hoakley General, Macs, Technology

After RIPA, IPA: the UK’s draft Investigatory Powers Bill

After intense – and often misdirected – speculation, and a few bungled pre-announcements, the UK’s draft Investigatory Powers Bill has finally been published.

Together with its supporting ‘factsheets’ and other material, there are several hundred pages of often highly opaque reading. As is so often the case, the draft Bill has many good points.

At present, oversight of the various means by which personal data, communications, etc., can be monitored or intercepted rests with three different bodies, the IoCC, CSC, and ISCom. The Bill proposes replacing these with a single body, the IPC, headed by a senior judge, and with a strong staff including serving or former High Court judges, and a team of “expert inspectors” who will audit compliance and undertake investigations.

Accordingly, the draft Bill brings together all powers of interception which have previously operated under separate legislation, including the quaintly-named Wireless Telegraphy Act (2006), as if anyone still used wireless telegraphy!

However there are several areas of major concern which will no doubt become its key debating points. On my first reading, I see these as being:

  • mass surveillance, here termed “Bulk Powers”,
  • acquiring Internet Connection Records (ICRs),
  • sensitive areas such as journalism,
  • encrypted communications and “targeted equipment interference”.

Mass surveillance

We had always suspected it, Edward Snowden confirmed it, and now we have it acknowledged in writing: the UK conducts surveillance of the private communications of its law-abiding citizens as part of the day-to-day work of its security and intelligence agencies. Of course this is all for the best of reasons, and is mainly directed at those outside the UK.

But under the draft Bill, these security agencies “search for traces of activity by individuals who may not yet be known to the agencies”. Permission for “bulk interception and bulk equipment interference” may only be issued “where the main purpose of the activity is to acquire intelligence relating to individuals outside the UK. Conduct within the UK or interference with the privacy of persons in the UK will be permitted only to the extent that it is necessary for that purpose.”

So as an entirely innocent and untargeted bystander, as a UK citizen remaining within the UK, your communications can be intercepted and analysed by the security agencies, so long as they are being careful about it, and mostly collecting intelligence about those outside the UK.

Internet Connection Records

Quite rightly, some of the biggest concerns have been raised about what the draft Bill refers to as “Internet Connection Records” (ICRs), which it proposes will be collected by ISPs or “telecommunications operators”. In spite of the dense language in the draft Bill and its ‘factsheets’, it remains remarkably unclear what an ICR consists of, and who will be expected to collect them.

Although clearly aimed mainly at ISPs, these could spread beyond to other less direct providers under the term “telecommunications operators”, including Apple, and even perhaps the providers of social media services (section 193, definitions). These records can be required to be kept for a maximum period of 12 months.

So what data will ISPs or “telecommunications operators” be required to retain? The draft Bill is spectacularly vague on this, but does include the following (or data which “may be used to identify, or assist in identifying” them):

  • the sender or recipient (whether or not a person), in practice IP addresses, email addresses, and the like,
  • the time or duration of communication,
  • the type, method or pattern, or fact, of communication, which is probably to be interpreted as the Internet protocol used and port number, e.g. HTTP,
  • the telecommunications system from, to or through which the communication was transmitted, which might include details of the phone or computer used, routers, almost anything,
  • the location of any such system, which allows location of mobile communications,
  • the IP address “or other identifier” of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program, which probably means the remote server’s IP address.

However the supporting Factsheet on Internet Connection Records refers to police being able to identify whether someone was using “a particular smartphone app” at a particular time.

So the assurances that ICRs do not include specific URLs or a detailed browsing history appear to have been accurate. However that is still an unconscionable amount of very personal and sensitive information to collect about most of the population of a country, and appears to be unprecedented in any other country of the world.

The ISPs and “telecommunications operators” are required to secure and protect such retained data, but there do not appear to be any specific penalties for those who might have some ‘stolen’ from them, nor are there personal remedies for those whose data might be stolen. (Think TalkTalk here.)

These ICRs may only be acquired from the ISPs “using the stringent application process for communications data requests”, only for a limited set of purposes, and local authorities will be prohibited from acquiring them. Just as well for such unprecedented snooping.

Sensitive professions

The draft Bill does recognise that certain professions – including medical practitioners, lawyers, journalists, ministers of religion, and MPs – handle sensitive communications and need special care. For these, special measures will be provided in codes of practice. For MPs and similar, that will require consultation with the Prime Minister.

Whether these codes of practice protect those professions is another matter, and no doubt will generate considerable debate for a long time to come.

Encryption

Given the hoo-ha there has been over possible bans on encrypted communications, the draft Bill is remarkably coy about this issue. However, as gaining access to the content of communications is outside the scope of the mass surveillance scheme and ICR collection, you and I should not be too worried about getting our Messages and other secure communications decrypted. Nowhere does the draft Bill make provision for that.

The question of encrypted communications arises in “targeted equipment interference”: in other words, the ultimate and very personal level of surveillance in which a law enforcement agency obtains access to all your communications, the electronic wiretap.

However this is where encryption gets very complicated, and the ‘factsheets’ and explanatory notes do not help. Any ‘person who provides a public telecommunications service’, or a person ‘who has control of the whole of or any part of a public telecommunications system located wholly or partly in, or controlled from, the UK’, is then obliged to assist those agencies in obtaining access to the content of their communications.

There is going to be quite intense exploration as to how much, if any, of that might apply to Apple and other operators who provide encrypted communications services to UK users. Whether Apple will plead that its European operations are in Ireland, and that none of its systems are located in the UK, I do not know.

There is also a let-out in that such operators are only expected to provide as much support to “targeted equipment interference” as is reasonable. No one knows whether it might be deemed reasonable to provide encryption which does not have a back door. There is plenty of room here for negotiation, amendment, and general weaseling which will undoubtedly try to show the UK government as triumphant in its war against terrorism and organised crime.

At what cost to the free and open democracy which we once used to enjoy?