In my last post, I argued that if campaigners (including myself) are going to take on the Government over its plans for online surveillance and win, we need to dismantle the claims they are making about these powers being necessary for security and crime fighting.
Since then, I’ve done some further online research and had some interesting conversations on Twitter and at last night’s well-attended Open Rights Group Birmingham meetup. This has helped me to develop my thinking on how to frame the argument in a way that convinces politicians and the general public to sit up and take notice of what’s at stake with the Investigatory Powers Bill.
Winning the argument over the Investigatory Powers Bill – key lines
Security risks created by the Investigatory Powers Bill
- The new requirement for tech firms to provide unencrypted communications to the police or security services if requested through a warrant has been widely interpreted as an attempt to weaken encryption.
- Tim Cook, Apple’s Chief Executive, noted in a recent interview with The Telegraph: “If you halt or weaken encryption, the people that you hurt are not the folks that want to do bad things. It’s the good people. The other people know where to go.”
- As Tim Cook explains, “Any backdoor is a backdoor for everyone. Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences.”
- Criminals and other bad people will still be able to access widely available open source encryption tools, while regular people who are less technically sophisticated will be left more vulnerable to data thefts and identity crime, notes security researcher. Paul Bernal, Internet privacy law researcher at the University of East Anglia, notes: “Savvy criminals already use encryption and software like Tor to hide their online activities, so storing web records won’t help combat this.”
- In addition to the weakening of encryption, the bill will create more opportunities for cybercrime. Requiring ISPs to store everyone’s Internet connection records for 12 months will create huge amounts of personal data, which will be highly attractive to criminals. How much more personal data could criminals have stolen from TalkTalk, had the new collection system been in place? Timothy Brown, Executive Director of Security with Dell Software Group, noted: “this only creates larger and more attractive targets for hackers and leaks.”
- The bill proposes granting the security services broad powers to hack computer systems. Doing so will leave critical infrastructure at risk, as the same vulnerabilities used by security services will be exploited by criminals. As Tim Cook noted: “Any backdoor is a backdoor for everyone.”
Questionable security gains from expansion of surveillance powers
- The bill gives authorities permissions to collect bulk data straight from the public internet cables. From this data, the metadata – the who, what, where and how long rather than the full contents of a communication – will be analysed. Amnesty International, Liberty and the European Court consider this to be mass surveillance.
- The value of bulk collection has been questioned, most notably in the United States. In January 2014, the United States Privacy and Civil Liberties Oversight Board (PCLOB – great acronym, by the way) ruled that the bulk phone records collection had not stopped terrorist attacks and had “limited value” in combatting terrorism more broadly.
- Researchers have also questioned whether this kind of blanket surveillance can ever be an effective way of detecting serious crime. Commenting on the surveillance programmes introduced post-9/11 in the United States to search for terrorists, famed security researcher Bruce Schneier noted: “finding terrorism plots is not a problem that lends itself to data mining. It’s a needle-in-a-haystack problem, and throwing more hay on the pile doesn’t make that problem any easier.”
- In 2014, a report approved by the Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the Council of Europe (PACE) noted that resources that might prevent attacks are diverted to mass surveillance, leaving potentially dangerous persons free to act.
Damage to the UK economy
- Speculation over the Investigatory Powers Bill is already hurting business confidence, both within and outside the UK.
- On Tuesday, Tim Cook, Chief Executive of Apple, spoke out against the bill, warning of the ‘very dire consequences’ of weakening encryption.
- John Shaw, Vice President of Product Management at Sophos security, has said: “if I was a software business, I would be very worried my customers would not buy my software, because [they] would be worried that there was a backdoor built into this software that would allow the UK to look into my software”.
Expense
- Internet service providers (ISPs) have called into question the cost of implementing a key element of the Investigatory Powers Bill, the mandatory collection and retention of every citizen’s Internet Connection Records.
- The Home Office has budgeted for £175 million, but this is only intended to cover the initial up-front equipment costs, not the ongoing cost of running the system.
- Matthew Hare, Chief Executive of ISP GigaClear, said “the indiscriminate collection of mass data is going to have a massive cost”.
- Asked about the feasibility of implementing a system of mass data collection, James Blessing, the chair of the Internet Service Providers’ Association (ISPA), said ISPs would find it “very feasible – with an infinite budget”.
Human rights and international reputation
- Joseph Cannataci, the UN’s special rapporteur on privacy, said the draft Investigatory Powers Bill heralded a “golden age of surveillance” unlike any that had come before. He also said, “The snoopers’ charter in the UK is just a bit worse than scary, isn’t it.”
- The European Court of Justice has previously ruled against mass data retention, notably in the 2014 Digital Rights Ireland Challenge. In this case, the Court criticised the untargeted nature of the surveillance measure, noting the directive “applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime.”
- The Government’s approach, which enshrines and expands mass data retention, appears to run contrary to the European Court’s judgement and so would be subject to challenge.
- Human rights group Liberty has described the bill as “terrifying” and “an astonishing assault on all of our internet security”.
- Human rights group Amnesty International UK has described the bill as “mass surveillance by another name”, with highly intrusive powers which “flies in the face of the UK’s international human rights legal obligations to protect peoples’ rights to privacy, freedom of expression, and others.”
Sources
Amnesty International UK, Mass Surveillance by another name, 6 November 2015 (accessed 12 November 2015)
Ars Technica UK, Snooper’s Charter: UK gov’t can demand backdoors, give prison sentences for disclosing them, 6 November 2015 (accessed 12 November 2015)
BoingBoing, UK law will allow secret backdoor orders for software, imprison you for disclosing them, 10 November 2015 (accessed 12 November 2015)
Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the Council of Europe (PACE), Mass Surveillance Report, 26 January 2015 (accessed 12 November 2015)
EDRi, European Court overturns EU mass surveillance law, 8 April 2014 (accessed 12 November 2015)
IT Pro, Snooper’s Charter puts data at risk even with encryption, 4 November 2015 (accessed 13 November 2015)
Liberty, Investigatory Powers Bill: Spoiler Alert – this is terrifying, 4 November 2015 (accessed 12 November 2015)
New Scientist, UK spying rules may drive criminals to use stronger encryption, 11 November 2015 (accessed 13 November 2015)
Schneier on Security, Data Mining for Terrorists, 9 March 2006 (accessed 12 November 2015)
The Guardian, Obama must finally end NSA phone record collection, says privacy board, 29 January 2015 (accessed 12 November 2015)
The Guardian, Broadband bills will have to increase to pay for snooper’s charter, MPs are warned, 11 November 2015 (accessed 12 November 2015)
The Telegraph, Apple’s Tim Cook declares the end of the PC and hints at new medical product, 10 November 2015 (accessed 12 November 2015)