Investigatory Powers Bill

Written evidence submitted by Christopher Pidgeon (IPB 47)

1. I am a university student, freelance musician, and, as most people, utilise technology and communications frequently in everyday life to lead both my professional and social engagements. My highest qualification in IT is an AS Level, though I consider myself a higher-than-average competency user with a general understanding of many technological issues (far from expert). I believe there are huge opportunities in this Bill that are not being explored, and that the Bill as it stands presently holds many problems. I submit this evidence in a personal capacity.

2. My below evidence relates to what I consider to be particularly problematic parts of the Bill and my understanding of technological issues. In summary, I address the lack of scrutiny being afforded to existing powers, the many issues relating to internet connection records, the impact of maintaining technical capability and equipment interference, then the complex questions of extraterritoriality and encryption. I then critique the oversight provided by the Bill and finally propose further amendments.

Existing Powers

3. Many of the powers set out in the Bill are being regarded as ‘existing’. While legally and on paper this may well be the case, it is also unquestionably the case that part of the motivation for the writing of this new law has been the unforeseen ways in which older laws have been interpreted.

4. The use of many of these powers came to light in the public forum only after the Edward Snowden revelations. Prior to this, the great majority of Britons had no idea many of these ‘existing powers’ existed, not to mention many of their MPs.

5. It is therefore worrying to me the Bill is being scrutinised on such a tight timetable. This Bill is widely acknowledged to be one of the largest and most complex in this Parliament, containing both legal and technical concepts that take some time to marry together. Many of the ‘existing’ powers have never been scrutinised by Parliament, and the current timetable does not appear to recognise this. An informed debate must be had on such a provocative, encompassing and landmark piece of legislation.

· The current timetable for legislative scrutiny of the Bill is not sufficient. This either needs to be expanded or parts of the Bill regarding existing powers must be removed until such time as adequate scrutiny may be afforded to them.

Internet Connection Records (ICRs)

6. This is the one new power in the Bill and the subject of particular scrutiny by both the Joint Committee and, no doubt, the current Select Committee.

7. From the point of view of an internet user, this power appears disproportionate and unnecessary. A record of every site visited stored for up to twelve months raises concerns on many levels.

Definition

8. As of yet, there is no clear definition of an ICR that both industry and Parliament can agree on. ICRs will require data (some of which may already be used by communications service providers (CSPs)) to be generated and processed in a particular way, although it is impossible to scrutinise this from a legislative perspective before industry and the Government have ameliorated the differences between language on the face of the Bill and what is technically feasible.

· The definition of an ICR should be amended with due advice from industry experts. The Bill should not be allowed to proceed to third reading with this crucial new power still shrouded in misunderstanding and confusion.

Use to Law Enforcement and Intelligence Agencies

9. The data captured may be misleading, and, due to the nature of metadata, may not always be accurate. Metadata can, indeed, highlight much about a person; however, it is also liable to fall into a narrative when it ought not to, thus providing a false positive.

10. For example, if a user visits a webpage that has adverts (or pop ups), a user’s ICRs will show that they connected to the host site of said advert(s). Thus, without any knowledge or intention, a user’s ICRs could highlight that they visited easyjet.com, or any other site, without their intention of doing so. There is no way for this to be highlighted in the ICRs and this may create ‘leads’ for law enforcement that are actually not correct (in the case of a missing person, the presence of easyjet.com among traffic that does not normally consist of travel sites may lead to the theory that they flew abroad – when in fact the missing person may still be on UK soil).

Technical Issues

11. While my understanding of networks and how the internet works is limited, I at least understand enough to assure you that, should the definition of an ICR be ironed out, it is extremely difficult for a computer to self-generate data with appropriate protections already in place. Certain information will have to be collected and processed, and then (somehow) redacted before it is useable based on the first stage ‘collection’ warrant. I believe this will be very difficult to implement and would advise this be looked at particularly carefully.

12. Adrian Kennard in his evidence helpfully addresses this particularly problematic divide of ‘Content vs Communications Data’.

Privacy

13. The Government, in its public messaging, has likened ICRs to an itemised phone bill, a description the Joint Committee found to be ‘unhelpful’. This is unsurprising: unlike a phone number, an internet site may say an awful lot about you as a person on its face. For example, the purpose of a visit to www.samaritans.org, www.gambleaware.co.uk or even www.conservatives.com may clearly signal the circumstances surrounding a visit to the site.

14. Further, considering the above section ‘Use to Law Enforcement and Intelligence Agencies’, I would be worried as to the false conclusions that may be drawn about me from this data.

15. As an internet user, I consider my privacy to have been breached immediately when this data is collected and stored. This is because it forms a record of my activity without my knowledge or consent. As a citizen, I have a right to expect privacy and to be at a distance from the state in my lawful everyday business; this removes that protection and could have a chilling effect on freedom of expression more widely. Innocent until proven guilty is a fundamental concept in the rule of law – this legislation could effectively move that standard to ‘suspicious until proven guilty’, if surveillance on the scale proposed is implemented.

Security

16. This will constitute a very detailed record of everything about me as a person. The data generated would clearly outline my lifestyle, my hopes, aspirations, political leanings, religious views and other extremely sensitive personal information (and that is before what is deemed ‘content’ is examined).

17. I worry that this vast trove of data will be stored without my knowledge or consent in a manner over which I have no control and am entitled to no knowledge of. In my view, this would be a prime target for hackers and other bad actors. With massive data thefts becoming more common, I cannot help but feel that both my security and the security of my fellow citizens, as well as the wider UK, could be put at risk by this provision. It is impossible to make data storage ‘hack-proof’ and it is almost a certainty that if this data were to be compromised in any way, the livelihoods of a great number of people could be compromised irreparably.

18. This is also problematic in that I doubt UK-based businesses will be happy that their commercially sensitive communications, and perhaps databases about their customers potentially containing sensitive information (if sent by communicative means), will be held without their knowledge or consent in an environment they themselves cannot guarantee to be secure.

· The possibility of amending the Bill to remove or heavily modify and specify the ICR concept should be strongly considered as an option here: targeted interception and retention warrants may well achieve the same effect without creating a honey pot for bad actors. In other words, the option is not either ‘collect it all’ or be left in the dark.

Requirement of Technical Capability and Equipment Interference

19. The requirement of maintaining technical capability if so ordered has been an object of concern for many.

20. This part of the Bill appears to suggest that companies may be compelled to build back doors into their software and hardware in order to assist agencies with equipment interference. This is extremely dangerous, as not only can equipment interference cause harm to networks, it also leaves users exposed to unnecessary risk of being targeted by bad actors.

21. Further, in terms of open source software, any malicious changes to code will be spotted by the community and corrected or highlighted, thus reducing (or eliminating) use of certain software.

22. Companies should not be forced to ship malware and spyware to their customers, as it will create a great level of distrust in the market and will put them at a commercial disadvantage compared to their international competitors.

23. Further, with more and more devices now connected to the internet, from cars to children’s toys, creating backdoors in many of these devices would put people directly in harm’s way.

· The Bill should be amended to remove the requirement of technical capability. If agencies wish to hack, this should be done on a case-by-case basis.

· The Bill should be amended to explicitly compel the agency interfering to be liable for any damage they cause or inadvertent misuse of equipment interference powers (eg. exploring the wrong areas of a device or other conduct not related to the investigation).

· 88 (5)(a) requires tighter definition – "any conduct" implies, among other things, that destruction of property is a legal means by which to achieve the effects of the warrant. 88 (11) also legitimises "any conduct".

Extraterritoriality

24. Extending jurisdiction outside the UK creates many complications. For instance, the Government may find itself having to pay for foreign CSPs across the world to have the resources and equipment to collect data on UK citizens. There is no way to ensure that data would be stored to the same standard as UK-based CSPs, thereby creating further honey pots that may be more easily accessible.

25. Further, there may be a legal conflict between local laws and UK law. For example, it would be very difficult to mandate this in the US, as it is very possible the constitution prohibits this. Further, it would be very difficult to marry the proposed standard of oversight (a warrant signed by a politician with a procedural check by a judge) with the US standard of a warrant issued by a judge in the adversarial FISA court setting.

26. This would also set a new precedent that many countries may be keen to follow. I would hardly want North Korea asserting its jurisdiction over the software companies I use every day here in the UK on the justification that they are emulating the UK model.

· Extraterritoriality should be removed from the Bill entirely and work be initiated on forming international agreements for data sharing between nations. Not every country in the world will be willing or able to afford to implement the level of surveillance called for in this Bill.

Encryption

27. The Bill is not clear on this front. The definition of whether it is ‘practicable’ to remove encryption is non-existent on the face of the Bill.

28. Encryption is used by everyone every day to use the internet as we know it: secure socket layer is used by everyone without many even being aware of this. It allows online banking transactions, as well as secure communication between people. It is also used on computers to protect files – encryption can protect data even if a hacker has complete control over a user’s system.

29. While the argument is made that criminals should not be afforded any safe space, undermining encryption standards will only serve to harm wider society rather than protect it. That is because encryption is a mathematical concept, and is not tied to technology – a one-time pad may be used for criminals to pass secure messages to each other that no third party could decrypt.

30. Thus, undermining encryption software will only serve to put the UK tech sector at a further disadvantage, and remove crucial security everyday users rely on to safely lead their online lives.

· The Bill must be amended to either specifically protect encryption from technical capability notices, or at the very least explicitly recognise that in most cases the removal of encryption will not be regarded as practicable.

Oversight

31. The idea of the ‘double lock’ is inherently flawed. The Bill on its face calls for a judicial review standard to check the Secretary of State. This standard is not a fixed concept.

· The Bill (at 21 (2)) should be amended to precisely define the standard at which warrants will be judicially examined and what powers the Judge will hold in their scrutiny.

32. I see no reason why a Judge with appropriate training and access to technical expertise could not do this task alone. The Home and Foreign Secretaries are asked to sign many of these warrants every day, and from the perspective of the public, this does not lend confidence as to the level of scrutiny each receives. Further, many Secretaries of State will have no legal training or understanding of the process of how to assess necessity and proportionality.

33. As previously discussed, the type of data that will be available will be hugely sensitive. In fact, with the use of the internet and electronic devices so ubiquitous in today’s society, you may very well find items in communications data that one may previously have only expected to find in a house search (the most protected domain under law). It is therefore baffling that these warrants are not held to the same standard.

34. There is no protection on the face of the Bill to prevent any future Secretary of State from acting in bad faith. A warrant may be issued for questionable reasons. A Judge, if held to the lower standard of judicial review, would struggle even to prevent this level of abuse, as they may still find the decision making process to have been not manifestly incompetent.

35. In contrast to the argument that a Home or Foreign Secretary may be made more accountable than a Judge, it is interesting to note that the existence of these warrants may not be disclosed. It is also interesting to note that the Home Secretary has not proposed any means by which she will appear to Parliament to account for her warrants. It is also the case that, if (somehow) a Home Secretary was found to have committed an error in issuing a warrant, the only people that may hold her accountable are her own constituents. On an issue that has national implications, this does not appear to be strong accountability.

· The Bill should be amended to remove the Secretary of State from the warrant process. This would bring it closer to international standards.

· The Bill may additionally be amended to allow warrants to be issued in an adversarial court setting at which the case is presented for the Government and for a public advocate.

36. I am also dismayed at the fact that the existence of any of these warrants, as well as the fact that my data is being collected/my computer being hacked/my health records being acquired, is to be compelled to happen in secret. This is hugely disturbing as it effectively removes my rights as a citizen to claim for any damage that may have been caused due to incorrect deployment procedurally, etc.

· The Bill should be amended to allow subjects to be informed that action has been taken against them in order for them to take action as they feel is necessary (whether it be a security check of their system or network after equipment interference or legal action if they feel their rights have been violated). I would suggest that this be after a set time period, defined precisely in the Bill, which would also serve to further protect these powers from being abused.

Further Amendments

· The Bill must be amended to allow public scrutiny of the use of these powers. I would suggest a mechanism by which the Government is compelled to outline, in a public forum, which powers have been used within a given period (eg. one year), how much this has cost the taxpayers, and to what degree success has been achieved by their use.

· At 81 (2) add: "…must [securely] destroy this data…" and define the level of secure destruction required (I would recommend to a level where data recovery is impractical by known means).

· The definition of ‘national security’ at 18 (2) (a) must be specified, as must ‘economic well-being’ at 18 (2) (c).

· Greater reference to privacy protections must be made throughout the Bill.

37. This Bill is being looked to by a great many countries as a model for how investigatory powers are to be used in an ever-more technologically rich world. It is therefore imperative that this Bill not be looked at for the benefit of the UK alone, but in genuinely seeking to create a world-leading piece of legislation that provides consensus rather than controversy.

38. I again re-emphasise the issue of the current Parliamentary timetable on this matter. This Bill addresses a great number of problematic legal and technical issues, and on the current timescale, it is unlikely any side of the debate will grow to fully understand the other.

39. The Bill as it is currently written still creates confusion among many, and employs many ‘catch all’ terms that are frequently criticised for lacking connection with technical reality at the present time. There are many aspects that could potentially harm UK industry, and put citizens at risk.

40. While the Government is keen to future-proof the Bill, I see no reason why this Bill cannot simply address in clear, understandable terms the issues we face today, and then be amended/replaced as required by future Parliaments.

April 2016

 

Prepared 6th April 2016