Whittingdale – missing privacy points.

A lot has been written about the current ‘scandal’ concerning John Whittingdale, the Culture Secretary, and his relationship with a woman described as a sex worker. Many questions have been asked – not least why the press didn’t publish the story until effectively forced into it by a combination of online media, social media, and the pressure group Hacked Off. Was the story suppressed as a result of some secret deal? Was it being held over Whittingdale’s head to stop him from bringing forward stronger regulation of the press? Was it being used as leverage by Murdoch and others? As the Labour’s shadow cabinet minister Chris Bryant put it, “It seems the press were quite deliberately holding a sword of Damocles over John Whittingdale.”

However interesting these questions and the answers to them might be, they rather miss some key privacy points – and indeed the point of privacy, and the problems with the way that the press operates. The focus has been on John Whittingdale as a politician, and on the woman concerned as a sex worker.Both of them, however, are people. Human beings. Not just a politician and a sex worker. And people need and deserve privacy.

In relation to the press, the focus has been on whether or not they publish the story – but the publication is only the last part of the process, and far from the only important part of the process. Privacy is not just invaded when a story about someone’s private life is published, it is invaded through the process that the story is obtained – and in this case, that part of the invasion of privacy had a significant impact. It was the press, in practice, who broke up the relationship. They dug into Whittingdale’s private life, found out who he was in a relationship with, and then told him. By Whittingdale’s own account, when he discovered what her profession was, he broke off the relationship.

We need to think about that a little. The press invaded the privacy of two individuals who were not doing anything illegal, and broke up their relationship. Consenting adults, in a relationship, had that relationship broken up.

Does the fact that the woman involved was a sex worker mean that’s OK? Are sex workers not allowed to have private lives? To have relationships? To have any rights at all?

The press should not be getting up on their high horse and complaining that they’re being attacked for doing exactly what Leveson etc told them they should do by not publishing the story – because their actions in obtaining the story were deeply damaging in the first place.

Hacked Off, however, should also not be proud of their own actions in forcing this story out into the public domain – and certainly not without considering, and considering very seriously, the rights of both John Whittingdale and the woman concerned. The latter seems to have been treated as just a prop in a big political story, by almost everyone. That really should not be acceptable.

UPDATE AND AMENDMENT (3 May 2016)

Evan Harris of Hacked Off has replied to my piece – his full comment is below. This is the substantial part of his response:


“It is totally incorrect for you say – without any source – to say that “the press was “effectively forced into” publishing the story “by a combination of online media, social media, and the pressure group Hacked Off.” This was an assertion made by the Daily Mail, the Times, the Telegraph and the Sun but with never a shred of evidence to back it up.

It seems the allegations had been on twitter for several months and Hacked Off never tweeted about it nor re-tweeted any of those tweets. The story (and allegations of the press withholding publication for political not ethical reasons ) was then published on Byline.com on 1st April. There was no comment, tweet or link from Hacked Off. On 10th April, Jim Cusick, a senior broadsheet journalist, then published a more detailed story – with sources for the allegations of political motivations for non-publication – on Byline.com and Open Democracy. Hacked Off published a blog-post that evening commenting on the allegations of a “cover-up”, but which did not repeat the personal matters.

Our next public comments only occurred after publication of the same allegations of political reasons behind press non-publication by Private Eye and Newsnight. It was Private Eye and the BBC that either embarrassed the newspapers into publication or legitimised their doing so, with the Mail on Sunday producing a 2 page spread with new personal life allegations (mostly with little public interest justification of itself)

I am surprised that you repeat attacks on us made by the press without providing (or even linking to) any justification. For the readers of your excellent blog here is our approach http://www.pressgazette.co.uk/content/hacked-why-we-are-not-hypocrites-over-stance-john-whittingdales-privacy.”


I would like to confirm that I agree with most of what Evan says – and that my suggestion of the press being ‘effectively forced into publishing the story’ was really about Byline and the social media, not about Hacked Off, and that Hacked Off did not repeat or mention the personal issues and private matters.

I remain concerned, however, that the privacy of the woman concerned has been treated – not by Hacked Off directly – as collateral damage, and that her position has been largely ignored, making the story only about Whittingdale. Again, I do not mean this to be about Hacked Off, and can see all too well how certain elements of the press have tried to use this as yet another tool to try to undermine Hacked Off as an organisation.

I would also like to add that as the Hillsborough verdict has emphasised, the position of the press in our society remains one that needs close and careful consideration, and that Hacked Off have played and continue to play a key part in debate over press ethics and press activities. Personally, I think that ‘Leveson 2’, examining the relationship between the press and the police, really needs to happen and happen soon.

3 May 2016

Panama, privacy and power…

David Cameron’s first reaction to the questions about his family’s involvement with the Mossack Fonseca leaks was that it was a ‘private matter’ – something that was greeted with a chorus of disapproval from his political opponents and large sections of both the social and ‘traditional’ media. Privacy scholars and advocates, however, were somewhat muted – and quite rightly, because there are complex issues surrounding privacy here, issues that should at the very least make us pause and think. Privacy, in the view of many people, is a human right. It is included in one form or another in all the major human rights declarations and conventions. This, for example, is Article 8 of the European Convention on Human Rights:

“Everyone has the right to respect for his private and family life, his home and his correspondence.”

Everyone. Not just the people we like. Indeed, the test of your commitment to human rights is how you apply them to those who you don’t like, not how you apply them to those that you do. It is easy to grant rights to your friends and allies, harder to grant them to your enemies or those you dislike. We see how many of those who shout loudly about freedom of speech when their own speech is threatened are all too ready to try to shut out their enemies: censorship of extremist speech is considered part of the key response to terrorism in the UK, for example. Those of us on the left of politics, therefore, should be very wary of overriding our principles when the likes of David Cameron and George Osborne are concerned. Even Cameron and Osborne have the right to privacy, we should be very clear about that. We can highlight the hypocrisy of their attempts to implement mass surveillance through the Investigatory Powers Bill whilst claiming privacy for themselves, but we should not deny them privacy itself without a very good cause indeed.

Privacy for the powerful?

And yet that is not the whole story. Rights, and human rights in particular, are most important when used by the weak to protect themselves from the powerful.The powerful generally have other ways to protect themselves. Privacy in particular has at times been given a very bad name because it has been used by the powerful to shield themselves from scrutiny. A stream of philandering footballers have tried to use privacy law to prevent their affairs becoming public – Ryan Giggs, Rio Ferdinand and John Terry. Prince Charles’ ultimately unsuccessful attempts to keep the ‘Black Spider Memos’ from being exposed were also on the basis of privacy. The Catholic Church covered up the abuses of its priests. Powerful people using a law which their own kind largely forged is all too common, and should not be accepted without a fight. As feminist scholar Anita Allen put it:

“[it should be possible to] rip down the doors of ‘private’ citizens in ‘private’ homes and ‘private’ institutions as needed to protect the vital interests of vulnerable people.”

This argument may have its most obvious application in relation to domestic abuse, but it also has an application to the Panama leaks – particularly at a time when the politics of austerity is being used directly against the vital interests of vulnerable people. Part of the logic of austerity is that there isn’t enough money to pay for welfare and services – and part of the reason that we don’t have ‘enough’ money is that so much tax is being avoided or evaded, so there’s a public interest in exposing the nature and scale of tax avoidance and evasion, a public interest that might override the privacy rights of the individuals involved.

How private is financial information?

That brings the next question: should financial or taxation information be treated as private, and accorded the strongest protection? Traditions and laws vary on this. In Norway, for example, income and tax information for every citizen is publicly available. This has been true since the 19th century – from the Norwegian perspective, financial and tax transparency is part of what makes a democratic society function.

It is easy to see how this might work – and indeed, an anecdote from my own past shows it very clearly. When I was working for one of the biggest chartered accountancy firms back in the 80s, I started to get suspicious about what had happened over a particular pay rise – so I started asking my friends and colleagues, all of whom had started with the firm at the same time, and progressed up the ladder in the same way, how much they were earning, I discovered to my shock that every single woman was earning less than every single man. That is, that the highest paid woman earned less than the lowest paid man – and I knew them well enough to know that this was in no way a reflection of their merits as workers. The fact that salaries were considered private, and that no-one was supposed to know (or ask) what anyone else was earning, meant that what appeared to me once I knew about it to be blatant sexism was kept completely secret. Transparency would have exposed it in a moment – and probably prevented it from happening.

In the UK, however, privacy over financial matters is part of our culture. That may well be a reflection of our conservatism – if functions in a ‘conservative’ way, tending to protect the power of the powerful – but it is also something that most people, I would suggest, believe is right. Indeed, as a privacy advocate I would in general support more privacy rather than less. It might be a step too far to suggest that all our finances should be made public – but not, perhaps, that the finances of those in public office should be private. The people who, in this case, are supporting or driving policies should be required to show whether they are benefiting from those policies – and whether they are being hypocritical in putting those policies forward. We should be able to find out whether they personally benefit from tax cuts or changes, for example, and whether they’re contributing appropriately when they’re requiring others to tighten their belts.

I do not, of course, expect any of this to happen. In the UK in particular the powerful have far too strong a hold on our politics to let it happen. That then brings me to one more privacy-related issue exposed by the Panama papers. If there is no legal way for information that is to the public benefit to come out, what approach should be taken to the illegal ways that information is acquired. There have been many other prominent examples – Snowden’s revelations about the NSA, GCHQ and so on, Hervé Falciani’s data from HSBC in Switzerland in particular – where in some very direct ways the public interest could be said to be served by the leaks. Are they whistleblowers or criminals? Spies? Should they be prosecuted or cheered? And then what about other hackers like the ‘Impact Team’ who hacked Ashley Madison? Whether each of them was doing ‘good’ is a matter of perspective.

Vulnerability of data…

One thing that should be clear, however, is that no-one should be complacent about data security and data vulnerability. All data, however it is held, wherever it is held, and whoever it is held by, is vulnerable. The degree of that vulnerability, the likelihood of any vulnerability being exploited and so forth varies a great deal – but the vulnerability is there. That has two direct implications for the state of the internet right now. Firstly, it means that we should encourage and support encryption – and not do anything to undermine it, even for law enforcement purposes. Secondly, it means that we should avoid holding data that we don’t need to hold – let alone create unnecessary data. The Investigatory Powers Bill breaks both of those principles. It undermines rather than supports encryption, and requires the creation of massive amounts of data (the Internet Connection Records) and the gathering and/or retention of even more (via the various bulk powers). All of this adds to our vulnerability and our risks – something that we should think very, very hard before doing. I’m not sure that thinking is happening.

 

Internet Connection Records: answering the wrong question?

Watching and listening to the Commons debate over the Investigatory Powers Bill, and in particular when ‘Internet Connection Records’ were mentioned, it was hard not to feel that what was being discussed had very little connection with reality. There were many mentions of how bad and dangerous things were on the internet, how the world had changed, and how we needed this law – and in particular Internet Connection Records (ICRs) – to deal with the new challenges. As I watched, I found myself imagining a distinctly unfunny episode of Yes Minister which went something like this:


Screen Shot 2016-03-16 at 10.16.58Scene 1:

Minister sitting in leather arm chair, glass of brandy in his hand, while old civil servant sits opposite, glasses perched on the end of his nose.

Minister: This internet, it makes everything so hard. How can we find all these terrorists and paedophiles when they’re using all this high tech stuff?

Civil Servant: It was easier in the old days, when they just used telephones. All we needed was itemised phone bills. Then we could find out who they were talking to, tap the phones, and find out everything we needed. Those were the days.

Minister: Ah yes, those were the days.

The Civil Servant leans back in his chair and takes a sip from his drink. The Minister rubs his forehead looking thoughtful. Then his eyes clear.

Minister: I know. Why don’t we just make the internet people make us the equivalent of itemised phone bills, but for the internet?

Civil Servant blinks, not knowing quite what to say.

Minister: Simple, eh? Solves all our problems in one go. Those techie people can do it. After all, that’s their job.

Civil Servant: Minister….

Minister: No, don’t make it harder. You always make things difficult. Arrange a meeting.

Civil Servant: Yes, Minister


Scene 2

Minister sitting at the head of a large table, two youngish civil servants sitting before him, pads of paper in front of them and well-sharpened pencils in their hands.

Minister: Right, you two. We need a new law. We need to make internet companies make us the equivalent of Itemised Phone Bill.

Civil servant 1: Minister?

Minister: You can call them ‘Internet Connection Records’. Add them to the new Investigatory Powers Bill. Make the internet companies create them and store them, and then give them to the police when they ask for them.

Civil servant 2: Are we sure the internet companies can do this, Minister?

Minister: Of course they can. That’s their business. Just draft the law. When the law is ready, we can talk to the internet companies. Get our technical people here to write it in the right sort of way.

The two civil servants look at each other for a moment, then nod.

Civil servant 1: Yes, minister.


 

Scene 3

A plain, modern office, somewhere in Whitehall. At the head of the table is one of the young civil servants. Around the table are an assortment of nerdish-looking people, not very sharply dressed. In front of each is a ring-bound file, thick, with a dark blue cover.

Civil servant: Thank you for coming. We’re here to discuss the new plan for Internet Connection Records. If you look at your files, Section 3, you will see what we need.

The tech people pick up their files and leaf through them. A few of them scratch their heads. Some blink. Some rub their eyes. Many look at each other.

Civil servant: Well, can you do it? Can you create these Internet Connection Records?

Tech person 1: I suppose so. It won’t be easy.

Tech person 2: It will be very expensive

Tech person 3: I’m not sure how much it will tell you

Civil servant: So you can do it? Excellent. Thank you for coming.


 

The real problem is a deep one – but it is mostly about asking the wrong question. Internet Connection Records seem to be an attempt to answer the question ‘how can we recreate that really useful thing, the itemised phone bill, for the internet age’? And, from most accounts, it seems clear that the real experts, the people who work in the internet industry, weren’t really consulted until very late in the day, and then were only asked that question. It’s the wrong question. If you ask the wrong question, even if the answer is ‘right’, it’s still wrong. That’s why we have the mess that is the Internet Connection Record system: an intrusive, expensive, technically difficult and likely to be supremely ineffective idea.

The question that should have been asked is really the one that the Minister asked right at the start: how can we find all these terrorists and paedophiles when they’re using all this high tech stuff? It’s a question that should have been asked of the industry, of computer scientists, of academics, of civil society, of hackers and more. It should have been asked openly, consulted upon widely, and given the time and energy that it deserved. It is a very difficult question – I certainly don’t have an answer – but rather than try to shoe-horn an old idea into a new situation, it needs to be asked. The industry and computer scientists in particular need to be brought in as early as possible – not presented with an idea and told to implement it, no matter how bad an idea it is.

As it is, listening to the debate, I feel sure that we will have Internet Connection Records in the final bill, and in a form not that different from the mess currently proposed. They won’t work, will cost a fortune and bring about a new kind of vulnerability, but that won’t matter. In a few years – probably rather more than the six years currently proposed for the first real review of the law – it may finally be acknowledged that it was a bad idea, but even then it may well not be. It is very hard for people to admit that their ideas have failed.


As a really helpful tweeter (@sw1nn) pointed out, there’s a ‘techie’ term for this kind of issue: An XY problem!  See http://xyproblem.info. ICRs seem to be a classic example.

 

Labour and the #IPBill

I am a legal academic, specialising in internet privacy – a lecturer at the UEA Law School. I am the author of Internet Privacy Rights: Rights to Protect Autonomy, published by Cambridge University Press in 2014, and was one of the academics who was a witness before the Joint Parliamentary Committee on the Investigatory Powers Bill. I am also a member of the Labour Party – this piece is written from all of those perspectives.


 Labour and the Investigatory Powers Bill

The Investigatory Powers Bill has its second reading on Tuesday – part of what appears an attempt to pass the Bill with unseemly haste. One of the biggest questions is how Labour will approach the Bill – the messages so far have been mixed. Andy Burnham’s press release on the 1st of March in response to the latest draft was from my perspective the best thing that has emerged from Labour in relation to surveillance in many decades, if not ever.

What is important is that Labour builds on this – for in taking a strong and positive response to the Investigatory Powers Bill Labour has a chance to help shape its future in other areas. What is more, Labour can tap into some of its best and most important traditions and realise the promise of some of its best moments.

Demand more time

The first and most important thing that Labour should do at this stage is demand more time for scrutiny for the bill. There are some very significant issues that have not received sufficient time – the three parliamentary committees that have examined the bill so far (the Science and Technology Committee, the Intelligence and Security Committee and the specially convened Joint Parliamentary Committee on the Investigatory Powers Bill) all made that very clear. The Independent Reviewer of Terrorism Legislation, David Anderson QC has also been persistent in his calls for more time and more careful scrutiny – most recently in his piece in the Telegraph where he said:

“A historic opportunity now exists for comprehensive reform of the law governing electronic surveillance. Those who manage parliamentary business must ensure that adequate time – particularly in committee – is allowed before December 2016.”

David Anderson is right on all counts – this is a historic opportunity, and adequate time is required for that review. How Labour responds could well be the key to ensuring that this time is provided: a strong response now, and in particular the willingness to reject the bill in its entirety unless sufficient time is given, would put the government in a position where it has to provide that time.

As well as pushing for more time, there are a number of things that Labour – and others – should be requiring in the new bill, many of which were highlighted by the three parliamentary committees but have not been put into the new draft bill.

Proper, independent oversight

The first of these is proper, independent oversight – oversight not just of how the powers introduced or regulated by the bill are being used in a procedural way (whether warrants are being appropriately processed and so forth) but whether the powers are actually being used in the ways that parliament envisaged, that the people were being told and so forth. Reassurances made need to be not just verified but re-examined – and as time moves on, as technology develops and as the way that people use that technology develops it needs to be possible to keep asking whether the powers remain appropriate.

The oversight body needs not just to be independent, but to have real powers. Powers to sanction, powers to notify, and even powers to suspend the functioning of elements of the bill should those elements be found to be no longer appropriate or to have been misused.

Independent oversight – as provided, for example, by the Independent Reviewer of Terrorism Legislation – is not just valuable in itself, but in the way that it can build trust. Building trust is critical in this area: a lot of trust has been lost, as can be seen by the rancorous nature of a lot of the debate. It would help everyone if that rancour is reduced.

Re-examine and rebalance ‘Bulk Powers’

One of the most contentious areas in the bill is that of ‘Bulk Powers’: bulk interception, bulk acquisition (of communications data), bulk equipment interference (which includes what is generally referred to as ‘hacking’) and bulk personal datasets. These powers remain deeply contentious – and potentially legally challengeable. There are specific issues with some of them – with bulk equipment interference a sufficiently big issue that the Intelligence and Security Committee recommended their removal from the bill.

It is these powers that lead to the accusation that the bill involves ‘mass surveillance’ – and it is not sufficient for the Home Secretary simply to deny this. Her denials appear based on a semantic argument about what constitutes ‘surveillance’ – and argument that potentially puts her at odds with both the European Court of Human Rights and the Court of Justice of the European Union. It also puts the UK increasingly at odds with opinion around the world. The UN’s Special Rapporteur on the right to privacy, Joseph A. Cannataci, said in his Report to the UN Human Rights Council on the 8th March:

“It would appear that the serious and possibly unintended consequences of legitimising bulk interception and bulk hacking are not being fully appreciated by the UK Government.”

Much more care is needed here if the Investigatory Powers Bill is to be able to face up to legal challenge and not damage not only people’s privacy but the worldwide reputation of the UK. Again, proper and independent oversight would help here, as well as stronger limits on the powers.

An independent feasibility study for ICRs

The Home Office have described ‘Internet Connection Records’ as the one genuinely new part of the Investigatory Powers Bill: it is also one of the most concerning. Critics have come from many directions. Privacy advocates note that they are potentially the most intrusive measure of all, gathering what amounts to substantially all of our internet browsing history – and creating databases of highly vulnerable data, adding rather than reducing security and creating unnecessary risks. Industry experts have suggested they would be technically complex, extortionately expensive and extremely unlikely to achieve the aims that have been suggested. All three parliamentary committees asked for more information and clarity – and yet that clarity has not been provided. The suggestion that ICRs are like an ‘itemised phone bill’ for the internet has been roundly criticised (notably by the Joint IP Bill Committee) and yet it appears to remain the essential concept and underpinning logic to the idea.

Given all this, to introduce the idea without proper testing and discussion with the industry seems premature and ill conceived at best. If the idea cannot be rejected outright, it should at least be properly tested – and again, with independent oversight. Instead of including it within the bill, a feasibility study could be mounted – a year of working with industry to see if the concept can be made to work, without excessive cost, and producing results that can actually be useful, can be properly secured and so forth. If at the end of the feasibility study the evidence suggests the idea is workable, it can be added back into the bill. If not, alternative routes can be taken.

Reassess encryption

Perhaps the most contentious issue of all at present is the way in which the bill addresses encryption. All three parliamentary committees demanded clarity over the matter – particularly in relation to end-to-end encryption. That clarity is conspicuous by its absence in the bill. Whether the lack of clarity is intentional or not is somewhat beside the point: the industry in particular needs clarity. Specifically, the industry needs the government to be clear in the legislation that it will not either ban end-to-end encryption, demand that ‘back doors’ are built into systems, or pressurise companies to build in those back doors or weaken their encryption systems.

The current position not only puts the government at odds with the industry, it puts it at odds with computer scientists around the world. The best of those scientists have made their position entirely clear – and yet still the government seems unwilling to accept what both scientists and industry are telling them. This needs to change – what is being suggested right now is dangerous to privacy and security and potentially puts the UK technology industry at a serious competitive disadvantage compared to the rest of the world.

Working with industry and science

Therein lies one of the most important keys: working with rather than against the IT industry and computer scientists. Plans such as those in the Investigatory Powers Bill should have been made with the industry and science from the very start – and the real experts should be listened to, not ridden roughshod over. Inconvenient answers need to be faced up to, not rejected. Old concepts should not be used as models for new situations when the experts tell you otherwise.

This is where one of Labour’s longest traditions should come into play. Harold Wilson’s famous Scarborough speech in 1963, where he talked about the ‘white heat’ of technology is perhaps even more apt now than it was all those years ago. Labour should be a modernising party – and that means embracing technology and science, listening to scientists and learning from them, using evidence-based policy and all that entails. Currently, the Investigatory Powers Bill is very much the reverse of that – but it still could become that, if appropriate changes are made.

Protecting ordinary people

Labour should also be tapping into another strong tradition – indeed in many ways its founding tradition. Labour was born to support and protect working people – ‘ordinary’ people in the positive sense of that word. Surveillance, in practice, often does precisely the opposite – it can be used by the powerful against those with less power. It can be politically misused – and the history of surveillance of trade unionists, left-wing activists is one of which the Labour Party should be acutely aware. Without sufficient safeguards and limitations, any surveillance system can and will be misused, and often in precisely these kinds of ways.

Labour could and should remember this – and work very hard to ensure that those safeguards and limitations are built in. Some of the measures outlined above – proper oversight, rebalancing bulk powers, a feasibility study on ICRs in particular – are intended to do precisely that.

Not ‘soft’ but strong

Building in these safeguards, working with technology industries and scientists, protecting rather than undermining encryption should not be seen as something ‘soft’ – and any suggestion that by opposing the measures currently in the Bill is somehow being ‘soft’ on terrorists and paedophiles should not just be rejected but should be turned on its head. The current bill will not protect us in the ways suggested – indeed, it will make us less secure, more at risk from cybercriminals, create more openings for terrorists and others, and could be a massive waste of money, time and expertise. That money, time and expertise could be directed in ways that do provide more protection.

What is more, as noted above, the current bill would be much more vulnerable to legal challenge than it should be. That is not a sign of strength: very much the opposite.

Labour’s future direction

Most of these issues are relevant to all political parties – but for Labour the issue is particularly acute. Labour is currently trying to find a new direction – the challenge presented by the Investigatory Powers Bill could help it be found. A positive approach could build on the old traditions outlined above, as well as the human rights tradition build in Blair’s early years: the Human Rights Act is one of New Labour’s finest achievements, despite the bad treatment it receives in the press. A party that forges alliances with the technology industry and with computer science, one that embraces the internet rather than seeing it as a scary and dangerous place to be corralled and controlled, is a party that has a real future. Labour wants to engage with young people – so be the party that supports WhatsApp rather than tries to ban it or break it. Be the party that understands encryption rather than fights against it.

All this could begin right now. I hope Labour is up to the challenge.

 

 

A little more on #IPBill encryption…

Before issuing a ‘Technical Capability Notice’ – for example to remove encryption – a number of things must be taken into account:

Screen Shot 2016-03-04 at 16.37.25

One thing, however, notably absent from this is any other effect on people other than ‘the person (or description of person) to whom it relates’. That, however, could be the crux of the problem. In the Apple vs FBI case, for example, the objection that Apple have to doing what the FBI want, is not the effect it might have on the (deceased) owner of the particular iPhone at all. Rather, the objection relates to the effect first of all on other users of iPhones, next on other people who might be subject to similar court orders, and thirdly on the overall balance between security of individuals and the perceived security of the state.

None of these objections would seem to count in relation to a Technical Capability Notice. Further, the broader context, the implications for human rights and so forth simply don’t enter the equation.

Perhaps they should.

The IP Bill: opaqueness on encryption?

One thing that all three of the Parliamentary committees that reviewed the Draft Investigatory Powers Bill agreed upon was that the bill needed more clarity over encryption.

This is the Intelligence and Security Committee report:

Screen Shot 2016-03-03 at 15.30.32

This is the Science and Technology Committee report:

Screen Shot 2016-03-03 at 15.32.14

This is the Joint Parliamentary Committee on the Investigatory Powers Bill:

Screen Shot 2016-03-03 at 15.33.44

In the new draft Bill, however, this clarity does not appear to have been provided – at least as far as most of the people who have been reading through it have been able to determine. There are three main possible interpretations of this:

  1. That the Home Office is deliberately trying to avoid providing clarity;
  2. That the Home Office has not really considered the requests for clarity seriously; or
  3. That the Home Office believes it has provided clarity

The first would be the most disturbing – particularly as one of the key elements of the Technical Capability Notices as set out both in the original draft bill and the new version is that the person upon whom the notice is served “may not disclose the existence or contents of the notice to any other person without the permission of the Secretary of State” (S218(8)). The combination of an unclear power and the requirement to keep it secret is a very dangerous.

The second possibility is almost as bad – because, as noted above, all three committees were crystal clear about how important this issue is. Indeed, their reports could be seen as models for the Home Office as to how to make language clear. Legal drafting is never quite as easy as it might be, but it can be clear and should be clear.

The third possibility – that they believe they have provided clarity is also pretty disastrous in the circumstances, particularly as the amount of time that appears to be being made available to scrutinise and amend the Bill appears likely to be limited. This is the interpretation that the Home Office ‘response to consultations’ suggests – but people who have examined the Bill so far have not, in general, found it to be clear at all. That includes both technological experts and legal experts. Interpretation of law is of course at times difficult – but that is precisely why effort must be put in to make it as clear as possible. At the moment whether a backdoor or equivalent could be demanded depends on whether it is ‘technically feasible’ or ‘practicable’ – terms open to interpretation – and on interdependent and somewhat impenetrable definitions of ‘telecommunications operator’, ‘telecommunications service’ and ‘telecommunications system’, which may or may not cover messaging apps, hardware such as iPhones and so forth. Is it clear? It doesn’t seem clear to me – but I am often wrong, and would love to be corrected on this.

This issue is critical for the technology industry. It needs to be sorted out quickly and simply. It should have been done already – which is why the first possibility, that the lack of clarity is deliberate, looms larger  that it ordinarily would. If it is true, then why have the Home Office not followed the advice of all three committees on this issue?

If on the other hand this is simply misinterpretation, then some simple, direct redrafting could solve the problems. Time will tell.

An independent review body for the IP Bill?

One of the recommendations of the Joint Parliamentary Committee on the Investigatory Powers Bill was that the Bill should include some kind of a review process or ‘sunset clause’. The new Bill, as I noted in my earlier post on the subject, has included a term that seems to answer that recommendation – but does so in such a cursory way as to be close to irrelevant. This is how it is set out:

222 Review of operation of Act

(1)  The Secretary of State must, within the period of 6 months beginning with the end of the initial period, prepare a report on the operation of this Act.

(2)  In subsection (1) “the initial period” is the period of 5 years and 6 months beginning with the day on which this Act is passed.

(3)  In preparing the report under subsection (1), the Secretary of State must, in particular, take account of any report on the operation of this Act made by a Select Committee of either House of Parliament (whether acting alone or jointly).

(4)  The Secretary of State must

(a)  publish the report prepared under subsection (1), and

(b)  lay a copy of it before Parliament.

So, effectively, this means that the Secretary of State will have to produce a report after six years and lay a copy of it before Parliament – that’s all. Six years is a long time in relation to the internet. Six years ago, for example, WhatsApp had only just been launched, and SnapChat did not even exist. Facebook had 400 million users: it now has 1.6 billion.

Even more pertinently, the Investigatory Powers Bill has some significant new and distinctly controversial powers – most directly some of the ‘Bulk Powers’ and the Internet Connection Records (ICRs) about which I have also written about a number of times (here and here for example). ICRs have been criticised in a number of ways: their potential intrusiveness, the difficulty in defining what they actually are, the costs involved in their collection and retention, and the likelihood of their being able to do what the Bill suggests that they should do. All these matter – and to a great extent all of these are a matter of conjecture. Those like myself who believe that they will end up hugely expensive, highly ineffective and potentially vulnerable are to at least some degree speculating – but so are those who believe they’ll be a crucial tool for law enforcement and the security services, a proportionate and effective response, easily safeguarded and no great burden on the relevant service providers.

Both sides of the argument believe that they’re right – and have provided evidence to back up their opinions. Personally I believe that my evidence is the more compelling – but I would believe that. I am sure that the proponents of the inclusion of Internet Connection Records believe the same about their evidence. Who is right? The best way to tell might well be to have a proper, regular and independent review of the reality. An audit of a kind, to assess all these different aspects. Is it proving easy to define ICRs in all the relevant cases? Are the ICRs being useful? Are they proving expensive to collect and retain? Have they been kept securely or have there been losses through error, hacking, technological malfunction or something similar?

This kind of audit could be required under the Act – and if the drafters had followed the advice of the Independent Reviewer of Terrorism Legislation and created an Independent Intelligence and Surveillance Commission, it could have been the perfect body to perform such an audit. If that Commission had been granted the powers to ask for a part of the bill to be suspended or subject to amendment that would make this possibility even better.

In my oral evidence to the Committee I suggested something further – that the review should include a kind of ‘contextual’ review, looking not just at how the powers were being used in relation to the Bill, but in relation to how people were using communications systems. In effect, assessing whether the powers were still appropriate and balanced because how people use service can, in practice, change how intrusive powers relating to a service can be. Undermining encryption, for example, is far less troublesome if the only people using encryption are the most technologically adept of geeks and nerds than it is if we are all reliant on encryption for our banking and confidential work.

If properly constituted and empowered, a review body could look at this – and rather than being in a position we are now, where outdated laws are being misapplied to situations that have radically changed, we could keep not just the law but how it is used up to date and proportionate. We could learn where mistakes are being made, where resources are being misapplied, what works and what doesn’t work – and not just from those who have a vested interest in telling us that those powers are working and that they need the resources that they’re being given. The two examples we have in this field – the Independent Reviewer of Terrorism Legislation and the Interception of Communications Commissioner’s Office (IOCCO) – have proven their worth in a number of ways. An independent body to oversee the implementation, effectiveness and proportionality of the operations of the Investigatory Powers Bill could be similarly effective.

That, however, is not what the IP Bill currently proposes. The review as it is set out in S 222 is too late, not independent, and without the power to produce any real effect. This could, however, be relatively simply changed. In their response to the consultations, the main objection to making such a change seems to be cost: the response says that it would cost an extra £0.5m/year.  Though that may seem like a lot of money, in the grand scheme of things it really is not. If, as just one (small) example, ICRs are as expensive as it seems likely they will be, and the review body reveals this after three years rather than six, spending that £0.5m/year would be very cheap at the price. Other savings could be made in other areas as revealed by the reviews – and that’s not considering the significant extra level of trust that would be generated by a properly independent review body. The potential benefits are very significant: I hope that those pushing the Bill are willing to consider it.