priority, regardless of the outcome of the final bill.”