New U.K. Comms Data Capture Bill Incoming This Week

Reminder: The U.K. government is preparing to publish a draft bill aiming to strengthen and shore up the intelligence and security agencies’ capabilities in the digital era. The proposed legislation, called the Investigatory Powers Bill, is expected to be published on Wednesday — kicking off the parliamentary debate process in earnest as MPs and a special committee get to pore over the proposals in detail.

The bill will replace the contentious DRIPA (which has a sunset clause of 2016): aka the data capture legislation pushed through the House of Commons with unseemly haste back in 2014, as the then-coalition government claimed emergency legislation was necessary to plug the gap left after European data retention powers were struck down as disproportionate by Europe’s top court.

Earlier parliamentary debates on the impending U.K. Investigatory Powers bill have included MPs asking the Home Secretary, Theresa May, whether the government will be adopting specific independent recommendations — such as from the Anderson report — that judicial sign off be required for intercept warrants, rather than allowing senior ministers to grant warrants as is the case now.

Speaking in an interview with the BBC yesterday, May said her decision on this point would be revealed when the bill is presented to Parliament on Wednesday.

As others have also noted, the government PR engine has been spinning up ahead of publication of the draft legislation with May attempting to paint the bill as ‘watered down’ compared to her prior attempt to legislate in this area — aka the 2012 Communications Data bill — which had been dubbed a ‘Snoopers’ Charter’ by critics.

That earlier bill failed to get the support of enough MPs to pass through Parliament. The government clearly wants to avoid being handed another legislative scalp.

“It doesn’t have some of the more contentious powers that were in that bill. So, for example we won’t be requiring communication service providers from in the UK to store third-party data, we won’t be making the same requirements in relation to data retention on overseas CSPs,” said May yesterday, of the new bill.

“And crucially, we will not be giving powers to go through people’s browsing history. That is not what the investigatory powers bill is about.”

However media reports suggest ISPs will in fact be required to retain web browsing history for 12 months and this data will be accessible to intelligence and security agencies without a warrant — with only specific pages visited within a website requiring the authorization of a warrant.

It remains to be seen exactly what the bill will propose but measures to sanction state-powered hacking are another possibility, given such powers were also mooted in the Anderson report as a possible workaround for strong encryption.

There have been recent moves by the government to clarify some of its anti-encryption rhetoric — with the Internet Safety Minister last week stating the government will not be attempting to ban encryption, as Prime Minister David Cameron had appeared to suggest earlier this year.

But given that a ban on encryption would never have been workable (not to mention politically untenable), this encryption ‘u-turn’ is best viewed as a strategic exercise in misdirection — i.e. to detract from other measures the government is seeking to control, and screws it does plan to tighten, in the incoming legislation.

“Encryption is important for people to be able to keep themselves safe when they are dealing with these modern communications in the digital age but we will be setting out the current position, which does enable the authorities with proper authorisation to issue warrants,” May told the BBC yesterday.

What would happen in the case of a warrant being issued on a service provider to decrypt data when they have implemented end-to-end encryption and thus have zero access to the data being sought remains to be seen.

Another area the bill is expected to tackle is the oversight regime for investigatory powers — with a view to replacing the problematic, 15-year-old RIPA legislation with a clear legal framework for surveillance. On this point, the Anderson report noted:  “The current law is fragmented, obscure, under constant challenge and variable in the protections that it affords the innocent.  It is time for a clean slate.”

We’ll find out more on Wednesday when the draft bill is finally made public.

At the same time as the U.K. seeks to legislation for greater data retention powers, Europe as a whole continues to move the other way — with the European Court of Justice last month invalidating the 15-year-old Safe Harbor data-transfer agreement between the EU and the US owing to concerns about the privacy impact of government mass surveillance programs on European’s fundamental privacy rights.