Tuesday, 1 March 2016

Investigatory Powers Bill published

http://www.publications.parliament.uk/pa/bills/cbill/2015-2016/0143/cbill_2015-20160143_en_1.htm

Summary

Way too much still in terms of serious powers for the state to spy on its own people. Way too much in the way of bulk powers. Way too much in data retention - snooping on pretty much any data.

Comments to follow...

Retention

78(9) is still as wide scoped as before, but says "and this expression therefore includes, in particular, internet connection records." which does not help matters at all.

84(2) I see retention notices are still secret but can be disclosed with permission from secretary of state, which is some progress I guess.

225(1) slight improvement: “data” includes data which is not electronic data and any information (whether or not electronic),

Encryption

217(4) Still has removal of protection (encryption) though now "applied by or on behalf of that operator to any communications or data" which is an improvement, and 217(3) and 218(4) relate to  orders being "practicable" which is again an improvement. However, reading this, it could require an operator like Apple to change iMessage so that it is possible for them to remove encryption, or any hardware or software supplier in the UK or overseas. This leaves criminals able to encrypt but normal people that do not want that hassle unable to trust operators offering encrypted services.

218(7) looks a bit powerful

218(8) notices are secret but allow for permission to be given to disclose them, slight improvement.

More...

Some people are working on something of a public diff from draft to proposed bill, and that will help comment further on this.

See a diff here https://github.com/StuBez/UK-Investigatory-Powers-Bill/compare/master...StuBez:final?diff=split&name=final&w=1

P.S. I appreciate that I have not said a lot here - there are many more issues, and I'll try and post something much more concrete on this so people have something on which to base letters to their MPs later.

P.P.S. Open Rights Group (as have many others) have done a good page: here. Please contact your MP.

10 comments:

  1. > Still has removal of protection (encryption) though now "applied by or on behalf of that operator to any communications or data" which is an improvement

    Not really, in my opinion — the section is question is just an example of what could be contained under a notice, and it does not prevent a notice from containing things which are not on the list.

    The HO's "control" for this is the presence of clause 218(4), but this expressly only covers the situation in which an operator is asked to remove encryption which it has added, or is added on its behalf. It offers no protection against an order to remove third party encryption.

    ReplyDelete
    Replies
    1. I think it is 218(4) that helps slightly.

      Delete
    2. That's the bit that I don't think helps at all in the context of third party encryption.

      Delete
    3. Shit, yes, that only applies in the narrower scope of removing your own protection and 217(4) is only an example, so yes, they could order removal of third party protection and not have to consider practicality. FFS

      Delete
  2. Any mention on whether you have to keep the fact you requested permission to disclose "something" from the Secretary of State secret?

    ReplyDelete
  3. Are we being allowed the same consultaion as with the original bill, i.e. AAISP and others giving evidence to Parliamentary Committees and so on, or do they now propose passing this bill as it stands regardless?

    ReplyDelete
    Replies
    1. No, this is it in parliament - they debate it - we can write to MPs and the like.

      Delete
  4. Any update on your analysis? According to an Amnesty campaign, this bill will be debated *this Tuesday*, so if there are still things fundamentally broken with it, then presumably it's incredibly urgent that we act now and try to encourage our social networks to all write to their MPs, sign petitions etc. As a subject matter expert, your opinion on the current state of the bill would be extremely helpful when performing this activism ...

    ReplyDelete
    Replies
    1. Sorry, I have to say that I am somewhat despairing about this now - yes, MPs need to be written to. The whole thing is screwed up and pretty much all of the details I raised before still apply only in many cases even worse. It is crazy.

      Delete
    2. I got this reply from my (Labour) MP which I find rather non-commital and disappointing:

      Thank you for contacting me recently regarding the Government's Investigatory Powers Bill.

      I appreciate that a number of organisations and campaigns, including the 'Don't Spy on Us' campaign, have expressed a number of concerns regarding proposed changes to surveillance and data retention laws.

      I, however, support in principle the aim of delivering an up-to-date and comprehensive legal framework to enable the Police and security services to have the powers they need in the digital age to prevent and investigate serious crime.

      Our intelligence and security services undertake vital, often unrecognised, work to protect our security and to counter the growing threats that we face, both internationally and domestically. It is clear, however, that the huge changes we have seen in technology have left our laws governing investigatory powers outdated, and it is important that the relevant authorities have the appropriate up-to-date powers that they need to tackle terrorism, child sexual abuse, serious online crime, and to help locate missing people.

      It is crucial, though, that a new framework for providing these powers can command public trust by balancing strong powers with strong safeguards to protect privacy and long-held liberties. I know that a number of reports on the Government's draft Bill raised substantial concerns.

      Following the publication of the Government's Bill, which has now been introduced to Parliament, there are a number of concerns. Firstly, instead of tightening the criteria for the use of the most intrusive powers, the Bill appears to lower the threshold and allow the authorities to access them in a much broader range of circumstances. I do not believe that the Government has adequately justified this extension to date, and I am sure this will be pressed.

      Furthermore, the widening of access to Internet Connection Records (ICRs) in the Bill is a particular area of concern and it will be important for Parliament to consider whether the powers in relation to the collection and use of ICRs are proportionate and justified.

      This legislation will have major implications for privacy, and how we are governed and policed. It is, therefore, crucial to take time to get this right and I believe it is important to take a responsible and constructive approach in working with the Government on this issue.

      The Bill now has its Second Reading debate in the House of Commons. I am sure this Bill will be scrutinised most carefully. Thank you once again for writing to me and for sharing your views.

      Yours sincerely etc.

      Delete