If you’re in the habit of leaving legislative scrutiny to legislators – which would seem pretty logical – you might be forgiven for thinking that the Investigatory Powers Bill is largely uncontroversial, with nothing more than perhaps a little light quibbling over details.
That’s because Labour, despite its freshly-burnished left-wing credentials, has opted to abstain rather than oppose the bill at its next reading, meaning that despite opposition from the handful of remaining MPs, it will sail through the Commons with little public attention.
For privacy campaigners, the bill as drafted represents something akin to Game Over: it will reset the basis of most existing court cases, and take years to begin challenging in any forums which will give it any serious challenge (usually the European courts).
It will entrench in clear statute for the first time numerous powers UK agencies have slowly and surreptitiously built up in the Internet era. It will extend those powers. And that’s just what we know from the bits of the bill with a clear meaning: what we don’t know may be even riskier.
Perhaps the best example of the way the bill elides practices revealed in the Snowden leaks, overt extension of powers, and covert extensions of power is that of “equipment interference”: hacking software or hardware to help intercept and collect data.
GCHQ (and the NSA) engage in “bulk” equipment interference – tampering with a router in an internet or phone network data centre, to collect information on thousands or millions of users. “Bulk” interference can also mean backdooring a particular software suite in order to effectively penetrate some or all of its users.
This was not a practice either agency voluntarily disclosed: it emerged in the Snowden documents. The one UK warrant revealed in the stash showed a single ministerial warrant could cover a huge range of bulk activity, including subverting Cisco routers and Kaspersky antivirus software.
“The law will allow the agencies to hack as many people as they like, indefinitely”
The new rules serve to codify what seems to be existing practice: bulk warrants aimed primarily at foreign (ie non-British) targets will be able to stand for up to six months. Agencies will be allowed to hack people who are not themselves surveillance targets in order to aid their surveillance. Agencies will be able to retain data on British citizens obtained through bulk interference and collection, though will need a targeted warrant to look at that individual data.
However, the bill also introduces numerous ambiguously-worded new measures, including a responsibility on “communications providers” to assist in the hacking of their users – a technical and legal headache of monumental proportions for international companies, who face a choice of breaking UK law or the law of other countries which require them to guard their users.
And despite numerous assurances that the bill doesn’t seek to undermine encryption, companies are required to make “reasonable” efforts to remove protection on communications across their networks – i.e. encryption – if they applied it themselves. Needless to say, “reasonable” is not defined.
In short, the law will allow the agencies to hack as many people as they like, indefinitely, whether suspected of misconduct or not, compelling companies across the globe to help them all the while – provided the actions are in support of their overall mission.
And still there is more missing: despite numerous recommendations, the IP Bill only covers hacking for information-gathering purposes. Agencies are permitted to hack for other reasons (including cyber-offence and even defence) – but the rationales and permissions for that will remain private. The new rules may appear so broad and permissive so as to be all-encompassing, but they still aren’t definitive.
This is just one provision of a bill hundreds of pages long, which introduces powers on bulk interception, regulates (or doesn’t) how agencies can use data from other government departments – health records, HMRC data, electoral rolls and more – or bought from other bodies like credit agencies. It governs the storage and retrieval of “internet connection records” – described in debate as basic metadata, but barely defined in the bill.
“‘Data’ includes any information which is not data”
Three parliamentary committees suggested dozens of changes to the bill and suggested redrafting could and should take several months. The alternations made, over a period of barely a fortnight, are often laughable. One major recommendation was to consolidate and extend the privacy protections already in law and put them at the heart of the bill. Instead, the word “privacy” was added into the title of an existing section, which was otherwise barely changed.
A final complication for anyone trying to make sense of a Byzantine bill full of complex power grabs is that almost no word means anything like its usual definition.
The most derided of these in the draft was a sentence which could’ve been plucked from a 21st century Alice in Wonderland reboot: “‘data’ includes any information which is not data”. This would, of course, allow the word to mean…anything.
Of course, after numerous commentators, media outlets, and parliamentary committees noticed this, that original definition could not stand. Here’s what it is now: “‘data’ includes data which is not electronic data and any information (whether or not electronic).”
Which of course is vastly better, and definitely doesn’t still mean whatever GCHQ chooses it to.
The bill is an illiberal mess that even experts cannot unpick and define. It does nothing to bring clarity to how agencies work or to the limits of their powers to do a job virtually everyone agrees is a necessary one.
Despite promises to allow maximum scrutiny, Theresa May has hurried the Investigatory Powers Bill back into the House, and is moving it through parliament at a time where all eyes are fixed on on the EU debate, a goal which Labour’s ineffectual abstention will only aid.
Such a move is the height of complacency at a time when the world should be warning us to be anything but: the refugee crisis is destabilising Europe and far-right parties are on the rise across the continent. A perilously divided America is turning towards the kind of populist demagogue many have good reasons to fear.
If the UK accepts and passes this kind of law, it serves to legitimise the same and worse from states far nastier than ours. And the examples of our neighbours suggest we should not be too relaxed about our own future governments. The Snoopers’ Charter needs more attention, and fast.