CDT Submits Evidence Opposing Orwellian UK Surveillance Law
(Note: Due to a quirk in British Parliamentary procedure, we were unable to publish the text of the CDT submission until January 7, 2016. The full text of CDT’s submission is now posted.)
The United Kingdom is flirting with an online surveillance state of staggering proportions.
Parliament is currently considering new surveillance legislation – called the Draft Investigatory Powers Bill – that would gravely impact the human rights of the British people as well as people around the world. CDT submitted evidence this past Monday to the Joint Committee on the Draft Investigatory Powers Bill arguing that the proposed legislation is deeply flawed, overly vague, and fundamentally hostile to human rights. The Draft Bill would require Internet companies to keep records of all Internet communications; it would allow poorly targeted government hacking, as well as bulk government hacking of many thousands of devices simultaneously (and require companies to help the government hack their own users); and it would pose a significant threat to communications security by undermining end-to-end encryption.
In CDT’s submission, we argue:
- The features of the Draft Bill make it clearly incompatible with EU law and human rights treaties. There is no judicial approval required at all for certain kinds of highly intrusive surveillance practices in the Draft Bill. Further, the data retention elements require retaining communications data for every individual in the UK, a form of generalized surveillance that has been ruled illegal in the EU (by the Court of Justice of the EU in Digital Rights Ireland). Even where these new powers are “targeted,” the language allows essentially unconstrained forms of surveillance to be used on arbitrarily large groups of people, making it reckless and untargeted.
- The definitions in the Draft Bill are insufficient and overly broad. Definitions should map unambiguously onto current features of Internet protocols and architecture so that Internet companies can understand what they will need to collect, retain, and be prepared to produce.
- The scope and scale of data retention in the Draft Bill are beyond the pale. The level of intrusiveness involved in retaining records of all Internet communications – intruding into the private lives of innocent people – is disproportionate and, we believe, contravenes EU law and human rights treaties.
- Targeted equipment interference represents an extreme and dangerous form of intrusion. “Equipment interference” (EI) refers to the practice of government-sanctioned hacking; that is, where law enforcement is authorized to “hack” into devices and services as part of crime prevention and investigation. The risks involved with EI are substantial (CDT’s Greg Nojeim recently published an essay discussing risks involved with private-sector “hacking back”). As such, it is paramount that EI should only be used in a manner that is strictly lawful, necessary, and proportionate, and where other means are not feasible.
- Neither the police nor the security and intelligence services should have access to powers to undertake bulk equipment interference. Given the risks of EI, allowing the government to engage in EI in an untargeted manner or in a manner that would affect thousands to hundreds of thousands of devices at once is risky and could leave those devices open to hacking and exploitation by criminals, hostile governments, or others.
- The Draft Bill should clarify whether the government can compel service providers to cease offering end-to-end encryption in their products and services. A part of the Draft Bill appears to allow the UK government to require Internet companies to cease offering encrypted communications and services where the company could not produce the encryption key, decrypt the data, or provide copies of the underlying unencrypted data. If enacted into law, this would mean no private online conversations or transactions would truly be possible using services provided in the UK, completely undermining the trust needed to do business and the confidentiality and integrity needed to engage in private, predictable lives.
We are encouraged to hear that many other groups from civil society also submitted evidence on this Bill, and news reports indicate that submissions from Apple and Yahoo! emphasize many of the same concerns from CDT’s submission.
The Joint Committee on the Draft Investigatory Powers Bill will take all of the submitted evidence under consideration in the next few months before it must – in February – submit recommendations to the whole of Parliament on the Draft Bill. We expect the revised Bill to be considered by Parliament this coming summer, and we will be there every step of the way.