Has the science and technology committee struck a blow against the Investigatory Powers Bill?

As an organiser for Open Rights Group Birmingham, I have followed with interest and not a little weariness the twists and turns as the government’s draft Investigatory Powers Bill makes its way through the pre-legislative scrutiny phase.

Today, the House of Commons science and technology committee published a highly critical report on the bill, with its chair, Nicola Blackwood MP commenting:

The current lack of clarity within the draft Investigatory Powers Bill is causing concern amongst businesses. There are widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft Bill. The Government must urgently review the legislation so that the obligations on the industry are clear and proportionate.

In particular, the report highlights the following problems:

• The feasibility of collecting and storing Internet Connection Records ICRs – including the very real problem of keeping these highly personal records from (non state-sanctioned) hackers.
• Anxiety amongst communication  providers over the ability to use effective encryption, which Blackwood recognises is “important in providing the secure services on the internet we all rely on“. The committee particularly wants the government to provide greater clarity over the status of end-to-end encrypted communications, where decryption might not be possible by a communications provider that had not added the original encryption.
• Concerns amongst certain communications over ‘equipment interference’. For some providers, such as Mozilla (the makers of Firefox), this concern appears to stem from a genuine concern for its users’ privacy and the integrity of the internet. For other providers, the concern is more about how a perception of hacking could hurt their competitiveness in a global market for services.
• Uncertainty over costs. Coverage of the committee’s report has downplayed the risk associated with spiralling implementation costs, both for government and businesses. At last cost, the Home Secretary has put the cost of implementing the new ICR system at £247 million but the report notes that costs are likely to change (i.e. rise), given the uncertainty and rapid pace of technological change.

It’s worth noting that the committee’s remit was purely to look at the technical feasibility of the government’s proposals and how these might affect communications businesses, not whether the communications monitoring provisions or whether they are proportionate to the threats they are intended to deal with. These issues are expected to be addressed by the joint committe Joint Committee established to scrutinise the draft Bill as a whole.

I believe the criticisms levelled at the bill in this report are significant for a couple of reasons.

Firstly, by focusing solely on the technical feasibility of implementing the bill, it manages to side-step the highly polarised debate between privacy and security advocates. This report says, irrespective of your views on the merits of expanded monitoring of communications, you should be concerned as a citizen and taxpayer about the feasibility of implementing the government’s plans at anything approaching a sensible level of expenditure.

Secondly, by holding up the prospect that the Investigatory Powers Bill will do real harm to the growing UK tech sector, the report will hopefully encourage the government to modify its approach, if only to protect its supposed reputation for business confidence.

Both these signals – questions over the feasability of implementation and the likely damage to the UK’s growing tech sector – will not  in itself be enough to stop the Investigatory Powers Bill becoming law, but it’s a start.

The Joint Committee is due to deliver its full report on the Investigatory Powers Bill no later than 17 February. It will be interesting to see whether this committee takes a similarly critical stance on the merits of expanded monitoring provisions and the limited amount of time the committee was given to scrutinise the bill.

Cost of Investigatory Powers Bill could undermine UK Tech sector – full details of science and technology committee report

Science and Technology Committee of Parliament slams Snoopers’ Charter – Open Rights Group’s reaction to the committee’s report

Dismantling the Government’s Arguments in favour of the Investigatory Powers Bill

In my last post, I argued that if campaigners (including myself) are going to take on the Government over its plans for online surveillance and win, we need to dismantle the claims they are making about these powers being necessary for security and crime fighting.

Since then, I’ve done some further online research and had some interesting conversations on Twitter and at last night’s well-attended Open Rights Group Birmingham meetup. This has helped me to develop my thinking on how to frame the argument in a way that convinces politicians and the general public to sit-up and take notice of what’s at stake with the Investigatory Powers Bill.

Winning the argument over the Investigatory Powers Bill – key lines

Security risks created by the Investigatory Powers Bill

• The new requirement for tech firms to provide  unencrypted communications to the police or security services if requested through a warrant has been widely interpreted as an attempt to weaken encryption.
• Tim Cook, Apple’s Chief Executive, noted in a recent interview with The Telegraph : “If you halt or weaken encryption, the people that you hurt are not the folks that want to do bad things. It’s the good people. The other people know where to go.”
• As Tim Cook explains, “Any backdoor is a backdoor for everyone. Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences.”
• Criminals and other bad people will still be able to access widely available open source encryption tools, while regular people who are less technically sophisticated will be left more vulnerable to data thefts and identity crime, notes security researcher. Paul Bernal, Internet privacy law researcher at the University of East Anglia, notes: “Savvy criminals already use encryption and software like Tor to hide their online activities, so storing web records won’t help combat this.“
• In addition to the weakening of encryption, the bill will create more opportunities for cybercrime. Requiring ISPs to store everyone’s Internet connection records for 12 months will create huge amounts of personal data, which will be highly attractive to criminals. How much more personal data could criminals could have stolen from TalkTalk, had the new collection system been in place? Timothy Brown, Executive Director of Security with Dell Software Group noted: “this only creates larger and more attractive targets for hackers and leaks.“
• The bill proposes granting the security services broad powers to hack computer systems. Doing so will leave critical infrastructure at risk, as the same vulnerabilities used by security services will be exploited by criminals. As Tim Cook  noted: “Any backdoor is a backdoor for everyone.”

Questionable security gains from expansion of surveillance powers

• The bill gives authorities permissions to collect bulk data straight from the public internet cables. From this data, the metadata – the who, what, where and how long rather than the full contents of a communication – will be analysed. Amnesty International, Liberty and the European Court consider this to be mass surveillance.
• The value of bulk collection has been questioned, most notably in the United States. in January 2014, the United States Privacy and Civil Liberties Oversight Board (PCLOB – great acronym, by the way) ruled that the bulk phone records collection had not stopped terrorist attacks and had “limited value” in combatting terrorism more broadly.
• Researchers have also questioned whether this kind of blanket surveillance can ever be an effective of detecting serious crime. Commenting on the surveillance programmes introduced post 9/11 in the United States to search for terrorists, famed security researcher Bruce Schneier noted: “finding terrorism plots is not a problem that lends itself to data mining. It’s a needle-in-a-haystack problem, and throwing more hay on the pile doesn’t make that problem any easier.“
• In 2014, a report approved by the Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the Council of Europe (PACE), noted that resources that might prevent attacks are diverted to mass surveillance, leaving potentially dangerous persons free to act.

Damage to the UK economy

• Speculation over the Investigatory Powers Bill is already hurting business confidence, both within and outside the UK
• On Tuesday, Tim Cook, Chief Executive of Apple, spoke out against the bill, warning of the ‘very dire consequences’ of weakening encryption.
• John Shaw, Vice President of Product Management at Sophos security, has said: “if I was a software business, I would be very worried my customers would not buy my software, because [they] would be worried that there was a backdoor built into this software that would allow the UK to look into my software”.

Expense

• Internet service providers (ISP) have called into question the cost of implementing a key element of the Investigatory Powers Bill, the mandatory collection and retention of every citizen’s Internet Connection Records.
• The Home Office has budgeted for £175 million but this is only intended to cover the initial up-front equipments costs, not the ongoing cost of running the system.
• Matthew Hare, Chief Executive of ISP GigaClear said “the indiscriminate collection of mass data is going to have a massive cost”
• Asked about the feasibility of implementing a system of mass data collection, James Blessing, the chair of the Internet Service Providers’ Association (ISPA),  said ISPs would find it “very feasible – with an infinite budget”.

Human rights and international reputation

• Joseph Cannataci, the UN’s special rapporteur on privacy, said the draft Investigatory Powers Bill heralded a “golden age of surveillance” unlike any that had come before. He also said, “The snoopers’ charter in the UK is just a bit worse than scary, isn’t it,”
• The European Court of Justice has previously ruled against mass data retention, notably in the 2014 Digital Rights Ireland Challenge. In this case, the Court criticised the untargeted nature of the surveillance measure, noting the directive “applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime.”
• The Government’s approach, which enshrines and expands mass data retention, appears to run contrary to the European Court’s judgement and so would be subject to challenge.
• Human rights group Liberty has described the bill as “terrifying” and “an astonishing assault on all of our internet security“.
• Human rights group Amnesty International UK has described the bill as “mass surveillance by another name“, with high intrusive powers which “flies in the face of the UK’s international human rights legal obligations to protect peoples’ rights to privacy, freedom of expression, and others.“

Sources

Amnesty International UK, Mass Surveillance by another name, 6 November 2015 (accessed 12 November 2015)

Ars Technica UK, Snooper’s Charter: UK gov’t can demand backdoors, give prison sentences for disclosing them, 6 November 2015 (accessed 12 November 2015)

BoingBoing, UK law will allow secret backdoor orders for software, imprison you for disclosing them, 10 November 2015 (accessed 12 November 2015)

Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the Council of Europe (PACE), Mass Surveillance Report, 26 January 2015 (accessed 12 November 2015)

EDRi, European Court overturns EU mass surveillance law, 8 April 2014 (accessed 12 November 2015)

IT Pro, Snooper’s Charter puts data at risk even with encryption, 4 November 2015 (accessed 13 November 2015)

Liberty, Investigatory Powers Bill: Spoiler Alert – this is terrifying, 4 November 2015 (accessed 12 November 2015

New Scientist, UK spying rules may drive criminals to use stronger encryption, 11 November 2015 (accessed 13 November 2015)

Schneier on Security, Data Mining for Terrorists, 9 March 2006 (accessed 12 November 2015)

The Guardian, Obama must finally end NSA phone record collection, says privacy board, 29 January 2015 (accessed 12 November 2015)

The Guardian, Broadband bills will have to increase to pay for snooper’s charter, MPs are warned, 11 November 2015 (accessed 12 November 2015)

The Telegraph, Apple’s Tim Cook declares the end of the PC and hints at new medical product, 10 November 2015 (accessed 12 Nov 2015)

Why I’m Setting up an Open Rights Group in Birmingham

Next month, it’ll be five years since I left the weird and wonderful world of local government. In the years that have followed, I have explored different career paths, developed new skills, worked for a range of organisations and as a freelancer, moved from London to Birmingham and got married.

Why digital rights matter to me – a personal perspective

With the exception of getting married, what’s tied all these activities together and made experimentation possible has been digital technology and the open internet. Digital technology and the open internet has enabled me to discover new and interesting ideas beyond the mainstream media. It has given me the tools to express myself and develop greater confidence in my own thinking and outlook. Social media, particularly Twitter, has allowed me to connect with, learn from and partner with a wider range of people and organisations both for work purposes as well as independent pursuits such as Roots of Reggae and Bournville Social Media Surgery. And very significantly, throughout the last five years digital technology and the internet has been instrumental to me earning a living and developing my new career in communications.

While the circumstances of my initial career change in 2010 have played a role in deepening my relationship and sense of connection with all things digital, I also know from talking to friends, family members and colleagues that I am not alone. It’s become a platitude to say we now live in a digital world but when we look around us, it is hard to ignore the scale of social, economic and political changes that can be attributed, at least in part, to digital technology.

Bringing digital rights into the mainstream

Given the transformative effect digital technology is having on us as individuals and our society, I believe we need to find a way of bringing discussions and decision-making about digital technology into the civic and political mainstream.

By working hard to put across a persuasive case for being both pro-digital and pro-human rights I believe we can help decision-makers and people in positions of influence to realise the decisions we take in relation to digital technology and the internet have far reaching implications for our rights as citizens and the society we live in.

Moving from reactive campaigning to a positive vision of a digital society

Currently, a lot of attention has been given to the government’s revival of the so-called Snoopers’ Charter and the implications for privacy and freedom of expression arising from mass surveillance. Public scrutiny has also been applied to the Transatlantic Trade and Investment Partnership (TTIP), which is being negotiated in secret between the EU and the USA, and which potentially brings intrusive measures associated with copyright policy. While these high profile cases provide an opportunity to rally supporters and often see off the worst aspects of different proposals, we must do more than simply respond to threats when they arise, we need to come together and develop a movement that is capable to putting across a convincing, positive vision for a society that is both pro-digital and pro-human rights.

Introducing the Open Rights Group

After quite a lot of research and enquiry as to how people around the world have approached the issue of ‘digital rights’, I came across the UK-based Open Rights Group, whose vision of a digital society I share:

As society goes digital we wish to preserve its openness. We want a society built on laws, free from disproportionate, unaccountable surveillance and censorship. We want a society in which information flows more freely. We want a state that is transparent and accountable, where the public’s rights are acknowledged and upheld.

We want a world where we each control the data our digital lives create, deciding who can use it and how. We want the public to fully understand their digital rights, and be equipped to be creative and free individuals. We stand for fit-for-purpose digital copyright regimes that promote free expression and diverse participation in culture.

We believe people have the right to control their technology, and oppose the use of technology to control people.

Time to  build a grassroots campaign for digital rights

Following last month’s general election win for the Conservatives, which has resulted in the reintroduction of the Snoopers’ Charter in the Queen’s Speech, I decided I had to become more active on promoting digital rights. It was at this time that I became a paid up member of the Open Rights Group.

Now that I am a member of the Open Rights Group, I want to help more people become aware of the importance of digital rights and maintaining an open digital society that works for the many, not the few. To achieve this goal, I am in the process of setting up a local Birmingham Open Rights Group. The idea is to bring like-minded people together, both in person as well as online, and for us to work together to ensure digital rights become embedded into the everyday fabric of our society.

I’ve already started to reach out to friends and colleagues in Birmingham who I think might be interested in supporting the Open Rights Group. The next step will be organising an initial meet-up. This will help me to determine the current level of interest in digital rights in Birmingham (does anyone really care?) and for members of the group to decide on what the next steps should be. Look out for more information shortly about our first meet-up.

Would you like to help  set up an Open Rights Group in Birmingham?

Would you like to help set up an Open Rights Group in Birmingham? If so, please get in touch with me and we can get the ball rolling. I would be extremely grateful for any help you can provide – no matter how much or how little.