The new IP Bill…. first thoughts…

This morning, in advance of the new draft of the Investigatory Powers Bill being released, I asked six questions:

At a first glance, they seem to have got about 2 out of 6, which is perhaps better than I suspected, but  not as good as I hoped.

1. On encryption, I fear they’ve failed again – or if anything made things worse. The government claims to have clarified things in S217 and indeed in the Codes of Practice – but on a first reading this seems unconvincing. The Communications Data Draft Code of Practice section on ‘Maintenance of a Technical Capability’ relies on the idea of ‘reasonability’ which in itself is distinctly vague. No real clarification here – and still the possibility of ordering back-doors via a ‘Technical Capability Notice’ looms very large. (0 out of 1)
2. Bulk Equipment Interference remains in the Act – large scale hacking ‘legitimised’ despite the recommendation from the usually ‘authority-friendly’ Intelligence and Security Committee that it be dropped from the Bill. (0 out of 2)
3. A review clause has been added to the Bill – but it is so anaemic as to be scarcely worth its place. S222 of the new draft says that the Secretary of State must prepare a report by the end of the sixth year after the Bill is passed, publish it and lay it before parliament. This is not a sunset clause, and the report prepared is not required to be independent or undertaken by a review body, just by the Secretary of State. It’s a review clause without any claws, so worth only 1/4 a point. (1/4 out of 3)
4. At first read-through, the ‘double-lock’ does not appear to have been notably changed, but the ‘urgent’ clause has seemingly been tightened a little, from 5 days to 3, but even that isn’t entirely clear. I’d give this 1/4 of a point (so that’s 1/2 out of 4)
5. The Codes of Practice were indeed published with the bill (and are accessible here) which is something for which the Home Office should be applauded (so that’s 1 and 1/2 out of 5)
6. As for giving full time for scrutiny of the Bill, the jury is still out – the rumour is second reading today, which still looks like undue haste, so the best I can give them is 1/2 a point – making it a total of 2 out of 6 on my immediate questions.

That’s not quite as bad as I feared – but it’s not as good as it might have been and should have been. Overall, it looks as though the substance of the bill is largely unchanged – which is very disappointing given the depth and breadth of the criticism levelled at it by the three parliamentary committees that examined it. The Home Office may be claiming to have made ‘most’ of the changes asked for – but the changes they have made seem to have been the small, ‘easy’ changes rather than the more important substantial ones.

Those still remain. The critical issue of encryption has been further obfuscated, the most intrusive powers – the Bulk Powers and the ICRs – remain effectively untouched, as do the most controversial ‘equipment interference’ powers. The devil may well be in the detail, though, and that takes time and careful study – there are people far more able and expert than me poring over the various documents as I type, and a great deal more will come out of that study. Time will tell – if we are given that time.

 

Happy Christmas from the IP Bill – part 3

Happy Christmas from the Investigatory Powers Bill – Part 3

A ‘mature debate’ on surveillance? Yes please!

Andrew Parker, the head of MI5, has said in a speech that he is hoping for a ‘mature debate’ on what he calls ‘intercepting communications data’ rather than surveillance: I’m sure that most people working in the area would very much welcome such a call. I know that I do. Mature debate is exactly what is needed. The question that immediately springs to mind is whether what Andrew Parker means by ‘mature debate’ is the same as what I would understand by the words. The record of the intelligence and security services and the government in relation to such a debate is not a very convincing one: it has been those who challenge surveillance powers who have shown more desire and willingness to debate than the services and their masters in government.

To suggest otherwise – indeed to hint that those challenging them have behaved like petulant, hyperbolic children – flies in the face of the experience of the last few years. There has been hype on both sides, of course – I can see why Parker and others dislike the term ‘Snoopers’ Charter’, for example – but on the other side the claims have been equally lurid and offensive: the suggestions by Theresa May and others that privacy advocates have ‘blood on their hands’ for opposing new powers have been regular and repellent. The record of seeking debate, however, has been distinctly one-sided. Back in 2012, when the coalition government first put forward the Communications Data Bill – dubbed by its ‘hyperbolic’ opponents the Snoopers’ Charter – the intention was to push it through without any real debate at all. Indeed, the hints were that it would be passed in a matter of weeks before the London Olympics. It took a lot of pressure to force the bill into proper scrutiny, and a special Joint Parliamentary Committee was eventually formed to examine it. Debate was very much sought by those interested in interception and surveillance powers: over 600 pages of written evidence was submitted to the committee from more than 100 witnesses (including myself). So yes, we want mature debate, whenever we get the chance.

That first batch of ‘mature debate’ did not get the results that the proponents of the Communications Data Bill wanted: the report of the Joint Parliamentary Committee was highly critical, and after the intervention of the then Deputy Prime Minister, Nick Clegg, the bill was dropped, with a promise of further debate and a new Bill to scrutinise. That new Bill, however, never materialised (though I understand that it was drafted) and neither did the promised further debate. Again, it was not those who challenged surveillance and interception that were avoiding the debate. Very much the opposite: we wanted more information and more debate, and our questions were largely fobbed off.

That debate, however, began to happen even without the participation of the intelligence and security services, when in June 2013 Edward Snowden dropped his bombshell on the whole business. The debate that followed might not have been mature at all times, but it was a debate – despite the efforts of the intelligence and security services, not because of those efforts. Indeed, most of the efforts seemed to be to shut down the debate, to shut Edward Snowden up, along with those in the media who worked with him, arresting them at airports, smashing their hard drives and so forth. Keith Vaz questioning whether Guardian Editor Alan Rusbridger ‘loved his country’ was a particularly mature part of this debate. All this was accompanied by yet more mature suggestions about opponents of surveillance having blood on their hands. The maturity level was immense.

Then, when the mature debate actually began – the three big inquiries, from the Intelligence and Security Committee, the Independent Reviewer of Terrorism Legislation and the Royal United Services Institute – along came the next attempt to shut down that debate: DRIP. The shabby process through which the Data Retention and Investigatory Powers Act was rushed through parliament in a matter of days without any opportunity for public debate and only a few brief hours of parliamentary debate – in a mostly empty chamber with MPs preoccupied with preparations for the forthcoming election – was about as far from opening up to mature debate as could be imagined. Barely a debate at all, let alone a mature one.

Even after that, there was a further attempt to force through legislation without debate – four members of the House of Lords, all associated in the past with the security side of government, tacked on pretty much the entire, rejected Communications Data Bill to the back of another bill, very late in the parliamentary process, to try to sneak in those powers once more without debate.

So, Andrew Parker, let’s have this mature debate. Please. As soon and as deeply as we can. But don’t pretend that you’ve been seeking it all along, or that those who are challenging you have wanted anything else.  What is more, let’s make sure it is a mature debate, and not the sort of ‘debate’ that happens when one side has all the power and has predetermined the result, like a parent telling a three-year-old what the rules are for their behaviour. A mature debate must leave a chance for different results. In this case in particular, mature debate does not mean a Brian Clough style discussion where you tell us your opinion, we tell you your opinion, and we agree that you are right. There has to be a possibility – and you have to be open to this possibility – that the powers of the intelligence and security services are in practice (as well as in law) curtailed. If there is no possibility of change, the debate – mature or immature – is meaningless.

Are you ready for this kind of debate? I hope so. Let’s have it as soon as we can.

GCHQ: I’m not charmed yet….

A little over a week ago, GCHQ gave us a show. A giant poppy, part of the 2014 Armistice Day appeal. It was spectacular – and, for me at least, more than a little creepy.

The poppy display seems to have been part of something bigger: the term that immediately sprang to mind was ‘charm offensive’. GCHQ has, over the last year or so, been trying to charm us into seeing them as purely positive, despite the revelations of Edward Snowden. They’re trying to appear less secretive, more something to be admired and supported than something to be concerned about and made accountable. The poppy was an open symbol of that. Look at us, GCHQ seemed to be saying, we’re patriotic, positive, part of what makes this country great. Support us, don’t be worried about it. Love us.

I assume that the speech by Robert Hannigan, the new Director of GCHQ, was intended to be part of that charm offensive. For me, however, it had precisely the opposite effect. The full speech was published in the FT here – but I wanted to pick out a few points.

Privacy an absolute right?

The first, which made the headlines in the Guardian and elsewhere, is Hannigan’s statement that ‘privacy is not an absolute right’. He’s right – but we all know that, even the staunchest of privacy advocates. Privacy is a right held in balance with other rights and needs – with freedom of expression, for example, when looking at press intrusions, with the duty of governments to provide security and so forth. That’s explicitly recognised in all the relevant human rights documents – in Article 8 of the European Convention of Human Rights, for example, it says of the right to a private life that:

“There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”

So we already know that privacy is not an absolute right – so why is Hannigan making the point? It’s hard to see this as anything but disingenuous – almost as though he wants to imply that foolish privacy advocates want to help terrorists by demanding absolute privacy. We don’t. Absolutely we don’t. What we want is to have an appropriate balance, for the interference in our privacy to be lawful, proportionate and accountable. At the moment, it’s not at all clear that any of that is true – there are legal challenges to the surveillance, deep doubts as to its proportionality and little evidence that those undertaking the surveillance are properly accountable. On the accountability front, it’s interesting that he should make such a speech at a time when the Intelligence and Security Committee of Parliament, are undertaking a consultation – it made me wonder whether he’s trying to steer the committee in a particular direction.

Facebook – a tool for terrorists?

The other headline from the speech is the way Hannigan seems to be attacking Facebook and others for being too helpful to terrorists – which is an interesting reverse from the more commonly held view that they’re too helpful to the authorities. The argument seems to go that the ‘old’ forms of terrorists, exemplified by Al Qaeda, use the ‘dark web’, while the ‘new’ forms of terrorists, exemplified by IS, are using the social media – Facebook, Twitter and so forth. It’s an interesting point – and I’m sure there’s something in it. There’s no doubt that ‘bad guys’ do use what’s loosely called the dark web – and the social media activities of ‘bad guys’ all around the world are out there for all to see. Indeed, that’s the point – their visibility is the point. However, on the face of it, neither of those ‘facts’ support the need for the authorities to have better, more direct access to Facebook and so forth. Neither, on the face of it, is any justification for the kinds of mass data gathering and surveillance that seem to be going on – and that GCHQ and others seem to be asking us to approve.

By its very nature, the ‘dark web’ is not susceptible to mass surveillance and data gathering – so requires a more intelligent, targeted approach, something which privacy advocates would and do have no objection to. Social media – and Facebook in particular – don’t need mass surveillance either. To a great extent Facebook is mass surveillance. All that information is out there – that’s the point. It’s available for analysis, for aggregation, for pretty much whatever the authorities want it. And if Hannigan imagines that the secret activities of IS and others are undertaken on Facebook he’s more naive than I could imagine anyone in the intelligence services could be – they can’t have chosen to use Facebook and Twitter instead of using the dark web, but in addition to it. The secret stuff is still secret. The stuff on Facebook and Twitter is out there for all to see.

What’s more, there are already legal ways to access those bits of Facebook and Twitter than are not public – which is why the authorities already request that data on a massive scale.

Charming – or disarming?

Hannigan must know all of this – so why is he saying it? Does he think that the charm offensive has already worked, and that the giant GCHQ poppy has convinced us all that they’re wonderful, patriotic and entirely trustworthy? They may well be – I’m no conspiracy theorist, and suspect that they’re acting in good faith. That, however, is not the point. Trust isn’t enough here. We need accountability, we need transparency, we need honesty. Checks and balances. Not just charm.