orbitalflower

Draft IP Bill's fake judicial oversight

Posted in Opinion on

I don’t have the legal expertise to analyze the recent release of the UK’s draft Investigatory Powers Bill, but there are already some useful comments about the proposed law.

Conservative MP David Davis was highly critical of his own party’s new law and made two excellent points on Twitter. First, all oversight will be carried out by officers appointed by the Prime Minister, not by an independent body as recommended by the Anderson report. Second, the judicial oversight will only check that procedure was followed, not that the law was followed.

The oversight standard of the bill is a complete sham. It gives the illusion of judicial oversight, but keeps all the power within the Cabinet Office where GCHQ wants it.

More doublespeak

Another piece of doublespeak from Theresa May is the phrase “world-leading oversight regime”.

Divide its literal meaning from its implied value. Literally, it means the UK will do something no other country has done. But the unproven implications are that it’s the best solution in the world, that the only reason nobody else has done this before is that the UK is ahead of the times, and other countries will soon follow suit.

The reality is that other attempts to pass this kind of law around the world have failed, including the UK’s earlier multiple attempts to pass the Snooper’s Charter. Collecting citizens’ internet history is illegal in the US, Canada, Australia and most of Europe, according to the Guardian.

May is further quoted as saying “It’s not mass surveillance”, which is misleading because other, top secret systems already conduct mass surveillance.

Backdoored oversight

The IP Bill replaces all existing oversight units (the IoCC, the CSC, and ISCom, according to the bill) with a new IPC, who David Davis MP points out will be appointed directly by the Prime Minister. The IPC will be supported by Judicial Commissioners, who are also appointed directly by the Prime Minister.

The Home Secretary, also appointed directly by the Prime Minister, will continue to sign off on warrants. The Judicial Commissioners will also sign off on the warrants, but Davis warns that they will have no power to actually weigh evidence, and Snowden called it notational, not serious.

Leaked GCHQ documents revealed that they are desperately frightened of actual judges gaining the power to grant their warrants. A judge is an expert in what is legal and proportionate, whereas the Home Secretary is just a politician who accepts GCHQ claims at face value.

Targets will be allowed the right of appeal, but the IP Bill doesn’t allow them to be informed that they have been targeted unless they have been the subject of serious errors.

Metadata vs content

ISPs will be forced to divulge only metadata, not content. But what GCHQ decides to be metadata is secret and not always obvious.

Your instant messenger buddy list is metadata. The folders you sort your e-mail into. User IDs scraped from cookies. Passwords and usernames. E-mail addresses and phone numbers.

The draft bill promises to change this definition, though how it will decide exactly what is and isn’t metadata in practice has yet to be seen. Likewise, the summary is perhaps deliberately vague in its explanation of who will be able to access this metadata and under what circumstances.

Britain has been hacking for years

The draft bill admits that yes, UK law enforcement and intelligence already engage in hacking, or “equipment interference”. The National Crime Agency already hacks targets, which should have been obvious given its success against hackers and high secrecy.

Hacking has been secretly interpreted as legal under the Intelligence Services Act 1994 and Police Act 1997. The new law will explicitly allow intelligence and military to hack devices without a warrant in some circumstances, though fewer than at present, and will limit law enforcement to using it only for serious crime, however exactly that is defined.

UK ISPs will be forced to help agencies deploy hacking, which quite probably they are already doing, given reports of “black box” devices installed at British ISPs. Smaller orgs will have an assigned “single point of contact” who deals with all requests, which will help keep it secret. Larger companies like BT presumably do so much of this hacking stuff that they need more than one guy.

Hacking warrants will allow the Secretary of State to judge whether they are necessary and proportionate, in intelligence cases, or the Chief Constable, in serious criminal cases. The Judicial Commissioner does no actual judging, giving politicians and police significantly increased power over the people.

Britain finally admits mass surveillance

The draft bill admits that the UK uses mass surveillance to map people’s social networks and discover new targets, for intelligence cases, terrorism and serious crime.

Under RIPA, it records communications en masse in order to search them for terrorist and criminal activity.

Under section 94 of the aptly-named Telecommunications Act 1984, it analyzes domestic and foreign metadata to map relationships between suspects.

The Intelligence Services Act 1994 allows the UK to engage in “bulk equipment interference”, or mass hacking. It increasingly uses this to access data it lost access to post-Snowden, after Google and Yahoo discovered the NSA/GCHQ stealing user data from their systems and sites like Facebook enabled HTTPS to protect user privacy.

Safeguards we don’t have

It’s the safeguards that are most frightening, because they suggest that those safeguards don’t already exist. They also suggest an upper limit to what the safeguards will be.

Mass surveillance warrants will only be granted to security and intelligence agencies, and only for the purpose of national security. This leaves open the possibility that Tempora, XKeyscore or bulk hacking were being used for domestic crime, and commercial espionage under the guise of economic wellbeing.

Mass surveillance and mass hacking, but not metadata collection or targeted hacking, will be limited to acquiring information on people outside the UK. However, data can be taken from people inside the UK as long as the warrant targets someone abroad; e.g. forcing EE to automatically rootkit any UK phone that communicates with a known member of Al Qaeda. It’s limited to cases where this is “necessary”, but only the Home Secretary decides what’s necessary.

Protections applying to data will apply to metadata. Previously, if data was acquired for a certain purpose (perhaps only terrorism), its data could not be used for other purposes (perhaps commercial espionage), but its metadata could.

Use of bulk data belonging to UK persons will now require a targeted warrant to use that information. This suggests that the data of foreign targets is freely collected and accessed without individual warrants, and will continue to be, while data has been collected on UK targets without individual warrant.

In all cases, the warrant here is a “Home Secretary special” and not an ordinary court warrant. This is likely to see terror suspects denied rights in the interest of national security, something Theresa May has a record of being okay with.

Reading your internet history

ISPs will be forced to keep logs of all users for 12 months, listing what hosts that user has connected to. The UK reveals in its report that it can currently do this, but only starts collecting when provided a warrant for that user. The new bill requires them to hold this data for all users, even if not suspected of a crime.

ISPs are already required to take orders from the Secretary of State on matters of national security, under the Telecommunications Act 1984 (again, aptly named). Under RIPA, they’re required to remove encryption that they apply, something which one would imagine mainly applies to mobile providers.

The government will be required to pay ISPs for their expense, which is probably already something that happens.

Stripping encryption

The other big issue was that this bill was expected to outlaw apps which used end-to-end encryption. According to this draft bill document, it won’t, for two reasons.

First, it promises not to change existing law:

“The draft Bill will not impose any additional requirements in relation to encryption over and above the existing obligations in RIPA.”

According to the document, RIPA legislation already requires Communications Service Providers (CSPs) to maintain the ability to decrypt any encryption that they apply. The term CSP generally applies to ISPs and phone companies.

The second reason is that UK law doesn’t apply to non-UK companies, so any requests would be purely voluntary.

But there are loopholes that would allow the encryption ban to sneak back in.

The result is that PGP, OTR, iMessage, Facetime and Signal are still probably going to be safe. If the government really wants your data, they’ll just hack your device.

Feedback

A Joint Committee of Parliament is expected to form and request feedback from the public. I recommend that you contact this committee when it puts out its request for feedback.

The Home Office also accepts e-mail feedback on the bill at investigatorypowers@homeoffice.gsi.gov.uk.