I’m in a symposium at Churchill College on the Investigatory Powers Bill. It’s organised by John Naughton and I’ll be speaking later on equipment interference, a topic on which I wrote an expert report for the recent IP Tribunal case brought by Privacy International. Meanwhile I’ll try to liveblog the event in followups to this post.
The lawyer Conor Gearty kicked off the session, discussing relevant cases. Mr Malone found his phone had been tapped when a policeman in court was reading from notes of one of his phone calls. He sued the British state; Megarry told him to get stuffed; the ECtHR then told the British state to get stuffed as there was no law on wiretapping at the time, so no “according to law” exception to the ECHR (which guarantees process rather than rights). Now we have IOCA etc, a plaintiff must win on “necessary and proportionate in a democratic society” which is a harder test. Alison Holford (Merseyside ACC denied promotion) won because her work phone was tapped, but not for tapping of her home phone. In Liberty v GCHQ at IPT on Tempora: is this “prescribed by law?” IPT: it depends, with GCHQ’s counsel James Eady pleading “arrangements below the waterline” made by agencies internally. Liversidge 1941: so long as the judges are in there, it doesn’t matter what they do. Also, the IPT is inquisitorial and can make up evidence on the hoof. Finally, there is a huge problem with the draft Bill with the commissioners being limited to judicial review principles – a trick the government came up with in 1985 to provide the appearance of judicial involvement (this is made worse by the demeaning behave-yourselves provisions on the commissioners). Conor has written on the “neo-democratic state” such as Belarus or even Russia which applies a veneer of democracy; Russia has ombudsmen galore. His core objection to the Bill is that it is in this tradition; it provides the appearance of democratic and judicial control rather than the reality.
Judith Townend of the IALS has coordinated a large project to trace the provenance of each of the bill’s provisions. An example is press freedom, where for example the police failed to reveal Sally Murrer was a journalist when they bugged her. Will this be fixed? Section 61(4) of the bill on tapping journalists doesn’t require an applicant for a warrant to give notice to the affected journalist, to their employer or even to its lawyers. This is much worse than PACE, which specifies an “overriding public interest in disclosure”. She recommends that there be no exception for intelligence services; and that there be a default requirement to notify legal representatives, with clear criteria for exceptions and special advocates in that case; journalist as anyone collecting information and disseminating it by mass communication. These are all recommendations from the Bingham Centre. (Here are her slides.)
David Anderson QC was third. We’re here because of Edward Snowden who told us what the government was up to, and made it clear to them that they needed a bill setting everything out. We can no longer just complain that we can’t understand section 8 of RIPA, and that the government must be deceiving us; we must discuss what the powers actually should be. He thinks the judicial independence aspect hasn’t gone far enough; he knows of no other country in the world where ordinary criminal warrants aren’t dealt with by judges, but given that the decision’s been taken to go for judicial commissioners, they might do with more technical assistance and will no doubt flex their muscles following cases such as Lumsden. The European courts are getting vigorous on this; after Digital Rights Ireland and Schrems, watch out for Davis and Watson: if the court were to repeat what it said in Digital Rights Ireland, and demand judicial authorisation even for traffic data, then the whole system of SPOCs would have to be completely reworked while the IP Bill is still in progress through Parliament. He also agrees with notifying journalists about wiretaps. As for academics, we should be sending our ideas to members of the House of Lords, who can make a difference.
In discussion, it was noted that the Eurosceptic David Davis is having to rely on Europe, which he abhors, to make the case for the human rights he supports; we’re all journalists now, and in Field v UK the European Court has confirmed this; the Bill is mean-spirited in many ways, such as in the restrictions on judicial commissioners, when what’s needed is a clear statement of their independence; we also need a mechanism whereby the commissioners can come back for more powers once they have the evidence that they need them, like the public health officials responsible for sewers in Victorian Britain; we need to cultivate the ability to tell stories, as the terrorists do, and as a few people on our side such as Shami Chakrabarti also have; magistrates may get in the way of trading standards data collection by forcing them to wait 4–6 weeks for a warrant, but this is no argument against having full-time high court judges reviewing serious warrants, especially for bulk interception; it’s not clear who won the Miranda case and who lost it; the definition of terrorism is so wide that the courts trimmed it in the case of someone advocating against vaccination; the Home Office likes to control warrants, as a means of controlling the police – but then why not get ministers to sign search warrants for houses, and warrants to place bugs in cars?; and the proportionality test is too amorphous, which makes people worried about giving power to judges.
The second session was started by Richard Clayton whose expertise is traceability online: “Who did that?” RIP in 2000 taught us how many agencies do law enforcement, and the 2005 EU directive got us a tardis to go back in time. However it was very specific about what had to be retained, perhaps because the drafters didn’t want to frighten the horses; a side-effect was that mobile Internet access became untraceable, as you share an IP address with a thousand other people and the web sites you visit don’t log source port addresses along with IP addresses. Then in 2014 the ECJ caused the Directive to disappear in a puff of smoke, and the supposed fix is “Internet Connection Records”, in clauses 49, 71 and 193. It turns out they enable you to ask not just who did that, but what else they accessed and who else accessed those sites. The Home Office explanatory notes helpfully say this is to solve the mobile IP resolution problem using an intersection attack, but it won’t actually work for that (unless they use other powers to order the phone companies to randomise IP address allocation). The law actually lets them do much more: it gives everything they need to support snowball searches and other powerful complex queries. The effect of this is that we’re moving an interception-like capability out of the hands of the Secretary of State and into the hands of a police superintendent, who will be able to use the website URL plus the page size to identify the actual page the suspect looked at in many cases. What the bill should do instead is list the capabilities that agencies should be able to get with given levels of authorisation, rather than hiding everything behind technical detail (and that will change anyway, so listing capabilities instead will be more future-proof).
Next was Lorna Woods with a lawyer’s view. Access to comms data is a low-level process despite the filtering, and access is available for a wide range of purposes including ordinary crime, disorder and the identification of people, though there are some controls on ICRs to prevent fishing exercises (see clause 47). The scope is expanded from public telcos to private operators, and operators can now be required to create data, which makes the title “retention” somewhat misleading (the retention powers are in clause 71). The provisions are complex, unwieldy and abstract; they are not limited to person-to-person communications but are ready to be rolled out to the Internet of Things. In particular she doesn’t think 71 a-e have predecessors but doesn’t claim to understand them; there are building blocks of 12 or 14 definitions to build up what’s being talked about. Phrases such as “data includes information that is not data” serve to suggest that the real function of the definitions is not to set limits but to ensure that there are none. Now the right to form and hold an opinion is not capable of being restricted under section 19 of the International Covenant on Civil and Political Rights, and the UN has made clear that opinion is formed online, so this process is protected and in Lorna’s view this is completely incompatible with blanket data retention. The act is also so vague and uncertain that it doesn’t let people understand what’s caught and what’s not.
The third speaker, Ray Corrigan, noted that the bill has created more heat than light, but ICRs are one topic that’s getting rapidly expanding coverage thanks to Richard’s explanations. He discussed the coverage in the Science and Technology Committee’s report, the Home Secretary’s supplementary evidence to the committee, and industry’s dispute with her claim that collection is feasible. The extra-territorial aspects of the bill just don’t seem to have been thought through. He wants parliament to abandon the collection of ICRs.
Points made in questions included the need for gathered data to be of evidential quality; the difficulty of regulating the negotiations between the government and the companies about what can be got and how; the huge amounts of money thrown at the industry to create intercept capabilities; the cosy and mutually supportive relationships that develop between government and industry as a result; the vanishing privacy of your searches and location history, against industry as well as the state; the lack of understanding of what the bill means, and where we do understand it, what the practical consequences will be in a changing world; the lack of an obvious link between our behaviour and the response of the government; that local authorities will get plenty even if they don’t get ICRs; perhaps the spooks really just wanted netflow and would have settled for a sample of the data, but the Home Office gold-plated it to “all data” which will be a bonanza for makers of disk drives; some ISPs’ routers don’t do netflow, but clause 189 can require them to install specified capacities, so with this they might be required to re-equip; we really need a simplifying definition of surveillance, like we have of fraud in the Fraud Act or of computer misuse in the Computer Misuse Act, and to do that you need to think of the law, not of the problems; this is the “May bill” in that you can do anything you like provided Theresa May gives you a piece of paper saying it’s OK; it says they can do anything they want because they’re already doing whatever they want and they want the courts to stop telling them to stop.
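The mobile IP resolution point from Richard Clayton's talk above, as an added example that is not part of the liveblog or of any speaker's material: a constructed carrier-grade NAT lease log (100 subscribers, 10 shared addresses, hourly leases, all assumed and scaled-down values) resolved against a web log with and without source ports. It shows that without ports every sharer of the address remains a candidate, and that intersecting several visits only narrows the set when the address allocation changes between visits.

```python
"""CGNAT attribution model. Every name and number here is constructed:
100 subscribers share 10 public IPs, leases last one hour, and each lease
gives the subscriber a block of 1000 source ports on its public IP."""
from __future__ import annotations
from typing import NamedTuple, Optional

N_SUBS, N_IPS, PER_IP, LEASE = 100, 10, 10, 3600


class Lease(NamedTuple):
    start: int        # epoch seconds, inclusive
    end: int          # epoch seconds, exclusive
    public_ip: str
    port_lo: int
    port_hi: int
    subscriber: str


def build_nat_log(hours: int, reshuffle: bool) -> list[Lease]:
    """Carrier-side lease log. reshuffle=False: a subscriber keeps the same
    public IP every hour. reshuffle=True: the grouping changes each hour
    (a deterministic stand-in for randomised address allocation)."""
    log = []
    for h in range(hours):
        for i in range(N_SUBS):
            group, slot = divmod(i, PER_IP)
            ip_idx = (group + slot * h) % N_IPS if reshuffle else group
            lo = 1024 + slot * 1000   # port block is unique per IP in each hour
            log.append(Lease(h * LEASE, (h + 1) * LEASE,
                             f"192.0.2.{ip_idx + 1}", lo, lo + 999, f"sub{i:03d}"))
    return log


def candidates(log, ip: str, ts: int, port: Optional[int] = None) -> set[str]:
    """Subscribers who could have sent a request from ip at ts. Without a
    source port, everyone leasing that address at that time matches."""
    return {x.subscriber for x in log
            if x.public_ip == ip and x.start <= ts < x.end
            and (port is None or x.port_lo <= port <= x.port_hi)}


def intersect(log, events, use_port: bool) -> set[str]:
    """Intersect the candidate sets of several (ts, ip, port) web-log events."""
    result = None
    for ts, ip, port in events:
        c = candidates(log, ip, ts, port if use_port else None)
        result = c if result is None else result & c
    return result or set()


def web_events(log, subscriber: str, times: list[int]):
    """What the visited site could log for one subscriber's requests:
    (timestamp, source IP, source port), the port drawn from the lease block."""
    out = []
    for ts in times:
        lease = next(x for x in log
                     if x.subscriber == subscriber and x.start <= ts < x.end)
        out.append((ts, lease.public_ip, lease.port_lo + 7))
    return out


if __name__ == "__main__":
    times = [100, 3700, 7300]          # one request in each of three hours
    for reshuffle in (False, True):
        log = build_nat_log(3, reshuffle)
        ev = web_events(log, "sub042", times)
        print("reshuffled" if reshuffle else "sticky",
              "| IP only:", len(intersect(log, ev, use_port=False)),
              "| IP + port:", len(intersect(log, ev, use_port=True)))
```
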
The early afternoon session was started by Ian Walden, talking on what is, what will be and what should be. He accepts that the IP Bill potentially improves things as all the powers are sort of there, but in broad form under the Intelligence Services Act etc., where equipment interference is a subset of property interference. The control regime was only made public last February with the draft EI code of practice. The other side of the coin is immunity; and in April last year the government amended the Computer Misuse Act just before the IPT case brought by Privacy International. Also, the Act can only protect our agencies from domestic criminality; in the Gorshkov case, the FBI agent was the subject of an arrest warrant from the Russian police. And don’t forget the other acts of parliament too, and don’t forget that acts are lawful with the consent of the controller of the resource, in which case it doesn’t count as “equipment interference”. The government must also clarify that software and hardware manufacturers won’t be targeted for assistance with implanting malware, and there should be tight restrictions on secondary uses of data obtained from interference, e.g. surveillance shading into disruption. Where there is no intention to prosecute, no oversight mechanism arises through the criminal justice system, and we need very much tighter oversight. Finally we need to know a lot more about bulk interference as it raises many serious questions.
I was next; my talk covered the material in my IPT expert testimony, and my slides are here.
Questions included whether interference with standards might be considered equipment interference; that the US third amendment enables people there to refuse to help the state to harm their neighbour; whether we should be able to “target” a few hundred people in Luton as we might do in Aleppo; that if I run an open wifi, I’m technically a comms service provider and I can be compelled to spy on my neighbour; whether targeted interference can be done in bulk ways, as allowed by thematic warrants under clause 81, and indeed why bulk warrants are needed at all; the GCHQ hacking mentality shown by the smiley face in the slide on how they hacked the link between Google data centres; that the law is just as open to hacking as software, with ingenious lawyers being in demand by the agencies and their work product including the doctrine that it’s only “interception” when a human being looks at it; that equipment interference was outside scope for David Anderson and RUSI, so this field has not been studied by any independent person with access; whether a judge worth his salt would allow a thematic warrant of the kind that’s technically possible, such as “hack all mobile phones in Liverpool”; whether large asks such as software backdoors would get past judicial commissioners disguised as targeted requests; the reaction of other EU countries to bulk interference that affects them; whether the EU consistency mechanisms could be triggered against a UK company leading to fines of 4% of turnover being triggered by a non-UK enforcer; whether we can find non-governmental mechanisms to fix some of the problems, such as bug bounty programmes; and when there’ll be a Milly Dowler moment that causes the public to take these issues seriously.
The first speaker in the fourth session was David Vincent, who noted that only three harm stories are used to support the bill, namely terrorism, drugs and pedophilia. Anthony Glees notes that it’s no longer unthinkable that people on the extreme right or extreme left might hold political office in Britain, and use these powers for other purposes. So should the Prime Minister be able to censor the report of the IPT? And what does “economic wellbeing” mean as a means of surveillance foreseeability; is anyone who objects to the reduction of the national deficit liable to come to MI5’s attention? The meaning of EWN is surely different now from the late 1940s when the words were put in ECHR article 8.2; it’s entirely an exercise in keeping human rights at bay. The Home Office still maintains that the words give foreseeability and compatibility with the rule of law, and have been copied from one Act to the next despite the opinions of many other groups and lawyers, from Liberty to Lord Carlile.
Next was Nora ni Loideain who explained that the Bill provides for mass surveillance and ECHR proofing at the same time. This raises issues of legality, necessity and (hardest) proportionality. Thanks to Strasbourg (and Luxembourg) the ECHR is a living document, kept up to date on technology by precedent; and it has more and more to say on mass surveillance. The Strasbourg court follows a strict interpretation, and Luxembourg even more so; we’re all awaiting the outcome of Davis and Watson. Is the IP Bill proportionate? It’s so vague that in a lot of cases there is no evidence of a “pressing social need” (and in any case the UK government prefers to talk of an “operational case”, in which case we might at least ask for evidence of effectiveness). There is no evidence for the Food Safety Authority (for example) needing access to ICRs, or for bulk personal datasets. In fact we need not just a tighter surveillance law but a review of the entire system. Maybe we need a US-style Privacy and Civil Liberties Oversight Board.
The third speaker was Andrew Murray, who wrote to all MPs after the election asking for clarity; what we have is doublespeak, doublethink and Double Dutch. We’re told the powers are mostly not new, but they’re mostly not powers anyone realised the government had. The magic juju words that make the European court go away such as national security, economic wellbeing are not in the EU treaty, which is why the Luxembourg court is more robust. We need a proper judicial check; anyone who works as an academic knows that second marking isn’t as effective. We also need an end to bulk data retention; we don’t need large repositories of personal data kept insecurely by private companies, and following Digital Rights Ireland we expect that Watson and Davis will confirm this. The current government won’t concede either in parliament. In practice the comms databases are the poor man’s Tempora; the cops get something without waiting 6 weeks for GCHQ.
Discussion points included the necessity of retaining enough data to link IP addresses to physical people, else no investigations of online crime would be possible; that we’re starting to get some real data on proportionality in some areas such as the retention of DNA data that had to be produced in the Marper case; the gradual emergence of text on what “national security” means, for example in the 2010 National Security Strategy, which might eventually clarify those juju words; whether “economic wellbeing” means compromising the privacy of all of us in order to protect the relative wealth of an elite; whether it squares with the Single Market; whether there is in fact a sharp boundary between EU and non-EU in any case; whether the bill will actually damage Britain’s economic well-being; whether some “discriminate” forms of mass surveillance may be compatible with ECHR; and whether a Luxembourg judgement in Davis and Watson’s favour could play into the Brexit camp.
The fifth session was started by Adrian Kennard who runs an ISP and a company that designs routers. He notes that the Bill brings into scope all sorts of private networks, from Janet to your local pub; they might be ordered to buy the “right” sort of router, which could harm his business. Even if he’s too small to ever get any orders to help with equipment interference, it will be a real problem if his customers think he might be. This is also the first time communications providers have been asked to create records for logging, rather than just retain stuff they created anyway; that has a huge potential for costs, of development and storage. Will they be asked to reconstruct all TCP sessions and look for the host header in http? Or to look for end points of phone calls, or cert IDs in https? Once someone sells big shiny black boxes, everyone can be ordered to buy them, small vendors get killed, and the big boys will be in bed with the Home Office. No-one will be allowed to discuss what they’re ordered to do, so they could be ordering different ISPs to do different things. Not only will no-one but a few insiders with security clearances know what the black boxes are doing, but innovation will be killed as a side-effect. The powers to remove protection undermine the claim that encryption won’t be banned or weakened. How can you make a business plan for a product or service that uses end-to-end encryption if you might be obliged to remove it? Also, you can be required to remove encryption provided by someone else, without an “if feasible” get-out, which means that carrying an encrypted service might be a crime. Also, this is the first time communications providers have been required to help with hacking, which for his companies means that his ISP could be ordered to undermine the security that his other company sells his customers. If that happens he’ll move Firebrick out of the UK, which will be bad for “economic wellbeing”.
Finally they currently declare that they have no orders; they asked the Home Office what they’d have to do if they got an order. Neither confirm nor deny? Either he commits criminal fraud, or a civil wrong under the current bill, and he’ll resist being ordered to commit fraud, but either way it’s bad for business confidence. As for fixing it, much of the bill should be scrapped and the bad things that Snowden disclosed should be stopped. EI should be legal but not mandateable; companies should not be forced to break trust with customers; data retention should be limited; ICRs should be clearly defined; and all costs must be met in full. This law is about providing services to law enforcement; no-one selling them photocopiers would be expected to provide them for free!
The final session covered impositions on companies and the effects thereof.
A record being kept of every citizen who has accessed the DepressionAlliance is something that resonates with the public.
Julian Huppert talks about how his IP bill experience started with Charles Farr showing up in his office late one night, and the history we’ve found out about since then, such as the general power of s94 Telecommunications Act 1984. Some uses of this power have not yet been avowed.
On encryption, it’s unclear.
On “entity data”, as an academic, he noticed that it covers “any information your university has that may describe” him, which includes any health records that a university may hold from when he was a student.
On Computer Network Exploitation, hacking LINX would be an easy way to achieve a range of the Bill’s aims, but if they got it wrong, they might accidentally break the entire UK internet.
What the Home Office think the bill means now matters; but it also matters what those think who will look at it elsewhere and interpret it for their own purposes.
Final session questions:
Questions to panel, 85% of tax returns were paid online. 1 in 3 adults access their bank accounts online every day; and these all depend on encryption. Emergency response processes tend to be stored on computers, and if critical national infrastructures are to be relied upon, they need to be reliable.
All companies do a great deal of work to protect their systems from hackers and misc criminals. Unfortunately, it turns out that GCHQ has sided with the criminals.
The first case study in the Cambridge MPP is on encryption, and what the process should be to test the distinction between cybersecurity and cyberoffense. The answer always comes out the same for the public interest: protection wins, unless the rules are skewed. Unfortunately, the rules are heavily skewed.
MLAT reform is absolutely critical, as it will make our system entirely compatible with the US framework, which can be used to make access easier for law enforcement in particular cases.
Is a Facebook “like” communications data or content? Every group is entirely certain as to which they are; unfortunately, there is no agreement between different groups as to where the boundaries lie.
Some customers choose particular ISPs because of their stance on privacy (& IPv6) issues; yet not all those concerns are within the control of ISPs.
TechUK wanted to make clear that the tech industry has been trying on this, and has some good headings in their submission to the IP Bill committee.
The bill is unlikely to stand the test of time as the commercial world evolves at the normal pace.
Concluding comments
For every terrorist case that’s happened, the problem hasn’t been that the terrorists weren’t known; it’s that they were under attention but they didn’t have the staff to do what they were doing already. Had the Home Office processed the paperwork on time, they’d have started intensive surveillance on the killer of Lee Rigby before it happened.
Project Spade in Canada handed a large amount of data to the UK of people who had bought child abuse images. 2345 named individuals, with credit card details, including those of a doctor in Cambridge who was continuing to abuse children. It was ignored for 16 months because the officials didn’t bother to read their email.
New technical powers may not help with the actual problems.
Phew, alarming to say the least even if I am not that familiar with the details.
Will the presentations and discussion details be published…somewhere?
Ross and Sam many thanks for your excellent efforts