Opposition Grows as UK ISP Internet Spying Bill Hits Parliament

The Draft Investigatory Powers Bill, which among other things aims to force broadband ISPs into logging a much bigger slice of your online activity and to then share it with the security services, will today receive its second reading and the battle lines have already been firmly drawn.

The logs (‘Internet Connection Records‘) would be stored for up to 12 months and the police will not require a warrant in order to access your Internet history (only a somewhat vague approval mechanism exists), although they would still require a warrant when seeking the “interception” of more detailed information (i.e. the content of your communications).

An ‘Internet Connection Record’ may consist of:
1. A customer account reference – this may be an account number or an identifier of the customer’s device or internet connection;
2. The date/time of the start and end of the event or its duration;
3. The source IP address and port;
4. The destination IP address and port – this is the address of the service accessed on the internet and could be considered as equivalent to a dialled telephone number. The port additionally provides an indication of the type of service (for example website, email server, file sharing service, etc.);
5. The volume of data transferred in either, or both, directions;
6. The name of the internet service or server connected to; and
7. Those elements of a URL which constitute communications data – this is the web address which is the text you type in the address bar in an internet browser. In most cases this will simply be the domain name – e.g. socialmedia.com.

The Code of Practice states that an ICR’s “core information” will most likely include just the “account reference, a source [Internet Protocol] and port address, a destination IP and port address and a time/date.” But what gets logged is also said to “depend on the service and service provider concerned” (i.e. if the ISP can collect more data, then that’s what they’ll be asked to do).

It’s important to stress that this level of state surveillance would occur regardless of whether or not you have ever committed or are even suspected of a crime and needless to say that many people are concerned. On the other hand there’s also no shortage of those who support the move and see it as a useful tool for helping to catch terrorists and online criminals, so it’s not just the Government who want it to become law.

The first IPBill draft was only published in November 2015 (summary) and since then there have been three major reports (here, here and here), all of which have poked huge holes in the Government’s arguments and pointed to significant concerns about its cost (the £175m+ allocated is not even remotely enough), impact upon privacy, the potential weakening of end-to-end encryption services and a lack of adequate safeguards.

A revised draft was published at the start of this month (here), which clarified a lot of things and made some improvements, yet many of the core concerns remain and they even added a few new ones. All of these issues will be the subject of today’s House of Commons debate (2nd reading).

At this point the Liberal Democrats and SNP have positioned themselves in opposition to the bill in its current form, while the Labour Party (let’s not forget that they tried to pass an even tougher version of roughly the same bill while in Government) have taken the unusual position of choosing to abstain.

Andy Burnham, Labour’s Shadow Home Secretary, said:

“The bill cannot be supported in its current form but nor should we just oppose it because there is a deadline where the country needs new legislation. What I am saying very clearly to Theresa May is: here are very specific concerns that we have and unless you meet them we will not cooperate with getting this bill on the statute book by the end of the year. That is quite a significant statement.”

According to Burnham, Labour want political campaigners for justice, trade unionists and bereaved families to be excluded from state spying (in practice this would be very hard for ISPs to accurately vet) just like MPs already are. Likewise they want better protection for confidential communications, such as those that take place between MPs, lawyers and journalists.

Labour are also seeking clearer definitions for when the powers can be used and a proportionate list of crimes that would justify the police to access it, which they say should be accompanied by restrictions upon the number of law enforcement agencies than see the data. On top of that they also say that approval for deeper interception should only be granted based on evidence, rather than simply having followed the right process.

Mind you none of this tackles the underlying concerns that ISPs have about the practical cost, storage and processing requirements of simply maintaining such a huge database of sensitive personal data for tens of millions of UK Internet users. On that front the ISPA’s Chair, James Blessing, has today outlined their key concerns. “We are a long way from having a Bill that is clear and workable,” said Blessing.

Key Concerns for UK ISPs (ISPA)

The industry has been asking for and fully supports a reform of the surveillance framework
The Internet industry has long argued for a reform of the legislative framework for surveillance in the UK. ISPA members are fully supportive of a stable and proportionate framework that provides law enforcement with proportionate and necessary powers without undermining user trust. It is vital that the final Bill is comprehensive, comprehensible, workable and complies with all relevant legal obligations.

The Bill does not do what the Home Office says it does
The Investigatory Powers Bill deals with complex technical matters, however, our members do not believe that complexity is an excuse for a poorly drafted Bill. On numerous occasions, there is a disconnect between what can be found on the face of the Bill and what the Government says the Bill will be used for. Given that the Bill is highly intrusive, the Government must put all of its intentions for how it plans to use the powers on to the face of the Bill. Reliance on speeches and non-legislative documents, such as codes of practice, to make clear what the Bill explicitly intends is unsatisfactory.

Key terms, concepts and cost implications remain unclear
In its attempt to future-proof the Bill, the Home Office has opted to define many of the key areas in such a way that our members still find it difficult to understand what the implications would be for them. Of key concern in this area are Internet Connection Records (an entirely new concept), encryption powers, extra-territorial application but also the various definitions of data in the Bill. Members have also expressed concern that the Home Office’s cost estimates are entirely unrealistic. These fundamental points need to be rectified whilst the Bill is being debated, so that MPs and the public can make a proper assessment of the proportionality of the Bill.

Full cost recovery needs to be written into the Bill
Cost recovery is one of the strongest check and safeguard as it provides a clear link between public expenditure and the exercise of investigatory powers. Despite a recommendation by the Science and Technology Committee, there is still no explicit commitment from government to pay the full costs incurred. Our members do not benefit from investigatory powers so it is important that industry is not put a competitive disadvantage and receive full cost recovery.

Parliament must be provided with sufficient time to scrutinise the Bill
Due to the concerns outlined above but also wider issues, our members have significant concerns about the ambitious timetable of the Bill. The Prime Minister himself argued at PMQs (04/11/2015) that the Investigatory Powers Bill is “one of the most important bills this House will discuss.” We recognise that three parliamentary committees have investigated the Bill and made 123 recommendations. However, even our members are not yet fully clear about what the Bill will mean for them. It is vital that Parliament is provided with a sufficient amount of time to scrutinise the Bill.

Elsewhere some 200 senior lawyers have this week signed a new letter, which claims that the bill in its current form compromises the “fundamental right to privacy and may be illegal” (here). At the same time any criminals or terrorists with even basic knowledge of how to use the Internet will simply be able to use encrypted services and VPNs that exist outside of UK control, thus avoiding all of this.

Internet consumers should also be mindful of the fact that some of the significant implementation costs will, without big change, almost certainly push up your broadband and phone bills. The question of how much extra is difficult to answer, but if the ISPA’s warning is correct then it could be a steep hike (here).

Most people can easily understand and support the desire to snoop on suspected criminals and terrorists, but is it really necessary to invade the privacy of every single person in the UK in order achieve that? Do we make ourselves safer by making ourselves less free or is this merely storing up trouble for the future (history shows that such wonderful things as democracy can easily be lost through ignorance and fear). The answer will depend upon the final form of this bill.