On November 4, the United Kingdom’s Secretary of State for the Home Department, Theresa May, presented a draft bill to Parliament that would revise and consolidate the UK’s existing legislation on secret surveillance. The bill—known as the Draft Investigatory Powers Bill—is the most recent of a long-running series of efforts by the Home Secretary to widen the scope of the UK’s Internet surveillance powers. The bill takes the positive step of consolidating the country’s surveillance laws into a single act, and clarifies that the content of communications cannot be the subject of bulk interception warrants if those communications are both sent and received in the UK. (The UK’s intelligence agencies had previously claimed they could lawfully intercept certain domestic communications in bulk if the communications were processed by Internet service providers based outside the UK, including large tech companies in the US.) However, the legislation would also give the force of law to a set of extremely intrusive and wide-ranging surveillance practices that are not consistent with the UK’s obligations under the European Convention on Human Rights or European Union law.
Moreover, although the Home Secretary has portrayed the new surveillance authorization system the bill would create as a “double lock” that would prevent abuses, the reality is that this system would be severely undermined by its lack of independence as well as by procedural flaws that would place a heavy thumb on the scale in favor of surveillance.
At present, the bill remains a draft and has not yet been formally introduced. In the meantime, it is imperative for the Home Secretary to place much stronger limits on the surveillance authorities the draft bill grants and improve the proposed oversight mechanism.
Intrusive, Dangerous, and Bulk Surveillance
Among the highly invasive surveillance practices the draft bill would cement, create, or expand are:
- “Equipment interference,” also known as hacking, which the government could do in bulk and which would severely jeopardize both privacy, security and trust. Under the draft bill, the Home Secretary could issue warrants for secret interference with devices—or even entire systems—to obtain broad categories of communications and other private information. Perhaps most astonishingly, the draft bill provides that such interference may involve the secret visual and/or audio recording of individuals without their knowledge, as has reportedly already occurred under the Optic Nerve program revealed by Edward Snowden. Furthermore, the vulnerabilities that such hacking may create in devices or systems could leave them open to further exploitation by criminals or hostile governments. Additionally, users’ knowledge that their government may seek to monitor them through (for example) the surreptitious delivery of malware may inhibit them from trusting and installing the software updates they receive—including critical security updates.
- Bulk and indefinite interception of the content of private communications, as well as “targeted” interception that may be discriminatory or excessive. The draft bill provides for bulk interception warrants for the monitoring of any private correspondence between people in the UK and those outside the country. Although these warrants would only initially be valid for six months, they could be renewed indefinitely for additional six-month periods. Even where the authorities are seeking to intercept content in a “targeted” manner, the draft bill would empower them to monitor groups of people “who share a common purpose or who carry on, or may carry on, a particular activity.” The latter provision— which also appears in the section of the bill concerning targeted equipment interference — may lead to surveillance that is discriminatory or excessive: for example, it might cover everyone who visits a particular house of worship (since they might be regarded as sharing a common purpose or carrying on a particular activity).
- Bulk and indefinite collection of communications data, also known as metadata — that is, information about a communication such as its sender, recipient, date, time, and duration. The publication of this draft bill represents the first time the UK has publicly acknowledged that it collects its own citizens’ communications data in bulk. It also represents a significant rejection of the rights protections that have recently been adopted in the United States through the USA FREEDOM Act, which ended the nationwide collection of telephone metadata and outlawed the bulk domestic collection of Internet metadata. Under the UK draft bill, even the “targeted” collection of metadata could lead to the monitoring of very large numbers of people, since the bill would allow the authorities to conduct such surveillance for such broad purposes as “preventing or detecting” any criminal offense (however minor), “preventing disorder,” and assessing or collecting taxes. It is also disturbing that the bill would not give any independent oversight mechanism a role in authorizing the targeted collection of metadata, and would further allow senior law enforcement officers to order such collection in their own investigations — without any external approval at all—in some circumstances.
- Mandatory blanket data retention by companies, including records of websites a user has visited — a practice CDT believes would be a clear violation of EU law as set out in the Court of Justice of the European Union’s recent judgment in Digital Rights Ireland. The Home Secretary could unilaterally order companies to retain users’ data simply by issuing a notice (without even the nominal initial oversight provided by the Judicial Commissioners; see below). These notices would be valid for up to a year, and the Home Secretary could renew them indefinitely. The companies that could be forced to retain such private data include “a particular operator” such as Google, or “any description of operators,” such as (for example) all search engines. Additionally, the mandates could be sweeping: under the legislation, they could require the companies to retain “all data or any description of data.” These data could even include Internet connection records: that is, a log of every website an individual has visited, although reportedly not each page within a site.
- Potentially, weakening encryption, risking further privacy breaches and affecting users around the world. Under the current legislation, the UK authorities have the power to order users or communications service providers to decrypt communications, at least where the individual or company concerned has the encryption keys (or otherwise has the ability to decrypt the information). The draft bill, however, empowers the Home Secretary to impose obligations on companies “relating to the removal of electronic protection” they have applied “to any communications or data.” In practice, this may mean that the Home Office plans to issue regulations that would effectively prevent companies from protecting communications through end-to-end encryption. If this is the case, the weakening of encryption could lead to further privacy breaches and would also affect users worldwide: as Apple CEO Tim Cook has observed regarding these draft laws, “Any back door is a back door for everyone.”
Certain differences that are not discussed here would apply in Scotland.
Critically, the legislation would allow the UK authorities to issue any of the above-mentioned warrants, authorizations, or notices to communications service providers outside of the country, meaning that UK mandates (including those that do not per se involve the weakening of encryption) could ultimately have an effect on users and companies elsewhere.
Weak Oversight Incapable of Preventing Abuses
Meanwhile, although the new legislation would create a body of “Judicial Commissioners” who would be responsible for approving the Home Secretary’s surveillance warrants, the reality — as commentators increasingly point out — is that these commissioners would not provide scrutiny and oversight in the way a traditional court would, nor would they have the independence enjoyed by judges in such courts. As a result, this mechanism would not be capable of preventing abusive surveillance practices.
- The Judicial Commissioners, the head of whom would be known as the Investigatory Powers Commissioner, would be appointed solely by the Prime Minister; Parliament would not have a role in vetting or approving candidates, nor would any other independent body (although the each of the commissioners would need to hold, or have previously held, a high judicial office). The Prime Minister would be required to consult only with the Investigatory Powers Commissioner before appointing other Judicial Commissioners. These factors greatly increase the risk that the ruling party will be able to select commissioners who are sympathetic to its own wishes in the area of surveillance, without adequate transparency or accountability.
- The Judicial Commissioners and IPC would be appointed exclusively by the executive branch — the same branch of government that is conducting the surveillance.
- The Judicial Commissioners would review the Home Secretary’s decisions to issue warrants or authorizations based on what is known in UK law as the “judicial review” standard, which is relatively weak and would not involve a full, independent assessment of the relevant evidence. This weakened standard has prompted the UK organization Liberty to describe the commissioners’ oversight function as “a rubber-stamping exercise.”
- If a Judicial Commissioner other than the IPC decided not to approve a surveillance warrant or authorization, the Home Secretary would get a second bite at the apple: she or he could approach the IPC in the hopes of obtaining a different decision.
- In “urgent” cases, the Home Secretary or other authorities would be able to conduct the surveillance for up to five working days after the day on which they issue the relevant warrant or order before getting approval from a Judicial Commissioner. If the commissioner ultimately decided not to approve the warrant or order, she or he would not be obligated to order the destruction of the collected data.
- Judicial Commissioners would serve three-year terms that could be renewed indefinitely; however, they would not have guaranteed lifetime tenure. This raises the specter of commissioners who could be long-serving but whose positions would be inherently insecure, raising a risk that their independence will suffer in practice.
- The Judicial Commissioners would have no role in approving data retention notices (see above) or the targeted surveillance of metadata, except where the latter is done to “identify or confirm journalistic sources” — itself a highly problematic proposition — or is conducted by members of a municipal authority.
The UK, and the users worldwide whose privacy and security would be affected by these measures, deserve far better than this. In line with the UK’s commitments under human rights law and EU law, all surveillance should be strictly necessary and proportionate. Moreover, these types of surveillance demand a strong, expert level of authorization and oversight, using stringent legal standards that are fully capable of protecting individual rights. The draft Investigatory Powers Bill falls far short of even the minimum protections that are necessary and must be revised.