Investigatory Powers Bill

Written evidence submitted by Dr Paul Bernal, Lecturer in Information Technology, Intellectual Property and Media Law at the University of East Anglia Law School (IPB 06)

Investigatory Powers Bill

I am making this submission in my capacity as Lecturer in Information Technology, Intellectual Property and Media Law at the UEA Law School. I research in internet law and specialise in internet privacy from both a theoretical and a practical perspective. My PhD thesis, completed at the LSE, looked into the impact that deficiencies in data privacy can have on our individual autonomy, and set out a possible rights-based approach to internet privacy. My book, Internet Privacy Rights – Rights to Protect Autonomy, was published by Cambridge University Press in 2014. I am a member of the National Police Chiefs’ Council’s Independent Digital Ethics Panel for Policing. The Investigatory Powers Bill therefore lies precisely within my academic field.

I gave oral evidence to the Joint Parliamentary Committee on the Investigatory Powers Bill on 7th December 2015 and submitted written evidence to follow that. This written evidence to the Public Bill Committee follows up on that evidence and on how the Investigatory Powers Bill has been amended to reach the current stage.

Brief summary of this submission

This submission makes five specific recommendations:

1) That oversight arrangements are strengthened, with a well-funded independent oversight body with powers not only to monitor the processes but the powers themselves.

2) That Bulk Powers be re-balanced, ensuring that the proportionality tests are applied when data is gathered and that the intrusive nature of the gathering of that data is considered, in line with International Law

3) That Internet Connection Records be removed from the Bill until a two-year independent feasibility study is undertaken, after which a decision could be made whether or not add them to the law

4) That the approach to encryption be clarified and reassessed, with clarity and specific statements concerning end-to-end encryption and back doors.

5) That formal reporting on the functioning of the bill be made earlier and more rigorous, including an initial report after two years.

Each of these changes should help the Bill to be better able to face legal challenge, to be more adaptable and ‘future-proofed’, and to help re-build the trust that is crucial for the functioning of both the law and the surveillance activities of law enforcement and the intelligence and security services.

In addition, I would like to make a particular plea for more time to be given to scrutiny of the bill – it is highly complex and deeply significant, and the technical and technological details mean that getting it right in both principle and detail is even more complex than with most laws. In the current atmosphere, with tension between politicians, the internet industry, civil society and others, the importance of not only taking time but being seen to take sufficient time cannot be overstated. As David Anderson QC pointed out in his report A Question of Trust, regaining trust is perhaps the single most important thing at this stage. That needs time.

1 Strengthened Independent oversight

1.1 The inclusion within the bill of a reformed oversight regime is very welcome – but it does not go as far as it could. Oversight is needed not just of how the powers introduced or regulated by the bill are being used in a procedural way but whether the powers are actually being used in the ways that parliament envisaged. Reassurances made not just within the law itself but in the various codes of practice, factsheets and other public pronouncements need to be not just verified but re-examined. As time moves on, as technology develops and as the way that people use that technology develops it needs to be possible to keep asking whether the powers remain appropriate.

1.2 The oversight body needs not just to be independent and well funded but also to have real powers. Powers to sanction, powers to notify, and even powers to suspend the functioning of elements of the bill should those elements be found to be no longer appropriate or to have been misused. Independent oversight – as provided, for example, by the Independent Reviewer of Terrorism Legislation – is not just valuable in itself, but in the way that it can build trust. Building trust is particularly critical in this area.

2 Rebalancing ‘Bulk Powers’

2.1 From a public perspective one of the most contentious areas in the bill is that of ‘Bulk Powers’: bulk interception, bulk acquisition (of communications data), bulk equipment interference (which includes what is generally referred to as ‘hacking’) and bulk personal datasets. These powers remain deeply contentious – and potentially legally challengeable.

2.2 It is these powers that lead to the accusation that the bill involves ‘mass surveillance’ – and it is not sufficient for the Home Secretary simply to deny this. Her denials appear based on a semantic argument about what constitutes ‘surveillance’ – whether ‘surveillance’ occurs when data is gathered (through any of the ‘bulk powers’ or the retention of Internet Connection Records for example), when the gathered data is algorithmically analysed, or when it is examined by human agents.

2.3 Though it is a sustainable argument in semantic terms, it is argument that potentially puts the UK (and the Investigatory Powers Bill) at odds with both the European Court of Human Rights and the Court of Justice of the European Union. Whether it is deemed to be ‘surveillance’ or not, gathering and holding data has been ruled as interfering with privacy (and engaging Article 8 of the European Convention on Human Rights) in a series of cases dating back to Marper in 2008.

2.4 That means that the proportionality of the gathering of data has to be considered, not just the examination of that data. This is what lies behind the invalidation of the Data Retention Directive in 2014, and the problems with the Safe Harbour agreement that are being wrestled with right now.

2.5 It also puts the UK increasingly at odds with opinion around the world. The UN’s Special Rapporteur on the right to privacy, Joseph A. Cannataci, said in his Report to the UN Human Rights Council on the 8th March:

"It would appear that the serious and possibly unintended consequences of legitimising bulk interception and bulk hacking are not being fully appreciated by the UK Government."

2.6 Much more care is needed here if the Investigatory Powers Bill is to be able to face up to legal challenge and not damage not only people’s privacy but the worldwide reputation of the UK. Again, proper and independent oversight would help here, as well as stronger limits on the powers. In particular, an explicit acknowledgment that the proportionality tests apply to data gathered, not just to data examined, and oversight should not just examine whether the tests were applied but how well they were applied.

3 An independent feasibility study for ICRs

3.1 The Home Office have described ‘Internet Connection Records’ as the one genuinely new part of the Investigatory Powers Bill: it is also one that has come in for significant criticism. Critics have come from many directions. Privacy advocates note that they are potentially the most intrusive measure of all, gathering what amounts to substantially all of our internet browsing history – and creating databases of highly vulnerable data, adding rather than reducing security and creating unnecessary risks. Industry experts have suggested they would be technically complex, extortionately expensive and extremely unlikely to achieve the aims that have been suggested.

3.2 All three parliamentary committees asked for more information and clarity – and yet that clarity has not been provided in either the face of the Bill or in the relevant codes of practice. The suggestion that ICRs are like an ‘itemised phone bill’ for the internet has been roundly criticised (notably by the Joint IP Bill Committee) and yet it appears to remain the essential concept and underpinning logic to the idea.

3.3 The comparison between the idea of ICRs and the Danish ‘Session Logging’ was noted by a number of commentators and responded to directly by the Home Office in their ‘Comparison of internet connection records in the Investigatory Powers Bill with Danish Internet Session Logging legislation’. That response, however, left a lot of questions unanswered: indeed, one of the key pieces of logic behind the response was that the Investigatory Powers Bill left definitions and rules around ICRs deliberately open. That, however, leaves a great deal to be desired: open ended legislation has many problems, as well as in this case again leaving the Bill open to challenge on the basis that it could enable mass surveillance.

3.4 Sir David Omand, in his oral evidence to the Joint Parliamentary Committee on the Investigatory Powers Bill, made the point that though the Danes had abandoned their session logging, they were considering reintroducing it. That proposed reintroduction incorporated a number of changes that have been suggested as making Internet Connection Records different from the failed Danish scheme, notably recording sessions instead of sampling every 500th packet, collection near the subscriber and bytes downloaded and uploaded every session. The new Danish scheme is very similar, therefore, to the suggestions for ICRs included in Annex B to the Home Office supplementary evidence to the Joint Parliamentary Committee in January.

3.5 That proposed reintroduction, however, has been put on hold at least for this parliamentary session – after an investigation and report from consultants Ernst and Young. The report has not been made public, but Danish media is reporting that Ernst and Young have confirmed the ISPs cost estimates that the investment in equipment alone would be close to 1 billion Danish Krone: around £100 million. Compared to the previous scheme – abandoned in part because of cost – this is a tenfold increase. This seems to suggest that the ISPs’ concerns about the cost of the UK scheme may well be valid – and this is even without determining whether this information would be actually useful, as the previous scheme was not.

3.6 Given all this, to introduce the idea without proper testing and discussion with the industry seems premature and ill conceived at best. Instead of including it within the bill, a feasibility study could be mounted – two years of working with industry to see if the concept can be made to work, without excessive cost, and producing results that can actually be useful, can be properly secured (so represent less of a risk) and so forth. If at the end of the feasibility study the evidence suggests the idea is workable, it can be added back into the bill. If not, alternative routes can be taken.

4 Reassess encryption

4.1 Perhaps the most contentious issue of all at present is the way in which the bill addresses encryption. All three parliamentary committees asked for clarity over the matter – particularly in relation to end-to-end encryption. That clarity remains absent in the bill – as the letter on the 15th March 2016 from Nicola Blackwood MP, Chair of the Science and Technology Committee, to the Home Secretary, put it:

"The extent to which ‘technical capability notices’ could compromise encryption services – directly or indirectly – remains a key area of uncertainty (as the high profile case involving Apple and the FBI illustrates."

4.2 The industry needs the government to be clear in the legislation that it will not ban end-to-end encryption, demand that ‘back doors’ are built into systems, or pressurise companies to build in those back doors or weaken their encryption systems. The current position not only puts the government at odds with the industry, it puts it at odds with computer scientists around the world. The best of those scientists have made their position entirely clear – and yet still the government seems unwilling to accept what both scientists and industry are telling them.

4.3 This needs to change – what is being suggested right now is dangerous to privacy and security and potentially puts the UK technology industry at a serious competitive disadvantage compared to the rest of the world. Moreover, the technology industry is moving further towards the use of strong encryption and against the idea of back doors or breakable encryption – primarily because strong encryption is the best way to deal with the growing threats from cybercriminals, hackers and so forth. The Apple and FBI case illustrates quite how hard the industry will fight to defend their right to use this technology. To effectively oppose this technology – and in practice the industry does and will see the terms of the Investigatory Powers Bill as it is currently drafted as opposing this technology – is to escalate the tensions with the technology industry. Such an approach, therefore, is not only likely to decrease trust, it is also highly unlikely to succeed.

4.4 To restore that trust and to work with rather than against the industry, the idea of end-to-end encryption should be supported, and supported explicitly. The terminology should be clearer and more direct – including using the term ‘end-to-end encryption’ rather than requiring people to try to work out what is intended. The law should be comprehensible to the technology industry and indeed to the public.

5 Formal Reporting at an earlier stage

5.1 The Bill as drafted requires the Home Secretary to lay a report before parliament after six years: in relation to this kind of bill, that is far too late. In technology terms, six years is a very long time indeed, and much of what is included in this bill needs close monitoring and testing – and that monitoring and testing should be reported back to parliament at an earlier stage.

5.2 This reporting function could be part of the strengthened, independent oversight discussed in section 1 above. Parliament should be kept properly informed on a regular basis, not just of what has been happening under the auspices of the law, but whether the law remains appropriate or needs amendment or replacement.

5.3 As Sir Edward Garnier QC MP suggested in the debate for the second reading of the bill, an initial report after two years would seem an appropriate time for the first report. This could also coincide with the end of the two-year feasibility study for Internet Connection Records proposed in Section 3 above.

The need for sufficient time

Perhaps the most important thing right now, however, is to ensure that time is needed for scrutiny for the bill. Some very significant issues that have not yet received sufficient time for examination and debate – the three parliamentary committees that have examined the bill so far (the Science and Technology Committee, the Intelligence and Security Committee and the specially convened Joint Parliamentary Committee on the Investigatory Powers Bill) all made that very clear. The Independent Reviewer of Terrorism Legislation, David Anderson QC has also been persistent in his calls for more time and more careful scrutiny – most recently in his piece in the Telegraph where he said:

"A historic opportunity now exists for comprehensive reform of the law governing electronic surveillance. Those who manage parliamentary business must ensure that adequate time – particularly in committee – is allowed before December 2016."

David Anderson is right on all counts – this is a historic opportunity, and adequate time is required for that review. That this particular call for evidence was made within a day of the second reading of the Bill, and that evidence sessions are due to begin only a little over a week after that second reading does make it look as though haste is being applied here. That would be most unfortunate: amongst other things, without a great deal of care, this bill could be highly vulnerable to legal challenge, and could include terms that are technically impractical, highly expensive and likely to be far less effective than they could be.

I hope this submission is of use to the committee, and I would be happy to provide more detailed information, either written or oral, should the committee wish.

March 2016


Prepared 24th March 2016