Rebutting UK.Gov’s Investigatory Powers Act defense

As the Investigatory Powers Act became law, a petition to repeal it quickly attracted over 10,000 signatures, and therefore a Government response. (ETA: it seems few were persuaded by that response – the petition has now attracted more than 150,000 signatures).

The UK.gov petitions platform is a medium through which the Government promotes its policies. It is not a place HMG chooses to engage seriously with issues. The Investigatory Powers Act has cross-party backing and the Home Office won’t be changing a course they’ve been pursuing for fifteen years just because a small number of people have become upset belatedly.

Nonetheless the Government’s response to the petition is risible – and I couldn’t resist taking it apart. This is off the top of my head – I have probably mis-remembered some things and I could do a better job with some research time. But anyway, here we go…

The Investigatory Powers Act dramatically increases transparency around the use of investigatory powers.

It would be difficult to be less transparent. Lots of this newfound transparency has been forced on the Government through Investigatory Powers Tribunal cases brought by civil society organisations, most notably Privacy International, and of course by the 2013 revelations made by Edward Snowden. The Act still represents the minimum transparency the Government could get away with.

It protects both privacy and security…

The Act requires technology companies of all types to render their products and services insecure on demand. It creates new security vulnerabilities too: ISPs must create, store for twelve months, and make available to dozens of state agencies comprehensive records of your private online activities (so-called Internet Connection Records or ICRs). As time goes on, the probability of at least one such trove being hacked, lost, stolen or otherwise exposed approaches one. The Act is certain to reduce the security of everyone in Britain. Whether it also increases security against some incredibly rare threats, such as terrorism, is an open question.

The Act represents a massive reduction in both liberty in general and privacy in particular. Forty-three state agencies, including HMRC, the DWP and the Food Standards Agency, will get the power to view your browsing history, as will every police force, ambulance service and fire service in the country. Many of these authorities will be given a powerful new search-engine facility, called a “request filter”, to use against ICR databases and other “bulk datasets” (e.g. medical records, bank records). In the case of ICRs, no warrant will be required to use this search engine, and no audit trail of searches will exist. You won’t be told if your private details have been viewed – whether or not in pursuit of a legitimate enquiry and regardless of whether you were a suspect. GCHQ and the NSA are the same organisation for all practical purposes, so Donald Trump’s Government and millions of security-cleared Americans will get access to all this for free.

and underwent unprecedented scrutiny before becoming law.

All of which was ignored by the Government – except for one suggestion: that they exempt themselves from the Act’s provisions.

The Government is clear that, at a time of heightened security threat…

We have always been at war with East Asia. You should be afraid.

…it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe.

The state is benevolent – trust us…

The Investigatory Powers Act transforms the law relating to the use and oversight of Investigatory powers.

This invites you to fall for an implied fallacy of common cause: change is good, this Act changes things, therefore this Act is good.

It strengthens safeguards and introduces world-leading oversight arrangements.

A bar so low a slug could clear it without a run-up. Also it’s not true: judges issue warrants in democracies, not ministers.

The Act does three key things. First, it brings together powers already available to law enforcement and the security and intelligence agencies to obtain communications and data about communications. It makes these powers – and the safeguards that apply to them – clear and understandable.

It would be difficult for the Investigatory Powers Act to be less clear than its predecessor, the Regulation of Investigatory Powers Act 2000 (RIPA), which was designed deliberately to obscure its effects. Secret, wildly creative interpretations of RIPA, and other laws such as the Telecommunications Act 1984, helped Government break the law with impunity for a generation.

The Investigatory Powers Act is not at all clear. It has generated a huge amount of debate amongst interested parties about exactly what effects it might have and on whom. Important aspects have been left to secondary legislation and regulations, which will not be well scrutinised, on the pretext that this is “future proofing” against technical developments. Future proof laws are vague laws that beg to be stretched beyond their original context.

Second, it radically overhauls the way these powers are authorised and overseen. It introduces a ‘double-lock’ for the most intrusive powers, including interception and all of the bulk capabilities, so warrants require the approval of a Judicial Commissioner.

Britain will remain the only western democracy where the executive branch issues warrants.

The ministerial warrants themselves will not be approved by judicial commissioners. The commissioners are only allowed to check whether a Secretary of State followed the correct process when issuing a warrant. There’s nothing they can do to oppose them unless the SoS messed up the paperwork.

And it creates a powerful new Investigatory Powers Commissioner to oversee how these powers are used.

OK. This oversight will be public to a limited extent only though. Secret oversight is not oversight.

The Investigatory Powers Act requires the technology industry to develop and put into service the world’s most advanced infrastructure for facilitating a police state. That’s the hard part. Ignoring the mechanisms that purport to constrain this infrastructure’s use would be trivial for a future British despot. This is the definition of turn-key tyranny. Calling the Investigatory Powers Act “poor civic hygiene” transforms Bruce Schneier’s prescient warning into pure British understatement.

Third, it ensures powers are fit for the digital age. The Act makes a single new provision for the retention of internet connection records in order for law enforcement to identify the communications service to which a device has connected.

Translation: comprehensive records of your private activities will be collected, stored for a year, and made available to myriad authorities via a powerful search-engine. That a democracy should be allowed this level of intrusive insight into the lives of its entire population, regardless of suspicion, is terrifying. Trying to claim this is somehow restrained is incredible.

This will restore capabilities that have been lost as a result of changes in the way people communicate.

The claim that intelligence services are somehow losing capabilities due to the communications revolution is ridiculous.

By the intelligence services’ own admission, we are living in a golden age of signals intelligence. They have never had so much information. They are drowning in it. They don’t know what to do with it. If they’ve lost any capability, it’s because they have far more data than they can process into anything of value.

The Bill was subject to unprecedented scrutiny prior to and during its passage.

The fact that the Bill was subject to unprecedented scrutiny says nothing about the quality of the Bill.

The Bill responded to three independent reports: by David Anderson QC, the Independent Reviewer of Terrorism Legislation; by the Royal United Services Institute’s Independent Surveillance Review Panel; and by the Intelligence and Security Committee of Parliament. All three of those authoritative independent reports agreed a new law was needed.

Agreeing that a new law is needed is far from agreeing this law is needed. All three reports criticised the draft Bill severely. The Government then ignored all those criticisms.

The Government responded to the recommendations of those reports in the form of a draft Bill, published in November 2015. That draft Bill was submitted for pre-legislative scrutiny by a Joint Committee of both Houses of Parliament. The Intelligence and Security Committee and the House of Commons Science and Technology Committee conducted parallel scrutiny. Between them, those Committees received over 1,500 pages of written submissions and heard oral evidence from the Government, industry, civil liberties groups and many others.

This is the best the Government can say about the feedback they received on their plans: that there was lots of it. They fail to mention that it was universally negative feedback and that they changed nothing of substance in the Bill as a result of it.

The recommendations made by those Committees informed changes to the Bill and the publication of further supporting material.

The Intelligence and Security Committee of Parliament said, “privacy protections should form the backbone of the draft legislation, around which the exceptional powers are then built” and added, “one might have expected an overarching statement at the forefront of the legislation.” The Home Office response was to add the word “Privacy” to a heading in Part One of the Bill.

That’s it.

The new supporting material consisted of a number of strawman arguments designed to prop up powers the Government had decided it wanted already. Evidence-based policy-making this was not.

A revised Bill was introduced in the House of Commons on 1 March, and completed its passage on 16 November, meeting the timetable for legislation set by Parliament during the passage of the Data Retention and Investigatory Powers Act 2014. Over 1,700 amendments to the Bill were tabled and debated during this time.

The Government has adopted an open and consultative approach throughout the passage of this legislation, tabling or accepting a significant number of amendments in both Houses of Parliament in order to improve transparency and strengthen privacy protections. These included enhanced protections for trade unions and journalistic and legally privileged material, and the introduction of a threshold to ensure internet connection records cannot be used to investigate minor crimes.

Parliament thought the Bill was so bad it saw fit to table more than 1,700 amendments to try to bring it up to scratch. The vast majority were rejected by the Government, meaning the deficiencies Parliament sought to correct were ignored. Only one change of any significance was accepted. It exempted MPs from the provisions of the Act (though the Prime Minister can still overrule this exemption) and made it slightly more difficult to spy on journalists and lawyers without getting a proper warrant (the rest of us can be surveilled without a warrant).

The Government has placed privacy at the heart of the Investigatory Powers Act. The Act makes clear the extent to which investigatory powers may be used and the strict safeguards that apply in order to maintain privacy. A new overarching ‘privacy clause’ was added to make absolutely clear that the protection of privacy is at the heart of this legislation. This privacy clause ensures that in each and every case a public authority must consider whether less intrusive means could be used, and must have regard to human rights and the particular sensitivity of certain information. The powers can only be exercised when it is necessary and proportionate to do so, and the Act includes tough sanctions – including the creation of new criminal offences – for those misusing the powers.

Again, this safeguard consisted of adding the word “privacy” to a section heading, and changing nothing else.

The Investigatory Powers Act represents a reduction in liberty and a loss of privacy for UK citizens. If the Act had not been passed then ISPs would not retain records on our web-browsing habits. Technology companies would not have to help the Government hack their products so their users can be spied upon. Nobody would feel the chilling effect of mass surveillance when they wanted to research or explore controversial ideas, embarrassing medical conditions, niche sexual interests et cetera.

The safeguards in this Act reflect the UK’s international reputation for protecting human rights. The unprecedented transparency and the new safeguards – including the ‘double lock’ for the most sensitive powers – set an international benchmark for how the law can protect both privacy and security.

What this law sets is an international precedent that mass surveillance is normal, acceptable and even desirable for modern states to install. I suspect it will be copied abroad. Indeed it has already been cited as inspiration for repressive laws in China and Australia.