Tuesday, 16 February 2016

The draft Investigatory Powers Bill - start all over again?

[Now updated (28 March 2016) with comments on the Bill as published on 1 March 2016]

No-one expected much from the Intelligence and Security Committee’s Report on the draft Investigatory Powers Bill last Monday. The main event was supposed to be the Joint Committee’s Report on Thursday.

But after the ISC's unexpected fusillade – "surprising", "inconsistent", "could not provide any specific examples", "a curious approach", "must be clarified", "not appropriate", "missed opportunity", "simply unacceptable", "lack of transparency", "misleading", "largely incomprehensible", "unnecessarily confusing and complicated", "completely unsatisfactory", "seemingly open-ended and unconstrained power", "disappointed" – anything short of verbal meltdown on the part of the Joint Committee was likely to seem a bit of a damp squib.

And so it proved.  "Unclear, unhelpful and recursive” was about as feisty as it got, reserved for the notorious “Data includes any information which is not data” definition. A sitting duck duly picked off, but not a calamity.

[Bill comments: Now replaced with: “data” includes data which is not electronic data and any information (whether or not electronic).]

Nevertheless the overall moderation of the Joint Committee's language – much of it, one suspects, carefully crafted to accommodate a spectrum of opinions within the Committee – should not distract from the substance of what the Committee had to say. At 200 pages and 86 recommendations the Report is a significant piece of work, all the more so given the time pressure under which it was produced.

The three Parliamentary Committee reports (the Commons Science and Technology Committee Report completes the trilogy) together amount to a substantial body of analysis and criticism of the draft Bill. The Home Office has to pick itself up and dust itself off. Whether it will start all over again we shall see in the coming weeks.

This selective commentary on the Joint Committee Report concentrates mainly on data retention (including Internet Connection Records) and bulk powers. (Numbered references are to the list of conclusions and recommendations at page 7 of the Report.)

Internet Connection Records and data retention

Not another word about itemised phone bills

“We do not believe that ICRs are the equivalent of an itemised phone bill. However well-intentioned, this comparison is not a helpful one.” [18] Why is this a significant conclusion? For some time the refrain has been that ICRs are just like an itemised phone bill – something to which we are quite accustomed and don’t need to worry about. The Home Secretary used it in her speech introducing the draft Bill in Parliament.

The effect of the analogy is to downplay both the reach of ICRs and their privacy implications. The reality is quite different from an itemised phone bill.  ICRs are more like a combination of universal online CCTV and a mandatory list of our reading habits.  They could (if they can be made to work as intended) help answer not just the question Who has she been speaking to? (the itemised phone bill question) but Where has she been? and What has she been doing? The intrusiveness involved in compelling the generation and retention of ICRs is on that score alone significantly greater than a real itemised phone bill.

Furthermore, ICRs could answer the question What has she been reading? This bears no relation at all to an itemised phone bill - unless your bill happens to list the titles of all the books, newspapers and magazines that you have read in the last year. It is not even a communication in any sense that would be understood for a telephone call. We never used to read books over the telephone. Now we read remotely. By a mere accident of technology reading has become a 'communication', treated in the same way as if we were speaking to or e-mailing another human being.

Officially compelled logs of reading habits are firmly in freedom of expression territory, regardless of what queries the legislation might allow to be made on the databases. Reluctance to read a controversial website for fear that doing so might trigger an official red flag is of itself sufficient to chill freedom of expression. As a matter of human rights law, if that contravened the ‘essence of the right’ that would be a violation, regardless of necessity or proportionality.

Thanks to the Joint Committee's firmly stated conclusion the debate over ICRs can now take place in its proper context: that, as a rolling map of our online lives, ICRs would be vastly more intrusive than an itemised phone bill and in some significant respects impinge on freedom of expression.

[Bill comments: The Second Reading debate steered clear of itemised phone bills, albeit new metaphors were in evidence: 'initial point of contact' (Theresa May) and 'front door' of a site: 'They are closer to an itinerary, revealing places that people have visited.' (Andy Burnham).  

The same cannot be said of the National Crime Agency when giving evidence to the Bill Committee on 24 March 2016:

]

Once more from the top and clearly this time

Lack of clarity around ICRs is a recurrent theme. 

“We recommend that the definition of Internet Connection Records be made consistent throughout the Bill” [17]. “…the Government should give consideration to defining terms such as ‘internet service’ and ‘internet communications service’” [17].

“We welcome the additional information the Home Office has provided on ICRs, though we are not in a position to assess the extent to which it meets the concern of witnesses as to a lack of clarity”[16].  

The call for clarity is more than lawyers’ pedantry.  Clarity is a requirement of the rule of law.  Intrusive powers should be sufficiently clear to enable someone to foresee with reasonable certainty the circumstances in which they might be used. 

Like ‘Internet Connection Records’ itself, none of the undefined terms is common currency or has a generally accepted meaning. Yet they underpin the proposed regime for generation, retention and access to ICRs. The Home Office explanatory documents that touch on the term ‘internet communications service’ are inconsistent.

As the Home Office has provided more information, its concrete illustrations have raised new questions (see my further evidence to the Joint Committee). In any event whilst providing examples is certainly helpful in shedding light on the government's intentions that does not render unclear definitions clear.

[Bill comments: We do now have one consistent definition of internet connection records. 

As to the Home Office's concrete illustrations, in its evidence to the Joint Committee it suggested that a sub-domain - such as news.bbc.co.uk - would count as content and therefore could not be an ICR. Previous understanding was that everything to the left of the first slash was communications data (of which ICRs are a subset). Now the draft Code of Practice appears to have reverted to the original understanding:

The Home Office could now usefully publish updated lists of what it considers to be content and metadata including, crucially, its reasoning underlying each categorisation. Without that it is difficult to see how either MPs or the general public can be expected to comprehend what is being debated.

The critical terms 'internet service' and 'internet communications service' remain resolutely undefined in the Bill. Some loose quasi-definitions have been footnoted in the Communications Data Draft Code of Practice:
  
Question: If, as seems to be suggested by draft CoP footnote 46 and para 7.3 2nd bullet, 'internet communications services' are intended to be restricted to human to human messaging, why should this not be made explicit on the face of the Bill?]
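To make the two readings mentioned above concrete, here is a small Python illustration added to this post (it is not from the Bill, the draft Code of Practice or the Home Office). It splits a URL into the portion an ICR would record under the earlier "everything to the left of the first slash" understanding and under a reading in which a sub-domain such as news.bbc.co.uk would count as content, so that only the registrable domain is recorded; everything after the first slash is treated as content in both cases. The registrable-domain step uses a deliberately tiny, constructed stand-in for the Public Suffix List (the real list is far longer), and the sample URLs are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List. It exists
# only to show how a "registrable domain" reading of an ICR would differ from
# a "left of the first slash" reading; it is not the real list.
SAMPLE_PUBLIC_SUFFIXES = {"uk", "co.uk", "gov.uk", "com", "org"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of host under SAMPLE_PUBLIC_SUFFIXES:
    the longest matching public suffix plus one label in front of it
    (e.g. news.bbc.co.uk -> bbc.co.uk). Hosts that match no suffix, such as
    IP addresses or bare names, are returned unchanged."""
    labels = host.lower().split(".")
    # labels[i:] shrinks from the whole host down to the last label, so the
    # first hit is the longest matching public suffix.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SAMPLE_PUBLIC_SUFFIXES:
            if i == 0:
                return candidate  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return host.lower()


def icr_views(url: str) -> dict:
    """Split a URL the two ways discussed in the text.

    left_of_first_slash: everything between the scheme and the first slash
        (the earlier understanding of what is communications data).
    registrable_domain:  only the registrable domain (the reading under which
        a sub-domain would be content).
    content_side:        the path, query and fragment, treated as content
        under both readings.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""  # lower-cased; IPv6 brackets removed
    # A URL may carry userinfo (user:password@). It is never needed to
    # identify a destination, so it is dropped rather than carried into
    # any record.
    netloc_no_userinfo = parts.netloc.rsplit("@", 1)[-1]
    content_side = parts.path
    if parts.query:
        content_side += "?" + parts.query
    if parts.fragment:
        content_side += "#" + parts.fragment
    return {
        "scheme": parts.scheme,
        "left_of_first_slash": netloc_no_userinfo,
        "host": host,
        "port": parts.port,
        "registrable_domain": registrable_domain(host) if host else "",
        "content_side": content_side,
    }


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real log.
    for sample in (
        "https://news.bbc.co.uk/sport/football/12345",
        "http://user:secret@example.com:8080/inbox?folder=drafts#top",
        "https://example.org",
    ):
        view = icr_views(sample)
        print(sample)
        print("  left of first slash :", view["left_of_first_slash"])
        print("  registrable domain  :", view["registrable_domain"])
        print("  content side        :", view["content_side"] or "(none)")
```

Run as a script it prints the three views for each sample, showing that the same visit yields a different "record" depending on which reading is adopted, which is the ambiguity the question above is driving at. Note also that for HTTPS traffic the path and query are encrypted in transit, so a network operator sees only the host name in any event.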

Come back when you have fully addressed intrusiveness, definitions and feasibility

“The government must address the significant concerns outlined by our witnesses if [ICRs’] inclusion within the Bill is to command the necessary support.” [14]

“We have concerns about the definitions and feasibility of the existing proposal, which the Home Office must address.” [12]

Although preceded by some support for the idea of ICRs (“on balance, there is a case for [ICRs] as an important tool for law enforcement” [12], “could prove a desirable tool” [14]), the Committee's emphasis is on the need to address the concerns. They are significant. One batch of concerns is around intrusiveness. But how the government can address the intrusiveness inherent in ICRs other than by scrapping them (a course recently advocated by the Financial Times) is a ticklish problem. 

The intrusiveness issue is intensified by the Joint Committee’s recommendation that law enforcement access to ICRs should be extended beyond the three specific purposes set out in Clause 47(4) of the draft Bill and discussed in the Home Office Operational Case. The Committee recommends that access should be possible in order to obtain “information about websites that have been accessed that are not related to communications services nor contain illegal material, provided that this is necessary and proportionate for a specific investigation” [22]. At first blush this would seem to put access to ICRs for an investigation on a broadly comparable footing to other communications data requests.  

[Bill comments: the purposes for which ICRs can be accessed have indeed been extended:

The degree of potential intrusion to be weighed in the balance has correspondingly increased. The undefined term 'internet service' has again been used. The draft Communications Code of Practice suggests that it includes websites, applications and internet communications services (see above).]

The second set of witnesses’ concerns is about technical feasibility. “We urge the Government to explain in its response to this report how the issues which have been raised about the technical feasibility of ICRs will be addressed in practice” [21] Technical feasibility is bound up with the lack of clarity over the ambit of ICRs.  At the most fundamental level, how can a convincing case be made for the feasibility and effectiveness of records whose composition is not fully understood? The Committee cannot have been satisfied that the Operational Case published with the draft Bill covered all the feasibility issues raised. 

[Bill comments: The government has published a revised Operational Case including additional material seeking to address criticisms made during pre-legislative scrutiny and seeking to justify the extended access purposes included in the Bill in response to the Joint Committee Report.]

That brings in the Danish experience with session logging. “The Government should publish a full assessment of the differences between the ICR proposal and the Danish system alongside the Bill” [20] The ultimately abandoned Danish system was not mentioned in the original Operational Case, but emerged in the course of evidence. The Home Secretary commented on it in her oral evidence on 13 January 2016. The differences that she identified were whereabouts on the network the information would be collected, the existing IP address resolution provisions of the CTSA, the availability of cost recovery and a more targeted approach involving recording individual internet connections or sessions rather than sampling every 500th packet as in the Danish system. A full assessment would no doubt have to develop this explanation.

[Bill comments: The government has published a comparison with the Danish session logging experience. Since then it has been reported that the Danish proposal to reintroduce session logging has been shelved on cost grounds.]

Is this 3rd party data which I see before me?

A related area of confusion is over the extent to which the draft Bill could, contrary to the government’s stated policy, require ISPs to capture and retain 3rd party data travelling across their systems. “We agree with the Government’s intention not to require CSPs to retain third party data. The Bill should be amended to make that clear, either by defining or removing the term ‘relevant communications data’.” [32]. Only in the Home Office written evidence was it acknowledged that some ICR destination data could amount to 3rd party data. The evidence also says that only ICRs that are already generated and processed by a CSP should be subject to retention. Giving effect to that intention would certainly require Clause 71, which contains the power to require data retention, to be amended.

[Bill comments: The draft Communications Data Code of Practice is adamant that the data retention power cannot be used to require retention of third party data:

However clause 78 (as it now is) has not been amended to give effect to this.

Question: Where is this important restriction on use of data retention powers stated on the face of the Bill? If it is not stated, why not?]

Any further evaluation of the feasibility of ICRs would presumably have to consider the effect on the Operational Case of this restriction on availability of non-IP address destination data.

[Bill Comments: The effect of variable data availability on assumptions as to effectiveness is not specifically addressed in the revised ICR Operational Case.]

DRIPA or DRIPA Plus?

Clause 71 of the draft Bill covers the existing data retention requirements of DRIPA and adds ICRs. But it doesn’t stop there. It empowers the Home Secretary to issue notices requiring generation, obtaining and retention of a range of communications data broad enough to cover virtually any communications data capable of being generated on any network up to and including the future internet of things. It also appears to be wide enough to compel operators to obtain information such as identity details from their customers.

The Joint Committee says: “Whether ICRs are included or not, we believe that in the light of the ongoing need for communications data and the imminent expiry of DRIPA, a continued policy of some form of data retention is appropriate and that these provisions should accordingly form part of the Bill.” [24] What does the Committee mean by “these provisions”? Does it mean just the existing DRIPA provisions, with or without the addition of ICRs? Or is it referring to the rest of Clause 71 as well? The uncertainty is increased by the Committee’s comment in para 158 that the data retention provision in the Bill is "not new".  The extension of data retention to include ICRs is clearly new (indeed it is the only power that the government has acknowledged to be new), even without the greatly extended ambit of the rest of Clause 71.

If the Committee means simply that the imminent expiry of DRIPA should be addressed, then Clause 71 could be rewritten in the same terms as DRIPA leaving for debate only the question of whether or not to add ICRs.

[Bill Comment: Clause 78 (as it now is) remains as broad as in the draft Bill.

Question: Given that the only case that has been put forward for extension of data retention beyond DRIPA/CTSA relates to ICRs, why does Clause 78 go further than that?]

Overall the Home Office has a formidable, perhaps an impossible, task to meet the demands of the Joint Committee in respect of ICRs, certainly in the short time that the government has given itself before introducing the Bill itself in March.

You there with your private network, don’t think we’ve forgotten you

The current data retention powers in DRIPA can be applied only to a public service provider.  The draft Bill would extend that to any telecommunications operator, public or private. That could include not only internet cafes and the like (which may in any case already be within DRIPA) but private offices, schools, universities and even home networks.  

The Joint Committee concludes that: “the definition of telecommunications service providers cannot explicitly rule out smaller providers without significantly compromising the data retention proposals as a whole. We acknowledge that the potential burden of data retention notices, particularly for smaller providers, could be acute. This makes the clarification of cost models, as we have recommended above, essential.” However it does not explicitly address whether a case for extension to private networks (as opposed to smaller public networks) has been made out.

[Bill comments: Not only does the Bill replicate the draft Bill's application to private networks, it goes further. It adds equipment interference warrants to the list of powers that can be exercised against private networks.   

Most of the Bill’s powers apply not just to public communications operators (internet providers, ISPs, public WiFi spots and the like) but to all telecommunications operators.  That includes anyone who provides a telecommunications service (not just commercial services) or controls a telecommunication network. A home router or domestic WiFi setup, a network within an office, school or university, or a private network of any sort would all be caught.

This is a significant change from existing legislation, in which very few of the powers apply to non-public services or networks (see table below).  All the examples of proposed use of powers given in the draft Codes of Practice are of networks that provide access to the public or are quasi-public (such as hotels). The Home Office has made no attempt to justify the extension to all private networks.  Nor has there been any explanation of the decision to extend equipment interference powers to private networks following the pre-legislative scrutiny of the draft Bill.

Question: If there is no intention to use the powers against private networks, why are the powers that broad? If it is intended, where is the justification?

[Table comparing existing legislation with the Bill, showing which powers apply to non-public services or networks. Green highlighting indicates explicit application to non-public services or networks.]

Filter that communications data request

The Joint Committee’s comments on the so-called Request Filter for communications data access: “We welcome the Government’s proposal to build and operate a Request Filter to reduce the amount of potentially intrusive data that is made available to applicants. …” [39]

If this facility only rendered more focused and less intrusive the making of complex searches already conducted manually, then the description of ‘filter’ could be appropriate. However if it rendered possible searches that currently are not feasible to carry out manually due to the volume of data involved, then the facility would look more like a powerful new query tool. The Committee says: “We acknowledge the privacy risks inherent in any system which facilitates access to large amounts of data in this manner…” It believes that the safeguards would be sufficient to prevent the filter being used for fishing expeditions.

Bulk Powers

“We recommend that the Government should publish a fuller justification for each of the bulk powers alongside the Bill.” [56] The Committee appears not to be satisfied that the full case for the bulk powers has been made out, although it is in general content that the proposed safeguards, authorisation regime and oversight "will be sufficient to ensure that the bulk powers are used proportionately." [62].  We can see the emergence of a common theme where bulk powers are concerned: deference to bodies with access to classified material: “We further recommend that the examples of the value of the bulk powers provided should be assessed by an independent body, such as the Intelligence and Security Committee or the Interception of Communications Commissioner.” [56] and “National security considerations mean that we are not well-placed to make a thorough assessment of the value of the bulk powers. The scrutiny and conclusions of the Intelligence and Security Committee on the Bill will be of significant assistance for Parliamentarians considering these powers.”  The ISC, with the benefit of security clearance, took evidence from the three security services (GCHQ, MI5 and SIS) as well as the Home Secretary.

Bulk communications data

The Committee repeats these sentiments specifically for bulk acquisition of communications data: “We agree that bulk communications data has the potential to be very intrusive. As with the other bulk powers, we believe that the fuller justification which we have recommended the Government produces and the conclusions of the Intelligence and Security Committee on the Bill will assist Parliament’s consideration of the necessity and appropriateness of bulk acquisition.” [65]

This appears to be a reference to the new bulk warrant for acquisition of communications data.

Related communications data

Although the Committee mentions the topic of related communication data (RCD) obtained as a by-product of bulk interception, it makes no specific recommendation.  That contrasts with the ISC, which devotes a section to RCD. The ISC points out the lack of restrictions on examination of RCD for people in the British Islands compared with bulk intercepted content, also as compared with non-bulk communications data acquisition notices. 

It comments: “the Agencies may choose to apply the same processes in both circumstances as a matter of policy and good practice, but this is not required by the draft Bill. To leave the safeguards up to the Agencies as a matter of good practice is simply unacceptable: this new legislation is an opportunity to provide clarity and assurance and it fails to do so in this regard.” It goes on to conclude, on the draft Bill’s approach to communications data generally: “The approach towards the examination of Communications Data in the draft Bill is inconsistent and largely incomprehensible. The Committee recommends that the same process for authorising the examination of any Communications Data (including Related Communications Data) is applied, irrespective of how the Agencies have acquired the data in the first instance. This must be clearly set out on the face of the Bill: it is not sufficient to rely on internal policies or Codes of Practice.”

The use of RCD (and, similarly, equipment data under bulk equipment interference warrants) is potentially one of the more significant issues raised by the ISC.  It was the ISC that in March 2015 commented on GCHQ’s use of RCD:

The ISC also commented on communications data generally:

Questions arise as to what can be done with RCD, what has been done with it and what the government intends that the agencies should able to do with it. A particular issue is the extent to which it may or may not be intended to be possible to build RCD databases including domestic data on the back of overseas-related powers (see paragraphs 115 to 137 of my evidence to the Joint Committee, including reference to the usefulness of the alleged KARMA POLICE events database as a hypothetical touchstone by which to test these provisions of the draft Bill).

The Joint Committee comments: “We recognise that, given the global nature of the internet, the limitation of the bulk powers to “overseas-related” communications may make little difference in practice to the data that could be gathered under these powers. We recommend that the Government should explain the value of including this language in the Bill.” [57] If this were to lead to abandonment of the “overseas-related” restriction that would be a radical departure from wording that, in its current ‘external communications’ form, has limited the purpose for which bulk interception can be performed since S.4 of the Official Secrets Act 1920.

RCD is an area in which some of the most impenetrable provisions of RIPA have been carried over into the draft Bill.  The potentially far-reaching nature of the power to intercept and use RCD becomes apparent only by daisy-chaining a series of collateral powers – effectively by navigating through the back alleys of the statute.

The potential reach of RCD powers is further expanded by the new power in the draft IP Bill to extract communications data from the content of communications and treat it as RCD.

[Bill comments: Related Communications Data is now replaced by new terminology, Secondary Data, reflecting the fact that RCD is wider than Communications Data. There are also other changes to the metadata definitions - see 'All about the metadata'.

Questions:  Would a hypothetical KARMA POLICE database be possible under the Bill? Given the new power to extract secondary data from content, would a hypothetical 'KARMA POLICE PLUS' be possible? Is either of these intended?  If not, should the Bill be amended to prevent that? If yes, is it appropriate for such a universal database of internet browsing profiles (domestic and foreign) to be capable of being built as a by-product of powers whose overall purpose is the interception of overseas-related communications?  Should the purposes for which such a database could be accessed be more limited, at least for persons located in the British Islands?]

More light may be shed on these issues in the future. In the meantime, here is my diagram illustrating the draft Bill’s provisions on communications data. [Replaced with revised diagram reflecting the Bill's terminology and including Bulk Personal Datasets.]

Sunday, 7 February 2016

No Content: Metadata and the draft Investigatory Powers Bill

Puzzled and confused by the draft Investigatory Powers Bill? You are in good company, according to the House of Commons Science and Technology Committee which last week delivered a report on the technological issues raised by the draft Bill. Lack of clarity featured heavily in its concerns.

If that was the starter, this week we get the main course when the Joint Parliamentary Committee appointed to scrutinise the draft Bill delivers its report (Thursday 11 February, 9.30am). We await the results of its deliberations with anticipation.  It has received over 1,500 pages of written evidence as well as oral evidence from nearly 60 witnesses, no mean achievement in the abbreviated timetable allowed for its deliberations.

One of the many areas of controversy around the draft Bill is the proposal to extend the Home Secretary's existing power to require communications service providers to retain communications data. The power would go beyond retention into generating and obtaining data. This would include so-called Internet Connection Records (logs of visited websites) but is far broader than that, potentially reaching out into all aspects of our online lives and into the internet of things as it develops. The government suggests that ICRs are no more than the modern equivalent of an itemised phone bill, a comparison which really does not stand up to scrutiny.  

Communications data retention is itself part of a bigger picture regarding law enforcement and the intelligence agencies' acquisition and use of metadata. Metadata does not include the content of our communications, but the distinction seems to matter less and less when so much can be inferred about our lives from the breadcrumb trail that we leave behind us on the internet.

The Intelligence and Security Committee of Parliament reported in March last year that GCHQ found metadata more useful than content:

The Committee also noted that GCHQ obtained most of its communications data as a by-product of bulk interception:

As for law enforcement, David Anderson reported in 'A Question of Trust' that "it was clear from my conversations with the most senior officers that law enforcement does want a record to exist of an individual’s interaction with the internet to which it can obtain access."

With all this in mind it will be especially interesting to see what the Joint Committee makes of the powers for acquisition and use of metadata. It is, be warned, a complicated topic even without uncertainties about the dividing line between content and metadata. Metadata could be acquired through different routes under the draft Bill and, depending in part on how it is acquired, could be used by different bodies for different purposes.  

So to whet your appetites, and in the hope that it might come in handy in understanding the debate that is about to take place, here is a one page (inevitably oversimplified, I am afraid) visualisation of how metadata fits in to the draft Bill. 

The warrants illustrated are all bulk warrants. While metadata can be acquired under targeted and thematic warrants, to include them would have rendered an already overcrowded graphic impossibly complex. Similarly warrants for Bulk Personal Datasets are not shown. Nor is the residual national security notice under clause 188.

And if you want to know more about Related Communications Data, take a look at paragraphs 115 onwards in my evidence to the Joint Committee (PDF).