Friday, March 18, 2016

Circles of suspicion and the Investigatory Powers Bill

I attended an absolutely terrific conference in Cambridge, Oversight or Theatre? Surveillance and Democratic Accountability, in early February which I've meaning to write up here but simply haven't found the time. It was organised by John Naughton and Nora Ní Loideáin from the Technology and Democracy CRASSH project at Cambridge University and Ross Anderson live blogged it.

The recordings of all the panels and the subsequent well-informed question and answer sessions with the audience are now available at the CRASSH website. I particularly recommend the contributions of Conor Gearty, who opened proceedings, David Anderson, Richard Clayton, Lorna Woods, Ross Anderson and Nora Ní Loideáin.

The whole day constituted the most informed public debate on the Investigatory Powers Bill I've witnessed to date. Significantly higher quality than most the discussion on the 2nd reading of the Bill in the House of Commons earlier this week.

A copy of my slides from the second panel on the day -
I talked about internet connection records (ICRs) and recommended they be removed from the Bill but set up the discussion by considering the very persuasive case Professor David Omand makes for the bulk powers in the Bill.

Prof Omand, quite reasonably, suggests the guilty forfeit their right to privacy in connection with nefarious activities and the authorities are entitled, also, to collect and peruse the data of the suspicious. Those in the suspicious category may be innocent but if law enforcement and the security services have a justifiable cause to harbour suspicion, they have a duty to investigate such persons. The data of the innocent gets tangled up in all this but that's not a problem, the good professor suggests, since law enforcement and the security services are not interested in the innocent.

I figured it would be interesting to get a picture of the relative proportions of guilty v suspicious v innocent by throwing some hypothetical numbers at the problem. Since successive government spokespersons for the past 16 years have talked in terms of thousands of dangerous individuals here, I started with the hypothesis that there might be 6,000 dangerous people and 600,000 suspicious types resident in the UK, in a population of a little over 60 million. If that is anywhere close to the real numbers the relative areas of our guilty, suspicious and innocents' circles look like this -

So the collection of everyone's data in bulk for investigatory purposes begins to look somewhat disproportionate. If the numbers of guilty rise to 600,000 and the suspicious to 6 million the picture changes again -

By playing around with the relative numbers we can get a picture of how big we think the guilty and suspicious circles have to get, before we consider it proportionate to justify the bulk powers in the Investigatory Powers Bill.

Even with that latter diagram assuming 600,000 guilty and 6 million suspicious, it doesn't look reasonable to me that the remaining 54 million or so innocents get dragged into the digital net of suspicion.

The bottom line is that we only start to get a real picture of what the Investigatory Powers Bill bulk powers mean when we get into the detail of how they will operate or are expected to operate in practice. As far as ICRs go, the government should not be collecting, indiscriminately, for perusal and analysis, primarily electronic or otherwise - the excuse being the data will only be "seen" by computers - the reading, viewing and listening lists and other online activities of the entire population. Especially not those of tens of millions of innocents.

Thursday, March 17, 2016

Investigatory Powers Bill 2nd Reading: Part 1 Government v Labour

The Investigatory Powers Bill got its 2nd reading in the UK parliament Tuesday, 15 March 2016, an ironically appropriate date, given how much this little understood law may change the world.

At about 1.30pm the Home Secretary moved the 2nd reading of the Bill, expressed her desire for it to stand the test of time, lauded the 3 comprehensive reviews from David Anderson, RUSI and the Intelligence and Security Committee and the wide consultation the government had conducted.

She seemed to feel, having had several goes with the snoopers charter, been denied and widely criticised, she had done her penance and now needed to be allowed to put the Bill on the statute books. It was completely unreasonable - ridiculous - to be accused of rushing it through parliament when she has spent years of effort on it.

Yet despite all these years of work, her opening claim that the Bill had been thoroughly shaped and improved needs to be taken with a substantial fistful of salt. The rhetoric about enhanced rigorous oversight, world leading legislation, unparalleled transparency, privacy forming the backbone of the Bill, a legislative panacea to tackle terrorists and pedophiles, doesn't stand up to close scrutiny.

Can we just clarify, to begin with, that secret suspicionless surveillance indiscriminately directed against the entire population - as collecting the everyone's communications data to trawl in the hope of finding incriminating evidence undoubtedly is - is the essence of a police state, and not, as I understand it, tolerable under international human rights law. Regardless of whether it was legal or not, the facilitation of government collection of the intimate and comprehensive reading habits of all citizens would be deeply objectionable.

Both the European Court of Human Rights and the Court of Justice of the European Union have repeatedly held this to be the case. Pick your case - Huvig v France (1990) S & Marper v UK (2008), Digital Rights Ireland & Seitlinger (2014), Google Spain v Gonzales (2014), Shrems (2015), Zakhorov v Russia (2015), Szabo & Vissy v Hungary (2016). (The one interesting anomalous decision in recent years was the Willems case where the CJEU strangely ruled biometric data collected for passports could be merrily shared for other purposes, as such activity was not covered by EU law. But generally there is an arms race between the two courts over which can be seen to be the toughest protector of privacy).

Secondly, taking years to put a badly drafted law, which collects together the most expansive bulk surveillance activities that have operated or can be conceived of, is not the best test for its efficacy or sustainability. This is especially so when you substantially ignore or at best pay lip service to carefully crafted recommendations for a framework for such a law, as well as serious structural and detailed critiques of the initial draft of the Bill.  Addressing the Intelligence & Security Committee's recommendation to make privacy the backbone of the Bill, for example, by putting the word privacy in the title of part 1, is straight out the Sir Humphrey Appleby playbook: "always dispose of the difficult bit in the title - it does less damage there than in the text."

The Home Secretary stated that intelligence services will not be able to go to overseas agencies to bypass the safeguards in the IP Bill i.e. the kind of cosy legal arbitrage GCHQ and NSA have reportedly been engaged in for years (NSA spies on Brits when GCHQ prohibited from doing so, GCHQ vice versa on Americans). I'm not sure what explicit provision in the Bill prevents this in practice.

Dominic Grieve, surprisingly enough since he's a pretty well informed critic of the Bill as chair of the Intelligence and Security Committee, intervened and invited the Home Secretary to declare the 200+ distinguished lawyers, who wrote a letter to the Guardian raising concerns about the “generalised access to electronic communications contents” facilitated by the IP Bill, wrong. Mrs May happily obliged.
"15 Mar 2016 : Column 816
Mr Dominic Grieve (Beaconsfield) (Con): The Home Secretary may have seen the letter in The Guardian today from a large number of lawyers who suggested that the legislation was intended to give
“generalised access to electronic communications contents”.
Does she agree that that is the very thing that the Bill does not do, and that the double-lock mechanism is there as an assurance that that will not happen? 
Mrs May: My right hon. and learned Friend is absolutely right."
Mr Grieve, later in the debate, passionately asserted that if such generalised access was going on - and he is convinced that it is not - it would be completely wrongheaded and illegal.

Ken Clarke was worried about the limited judicial review powers the investigatory powers commissioners would have. Theresa May suggested the commissioners would decide the nature and extent of scrutiny they would wish to apply and it was laughable that anyone might think they would act as rubber stamps for Secretary of State warrants.

She then went on to make a collection of assertions -
  • government have justified IP Bill bulk powers
  • internet connection records are only about the initial point of contact
  • she has taken the advice of the joint committee in broadening the use of ICRs
  • the IP Bill contains significant protections for legal and parliamentary privilege
  • companies agree communications data and metadata are easily distinguishable
  • absence of access to communications data "makes it impossible to identify child abusers"
  • (in response to a question from Nicola Blackwood MP, chair of the Science and Technology Committee) 100% of industry compliance costs in dealing with internet connection records will be met by government
  • Part 5 equipment interference powers are already in operation and vital for law enforcement, counter terrorism and military operations
  • Bulk personal data sets are already being used to keep people safe and should be continued to be used
  • s217 will mean service providers will be required to maintain "permanent technical capabilities to give effect to warrants" and to decrypt their own communications but not necessarily those from 3rd party systems ("It would not—and under the Bill could not—be used to ask companies to do anything it is not reasonably practicable for them to do")
  • The Bill provides unparalleled transparency, robust safeguards and an unprecedented oversight regime
  • The Bill had been subject to unprecedented levels of scrutiny
She concluded by suggesting the government were in advanced negotiations with the US on Nigel Sheinwald's recommendations on intelligence data sharing, to develop an international framework to ensure that multinational companies can disclose data. This, along with the promise to pay 100% compliance costs for ICRs, were possibly the two most significant things the Home Secretary said on the day.

Andy Burnham, former Home Office minister, stood to offer the Labour party's official perspective. If there is substantive opposition to the contents of the IP Bill within the Labour party - and I know there is from MPs like Tom Watson and David Winnick - then there was little evidence of it from Mr Burnham's contribution to the debate. He opened by trotting out the dire need to combat the four horsemen of the infocalypse and the false and distorting 'balance security with privacy' dichotomy. From those foundations he was highly unlikely to get anywhere enlightened.

In summary he -
  • wants the law updated and "agrees with the principles" of the Investigatory Powers Bill
  • labelled critics of the IP Bill as "lazy" and "insulting to people who work in the police and in the security services" [I feel obliged to point out this is a non sequitur but will attempt to refrain from commenting on the rest] 
  • criticised abusive surveillance of Baroness Lawrence and the Hillsborough families
  • doesn't want to play politics with the IP Bill [so much so he repeated this frequently]
  • criticised the government abuse of the Shrewsbury 24, blacklisting of construction workers and overreaching seizure of privileged journalistic materials in the plebgate affair
  • felt the Home Secretary had responded to the recommendations - but only half of them - of the three parliamentary committees who had scrutinised the first draft of the Bill
  • wants privacy protections in the Bill
  • wants further protection for MPs and stronger legal privilege provisions
  • thinks ICRs should only be used in serious crime cases, wants them more clearly defined since they are wide open to mission creep; and wants access to them strictly limited to a reduced list of authorities
  • asserted "national security" has been used as an excuse by government in the past when there was no question of a national security issue
  • wants "national security" and "terrorism" defined more clearly and the "economic well-being" test dropped from the Bill
  • wants to ensure trade unionists don't get unfairly targeted as they have been in the past [At this point the Home Secretary intervened to accuse Mr Burnham of questioning the integrity of the judiciary by suggesting they would be complicit in underhandedly targeting trade unionists. Mr Burnham responded by suggesting it was "absolutely rotten" for Mrs May to misconstrue his words in such a way]
  • accepts the need for bulk powers to deal with bad guys even though the government's operational case is not convincing, so would like an independent review of bulk powers
  • wants stronger judicial oversight
  • wants misuse of powers to be a criminal offence
He concluded by saying he had outlined "six substantive issues that must be addressed" and if the government didn't address them Labour would withdraw their support for the timetabling of the Bill. If I understood him correctly I think Mr Burnham's six concerns were they need -
  1. more privacy
  2. higher threshold for engagement of powers
  3. to dial back ICRs
  4. independent review to justify bulk powers
  5. stronger judicial oversight
  6. to criminalise misuse of powers
This is where Mr Burnham, at least, is drawing the Labour Party red line on the Investigatory Powers Bill. Whether it constitutes sufficiently robust analysis of or opposition to the current hugely flawed draft of probably the single most important piece of legislation in a generation, I'll leave the reader to decide.

I'll endeavour to report on other contributions to the debate when time allows. Dominic Grieve, David Davis, Ken Clarke, Stella Creasy and Joanna Cherry were particularly worthy of attention, if anyone feels inclined to peruse Hansard in the meantime.