Has the science and technology committee struck a blow against the Investigatory Powers Bill?

As an organiser for Open Rights Group Birmingham, I have followed with interest and not a little weariness the twists and turns as the government’s draft Investigatory Powers Bill makes its way through the pre-legislative scrutiny phase.

Today, the House of Commons science and technology committee published a highly critical report on the bill, with its chair, Nicola Blackwood MP commenting:

The current lack of clarity within the draft Investigatory Powers Bill is causing concern amongst businesses. There are widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft Bill. The Government must urgently review the legislation so that the obligations on the industry are clear and proportionate.

In particular, the report highlights the following problems:

• The feasibility of collecting and storing Internet Connection Records ICRs – including the very real problem of keeping these highly personal records from (non state-sanctioned) hackers.
• Anxiety amongst communication  providers over the ability to use effective encryption, which Blackwood recognises is “important in providing the secure services on the internet we all rely on“. The committee particularly wants the government to provide greater clarity over the status of end-to-end encrypted communications, where decryption might not be possible by a communications provider that had not added the original encryption.
• Concerns amongst certain communications over ‘equipment interference’. For some providers, such as Mozilla (the makers of Firefox), this concern appears to stem from a genuine concern for its users’ privacy and the integrity of the internet. For other providers, the concern is more about how a perception of hacking could hurt their competitiveness in a global market for services.
• Uncertainty over costs. Coverage of the committee’s report has downplayed the risk associated with spiralling implementation costs, both for government and businesses. At last cost, the Home Secretary has put the cost of implementing the new ICR system at £247 million but the report notes that costs are likely to change (i.e. rise), given the uncertainty and rapid pace of technological change.

It’s worth noting that the committee’s remit was purely to look at the technical feasibility of the government’s proposals and how these might affect communications businesses, not whether the communications monitoring provisions or whether they are proportionate to the threats they are intended to deal with. These issues are expected to be addressed by the joint committe Joint Committee established to scrutinise the draft Bill as a whole.

I believe the criticisms levelled at the bill in this report are significant for a couple of reasons.

Firstly, by focusing solely on the technical feasibility of implementing the bill, it manages to side-step the highly polarised debate between privacy and security advocates. This report says, irrespective of your views on the merits of expanded monitoring of communications, you should be concerned as a citizen and taxpayer about the feasibility of implementing the government’s plans at anything approaching a sensible level of expenditure.

Secondly, by holding up the prospect that the Investigatory Powers Bill will do real harm to the growing UK tech sector, the report will hopefully encourage the government to modify its approach, if only to protect its supposed reputation for business confidence.

Both these signals – questions over the feasability of implementation and the likely damage to the UK’s growing tech sector – will not  in itself be enough to stop the Investigatory Powers Bill becoming law, but it’s a start.

The Joint Committee is due to deliver its full report on the Investigatory Powers Bill no later than 17 February. It will be interesting to see whether this committee takes a similarly critical stance on the merits of expanded monitoring provisions and the limited amount of time the committee was given to scrutinise the bill.

Cost of Investigatory Powers Bill could undermine UK Tech sector – full details of science and technology committee report

Science and Technology Committee of Parliament slams Snoopers’ Charter – Open Rights Group’s reaction to the committee’s report

Dismantling the Government’s Arguments in favour of the Investigatory Powers Bill

In my last post, I argued that if campaigners (including myself) are going to take on the Government over its plans for online surveillance and win, we need to dismantle the claims they are making about these powers being necessary for security and crime fighting.

Since then, I’ve done some further online research and had some interesting conversations on Twitter and at last night’s well-attended Open Rights Group Birmingham meetup. This has helped me to develop my thinking on how to frame the argument in a way that convinces politicians and the general public to sit-up and take notice of what’s at stake with the Investigatory Powers Bill.

Winning the argument over the Investigatory Powers Bill – key lines

Security risks created by the Investigatory Powers Bill

• The new requirement for tech firms to provide  unencrypted communications to the police or security services if requested through a warrant has been widely interpreted as an attempt to weaken encryption.
• Tim Cook, Apple’s Chief Executive, noted in a recent interview with The Telegraph : “If you halt or weaken encryption, the people that you hurt are not the folks that want to do bad things. It’s the good people. The other people know where to go.”
• As Tim Cook explains, “Any backdoor is a backdoor for everyone. Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences.”
• Criminals and other bad people will still be able to access widely available open source encryption tools, while regular people who are less technically sophisticated will be left more vulnerable to data thefts and identity crime, notes security researcher. Paul Bernal, Internet privacy law researcher at the University of East Anglia, notes: “Savvy criminals already use encryption and software like Tor to hide their online activities, so storing web records won’t help combat this.“
• In addition to the weakening of encryption, the bill will create more opportunities for cybercrime. Requiring ISPs to store everyone’s Internet connection records for 12 months will create huge amounts of personal data, which will be highly attractive to criminals. How much more personal data could criminals could have stolen from TalkTalk, had the new collection system been in place? Timothy Brown, Executive Director of Security with Dell Software Group noted: “this only creates larger and more attractive targets for hackers and leaks.“
• The bill proposes granting the security services broad powers to hack computer systems. Doing so will leave critical infrastructure at risk, as the same vulnerabilities used by security services will be exploited by criminals. As Tim Cook  noted: “Any backdoor is a backdoor for everyone.”

Questionable security gains from expansion of surveillance powers

• The bill gives authorities permissions to collect bulk data straight from the public internet cables. From this data, the metadata – the who, what, where and how long rather than the full contents of a communication – will be analysed. Amnesty International, Liberty and the European Court consider this to be mass surveillance.
• The value of bulk collection has been questioned, most notably in the United States. in January 2014, the United States Privacy and Civil Liberties Oversight Board (PCLOB – great acronym, by the way) ruled that the bulk phone records collection had not stopped terrorist attacks and had “limited value” in combatting terrorism more broadly.
• Researchers have also questioned whether this kind of blanket surveillance can ever be an effective of detecting serious crime. Commenting on the surveillance programmes introduced post 9/11 in the United States to search for terrorists, famed security researcher Bruce Schneier noted: “finding terrorism plots is not a problem that lends itself to data mining. It’s a needle-in-a-haystack problem, and throwing more hay on the pile doesn’t make that problem any easier.“
• In 2014, a report approved by the Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the Council of Europe (PACE), noted that resources that might prevent attacks are diverted to mass surveillance, leaving potentially dangerous persons free to act.

Damage to the UK economy

• Speculation over the Investigatory Powers Bill is already hurting business confidence, both within and outside the UK
• On Tuesday, Tim Cook, Chief Executive of Apple, spoke out against the bill, warning of the ‘very dire consequences’ of weakening encryption.
• John Shaw, Vice President of Product Management at Sophos security, has said: “if I was a software business, I would be very worried my customers would not buy my software, because [they] would be worried that there was a backdoor built into this software that would allow the UK to look into my software”.

Expense

• Internet service providers (ISP) have called into question the cost of implementing a key element of the Investigatory Powers Bill, the mandatory collection and retention of every citizen’s Internet Connection Records.
• The Home Office has budgeted for £175 million but this is only intended to cover the initial up-front equipments costs, not the ongoing cost of running the system.
• Matthew Hare, Chief Executive of ISP GigaClear said “the indiscriminate collection of mass data is going to have a massive cost”
• Asked about the feasibility of implementing a system of mass data collection, James Blessing, the chair of the Internet Service Providers’ Association (ISPA),  said ISPs would find it “very feasible – with an infinite budget”.

Human rights and international reputation

• Joseph Cannataci, the UN’s special rapporteur on privacy, said the draft Investigatory Powers Bill heralded a “golden age of surveillance” unlike any that had come before. He also said, “The snoopers’ charter in the UK is just a bit worse than scary, isn’t it,”
• The European Court of Justice has previously ruled against mass data retention, notably in the 2014 Digital Rights Ireland Challenge. In this case, the Court criticised the untargeted nature of the surveillance measure, noting the directive “applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime.”
• The Government’s approach, which enshrines and expands mass data retention, appears to run contrary to the European Court’s judgement and so would be subject to challenge.
• Human rights group Liberty has described the bill as “terrifying” and “an astonishing assault on all of our internet security“.
• Human rights group Amnesty International UK has described the bill as “mass surveillance by another name“, with high intrusive powers which “flies in the face of the UK’s international human rights legal obligations to protect peoples’ rights to privacy, freedom of expression, and others.“

Sources

Amnesty International UK, Mass Surveillance by another name, 6 November 2015 (accessed 12 November 2015)

Ars Technica UK, Snooper’s Charter: UK gov’t can demand backdoors, give prison sentences for disclosing them, 6 November 2015 (accessed 12 November 2015)

BoingBoing, UK law will allow secret backdoor orders for software, imprison you for disclosing them, 10 November 2015 (accessed 12 November 2015)

Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the Council of Europe (PACE), Mass Surveillance Report, 26 January 2015 (accessed 12 November 2015)

EDRi, European Court overturns EU mass surveillance law, 8 April 2014 (accessed 12 November 2015)

IT Pro, Snooper’s Charter puts data at risk even with encryption, 4 November 2015 (accessed 13 November 2015)

Liberty, Investigatory Powers Bill: Spoiler Alert – this is terrifying, 4 November 2015 (accessed 12 November 2015

New Scientist, UK spying rules may drive criminals to use stronger encryption, 11 November 2015 (accessed 13 November 2015)

Schneier on Security, Data Mining for Terrorists, 9 March 2006 (accessed 12 November 2015)

The Guardian, Obama must finally end NSA phone record collection, says privacy board, 29 January 2015 (accessed 12 November 2015)

The Guardian, Broadband bills will have to increase to pay for snooper’s charter, MPs are warned, 11 November 2015 (accessed 12 November 2015)

The Telegraph, Apple’s Tim Cook declares the end of the PC and hints at new medical product, 10 November 2015 (accessed 12 Nov 2015)