Does the Investigatory Powers Bill go far enough?

I received the press release for the call for evidence by the Joint Scrutiny Committee for the Investigatory Powers Bill on Friday, immediately after I had submitted my evidence to the House of  Commons Science and Technology Committee inquiry into the technical aspects of the Bill. I understand that the Commons Committee plans to publish the evidence that it has received next week. That gives a window of three weeks for better informed debate before the deadline for submissions to the main scrutiny committee, just before Christmas.

The Scrutiny Committee asks well targeted general and detailed questions but these need to be placed into context.

The bill is attempting to create a “future proof” regime at a time when the rate of change of architectures and technologies used for on-line communications is accelerating. Any attempt to “define” the services covered, data to be collected and technologies envisaged is therefore likely to be out-of-date before the legislation is implemented.

The legislative framework should therefore:

  • be based on objectives and principles rather than specified services or technologies.
  • apply to all types of communications service provider, large and small, including those yet to be invented.
  • cover the full cost to all service providers, (particularly smaller players such as community broadband operators or wifi providers), whose users include sufficient “persons of interest” for the security services or law enforcement to require data to be retained. [Most will never be worth covering, but it is essential both to avoid “tipping off” criminals on how to evade surveillance and to avoid crippling the potential for the UK communications market to be the world’s most competitive]            
  • cover the duties of those given Investigatory Powers to maintain trained and authenticated single points of contact and have security processes that are fit for the responsibility [The biggest cost will not be recording or even retaining the data, but keeping it secure in the world’s biggest set of “honeypots for hackers”. Many of those with investigatory powers delegate these to junior staff and/or have already been warned or fined by the Information Commissioner’s Office.]  

Viewed in that light, the Bill may have shortcomings but is a massive improvement on RIPA and DRIPA. I particularly welcome the provisions for judicial oversight. 

The scrutiny process is also a great improvement.

I fear, however, that the public debate has not yet matched those improvements. It appears stuck in a time warp – with far too many unrealistic expectations as to how legislation can be both specific and agnostic when it comes to technology issues.

The Bill is, and should be, about a technology neutral framework for investigatory powers as a whole. The debate appears to be about the ability (technical or legal) of Central Government to demand the retention of IPV4 Communications Data in a post-Snowden world, in case it is needed.  Debate is only partially linked only to the application of traditional standards of conduct and law enforcement, including traditional UK partnership policing, to the on-line world and the role, if any, of the security services and GCHQ in the process with regard to addressing the mass-market on-line abuse, fraud and impersonation that so concerns the public.

Over the past 18 months the world has changed in ways that give a whole new context to esoteric and introverted technical debates concerning definitions of the data to be retained data and the processes for authorising access. 

  • I am referring to the convergence and divergence of fixed, mobile, wifi (with li-fi in the wings) and machine to machine communication services over which “persons of interest” may route their traffic. The shortage of IPV4 addresses means that many devices avoid using IP for short range communications and when IPV6 becomes a mass market reality, the volume of those that do may again change the scale of IP communications volumes. 
  • I am referring to the explosive growth of short messages over existing networks generated by apps which include device and transaction tracking to support adware and other forms of spyware , whether or not devices are in active use by a human, Each “user controlled” transaction, message or site visit potentially triggers dozens of monitoring and tracking messages, plus further streams of messages, including as mobile devices change location.
  • I am referring to the known insecurity (as measured by data breaches notified to the Information Commissioner) of many of those entitled to use the powers in the Bill, let alone of those who might be expected to retain data in case it might be needed. The cost of securing such “honeypots for hackers” is likely to be very much greater than the £175 million currently estimated as the cost of implementation.  

My own submission to the Common Select Committee collated views from those with whom I have spent over a decade looking at the issues of “partnership policing” and “enhancing confidence in the on-line world”, as well as at privacy, surveillance and information security issues, This led to me to look at why the Bill is as it is, and what has been left out, rather than criticise what is included – most of which is rather good.  
I believe that those responding to the questions posed by the Scrutiny Committee need to address some wider points:

  • If the legislation is to be meaningful, any communications or internet service provider (large or small) has to potentially “host” interception and/or storage facilities. Whether or not they need to be aware this has been done is another matter.
  • The references to Internet Connection Records captured by network access providers “…e.g. the Internet Service Provider or Wi-Fi operator…”. indicates that  these might be demanded from schools, universities, libraries, banks, coffee shops, community centres and anyone else providing public internet access. If this is not the intention, then these provide a simple way for local communications to by-pass the system. If not, then  assuring users that their communications are not liable to surveillance is “tipping off” and should be as much an offence as telling them that they have been targeted.
  • The statement that small ISPs do not need to worry because they are most unlikely to be of “interest” does not give confidence because it is too easy to envisage circumstances in which community ISPs serving inner city estates or or leafy suburbs should be of interest, whether as centres of organised crime or terrorism or both.
  • Meanwhile technologies such as Tor and Freenet and the adoption of VPNs to proxies in other jurisdictions provide increasingly accessible ways for the hardest and most dangerous targets to bypass “traditional” systems monitoring Tier One (also a fluid definition) communications providers.
  • The necessity and proportionality of (inevitably ineffective) population-scale surveillance is not credible. Costs are likely to increase in proportion to current and expected growth in traffic volumes, adjusted for Moore’s Law. Given changing infrastructure architectures and the cost of securing large databases against increasingly sophisticated attack, they could, however, be an order of magnitude higher.
  • We can therefore expect granular (location and/or service) access to be required, with most communications service providers not required to retain data at any time but even modest operators required to do so when they are identified as serving targets or communities of interest.  If so, the legislation have again to be generic with a “guarantee” to cover the full costs, including those of keeping data secure, incurred by any service provider (large or small) required to retain data.
  • The need for legislation to be technology neutral and to avoid giving too much information to those wishing to avoid investigation also make it unreasonable to define the communications data elements that should be retained. It is more important to consult service providers on how to best to capture and retain information that would help meet generic objectives over the networks and architectures they already run or are planning.
  • There have long been concerns that government and law enforcement agencies (especially those outside the core intelligence services) do not secure data adequately. The number of local authorities suffering data breaches (according to the Information Commissioners’ Office) illustrates that is a serious problem among many of those with investigatory powers. The clauses concerned with unlawful access to data in Part 1 need to be extended to cover the failure to adequately secure retained data, particularly that claimed under warrant, notice or authorisation. Penalties should be linked to, but significantly more severe, than those under Data Protection legislation and cover anyone in industry or government holding such data.

A more serious flaw is that the Bill does not address the organisation of practical co-operation in time to meet operational needs, as occurred during the 2011 London Riots, when law enforcement was unable to make effective use of the information streams on offer from mobile operators and ISPs. Here the need is for access to the real-time computing power of industry in time to make a difference and save lives. This raises problems of governance more profound and difficult than those covered in the bill.

The Bill contains an attempt to improve processes for cross-border co-operation but the extra-territoriality are unlikely to help sufficiently to make a material difference. The need is to make voluntary co-operation, including across borders, very much easier. Thus during the London Riots a communications service provider in North America obtained a local warrant which enabled it to legitimately decrypt communications between gang leaders before UK law enforcement was able to work out how to organise a request.

The current pressures on police budgets also mean that their ability to act as the first line of defence in addressing cyber-crime or terrorism depends on making practical progress with implementing the recommendations for Partnership Policing made by EURIM and IPPR a decade ago

The time has come to also implement the suggestion, discussed in the margins of RIPA, that  all organisations with investigatory powers should route their requests through a well-identified and authenticated “Single Point of Contact” (SPOC) with staff trained to keep the results secure. The security requirement should include physical inspection (not just a paper validation of theoretical processes). Those without such a SPOC should be required to route requests through an organisation which can meet the requirements.

The welcome inclusion of penalties for the abuse of the powers does not address the problem of Councils giving powers to dozens of staff, from senior to junior or lacking the procedures to keep the results secure. Pages 17 and 18 of the guidance from Weymouth and Portland Borough Council (picked because the investigation into the “Portland Spy Ring” is such a good example of the use of the investigatory powers of the day) illustrates why this problem is of such public concern, particularly in other local authorities where officials are expected to work in close co-operation with community leaders who may be more concerned with family honour than personal privacy. A requirement to provide adequate security and protection against potential abuse might well led to a welcome drop in the number of organisations seeking to retain historic powers. 

I also recommended reading the excellent briefing from the House of Commons Library as well as the evidence to the Commons Select Committee when it is published.

I do not expect the Digital Policy Alliance to try to organise an exercise akin to that which we (i.e. EURIM) ran on RIPA, the of the scrutiny arrangements already in train mean that it would add little, but those who think it should organise a round table before 21st December for those planning to submit evidence should contact them, not me. I will, in any case, try to order my thoughts round the questions asked by the scrutiny committee,