
It’s not too late to turn the tide on Investigatory Powers Bill

The government has set David Anderson QC an almost impossible task in his review of the sweeping bulk powers proposed in the Investigatory Powers Bill – but it is not too late to make a difference

In May 2016, then home secretary Theresa May commissioned a review of the “operational case” for the bulk surveillance powers in her flagship Investigatory Powers Bill.

It was an admission that the government, despite months of pre-legislative scrutiny and reams of written evidence, had failed to justify why bulk surveillance powers are necessary.

On 7 August, May, now prime minister, received David Anderson QC’s report, which assesses whether the bulk powers demanded by the government are proportionate.

Anderson, the government’s independent reviewer of terror legislation, didn’t call for submissions to his inquiry. Human rights organisation Liberty submitted anyway.

Everyone’s communications data and web browsing history will be collected

If passed, the Investigatory Powers Bill, also referred to as the snoopers’ charter, will fundamentally shift the relationship between citizen and state, allowing mass interception and mass hacking, forcing internet and phone companies to store everyone’s communications data and web browsing history, and retention of bulk personal datasets, which are population-level databases.

Given how unprecedentedly intrusive these proposals are, the least we should demand from the government is an exhaustive analysis of the core question: Is spying on each and every law-abiding citizen truly the only way to fight terror and serious crime?

Human rights laws require that secret surveillance measures can only be justified where it can be shown that they are “strictly necessary for the obtaining of vital intelligence in an individual operation”.

As the review takes place, trust in our intelligence agencies is strained. The Chilcot report heavily criticised the agencies’ culture, leadership and over-reliance on flawed intelligence. Now more than ever, an unquestioning acceptance of agency and government assurances – with no detailed evidential basis – just will not wash.

Will the Anderson Review deliver?

To be credible and effective, the Anderson Review must forensically scrutinise the operation of every practice that falls under the term “bulk” – not just inspecting evidence of claimed successes, but failures too.

It must robustly question whether, but for the scope of these powers, critical information resulting in serious offences being prevented or detected would not have been obtained – and it must provide detailed evidence and methodology to support its conclusions.

Crucially, this must include a thorough assessment of whether the same information could have been gathered using an alternate, targeted system.

There is no compelling operational case for bulk surveillance powers

Liberty’s submission laid out a thorough analysis of whether there is a compelling operational case for each of the IP Bill’s bulk powers. The answer is no. For each bulk power, an exploration of the technical options available to our spies shows that a targeted approach would do the job just as well.

Liberty has also provided an analysis of every example put forward in the government’s “operational case” – a 47-page document published with the bill. Most of these scant anecdotal examples are too vague or hypothetical to qualify as evidence, but Liberty’s conclusion in each case is the same: every one manifestly fails to prove the strict necessity of bulk powers.

Why targeted surveillance is a better alternative

All aims are, or could be, met by targeted methods – collecting and storing data on known suspects and their social networks, visitors to websites hosting illegal content, and conflict zones. By defining zones of suspicion and gathering intelligence from within them, you create rich, relevant, manageable data that leads to the rapid discovery of targets and threats.

The Investigatory Powers Bill is in the last stages of parliamentary scrutiny, but it’s not too late to turn the tide and move toward targeted surveillance that would better keep us safe and respect our human rights.

Sadly, the government has granted little time for the review, and thereby reduced the pool of witnesses available to Anderson to those who already have security clearance. A panel tasked with this sort of inquiry must be seen as institutionally independent of the security and law enforcement agencies. That his three-person team includes former GCHQ and National Crime Agency directors casts doubt on this.

Anything less than a thorough, comprehensive and procedurally irreproachable review will do a disservice to this important public debate. But, by undermining due process from the start, the government has set the panel what looks like an impossible task.


Silkie Carlo is policy officer for technology at Liberty.




This was last published in August 2016


Join the conversation

2 comments


Yes. But what's a concerned and informed citizen to do?

I keep telling people about the ICR logs, David Anderson himself said they should not be used.

They log every site your PC visits, so for a web site like this, that's this site, every 3rd party image host, every 3rd party script host and every site those scripts access content on.

Most people know nothing about these sites, but they'll be in the ICR log

These are the sites the bad guys target when they want to plant malware, 3rd party advertising for example was responsible for the BBC website serving ransomware to its visitors in the middle of 2016
( https://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising )

So here's a scenario you may not have considered.

Let's say the bad guys compromise a 3rd party adserver & add a couple of lines of JavaScript to an existing script.

These lines download content from a child porn or terrorist website and put the download in a variable which is then discarded and not displayed.

You know nothing about this and after a few weeks the bad guys go back & remove their modification so there is no evidence of tampering.

Your ICR log, which you have no access to, now has a record of your PC or whatever you surfed the web with accessing content from a child porn or terrorism site, while you were sat in front of it.

The first you will know of this will be when the police kick your door in at 4am and take you & every piece of electronic equipment you possess away for investigation.

Not finding any evidence will just make them look harder.

They may eventually give up after not finding anything but can you guarantee you'll still have a family, home or job by then, plus you won't be innocent, they found some evidence they just can't find any more, so you'll be monitored for the rest of your life just in case.

Alternatively the bad guys could try and exfiltrate some personal data & track you down themselves, in which case you can expect a phone call outlining the previous scenario and asking for money so they don't make an anonymous tip to the police to go looking in your ICR log.

While we have ICR logs, using the internet is a game of Russian roulette

ICR logs are too easily tainted, they are not fit for purpose & should be removed
