UK surveillance reform – third time’s a charm?
As NSA is preparing to end bulk collection of phone calls data in the US, on the other side of the Atlantic, UK is preparing to introduce new regulation regarding investigatory powers of British law enforcement. Presented yesterday, by Home Secretary Theresa May, Investigatory Powers Bill (already known as “snoopers’ charter”) will significantly overhaul currently existing provisions regulating targeted interception, remote search, acquisition of bulk personal datasets and retention of internet connection records by CSPs (Communication Services Providers) as well as oversight and authorisation matters. The fact that data retention is once again introduced in the UK, as it is third time British government is trying to push it through, is especially daunting. Previous attempts were neutralised by judgement of CJEU that declared Data Retention Directive illegal and by decision of the UK High Court, which ordered two sections of the Data Retention and Regulation of Investigatory Powers – apparently British government refuses to be bound by judiciary.
The new bill has two main goals – to gather regulation of all powers available to law enforcement into single act and to create new system of oversight, supposedly one that balances intrusiveness of surveillance methods used by UK security services. There is no point in doing in-depth analysis of each provision, as draft will be certainly reworded many times before passing the parliament, however it is worth to take a better look at aspects that stands out: third entrance of data retention into UK legal system, provisions related to “bulk” equipment interference and overhauled oversight mechanism.
Data retention scheme regarding Internet Connection Records (ICR) might be the most troublesome aspect of the “snoopers’ charter”. The new law will require ISPs to retain data regarding every web page visited by every customer for up to 12 months. The Government claims that information about specific page within domain will not be stored (e.g.: what will be recorded is visit to lawsec.net but not to specific post), however painting it as a privacy safeguard is extremely misleading. Service providers will still be required to retain detailed log of the connection, which includes sender and recipient (IP address); duration of the communication; method, type or pattern – which is probably related to protocol used; telecommunication system from or to which connection is made; if obtainable, location of systems; identifier of apparatus used for the purpose of obtaining access or computer program – which probably means IP of remote server or VPN. It is quite interesting to see British legislation’s attempt of authorising as extensive scheme of data retention as the one that was ruled to be incompatible with fundamental rights of the EU. In fact, if introduced as it is proposed now it will be one of the most intrusive retention legislation in the world. Of course notices that will require ISP to begin retention will be secret.
Also interesting is a concept of bulk equipment interference (that is large scale hacking of whole category of devices e.g: all devices in particular area). It seems that even few years ago it would be unthinkable for government to openly admit that it will conduct large scale, effectively indiscriminate, hacking operation. This provision might be to a degree result of “you can’t put the toothpaste back in the tube” thinking – given that Snowden leaks have already provided insight into large scale operations conducted by the GCHQ, such regulation might be an attempt to those action into legal framework and avoid potential lawsuits against their further use.
Regarding proposed new oversight regulations, new body – Investigatory Powers Commission – will be introduced, as well as Judicial Commissioners tasked with assessing and authorising requests for bulk data collection, targeted equipment interference and acquisition of Bulk Personal Datasets. Furthermore, for most intrusive measures such as bulk equipment interference, bill introduces “double-lock” procedure, where use of powers has to be authorised by Secretary of State who issues warrant and Judicial Commissioner who approves. As always in case of oversight mechanisms, their real effectiveness lies in execution. Whether ‘double-lock’ and independent authorisation from judiciary and executive will be worth anything is strictly a matter of real independence of those in charge of authorisations. Also it is not clear whether Judicial Commissioners will have as much power as the government tries to suggest. As shown by FISC even theoretically robust oversight body does not offer much oversight when it acts as a rubber stamp.
In terms of other provisions, bill does not contain feared ban on encryption, leaving only power to enforce “removal of electronic protection applied by a relevant operator.” which does not mean much in case of open source cryptography. Barely any protection is provided to members of sensitive professions such as lawyers and journalists – judicial authorisation will be required to identify confidential journalistic sources and spying on MPs will require consultation with Prime Minister.