Investigatory Powers Bill

Written evidence submitted by Kevin Cahill FBCS.CITP, FRHistS (late FRSA, FRGS and F. Institute of Petroleum) BA. (IPB 37)

By background I am a former soldier, educated at the Royal Military Academy Sandhurst. I served in the infantry as a platoon commander in anti-terrorist operations in Aden and Northern Ireland. I left the army in 1968 and started in the high tech industry as a computer programmer, later a systems analyst and finally a project manager. I left active computing in 1979 and became an associate editor at Computer Weekly. I specialised in reporting on the supercomputer sector, attending most of the European supercomputer conferences between 1986 and 2008. I sponsored a supercomputer seminar in the House of Lords in 2012.

Since about 1984 I have been an advisor to various Members of both Houses on matters such as High Tech Export legislation, the Copyright Act and now the Investigatory Powers Bill.

The Investigatory Powers Bill 2016.

Summary. The Bill, which is essential in principle, is wholly incomprehensible to the average citizen of the UK, all of whose rights are affected by the Bill. It seeks to limit privacy rights and key legal rights, to innocence and to reasonable suspicion, but hides this in otiose language and incomprehensible legal structures. In the face of terrorism trust needs to be maximised between a state and its people. That is demolished by the mass surveillance (bulk collection) aspects of this Bill. The US experiment with mass surveillance in the UK (PRISM) has been a criminal and legal disaster from which HMG appears to have learned nothing, not even the illegality of the roundup of children’s data in the bulk collection proposal. The cost estimates supplied with the Bill are essentially fictional and need a total rethink. The abolition of the Human Rights Act, which is implicit in the Bill, should not happen, under any circumstances.

Main text index.

1. General comments on impenetrable nature of the Bill to a lay person.

2. Purpose of the Bill altogether unclear and it creates a general warrant.

3. Digital makes no difference to personal communications, or rights. Getting a warrant

4. Trust between state and people seriously damaged by the Bill.

5. Mass surveillance in the UK has already failed with criminal and unlawful results.

6. HMG ignores actual mass surveillance in the UK, learns nothing.

7. Costs of the project as presented with the Bill are ‘fictional’.

8. Will the project work? Government record is diabolical in the area of big systems.

9. Bulk collection data to be held by those convicted by the ECJ of illegal interception and theft of data.

10. The Children’s data. No legal provision.

11. The IP Bill creates a digital safe haven for terrorists.

Appendix A. Sir Anthony May on the criminal and civil law of mass surveillance.

Appendix B. The findings of fact of the European Court of Justice in relation to criminally illegal mass surveillance (in the UK)

Appendix C. The view of GCHQ on extraterritorial jurisdiction.

1. General.

The Bill is 245 pages long and I have read it line by line. To quote a professor of computing speaking at the Royal Society on the occasion of the 2016 Lovelace lecture by Professor Ross Anderson on 10th March 2016: "No layman will ever read this bill and if they did they would not understand it." This is a bill that seeks to limit and dilute at least one right, the right to privacy, which is held by each of us individually, all 64 million of us. The bill ignores this inconvenient fact in the ‘bulk collection’ and seeks to bypass us all.

A moment will soon come when the public will say, "Enough", "If I cannot understand the law, how can I obey it?" In a long series of incomprehensible Acts, compiled in legalese so dense it is doubtful if even Parliamentarians understand them, this is one of the worst. And, because the core purpose of the IP bill is so essential, all the more reprehensible for that. We do need an Investigatory Powers Bill, but this is not it.

2. Purpose of the Bill

We are told that the purpose of the Bill is to assist in the fight against terrorism, serious crime and paedophilia, in the digital age. It is impossible to see how the fight against terrorism is to be assisted by the Government spying on all of us, when what is needed is the opposite. We need a Bill that recognises and reinforces our rights, not dilutes them, a bill which trusts us, the people, to be, as we always have been, the frontline against our enemies and the best soldiers of all in the fight against the current IS type of terrorism. Instead, we are to have our rights severely diluted, rights which the Rt Hon Dominic Grieve QC, MP, PC, Chair of the Parliamentary Intelligence and Security Committee, has already indicated should have been at the heart of the bill and should have been its backbone. Instead we are to be spied on by our own government.

Let me give just one brief example of the incredibly poor analysis and thinking behind this Bill. The Bill proposes the bulk collection of communications data, a de jure warrantless act of mass surveillance, of the whole population; every one of the 64 million of us in the UK.

What the Bill actually does is create a general warrant, against us all. That being the case the mass surveillance, collection and storage will include the data of about 2.9 million children. What has children’s data got to do with serious crime apart from being a form of paedophilia itself? But no one in the Home Office thought of the children. And please see Para 10 to see what the NSA does with the children’s data they steal in the UK.

Exactly what part in the fight against terrorism will the data of children aged between 3 years and even just 10 years old, serve? There is no indication in the Bill that children will be protected from mass surveillance by the insertion of an age limit on the ‘take’. Small, but indicative of the slovenly thinking behind the bill.

In summary. This should be the last Bill ever sent to Parliament in which the public are patronised, deceived even, by the obscure language used in the Bill, by the Bill’s incomprehensible length, and by the dishonesty of the explanation for the Bill’s necessity. If we need an Interceptory Powers Bill, and I believe we do, let us have an honest explanation for it, and not the PR gobbledegook of "best interceptory powers regulation" in the world. This Bill is nothing of the sort.

3. Digital makes no difference. The mail is the mail however sent.

The digital age has made no difference to the fact that a home is a home and communications are as they always were, items of human creation. E mails, tweets and so on are the modern mail. All are protected by privacy principles derived from English Common law going back to Magna Carta and earlier, and more recently incorporated in the European Charter of Human Rights, which derives its history and strength from its English roots and from Magna Carta.

If the state wants or needs to interfere with any of those rights it simply needs a warrant. It does not take 245 pages of legal doggerel to say "Get a warrant".

4. Trust

David Anderson QC and an issue of trust. Nothing could be more germane to this Bill than the title of David Anderson QC’s report which preceded the Bill and is called "An issue of Trust". In place of trust this Bill seeks a general warrant against the population as a whole, via the ‘bulk collection’ powers. The Bill would therefore repudiate the common law and constitutional concept of innocent until proven guilty and would eliminate the principle of ‘reasonable suspicion’ before a warrant for investigation or interference is issued. The Government intends to give itself a warrant against the entire population, via this Bill. In other words the Government sponsoring this bill not only does not trust the people, it views them all as suspects. It views all the people of the country with suspicion and is attempting to use Parliament itself to impose that suspicion on everyone via the general warrant hidden in the Bill.

5. Trust, PRISM and mass surveillance in the UK.

Beginning in September 2007 the UK came under a programme of mass surveillance that was both criminal and unlawful. (See Sir Anthony May QC, PC, to the Prime Minister Appendix A) This is not conjecture but the findings of fact by the European Court of Justice on Oct 6th 2015 in Schrems v Ireland. (Appendix B) The European Court, whose judgement is binding in the UK, found that the US was engaged in "indiscriminate mass surveillance" using PRISM in Europe and the UK. This programme intercepted the e mails of 67% of the UK’s internet user base of 89% of the population of 64 million, that is to say 56.9 million people. Of that 89% of the population about 67%, or 38 million, including about 2.9 million children between the ages of 3 and 17, are estimated to use the services of the companies executing the PRISM programme.

The PRISM programme was not executed in the UK from the US, but was run by 9 companies, all registered in the UK and all identified in the European Court evidence. They are Apple UK, Microsoft UK (including Hotmail), Google UK, Facebook UK, Yahoo UK, Youtube UK, Pal Talk US, AOL UK and Skype UK. The instructions given to those 9 companies were as follows: to intercept and obtain their clients’ "E mail, chat, video and voice, videos, photos, stored data, VoIP, file transfers, video conferencing, notification of target activity, logins etc, Online social networking details, special requests." For interception of e mails see Sir Anthony May. For mass theft of data, see also Sir Anthony May.

The 9 PRISM companies received their original instructions for the interception and theft from the US National Security Agency, a part of the intelligence structure of our key ally, the United States. This was done on the grounds that a US law, the Foreign Intelligence Surveillance Act, has universal jurisdiction and can authorise crimes in other countries, that would be crimes if executed in the US. Like the extraterritorial aspirations in the IP Bill, this is the megalomaniac aspiration of a power that is out of control and outside the law. When it cannot commit crimes at home, it goes abroad to commit them. Let us eschew this absurd initiative. For GCHQ’s view on ‘extraterritoriality’ see Appendix C.

US law does not run in the UK any more than UK law runs in the US. A law passed in the US cannot make a crime committed in the UK lawful. The same applies to UK law. The US is our ally, not our enemy. But why is it spying on 38 million people in the UK? And what has HMG done about it, that might earn some trust in relation to the IP Bill?

The US experiment in mass surveillance in the UK has been judged criminal and unlawful. It has eroded trust between allies now engaged in a battle against indiscriminate terrorism. Mass surveillance and extraterritoriality manufacture distrust, not trust.

6. Actions by the UK Government upon discovering what PRISM was in June/July 2013.

The director of GCHQ, Sir Ian Lobban, retired at the age of 53 in 2014.

His replacement, Robert Hannigan, wrote an article for the Financial Times on his first day in office, Nov 4th 2014, saying that "The web is a terrorist’s command-and-control network of choice". He then levelled the most extraordinary criticism at the ‘internet giants’, in effect the PRISM 9. Such an article could only have been published with the express permission of the head of the intelligence structure, the Prime Minister, David Cameron.

This was state to state level megaphone dialogue. And it did not work. PRISM is still running according to Robert Litt in his recent letter to the European Commission in relation to ‘Privacy Shield’, the replacement for the repudiated ‘Safe Harbour’ agreement for the legal transfer of data from the UK and Europe to the US.

On the ground 38 million people, UK residents and citizens, are affected by the PRISM ‘experiment’ in mass surveillance. About 2.9 million of those affected are children. They too had their e mails intercepted and their data stolen. So far the UK government has done nothing about this but expects the public to accept a bill that attempts to replicate the PRISM criminal activity but with Parliamentary approval.

The criminal aspects of PRISM are for the police to deal with; the unlawful aspects and the breaches of the Data Protection Act are for the Information Commissioner, Christopher Graham, to deal with.

On December 10th 2015 the Investigatory Powers Tribunal heard a complaint from me on behalf of myself and Child A, aged 7 and Child B, aged 5, and their parents. All of us had our e mails intercepted by some of the PRISM companies, and our data stolen by them, a fact of law since the ECJ judgement on Oct 6th 2015.

The IPT, a High Court equivalent, sent our complaint to the Metropolitan Police and the Devon and Cornwall Police and to the Information Commissioner.

The Met have refused to act, the Devon and Cornwall police, likewise. The Information Commissioner, who has a statutory duty to implement the judgement of the European Court in the UK, has done nothing and formally refuses to do anything.

And we are supposed to trust the promoters of the Bill, the Home Office, who are supposed to see that the police investigate serious crime. And we are supposed to trust the IPT to enforce the law. The performance of the authorities so far generates neither trust nor assurance.

The point of all this is to show that, not only is the Bill incomprehensible to 99% of the population, so also are the remedies for breaches of the IP and of Human Rights by the authorities. The cost of judicial review, or of going via lawyers to the IPT, is between £10,000 and £20,000. This Bill has put the right to privacy, art 8 of the Human Rights Act, firmly out of reach of legal remedy for 97% or more of the UK population.

The Government’s approach to the Human Rights Act and the problems this will raise with the IP Bill is to abolish the HRA. This is not an accident but the inevitable outcome of a Bill that is untrue in its argument and deceitful in its facts. If rights get in the way of unlawful executive action you abolish the rights, of course! Abolition of the HRA will not abolish the rights established by it. It will merely extend the mistrust in which the authorities are held.

7. Costs. Wholly mythical as indicated with the bill.

On Jan 29th 2016 I asked the Home Office for clarification on the costs of implementing the bill, which had been put, variously, at £174 million or £274 million over 10 years. I asked for a ‘quotable’ estimate for the project. It is 22nd March and there is no corrected estimate available from the Home Office. However, and on a wholly realistic basis, companies within the IT industry are now quoting figures of £1.2 billion just to set up the bulk collection part of the project. This is being done just as Denmark, the Home Office’s preferred ‘reference’ nation, has cancelled its mass surveillance project.

The full cost of implementing this project over 5 years is more likely to be £2bn, not just £1.2 bn as recently suggested by the IT industry; with the cost of running it about £500 million a year or more.

This assumes that the project will work.

8. Will the project work?

No one has ever written software for the kind of bulk collection implied in the Bill. That is a wholly critical unknown that should have been worked out long before the Bill was sent to Parliament. To have incorporated a wholly fanciful ‘mass surveillance wish list’ and to send it to Parliament effectively uncosted as this is, is totally irresponsible.

The government’s record in creating and delivering large IT projects is terrible. Allied with that are the ‘fictional’ cost estimates supplied with the Bill.

9. The criminals get to legally hold the data they used to steal.

In addition, most of the companies who will be ordered to collect and store this data are likely to be the same PRISM 9 who have spent the last 9 years intercepting e mails and stealing data in the UK, unimpeded by HMG, even when they were thieving HMG’s own data, and that of Parliament. At least the PRISM companies have experience of criminal interception and theft, which is what this Bill seeks to legitimise. (for them?)

10. Uses of the ‘bulk collected’ mass surveillance material. Children’s data

Apart from the absence of software to run the mass surveillance, and to store it, the Home Office has given no indication of how the Intelligence Services are supposed to use this mass surveillance data.

There is an un-stated assumption that the machines, the supercomputers and the software, will sort all this out. They won’t. They have failed in Denmark and the facts about PRISM suggest that it is effectively a mirage, only possible because the crimes involved are committed outside the USA.

There is only one example of the kind of mass surveillance proposed by the bill where there is evidence of how it is used.

This is PRISM. Based on Snowden’s evidence, which is now actual court evidence at the ECJ, all 14 lever arch files of it, and the evidence of a number of other National Security Agency whistleblowers, the mass of data collected is converted into individual files on people, communities and companies. Those files are called ‘profiles’ and are used to ‘manipulate’ the individuals, companies and communities involved. Manipulation, according to the whistleblowers, can mean something as simple as media pressure to go along with a government policy, or blackmail of political individuals.

The most serious aspect of all is that of the children’s data from the UK. The NSA stores that permanently. The children have no access to it. It can be used anytime during their lifetimes to affect their careers and lives. HMG is fully aware of this but has failed to explain its inaction over PRISM, or what its own plans for its own equivalent of PRISM are, save to ask for them in the Bill.

The theory of PRISM as sold to the US authorities by the NSA is that PRISM gives the US universal mass coverage of the planetary population. It doesn’t.

Both Russia and China have developed blocking mechanisms and de facto US reach fails with the two putative enemies, presumably the most important targets of all. But the countries without such protective mechanisms as Russia and China are in many cases America’s allies. So what the US has wound up doing is spying on its allies’ populations. Not the best thing if you want to be trusted. Worldwide, PRISM reaches about 140 nations, about 70% of the world’s countries. Within, say, the UK, the reach of PRISM is about 67% of the population and that’s before the problems within the data itself occur: poor reconciliation of individual records, mismatches between source data and final profile and so on.

A system of universal mass surveillance is a system designed to damage alliances at great cost, for very poor rewards, since the potential adversaries are out of effective reach of PRISM and similar experiments in digital megalomania.

But the Interceptory Powers Bill proposes that we go down this route.

11. The Investigatory Powers Bill creates a safe haven from surveillance for terrorists.

Finally there is a danger that the IP Bill will create a safe haven for terrorists. About 9% of the UK population, about 5.7 million people, are not on the web or a mobile and will escape this mass surveillance. It won’t take unfortunately intelligent terrorists long to work out the ‘blind spot’ in the system, and avoid mobiles and computers altogether.

March 2016

Appendix A. The view of the Rt Hon Sir Anthony May QC, PC, on mass surveillance and UK law.

Report of the Investigatory Commissioner the Rt. Hon Sir Anthony May QC, PC, to the Prime Minister the Rt Hon David Cameron MP, PC.

Laid before Parliament on 8th April 2014.

1.4 "Public concern has centred on potential intrusive invasion of privacy. (Arising from the Snowden revelations) Such concerns have been expressed publicly in the United States, Europe and other countries with greater force perhaps than in the UK. But unjustified and disproportionate invasion of privacy by a public authority in the UK would breach Article 8 of the European Convention of Human Rights just as much here as in other parts of the European Union" (Sir Anthony’s bolding)

2.4 "Section 1(1) of RIPA makes it an offence for a person intentionally and without lawful authority to intercept at any place in the United Kingdom, any communication in the course of transmission by means of a public postal service or public telecommunications system…."

Appendix B. The findings of fact of the European Court of Justice on 6th Oct 2015 in Ireland v Schrems.

The Findings of fact by the Irish High Court on June 18th 2014 (Hogan J), subsequently incorporated in the European Court of Justice judgement in Schrems v Ireland on 6th Oct 2015 and used to strike down Safe Harbour. There is no appeal against this judgement. Rights of audience were available to the US Government and Facebook at the Irish High Court. They were not taken up.

Par 11. According to the Washington Post the programme is code named PRISM and it apparently enables the NSA to collect personal data such as e mails, photographs and video from major internet providers such as Microsoft, Google and Facebook. This is done on a mass scale in accordance with orders made by the US Federal Intelligence Court sanctioning such activities.

Par 12. In a report in the Guardian newspaper dated 31st July 2013 it was claimed that a top secret NSA programme entitled "X Keyscore" enables it to collect "nearly everything a user does on the internet". The report further claimed that "A top secret NSA programme allows analysts to search with no prior authorisation through vast databases containing e mails, online chats, and the browsing history of millions of individuals, according to documents provided by whistleblower Edward Snowden".

Par 13. While there may be some dispute regarding the scope and extent of some of these programmes, it would nonetheless appear from the extensive exhibits contained in the affidavits filed in these proceedings that the accuracy of much of the Snowden revelations does not appear to be in dispute. The denials from official sources, such as they have been, were feeble and largely formulaic, often couched in carefully crafted and suitably ambiguous language designed to avoid giving diplomatic offence. I will therefore proceed on the basis that personal data transferred by companies such as Facebook Ireland to its parent company in the United States is thereafter capable of being accessed by the NSA in the course of mass and indiscriminate surveillance of such data. Indeed in the wake of the Snowden revelations, the available evidence presently admits of no other realistic conclusions.

Par 14. It is however appropriate to note that many of the activities of the NSA are subject to the supervision of the Foreign Intelligence Surveillance Court as provided by the US federal statute, the Foreign Intelligence Surveillance Act 1978 (the FISA Court). The FISA Court is a specialist court consisting of federal judges enjoying standard constitutional guarantees in relation to tenure and independence. This court entertains applications by the NSA for warrants in relation to foreign surveillance and interception of communications.

Par 15. It would seem, however, that the FISA Court’s hearings are entirely conducted in secret, so that even the Court orders and its jurisprudence remain a closed book. The US security authorities are, in effect, the only parties who are or who can be heard in respect of such applications before the FISA Court.

One of the striking features of the Snowden revelations was the disclosure of (the hitherto secret) orders of the FISA Court which effectively required major telecommunications companies to make disclosure of daily telephone call records on a vast and undifferentiated scale, while the company in question was prevented from disclosing the existence or nature of the order. Yet the essentially secret and ex parte nature of the FISA Court’s activities make an independent assessment of its orders and jurisprudence all but impossible. This is another factor which must – to some degree, at least – cast a shadow over the extent to which non US data subjects enjoy effective data protection rights in that jurisdiction so far as generalised and mass State surveillance of communications is concerned. Judgement of Mr Justice Hogan delivered on the 18th June 2014. (2013 No 765JR)

Appendix C. GCHQ’s view on the exercise of extraterritorial jurisdiction by the US in the UK, via PRISM

-----Original Message-----
From: PressOffice [mailto:PressOffice@cesg.gsi.gov.uk]
Sent: Tuesday, December 2, 2014 15:20
To: 'kjcahill'
Cc: PressOffice
Subject: RE: Questions

SECURITY CLASSIFICATION: OFFICIAL

Kevin, thank you for your letter to Robert Hannigan which we acknowledge.

The following is background information for clarification on your point about US CSPs.

It is expected that all multinational firms operating in the UK act in accordance with our laws, including RIPA. The Data Retention and Investigatory Powers Act 2014 makes clear that those companies that provide communications services to British users have an obligation to comply with our legislation. We expect all communication service providers to now comply with the law. As Robert Hannigan explained in his piece in the FT the challenge to governments and their intelligence agencies is huge and can only be met with greater cooperation from technology companies.

May I suggest that you re-read DRIPA act to get a better understanding of the scope of that legislation.

I hope that this helps.

Best wishes,

GCHQ Press Office

 

Prepared 24th March 2016