[Now updated (28 March 2016) with comments on the Bill as published on 1 March 2016]
No-one expected much from the Intelligence and Security Committee’s Report on the draft Investigatory Powers Bill last Monday. The main event was supposed to be the Joint Committee’s Report on Thursday.
No-one expected much from the Intelligence and Security Committee’s Report on the draft Investigatory Powers Bill last Monday. The main event was supposed to be the Joint Committee’s Report on Thursday.
But after the ISC's unexpected fusillade –
"surprising", "inconsistent", "could not provide any
specific examples", "a curious approach", "must be
clarified", "not appropriate", "missed opportunity",
"simply unacceptable", "lack of transparency",
"misleading", "largely incomprehensible",
"unnecessarily confusing and complicated", "completely
unsatisfactory", "seemingly open-ended and unconstrained power",
"disappointed" – anything short of verbal meltdown on the part of the
Joint Committee was likely to seem a bit of a damp squib.
And so it proved. "Unclear,
unhelpful and recursive” was about as feisty as it got, reserved for the
notorious “Data includes any information which is not data” definition. A
sitting duck duly picked off, but not a calamity.
[Bill comments: Now replaced with: “data” includes data which is not electronic data and any information (whether or not electronic).]
[Bill comments: Now replaced with: “data” includes data which is not electronic data and any information (whether or not electronic).]
Nevertheless the overall moderation of the Joint
Committee's language – much of it, one suspects, carefully crafted to
accommodate a spectrum of opinions within the Committee – should not distract
from the substance of what the Committee had to say. At 200 pages and 86
recommendations the Report is a significant piece of work, all the more so
given the time pressure under which it was produced.
The three Parliamentary Committee reports (the Commons Science and Technology Committee Report completes the trilogy) together amount to a substantial
body of analysis and criticism of the draft Bill. The Home Office has to pick
itself up and dust itself off. Whether it will start all over again we shall
see in the coming weeks.
This selective commentary on the Joint Committee
Report concentrates mainly on data retention (including Internet Connection
Records) and bulk powers. (Numbered references are to the list of conclusions
and recommendations at page 7 of the Report.)
Internet Connection
Records and data retention
Not another word about itemised
phone bills
“We do not believe that ICRs are the
equivalent of an itemised phone bill. However well-intentioned, this comparison
is not a helpful one.” [18] Why is this a significant conclusion? For some
time the refrain has been that ICRs are just like an itemised phone bill –
something to which we are quite accustomed and don’t need to worry about. The
Home Secretary used it in her speech introducing the draft Bill in Parliament.
The effect of the analogy is to
downplay both the reach of ICRs and their privacy implications. The reality is
quite different from an itemised phone bill.
ICRs are more like a combination of universal online CCTV and a
mandatory list of our reading habits. They
could (if they can be made to work as intended) help answer not just the
question Who has she been speaking to?
(the itemised phone bill question) but Where
has she been? and What has she been
doing? The intrusiveness involved in compelling the generation and
retention of ICRs is on that score alone significantly greater than a real
itemised phone bill.
Furthermore, ICRs could answer the question What has she been reading? This bears no
relation at all to an itemised phone bill - unless your bill happens to list the titles of all the books, newspapers and magazines that you have read in the last year. It is not even a communication in any sense that would be understood for a telephone call. We never used to read books over the telephone.
Now we read remotely. By a mere accident of technology reading has become a
'communication', treated in the same way as if we were speaking to or e-mailing
another human being.
Officially compelled logs of reading habits are firmly in freedom
of expression territory, regardless of what queries the legislation might allow
to be made on the databases. Reluctance
to read a controversial website for fear that doing so might trigger an
official red flag is of itself sufficient to chill freedom of expression. As a
matter of human rights law, if that contravened the ‘essence of the right’ that
would be a violation, regardless of necessity or proportionality.
Thanks to the Joint Committee's firmly stated conclusion the debate over
ICRs can now take place in its proper context: that, as a rolling map of our
online lives, ICRs would be vastly more intrusive than an itemised phone bill
and in some significant respects impinge on freedom of expression.
[Bill comments: The Second Reading debate steered clear of itemised phone bills, albeit new metaphors were in evidence: 'initial point of contact' (Theresa May) and 'front door' of a site: 'They are closer to an itinerary, revealing places that people have visited.' (Andy Burnham).
The same cannot be said of the National Crime Agency when giving evidence to the Bill Committee on 24 March 2016:
[Bill comments: The Second Reading debate steered clear of itemised phone bills, albeit new metaphors were in evidence: 'initial point of contact' (Theresa May) and 'front door' of a site: 'They are closer to an itinerary, revealing places that people have visited.' (Andy Burnham).
The same cannot be said of the National Crime Agency when giving evidence to the Bill Committee on 24 March 2016:
]
Once more from the top and clearly this time
Lack of clarity around ICRs is a recurrent theme.
“We recommend that the definition of Internet Connection Records be made consistent throughout the Bill” [17]. “…the Government should give consideration to defining terms such as ‘internet service’ and ‘internet communications service’” [17].
“We welcome the additional information the Home Office has provided on ICRs, though we are not in a position to assess the extent to which it meets the concern of witnesses as to a lack of clarity”[16].
“We recommend that the definition of Internet Connection Records be made consistent throughout the Bill” [17]. “…the Government should give consideration to defining terms such as ‘internet service’ and ‘internet communications service’” [17].
“We welcome the additional information the Home Office has provided on ICRs, though we are not in a position to assess the extent to which it meets the concern of witnesses as to a lack of clarity”[16].
The call for clarity is more than lawyers’ pedantry. Clarity is a requirement of the rule of law. Intrusive powers should be sufficiently clear to enable someone to foresee with reasonable certainty the circumstances in which they might be used.
Like ‘Internet Connection Records’ itself,
none of the undefined terms is common currency or has a generally accepted
meaning. Yet they underpin the proposed regime for generation, retention and
access to ICRs. The Home Office explanatory documents that touch
on the term ‘internet communications service’ are inconsistent.
As the Home Office has provided more information, its concrete
illustrations have raised new questions (see my further evidence to the Joint Committee). In any event whilst providing examples is certainly helpful in shedding light on the
government's intentions that does not render unclear definitions clear.
[Bill comments: We do now have one consistent definition of internet connection records.
As to the Home Office's concrete illustrations, in its evidence to the Joint Committee it suggested that a sub-domain - such as news.bbc.co.uk - would count as content and therefore could not be an ICR. Previous understanding was that everything to the left of the first slash was communications data (of which ICRs are a subset). Now the draft Code of Practice appears to have reverted to the original understanding:
[Bill comments: We do now have one consistent definition of internet connection records.
As to the Home Office's concrete illustrations, in its evidence to the Joint Committee it suggested that a sub-domain - such as news.bbc.co.uk - would count as content and therefore could not be an ICR. Previous understanding was that everything to the left of the first slash was communications data (of which ICRs are a subset). Now the draft Code of Practice appears to have reverted to the original understanding:
The Home Office could now usefully publish updated lists of what it considers to be content and metadata including, crucially, its reasoning underlying each categorisation. Without that it is difficult to see how either MPs or the general public can be expected to comprehend what is being debated.
The critical terms 'internet service' and 'internet communications service' remain resolutely undefined in the Bill. Some loose quasi-definitions have been footnoted in the Communications Data Draft Code of Practice:
Question: If, as seems to be suggested by draft CoP footnote 46 and para 7.3 2nd bullet, 'internet communications services' are intended to be restricted to human to human messaging, why should this not be made explicit on the face of the Bill?]
Come back when you have fully addressed intrusiveness, definitions and feasibility
“..The government must address the
significant concerns outlined by our witnesses if [ICRs’] inclusion within the
Bill is to command the necessary support”
[14]
“We have concerns about the definitions and feasibility of of the existing proposal, which the Home Office must address.” [12]
“We have concerns about the definitions and feasibility of of the existing proposal, which the Home Office must address.” [12]
Although
preceded by some support for the idea of ICRs (“on balance, there is a case for [ICRs]
as an important tool for law enforcement” [12], “could prove a desirable tool”
[14]), the Committee's emphasis is on the need to address the concerns.
They are significant. One batch of concerns is around intrusiveness. But how
the government can address the intrusiveness inherent in ICRs other than by scrapping
them (a course recently advocated by the Financial
Times) is a ticklish problem.
The intrusiveness issue is intensified by the Joint
Committee’s recommendation that law enforcement access to ICRs should be
extended beyond the three specific purposes set out in Clause 47(4) of the
draft Bill and discussed in the Home Office Operational Case. The Committee
recommends that access should be possible in order to obtain “information
about websites that have been accessed that are not related to communications
services nor contain illegal material, provided that this is necessary and
proportionate for a specific investigation” [22]. At first blush this would seem to put access to ICRs for an investigation on a broadly comparable footing to other communications data requests.
[Bill comments: the purposes for which ICRs can be accessed have indeed been extended:
[Bill comments: the purposes for which ICRs can be accessed have indeed been extended:
The degree of potential intrusion to be weighed in the balance has correspondingly increased. The undefined term 'internet service' has again been used. The draft Communications Code of Practice suggests that it includes websites, applications and internet communications services (see above).]
The second set of witnesses’ concerns is about technical feasibility. “We urge the Government to explain in its response to this report how the issues which have been raised about the technical feasibility of ICRs will be addressed in practice” [21] Technical feasibility is bound up with the lack of clarity over the ambit of ICRs. At the most fundamental level, how can a convincing case be made for the feasibility and effectiveness of records whose composition is not fully understood? The Committee cannot have been satisfied that the Operational Case published with the draft Bill covered all the feasibility issues raised.
[Bill comments: The government has published a revised Operational Case including additional material seeking to address criticisms made during pre-legislative scrutiny and seeking to justify the extended access purposes included in the Bill in response to the Joint Committee Report.]
That brings in the Danish experience with session logging. “The Government should publish a full assessment of the differences between the ICR proposal and the Danish system alongside the Bill” [20] The ultimately abandoned Danish system was not mentioned in the original Operational Case, but emerged in the course of evidence. The Home Secretary commented on it in her oral evidence on 13 January 2016. The differences that she identified were whereabouts on the network the information would be collected, the existing IP address resolution provisions of the CTSA, the availability of cost recovery and a more targeted approach involving recording individual internet connections or sessions rather than sampling every 500th packet s in the Danish system. A full assessment would no doubt have to develop this explanation.
[Bill comments: The government has published a comparison with the Danish session logging experience. Since then it has been reported that the Danish proposal to reintroduce session logging has been shelved on cost grounds.]
Is this 3rd
party data which I see before me?
A related area of confusion is over the extent to which
the draft Bill could, contrary to the government’s stated policy, require ISPs
to capture and retain 3rd party data travelling across their
systems. “We agree with the Government’s intention not to require CSPs to retain
third party data. The Bill should be amended to make that clear, either by
defining or removing the term ‘relevant communications data.” [32]. Only in the Home Office written evidence was it acknowledged that some ICR destination data could amount to 3rd party data. The evidence also says that
only ICRs that are already generated and processed by a CSP should be subject
to retention. Giving effect to that intention would certainly require Clause
71, which contains the power to require data retention, to be amended.
[Bill comments: The draft Communications Data Code of Practice is adamant that the data retention power cannot be used to require retention of third party data:
However clause 78 (as it now is) has not been amended to give effect to this.
Question: Where is this important restriction on use of data retention powers stated on the face of the Bill? If it is not stated, why not?]
[Bill comments: The draft Communications Data Code of Practice is adamant that the data retention power cannot be used to require retention of third party data:
Question: Where is this important restriction on use of data retention powers stated on the face of the Bill? If it is not stated, why not?]
Any further evaluation of the feasibility of ICRs would
presumably have to consider the effect on the Operational Case of this restriction
on availability of non-IP address destination data.
[Bill Comments: The effect of variable data availability on assumptions as to effectiveness is not specifically addressed in the revised ICR Operational Case.]
[Bill Comments: The effect of variable data availability on assumptions as to effectiveness is not specifically addressed in the revised ICR Operational Case.]
DRIPA or DRIPA Plus?
Clause 71 of the draft Bill covers the existing data
retention requirements of DRIPA and adds ICRs. But it doesn’t stop there. It
empowers the Home Secretary to issue notices requiring generation, obtaining
and retention of a range of communications data broad enough to cover virtually
any communications data capable of being generated on any network up to and
including the future internet of things. It also appears to be wide enough to
compel operators to obtain information such as identity details from their
customers.
The Joint Committee says: “Whether ICRs are included or
not, we believe that in the light of the ongoing need for communications data
and the imminent expiry of DRIPA, a continued policy of some form of data
retention is appropriate and that these provisions should accordingly form part
of the Bill.” [24] What does
the Committee mean by “these provisions”? Does it mean just the existing DRIPA
provisions, with or without the addition of ICRs? Or is it referring to the
rest of Clause 71 as well? The uncertainty is increased by the
Committee’s comment in para 158 that the data retention provision in the
Bill is "not new". The
extension of data retention to include ICRs is clearly new (indeed it is the
only power that the government has acknowledged to be new), even without the greatly
extended ambit of the rest of Clause 71.
If the Committee means simply that the
imminent expiry of DRIPA should be addressed, then Clause 71 could be rewritten in the same terms
as DRIPA leaving for debate only the question of whether or not to add ICRs.
[Bill Comment: Clause 78 (as it now is) remains as broad as in the draft Bill.
Question: Given that the only case that has been put forward for extension of data retention beyond DRIPA/CTSA relates to ICRs, why does Clause 78 go further than that?]
[Bill Comment: Clause 78 (as it now is) remains as broad as in the draft Bill.
Question: Given that the only case that has been put forward for extension of data retention beyond DRIPA/CTSA relates to ICRs, why does Clause 78 go further than that?]
Overall the Home Office has a formidable, perhaps an
impossible, task to meet the demands of the Joint Committee in respect of ICRs,
certainly in the short time that the government has given itself before
introducing the Bill itself in March.
You there with your private network, don’t think we’ve forgotten you
The current data retention powers in DRIPA can be applied
only to a public service provider. The
draft Bill would extend that to any telecommunications operator, public or
private. That could include not only internet cafes and the like (which may in
any case already be within DRIPA) but private offices, schools, universities
and even home networks.
The Joint
Committee concludes that: “the definition of telecommunications
service providers cannot explicitly rule out smaller providers without significantly
compromising the data retention proposals as a whole. We acknowledge that the
potential burden of data retention notices, particularly for smaller providers,
could be acute. This makes the clarification of cost models, as we have
recommended above, essential.” However it does not explicitly address whether
a case for extension to private networks (as opposed to smaller public
networks) has been made out.
[Bill comments: Not only does the Bill replicate the draft Bill's application to private networks, it goes further. It adds equipment interference warrants to the list of powers that can be exercised against private networks.
Filter that communications data request
[Bill comments: Not only does the Bill replicate the draft Bill's application to private networks, it goes further. It adds equipment interference warrants to the list of powers that can be exercised against private networks.
Most of the Bill’s powers apply not just to public
communications operators (internet providers, ISPs, public WiFi spots and the
like) but to all telecommunications operators.
That includes anyone who provides a telecommunications service (not just
commercial services) or controls a telecommunication network. A home router or
domestic WiFi setup, a network within an office, school or university, or a
private network of any sort would all be caught.
This is a significant change from existing legislation, in
which very few of the powers apply to non-public services or networks (see
table below). All the
examples of proposed use of powers given in the draft Codes of Practice are of
networks that provide access to the public or are quasi-public (such as
hotels). The Home Office has made no attempt to justify the extension to all
private networks. Nor has there been any
explanation of the decision to extend equipment interference powers to private
networks following the pre-legislative scrutiny of the draft Bill.
Question: If there is no intention to use the powers against private
networks, why are the powers that broad? If it is intended, where is the justification?
Green highlighting indicates explicit application to non-public services or networks |
Filter that communications data request
The Joint Committee’s comments on the so-called Request
Filter for communications data access: “We welcome the Government’s proposal to
build and operate a Request Filter to reduce the amount of potentially
intrusive data that is made available to applicants. …” [39]
If
this facility only rendered more focused and less intrusive the making of complex searches already conducted
manually, then the description of ‘filter’ could be appropriate. However if it
rendered possible searches that currently are not feasible to carry out
manually due to the volume of data involved, then the facility would look more like a powerful new query tool. The Committee says: “We
acknowledge the privacy risks inherent in any system which facilitates access to
large amounts of data in this manner…” It believes that the safeguards
would be sufficient to prevent the filter being used for fishing expeditions.
Bulk Powers
“We recommend that the Government should
publish a fuller justification for each of the bulk powers alongside the Bill.”
[56] The Committee appears not to be satisfied that the full case for the
bulk powers has been made out, although it is in general content that the proposed safeguards, authorisation regime and oversight "will be sufficient to ensure that the bulk powers are used proportionately." [62]. We can see the emergence of a common theme where bulk powers are concerned:
deference to bodies with access to classified material: “We further recommend that the
examples of the value of the bulk powers provided should be assessed by an
independent body, such as the Intelligence and Security Committee or the
Interception of Communications Commissioner.” [56] and “National security considerations mean that
we are not well-placed to make a thorough assessment of the value of the bulk
powers. The scrutiny and conclusions of the Intelligence and Security Committee
on the Bill will be of significant assistance for Parliamentarians considering
these powers.” The ISC, with the
benefit of security clearance, took evidence from the three security services
(GCHQ, MI5 and SIS) as well as the Home Secretary.
Bulk communications
data
The Committee repeats these sentiments specifically for
bulk acquisition of communications data: “We agree that bulk communications data has
the potential to be very intrusive. As with the other bulk powers, we believe
that the fuller justification which we have recommended the Government produces
and the conclusions of the Intelligence and Security Committee on the Bill will
assist Parliament’s consideration of the necessity and appropriateness of bulk
acquisition.” [65]
This appears to be a reference to the new bulk warrant for acquisition of communications data.
Although the Committee mentions the topic of related
communication data (RCD) obtained as a by-product of bulk interception, it
makes no specific recommendation. That
contrasts with the ISC, which devotes a section to RCD. The ISC points out the
lack of restrictions on examination of RCD for people in the British Islands
compared with bulk intercepted content, also as compared with non-bulk communications
data acquisition notices.
It comments: “the Agencies may choose to apply the same
processes in both circumstances as a matter of policy and good practice, but
this is not required by the draft Bill. To leave the safeguards up to the
Agencies as a matter of good practice is simply unacceptable: this new
legislation is an opportunity to provide clarity and assurance and it fails to
do so in this regard.” It goes on to conclude, on the draft Bill’s
approach to communications data generally: “The approach towards the examination of
Communications Data in the draft Bill is inconsistent and largely
incomprehensible. The Committee recommends that the same process for
authorising the examination of any Communications Data (including Related
Communications Data) is applied, irrespective of how the Agencies have acquired
the data in the first instance. This must be clearly set out on the face of the
Bill: it is not sufficient to rely on internal policies or Codes of Practice.”
The use of RCD (and, similarly, equipment data under bulk
equipment interference warrants) is potentially one of the more significant
issues raised by the ISC. It was the ISC
that in March 2015 commented on GCHQ’s use of RCD:
The ISC also commented on communications data generally:
Questions arise as to what can be done with RCD, what has been done
with it and what the government intends that the agencies should able to do with it. A particular issue is the extent to
which it may or may not be intended to be possible to build RCD databases including domestic
data on the back of overseas-related powers (see paragraphs 115 to 137 of my
evidence to the Joint Committee, including reference to the usefulness of the alleged
KARMA POLICE events database as a hypothetical touchstone by which to test these provisions
of the draft Bill).
The Joint Committee comments: “We recognise that, given the
global nature of the internet, the limitation of the bulk powers to
“overseas-related” communications may make little difference in practice to the
data that could be gathered under these powers. We recommend that the
Government should explain the value of including this language in the Bill.”
[57] If this were to lead to abandonment of the “overseas-related”
restriction that would be a radical departure from wording that, in its current
‘external communications’ form, has limited the purpose for which bulk
interception can be performed since S.4 of the Official Secrets Act 1920.
RCD is an area in which some of the most
impenetrable provisions of RIPA have been carried over into the draft
Bill. The potentially far-reaching nature of the power to intercept and use RCD
becomes apparent only by daisy-chaining a series of collateral powers –
effectively by navigating through the back alleys of the statute.
The potential reach of RCD powers is further expanded
by the new power in the draft IP Bill to extract communications data from the
content of communications and treat it as RCD.
[Bill comments: Related Communications Data is now replaced by new terminology, Secondary Data, reflecting the fact that RCD is wider than Communications Data. There are also other changes to the metadata definitions - see 'All about the metadata'.
Questions: Would a hypothetical KARMA POLICE database be possible under the Bill? Given the new power to extract secondary data from content, would a hypothetical 'KARMA POLICE PLUS' be possible? Is either of these intended? If not, should the Bill be amended to prevent that? If yes, is it appropriate for such a universal database of internet browsing profiles (domestic and foreign) to be capable of being built as a by-product of powers whose overall purpose is the interception of overseas-related communications? Should the purposes for which such a database could be accessed be more limited, at least for persons located in the British Islands?]
[Bill comments: Related Communications Data is now replaced by new terminology, Secondary Data, reflecting the fact that RCD is wider than Communications Data. There are also other changes to the metadata definitions - see 'All about the metadata'.
Questions: Would a hypothetical KARMA POLICE database be possible under the Bill? Given the new power to extract secondary data from content, would a hypothetical 'KARMA POLICE PLUS' be possible? Is either of these intended? If not, should the Bill be amended to prevent that? If yes, is it appropriate for such a universal database of internet browsing profiles (domestic and foreign) to be capable of being built as a by-product of powers whose overall purpose is the interception of overseas-related communications? Should the purposes for which such a database could be accessed be more limited, at least for persons located in the British Islands?]
More light may be shed on these issues in the future. In the meantime, here is my diagram illustrating
the draft Bill’s provisions on communications data. [Replaced with revised diagram reflecting the Bill's terminology and including Bulk Personal Datasets.]