A third UK parliamentary committee has now published a report on the government’s draft surveillance legislation.
The report of the joint select committee, which is made up of a majority of Conservative MPs and Peers, takes a more supine approach than the ISC committee report earlier this week, with many statements where the committee accepts the government’s position, while still suggesting it should publish, for example, fuller justification for each of the so-called “bulk capabilities” (aka mass surveillance powers) to be set out in the legislation.
The committee does recommend a raft of specific changes to the draft bill, although its general tone is more supportive than the ISC report. Cambridge University security researcher Ross Anderson, one of the expert witnesses who gave evidence to the committee, dubs the report “deeply disappointing“.
That said, one of the committee members, the Lib Dem Peer Lord Strasburger, summing up the report for Wired, calls for the bill to be “fundamentally rethought and rebuilt”, branding it “sloppy in its wording and short on vital details”. Albeit, at times Lord Strasburger has stood out as something of a lone dissenting voice speaking up for privacy and civil liberties on the committee.
“[The report] tells the government to make clear that it does not expect companies to provide decrypted copies of end-to-end encrypted information. It finds the proposed Internet Connection Records, essentially a log of everything that everyone does on the internet, to be largely undefined, difficult and costly to deliver, and risky for the ISPs to store safely for 12 months. It says that there should be strong protections to prevent journalists’ sources from being exposed and for legally privileged communications,” writes Strasburger.
“So this Bill is a long way from the finished article,” he adds. “It needs more than mere tweaking, it needs to be fundamentally rethought and rebuilt. The Home Office should stop rushing to push it through and take its time to get it right.”
The Investigatory Powers Bill (IP bill) was introduced by the UK government this fall, with the aim of — in its words — plugging “capability gaps” for domestic intelligence and law enforcement agencies operating in an increasing technological context by expanding state surveillance powers, such as laying out a requirement that ISPs must log details of all the websites visited by citizens over a 12 month period. Hence critics dubbing it another ‘Snoopers’ Charter’.
The government wants the IP bill passed by the end of this year when existing emergency surveillance powers, passed under DRIPA in 2014, are set to expire. Which gives a relatively short timeframe for the parliamentary scrutiny process. So all the committee reports are key steps and will steer the wider response of MPs and Peers in Parliament and the Lords when they begin to look in earnest at the proposals.
Talking of expiring, the joint select committee is at least pushing for a review of the new powers after five years. When the Home Secretary gave evidence to the committee last month she rejected the idea put to her by the committee of including a sunset clause in the legislation, arguing that ISPs will need certainty that the provisions are permanent.
The committee notes this but says: “We are of the view that some form of review after five years would be merited. We believe that a review provision of this sort, which would require the next Parliament to revisit the powers which are in the draft Bill, would go some way to provide assurance to those who have expressed concerns over the operational case for some of these powers. The evidence of several years’ operation will inform the debate.”
“A provision which asked Parliament to revisit the intrusive powers it gives to the Executive after a period would, in our view, be a healthy way to fulfil the welcome aspirations for greater openness and legitimacy which underpin the draft Bill,” it adds.
It is also recommending “detailed post-legislative scrutiny” of the bill after “an appropriate period” — suggesting this should be another joint select committee and should start six months after the end of the five-year operational period. (Albeit, that’s a rather ‘shutting the door after the horse has bolted’ type of provision.)
Other key suggestions of the committee include that the language around encryption should be clarified, as noted by Lord Strasburger — and in line with calls from other critics.
“We agree with the intention of the Government’s policy to seek access to protected communications and data when required by a warrant, while not requiring encryption keys to be compromised or backdoors installed on to systems. The drafting of the Bill should be amended to make this clear,” writes the committee.
“The Government still needs to make explicit on the face of the Bill that CSPs offering end-to-end encrypted communication or other un-decryptable communication services will not be expected to provide decrypted copies of those communications if it is not practicable for them to do so. We recommend that a draft Code of Practice should be published alongside the Bill for Parliament to consider.”
The encryption point is especially key, given that earlier this week the FT newspaper reported that UK intelligence agencies have apparently warned Silicon Valley tech giants the UK government intends to press ahead with plans to force companies to decrypt encrypted private messages sent between their customers — contrary to statements made by the Home Secretary to the joint select committee on this very point — with spooks said to be intending to rely on overly broad clauses in the current draft bill to enable them to force companies to decrypt user data (clauses such as one that requires “electronic protection applied by a relevant operator to any communications or data” to be removed).
The UK government has been cooking up a pretty fudge on encryption for more than a year, with senior politicians such as the Prime Minister appearing to call for a ban on encryption then apparently rowing back and saying they are not calling for anything of the sort. The mixed messaging is unsurprisingly reflected in the opaque language of the draft legislation on encryption. But if the government’s intention is to legislate to outlaw end-to-end encryption that should at least be made clear in the language of the bill — so it can be quite rightly opposed in parliament.
The committee is also uncomfortable with so-called thematic bulk warrants, asserting that “the current wording of the provisions for targeted interception and targeted equipment interference warrants is too broad” and recommending that the language of the bill “be amended so that targeted interception and targeted equipment interference warrants cannot be used as a way to issue thematic warrants concerning a very large number of people”.
Another area the committee wants to see changes is on so-called ‘urgent’ warrants, where the legislation affords for a Secretary of State to be the sole authorization mechanism in such urgent situations — and judicial approval (the “double lock” authorization mechanism) only carried out in retrospect (so, at times, only a single lock in practice).
The committee wants the period afforded for back-checking by a judge to be shortened from the current five days to within 24 hours. It is also calling for greater clarity on the term “urgent” in this context.
It also specifically warns the government that operation of some of the bulk capabilities set out in the bill could infringe European human rights law. “It is possible that the bulk interception and equipment interference [hacking] powers contained in the draft Bill could be exercised in a way that does not comply with the requirements of Article 8 as defined by the Strasbourg court. It will be incumbent upon the Secretary of State and judicial commissioners authorising warrants, and the Investigatory Powers Commissioner’s oversight of such warrants, to ensure that their usage is compliant with Article 8,” it notes.
The committee is also critical of the bill’s position on intelligence sharing and flags up the risks of potential workarounds to safeguards via agreements with foreign intelligence services — so it is directly calling for “more safeguards” to be put on the face of the bill.
“These should address concerns about potential human rights violations in other countries that information can be shared with,” it notes, adding specifically that “the Bill should make it illegal for UK bodies to ask overseas agencies to undertake intrusion which they have not been authorised to undertake themselves”.
With so many detailed criticisms of the draft bill, one of the specialist advisors to the joint select committee — Martin Hoskins — is today suggesting there may not be enough parliamentary time this year to pass even a narrower bill.
“Should Parliament concentrate on passing a Bill that is narrower in scope this year, say one that just addresses the data retention and oversight provisions? Is there really sufficient time to consider other elements — such as overhauling the bulk data and equipment interference provisions in 2016? A second Bill, containing the remaining provisions, could always be considered in 2017,” he writes, noting constraints on the parliamentary calendar this year such as the EU referendum campaign and the various holidays and recesses scheduled in 2016. “That doesn’t leave a lot of time for legislating.”
“So, a new bill needs to be ready and tabled within weeks,” he adds. “And, if it is to get through both Houses of Parliament unscathed, it really does needs to take full account of each of the 123 recommendations that have been made by the scrutiny Committees. There will be no rest for the Home Secretary, her officials and the Parliamentary draftsmen for the foreseeable future.”