Investigatory Powers Bill briefing

(1) What is the Investigatory Powers Bill? 

  • The government is setting out the powers it has to order GCHQ to collect and analyse vast amounts of Internet data. These powers are being set out in response to information released by several whistleblowers.

  • These powers were never discussed by Parliament. The principle of collecting information about people who are not under suspicion of any criminal activity has never been democratically agreed.

  • The Bill gives the Police new powers. Private companies would be forced to collect detailed information about what everyone does online.

  • Internet records would be directly accessible by the police without judicial authorisation. Location data from phones, and Internet records could be data mined by the police, through a “filter”. This power could enable the police to engage in fishing trips. It will also be costly to collect everyone’s personal web histories and keep them secure.

  • There are also powers to hack networks and computers, including “bulk hacking” of unidentified machines.

  • The bill allows GCHQ to hack of people or companies who are not under suspicion. This is a routine measure, lacking special restrictions, rather than an exceptional power.

  • The committees made 123 recommendations for changes. They were concerned about the economic impacts, poor definitions and the lack of proper justifications for the powers – “operational cases”. Most of these have been not been properly dealt with in the revised Bill.

  • Authoritarian regimes will pass similar laws. The Bill’s impact will reach beyond the UK as other countries pass similar laws. The Chinese Government said it took inspiration for its much-criticised terrorism law from the the US and UK.

 

(2) GCHQ Powers

(a) Is collecting bulk data the same as mass surveillance?

The government says that collecting and analysing personal information does not constitute surveillance. They contend that it only becomes “surveillance” when a person looks at information. This means that huge amounts of information pertaining to every UK person can be gathered, sorted, analysed and re-examined while this bill contends that no meaningful intrusion is taking place.

Computers are in fact much better at surveillance than people.

The police delete DNA information collected about innocent people because it agrees that this is an unfair intrusion into those people’s privacy.

(b) Could GCHQ do better with targeted surveillance 

Bulk programmes are very expensive. They involve collecting vast amounts of information, mostly irrelevant, then building the means to sort through it to find what is needed. There are serious arguments that ‘less is more’. Bill Binney, the former Technical Director of the NSA, is among those who think that bulk programmes are actually endangering lives.

The very least that Parliament needs to do is to ensure that these programmes are regularly tested against questions of effectiveness and cost. The bill has no mechanism to do this.

(c) Encryption powers – are they dangerous or justified?

Strong encryption keeps our online activities such as emailing, shopping and banking secure. Undermining encryption would make millions of people vulnerable to criminal attacks. The bill is unclear as to when encryption would be interfered with, or if the risks will be independently assessed.

The Bill includes vague powers to compel communications providers assist with surveillance demands, including removing “electronic protections”. In some cases this might require that companies compromise their software to make the encryption less effective. This could have severe consequences for everyone’s Internet security.

(2) Police powers

(a) Do the police need web histories (ICRs)?

No other democratic country collects its citizens’ web browsing history. Existing “data retention” of more limited Internet records has stopped in about half of Europe, including Germany. Yet there is no sign that a flood of cases are failing to be solved.

Most cases can be solved by more than one evidential route. While investigations often use communications data, data can come from many sources. It is not always necessary to get it from retained records.

There is yet to be a single study that convincingly shows that police data retention is effective. Even the European Commission, deeply attached to data retention measures, can’t find any convincing evidence. 

The question is whether the cost of ICRs matches the supposed benefits—and whether keeping every innocent person’s reading records is really the right thing for a democracy to do.

(b) What will keeping ICRs cost? What could be done with that money? 

The Home Office have said that the cost to ISPs for collecting ICRs will come to £174.2 million over ten years; BT say that this would cover their costs alone. The Internet Service Providers Association said that they “do not recognise” this figure. The Science and Technology Committee has warned that uncertainty about costs, “risks undermining the UK’s strongly performing Tech sector”. Costs may well spiral, as the amount of data collected increases and with the filtering necessary to make sense of it and the measures to keep it secure from criminals.

(c) What is the operational case for these powers?

Late in the day, the Home Office has published operational cases for bulk collection and equipment interference. As with the operational case for ICRs, these are anecdotal rather than thorough analyses of the benefits, risks and threats; the committees have not had time to interrogate them.

In the USA, the Privacy and Civil Liberties Oversight Board has removed a number of “bulk” programmes as essentially useless. In the bill, there is no mechanism to examine the case and stop them if they are in fact not worth the money.

It is essential that Parliament and oversight bodies are able to review and stop these powers. But this bill lacks the means to do so.