UK Gov Publish New ISP Internet Snooping Investigatory Powers Bill

Wednesday, Nov 4th, 2015 (2:43 pm)

The Home Office has published the first draft of its new Investigatory Powers Bill, which marks the third attempt to expand the United Kingdom’s Internet snooping laws by forcing ISPs into logging a bigger slice of everybody’s online activity, irrespective of whether or not you’ve committed a crime.

Under the existing law ISPs can already be asked to keep and provide a log of some very basic Internet connection activity (Internet Connection Records [ICR]) and/or phone records (this does NOT include the content of your communication) for up to 12 months, which only becomes active after a warrant has been received.

However, the Government is concerned that this approach doesn’t provide the security services with enough information to help tackle sophisticated cyber-crime and terrorist networks. Instead they want ISPs to pro-actively log more detail about the online activity of all their customers (ICR) and to then give the security services more access via a Single Point of Contact (SPoC).

Apparently once a request has gone through the SPoC, the authorisation will then be signed off by a Designated Person (DP), who is independent of the investigation for which the communications data is needed. A lot of detail is missing for this aspect, although we know that local authorities will be prohibited from acquiring ICRs.

Meanwhile a full interception warrant will still be required to obtain the most detailed information, but even without one the ISP would still need to record your basic activity (excluding the content of your communication) and that’s neither easy nor cheap to do.

The draft bill can be downloaded online (PDF), although most of you won’t want to burn your brain to death on that and so we’ve done a little summary to help bring you up to speed.

Investigatory Powers Bill – Key Highlights

* Broadband ISPs will be required to maintain a basic record of customer Internet connection activity for a period of 12 months (e.g. names, dates, times and website domains / servers visited). For example, you could see if somebody had visited ispreview.co.uk, but NOT which web pages they looked at (that requires a warrant) or the CONTENT of those communications.

* A senior judge, Sir Stanley Burnton, has been appointed by the Prime Minister, on the recommendation of the Lord Chief Justice, to monitor use of the law (Investigatory Powers Commissioner) and he will be supported by a panel of judges that can authorise warrants. Warrants can only be raised for issues of either national security, serious crime or in the interests of the Economic Well-Being (EWB) of the United Kingdom.

* The Home Secretary will also retain an ability to grant warrants, although the bill allows for the IPC to review these and even veto them if necessary. The IPC must also publish an annual report on their work.

* In order to address fears of abuse it will now be a criminal offence, punishable by up to 2 years in jail, to “wilfully or recklessly acquire communications data” from a telecommunications operator without lawful authority.

* A new domestic right of appeal against potential abuse of the new rules will also be introduced.

* The bill will place a legal duty on British companies to help law enforcement agencies hack devices in order to acquire information, including if the data has been encrypted.

* The Wilson doctrine, which effectively prevents surveillance of Parliamentarians’ communications, is to become law (i.e. it’s fine to spy on the rest of us, but not MPs?)

* The draft Bill places the same obligations on all companies providing services to the UK or in control of communications systems in the UK. However, the draft Bill only provides for those obligations to be enforced through the courts against overseas companies in respect of communications data acquisition and (targeted and bulk) interception powers.

* Internet providers will be effectively gagged from speaking about their involvement because the bill says they must not disclose the existence or content of a data “retention notice”.

Sadly it’s by no means the first time that a Government has tried to get such laws introduced in the United Kingdom and once again a fight is brewing.

A Brief History of UK Snooping Laws

The pre-2010 Labour Government attempted to introduce a similar law called the Interception Modernisation Programme (IMP). The IMP proposed to intercept and log every Internet user’s e-mail headers, visited websites and telephone history, among other things, and to store it all in a central database.

But the IMP ended up being shelved after receiving significant opposition from almost all corners, much of which referenced the huge costs involved, as well as privacy concerns caused by using a centralised database (a lovely target for state sponsored hackers) and the problematic technical feasibility of its implementation.

Shortly after that a new coalition Government of Conservative and Liberal Democrats was formed in 2010, which after initially pledging to “end the storage of internet and email records without good reason” soon began tabling a revised IMP under a different name (Communications Data Bill).

The bill contained some improvements over Labour’s IMP (e.g. limiting the number of groups who could access the data and replacing the centralised database with a “request filter” that would still do much the same thing), but once again it proved to be just as unpopular.

In 2012 the Joint Committee responsible for conducting pre-legislative scrutiny of the bill described it as “overkill” and called for the text to be “significantly amended” (here). At the time Lord Blencathra, Chair of the Committee, said the bill needed to “strike a better balance between the needs of law enforcement and other agencies and the right to privacy”.

The final nail in the coffin came in 2014 when the European Court of Justice (ECJ) declared that the Regulation of Investigatory Powers Act (RIPA), which is the foundation on which the new bill would stand, was “invalid” because it breached the “fundamental right to respect for private life and the fundamental right to the protection of personal data” (here). On top of that the then Government’s Liberal Democrat coalition partners blocked the bill.

Back to the Present

The Government has since reintroduced the long-standing RIPA laws via their Data Retention and Investigation Powers Act (DRIP), which is temporary legislation with a sunset clause that means it will expire at the end of 2016 (here).

The DRIP Act was recently challenged by a Judicial Review that has already ruled against several key aspects (here), although the process of appeal is on-going. Meanwhile the Government has continued to prepare a replacement that would centralise and extend all of their snooping policies (Investigatory Powers Bill).

On top of that the Prime Minister, David Cameron, has been seeking new powers that would allow them to gain access to encrypted Internet content: “The question is are we going to allow a means of communications which it simply isn’t possible to read. My answer to that question is: no, we must not,” said Cameron earlier this year.

Encryption is of course used all over the place, for everything from securing your credit card transactions to keeping private messages... private. It is an essential tool and one that only works if the decryption keys are kept hidden. Similarly, if we weaken encryption then software and systems supplied by UK firms may be perceived as unsafe and that could hurt businesses.

Admittedly terrorists and criminals can use these features too and the Government are naturally worried about that, although security experts warn that you can’t allow one state or group to have special access and expect that not to be abused by others (e.g. hackers or less democratic countries).

Nick Clegg, Former Deputy Prime Minister, said:

“We have every right to invade the privacy of terrorists and those we think want to do us harm, but we should not equate that with invading the privacy of every single person in the UK. They are not the same thing. The so-called Snoopers’ Charter is not targeted. It’s not proportionate. It’s not harmless.

It would be a new and dramatic shift in the relationship between the state and the individual. People who blithely say they are happy for their communications to be open to scrutiny because they have ‘nothing to hide’ have failed to grasp something fundamental about open democratic societies: We do not make ourselves safer by making ourselves less free.”

Remember that we all have something to hide, from the fact that we close our blinds while undressing or choose to shield some of our most embarrassing medical problems from close friends or even family. Privacy is an important part of the free democratic society and so too is the principle of innocent until proven guilty.

The New Bill

At this point some of you will have probably read a few of the mass media reports, many of which made use of phrases like “watered down” to describe the new bill, although much of this is political spin and many contentious elements remain.

Furthermore we note that some politicians don’t appear to view data, such as which websites you visited, as sensitive personal information, but we’d beg to differ. You can learn a lot about a person from basic metadata (e.g. likes and dislikes) and such data can also be used for blackmail or worse.

At the same time Internet connections are shared, thus you can never be 100% sure who was using the service at the time or even if they were the ones who accessed a specific website, yet this information could still be used against you by the security services.

This all comes before we even get into the difficult field of open WiFi networks and computer hijacking / hacking. As the recent TalkTalk hack shows, we need more security and protection for our data and not less by creating a huge record that could at some point be stolen.

Overall today’s new bill suggests that the fundamental substance of what the Government wants to do remains intact and that’s no surprise as it’s standard practice for the first text of any new draft to represent its most aggressive form. Hopefully that can be softened over the next 8 weeks of debate.

On the other hand the new oversight regime is a clear improvement, although many of the original concerns about technical feasibility and cost still appear to exist. After all, you can’t log all this data without needing a huge amount of data centre storage, which without the expected Government support could easily wipe out the low profit margins of some providers.

Jim Killock, Open Rights Group, said:

“This Bill will redefine the relationship between the state and the public for a generation. The government needs to get it right and make sure that the UK’s law enforcement and security agencies can fight serious crime while upholding all of our human rights.

However, at first glance, it appears that this Bill is an attempt to grab even more intrusive surveillance powers and does not do enough to restrain the bulk collection of our personal data by the secret services. It proposes an increase in the blanket retention of our personal communications data, giving the police the power to access web logs. It also gives the state intrusive hacking powers that can carry risks for everyone’s Internet security.

The Joint Committee must now listen to the concerns of activists and the public if they are to restore trust in the police and security services.”

ISPA Secretary General, Nicholas Lansman, said:

“ISPA welcomes the attempt to modernise and clarify the law. We will work with Government to ensure that the Bill provides ISPs with a clear and stable legal framework that balances necessary powers with oversight whilst minimising the impact on business.”

Elsewhere the Government are still mixing up their legislative language by confusing Internet content with Internet access providers under the general Communications Service Providers (CSP) label, which is despite the fact that both work differently and thus need a separate approach (the Internet is too complicated for a singular approach).

Despite all this the new bill could easily win majority support in the House of Commons because most Labour and Conservative MPs have spent years pushing for it to be introduced. Indeed Labour MP Andy Burnham has already welcomed the bulk of what has been proposed, while the Liberal Democrats lack the influence to have much of an impact any more.

Whatever happens no Government will ever truly be able to force their rules upon the entire Internet, which is a global network of many different countries / laws, and as such there will always be ways to hide online habits and identity. Of course the terrorists know this too and so laws like this may only catch the stupid ones, although in fairness there’s no shortage of those.

The revised bill will now go through around 8 weeks of debate and consultation before being introduced into parliament during spring 2016. It’s also suggested that just £175m has been set aside for implementation, which seems unlikely to be enough and thus consumer prices may suffer.

SIDE NOTE:

Unfortunately for ISPs the “Request Filter” appears to have made a return, which could be described as an API to help the security services more easily access the data they store. Needless to say, there are a lot of technical challenges with this approach.

IP Bill – Potential use of the Request Filter
Example (1): IP address resolution:

An investigator has details of a number of IP addresses which they believe relate to a specific individual, and have been used to access internet services at known times. However, each IP address cannot be resolved to a single individual because at the known time it has been simultaneously shared between many internet users. In this example the Request Filter would be able to match the specific individual in common between the users of each of the IP addresses, then disclose only the communications data about that specific individual to the public authority. Without the Request Filter telecommunications operators would need to disclose details of every individual that had shared the IP addresses at the relevant times, and an analyst working in the public authority would examine all of the individuals’ data to obtain the same result.

Example (2): Location correlation:

If an investigator knows that a person of interest has been in a number of places at certain times, the Request Filter would enable them to determine whether communications service providers retained information that can identify the specific individual that matched being in those locations. Without the Request Filter the data of every individual that matched each location would have to be disclosed and the law enforcement agency would need to correlate the data.
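
To make Example (1) concrete, here is an added Python sketch (not code from the draft Bill or from any ISP) that compares what gets disclosed with and without the filter over a constructed log of shared IP sessions. The record layout, the function names and the rule of disclosing nothing unless exactly one subscriber matches are assumptions made for illustration.

```python
from datetime import datetime, timedelta

T0 = datetime(2015, 11, 4, 12, 0)  # constructed base time

def minute(n):
    return T0 + timedelta(minutes=n)

# Constructed sample log: (subscriber, shared public IP, session start, session end)
SESSIONS = [
    ("sub-A", "198.51.100.7", minute(0), minute(60)),
    ("sub-B", "198.51.100.7", minute(0), minute(30)),
    ("sub-C", "198.51.100.7", minute(20), minute(90)),
    ("sub-A", "198.51.100.9", minute(120), minute(180)),
    ("sub-D", "198.51.100.9", minute(100), minute(200)),
    ("sub-C", "198.51.100.9", minute(170), minute(240)),
    ("sub-A", "203.0.113.4", minute(300), minute(360)),
    ("sub-B", "203.0.113.4", minute(310), minute(400)),
]
# Constructed investigator input: (IP address, known time of use)
OBSERVATIONS = [("198.51.100.7", minute(25)),
                ("198.51.100.9", minute(150)),
                ("203.0.113.4", minute(320))]

def users_of(sessions, ip, when):
    """Every subscriber whose session held the shared IP at that moment."""
    return {sub for sub, sip, start, end in sessions
            if sip == ip and start <= when <= end}

def without_filter(sessions, observations):
    """No filter: everyone who shared any of the IPs is disclosed."""
    disclosed = set()
    for ip, when in observations:
        disclosed |= users_of(sessions, ip, when)
    return disclosed

def request_filter(sessions, observations):
    """Filter: intersect the per-IP user sets; disclose only a unique match."""
    common = None
    for ip, when in observations:
        users = users_of(sessions, ip, when)
        common = users if common is None else common & users
    # Assumption: an empty or ambiguous result discloses nobody.
    if common is not None and len(common) == 1:
        return next(iter(common))
    return None

if __name__ == "__main__":
    print("without filter:", sorted(without_filter(SESSIONS, OBSERVATIONS)))
    print("with filter:   ", request_filter(SESSIONS, OBSERVATIONS))
```

With this sample data the unfiltered route hands over four subscribers to find one, and a single observation on a shared address is not enough to single anybody out.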

By Mark Jackson