The UK is going through the painful process of rewriting its interception laws following the Snowden revelations. At the same time it is reviewing its communications data retention and acquisition laws. These will all be bundled together in one piece of legislation: the Investigatory Powers Bill. The Bill, when it becomes law, is likely to become a model for legislation in other countries.
A draft of the Bill has been under scrutiny by three Parliamentary Committees. They have all reported in the last two weeks: the House of Commons Science and Technology Committee, the Joint Intelligence and Security Committee and, yesterday, the Joint Committee charged with formal pre-legislative scrutiny. (I gave evidence to the scrutiny committee.)
The three Committees are all critical of the draft Bill to different degrees, the ISC being especially scathing. This is my quick view on some of the many issues raised in the reports.
The Bill has to be intelligible to Parliament, to the technology and communications industry and, most importantly of all, to the general public. The message from all three Committees is that so far the draft Bill has fallen short on all these counts. This is not a strong foundation on which to build the trust in the investigatory powers system that the Anderson Review (one of three reviews commissioned following Snowden) said was essential.
Another lesson from the Committee reports is that it is not enough to have safeguards and oversight, important as those are. The powers themselves must be carefully limited, fully aligned with technical considerations and strictly justified.
While Codes of Practice will be helpful and are favoured by the Joint Committee, they are in my view no substitute for intelligible and appropriately drawn legislation.
The Joint Committee has, in effect, sent the Home Office back to do more homework on aspects such as mandatory generation/retention of internet connection records (ICRs) and bulk interception, equipment interference and communications data acquisition powers. The Home Office has to address significant concerns, both technical and civil liberties, especially on ICRs. On bulk powers the Committee has largely deferred to the Intelligence and Security Committee.
There will inevitably be frustration that many of these issues were not fully addressed when the government presented the draft Bill, resulting in late Home Office evidence that the Committee was not able to assimilate fully.
Given the significance of the technical and civil liberties issues raised, the Home Office has a formidable task ahead of it to address them satisfactorily now.
Internet Connection Records as itemised phone bills
The draft Bill proposes to extend data retention obligations to include so-called Internet Connection Records. Unlike previous data retention requirements these would include destination data such as details of websites visited.
The Joint Committee has performed a valuable service in nailing the myth that Internet Connection Records are no more than the equivalent of an itemised phone bill. ICRs are more like a combination of universal CCTV and a mandatory log of our reading habits. The debate over the justification for requiring ICRs to be generated and retained can now take place in its proper context: that, as a rolling map of our online lives, ICRs would be vastly more intrusive than an itemised phone bill.
Internet of things
With the addition of Internet Connection Records, the scope of the data retention clause is far wider than existing data retention laws. It could cover all machine-to-machine communications, the connected thermostat in our house, our car checking for software updates, as well as all the background activities of our devices. The breadth of this clause deserves more attention than the Joint Committee has been able to give to it.
The Committee’s proposal for a five-year review of the legislation by Parliament is welcome, but could have gone further. Experience with the existing interception legislation (the Regulation of Investigatory Powers Act, RIPA) teaches us that attempting to future-proof powers leads to unintelligibly abstract legislation and the risk that new technology will upset the balance between intrusion and privacy settled on by Parliament. We can see the results of this kind of future-proofing in the universal criticism of the lack of clarity of the draft Bill.
With RIPA the combination of internet and mobile phone technology has, by a mere accident of technology, caught within its net an ever-growing swathe of everyday activities and consequently thrown an avalanche of new data into the hands of law enforcement and the intelligence agencies. While the powers have remained the same, the balance between privacy and intrusion now embodied in RIPA bears little resemblance to that settled upon by Parliament in 2000.
In the Bill there could usefully be a greater focus on future-proofing the privacy/intrusion balance. That would tend towards concrete, technology-specific drafting (and thus greater intelligibility), sunsetting of powers and frequent revisiting by Parliament.
That approach would also require continuing information and openness about how the powers have been used, so that Parliament could engage in an informed debate when it came to review the legislation.