
Some initial thoughts on the Investigative Powers Bill

14:41 05 November in Cyber security, Espionage, Privacy

On November 4th the UK government issued a draft of its new Investigative Powers Bill (IBP). Broadly, this proposed legislation lays out the ways and means that UK intelligence, security and law enforcement agencies will have to access the internet usage of their targets (i.e. people). The full draft is long at 299 pages; however, there is more concise supporting documentation, all of which is accessible here.

Full disclosure, I have not yet read the full bill, but have been through the factsheets. I have also written about privacy issues before, including here. I have also, for my sins, spent some of my career in security working for the government, and hence may have something of an insider’s perspective and be inclined towards the more benign interpretation of intent.

So, first impressions…

The good

What the agencies and police can get up to in support of their investigations and other work (intelligence agencies don’t just investigate threats, they collect intelligence; the UK has two intelligence agencies – SIS and GCHQ) is now very clearly laid out for all to see. There is no more stretching of outdated wording in RIPA or other relevant acts. This can only be a good thing – in a democracy these agencies can only operate with our consent, and that consent cannot be properly given if the scope of actions that may be taken is not fully understood. The legislation also introduces more direct oversight from the judiciary, rather than warrants being solely authorised by a Secretary of State as is the case at the moment. This is referred to in the documentation as a ‘double-lock’ protection. I have seen some commentary saying that this is worthless as the judges simply check the procedures have been followed properly, rather than look at any supporting evidence. The devil is in the detail, and this merits a further look, but even so a judge holding the Secretary of State to account is an improvement.

The less good

I’m hesitating to call it the bad right now because I think it deserves further thought and scrutiny. However, this bill will very fundamentally change the relationship you have with your internet service provider, and in a way that could be problematic for a number of reasons. Modern investigations have come to rely very heavily on looking at who the targets communicate with. Just a few years ago, that really only meant phone calls – either landlines or mobiles. RIPA governed access to this data, and made an important distinction between data considered private, and that which wasn’t private. Access to contents of calls (i.e. the actual conversation) is private – only you and the receiver know what was said. Getting access to this, through full interception, requires a properly authorised warrant (the precise procedures vary depending on the requestor – police, agency or other). However, details about your calls – the number dialled and duration – are not considered private. The telephone company has this data, and indeed sends you a monthly bill which lays it all out. Hence, whilst the telephone company has a duty to protect this data, it was never considered properly private, and hence authorisations for access to this kind of data are much lower (organisations can sign off on this access internally).

Now we all have broadband at home. Broadband providers do not bill by connection, and indeed generally don’t care much what you actually get up to online (with some exceptions) and only care about the total amount of data you download (you may or may not have unlimited broadband – couldn’t live without it personally). Because they don’t care, they don’t collect any data about your online activities. This presents a problem for the investigative authorities who still hanker for the equivalent of the call data details. The IBP will require that ISPs collect this kind of information, and store it for 12 months. There are legitimate reasons for the police and co to want this information. If the connection records show you visit Facebook, they can contact Facebook and find out what you were up to, and with whom you communicated. Given the ubiquity of encryption use by online service providers such as Facebook, they would need to do the same even with a warranted full interception of your internet access.

So this kind of metadata is useful, and if the IBP passes your ISP will be required to store it. However, this is not something they do currently, and it is not necessarily that easy to do for a variety of technical reasons. ISPs also have to store this data, and given it will contain lots of personal information about the browsing habits of households across the UK, they will need to do so very carefully. Finally, and for me most significant, is the assumption that this data is not truly ‘private’ and hence subject to the same authorisations as our phone records.

Details of the websites you visit can reveal much more about you than phone calls, even without the specific information about which pages on the site you visited or terms you searched for. We visit websites about personal topics and interests, and reveal more of ourselves to the internet and our service providers than we might our friends and partners.

Personally, the change in our relationship with our ISP makes me somewhat uncomfortable. They have more information about me than my phone company. And the fact that the oversight required to access this information is set much lower than a full interception, when it reveals so much more than our call records ever did, is also difficult and uncomfortable to reconcile. I think the bill needs more scrutiny, and the public need to be more engaged in the debate.

I will read the bill fully, and post a more considered opinion.
