The UK Government has published a draft of the long-awaited Investigatory Powers Bill.
Since the Snowden revelations, civil liberty groups have been calling for a new law that would restrain the UK intelligence and law enforcement agencies. The UK government, however, has been calling for increased surveillance powers since the failure of the draft Communications Data Bill in 2012. The Bill, which became known as the ”Snoopers’ Charter” proposed forcing Internet Service Providers (ISPs) and phone companies to keep data about UK citizens’ Internet browsing activity, emails and phone calls for 12 months. The Bill was defeated but there have been repeated calls to bring it back, and even an attempt to insert its provisions as amendments to a different Counter Terrorism Bill.
The draft Investigatory Powers Bills does not go as far as the draft Communications Data Bill, but it would oblige ISPs to keep data about websites visited by their customers for 12 months. EDRi member Open Rights Group (ORG) will make a submission to the Joint Committee that will now scrutinise the legislation.
The draft bill spells out the powers that the security services have for the collection of content and data in bulk. Although this had been done for years, no one really understood the extent of the UK Government Communications Headquarters’ (GCHQ’s) capabilities until the Snowden leaks. The government has acknowledged that secret agencies have been going even further, accessing data in bulk from UK internet providers, not “just” from international cables. The bill effectively endorses these previously secret – and at face value disproportionate – mass surveillance powers. This is in addition to powers to obtain bulk datasets, such as contact lists, driving licences, travel or banking records.
One of the most controversial parts of this new Bill is that ISPs will be forced to keep much more detailed data about their clients’ internet activities. To access this data, the police would need to get a court order – this seems to be a concession to the European Court of Justice (CJEU) ruling in April 2015 that said there must be safeguards for accessing retained data. In July 2015, the UK High Court (EWHC) said that parts of the Data Retention and Investigatory Powers Bill were unlawful for the same reason.
The new Bill proposes a new system of “double-lock”, where some warrants will be signed both by the Secretary of State or an authorised person, and additionally by a special judge. At face value this might seem an improvement on the current situation where judges do not have a role, but there are concerns that in practice this may simply amount to a rubber-stamp. Judges would have a very narrow role, only being allowed to check that there are grounds for the minister’s decision, and that procedures have been followed, but not to challenge the substance of the decision. Fully independent judicial authorisation would be a more meaningful guarantee of due process. Disappointingly, the draft new bill still allows police, councils and other agencies to obtain communications data without the need to involve a judge.
The Bill asks for powers to compel communications providers to assist with demands for interception. How companies do this will presumably be at their discretion. In some cases this might involve compromising their software to make the encryption less effective.
The Bill clarifies the powers of security agencies to break into individuals’ laptops and mobile phones, including worrying new powers for non targeted mass hacking. It also forces internet companies to help in hacking their customers.
What are the positives? On first reading the Bill seems to be very clear about the powers being given to the State. Transparency over these activities is very welcome, as it enables debate and challenges to specifics, including in the courts. There also seems to be improvements to redress, including the right to appeal rulings by the Investigatory Powers Tribunal. The new Investigatory Powers Commissioner may also bring improvements to democratic oversight.
ORG’s initial view is that the draft bill appears to be a missed opportunity to rein in the surveillance state. It mainly seems to legalise current practices, and add a veneer of human rights compliance without fundamentally changing what the police and secret agencies already do.
First take on the Investigatory Powers Bill (05.11.2015)
(Contribution by Pam Cowburn, EDRi member Open Rights Group, United Kingdom)close