Investigatory Powers Bill

Written evidence submitted by Graham Seaman (IPB 49)

I am writing as an individual. I have worked in IT as a programmer, lecturer and consultant since 1976.

1 This Bill licences practices which are either quite novel or which have existed in practice but not been formally acknowledged or discussed by Parliament. Since some of these practices are more commonly associated with dictatorships – and indeed go beyond what pre-Internet era dictatorships

achieved - it is clear that the likely effects of the Bill should be widely discussed both inside and outside parliament before such a major change is enacted.

The process which is being used to introduce the Bill has not enabled this discussion:

- 1.1 The language used in the Bill, particularly in the technical sections, is deliberately obfuscatory. The technique of hiding wide-ranging powers behind evasive language, for which earlier Acts were criticised by David Anderson, has continued throughout. Other responders have already pointed out many examples of these. This has been justified by the Government as necessary to make the Bill open-ended enough to deal with future technical developments. There are other ways to achieve this than obfuscation, which serves to make informed discussion of the Bill's proposals difficult, as well as maintaining the uncertainty as to what the law allows – which it was a stated purpose of this Bill to resolve.

- 1.2 The speed with which the Bill is being introduced has meant that there is no time for proper discussion and the large-scale rewriting many have thought necessary. It also means that there has been almost no discussion by the public, or in the media, of such a major change to British life.

2. I will attempt to justify the above statements by suggesting a few of the potential impacts of the Bill which have not been formally considered in any part of the process I am aware of.

· 2.1 As part of my job I have often advised on general security practices. I am confident that I am able to assess the ability of a computer system to withstand attacks by 'normal' criminals. However, I have always assumed that I am completely unable to prevent the penetration of a system by state actors. This has not mattered as long as state equipment interference has been targeted – ie., used against justified targets. With the licensing of bulk interference I will no longer be able to assure a client or employer that I can assess system security, and will necessarily advise them to use systems in other countries wherever possible. I have no reason to think that other technical employees will not do the same. This is only one of the potential sources of harm to the British IT industry from this Bill. Has any assessment of the potential scale of economic harm caused by the Bill been made?

· 2.2 The criminalization of the reporting of system changes ordered by Security Services or police under this Bill will put large numbers of people in an impossible situation. If I run my own email server, I can be ordered to spy on my own family or staff without a legal right to tell them. In general, the installation of new equipment and software, for example for creation of ICRs, will involve many people whose work will suddenly become classified. Some will find the moral conflict too great and will talk, to family, social media, or press. Their trials will presumably also have to be secret. The consequences are reminiscent of the old GDR. Who has worked through what the results of the gagging aspects of the Bill will be?

· 2.3 There is a general push from government to put our records on-line. There is already some suspicion about the motives for this (eg. Once online, will our health records be given to Pharmaceutical companies, or sold to insurance companies?). The bulk dataset provisions of the Bill contain no limits on the datasets which can be used by the Security Services and police for data mining: health records, educational records, contact with Social Services, children's records – none are ruled out. This is not yet general knowledge, but once it becomes so, the giving of information to any government related body will become even more resented. Have those needing this data for genuinely useful purposes been consulted as to the impact of the Bill on their work?

· 2.4. The maintenance of ICRs (which as I understand it include a summary of what we all read online, and of who we write to or receive emails from) marks a new relationship between citizens and state. The knowledge that a list of what we read and who we communicate with is being kept both for data mining – to identify suspicious patterns – and in case the police need retrospective information on us, clearly demonstrates distrust of citizens by the state. This is likely to be reciprocal. Apart from general chilling effects, it is likely to have many specific effects on social involvement. Will it be safe for me to contact Plane Stupid given that some members have recently had a conviction for their actions? Should I read the Greenpeace website, given that some police publications have classified them as 'low level terrorists'? Will information on my use of torrents to download co-operatively developed free software be passed to rights-holders organizations on the (undefined) grounds of 'economic security'? Has an assessment of the potential damage caused to civil society by the Bill been considered by this or other Committees?

3. Recommendations: The sections relating to bulk interception, bulk interference, and access to bulk datasets should be separated from the Bill for fuller consideration by Parliament and public in a more suitable time-scale. The time allotted should also allow for proper studies of the likely social, political, and economic effects of the bulk and thematic powers. The remaining sections should be rewritten without obfuscation and reintroduced as a new Bill. This should not be taken as an opportunity to reintroduce bulk powers in the guise of nominally 'thematic' targeted powers.

April 2016


Prepared 6th April 2016