Push For Greater State Surveillance Powers Could Have Chilling Effect On U.K. Tech Sector

The U.K. government is lining up a new piece of legislation to expand the state’s digital data capture powers. The incoming bill, the Investigatory Powers Bill, was announced in the Queen’s speech this week. It has not yet been published in draft form so specific details of what is being planned remains unclear, but in recent times the Conservative party has been banging the drum to expand the type and volume of captured comms data. The U.K. Prime Minister has even appeared to suggest that strong encryption should be outlawed.

The Telegraph newspaper this week suggested new powers to be outlined in the Bill will require companies like Google and Facebook to give U.K. intelligence agencies access to the encrypted conversations of suspected terrorists and criminals. That scenario presupposes Internet companies have the ability to access their users’ encrypted messages. While that is certainly true for some digital services with a sloppy attitude to security (or with business models that rely on data mining their users), others, such as Apple, claim they intentionally do not hold encryption keys — which presumably sets up a legal clash with security- and privacy-conscious tech companies and the U.K. government. Does the Tory government intend to make iMessage illegal? That really will be a *gets popcorn* moment…

The Tory’s prior attempt to expand the state’s data capture powers, the Communications Data Bill — widely criticized as a ‘Snoopers’ Charter’, on the grounds that it would have required ISPs to retain detailed data on web usage — failed to pass through Parliament owing to the lack of support from the Conservative’s Lib Dem coalition partners. The new Tory majority government has no such limitation. Former Lib Dem MP Julian Huppert, who lost his seat in the election this month but was a prominent critic of the Communications Data Bill, tells TechCrunch he has concerns about the surveillance powers that the government will be pushing for.

The concept of keeping track of every website everybody ever goes to, or of requiring ISPs to keep track of what you do on Facebook all the time are deeply intrusive.

“We’ll have to see how much they’ll try and throw in to it. When they were trying to push the Communications Data Bill, initially, the first version was incredibly broadbrush and afforded powers to do any data collection. They then admitted, during the process of our [parliamentary committee] enquiry, that actually there were only three things they particularly wanted. One of which was IP addressing matching, which there was good evidence for and we agreed to do… One was about requiring ISPs to keep track of web logs, effectively. So a list of every website you go to, and things like that. And the third thing was to have a power to require ISPs to keep track of third party information — so what you do on Facebook, what you do on any other site,” says Huppert.

“Those were the three things they said they wanted. The IP address matching basically was the only thing they had any evidence for. And it doesn’t involve any significant privacy intrusions but has huge advantages. Whereas I think the concept of keeping track of every website everybody ever goes to, or of requiring ISPs to keep track of what you do on Facebook all the time are deeply intrusive. And actually they couldn’t come up with any significant evidence of why it was useful.”

“There should be a clear piece of legislation that sets out what is ok, what is not ok, what the processes are for changing it. And it needs to be written with an acceptance of the need for accountability. And the need to have as much transparency as is consistent with the genuine requirements for operational work. But that’s not the approach that’s been taken before. It’s not the approach that the Home Secretary has previously urged. Maybe she will change her mind this time but I’m sceptical,” he adds.

“I worry that the Home Secretary will largely try to simply procure more powers for the state without justifying it or consider the count of balancing issues that there are. And certainly, like we’ve seen with the Prime Minister’s comments about encryption, those are huge threats to the UK technology sectors. And is definitely not the right way to proceed.”

Beyond the overreach and privacy intrusion of having the state require systematic logging of citizens’ web browsing habits and social media activity, another reason to oppose more expansive state data retention is that it makes the intelligence agencies’ job harder — given it increases the noise to signal ration, as Huppert notes.

“There’s no doubt that if you demand more things you have more data, and if you believe that the problem the intelligence services face at the moment is a shortage of data then it would address the problem. I think the problem is they don’t know what to do with all the data that they have. If you look at the killing of [U.K. soldier] Lee Rigby for example the problem isn’t that they have no idea. The problem is they have so much data they couldn’t prioritize it properly,” he argues.

“So unlike IP address matching where there really was a strong case, there isn’t a clear case here. Beyond ‘we can think of some situations where it might be useful’. And I think one of the things that people should look very very carefully at this is what is the evidence for any of the claims that are made. We certainly found the ones given initially were, I think the word we used was ‘misleading’.”

He also notes that the Joint Committee report on the draft Communications Data bill was hugely critical about the lack of data ministers were able to provide to support assertions that expanding data capture powers for counter-terrorism purposes would save lives. So that’s another thorny problem with legislation in this area — the government can and does shroud its arguments in claims of national security secrecy. Saying, in essence, ‘we need more data — but we can’t tell you why’.

And where the U.K. Parliament’s Intelligence and Security Committee should be playing a robust role in holding the government to account in such a sensitive area, Huppert says there has been further failure. So he’s also not putting much store in claims that the Investigatory Powers Bill will “provide for appropriate oversight and safeguard arrangements”.

“We do need better oversight. The intelligence services play an incredibly important role and we want them to be able to do their jobs in a clear and accountable way. But the ISC has not played that role,” he adds. “The Investigatory Powers Tribunal ruled against the government but the executive response was to do nothing and soon after deny that the ruling had happened. So I don’t have much confidence in that.”

One portion of U.K. legislation he does support overhauling is RIPA. Aka the Regulation of Investigatory Powers Act 2000, which regulates the powers public bodies have to carry out surveillance and communications interception. Briefing notes for the Investigatory Powers Bill state it will aim to “modernise our law in these areas and ensure it is fit for purpose”.

RIPA has been criticized for years for eroding press freedoms and sanctioning disproportionate surveillance — by, for instance, enabling police and local councils to spy on journalists. Or, in another instance, a local authorities to check if a family was living in a school catchment area. So there’s a clear need for ripping up RIPA and starting again.

But again Huppert has concerns about the government’s approach here.

“RIPA does need to be re-written. There’s no doubt about that,” he says. “It is an atrociously written piece of legislation… I think that everybody agrees RIPA is not fit for purpose. And that would include strong critics like myself but also if you look at some of the things that [Commissioner for the Global Commission on Internet Governance] David Omand has said… He’s argued for full public and parliamentary understanding of new powers… So I do think we need to have a re-write of RIPA but the correct way to do that is through the joint committee process, thinking about it slowly and carefully — not something rammed through by a new government eager to get on with it.

“And the intention, which the Tories had agreed to or stated publicly, was that [to get this balance] there would be a joint committee set up between both houses to consider how to re-do RIPA. And it does seem to me that they are jumping the gun somewhat on it.”

Huppert is not alone in his concerns either. This week a UN report dubbed encryption an essential tool for protecting the right of freedom of opinion and expression in the digital age. While Sir Tim Berners-Lee, inventor of the world wide web, called for checks and balances on government surveillance. Speaking at an Internet festival taking place in London this week he asked of politicians: “Can you show us that you can build a system which is accountable to us, where when the security services take the ability to look at private data, they do it in a way where it goes through a court, they do in way so my personal data is not going to be snooped on and when people do have their data snooped on it’s only used in a very serious process of tracking down organised crime and terrorism?”

The Investigatory Powers Bill is one of a series of initial bills announced in the Queen’s speech, which sets out the government legislative agenda for the new Parliament — so shoring up and expanding state surveillance and data capture powers is evidently front of mind and a clear priority for the new U.K. government. How that preoccupation with supporting and enabling greater state powers of intrusion on the one hand vs an apparent desire to modernize problematic older laws pertaining to interception powers plays out remains to be seen. But the government’s anti-encryption rhetoric suggests another serious clash of politics vs technology is incoming — the outcome of which will ripple out to affect both U.K. web users and their online behavior, and global companies doing business in the U.K.

The U.K. is often referred to as the most surveilled country in the world — typically a reference to the pervasive use of CCTV. At the last count there were estimated to be between 4 million and 5.9 million of these surveillance cameras in the U.K. (which has a population of around 64 million), although the vast majority are privately owned and operated — rather than being directly controlled by the state. (The number of publicly operated cameras in England and Wales is around 100,000.)

This month the U.K.’s surveillance camera commissioner warned that budget cuts are forcing councils to switch off CCTV cameras. But the idea that state surveillance capabilities will diminish because of shrinking government resources seems fantastical. Rather the role of providing state surveillance apparatus continues to be outsourced to private operators. So U.K. police and intelligence agencies obtain whatever CCTV footage they’re after from the private operator funding a camera in their shop or carpark or driveway — or, hey, even that in-home Dropcam or the lens on that life-logging wearable that never stops recording what’s going on around you. Imagine the power of state surveillance tapping into an expansive Internet of Things infrastructure that ceaselessly gathers real-time data on every point of human intersection — public and ‘private’.

When it comes to surveillance of digital comms data, this same outsourcing modus operandi used with CCTV is being applied by governments to Internet companies — with the U.K. government now preparing to push one of the most hawkish data retention agendas in the Western world, and that despite the censure that has been directed at systematic digital dragnets in the wake of the Snowden revelations. How hugely powerful commercial digital platforms respond to being co-opted as the coal face of state surveillance, where their user data is then subject to systematic mining by the state as a byproduct of citizens’ digital participation, continues to be one of the most pressing issues of our technology-fueled times.