UK Surveillance Powers Bill Slammed For Privacy, Clarity And Targeting Failures

One of the UK parliamentary committees that is scrutinizing proposed new surveillance legislation has published its report on the draft Investigatory Powers bill — and it makes for uncomfortable reading for the government.

Another committee, the Science and Technology committee, had already warned about a lack of clarity in the bill’s language, including on encryption. But the Intelligence and Security Committee (ISC) report is critical of a range of issues — including what it judges to be inconsistent and inadequate privacy protections, and overly broad intrusive powers, including state hacking capabilities.

For its part, the government has claimed an expansion of surveillance powers is necessary to plug what it terms “capability gaps” for the intelligence and law enforcement agencies — although part of the committee’s critique is a failure by the government to provide operational justification for some of the more expansive and intrusive powers it is seeking to legislate for. ISC members are able to review classified evidence, so you might expect the committee to fall more in line with the security services’ perspective on surveillance. But instead it is highly critical of the draft legislation.

Civil rights groups have dubbed the ISC report a “serious body blow” to the draft bill. “Once again the proposals have been defined as too broad and lacking in clarity,” said Big Brother Watch in a statement following the report’s publication.

“We urge the Home Office to take on board the wide-ranging criticisms that the tech sector, civil society, and now even the Parliamentary committee that oversees the surveillance capabilities of the police and intelligence agencies, have made of their proposals,” added Privacy International in another statement. “The ISC’s report is clear on the requirement of a root and branch reconsideration of the legislation, pushing privacy to the forefront.”

In a press statement accompanying the publication of its report, ISC chairman Dominic Grieve calls out the draft bill’s failure to encompass all the agencies’ intrusive capabilities — a key recommendation of a privacy and security report the ISC published last year — as a “missed opportunity” to create the sought-after comprehensive legal framework for all the various surveillance powers.

“Taken as a whole, the draft Bill fails to deliver the clarity that is so badly needed in this area,” the ISC argues. “The issues under consideration are undoubtedly complex, however it has been evident that even those working on the legislation have not always been clear as to what the provisions are intended to achieve. The draft Bill appears to have suffered from a lack of sufficient time and preparation.”

The committee notes the government’s own squeezed timetable in this regard, with current emergency surveillance legislation DRIPA (passed without proper Parliamentary scrutiny, back in late 2014) due to expire by the end of this year, leaving only a small window to legislate to replace the sunsetting powers. The suggestion is that the draft IP bill is a rush job.

The ISC also has some robust recommendations on privacy — and some significant criticism of what it dubs the government’s “piecemeal approach” here.

“We had expected to find universal privacy protections applied consistently throughout, or at least an overarching statement at the forefront of the legislation,” it writes. “Instead, the draft Bill adopts a rather piecemeal approach, which lacks clarity and undermines the importance of the safeguards associated with these powers.

“We have therefore recommended that the new legislation contains an entirely new Part dedicated to overarching privacy protections, which should form the backbone of the draft legislation around which the exceptional powers are then built. This will ensure that privacy is an integral part of the legislation rather than an add-on.”

The committee is recommending what it terms “major changes” to the powers contained in the bill in three areas: equipment interference (aka hacking powers); bulk personal datasets (aka “large databases containing personal information about a wide range of people” which are used by intelligence agencies to identify individuals during investigations, establish links between Subjects of Interest, and verify information they have gathered through other means); and communications data (aka metadata).

On hacking powers it wants to see all associated operations brought under the same legislation — “with the same authorisation process and the same safeguards” — rather than being split with the Intelligence Services Act 1994 regime, as is currently the case.

It is also recommending the provision allowing bulk equipment interference (aka mass hacking) be removed entirely, noting “we have not been provided with sufficiently compelling evidence as to why ‘Bulk’ Equipment Interference warrants are required”, and suggesting that ‘Targeted’ Equipment Interference warrants “can be drawn sufficiently broadly that a separate ‘Bulk’ warrant is unnecessary”.

Critics of the draft bill have previously slammed the overly broad capabilities offered by bulk warrants, noting for example that it is pretty hard to judge proportionality if you don’t know who exactly you’re targeting.

The committee also wants “general class” bulk personal dataset warrants removed from the legislation (class in this context referring to a whole class or type of data such as travel data) — again on the grounds that they are not targeted enough and will inevitably infringe the privacy rights of multiple people.

“As a general principle the Committee consider that class authorisations should be kept to an absolute minimum,” it writes. “In this case, given that each Bulk Personal Dataset potentially contains personal information about a large number of individuals — the majority of whom will not be of any interest to the Agencies — the Committee considers that each dataset is sufficiently intrusive that it should require a specific warrant. We therefore recommend that Class Bulk Personal Dataset warrants are removed from the legislation.”

On communications data, the committee slams the government’s “inconsistent and confusing” approach to examining this. “The Committee considers it essential that the same safeguards are applied to the examination of all Communications Data, irrespective of how it has been acquired. This must be clearly set out on the face of the legislation: it is not sufficient to rely on policy and good practice,” it notes.

A range of additional specific amendments are also suggested by the committee, including a call for a shortening of the five-day-long grace period currently afforded for ‘urgent’ warrants to be back-checked by a judicial commissioner to just two days; a shortening of the length of time allowed for ‘thematic’ warrants (from six months to just one); and “a clear line of separation” between the investigatory teams who are requesting approval for a particular activity and those within the agency that approve it, to name just three of multiple additional suggested tweaks.

“The draft Bill requires this division when obtaining Communications Data but the Agencies are exempt from this requirement,” the ISC report notes on the latter point. “Whilst we have been told that this would create an unnecessary burden and time delay, given how regularly the Agencies use Communications Data, we nevertheless consider separation an important matter of principle and recommend that this is reconsidered before legislation is brought forward.”

Another committee — a joint-select committee — is due to publish its report into the draft bill on Thursday, having taken evidence from a range of witnesses since the bill was introduced to parliament in the fall, including the Home Secretary herself.