Investigatory Powers Bill: technology issues

2 Technology issues

13.David Allen Green of Preiskel & Co and legal commentator for the FT commented that the real challenge posed by the draft Bill is whether the measures will work in practice, given developments in technology; and whether overseas communications service providers will cooperate.15 TechUK identified particular issues of “utmost importance”:

14.Professor Ross Anderson told us about technological change and the difficulties this could create for the definitions in the Bill:

… technology just changes too fast. You cannot expect to have a Bill that will last for 25 years unless you have lots of Henry VIII clauses in it and do everything by statutory instrument, which creates problems of its own. The thing that is about to hit us, of course, is the internet of things. The Bill makes some provision for that by talking about things as well as persons, but the true implications of what it means to allow bulk equipment interference, for example, with road vehicles will probably have to be revisited once people start using autonomous vehicles at scale.17

Others also highlighted issues around the new ‘internet connection records’, encryption and equipment interference, which we discuss below.

Internet connection records

What are ICRs?

15.A great deal of attention has been paid to the provisions in the draft Bill for the retention of ‘internet connection records’ (ICRs). The purpose is to allow law enforcement agencies to identify the communications service to which a device has connected. The Institute for Human Rights and Business commented that “As this is a new provision in the draft Bill, it will require particular scrutiny. There are questions as to how collecting and storing ICRs is technically possible, and whether Data Retention Notices to retain all user ICRs are ‘necessary and proportionate’.”18 The Home Office indicated that “we will certainly not place obligations on every one of [the “200 or 300” communications service providers]”.19 We received a good deal of evidence concerning both the inherent difficulties in defining ICRs and the breadth of the definition in the draft Bill.

16.The draft Bill will require UK communications service providers (CSPs) who are served with a notice to retain internet connection records as ‘communications data’. The Home Office define ‘communications data’ as the ‘who’, ‘when’, ‘where’ and ‘how’ of a communication, often referred to as its ‘metadata’. But it does not include the content of a communication—it does not include every web page that a person has visited, for example, or any action carried out on that web page. Distinguishing between content and metadata is not necessarily straightforward because the web is not a single application. For a typical internet user, a number of different services are used at any one time, all of which blur the lines between content and metadata. According to Cisco, at present, in order to understand what someone is doing online, CSPs effectively need to track all of the data all the time.20

17.New definitions of ‘communications data’ are given in clause 193 of the draft Bill, on which the Government provides some commentary in the draft Bill publication:

These new categories are intended to be technology neutral and replace the three categories of communications data in RIPA: ‘traffic data’, ‘service-use data’ and ‘subscriber data’ which no longer adequately reflect the data available from telecommunication operators or systems.21

The terms used now are ‘entity data’ and ‘events data’. In addition, clarification around web browsing is given:

Anything beyond data which identifies the telecommunication service (e.g. is content. Accordingly, or would be communications data but data showing what searches have been made on Google or whose profiles have been viewed on Facebook would be content.22

18.TechUK acknowledged that “the original intention of bringing together various pieces of surveillance legislation into one Bill is to provide clarity to industry, agencies and the public,” but were concerned that “over-broad definitions … are counter to this goal”, particularly the definitions of what would constitute ‘communications data’ and ‘communications content’:

The definition of “communications data” relates to the “who, what, where, when and with whom” of a communication, yet does not appreciate the vast amounts of metadata that companies would have to retain under the requirements of the draft Bill and the difficulty for companies in separating data (which can be accessed without a warrant) from content (which could not be accessed without a warrant). The extent to which the two can be easily separated requires greater scrutiny—clearer definitions, and acknowledgement of, the metadata in between is therefore required.23

Exa Networks, an internet service provider, suggested that “some of the definitions of the Bill do not seem to accommodate the complexity of Internet Protocol networks”.24 Philip Virgo, on the other hand, acknowledged a need for enabling legislation to be technology neutral and “to avoid giving too much information to those wishing to avoid investigation”, and therefore believed it “unreasonable to expect a detailed list in the Bill of the communications data elements that should be retained.”25

19.In her statement to the House on 4 November, the Home Secretary said:

Some have characterised that power as law enforcement having access to people’s full web browsing histories. Let me be clear—that is simply wrong. An internet connection record is a record of the communications service that a person has used, not a record of every web page they have accessed. If someone has visited a social media website, an internet connection record will only show that they accessed that site, not the particular pages they looked at, who they communicated with, or what they said. It is simply the modern equivalent of an itemised phone bill.26

Some witnesses questioned that analogy. Professor Mike Jackson did not think that “the data we are talking about is the equivalent of an itemised phone bill: It has significantly more information content than an itemised phone bill gives.”27 Dr Joss Wright of the Oxford Internet Institute went further:

The fundamental issue is that comparing it with telephony is ludicrous. In the modern world, particularly for younger people, a much closer analogy is with the real world. When did you go into your house? When did you leave your house? Which friend did you meet? What shop did you go into? What newspaper did you read? What book did you buy? If we were asking for bulk collection, retention and access to that kind of data in the real world, there would be uproar. Somehow, because this is the internet and it is slotted under “This is just telecommunications,” the Bill has got to where it is.28

20.In a similar vein, Dr Julian Huppert (a former MP) thought there was very little, if any, difference between ICRs and the ‘web logs’ considered by the earlier Joint Committee on the 2012 Draft Communications Data Bill, of which he was a member:

Our report agreed that ‘Web logs are at the more intrusive end of the communications data spectrum’. Even though the exact webpage isn’t recorded, it would be fairly clear why someone were going to websites such as

21.Unlike a phone bill, which clearly and consistently relates to a billed individual, IP addresses are shared by a number of users simultaneously. A communications service provider would ordinarily only be able to provide details of the person who pays the internet subscription, which is not necessarily the person who was using a device at a particular time.

22.Graham Smith pointed out that the draft Bill itself uses the term ‘internet connection record’ only in clause 47 and that this differs from the way in which ‘relevant communications data’ are defined in clause 71 (which details the powers to require retention of certain data). He described how the scope of ‘relevant communications data’ depended on thirteen interlinked definitions, and concluded that “the clause 71 power looks as if it may cover a wider range of communications data than is achieved by adding ‘Internet Connection Records’ to the current list of retainable communications data.”30 He added:

It would assist the discussion if the Home Office were to provide full, detailed and clear technical information about what data-types it believes would fall within (a) clause 71 and (b) clause 47 and how those would differ from the data-types covered by the existing retention legislation.31

Andrews & Arnold made the point that greater clarity and consistency in definitions would “limit the scope of future governments to expand the retention beyond current intentions without a change to the legislation”.32

23.Some witnesses were concerned about the potential breadth of the ICRs. IT-Political Association of Denmark suggested that “the motivation for ICRs in the draft Bill and the outlined retention requirements are very similar to the session-logging data retention scheme which was used in Denmark from 2007 until 2014, when it was repealed for lack of effectiveness”.33 Open Rights Group considered that the definition used in the Operational Case for the Retention of Internet Connection Records—“a very narrow set of data, such as numerical internet protocol (IP) addresses and port numbers … [and] the time that a specific service was accessed”34—does not reflect the definition in the draft Bill. They concluded that “ICRs could be used for a much broader range of purposes than stated in the guidance”.35 They added that:

ICRs are defined by their use and access regime, and could be understood very narrowly as a list of websites visited or services used, or quite broadly as covering almost all the types of communications data. … The creation of ICRs of web interactions could require the recording of full URLs … [which] would then be edited in order to generate a history of sites visited, which is not as simple as it seems.36

24.Richard Alcock from the Home Office assured us that the Government had been engaging very closely with industry, not least on the matter of definitions.37 The Home Office’s Chief Scientific Adviser, Professor Bernard Silverman, thought that the definition of the content of a communication had been pinned down in a way that “satisfies both a legal and a scientific requirement”.38 Richard Alcock emphasised that the purpose for which internet connection records could be used determined the circumstances in which the data could be accessed:

One new power that the Bill brings forward relates to what are called internet connection records. In simple terms, that means identifying the communications service that a person was using online at a particular point in time. Of course, what the Bill tries to do is to retain those data relating to individuals, but it also sets out clearly the terms under which the data can be accessed. Those three terms are as follows: one is to identify a person from a particular IP address—an internet protocol address; the second is to identify a person who may have been using an illegal website; the third is to identify what communications service an individual may have been using over time. Those internet connection records cannot be used for any other purpose.39

The Home Secretary told us subsequently that the definitions for ‘communication data’ and ICRs were intended to be “technology neutral and flexible in order that, should user behaviour and technology change, they will still apply”.40 The definitions were to be applied “to the full range of powers and obligations under the draft Bill”41 which had subsumed provisions from several current statutes. As a result, “the definitions as they are formulated are necessarily abstract”.42

The feasibility of collecting ICRs

25.The feasibility of collecting, and storing, internet connection records depends on what they actually are. Some ISPs, particularly smaller ones, have expressed concerns about the cost of installing hardware tools to identify and retain ICRs. William Waites described the burdens associated with looking “deep into the packet (known as Deep Packet Inspection or DPI) in order to find what web site is being accessed”.43

26.TechUK highlighted that many businesses do not already generate or store internet connection records for their business purposes, unlike other types of communications data. An important question was:

whether it is technically feasible for companies to easily separate ‘communications data’ from ‘communications content’ when retaining ICRs. The difficulty that some internet service providers may face during the retention of ICR in separating the first part of the URL up to the first ‘/’ (classified as communications data by the draft Bill and required) from the remainder of the URL after the first ‘/’ (classified as communications content and not required) creates additional complications for businesses.44
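The split TechUK describes, worked through as an added example (not part of the report or of any witness's evidence): a cut at the first '/' is compared with a parsed split on constructed URLs, going beyond the simple case to inputs where a query follows the host with no '/', where credentials precede the host, and where the host is an IPv6 literal. The function names, field names and sample log are assumptions made for the illustration.

```python
"""Split URLs into a retained service identifier and withheld content.

Added illustration; sample URLs, names and fields are constructed.
"""
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


class UrlSplit(NamedTuple):
    service: str                # host[:port], the part up to the first '/'
    withheld: str               # path, query and fragment
    credentials: Optional[str]  # userinfo found before the host, if any


def naive_split(url: str) -> Tuple[str, str]:
    """Literal reading of the rule: drop the scheme, cut at the first '/'."""
    rest = url.split("://", 1)[-1]
    head, sep, tail = rest.partition("/")
    return head, sep + tail


def split_url(url: str) -> UrlSplit:
    """Parse the URL so that only the host and port end up in 'service'."""
    # urlsplit only recognises a host after '//', so add it when no scheme is given.
    parts = urlsplit(url if _SCHEME.match(url) else "//" + url)
    host = parts.hostname  # lower-cased; userinfo, port and brackets removed
    if not host:
        raise ValueError(f"no host in {url!r}")
    if ":" in host:  # IPv6 literal: restore the brackets
        host = f"[{host}]"
    port = parts.port
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        host = f"{host}:{port}"
    # Everything after the host is kept out of the service identifier.
    withheld = parts.path
    if parts.query:
        withheld += "?" + parts.query
    if parts.fragment:
        withheld += "#" + parts.fragment
    credentials = None
    if parts.username is not None:
        credentials = parts.username
        if parts.password is not None:
            credentials += ":" + parts.password
    return UrlSplit(host, withheld, credentials)


def connection_records(log: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Reduce (timestamp, url) entries to (timestamp, service) pairs,
    collapsing consecutive requests to the same service into one record."""
    records: List[Tuple[str, str]] = []
    for timestamp, url in log:
        service = split_url(url).service
        if not records or records[-1][1] != service:
            records.append((timestamp, service))
    return records


# Constructed sample requests (not taken from any real log).
SAMPLE_LOG = [
    ("2016-01-11T09:00:01Z", "https://www.example.com/search?q=knee+surgery"),
    ("2016-01-11T09:00:07Z", "https://WWW.EXAMPLE.COM?q=second+opinion"),
    ("2016-01-11T09:02:30Z", "http://alice:s3cret@mail.example.org/inbox/42"),
    ("2016-01-11T09:05:12Z", "https://[2001:db8::1]:8443/admin#users"),
]

if __name__ == "__main__":
    for _, url in SAMPLE_LOG:
        print(url)
        print(f"  naive : {naive_split(url)[0]!r}")
        print(f"  parsed: {split_url(url)}")
    print(connection_records(SAMPLE_LOG))
```

On the second and third sample entries the cut at the first '/' leaves a search query and a password inside the retained field, while the parsed split keeps only the host.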

More fundamentally, James Blessing of the Internet Service Providers Association told us that “the whole idea of an internet connection record does not exist as far as internet service providers are concerned.”45 Andrews and Arnold Ltd, an ISP, said similarly that:

An ICR does not exist—it is not a real thing in the Internet. At best it may be the collection of, or subset of, communications data that is retained by an operator subject to a retention order which has determined on a case by case basis what data the operator shall retain. It will not be the same for all operators and could be very different indeed. We would like to see the term removed, or at least the vague and nondescript nature of the term made very clear in the Bill and explanatory notes.46

27.Matthew Hare of Gigaclear raised a concern about the feasibility of keeping what would be a “massive” volume of ICR data secure:

There would be the most massive and enormous amount of data that in future an access-provider would be expected to collect and keep, if it received a notice. … All you will do is create a massive database of who uses the internet for what and when, to be stored across a whole range of different service providers to make sure you have the content available, and I would question whether keeping that secure and safe is always going to be the case.47

Witnesses provided evidence as to whether there were technological developments which could improve detection of contact data without requiring large volumes of data to be captured, including the benefits or otherwise of moving towards ‘IPv6’. Witnesses told us that this could potentially improve targeting of data access requests as well as reduce the amount of data required to be stored, although there were challenges to its implementation. James Blessing of the Internet Service Providers Association stated: “IPv6 would make it a lot easier to find people, which is fantastic. Adoption of IPv6 is a bit of a challenge.”48

28.John Shaw of Sophos had worries about security of the data that would be required:

There is a requirement to store 12 months’ worth of data about the communications. … It is really important that that data itself is then encrypted … Part of the cost is not just collecting the data but making sure that it is then super secure … so that it cannot be used for bad purposes.49

Richard Alcock from the Home Office told us that:

In the majority of cases, our data retention stores are completely separate from the business systems that exist within comms service providers. Effectively, they are subject to their own security arrangements. We have very high standards, as you would expect, for the security of the data that we require CSPs to keep.50

29.Richard Alcock also explained that the circumstances of particular CSPs would be taken into account:

In the context of communications data … we work very closely with the comms service providers, even before serving a notice, to understand the technical feasibility, practicality, costs and robustness of the arrangements, noting that in the context of communications data all the data that are retained and used, where necessary and proportionate, have to be built to an evidential standard. Once that was done, we would serve a written notice, signed by the Home Secretary, on those suppliers, defining the specific fields and data fields that we wished to collect. Those fields will be a function of the different industry suppliers, by virtue of the fact that all the back-office and technical systems are quite different, depending on which comms service provider you are talking to.51

Later in our inquiry, the Home Secretary provided us with a detailed list of the types of data that communications service providers might be required to retain in order to generate ICRs and what would constitute ‘content’,52 and explained that:

The Government’s proposals regarding ICR retention are the subject of on-going consultation with industry. The Home Office has undertaken technical discussions with academics and industry bodies, as well as with the companies that are most likely to be subject to the obligations under the draft Bill. In light of those discussions, we are confident that the proposals are technically feasible and operationally essential for law enforcement.53

The Home Secretary also provided details of the operation of a ‘request filter’—a mechanism by which only relevant, and proportionate, information is made available to investigators.

30.While we are encouraged to learn of the Government’s ongoing engagement with the internet industry, there seems still to be confusion about the extent to which ‘internet connection records’ will have to be collected. This in turn is causing concerns about what the new measures will mean for business plans, costs and competitiveness. Although the Government maintains that ICR notices will be served on particular CSPs on a case by case basis in a way which takes account of the circumstances of the particular communications provider, based on the text of the draft Bill some envisage a situation where ICRs could be required from all CSPs. Given the volume of data involved in the retention of ICRs and the security and cost implications associated with their collection and retention for the CSPs on whom ICR obligations might be placed, it is essential that the Government is more explicit about the obligations it will and will not be placing on industry as a result of this legislation.

31.The Government, in seeking to future-proof the proposed legislation, has produced definitions of internet connection records and other terms which have led to significant confusion on the part of communications service providers and others. Terms such as “telecommunications service”, “relevant communications data”, “communications content”, “equipment interference”, “technical feasibility” and “reasonably practicable” need to be clarified as a matter of urgency. The Government should review the draft Bill to ensure that the obligations it is creating on industry are both clear and proportionate. Furthermore, the proposed draft Codes of Practice (which we discuss in paragraph 69 below) should include the helpful, detailed examples that the Home Office have provided to us.


Encryption

32.With the commencement of Part I Chapter II, and (in 2007) Part III of the Regulation of Investigatory Powers Act 2000, the Interception of Communications Commissioner was given further responsibilities for overseeing notices ordering the decryption of data acquired by interception and the adequacy of arrangements for the protection of communications data and encryption keys for intercepted material.

33.Many witnesses emphasised the importance of the use of encryption in providing the secure internet environment we need for many services, from credit cards and commerce, patient data and medical information, proprietary business and legal discussions, and other important communications.54 Before the draft Bill was published, there was speculation that it would address the use of encryption software. Professor Mike Jackson of Birmingham City University postulated that one approach would have been to legislate against the use of complex encryption that government bodies could not break, but noted that the “problem with this approach is that if the security forces can break the encryption then hackers will as well”.55 When the draft Bill was finally published, on 4 November, the Government stated that the Bill “will not impose any additional requirements in relation to encryption over and above the existing obligations in RIPA”.56

34.Clause 189 of the draft Bill, however, provides that the Secretary of State can use regulations to impose obligations on CSPs, via “technical capability notices”. Clause 189(4)(c) provides for the possibility that CSPs may be required to remove electronic protection (de-encrypt) material in order to assist in the implementation of a warrant. On the face of it, this does not affect ‘end-to-end encryption’, where the protection is applied by the communications service-user rather than the service-provider, so that the service-provider cannot ‘see’ the message content. Andrews & Arnold Ltd believed that:

Over the next few years it is likely to become quite rare for a web site to be unencrypted. At present some level of deep packet inspection can find the website name of an encrypted website from the initial negotiation, but this loophole is being plugged in the more modern protocols. This calls in to question the whole justification for logging ‘internet connection records’.57

35.Privacy International were concerned about clause 189 (4)(c) of the draft Bill which could impose “obligations relating to the removal of electronic protection applied by a relevant operator to any telecommunications or data”.58 These obligations are on top of those placed on telecommunications services to assist in “giving effect” to interception warrants (Clause 31) and other similar clauses elsewhere in the Bill. Privacy International told us that these, and other clauses, were “an indirect attack on end-to-end encryption, which the Government has previously stated it would not undermine.”59

36.Others had similar concerns, including TechUK, the Institute for Human Rights and Business and Mozilla. TechUK told us:

Although the Government has been at pains to stress that it is not restricting or weakening encryption, and that all requirements in the Bill regarding the ‘removal of electronic protection’ are already provided for in current legislation, further scrutiny around this is needed.60

They wanted, in particular, the envisaged ‘technically feasible’ test for the ‘removal of electronic protection’ to include a consideration of whether it was “reasonable and proportionate”:

It should be noted that Clause 190 states that the Secretary of State, before giving a notice relating to the removal of electronic protection, would have to consider the ‘technical feasibility’ of complying with such a notice. For the test of whether a measure is ‘technically feasible’ to be meaningful, it must consider something more than whether the end result is technically achievable with sufficient engineering manpower, investment and time … The consideration as to whether a measure is technically feasible should also consider whether the time, cost (including opportunity cost), knock-on effects and change in customer relationships are reasonable and proportionate to the expected benefits.61

37.The Institute for Human Rights and Business suggested that, while it was likely that the draft Bill would not eliminate end-to-end encryption, “it will prevent companies served with a technical capability notice from offering end-to-end encryption as part of their services”.62 The obligations on the ‘removal of electronic protection’ by clause 189 (4)(c) were, they said, “widely believed to refer to end-to-end encryption, where no actor holds the ‘keys’ to decrypt communications and are therefore impossible to intercept.”63 Mozilla similarly saw the draft Bill permitting “backdoor mandates” through the obligations imposed by a “maintenance of capability order,” which might include an obligation to “remove the electronic protection”. They thought the Bill could be used:

to compel a software developer, like Mozilla, to ship hostile software, essentially malware, to a user—or many users—without notice. As an open source project, this is problematic from both philosophical and practical perspectives.64

Recently, Apple and other communications companies have expressed concerns about whether the draft Bill might require them to adopt weaker standards of encryption. Apple have also reportedly stated that the draft Investigatory Powers Bill could be a catalyst for other countries to enact similar measures, leading to significant numbers of contradictory country-specific laws.65

38.The IT-Political Association of Denmark suggested that wrong-doers might take additional steps, such as the use of anonymity tools like virtual private networks and Tor,66 to protect their privacy as knowledge of the surveillance capabilities of the police and security services improved. Dr Joss Wright of the Oxford Internet Institute foresaw “chilling effects” that awareness of surveillance might have on even the legitimate web browsing activities of consumers.67

39.While publication of the draft Bill might have highlighted industry’s concerns over encryption, Dr Julian Huppert reminded us that there is already legislation that allows communications providers to be required to maintain an ability to provide the content of communications unencrypted.68 However, he raised a question about enforceability: “It is unclear what would happen if a court were to be asked to take action against an operator who was unable to comply with this power because of the fundamental nature of their product: Any decentralised communications system is likely to render this clause impossible to comply with.”69 Dr Robert Nowill of Herne Hill Consulting told us that ISPs and CSPs could “unwrap” encryption which they themselves had put in place, but that “if the underlying data stream is encrypted by something proprietary and unknown and is originating and terminating overseas, you would probably have the devil of a job digging into it”.70

40.Whether someone sufficiently determined to communicate in an encrypted fashion would be able to do so unbreakably is a moot point.71 Professor Sir David Omand suggested that this should not stop us from trying to see their communications when criminals or terrorists are involved:

Criminals don’t normally conduct their crime by breaking the encryption anyway, but do you want deliberately to remove what I would describe as the right to seek on the part of the police and the intelligence agencies—to try to find out if they can get a lead on some terrorist group, criminal group or paedophile network? We should be encouraging them to try, but there is no guarantee. I am certainly not advocating back doors being mandated, things which would weaken the integrity of the internet; there is a lot of nonsense talked about all of that. But they have to try, and some of the Bill would enable one or two tricks of the trade to be applied. Computer interference is one of those, which might give them a chance to get across some of the most dangerous people who are out there. I don’t think you can ask for more than that.72

41.When we questioned our Home Office witnesses about how encrypted communications would be dealt with under the draft Bill, they told us that the expectation would be that communications service providers would submit content data, when ordered to do so, “in the clear”—that is unencrypted—and that this was the same as was currently required under the Regulation of Investigatory Powers Act 2000.73 However, that would not apply to content that is encrypted end-to-end before being passed to the communications provider for transmission: “What has to be removed is the electronic protection that the service-provider itself has put on the message. It is not removing encryption; it is removing electronic protection.”74

42.In tightly prescribed circumstances, law enforcement and security services should be able to seek to obtain unencrypted data from communications service providers. They should only seek such information where it is clearly feasible, and reasonably practicable, and where its provision would be consistent with the right to privacy in UK and EU law. The obligations on potential providers of such data should be clarified in the proposed Codes of Practice to be published in draft alongside the Bill later this year (paragraph 69).

43.There is some confusion about how the draft Bill would affect end-to-end encrypted communications, where decryption might not be possible by a communications provider that had not added the original encryption. The Government should clarify and state clearly in the Codes of Practice that it will not be seeking unencrypted content in such cases, in line with the way existing legislation is currently applied.

Equipment interference

44.‘Equipment interference’ allows the security and intelligence agencies, law enforcement and the armed forces to target electronic equipment such as computers and smartphones in order to obtain data, including communications content. Equipment interference encompasses a wide range of activity from remote access to computers to downloading covertly the contents of a mobile phone during a search.

45.Clause 99 of the draft Bill includes obligations on domestic CSPs to assist in giving effect to equipment interference warrants. Clause 101 explicitly applies this duty to ‘relevant telecommunications providers’. Privacy International explained their concerns about these provisions:

Under these two clauses, communications service providers could be compelled to take any steps, unless ‘not reasonably practicable’, to assist the police and the intelligence services to hack our computers and other devices. While we do not know what this assistance might look like in practice, it could include compelling communication service providers to send false security updates to a consumer in order to install malware that the police or intelligence services could then use to control the consumer’s computer.75

46.Professor Ross Anderson acknowledged the value of equipment interference provided that it was targeted, but also had concerns about the way it might be applied in practice:

The right way to get round encryption is targeted equipment interference, and that is hack the laptop, the phone, the car, the Barbie doll or whatever of the gang boss you are going after, so that you get access to the microphones, to the cameras and to the stored data. The wrong way to do it is bulk equipment interference.76

The draft Bill gives intelligence and law-enforcement agencies hacking powers (‘equipment interference’) that are excessive, and that need to be much more tightly controlled. As the Bill stands, its equipment interference provisions are likely to damage both national security and British industry.77

47.Some of the perceived difficulties with equipment interference relate to the definitions. TechUK commented:

Within the draft Bill, the term ‘equipment’ is defined as any equipment “producing electromagnetic, acoustic or other emissions, or any device capable of being used in connection with such equipment”. This term is particularly vague … Would, for example, an autonomous vehicle fall under this definition?78

Another difficulty could be the potential extent of these provisions. The Electronic Frontier Foundation were worried that the only qualification to an equipment interference order is clause 101(6), which removes the requirement where any steps would not be “reasonably practicable”. The Foundation noted that there is “no guidance as how ‘reasonably practicable’ may be determined”.79 Big Brother Watch took little comfort from a draft Code of Practice on Equipment Interference, published on 4 November under section 71(4) of the Regulation of Investigatory Powers Act 2000, because there remained a need to clarify “loose and unexplained wording”.80

48.Some of our witnesses suggested that there could be technical difficulties associated with at least some approaches to equipment interference. The Electronic Frontier Foundation believed that software updates intended as methods of surveillance could be identified as such.81 Big Brother Watch noted that weakening a system does not mean that only law enforcement or the intelligence agencies can exploit it—“The system can be exploited by anyone who uncovers the weakness, including malicious actors, rogue states or non-Government hackers”.82

49.There are other challenges connected with the ever-growing deployment of ‘open source’ software. Antony Walker of TechUK told us:

Potentially there are significant problems for companies based fundamentally on an open source business model. … The very nature of [Mozilla’s] business, which is based on inputs from the open source community, means that a lot of its code has to be out in the open. Therefore, meeting any of the equipment interference requirements would be something it could not conceal from the people who provide the open source software. A company like that would face very real specific problems.83

Stan Shapiro was concerned that third parties—hackers, scammers or web developers—could insert malicious records into a web-browsing history, with “no way to resolve which records are genuine and which are malicious retrospectively”.84

50.The Government states that the draft Bill introduces no substantive changes to the existing ‘equipment interference’ regime. It has made the practices more visible to the public and industry, however, and it remains to be seen whether this greater visibility affects the nature or extent of such activity in practice. Some sectors of the communications industry have concerns that equipment interference could jeopardise their business model; for example those producing and distributing open source data. They have a concern that because, as now, CSPs will not be permitted to reveal any equipment interference, their clients may assume that it is used.

51.As ever, the fight against serious crime should be appropriately balanced with the requirement to protect and promote the UK’s commercial competitiveness. We believe the industry case regarding public fear about ‘equipment interference’ is well founded. The Investigatory Powers Commissioner should carefully monitor public reaction to this power and the Government should stand ready to refine its approach to ‘equipment interference’ if these fears are realised. Taking into account security considerations, the Investigatory Powers Commissioner should report to the public on the extent to which such measures are used.

16 techUK (IPB0037)

17 Q66

18 The Institute for Human Rights and Business (IHRB) (IPB0035)

19 Q138

20 Cited in House of Commons Library Briefing Paper 7371, Draft Investigatory Powers Bill, 19 November 2015, p21

21 Draft Investigatory Powers Bill, Cm 9152, November 2015, p287

22 Draft Investigatory Powers Bill, Cm 9152, November 2015, p287.

23 techUK (IPB0037)

24 Exa Networks Limited (IPB0026) para 12

25 Philip Virgo (IPB0031) para 19

26 HC Deb, 4 November 2015, col 970

27 Q69

28 Q69

29 Dr Julian Huppert, University of Cambridge (IPB0027) para 11

30 Graham Smith (IPB0025) para 10

31 Graham Smith (IPB0025) para 18

32 Andrews & Arnold Ltd (IPB0011)

33 IT-Political Association of Denmark (IPB0051) para 3

35 Open Rights Group (IPB0034)

36 Open Rights Group (IPB0034)

37 Q120

38 Q126

39 Q129

40 Home Office (IPB0065) Annex A

41 Home Office (IPB0065)

42 Home Office (IPB0065).

43 William Waites (IPB0006)

44 techUK (IPB0037)

45 Q3

46 Andrews & Arnold Ltd (IPB0011)

47 Q1

48 Q16

49 Q45

50 Q140

51 Q134

52 Home Office (IPB0065) Annex B

53 Home Office (IPB0065)

54 E.g. Mozilla (IPB0056)

56 Draft Investigatory Powers Bill, Cm 9152, November 2015, p29

57 Andrews & Arnold Ltd (IPB0011)

58 Privacy International (IPB0040) para 24

59 Privacy International (IPB0040) para 24.

60 techUK (IPB0037)

61 techUK (IPB0037)

62 The Institute for Human Rights and Business (IHRB) (IPB0035)

63 The Institute for Human Rights and Business (IHRB) (IPB0035) para 4.2

64 Mozilla (IPB0056) para 3.3

65 “Apple launches Silicon Valley fightback over surveillance bill”, Financial Times, 22 December 2015

66 The Onion Router

67 Q75

68 Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002 (SI 2002/1931) para 10 of the schedule.

69 Dr Julian Huppert, University of Cambridge (IPB0027) para 27

70 Q155

71 Q43

72 Q87

73 Q135

74 Q154

75 Privacy International (IPB0040) paras 20-21

76 Q88

77 Professor Ross Anderson (IPB0036)

78 techUK (IPB0037)

79 Electronic Frontier Foundation (IPB0017) para 10

80 Big Brother Watch (IPB0048)

81 Electronic Frontier Foundation (IPB0017) paras 23-24

82 Big Brother Watch (IPB0048)

83 Q101

84 Stan Shapiro (IPB0057)

© Parliamentary copyright 2015

Prepared 30 January 2016