The Draft Investigatory Powers Bill
Today, on the 4th of November, 2015, the UK government published its draft Investigatory Powers Bill. The bill, both in the manner of its introduction by the Home Secretary in Parliament and in a few bullet points it boasts, such as judicial sign-off of warrants, is wrapped in and designed to exude a certain degree of reasonability. This is all to distract, of course, from its eminent and extreme unreasonability.
This article describes various issues with the bill, in a somewhat unordered fashion, as I have only gone over it once due to its size. If I have made any error in my analysis here, or you merely think another interpretation is plausible, public or private comments are welcome. My conclusions here are merely a first draft and may not be accurate.
Internet Connection Records
I will cut to the chase: the most alarming provision which directly affects internet users is the “Internet Connection Records” proposal. (For telecommunications providers — and that term is defined as open-endedly as possible — there is a dizzying array of nasties in this bill, which of course will indirectly affect internet users.)
The proposal is that the domain names you visit shall be recorded (so your visit to devever.net would be recorded, but not the fact that you specifically accessed devever.net/~hl/investigatorypowers, this page). Initially I assumed the idea was that when the authorities know about a particular person and an internet connection in their name, they can obtain a list of domains visited within the past year. This is disturbing, unacceptable and not adequately justified, but it gets worse.
It was only later that I realised that this could cut both ways: such information could be used not just to obtain a list of the domains visited by a given person, but of all people who have visited a given website. This bill has confirmed this fear; it explicitly states the expectation that the state will be able to query this dataset in both “directions”.
In justification of this power the government has articulated a case whereby people accessing a child abuse imagery website cannot be readily identified. I am going to assume this is because after the seizure of the server it was found not to keep logs with IP addresses, or because the server is beyond the reach of the UK jurisdiction. The UK government, then, essentially states that they would like to be able to effortlessly obtain a list of who has accessed this site.
In other words, the government has explicitly stated that it intends to arrest people for visiting given websites. Regardless of how compelling the “child abuse imagery” angle is, this is an extremely alarming power to be granting to the government. (It also raises the substantial question of how false alarms will be identified. A malicious entity could easily trick a person's web browser — via malicious code delivered by web advertising, for example — into silently making a request to a child abuse imagery website. These people would have their life turned upside down and their reputation destroyed as a result of appearing to have visited such a website. Even if they are eventually exonerated, the damage to their reputation and life will be permanent in the form of the period of disruption it caused, and the allegation of paedophilia may not fade socially even in the face of a full acquittal.)
Ironically, the fact that the government does not intend to require retention of the paths under a given domain a person accessed may actually work against the innocent, because it provides no way to distinguish between a person who has completely accidentally stumbled upon an illegal website and an intentional user who quite clearly and deliberately explores the site to its fullest depths.
It is not speculative that someone's browser could be led to connect to such a website surreptitiously, or that someone could maliciously trick someone into visiting such a website. There have, in the past, been cases where people have been found to have planted child abuse imagery on other people's computers to frame them for possession of it. Of course, we only know of these cases because they represent the circumstance where the police realise something is not quite right with the allegations. Thus, we have no way of knowing how many people have been successfully so framed, or the rate of occurrence.
This doesn't even begin to get into the issues this will cause to people who operate Tor exit nodes or web crawlers.
By the way, did I mention that this information can be obtained without a warrant? And may be held in a central government database under the euphemism of a “Request Filter”?
The desire for “Internet Connection Records” also represents a severe imposition on ISPs, who currently have no business or technical reason to collect this data. This is a substantial move beyond the existing imposition of the state, whereby ISPs were essentially required to retain data they already had to collect anyway. The precedent of itemised phone bills is used to justify this imposition, but this just proves the point, as phone companies collected that data anyway as it reflected how they wanted to bill people. The internet is essentially being penalised for having a billing model that doesn't happen to necessitate the collection of information that a previous, increasingly obsolete network needs to collect due to its expensive circuit-switched architecture.
It should also be noted that other countries, including other members of the Five Eyes, who seem usually happy to adopt very similar surveillance impositions as their partner nations, such as Australia, have concluded that “Internet Connection Records” are simply too invasive, and prohibited their collection outright. Other European countries and the US have also decided against their use.
(The provisions requiring and enabling the collection of “Internet Connection Records” appear to be 71(9)f and also 193(6)a, as well as the wording of 71(8)b, for those who wish to quote the specific article in any correspondence with their representatives. You can write to your MP online quite effortlessly; remember to always use your own words and do not use copied and pasted prepared statements, as these will be ignored. Consider that the government's slim majority in the Commons, and the recent rebelliousness of the Lords may make challenge to this bill more feasible than might otherwise be the case.)
In order to enable the collection of this information, the government is redefining the meaning of the term “metadata” to a definition that an ISP would not naturally use. This demonstrates that the metadata/content distinction is essentially meaningless as the government will twist and redefine the definition of “metadata”, and narrow the definition of “content”, as much as it pleases to enable its desired ends.
Owning up
Much of the bill appears designed to essentially own up to the practices which the security and intelligence services have been engaging in already. This at least is a first step to putting it on an explicit statutory footing, rather than secret interpretations of old, vague, open-ended laws (RIPA), which is probably welcome. Of course, the fact that the bill is simply more honest about what is done is not to say that those practices are justifiable.
The security and intelligence services are, perversely, still denying that they engage in mass surveillance, despite the direct evidence to the contrary. As far as I can tell, these people think that it's okay to collect this information, so long as they don't look at most of it.
I don't know about you, but if I were a customer of TalkTalk in the wake of its recent hacking, it wouldn't be of particular comfort to me if the hackers stated they didn't intend to actually look at the data.
When they do want to look at the information they've collected, they seem to take the view that a warrant is only required if the information concerns people or activities inside the UK. When conducted on the rest of the world, a warrant so broad as to be meaningless can be applied — such an instrument is not even really deserving of the term “warrant”. The premise seems to be that mass surveillance is okay when conducted on the entire rest of the world rather than the UK — perversely, a category that includes their presumably trusted Five Eyes partners.
Here's a list of the different types of warrant the bill creates, as well as other instruments the state may wield:
- Targeted powers
- Targeted Interception Warrants
- Targeted Equipment Interference Warrants
- Mutual Assistance Warrants
- Bulk powers
- Bulk Interception Warrants
- Targeted Examination Warrants
- Bulk Acquisition Warrants
- Bulk Equipment Interference Warrants
- Bulk Personal Dataset Warrants
- “Ensuring that ISPs operate as we want them to” powers
- (Data) Retention Notices
- National Security Notices
- Technical Capability Notices
Interestingly, Bulk Interception Warrants are constrained to overseas communications. Hold on, let me give you a table for the warrants:
Warrant | Geographic restrictions | Subject data | Coercee | US Analogue
---|---|---|---|---
Targeted Interception Warrants | Worldwide | Full-take traffic feed | Telco | CALEA?
Bulk Interception Warrants | Overseas only | Full-take traffic feed | Telco | FISA
(Targeted) Mutual Assistance Warrants¹ | Worldwide | Full-take traffic feed | Foreign jurisdiction (ultimately telco) | —
Targeted Examination Warrants | — | See note⁴ | — | —
Targeted Equipment Interference Warrants | Worldwide | Hacking, specifically for obtaining data | N/A | —
Bulk Equipment Interference Warrants | Targeting overseas³ | Hacking, specifically for obtaining data | N/A | —
Bulk Acquisition Warrants | “Relating to” overseas only | Communications data, to be provided on request | Telco | See note²
Bulk Personal Dataset Warrants | Worldwide | “Bulk Personal Datasets” | Coercee or mode of acquisition unclear, but warrant needed for use of already held data | —

¹ Mutual Assistance Warrants don't really authorize anything in themselves; they appear to be an authorization the UK grants itself to be allowed to ask other countries to intercept traffic for it.
² The US has PATRIOT s. 215 and the National Security Letters power, but those aren't restricted to overseas use.
³ But this doesn't seem to mean that domestic equipment can't be targeted in furtherance of this end (see 119(4)).
⁴ The sole purpose of Targeted Examination Warrants appears to be to authorize the security and intelligence services to examine subsets of information which they have previously collected via Bulk Interception Warrants which appear to relate to persons inside the British Isles.
Interestingly, these powers actually align somewhat with what appears to be the operational framework of organisations like GCHQ: collect everything travelling on submarine cables or other international vessels (covered by Bulk Interception Warrants); do not “wittingly” collect information on people in the British Isles via this method, but if you do, you can still use it if you get a “Targeted Examination Warrant” when you do want to use such information.
Do not assume that the targets of hacking will be guilty parties. The intelligence agencies have demonstrated, via their targeting of system administrators as a stepping stone, that they see no issue with hacking innocent bystanders to achieve their ends.
Section 101 provides that telecommunications providers (i.e. third parties) may be obliged to assist with implementation of equipment interference. In other words, the state can force any third party to help it hack into anything. Thus, “equipment interference” covers not just the state bothering to hack things itself; it also covers simply obtaining warrants authorizing equipment interference, then making other parties implement them.
It should be noted that this bill only regulates hacking by security and intelligence services to the extent that it is for the purpose of obtaining data. Hacking for other purposes is still governed by the Intelligence Services Act 1994, as the bill explicitly states.
Judicial Accountability?
The bill makes a big show of requiring a “Judicial Commissioner” to sign off on all warrants, except in emergencies, where the signoff can be deferred; in that case, if, when the commissioner reviews the warrant, he decides not to issue it, he may order any data already collected destroyed. The emergency protocol seems reasonable. Of more concern is who these “Judicial Commissioners” are.
The Judicial Commissioners are headed by the Investigatory Powers Commissioner, essentially the chief Judicial Commissioner. All Judicial Commissioners are appointed by the Prime Minister.
The prerequisite for being appointed as a Judicial Commissioner is that “[...] the person holds or has held a high judicial office (within the meaning of Part 3 of the Constitutional Reform Act 2005)” (meaning the Supreme Court or one of the High Courts or Courts of Appeal, or the Court of Session).
It seems quite likely, then, that the Judicial Commissioners will be less judges and more ex-judges. They are political appointees of the government.
Training Warrants
Perhaps the power in the bill which most demonstrates how unseriously these powers are taken is the apparent issue of warrants for training purposes (yes really, this is not a joke). See 23(6) and 23(7). It appears that warrants may be issued permitting the use of interception technology for the purposes of testing that technology or training personnel in the use of the technology. There appear to be similar provisions for hacking — er, “equipment interference”.
This really demonstrates how fundamentally broken the bill's idea of a “warrant” is. A warrant is supposed to be something specific in terms of what it targets and based on a specific and particular suspicion. It is hard to see how a bulk interception “warrant” can relate to any specific instance of suspicion. The fact that data collected under a bulk interception “warrant” must be further endorsed by a targeted examination warrant if it turns out to relate to someone in the UK only goes to demonstrate that the bulk interception “warrant” really... isn't. If the bulk interception power constitutes a warrant, then why is another warrant needed in case it turns out to relate to a UK person? The demand for another warrant demonstrates the lack of any real faith in the integrity or meaning of bulk interception warrants.
This observation aside, the issuance of training warrants demonstrates how casually the idea of interception warrants is taken. The “judicial accountability” claimed will only serve to replicate the US's FISA-style rubberstamp.
Controlling how ISPs operate
I now turn to the notices which the Secretary of State may serve on telecoms providers (and remember, this bill defines telecommunications provider as open-endedly as can be imagined).
Firstly, there are Data Retention Notices. These are fairly straightforward; they require a telecoms provider to keep information, just as the Data Retention and Investigatory Powers Act 2014 and before that the Data Retention Directive 2009 did. Of course, the insidious element is the radical redefinition of “metadata” and “content” so that the web domains visited must be logged, as explained above.
National security notices sound like something taken directly from the US playbook, though their shape and purpose is not necessarily the same. I will show the whole text of the section here, as it is not long and it is all relevant:
- (1) The Secretary of State may give any telecommunications operator in the United Kingdom a notice (“a national security notice”) requiring the operator to take such steps as the Secretary of State considers necessary in the interests of national security.
- (2) The Secretary of State may give a national security notice only if the Secretary of State considers that the conduct required by the notice is proportionate to what is sought to be achieved by that conduct.
- (3) A national security notice may, in particular, require the operator to whom it is given—
  - (a) to carry out any conduct, including the provision of services or facilities, for the purpose of—
    - (i) facilitating anything done by an intelligence service under any enactment other than this Act, or
    - (ii) dealing with an emergency (within the meaning of Part 1 of the Civil Contingencies Act 2004);
  - (b) to provide services or facilities for the purpose of assisting an intelligence service to carry out its functions more securely or more effectively.
- (4) But a national security notice may not require the taking of any steps the main purpose of which is to do something for which a warrant or authorisation is required under this Act.
- (5) Sections 190 and 191 contain further provision about national security notices.
(Bland requirements for “proportionality” are omnipresent throughout the bill. These are apparently incorporated as a technocratic attempt to satisfy the requirements of the European Convention on Human Rights.)
Notice how subsection (3) appears to merely list possibilities and does not appear to limit the power of the provision. This makes the power remarkably general, essentially an arbitrary executive authority in matters of surveillance.
Technical capability notices are perhaps the most interesting and concerning of the three notice-issuing powers the bill affords the Secretary of State, if only because they give more of a hint as to how they will be used. The power seems to be described in almost deliberately vague terms, probably to politically obfuscate its relation to the coerced defeat of encryption technologies: “obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data”. This is almost certainly referring to the use of encryption, and essentially means that no UK telecommunications operator can be trusted to provide any encryption technology, unless it proves (and does not merely claim) that it has no ability to decrypt; but then, this capability suggests that no entity would be capable of offering such a product in the UK anyway.
Both national security notices and technical capability notices require the Secretary of State to “consult” the persons who will be given the notice beforehand. The notices come with the right to review by referring the notice back to the Secretary of State; the bill seems to expect that this will be done where some measure is not technically feasible or is cost prohibitive. On careful inspection, it appears that such a referral can be made only once per notice.
(Update:) It turns out, however, that neither national security notices nor technical capability notices are new in this bill. As pointed out in the scl.org review, the Telecommunications Act 1984 s. 94 provided a similar capability to national security notices, while the Regulation of Investigatory Powers Act s. 12 provides for technical capability notices, as amended by regulations. This suggests that the inclusion of these powers into the bill does not indicate an immediate and significant power grab, which makes their inclusion somewhat less alarming. Rather, these powers fall into the ever-enlarging category of powers which are extremely open-ended and rely only on the good intentions of the Secretary of State for them not to be wielded in an unduly burdensome or concerning fashion.
If an ISP doesn't take a technical capability notice seriously, it could come back to bite them. Firstly, of course, technical capability notices are enforceable in themselves, specifically by civil proceedings. But 31(6) states that for the purposes of complying with warrants, compliance by a telecoms provider is deemed reasonably practicable if compliance would have been reasonably practicable if it had complied with all obligations imposed by technical capability notices. This is important as it is the lack of reasonable practicability that allows a telecoms operator to avoid complying with a warrant. This leads to the quite Kafkaesque situation in which a telecoms operator may be prosecuted for failing to comply with a warrant that was reasonably practicable for them to comply with, even when it wasn't — because the law specially defines “reasonably practicable” so that compliance may be deemed “reasonably practicable” even when it isn't (because it might have been).
Warrant Canaries
Interestingly, one provision of the bill appears to explicitly authorize the use of a (general) warrant canary in which an organization specifies how many warrants they have received. Or does it?
“[...] is made by a [...] telecommunications operator in accordance with a direction given by the Secretary of State, and relates to the number of warrants given under Chapter 1 to which the operator has given effect or has been involved in giving effect.”
It is unclear whether this is intended to allow ISPs to publish this information, or allow the Secretary of State to control or restrain them from doing so — it could cut either way. Either way, the existence of this clause implies that the state thinks its power to impose non-disclosure in relation to each warrant empowers it to in some way regulate the making of statements with regard to the number of warrants imposed, or even if there have been any warrants so imposed. The clause also does not provide for warrants which have been issued but which have not yet taken effect.
Any ISP which wishes to operate a canary which at least informs the public as to whether they have received any such warrants might do well to immediately make a statement such as “We will always state whether we have facilitated any warrants under the Investigatory Powers Act or any other surveillance, intelligence or security bill unless we are legally prevented from doing so.” This will at least allow the public to be notified of the initial use of these powers in relation to a specific organisation if the Secretary of State's regulations in terms of the release of transparency reports do not turn out to be as pleasant as the above clause might be trying to make it appear.
It also appears that the explicit provision for transparency reports above does not extend to all types of warrant provided for by the bill, as the above clause is not duplicated into the secrecy provisions for some of the warrants and notices which may be issued; for example, 190(8).
In fact, 190(8) seems to prohibit telling anyone about such a notice even where such communication would be necessary to implementation of it. How can you implement such a notice if you can't tell your employees? For that matter, a notice may be delivered to a person which is an organization, which means that nobody is allowed to know about the notice, not even a director. 190(8) is also unusual as many other places in the bill which require secrecy provide for a defence where disclosure was authorized by the state, but 190(8) does not. This raises the question of whether a telecommunications operator receiving a technical capability notice or national security notice may legitimately refuse to comply with it on the grounds that compliance would require it to violate 190(8); but by doing so, they violate 190(9) (requirement to comply). But such a notice may be referred back to the Secretary of State, so an operator could presumably refer a notice back on the grounds that clause 190(8) makes it impossible to comply with any such notice.
This power of secrecy appears to be new, and not something carried over from RIPA or its amending regulations.
Curiously, there does not appear to be any sort of penalty prescribed for violation of 190(8).
Reach
It should be noted that while the notice powers in this bill are assumed to be intended for ISPs, nothing in the bill precludes their use with transit providers, or indeed with last-mile infrastructure providers (i.e. BT Openreach). Thus any transparency reports issued by ISPs in this regard may be essentially meaningless.
The first and most obvious hole in the bill is its inevitable inability to command the actions of those entities outside the United Kingdom, especially with no assets or operations conducted inside the United Kingdom that may be seized by the government. Even the explanatory notes to the bill admit that compliance with notices served on overseas entities is ultimately optional.
The bill does have some provision for serving notices upon overseas entities, which is interesting. I would guess that this is intended to offer something to organizations which feel they can only safely comply with such requests for data if they have some sort of nominally authoritative piece of paper, regardless of whether they are technically bound by the relevant jurisdiction. But I may be wrong.
Much of the bill only applies to operators to which a notice or warrant has been issued, which means that the bill is inapplicable in pragmatic terms to any entity which manages to avoid becoming subject to such a notice, for example by simply being small enough as a service provider not to have drawn attention to themselves; or by not advertising their services to the public, but only providing them to those invited by an existing customer; or by obfuscating the relationship of data which a government might ordinarily use to infer the existence of an ISP (e.g. RIR IP address range records) to the ISP (for example, transferring IP address ranges to an out-of-country holding company).
However, the bill is not toothless in this regard; it may, instead of specifying a specific operator to which it applies, specify a “description of operators” to which it applies; further, the actual requirement that an affected operator be notified may be satisfied merely by giving or publishing it (71(6)).
Operational Climate: Tor
It really does remain to be seen, under this legislative climate, for how long the UK government will tolerate the continued use of Tor within the United Kingdom or operation of relay or exit nodes within the United Kingdom. The degree of hostility to anything not monitorable in the bill means, if anything, it would be quite plausible for them to use the open-ended notice-giving powers to essentially render at least Tor relay and exit nodes inoperable. This is assuming that Tor relay and exit nodes would choose to cease operating rather than adapt the Tor software (no doubt at considerable cost) to comply with a technical capability notice. Such compliance would be likely to pose a threat to the integrity of the Tor network and the security of its users.
Recording of telephone calls
An interception is deemed authorized if both the sender and intended recipient of a communication have given consent for such interception. Does this prohibit the recording of telephone calls where only one party consents? I think not, because it presumably isn't interception — it's one legitimate, intended party to a call deciding on its own terms what to do with the data it sends and receives.
Were this bill to obstruct such recording, this would be a blow to people who exercise their right to record telephone calls to obtain evidence against e.g. scam callers and persons violating cold calling laws.
Filtering Arrangements
There seems to be a hope on behalf of the government that some sort of filtering system will be developed whereby communications data can be pooled for centralized access by the government, filtered by what is allowed to be accessed by any given requester. The bill is most vague on these matters, even more so than usual. scl.org has one possible interpretation in their own take on the Investigatory Powers Bill.
Legal Challenges
It seems almost inevitable that this bill, if passed, will be challenged under the same ECHR rights under which the Data Retention Directive 2009 was invalidated. It is difficult to see how, given the fact that the retention requirements under this bill are far in excess of anything the Data Retention Directive proposed, it (or at least the data retention provisions) could survive such a challenge.
That said, it would be unwise to presume that such an invalidation will be forthcoming and thereby neglect to appropriately protest the most objectionable features of this bill, such as the 'Internet Connection Records' provision.
Error Reporting
The bill grants the Investigatory Powers Commissioner (remember, someone appointed by the Prime Minister) the power to inform a person where errors “caused significant prejudice or harm to the person concerned.” However it also clarifies that “the fact that there has been a breach of a person's [European] Convention [on Human Rights] rights [...] is not sufficient by itself for an error to be a serious error.”
Trustworthiness of any Telecommunications Provider
Any telecommunications provider with “skin” in the UK jurisdiction would be essentially by definition untrustworthy under this bill. By this I do not refer to the fact that they would engage in interception in targeted cases, which may be eminently reasonable.
Rather, by virtue of technical capability notices, and the duty to assist in implementation of equipment interference warrants, any telecommunications provider can be essentially commandeered into compromising the security of any communications system it operates or creates.
In this regard, under the climate created by this bill, all British entities must be regarded as untrustworthy not just for the retention of cryptographic secrets (already the case under RIPA's key disclosure provisions), but for the manufacture of cryptographic systems, as they are not guaranteed the freedom to distribute such software unmolested, in the form they would wish. This merely enhances an already patently necessary preference for open source implementations, especially with reproducible builds where binaries are provided.
It should be noted once again that the term “telecommunications provider” is defined very widely and it may be prudent simply to assume it to mean “any entity” unless otherwise very carefully established.
Code Quality
Were this bill a computer program (and it reads like one), it would be considered badly written, with large amounts of refactoring work sorely needed. In many cases text appears to have been simply copy and pasted with words changed to cover different cases. In some of these cases the text has been further fleshed out, but in other very similar cases in neighbouring sections they are not. (The inconsistency between the disclosure prohibitions and their exceptions specified for warrants and specified for technical capability notices is one such example of this.) This leads to a high degree of inconsistency and is likely indicative of a high degree of bugginess. I give this program one star out of ten.
See also: Literary Merit of the Investigatory Powers Bill
External links: scl.org's take on the bill; RevK's take on the bill (Part 1, Part 2, Part 3, Part 4)
Other coverage: Ars