Wednesday, November 11, 2015

Science and Technology Committee IP Bill hearings

Some day when you find yourself with a couple of hours free, sit down in front of your computer and watch a debate in parliament on something you know a little about. I couldn’t spare a couple of hours but nevertheless couldn’t resist the Science and Technology Select Committee’s hearings on the draft Investigatory Powers Bill published by the government last week.

My very own MP, Nicola Blackwood, the recently installed Chair of the committee, opened proceedings with a briefing from the Home Office. She assured us that the Home Office had assured her that there were no plans for new powers to ban encryption deployed by overseas companies. I assume that was rushed to Ms Blackwood in advance of the briefing, following Apple chief Tim Cook’s dim view of the Bill headlining the front page of the Telegraph that morning. The only new power in the bill, Nicola assured us, was the facilitation of access to internet connection records. Given the amount of public relations there has been in the run up to the publication of the bill, I was assured that Nicola was assured and that MPs had been assured that all was ok and they need not worry too much about what that bill actually says.

One problem with watching parliamentary proceedings on the Internet, however, is that no, not that the spies/police might be watching when the IP Bill passes, but that the Parliamentlive streaming service can be decidedly flaky. I spent a fair and irritating chunk of my couple of hours watching a buffering circle on my screen.

First up in the witness chairs were Matthew Hare, Chief Executive Officer, Gigaclear, John Shaw, Vice President, Product Management, Sophos, and James Blessing, Chair, Internet Services Providers' Association. All three tried valiantly to enlighten but separating an MP in thrall to a party briefing from a clear view of the world is a bit like trying to separate a toddler from a beloved comfort blanket.

Witnesses:
  • High speed internet connections could result in an annual storage requirement of 15 terrabytes of data, just relating to a single home
  • The amount of data the IP bill requires service providers to collect, indiscriminately, is huge and costly and will not meet the aims of the bill
  • Serious criminals are already using strong encryption the IP Bill won’t address
  • Keeping massive stores of data safe and secure is really difficult... cough… TalkTalk cough…
  • Definitions in the bill are ridiculously broad – not even clear what a service or a service provider is
  • The Bill disadvantages UK companies which appear obliged to hand over data overseas companies do not
  • Internet protocol data networks are not run the same way as telephony networks and assuming they do is a fundamental error
  • Engaging in a population wide data dragnet in order to engage in a historical data fishing expedition at some point in the future is inappropriate
  • What is being proposed in the IP Bill is what has already been done in China
  • With port mirroring everything delivered to a customer can be delivered to 3rd party (MPs eyes glazing over)
  • It’s going to cost taxpayers a lot of money
  • Targeted rather than mass surveillance is a more effective, efficient and practical approach to the aims of the bill. If service providers get a request to intercept traffic to a particular IP address they can and do do that today.
  • The removal of electronic protection aka nobble encryption clause is a baaaaad idea
  • The Bill talks about 3 layers of data – communications data, content and one or the other. Unfortunately, once you capture comms data it becomes content, when you analyse it, it becomes information. (MPs glazing over again)
  • The IP Bill, as it stands, potentially makes it a criminal offense for service providers to share information about security vulnerabilities
In summary their evidence amounted to – the Bill is technically complicated and unclear what it really means in practice; it'll cost a fortune, fail to catch terrorists and other serious criminals, damage business, undermine everyone’s security and result in large numbers of innocent people being inappropriately dragged into the net of suspicion.

MPs:
  • But, but, but…
  • We’re already paying to be spied on – that’s how we fund the secret services
  • It’s ok to have a dragnet for the internet because we have a dragnet for phones and it’s just the same
  • Stella Creasy enthusiastically jumped in to share her knowledge of IPv6 which would fix everything by allowing the “spearfishing” of the baddies’ data from giant data stores and thereby making everything ok with bulk personal data collection. Unfortunately, as the techies heroically tried to explain, IPv6 generates vastly more data and makes everything more not less complicated technically
  • But, but, but…
  • It’s ok because we don’t intend to do all those things you’re complaining about
In summary, but, but but…

Just as the ever excellent Professor Ross Anderson of Cambridge opened for the second collection of witnesses of the day, my dreaded buffering circle kicked in again… The second group also included Professor Mike Jackson, Birmingham City Business School, Dr Joss Wright, Oxford Internet Institute, and Professor Sir David Omand, King's College London.

My feed came back online just in time to hear Nicola Blackwood emphatically declaring that there was no place for ethics in the hearing. The committee was here to be educated purely on the technology issues.  Prof Omand open by profoundly disagreeing with everything Prof Anderson had just said.

Ah shucks. What did I miss?

As far as Prof Omand was concerned the questions underpinning the bill were not ethical in nature but empirical. Unfortunate though the revelations of former NSA contractor, Edward Snowden, were, they demonstrated, empirically and without question, that the intelligence authorities were very good at handling large quantities of data.

Prof Omand went on to explain that in his opinion the main “fuzziness” in the bill was in the distinction between communications data and content. It was, however, a fuzziness with minimal practical relevance. The bill was as close as you can get to clear on the distinction between the two. The word "clear" did draw some sharp intakes of breath in the room but he ploughed on. The real significance was in the authorisation process for intercepting or accessing the data; and since that could be worked out by the insiders with the appropriate expertise, there was nothing to be concerned about.

Joss Wight respectfully disagreed with the good Prof about there being a clear practical line between metadata and content. His main opening concern was with mass retention or “bulk” retention which the government likes to call it. Dr Wight would want to see some respect for proportionality. Prof Omand was a little irritated with this and noted that the mistake the Home Office made in last 5 years was to not update interception and surveillance codes of practice. If the public had known there were secret codes of practice governing everything, all would have been ok and then the Snowden wouldn't have been such a shock.

Prof Anderson was invited back into proceedings again and decided it was time to ground all this abstract stuff in something the MPs might understand – their Google calendars – Google calendar data relating to who they were meeting with, where and when would be within the scope of what the Bill would consider content. Prof Omand jumped in insisting that this was not intended and accusing critics of the bill of using “worst case” examples to undermine it. Theoretically, the Infinite Power (sic) Bill could be abused but trust us, it won’t be.

Dr Wight noted a fundamental misunderstanding underpinning the bill being the assumption that metadata (or communications data) is less sensitive than content. Prof Omand was, metaphorically at least, on his feet again – the authors of the bill (by this stage observers must have been wondering if he was one) were not disagreeing that communications data might be sensitive but "most of the time" it is not.

Dr Wight insisted that comparing web communications data to telephony data is ridiculous. A better analogy is to real life - what shop, home, workplace, place of leisure you visit are all captured. That provides a much more intrusive picture of life than telephone billing records. Content data is not more sensitive than communications data. It is merely differently sensitive.

An MP ventured a really good question (that was not of the variety ‘can you confirm how clever I am’) – how do we frame this kind of surveillance legislation so it is practical now and future proof? 

Prof Anderson bluntly explained you can't. The technology is changing too quickly and parliament will have to continually revisit access to personal data issues for the foreseeable future. Technology and policy are inextricably interlinked and guess what? The internet of things is about to hit us. Also whether we like it or not, the networks are international in nature and Prof Anderson strongly encouraged international cooperation in their regulation.

Dr Wight then pointed out that from an investigatory perspective a targeted approach to surveillance was more effective and more practical. Though he understood the seductive attractions of creating a time machine with which to explore, at some future point, the intimate details of anyone’s past life, it was somewhat unethical. 

Prof Anderson agreed. There may be information gold in them there communications data hills but that didn’t make it ethical to build them. 

Prof Jackson confirmed that even as you continue to construct these data mountains you’ll find only a tiny amount of the data is useful. This is mass surveillance.

Nicola Blackwood was now getting tired of reminding these techies that the panel was here to discuss technology not ethics.

And Prof Omand was having none of it from his fellow witnesses. The British government simply does not and would not indulge in mass surveillance. It’s not the done thing. Mass surveillance is the persistent surveillance of all or large part of population. And since it is only computers that are engaged in the persistent recording, storage and analysis of the intimate details of everyone's lives, that’s perfectly fine. Human beings only look at a small amount of the data you see. [By which measure, incidentally, you could make an argument for installing the most sophisticated modern video cameras, filming 24/7 in every corner of every room and space in the country - it will be ok if nobody looks at it].

Prof Jackson pointed out that when mass databases exist that opens the personal data to the post hoc (rather than real time) equivalent of mass surveillance. Dr Wight agreed – proponets of the IPbill might be claiming there is no mass surveillance going on because human beings only see a small proportion of the data but computers can do a phenomenal amount with mass data before humans ever get involved in the loop. We also need to be cognisant of the clear and empirically measured chilling effects of a population’s awareness of constant surveillance.

Ms Blackwood: No ethics please, we’re here to discuss technological issues!

Profs Anderson, Jackson & and Dr Wight: The elephant in the room here is the destruction of privacy and you cannot deal with this bill without discussing it.

Prof Anderson tried again to bring the discussion back to something the MPs would understand. There are, he noted, significant sensitivities around medical records for example. Likewise bank records – did the MPs want police or other public services trawling through people’s bank records?

Prof Omand was in no doubt that of course we do – it was perfectly reasonable. It was perfectly unreasonable for Prof Anderson to be attempting to scare people witless about abuse of these powers with worst case scenarios. It won’t happen because we will now have stronger oversight including the involvement of judicial oversight. We listened to our US cousins on that one.

Dr Wight, at this point, disputed the notion that the IP Bill was not expanding existing powers. It would additionally lead to a reluctance on the part of commerce to do business in the UK and people seeking to subvert what the bill is trying to do would simply use services overseas.

Prof Anderson again noted that if we’re to get a handle on the regulation of these technologies we have to have international cooperation. Something along the lines of an international cyber evidence convention is called for.

Prof Omand: The security of the internet is the number one priority. The policy in the bill is extremely clear. You simply cannot remove the right of the authorities to deal with pedophiles and the IP bill might give the police and security services a chance to catch them. We do note, however, that the judicial commissioners involved in the oversight processes will need a lot of technical expertise.

Prof Anderson: Yes and the problem with the proposed set up is that the experts on the advisory board will have representatives from police, security services and service providers. No one from civil society or academia is entitled to even a look in – no representatives, in short, for Jo Public. Given big data is manna from heaven for government and commerce, that appears somewhat unbalanced.

Nicola Blackwood watching the clock, with relief, summed up: We’re out of time. We need to give the security services what they need. We need to insure proportionality in the deployment of these powers. She also thanked the witnesses for their heated advice. [Actually it was all reasonably civilised even though there was a split in opinions on the panel]

So, in summary where did we actually get to?

Profs Anderson, Jackson and Dr Wight: The government are collecting digital dossiers on the intimate details of the personal lives of the entire population.  Whatever you choose to call it that is mass surveillance

MPs: But, but, but…

Prof Omand: No it isn’t and it is irritating that people keep saying so

MPs: Ah that’s a relief... and they vacated the room, party briefing comfort blankets still tightly clenched.

Update: The Science and Technology Committee has invited written submissions on the Investigatory Powers Bill by Friday 27 November. As Nicola Blackwood repeatedly reminded her witnesses, they are looking for submissions that focus on technology issues, including:
  • The technical feasibility and costs of meeting the obligations imposed by the Bill 
  • The impact on communications service providers and related businesses 
  • The likely consequences for citizen/consumer use of ICT services
You can submit your thoughts via the UK Parliament website.

Update 2:  A full official transcript of the hearings is now available.