On Investigatory Powers

The Draft Investigatory Powers Bill proposes to increase powers to collect and analyse digital data in the UK. Currently being discussed in the UK Parliament, the Bill is designed to provide further powers of data collection and surveillance of any data within the UK and to collate the powers provided by separate legislation presently.

The general purpose of the Bill is one I agree with, but there are specifics which worry me. These are mostly tradeoffs which pose a threat to the private information of the general public.

Bulk data retention will become increasingly invasive as technology develops as part of our lives.

Draft Investigatory Powers Bill Excerpt

My first issue is with the “bulk data retention” which is allowed by the Bill. Due to the open language, a data retention order may be issued to any company which private data passes through. One proportionate cause for collecting data is for the purpose of “detecting crime”. This language is extremely loose and means an order need not be case-specific. This gives us the headlines like “Details of UK website visits ‘to be stored for year’”.

It is important to note here that the language in the Bill permits much more than this headline suggests. “Event data” as defined in the bill includes all data about communications except the content (meaning of the communication) itself, e.g. sender, recipient(s), locations attached, time data. This is known as metadata. For most data this may seem to you like an invasion of privacy but perhaps not a severe one. It means the government can require any company to retain all information about your messages and calls, etc online without a specific warrant mentioning or targeting you.

Technology develops quickly. As a BBC correspondent put it, the Home Secretary, Theresa May, “agreed updated legislation was needed to keep up with changing technology”, giving rise to the Draft Communications Data Bill and now the Draft Investigatory Powers Bill. I fear that the measures in the Bill do not fully consider the future developments of technology and its relation to privacy, however.

Increasingly, we use technology to track our daily lives. Our smartphones track our location. Our fitness apps log our every move. Our news apps know what we read. Our messaging apps communicate the most intimate details of our lives to friends and family. As this trend continues and more of our lives are encapsulated as digital data, the information available to the government will increase exponentially. More metadata will by attached to all our communications online. And please remember that any data being transferred online is classed as “communication”: it’s not just what we logically consider a message from one person to another. The data the government can demand will become more significant over time.

Draft Investigatory Powers Bill Excerpt

Forcing the removal of encryption and adding back-doors weakens all security and privacy online.

Another concern I have about the Bill was expressed widely regarding its predecessor. Many digital security experts worried that legislation such as this could require that encryption not be used when transmitting and storing data. One specific type of encryption (end-to-end encryption) prevents data content being viewed while it is in transit between sender and recipient. This is the encryption which ensures that your banking data is secure and that your private messages in apps like Whatsapp cannot be easily read by malicious hackers. The integrity of encryption is extremely important to ensure that data online can be guaranteed to be secure.

Draft Investigatory Powers Bill Excerpt

This controversial issue is still present in the Draft Investigatory Powers Bill. The language in the Bill requires any person to comply with “technical capability notices”, which are essentially back-doors to data. These notices are not limited by the current language of the Bill and hence include forcing companies to remove full encryption so that no data can be protected, private or secure. These intentional weaknesses imposed upon digital security would leave the public’s private data much more open to being intercepted and read by criminals. Unfortunately it is not possible to break encryption only for the government. Any weakness leaves the data open to a malicious attack as well.

Draft Investigatory Powers Bill Excerpt

Importantly, related to this, the Bill in its current form also mentions that data which companies do not currently record, but which they are able to, can be requested by the government. A company could be required by law to collect all information about you that it possibly can. This gives the government the power to turn any technology company into its own spying organisation. As a mild example, this could mean that any app you have on your phone could be required to store and report your location. Alternatively, all phones could be forced to monitor digital signals such as Wi-Fi and Bluetooth to map the locations of all devices (and hence people) and which devices meet at a location. There are many more creative possibilities which this could allow, and all are potentially damaging to general privacy. All can be demanded by the government.

The scope of the Bill is extremely wide in terms of who it can target and the data it can demand.

Draft Investigatory Powers Bill Excerpt

The range of people, companies and authorities this proposed legislation applies to is wide. The use of language such as that defining a “telecommunications system” in this context particularly gives the Bill a large brief. It means that the government can require any and all providers of communications systems to give them access to private user data. That is anyone who works on a digital product. Speaking as someone who works for a company storing private user data, this worries me. Depending on the nature of the company, this data could be extremely sensitive, up to the health or mental health data about a person. Not only is this worrying for end-users of digital apps and services, but also to the companies who rely on users’ trust to provide useful, loved features and encourage innovation in the technology industry. This comes down to one of the core tradeoffs the Bill presents: privacy and uninhibited free speech vs. the prevention and detection of crime. To me it seems this particular open language in the bill would be damaging and gives unnecessary power to the government. It leaves us saying “well they will probably never do that”, but we should not settle for legally encouraging the government to invade our privacy so fully.

Strong non-disclosure requirements are placed on any person involved; up to 5 years imprisonment.

Draft Investigatory Powers Bill Excerpt

One of the most troubling parts of the Bill is what has been dubbed by analysts as “gagging orders” which prevent anyone from discussing requirements placed upon them. The non-disclosure requirements prevent anyone involved in providing data from discussing the case with experts and even elected members of parliament. As UCl Associate Professor of Security and Privacy Engineering, George Danezis, said: the non-disclosure section “in effect means shielding [the Bill] from any proper scrutiny as related to its necessity, or appropriateness in the future, or any debate on that matter.” It means that no cases can be discussed in the future even when related to the details of the Bill itself. Notably, the only people whom the Bill allows any person affected by it to discuss an order against them with are the people who issue the order or one of fifteen Judicial Commissioners. There is no possibility to challenge the order if it has not been addressed to you, for example.

One important concept for companies developing software or hardware is “responsible disclosure”. This is when an outside party who finds a flaw with the security of a system can report this issue to be fixed. Responsible disclosure is often seen as the positive contrary to using knowledge of security flaws illicitly or maliciously. By imposing non-disclosure orders – gagging orders – the government muddies the waters with those who wish to make technical systems more secure through programs like responsible disclosure. The government is at odds with the incentive of the general public and technology companies for data to be secure. This position is one which I struggle to support in its current form.

There are, of course, arguments supporting the Bill and increased investigatory powers.

There are some strong arguments for having good availability of data to law enforcement and security services. Having data which is acted upon effectively can and does prevent terrorist attacks. Though that number may not be as high as people would hope, the positive affect of legislation such as this is notable. Data collection and analysis is good for finding and placing individuals on watch lists. However, other initiatives are much more significant in ensuring the public’s security. Even with a larger set of data, with increasing data access over recent years, the UK government and other EU authorities have shown that terrorist attacks are not always more easily prevented. Note the Charlie Hebdo case: “Charlie Hebdo suspects on US terrorist watchlist ‘for years’”. Powers of surveillance are a good foundation, but they will never stop or solve crime alone.

Much more likely I suspect is that this Bill would assist with less serious crime, including online and financial crime. In these examples, the larger set of data could be significant. The availability of that data to police units across the country could find connections between people and eventually lead to finding criminals.

As with most things, this is not a black-and-white situation. Giving further access to private data and compromising digital security is not the magic solution to all our problems with extremism, or crime, or any of the other issues mentioned in the Bill. We should not be too quick to see the issue as privacy vs. national security as it is not at all so clear-cut.

While we provide powers to the government and law enforcement to allow them to protect us, it is always worth considering the negative effects. Please, remember the damage to all online security, encryption and public privacy. Remember the increasing invasiveness of collecting personal data as we use technology more. Remember the non-disclosure requirements preventing important democratic discussion about this legislation’s orders.

Tweet Share





← View all articles