What is at stake with the Investigatory Powers Bill?

I want to begin by thanking Ross Anderson for reminding me to attend the recent Scrambling for Safety event on the Investigatory Powers Bill. I will not try to reprise the full event, I recommend watching the livestream recording from end to end. Also George Danesis has posted summaries of Session 1 and Session 2. As with previous Scrambling events it intertwined the profound and paranoid. I leave you to work out which is which and will simply comment below on the points which made the most impact on me.

The first was made at the beginning of the debate by Sir David Omand and echoed again and again by other speakers: This is the first attempt in 500 years to bring the surveillance activities of the state under rule of law instead of “the prerogative of the crown”. More-over the UK is one of very few states attempting to do this and our success or failure has profound implications for our position as a global hub for on-line financial transactions, e-commerce and content.

I was very pleased when Gail Kent, who recently moved from the NCA to Facebook pointed out that the legislation has to be put into international context so that those running cross-border are not trapped by extra-territoriality conflicts between UK and, for example, US. The Draft Bill has made a start on this, but is not yet consistent.  

Credible judicial oversight requires the support of security vetted, competent and independent technical expertise in order to be able to assess proportionality and balance of risk (e.g. when “interfering” with equipment in order to find out what it is being used for). That will not be easy to source and maintain. Those who can provide it are likely to be in global demand – with all that entails.

For me the second most important point was made by David Anderson when he said, towards the end of the event, that in his experience the security services did not want more powers. They did not want useless powers. They did not want encryption keys. But they did want proper supervision. He said they were staffed by young idealists, rather like the audience, but who saw the dangers our society was facing. Those comments were in response to a series of accusations from the audience about demands from the state for ever more information and comments about the futility of bulk data collection and the dangers of “interfering” with systems in order to collect it and giving authority to “them” to trawl through our personal information. Ross Anderson asked for a term for “bulk data collection” worthy of Caspar Bowden.. I afterwards suggested they be called “Hoover Powers”, as in both the use by J Edgar Hoover of his “imprecise authority” and in collecting big bags of rubbish and fluff that might, but more probably will not, contain something of value.

I do not believe the surveillance services want bulk data. They want targeted data, with the dross filtered out. The problem is how to get it. If that is correct then we need to move the debate away from debating “how many angels there are on the head of  a pin”, with regard to the shapeshifting (as technology changes) world of communications data (alias internet communications records). We need instead to look at the governance of the techniques for filtering whatever is available – in order to make effective the use of the limited resources (including time) that are usually available. Here we have a problem, illustrated by the fate of Gordon Welchman when he attempted to trigger such a debate by publishing a History of Hut 6 in 1982. The currently available version of his book omits the “controversial” material so we can assume that well-informed debate, is still off-limits.

The current Bletchley “story” focuses on their success in decrypting that proportion of German Traffic they tried to break rather, than the much larger traffic analysis operation that tracked the German Order of Battle and targeted the codebreaking effort. The processes for the latter still sit at the heart of modern surveillance (including Google et al) and were not leaked until Edward Snowden published them – thus also leading to the pressure to bring the state surveillance operations of the UK and US under judicial accountability. Describing the techniques for targeting makes it easier to evade them. This makes the credibility of the judges providing secret, but credible and effective governance all the most important. 

The third point that came through from a number of speakers at the Scrambling for Safety event was the inability of law enforcement to make timely and effective use of the information already available – while still supposedly asking for more. Hence again my continuing focus on partnership policing and the need for industry to be permitted to help the police identify abusers (of all kinds) in time to take action. That too raises many issues of governance, including with regard to the status of the “Codes” intended to put flesh on the Bill – will they have statutory authority (implying clunky predictability) or be akin to “judges’ rules” implying reactive evolution in the face of bad practice as it is identified by those exercising oversight?

For those who want further robust debate on the technical practicalities I commend the next meeting of the Real Time Club, where Adrian Kennard will be explaining and defending, (hopefully from well-informed attack) the ISP position. His original and subsequent supplementary written evidence to the scrutiny committee illustrate why I took such a different tack in my own evidence – leading to a call to focus on the governance of partnership policing and of ALL those being given powers, including regulatory agencies and local authorities.

[I also commend listening to the “in memoriam” thoughts on Caspar Bowden – if these are on the Scrambling for Safety video – I confess I have not checked – as Caspar would have done. I found it too difficult to order my own thoughts but his character and contribution were well summarised by those who gave their memories. I first met him at a Trades Union event before the 1997 election. I was told I should make a point of inviting him to any relevant discussion meetings because he would make well-informed trouble if I did not. I quickly realised that we were both being used as “litmus paper” to test for the “toxicity” of specific proposals. Our approaches were very different but we came to the same conclusion surprisingly often. Over nearly twenty years I found his attention to detail invaluable, even when I did disagree with his conclusions. Meanwhile he never gave up on trying to educate me …]