Is Government willing to pay for a surveillance regime that is fit for purpose?

Do read the full report of the Science and Technology Select Committee, “Investigatory Powers Bill: technology issues”, released this morning, not just the press cover or even just the summary. It is barely 30 pages (plus appendices) long. Then think about the tension between the desire of Government to consult on supposedly future-proof legislation (without saying how it will actually be used) and the desire for certainty and clarity on the part of those most likely to be affected. Then re-read the report and ponder the conclusions.

I stand by my view, quoted in the report, that the concept of “internet connection records” is meaningless and that the legislation should be based on something vague like “the addressing information used for electronic communications”.  My reason is that making clear which communications will be monitored, and thus how to avoid monitoring, is incompatible with the objective of the legislation. That marks me out from all those seeking clarity while stating how impossible this is. 

My comments (page 11) are juxtaposed with a comment from Exa Networks that “some of the definitions of the Bill do not seem to accommodate the complexity of Internet Protocol networks”. Andrews and Arnold correctly point out that greater clarity and consistency in definitions would “limit the scope of future governments to expand the retention beyond current limitation without a change to the legislation”. I agree with the analysis and disagree with the conclusion. It is as though the denizens of Bletchley Park were to be asked, in advance, to define the nature of the wireless networks they wanted monitored, in case they were carrying traffic that someone might want them to try to analyse to see who was talking to who, and thus whether it might be worth trying to mount a decryption exercise.

Today, as Ross Anderson put it, “technology changes just too fast”.

The Home Office said “we will certainly not place obligations on every one of the “200 or 300” communications service providers”. LINX already handles traffic from over 700 providers and that is barely a third of those whose traffic should already be liable to analysis and monitoring if the current legislation means what it says. The number will rise sharply with the transition to a world of smart and ubiquitous computing. On Friday I saw a poster describing a research project into the practicality of using a modified Fitbit as the hub of a communications network.

Richard Clayton is quoted as saying “the present Bill forbids almost nothing … and hides radical new capabilities behind pages of obscuring detail”. Once again I agree, but draw a different conclusion: scrap the obscuring detail, admit the all-embracing nature of the powers, concentrate on the accountability and governance of those targeting the use of those powers.

This raises the interesting question of whether Tech UK is correct in saying that the consequent uncertainty is bad for British business (page 10). Provided that the Home Office is willing to cover the full cost and provided the powers are actively used to help protect businesses based in Britain from fraud and abuse, I suspect the overall effect would be positive – although it will require changes to the business models of some leading members of Tech UK. But the devil is in the governance, including the governance of co-operation. That leads to the question of whether ISPs should be liable to a requirement to open up end-to-end encryption services (if they can) and, if so, under what circumstances. I see this as directly analogous to an old-fashioned telephone interception warrant.

When it comes to equipment interference Ross Anderson is well quoted as saying that “The right way to get round encryption is targeted equipment interference, and that is hack the laptop, the phone, the Barbie doll … of the gang boss you are going after, so that you can get access to the microphones, to the cameras and to the stored data.” I agree that “bulk equipment interference” is probably an inefficient method with uncertain (and potentially hazardous) side effects. This is an area where the quality of the Technical Advisory Board and its ability to work with the Judiciary to maintain and police effective Codes of Practice will be critical.

The discussion of the impact on the Communications industry is largely confined to those who know they will be affected by the new definitions, but if the Bill is to meet its declared objectives then almost everyone running any kind of network or Wi-Fi or Bluetooth hotspot will potentially be affected. Mark Hughes is quite correct to raise the position of ISPs not based in the UK (page 26). The legislation cannot achieve its objectives if these are not covered. The issues of clashes of jurisdiction need to be clearly addressed – perhaps by lifting the veil on the current state of international “mutual assistance” arrangements.

The most interesting discussion was, however, that on cost. If the Home Office does plan to reimburse all costs and expects these to be under 200 million pounds, then the ambitions for data retention are very much more targeted (and modest) than current debate implies and the risk of “mission creep” will be controlled by what the security services and law enforcement can afford. The reluctance to include 100% reimbursement on the face of the bill is understandable – but calls into question all other assurances. This is one area where lack of clarity will not help the UK to remain a trustworthy hub for global on-line business.

The recommendation of the Committee (page 32) that “The Government should reconsider its reluctance for including in the Bill an explicit commitment that Government will pay the full cost incurred by compliance” is therefore, for me, the most important part of a thoughtful and thought-provoking report.