Surveillance bill - judicial oversight, no encryption ban
Home SecretaryThersa May unveiled the draft Investigatory Powers Bill in parliament today. It will be examined in detail by both Houses of Parliament before a final bill is produced and debated and voted on.
UK surveillance questioned as government publishes anti-terror law
A panel of specially qualified judges will now oversee the decisions of Ministers who authorise warrants for communications interception by UK security and law enforcement services under the draft Investigatory Powers Bill unveiled by Home Secretary Theresa May today in what was described as a 'double lock' authorisation process.
The police and security services will continue to apply for warrants to the Home Secretary for more intrusive activities such as the interception of data, and this will be reviewed by the judicial panel - but in the case of an emergency the Minister would be able to make an immediate decision, which would need to be ratified within five days, whereas a law enforcement warrent would last three months, and a security services warrant lasts six months. If the warrant is rejected, the requesting agency can abandon the request, come back with additonal information or an alternative warrant, and in the case of the emergency warrant being overturned it may be necessary to return information obtained. In each case both the Home Secretary and the judiciary will be required to decide if the actions proposed are necessary, targeted and proportionate. Last year there were 2,400 intercept warrants authorised.
In addition an investigatory powers commissioner, who will be a senior judge, will be appointed by the Prime Minister, replaceing the existing three oversight commissioners.
However, the bill will also require web and communications companies to hold "internet connection records" for 12 months so they can be requested by authorities - that is the device and website connected to to obtain the IP address. Although the government has dropped plans to give the authorities full access to everyone's internet browsing history it will collect metadata regarding who is contacting who, what, when and where and this data will be available to the police and security services without a warrant. Looking at the content would require a warrant.
The police account for most of the 500,000 annual external requests for communications data with approval at inspector or superintendent level depending on the kind of data being requested; 40 other public bodies will get different levels of access but often will need a magistrate's authorisation. To avoid the misuse of this data a new criminal offence of "knowingly or recklessly obtaining communications data from a telecommunications operator without lawful authority", will carry a prison sentence of up to two years. Councils are specifically prohibited from accessing such data to 'snoop' on their constituents.
The discussion confirmed on the record that hitherto, GCHQ had, as revealled by Edward Snowden, been engaged in mass surveillance under the 1984 Telecommunications act, but May commented: "Technology has moved on, the law hasn't and we need to update the law."
Encryption is NOT being banned - but cooperation on the part of internet and communications companies regarding unencrypted data will be sought - so for example, the authorities would expect to be able to get as detailed a picture of an internet service's customer, as the service provider has themselves, using the tools currently used by the providers for commercial purposes, eg tracking purchases and preferences etc. This does not preclude the security services from also seeking to break encryption themselves. But they are not asking for backdoors, acknolwedging that these call fall into the wrong hands, and it is accepted that encryption is both useful and necessary for legitimate activities in a digital economy.
The bill also authorises extra terroritorial jurisdicition for UK agencies seeking data from overseas companies operating in the UK.
May says the new act has dropped requirements for data retention by overseas providers and third parties, and web browsing data requirements have been limited.
Liberal Democrat Leader Nick Clegg described the moves as far more 'proportionate' than previous proposals.
May says that the new bill will, "not provide significant new powers - it brings together existing powers into one single piece of legislation," saying that the only new element is the retention of internet connection records, and the rest is about clarifying and strenthening authorisations.
Described as being in line with the Wilson Doctrine, oversight of interception of communications data of the legislature (ie parliamentarians) will require Ministerial warranty, judicial approval, and Prime Ministerial approval, plus there will be additional legal safeguards for sensitive professions such as journalists whose privacy may be deemed in the public interest.
According to Guardian reports quoting Home Office estimates, the cost of new regime has been put at £245 million to £250 million over ten years, after it comes into force in December 2016 with £175 million for data storage and £60 million for judicial oversight.
Renate Samson, Chief Executive of Big Brother Watch, told SCMagazineUK.com: “The recommendation of a ‘double-lock' of political and judicial sign off on the most intrusive powers appears to tick the box of independent judicial approval, but in a world which is increasingly connected online the future demands on a Home Secretary's time could become impractical.
“Requests for retention of internet connection records will provide access to the most detailed data on citizens, not just the who and when of a telephone record, but the what and how of the way we live our lives. The guarantee of security to this retained data will be critical. Furthermore, demands on technology companies to adhere to warrants for encrypted data, as well as the power to legally hack into our devices, could create legislative back doors which in a world of increased cyber-attack could make us more vulnerable to crime.
“There is a great deal to be scrutinised in a very short space of time. For this legislation to really be a world leader in how to protect the privacy and security of law-abiding citizens, the Bill will require a thorough investigation.”
In an email to SCMagazineUK.com, Darren Hayes, Assistant Professor and Director of Cybersecurity at Pace University's Seidenberg School of Computer Science and Information Systems in New York suggests that investigatory powers bill will facilitate more bulk data collection and retention of data, adding that it: “will be warmly welcomed by law enforcement and the intelligence community while simultaneously drawing consternation from consumer rights activists.
He goes on to recognise that: “What is clear is that dramatic improvements in encryption have prompted government leaders in the US and UK to introduce new legislation to address these changes. Companies like Apple have distanced themselves from law enforcement by developing hardware-based encryption with no backdoors. Therefore, an iPhone 6 seized from an ISIS terrorist suspect at JFK Airport cannot be accessed by investigators. Pedophiles know that they can easily mask their identity while they prey on young children."