
Problems Remain – Government Publishes Revised ISP Internet Spying Bill

Tuesday, Mar 1st, 2016 (3:50 pm)

After receiving strong criticism from three major reports, the Government has today appeared to rush out a revised draft of their controversial Investigatory Powers Bill (IPB), which hopes to force broadband ISPs into logging and monitoring a much bigger slice of your online activity.

In simple terms the bill introduces a number of new powers, such as requiring ISPs to maintain a log (Data Retention) of your online activity for up to 12 months (irrespective of whether or not you’ve committed a crime) and then making it easier for approved organisations (police etc.) to access that information.

The first IPBill draft was only published in November 2015 and since then there have been three major reports (here, here and here), all of which have poked big holes in the Government’s arguments and pointed to significant concerns about its cost, the impact upon privacy, the potential weakening of end-to-end encryption services and a lack of adequate safeguards.

All of the three reports, which were only published last month, also noted a lack of detail and a failure to clearly define what an Internet Connection Record (ICR) should constitute; this reflects the data that ISPs will be expected to log and so is very important to get right.

Only a few weeks have passed since those reports were published and yet the Government has today rushed out a revised draft, which claims to make the following broad tweaks.

IPBill Tweaks Statement

* [The Government] responded to the committees’ call for greater clarity by producing a much clearer bill (we have refined technical definitions and are publishing additional material alongside the bill to explain how the powers in the bill will be used and why they are needed).

* [The Government] made the privacy safeguards clearer and stronger (the bill incorporates additional protections for journalists, removing an exemption for the security and intelligence agencies when seeking to identify journalists’ sources and it incorporates statutory protections for lawyers).

* [The Government] will continue to work closely with industry to develop implementation plans for retaining internet connection records in response to recommendations from the Joint Committee and the Science and Technology Committee.

As usual what the Government says and what it produces are still not entirely in balance. For example, the same provisions for attempting to access encrypted communications still exist, but they’ve now added a clause that says this can only be done where it is “practicable” (i.e. end-to-end encrypted communications might be safe from such requests, but it’s not 100% clear).

In other areas the Government has also expanded, rather than scaled back, some of its measures. For example, the bill now allows police to access all web browsing records in specific crime investigations (originally it only focused on illegal websites and communications services specified in the first draft). We’ve summarised just a few of the other tweaks below.

Summary of Several Key IPBill Tweaks

* ISPs will now be permitted (previously they were NOT permitted) to disclose the existence of a data retention notice in specified circumstances, but ONLY with the permission of the Secretary of State.

* The security and intelligence agencies will now have to seek judicial authorisation for acquiring communications data to identify a journalistic source.

* On the cost of implementation the Government said, “it would not be appropriate to commit future Governments to pay the full cost of compliance, as it would limit their discretion on this issue … In practice, the Government has a long-standing position of reimbursing 100% of the costs associated with data retention. There are no current plans to change that policy, which was confirmed by the Home Secretary on the floor of the House of Commons on 21 February 2016.”

* Clause 80 of the Bill provides a route for CSPs to appeal to the Secretary of State should a company consider that the obligation placed on them would incur unreasonable costs. In considering their appeal, the Secretary of State must take advice from the Technical Advisory Board (TAB) on costs and technical feasibility and from the Investigatory Powers Commissioner (IPC) on proportionality.

* The bill will now allow law enforcement to acquire Internet Connection Records (ICR) to identify the internet services that a person or device has accessed that are not related to communications services nor contain illegal material, provided that this is necessary and proportionate for a specific investigation.

* The Government claims to have created a “consistent definition” of what an ICR actually is. The first draft didn’t include any real definition, which left many ISPs to scratch their heads about what data they would be expected to log. We had to dig deep in order to find the definition, but this is what we uncovered:

An ICR may consist of:
1. A customer account reference – this may be an account number or an identifier of the customer’s device or internet connection;
2. The date/time of the start and end of the event or its duration;
3. The source IP address and port;
4. The destination IP address and port – this is the address of the service accessed on the internet and could be considered as equivalent to a dialled telephone number. The port additionally provides an indication of the type of service (for example website, email server, file sharing service, etc.);
5. The volume of data transferred in either, or both, directions;
6. The name of the internet service or server connected to; and
7. Those elements of a URL which constitute communications data – this is the web address which is the text you type in the address bar in an internet browser. In most cases this will simply be the domain name – e.g. socialmedia.com.

We can see a few potential problems with the ICR definition, although the text does state that its “core information” will most likely include just the “account reference, a source [Internet Protocol] and port address, a destination IP and port address and a time/date” (what gets logged is ultimately said to “depend on the service and service provider concerned”).

However, there’s still a rather big question mark over how you separate “content” from that which constitutes “communications data” in a URL / web address (i.e. a URL can also include names, phone numbers and messages when transmitted via http instead of https). Splitting out this information automatically sounds like an almost impossible filtering process and it would be better if the Government limited it to only domain names, as opposed to using the “in most cases” caveat (see above).
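To make the domain-only option concrete, here is an added example (not taken from the bill, its codes of practice or this article) that reduces a URL to its host before anything is written to a retention log and shows which parts are discarded as potential content. The function names, record field names and sample values are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def _split(url):
    # Bare "host/path" input needs a "//" prefix for urlsplit to see a host.
    if not _SCHEME.match(url) and not url.startswith("//"):
        url = "//" + url
    return urlsplit(url)

def communications_data(url):
    """Keep only the host, i.e. the 'domain name' element of a URL."""
    host = _split(url).hostname  # lowercased; userinfo and port removed
    if not host:
        raise ValueError("no host in URL: %r" % url)
    return host.rstrip(".")

def discarded_parts(url):
    """Components treated as potential content and never written to the log."""
    p = _split(url)
    found = {"userinfo": p.netloc.rpartition("@")[0], "path": p.path,
             "query": p.query, "fragment": p.fragment}
    return {k: v for k, v in found.items() if v not in ("", "/")}

def build_icr(account_ref, start, end, src, dst, url=None):
    """Hypothetical record: the 'core information' fields plus an optional host."""
    icr = {"account_ref": account_ref, "start": start, "end": end,
           "src_ip": src[0], "src_port": src[1],
           "dst_ip": dst[0], "dst_port": dst[1]}
    if url is not None:
        icr["service_host"] = communications_data(url)
    return icr

# Constructed sample: a plain-http request whose query string carries a
# name and phone number, the situation the paragraph above describes.
SAMPLE_URL = "http://SocialMedia.com:80/search?name=Jane+Doe&phone=07700900123#inbox"
SAMPLE_ICR = build_icr("ACC-0001", "2016-03-01T15:50:00Z", "2016-03-01T15:50:04Z",
                       ("192.0.2.10", 51544), ("198.51.100.7", 80), SAMPLE_URL)

if __name__ == "__main__":
    print(SAMPLE_ICR)
    print("discarded:", discarded_parts(SAMPLE_URL))
```

A host-only rule is mechanical to apply and audit; anything beyond it (paths, query strings) requires per-site judgement about what counts as content, which is the filtering problem described above.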

Similarly the request for the “name of the internet service or server connected to” may be challenging, especially when you try to log any connection to a modern website that can result in a convoluted mass of data as most websites call information from several other remote and local servers when you load them (to an ISP this would just be one big mess of IP addresses and requests). The bill does talk about not requiring ISPs to log “third party data”, but the description of how they interpret this is tedious to understand.

Home Secretary, Theresa May, said:

“This is vital legislation and we are determined to get it right. Our proposals have been studied in detail by a Joint Committee of both Houses of Parliament established to provide rigorous scrutiny, and 2 further committees.

The revised Bill we introduced today reflects the majority of the committees’ recommendations – we have strengthened safeguards, enhanced privacy protections and bolstered oversight arrangements – and will now be examined by Parliament before passing into law by the end of 2016. This timetable was agreed by Parliament when we introduced the Data Retention and Investigatory Powers Act in summer 2014.

Terrorists and criminals are operating online and we need to ensure the police and security services can keep pace with the modern world and continue to protect the British public from the many serious threats we face.”

Overall the revised bill is unlikely to silence the Government’s critics and many problems remain, not least with regards to the open question of how much it will all cost (estimates upwards of £175m+ still seem absurdly low) and how long it will take for ISPs to implement a working system (we can’t see smaller ISPs achieving this any time soon, but they may only need to cater for the so-called “core information”; see above).

James Blessing, Chair of the UK ISPA, said:

“With the Joint Committee publishing its report a mere nineteen days ago to conclude the pre-legislative parliamentary scrutiny, ISPA is disappointed that the Home Office has moved forward with a revised Bill in such a short space of time. It is widely agreed that a new legislative framework is needed that balances the interests of privacy, security and the impact on the Internet industry.

The Prime Minister himself said that it “is one of the most important Bills that this parliament will pass and it is vital that it is scrutinised and debated properly”, we now hope that Parliament is given sufficient time to properly scrutinise the Bill in order to get a Bill that is proportionate and workable.

Whilst we welcome the publication of further information alongside the revised Bill, including the associated draft codes of practice, the Home Office has pledged a number of changes to the Bill that will require close scrutiny. For example, as more work is undertaken to better understand Internet Connection Records, the powers have been extended, and there are still questions to be answered around the use of technical capability orders and definitions used in the Bill.

With the Bill and numerous supporting documents published today, ISPA will be holding a meeting with members to discuss the Bill in full.”

Jim Killock, Open Rights Group (Executive Director), said:

“The Home Office is treating the British public with contempt if it thinks it’s acceptable to rush a Bill of this magnitude through Parliament. MPs and peers need sufficient time to consider the fundamental threats to our privacy and security posed by the Investigatory Powers Bill. Many have their minds elsewhere, dealing with important decisions about Europe.

On first reading, the revised Bill barely pays lip service to the concerns raised by the committees that scrutinised the draft Bill. If passed, it would mean that the UK has one of the most draconian surveillance laws of any democracy with mass surveillance powers to monitor every citizen’s browsing history.”

The bill has now gone before parliament and will no doubt receive a fair bit of scrutiny as part of that process, which will probably produce some further changes along the way. The Government will aim for the Bill to pass into law before the end of 2016, which would allow it to replace their existing temporary legislation that runs out at the same time.

The Revised 2016 IPBill
http://www.publications.parliament.uk/../cbill_2015-20160143_en_1.htm

Government Responses to IPBill Committees
https://www.gov.uk/../investigatory-powers-bill-overarching-documents

IPBill Codes of Practice
https://www.gov.uk/../investigatory-powers-bill-codes-of-practice

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.