Theresa May: Snoopers’ Charter won’t ban encryption, but companies must provide data

Theresa May has sought to clarify the draft Investigatory Powers Bill’s stance on encryption, telling the select committee in charge of scrutinising the bill that the proposed legislation does not require companies to install “backdoors” into software. 


“We believe encryption is important. We are not proposing to make any changes to encryption and the legal position around that.”

May went on to say that, although the government doesn’t seek to ban encryption, it will require companies to hand over decrypted messages if served with a lawful warrant.

“Where we are lawfully serving a warrant on a provider […] they are required to provide certain information to the authorities. The company should take reasonable steps to ensure they are able to comply with the warrant. That is the position today and it will be the same tomorrow under the new legislation,” she said.

Elsewhere in the hearing, May told the committee that small-scale networks, such as those found in cafés, hospitals and libraries, would need to comply with the legislation and hand over customer or patient data when served with a notice. “I do not think it would be right for us to exclude any networks,” she said. “If you look at how people do their business these days, it is on the move.”

May also rejected calls for a “sunset clause” on the legislation that would allow it to be revisited in five to seven years to handle the rapid pace of technological change. She said that the bill was “technology-neutral” to allow for future developments.


Draft Investigatory Powers Bill: What is it?

State surveillance ahoy! In November 2015, home secretary Theresa May announced plans for legislation – dubbed the draft Investigatory Powers Bill – that would force phone and internet companies to store details of the websites visited and the emails and texts sent by customers for a minimum of 12 months.

There has since been a great deal of reaction to the proposed bill, from cries against bulk collection of data to warnings that it will leave information open to third-party hacking.

The bill is being proposed on its alleged ability to tackle issues such as terrorism and child pornography, but it ultimately represents a seismic shift in how the state can access your online life. Does this sound scary? Yes. But what does the process involve and what does it mean for your emails and web history? 

Draft Investigatory Powers Bill: At a glance

  • Security services will have full access to every site visited per user for a minimum of 12 months.
  • Content of communications will require a “double lock” warrant signed by a secretary of state and a judge.
  • Judicial oversight can be bypassed in “urgent cases”, with a secretary of state signing a warrant and a judge subsequently confirming it.
  • The legislation would enforce an obligation for technology firms to provide unencrypted communications for government and law agencies if the latter were in possession of a warrant.

Draft Investigatory Powers Bill: Current status

Theresa May’s draft Investigatory Powers Bill is currently being scrutinised by Parliament’s Science and Technology Committee, following concerns from internet service providers (ISPs) over the scale of data storage required by the revamped Snoopers’ Charter.

 An official committee is conducting a “short inquiry” into the practicality of the proposed bill, hearing evidence from a range of technical experts, civil liberty groups and academics. This follows oral evidence given by the chair of the Internet Services Providers’ Association, James Blessing.

“We are very concerned,” James Blessing said at the time. “The whole idea of an internet connection record does not exist as far as internet service providers are concerned. We do not have an internet connection record.”

“We do not store information about what our customers do online in this particular way. It is not clear from the bill what constitutes a connection record.”

The committee claims it is investigating “the extent to which communications data and communications content can be separated and the extent to which this is reflected in the draft Bill”. Amongst those giving evidence is Mozilla, which called the draft legislation a “harmful step backwards” and warned that the mandatory data retention at the heart of the legislation runs the risk of making private data vulnerable to attack.

Tech UK’s Anthony Walker has also given evidence to the committee, warning that smart toys, such as Hello Barbie and My Friend Cayla – both talking, Wi-Fi-enabled dolls – could be used to gain information by intelligence agencies. Apple has also provided evidence, as we’ve outlined on the previous page.


Background: What’s the Snoopers’ Charter?

In 2013, Theresa May proposed a piece of legislation called the draft Communications Data Bill (dubbed the Snoopers’ Charter), which the Liberal Democrats blocked during the coalition government. November’s proposed bill is a revived version of that bill – back from the dead, edges smoothed off and a new judge-friendly face installed. 

Another key piece of prior legislation to be aware of is the Data Regulation and Investigatory Powers Act (DRIPA), pushed through in July 2014. This allowed security services to have access to internet and phone records, but was challenged by Labour’s Tom Watson and the Conservatives’ David Davis. It was subsequently ruled as illegal by the High Court.

When the High Court rules something as illegal, you might suspect that boundaries have been overstepped. The judges said that the Act failed to provide “clear and precise rules to ensure data is only accessed for the purpose of preventing and detecting serious offence”. The government was told it needed to come up with new legislation by March 2016, hence today’s proposal. 

What’s changed since the original Snoopers’ Charter?

One of the big changes is a “double lock” on approval of interception. This involves the appointment of a special panel of judges, who will be responsible for authorising the police before they can access the content of an individual’s information. For the most intrusive warrants to be approved, they’ll need to go through a secretary of state and then be confirmed by a judge. Any warrant covering an MP will need to be approved by the prime minister.

From the authorities’ perspective, this means consolidation of a gangly system currently fragmented across three different commissioners. The Home Office says this will improve the transparency of the intelligence service’s activities, but critics are saying this new process is unwieldy. The judicial procedure will not apply to “urgent cases” – so there are inevitably questions about what does and doesn’t constitute an urgent case. May has said that access to a journalist’s source will require a warrant, for example, but if that information was deemed “urgent” it would suggest that a secretary of state can sign a warrant without a judge.

At the moment, senior ministers including the home secretary can sign warrants allowing security services to look at the contents of communications. Over 2,700 of these were signed last year. The new proposal means that appointed judges will be able to overrule ministers, which in theory would give independent oversight to the process. In reality, this process may not always be so clean cut. May has said that the legislation will include cases where a warrant applies after a secretary of state approves it, as long as a judge subsequently confirms it.

Former Lib Dem leader Nick Clegg has said there may be flaws “under the bonnet” of the new legislation and that the process may be cumbersome. Technology journalist Adam Banks has questioned how forcing a judge to sign after a warrant has been issued would work in practice. 

Will the government be able to look at my browsing history whenever it wants?

Yes and no. May has said that the security services won’t have full access to look through your browsing content, but will instead be able to access the domains you’ve visited.

This means they will be able to see if you’ve visited www.bbc.co.uk, for example, but not the page itself. There will also be information on where you’ve visited pages from, along with calls you’ve made, who you’ve sent text messages to – essentially the “who, what, where and when” of your communication information.

To get access to the actual content of those communications will require a warrant. That’s where the judges and content warrants come in.

Jim Killock, executive director of privacy advocates Open Rights Group, said that the draft Investigatory Powers Bill will “redefine the relationship between the state and the public for a generation”.

“At first glance, it appears that this Bill is an attempt to grab even more intrusive surveillance powers and does not do enough to restrain the bulk collection of our personal data by the secret services,” he said. “It proposes an increase in the blanket retention of our personal communications data, giving the police the power to access web logs. It also gives the state intrusive hacking powers that can carry risks for everyone’s internet security.”

Meanwhile, Edward Snowden sent out a series of tweets on Wednesday morning calling the revived Snoopers’ Charter “the most intrusive and least accountable surveillance regime in the West.”

Will the legislation work on a practical level?

One important point – somewhat separate from the legalities of who actually has the authority to issue an intrusive surveillance warrant – is whether or not internet service providers (ISPs) actually have the resources to log data on the web pages being accessed by customers.

Adrian Kennard, owner of the ISP Andrews & Arnold, wrote in a blog that the draft legislation seems to require ISPs to capture and generate data that they don’t currently collect: “At present it is possible for an ISP to be subject of an order requiring retention of certain data which it processes. This is data the ISP has, and it simply means the ISP has to keep it for 12 months,” wrote Kennard.

“The new scheme seems to require an ISP to actually generate new data, Internet Connection Records which mean logs of the IP addresses and connections. This is a huge step – as an ISP we do not have that data or the equipment to generate or retain that data.”

After following up with Kennard on the phone, it became clear that the draft legislation has the potential to involve large costs for ISPs – from installing new equipment in the network to providing added security to safeguard the data. We’ll be covering the practicalities of the draft legislation in more detail once ISPs have had time to properly sift through the documentation.


Won’t storing data leave it susceptible to hacking?

Indeed. One of the worries is that asking internet service providers (ISPs) to keep and store customer data for 12 months will leave companies (and your data) open to large scale cyber-attacks.

Given the recent TalkTalk hack, along with the spate of hacks including attacks on T-Mobile and affair-dating site Ashley Madison, there are serious concerns regarding the ability of companies to safely store large quantities of sensitive customer information.

Large US firms with stringent security capabilities, such as Google and Facebook, won’t even be susceptible to the new bill, which does raise the issue of how global terrorist groups will be affected when data can be easily stored with non-UK companies.

There’s also the worry of the government itself being susceptible to hacks. Greg Aligiannis, senior security director at message encryption provider Echoworx, claims that centrally storing data risks putting innocent citizens in danger:  

“In addition to the concerns of privacy we must also consider how this may put people at risk,” said Aligiannis. “History has shown that the government is subject to attacks just as much, if not more so than other organisations that look after data for their customers. All of the data collected by the government will need to be stored somewhere, what’s to stop someone hacking into and exposing that data?”

What next?

A joint committee are currently looking at the draft bill, and a proper bill will then be published in the spring.

The bill will first need to get through the Commons, and the Lords. Its success is likely to hinge on how its integration of judiciary powers goes down. David Davis, the Tory MP who helped bring down DRIPA, said on BBC’s Sunday Politics that the bill “will fail” unless it clearly gives judges oversight.

The integration of judges into the process is a positive step, but there are still worries about the types of personal data retained and the practicalities of asking companies to bulk store information. 

The 299-page draft Investigatory Powers Bill can be read here

Ex-NSA director warns UK mass surveillance “undermines security”

Data collection is one thing. Knowing what the hell to do with it all is another. That is the core of ex-NSA technical director William Binney’s argument to the joint select committee, currently inspecting the draft Investigatory Powers Bill (draft IP Bill).

The retired NSA boss turned whistleblower has called for the draft IP Bill to be rewritten, citing the dangers posed to citizens as a result of clumsy bulk data collection.

In front of the committee on Wednesday, Binney argued that mass data retention would decrease the efficiency of security services: “The end result is so much bulk data, that their analysts can’t figure out what they have. That’s the real problem.

“The end result is de-functionality of the analyst, and no prediction of intention [or] capabilities, no stopping of any attacks, people die, then when they die you find out who did it,” he continued.


Binney conducted and led signal intelligence operations for the NSA for 36 years, and during that time worked as the lead analyst for strategic warnings concerning the Soviet Union. His comments echo those made in his written evidence to the committee, in which he claims that “bulk data overcollection from internet and telephony networks undermines security and has consistently resulted in loss of life in my country and elsewhere, from the 9/11 attacks to date.”

The draft IP Bill says that the proposed legislation “provides for the use of interception, communications data and equipment interference powers in bulk,” and that these can be used to obtain “large volumes of data”. Binney essentially argues that this isn’t an efficient way to do things – that it is in fact a dangerous way to conduct surveillance and that security agencies should instead be focusing on a more targeted basis.

“It’s not helpful to make the haystack orders of magnitude bigger, because it creates orders of magnitude more of difficulty for finding the needle,” he said.

Apple comes out swinging

Apple has launched a broadside against the UK government’s plans to hand greater power to surveillance agencies, claiming the legislation stands to weaken the “personal data of millions of law-abiding citizens”.

Apple has passed on an eight-page written submission to the parliamentary committee currently scrutinising the draft Investigatory Powers Bill (draft IP Bill). In the statement, the US-based firm has called for major changes to the bill before it is passed.

Apple has formed its argument around three main concerns: undermining encryption, international law and forcing the private sector to be complicit in hacking.

Weakening encryption

Apple uses end-to-end encryption in its iMessage and FaceTime services, but sections of the draft IP Bill suggest that private companies would be forced by authorities to provide “backdoors”, enabling surveillance agencies to break the encryption and read messages. While the draft Investigatory Powers Bill doesn’t go so far as to ban encryption outright, it would enforce an obligation for technology firms to provide unencrypted communications for government and law agencies if the latter were in possession of a warrant.

“The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers,” Apple said in its statement. “A key left under the doormat would not just be there for the good guys. The bad guys would find it too.”

Apple argues that providing keys to its encryption would leave the security of its services vulnerable to other parties. Weakening encryption, the firm claims, would leave the data of its customers open to attack.

“Strong encryption is vital to protecting people from malicious actors,” wrote Apple. “This bill threatens to hurt law-abiding citizens in its effort to combat the very few bad actors who have a variety of ways to carry out their attacks. Strong encryption does not eliminate Apple’s ability to give law enforcement metadata or other categories of data.”

International law and complicity in hacking

The second area Apple has concerns about is the legal implications of the bill applying extraterritorially. While Apple is based in the US, many aspects of the legislation would still apply. This gives sections of the bill international scope despite being domestic legislation for the UK. Apple claims this will force international companies to face a conflicting set of international and domestic laws.

“Those businesses affected will have to cope with a set of overlapping foreign and domestic laws,” Apple said. “When these laws inevitably conflict, the businesses will be left having to arbitrate between them, knowing that in doing so they might risk sanctions. That is an unreasonable position to be placed in.”

Connected to this is Apple’s third concern: that the bill “seems to threaten to extend responsibility for hacking from government to the private sector”. This would make Apple complicit in the hacking of its own customers, the firm argues.

“It would place businesses like Apple – whose relationship with customers is in part built on a sense of trust about how data will be handled – in a very difficult position,” Apple said in its submission. 

Tim Cook, image by Mike Deerkowski

Tim Cook on encryption

This is not the first time that Tim Cook has spoken out against weakening encryption. Speaking to The Telegraph last month, Cook warned against introducing legislation that would inhibit the effect of encryption. “We believe very strongly in end-to-end encryption and no backdoors,” said Cook. “We don’t think people want us to read their messages. We don’t feel we have the right to read their emails.”

“Any backdoor is a backdoor for everyone. Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences.”

Cook also said that he was “optimistic” that pressure from the public and press could lead Theresa May and the government to rethink the proposed plans on encryption. “When the public gets engaged, the press gets engaged deeply, it will become clear to people what needs to occur. You can’t weaken cryptography. You need to strengthen it. You need to stay ahead of the folks that want to break it.”

Earlier this year, Cook criticised the US government for its intention to create backdoors into encryption systems on the grounds of national security. “We think this is incredibly dangerous. We’ve been offering encryption tools in our products for years, and we’re going to stay on that path,” Cook said at the time. 

“If you put a key under the mat for the cops, a burglar can find it too. Criminals are using every technology tool at their disposal to hack in to people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it.”
