In the United Kingdom, Parliament is currently considering the Investigatory Powers Bill, which will encompass all government surveillance powers. This Bill is necessary and welcome in that it makes public all available surveillance powers, many of which were previously undisclosed. However, it is hugely problematic from a human rights perspective. It affords the government wide-ranging, invasive powers, without providing an adequate judicial check on the exercise of these powers. Also, the Bill is worded so vaguely that it is difficult to determine exactly what the government may or may not do. Privacy campaigners are so worried about the proposed scheme that they have compared the Bill to surveillance laws in Russia and China.
Last week, the Public Bill Committee, which was charged with marking up the Bill, reported its amendments to the House of Commons. During the Committee stage, civil society groups proposed amendments to remedy the ways in which the Bill undermines privacy rights and the freedoms of expression and opinion. Many of these amendments were tabled, i.e. discussed and put to votes. However, the Committee adopted none of them. The House of Commons as a whole has a final chance to amend the Bill during the upcoming Report stage, after which it will pass to the House of Lords.
Below are some of the major problems with the Bill, and our thoughts on how the House of Commons could address them:
Bulk and thematic warrants
The Bill provides for bulk interception and acquisition warrants. Interception warrants allow surveillance of the content of communications in real time, while acquisition warrants allow the government to collect communications data – or metadata – from service providers. These bulk powers will allow the government to access any communication in the world that it is technologically capable of accessing, when either the sender or recipient is outside of the British Islands. A thematic warrant, while supposedly targeted, permits the surveillance of members of groups who share a common purpose or engage in a particular activity. It also permits surveillance of multiple organizations and multiple premises within the UK. This, for example, could include all members of a particular religion or political party.
The great scope of these powers creates the possibility of nearly ubiquitous surveillance. At the very least, this is incompatible with the European Court of Human Rights’ requirement for individualized suspicion in surveillance.
The House of Commons should remove bulk powers from the Bill, and also remove or narrow the scope of thematic warrant provisions.
The Bill authorizes “equipment interference (EI),” a euphemism for government hacking. EI powers are poorly defined and can include a variety of activities, such as undermining the security of a computer or device by altering its code for greater access, or turning on a camera or microphone without the user’s knowledge. Additionally, the Bill permits thematic and bulk equipment interference warrants, the consequences of which are almost inconceivable.
Yet neither the Bill nor a draft code of practice (i.e. regulations) provides an exhaustive list of permissible activities. This is inconsistent both with the rule of law generally and with the European Court of Human Rights’ requirement that a surveillance law give adequate notice by providing sufficient detail about the surveillance activity that is authorized.
An exhaustive list of permissible equipment interference activities should be added to the Bill, or at least inserted into a code of practice before the House of Commons votes on the Bill. Also, provisions allowing bulk warrants should be removed, and the scope of thematic warrants narrowed.
End-to-end encryption “scrambles” a communication, so that only those with a key (e.g., only the sender and recipient, and not the service provider or manufacturer) can “unlock” the communication and read it. A “backdoor” provides a third party with a copy of this key, which makes the communication accessible. It also allows anyone capable of hacking into the third party’s system, or bribing an employee of the third party, to acquire the key and access the communication.
The Bill may enable the government to mandate backdoors. It allows the government to send a technical capability notice to a service provider, which, among other things, creates “obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data” when it is “reasonable” and “practicable.” Currently, the government accepts that it is not reasonable and practicable for a service provider to decrypt end-to-end communications when it does not possess the key. However, the Bill does not codify this policy. Given the US government’s recent attempts to impose backdoor requirements on Apple, it is likely that the UK government will act similarly.
If the UK, which has been influential in setting standards for democracy and the rule of law worldwide, undermines encryption in this way, it would set a precedent that authoritarian regimes would surely adopt. Alternatively, they could simply exploit the vulnerabilities created by backdoors for the UK government. This would deprive reformers of one of the few tools they possess to facilitate their work and avoid persecution.
The Bill should be amended to explicitly state that the government will not consider it reasonable and practicable to require decryption of end-to-end encrypted communications.
The Bill states that a Judicial Commissioner will decide whether to approve a warrant issued by the Secretary of State or other appropriate authority, after evaluating the decision according to the judicial review standard. In UK courts, judicial review is a very deferential evaluation of a law or decision, which focuses not on its merits, but rather looks only for irrationality, illegality, or procedural impropriety.
By precluding an independent assessment of the facts, this authorization scheme would not prevent abuse of the government’s immense powers. It would be inconsistent with universal democratic principles, as well as European Court of Human Rights case law, which requires merits-based judicial assessments for surveillance.
The Bill should be amended to ensure that a Judicial Commissioner will review the factual basis for suspicion, which could most easily be done by striking the sub-clauses that call for judicial review.
One last chance
The House of Commons is about to approve legislation that could make surveillance in the UK ubiquitous, and powerful surveillance authorities unaccountable. Also, by serving as a model for the rest of the world, it puts human rights at risk everywhere.
This post outlines major problems with the legislation, about which CDT has submitted evidence (public comments). Yet these make up only a small portion of the Bill’s shortcomings. Other problems include the vague definition of internet connection records, which could be interpreted to allow the retention and collection of a user’s entire browsing history; threats to lawyer-client and journalistic privileges; and extraterritorial jurisdiction. This information is not new to Members of Parliament, as human rights advocates and technologists have commented on these problems repeatedly.
During the upcoming Report stage, the House of Commons as a whole will have its last significant opportunity to improve the Bill. We are hopeful that it will adopt amendments to address these concerns. After the vote in the Commons, the Bill will move to the House of Lords for further consideration.