Investigatory Powers Bill: technology issues

1 Introduction

1. The draft Investigatory Powers Bill was published by the Government on 4 November 2015. Ministers have been clear that the intention of this Bill is to consolidate and clarify existing legislation on the interception of communications and the acquisition of communications data. It also represents an attempt to modernise the law in the light of developments in communications technologies, to maintain the operational capabilities of law enforcement agencies and the intelligence and security services.

2. The Regulation of Investigatory Powers Act 2000 (RIPA) set out the conditions that the security services and other agencies must satisfy in order to access ‘communications data’ (namely information about communications but not the content of those communications). The Act also specifies what data can be accessed, by whom and for what purposes. In 2012, a draft Communications Bill (dubbed the “snoopers’ charter” by its detractors) was introduced to secure further access to communications data. However, although the Joint Committee on the draft Bill saw a case for “some further access to communications data”, it concluded that the draft Bill was “too sweeping”, and “went further than it need or should”.1 The Bill was disproportionate, giving the Secretary of State “sweeping powers to issue secret notices to communications service providers (CSPs) requiring them to retain and disclose potentially limitless categories of data”.2 The draft Bill was also considered by the Joint Committee on Human Rights and the Intelligence and Security Committee. It was not taken forward in the last Parliament.

3. The Data Retention and Investigatory Powers Act 2014 was enacted to allow for the ongoing retention of communications data, in response to the Court of Justice of the European Union having declared the pre-existing regime under the Data Retention Directive invalid on privacy grounds. Part 3 of the Counter-Terrorism and Security Act 2015 subsequently amended the Data Retention and Investigatory Powers Act 2014 to enable the Secretary of State to require internet service providers to retain data allowing the authorities to identify the person or device using a particular IP (internet protocol) address at any given time.3

4. The 2015 Queen’s Speech included an undertaking that “new legislation will modernise the law on communications data”.4 The Government stated that its purpose would be to:

In June 2015, the Home Secretary set out a timetable for the new legislation, publishing a draft Bill “in the autumn for pre-legislative scrutiny by a Joint Committee of Parliament, with the intention of introducing a Bill early in the new year”.6 She highlighted that because of the sunset clause in the Data Retention and Investigatory Powers Act 2014, “the new legislation will need to be in place by the end of December 2016”.7

5. The Government also committed to ensuring that the Bill would respond to issues raised by David Anderson QC—the Independent Reviewer of Terrorism Legislation—in his report on the operation and regulation of investigatory powers.8 David Anderson’s report covered the interception of communications and communications data, the challenges posed by changing technology, new capabilities for encryption, anti-surveillance tools and the ‘dark net’. During a debate on the Anderson Report in June 2015, the Home Secretary said that the Government “would accept all the principles that [the Joint] Committee set out [in 2012], including that the original draft Communications Data Bill, which was an attempt to future-proof our legislation, was too wide ranging”.9

6. According to the Government, the draft Investigatory Powers Bill will do three things:

7. In the lead-up to publication of the draft Bill, there were concerns from various quarters that the new legislation would expand data capture and retention powers beyond the provisions set out in the 2012 draft Communications Data Bill.11 There were also concerns about whether the draft Bill would attempt to circumscribe the use of encryption in order to facilitate access to communications.

8. In a foreword to the Draft Investigatory Powers Bill, the Home Secretary wrote: “The draft Bill only proposes to enhance powers in one area—that of communications data retention—and then only because a strong operational case has been made.”12 With 202 clauses and 9 schedules, the Bill is also to some extent a consolidation measure. Quite to what extent is a point of contention. Dr Richard Clayton, Director of the Cambridge Cloud Cybercrime Centre based in the Computer Laboratory of the University of Cambridge, believed that “the present Bill forbids almost nothing … and hides radical new capabilities behind pages of obscuring detail.”13 In a similar vein, Graham Smith believed that “the suggestion that the new retention power is limited to internet connection records … is open to question”,14 and provided a list of powers in the draft Bill that were in his view either new or greater than those in existing legislation.

Our inquiry

9. Recent events in Paris demonstrate clearly that the ability of law enforcement and security agencies to legally probe the communications of criminals and terrorists has never been more important, which makes getting the Bill right so necessary. Of course, the Bill must balance protecting the law-abiding majority from the criminals and terrorists against protecting the very democratic freedoms these terrorists are seeking to undermine. The right to privacy, embodied in the Human Rights Act 1998, is at the heart of this balance. It is not an absolute right, but one which is qualified to allow for proportionate legal intrusion in order to protect the wider interests of a democratic society. This balancing act will be central to the scrutiny by the Joint Committee on the Draft Investigatory Powers Bill.

10. In our inquiry we have focused on critical technological aspects of the draft Bill. We have not addressed the need or otherwise for the communications monitoring provisions or whether they are proportionate to the threats they are intended to deal with. Our focus has been on how the main technological issues involved might affect the communications businesses that will have to collect data and provide access to the security authorities. If we do not get these technological aspects of the Bill right, not only will the Bill fail to achieve its security objectives but it will also damage our digital economy.

11. Following an initial evidence session on 10 November 2015, we launched our inquiry on 12 November. We called for written evidence on the technical feasibility and costs of meeting the obligations imposed by the Bill; the impact on communications service providers and related businesses; and the likely consequences for people using ICT services. More specifically, we sought views on the extent to which communications data and communications content could be separated and the extent to which this was reflected in the draft Bill, as well as views on encryption, bulk data collection, cloud computing, deep packet inspection and anonymous internet communications systems. We received over 50 written submissions. Following our first oral evidence session on 10 November, during which we heard from industry and academics, we held a second hearing on 8 December with internet businesses and technical experts and the Home Office.

12. We thank all those who have contributed to our short inquiry, including Dr Steven Murdoch of University College London who provided technical advice. We hope that our report, and also the oral and the written evidence we have collected, assists the Joint Committee in its consideration of the draft Bill and the House in considering the proposed Bill itself when it comes forward.

1 Joint Committee on the Draft Communications Data Bill, Report of Session 2012-13, Draft Communications Data Bill, HL Paper 79, HC 479

2 Joint Committee on the Draft Communications Data Bill, Report of Session 2012-13, Draft Communications Data Bill, HL Paper 79, HC 479

3 House of Commons Library Briefing Paper 7371, Draft Investigatory Powers Bill, 19 November 2015

5 Cabinet Office Policy Paper, Queen’s Speech 2015: what it means for you, 27 May 2015

6 HC Deb, 11 June 2015, col 1354

7 HC Deb, 11 June 2015, col 1354

9 HC Deb, 25 June 2015, col 1088

10 Draft Investigatory Powers Bill, Cm 9152, November 2015, p5

11 “Security services’ powers to be extended in wide-ranging surveillance bill”, Guardian, 27 May 2015

12 Draft Investigatory Powers Bill, Cm 9152, November 2015, p1

13 Dr Richard Clayton (IPB0032) para 59

14 Graham Smith (IPB0025) para 29




© Parliamentary copyright 2015

Prepared 30 January 2016