the u.k. government has today published a draft bill setting out new surveillance powers that if passed into law willallowthesecurity and intelligence agencies to more deeply probe brits’ digital activity by requiring u.k. isps keep a log of all the websites visited by internet users overthe past12 months.brits’ media consumptionhabits, banking activity, political affiliations, health concerns,sexual proclivities and more could all potentially be inferred fromstate mandated iogging of internet activityunder the proposed new legislation.
try to think of an aspect of your life that you don’t ever browse the internet about.
keep trying.#ipbill
prof paul bernal (@paulbernaluk) november 4, 2015the investigatory powers bill was introducedto parliament byhome secretary theresa may earlier today, who said the governmenthopes tohave an amended bill introduced next spring, following aparliamentary and committee scrutiny process with the aim of getting a final billonto the statue books before the end of 2016.
speaking in parliamentahead of may, prime minister david cameron said the new powers are required to help the police and security services combat crime in an era of social media.may went on to describe the aim ofthe bill as beingto draft a new law “consolidating and updating our investigatory powers, strengthening the safeguards and establishing a world leading oversight regime”.the government confirmed its intention to legislate to plug what it termed “capability gaps” in law enforcement and securityagencies’ intelligence gathering abilities in the digital eraback in may.it is tabling legislation now with a view to replacing dripa aka theexisting ’emergency’ surveillance legislation which was rushed through parliament back in 2014, and which has a sunset clause meaning it will expire at the end of2016.dripa was criticized both for the draconian data capture powersit afforded, and also for the unseemly haste with which it was railroaded through parliament allowingnotime for proper parliamentary scrutiny. the investigatory powers bill will at least get the latter, with a special committee of mps due to pore over itsdetail in the coming months.
despite criticisms ofthe potential chillingeffect on the u.k. tech sector of draconian state surveillance powers, at a time wheneuropean institutions have generallybeen seeking to roll back data retention capabilities and bolster privacy protections for individualsin the post-snowden era, the u.k. governmentis nonetheless pushing ahead with a bid to cement and expandthe powers of the surveillance state by enshriningmass surveillance as ‘due process’ for domestic intelligence agencies and proposing what critics have dubbed another ‘snooper’s charter’.the government has of course been attempting to spin otherwise by, for example, claiming mass surveillance (euphemistically referred to as “bulk collection”) is “proportionate and necessary” in today’s modern digital era, and explicitly stating it is not seeking to ban encryption. albeit that any ban on encryptionwould likely be impossible to enforce especially without international agreement, given how much technology is developed and distributedbynon-u.k. companies.on the encryption point, earlier thisyear cameron hadmade comments widely interpreted as an intention by a future conservative majoritygovernmentto outlaw the technology.in the event today’s draft bill does not apparently seek to explicitly outlaw encryption but may said the requirement that is currently in secondary legislation “that those companies that are issued with a warrant should take reasonable steps to be able to respond to that warrant in unencrypted form” is being brought “onto the face of the legislation”.so it remains to be seen whethera company that runs a service under end-to-end encryption and then, ifserved with a warrant, fails to deliver unencrypted data because they are unable to do so is considered to be breaking u.k. law or not.on this front, clause 189(4)(c) also appearspertinent as it sets outthatspecific obligations on “relevant operators” can include: “obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data” which appears to suggesta requirement that companies are able toremove encryption when asked. but of course encryption that can be removed is not end-to-end encryption (a technology the u.k. government recently described as “alarming”).”but we are not banning encryption,” claimedmay in parliament. “we recognize that encryption plays an important part for people in keeping their details secure.”(it also appears the government recognizes thatencryption can play an important role in itsnew legislation being perceived as more moderate than it could otherwise have been )may went on to emphasize thatother contentious measures included in theearlier2012communications data bill (also dubbed a snoopers’ charter), which failed to pass parliament have been dropped.
“the draft bill we are publishing today is not a return to the draft communications data bill of 2012. it will not include powers to force u.k. companies to capture and retain third party internet traffic from companies based overseas; it will not compel overseas communications service providers to meet our domestic retention obligations for communications data,” she said.despite this, the requirement that internet and phone companiesretain data on the websites users have visited for a full 12 months remainsa huge and intrusive expansion of state surveillance powers. civil rights organization big brother watch sumsupthis data as “the what and how of the way we live our lives”.may said itis not a full browsing history, in the sense of loggingevery click of and page visited by an internet user, but rather will be a timestampedrecord of the primary website url visited. which still of course generatesa hugely intrusive personal history of u.k. web users or at least those who don’t actively seek to avoid this state-mandated dragnet by using a vpn/proxy, such as the tor browser, to protect their privacy, or running other obfuscation technologies to muddy the waters of their internet activity.
some examples of the difference between internet connection records (no warrant) and browsing history (warrant) pic.twitter.com/rdcjnqctxa
mikey smith (@mikeysmith) november 4, 2015theprovision isdescribed as an “internet connection record” (icrs) in the bill, and may likened it to “the modern equivalent of an itemized phone bill”. however it’s clear that far more activity now occurs digitallythan does or ever did via voice calls so the comparison isa stretch.”some have characterized this power as law enforcement having access to people’s full web browsing histories. let me be clear: this is simply wrong,” said may. “[it] is a record of every communication service that a person has used, not a record of every webpage they have accessed.”
requests for this data from law enforcement agencies would be “forthe purpose of determining whether someone had accessed a communications website, an illegal website or to resolve an ip address where it is necessary and proportionate to do so in the course of a specific investigation”, she added. “strict limits will apply to when and how that data can be accessed.”quite how the bulk collection of u.k. users’ internet browsing activitywill be squared with european data protection legislation, currently being draftedwith a new data protection directive setto be introduced later this year which mayplace competing requirements on isps when it comes to user data retentionremains to be seen. (assuming, of course, the u.k. does not vote to leave the eu in itsreferendum next year.)anew criminal offence of “wilfully or recklessly acquiring communications data”, carrying a maximum two-year prison sentence, is being created with the aim of discouraging access abuse of these icrs. however, given how many data breaches are perpetrated by hackers already such as the recent data breach of uk isp talktalk, with police arresting several teenagers on suspicion of being behind that attack it remains to be seen how much of a disincentive a two-year jail sentence is. not to mention how securely isps will store this sensitivedata.raising the latterpoint in parliament, shadow home secretary andy burnham noted that the home secretary’s introductory speech had referenced how some 90 per cent of commercial organizations have experienced a data breach, and went on to query whether there might not therefore be risks to storing u.k. citizens’ website accessdata asking specifically whether it will not therefore be stored in “anonymized form” to safeguard the privacy of the public from hack attacks.may sidestepped this question, reiterating only that more powers are needed by law enforcement to combat cybercrime. “i think it’s very simple, that as criminals are moving into more online crime that actually we need to make sure that our law enforcement agencies have the power to be able to deal with that cybercrime,” she said.police will require warrantauthorization toaccess icrdata, whilelocal councils will be explicitly banned from accessing it. but even withthe check of a warrant, the u.k. government affording law enforcement access to web browsing data remainsexceptional when compared to powers afforded to police in the u.s. and elsewhere in europe.existing rules allowing u.k. police forces to access communications metadata without a warrant remain unchanged. earlier this year big brother watchpublished data obtained via foi detailing the extent of police forces’ comms data requests in that regard with some 733,000 requests made by domestic u.k. police forces over a three year period, between 2012 and 2014.on judicial oversight for signing off surveillancewarrants a key recommendation of the independent terrorism legislation reviewer, david anderson, in his reportthis summer the home secretary is proposing a third way, with senior ministers and judges both involved in sign off. shereferred to this as a “double lock”, claiming it offers”both the reassurance of democratic accountability and judicial accountability”.
“as now the secretary of state will need to be satisfied that an activity is necessary and proportionate before a warrant can be issued but in future the warrant will not come into force until it has been formally approved by a judge,” she said. “this will place a double lock on the authorization of our most intrusive investigatory powers.”anderson’s recommendation that the power to sign off warrants be taken away from ministers and handed over to judicial oversight entirely has, however, been rejected leaving the u.k. still somewhat at odds with other ‘five eyes’ allies and countries elsewhere in europe where judges are solely responsible for authorizing surveillance.commenting on this aspect of the bill, ben emmerson, the un special rapporteur on counter terrorism and human rights, arguedthat the u.k. will remain out of step with international standards if judges are not fully empowered to sign off warrants.”prior authorisation by an independent and impartial judiciary is an essential safeguard. empowering judges to weigh the balance between the competing interests at stake would bring the uk legislation into full compliance with the requirements of international law, and in particular article 17 of the international covenant on civil and political rights. judicial review after the event is better than no judicial review at all, but it falls short of the requirement to place the power to issue a warrant into the hands of an independent judge, which is where it belongs,” he wrote.
a serious question about the bill. arguably this is judicial supervision rather than authorisation. https://t.co/5qwz7oir4g
carl gardner (@carlgardner) november 4, 2015it is also noteworthy that it does alsoremain possible under the current draft bill for a senior minister to rubberstamp warrants on their own.
may clarified thatit would be possible for the home secretary to authorize an “urgentwarrant to come immediately into effect”, to avoid too much delay being caused by her double lock with the warrant thensubsequently reviewed by the panel of judges to determine whether the warrant should continue or not. however she added that in “most circumstances” there would be a double authorization for warrants.another portionof the draft billinvolves clarifying oversight rules for surveillance powers. a senior judge will be appointed as the overseeing commissioner, saidmay.”i am clear we need a significantly strengthened regime to govern how these powers are authorized and overseen. so we will replace the existing oversight with a powerful and independent investigatory powers commissioner. this will be a senior judge, supported by a team of expert inspectors with the authority and resources to effectively and visibly hold the intelligence agencies and law enforcement to account,” she told parliament.more broadly, the billseeks to enshrine mass surveillance as a lawful modus operandi for u.k. security and intelligence agencies that have already been using such digital dragnets for years, enabled by a lack of scrutiny and via arcane existing investigatory legislation (such as ripa andsection 94 of the telecommunications act 1984).
there’s a dark irony to theresa may’s admission today that the uk has secretly engaged in domestic mass surveillance since 1984. #orwell
edward snowden (@snowden) november 4, 2015
the ability for police and security agencies to use hacking (aka “equipment interference”) as an investigatory toolis also being enshrined in law.the bill refers to “bulk data” as “a vital tool in discovering new targets and identifying emerging threats”. and says a “clear statutory framework” will be provided for “all of the bulk powers available to the security and intelligence agencies”, in addition to introducing “robust, consistent safeguards across all of those powers”.responding to the draft bill in a blog post, the government’s independent terrorism legislation reviewer said the best thing about the bill is the light finally being shone ontothe operations of theu.k.’ssecurity apparatus.”for the first time, we have a bill that sets out, for public and political debate,the totality of theinvestigatory powersused or aspired to by police and intelligence agencies,” writes anderson, going to list some examples.”not everyone will be happy aboutthose powers. it will now be for parliament to decidewhether theyare justified. that is the way things should be in a democracy but rarely are at the moment, anywhere in the world. whatever the content of the eventual uk law, it will no longer be possible to describe it as opaque, incomprehensible or misleading.”
Add a comment
Keep Up to Date with the Most Important News
