The Investigatory Powers Act

Also known as the ‘snoopers’ charter’. The government has just finished consulting on some changes to this prompted by a couple of CJEU (EU Court of Justice) rulings (Joined Cases C-203/15 and C-698/15). So I decided to respond to the consultation. This is my response.


I have one general concern and some specific points to make about these proposals.

My general concern is that these recommendations, along with the Investigatory Powers Act 2016, underestimate the dangers to the public, to security and to this country of keeping blanket records of all individuals’ communications data.

While the EU judgements referred to appear to be framed in the context of planned, limited retention and access of data, the UK government appears to have envisaged blanket indiscriminate retentions, and the tone of the response in these proposals reflects the desire to continue these retentions.

Risks of creating such large repositories of information are well known and well demonstrated in other scenarios (loss of data by banks, NHS, government departments) in spite of the stringent protections now being proposed for this new, much larger repository. Although apparently the security services have been consulted about the Act and these proposals, I would suggest their job is to maximize their apparent success, which will disregard risks to innocent individuals in favour of intelligence successes.

Just to list a few of the attendant risks again:

  • Hacking by criminals and foreign states, or simple theft by rogue employees. This exposes individuals and businesses to blackmail, identity theft, industrial espionage and a host of other interferences which could, at some level, threaten financial systems and state security. This is made worse because many breaches may never be discovered or reported. The weakness of current arrangements could not have been put into starker relief when it transpired that the contractor Carillion, a company under huge pressure and with a poor record for service and governance, was running services in GCHQ itself.
  • Oversharing of information with partners. For example as shown in the Snowden leak – the USA was sharing information with over 700,000 individuals (many working for government contractors with very mixed reputations) with full access while the US government provides very little protection for the data of non-US citizens. In this context it is almost inconceivable that the data wasn’t available to numerous malicious entities. Indeed it cannot be ruled out that the US government or its less scrupulous contractors have already used some of this data for industrial espionage.
  • Spoofing whereby people are targeted by apparently incriminating communications – as in the recent ‘swatting’ case in the USA. This means the security services may wind up spending large amounts of time and even convicting innocent people.
  • Temptation for political use and ‘mission creep’.

This lack of concern over risks to individuals I would suggest is partly due to naivety on the part of ministers – most of whom have no experience in these areas. For example, often quoted is ‘if you have nothing to hide you have no concern’ – completely overlooking the implications for finance, business, leaking of medical information, the potential damage to relationships – a recent episode of the BBC’s ‘Silent Witness’ painted a very plausible scenario where a small breach of NHS data led to murders and blackmail. I think ministers also seem to have little understanding of how useful a large repository of information can be to malefactors who can simply run scanning software looking for likely targets.

Although some effort has been put into only collecting ‘Internet Connection Records’ – these can, nevertheless, contain passwords when, for example, someone accidentally types a password into their browser address bar by mistake. Also it is envisaged that user ids of senders and recipients of email are to be collected. Since it’s unclear how ISPs will collect all this data quickly, it is likely they will ‘retain’ much more than the minimum as a shortcut to compliance. Even if only the intended data is collected, malicious parties can both make the same use as security services intend to make of this data (e.g. by inferring networks of users, plotting movements etc.) and can also use any ‘hits’ for further more targeted attacks on individuals and corporations.

The exclusion of security services from the obligations here points to a possible continuation of the practice of sharing this data with foreign powers including the United States and, as described above, thereby exposing users to indiscriminate access by authorized third parties which is so loose that unauthorized access is certain rather than merely likely. In fact if this blanket indiscriminate sharing continues (or even if it is just allowed) then the retained data should be considered effectively unprotected both in law and in fact.

Another problem with this blanket collection of innocent parties’ data is that it may lead to perverse consequences for the internet with responsible corporations trying to avoid the risks identified above. For example, people (both legitimate and criminal) may flood the internet with bogus communications to disguise real ones. Terrorists may simply write software to invent thousands of ‘plots’ involving innocent citizens or rival groups – severely degrading the information. The ultimate consequence may be a more expensive internet.

My specific concerns are:

    1. There is no clarity describing what may be retained vs what may be accessed. I suspect this ambiguity is to allow the blanket retention envisaged. It should be clarified whether the retained data may contain more than the absolutely required information and clearly laid out that the overwhelming number of individuals subject to retention will have no connection with the actual object of the retention.
    2. The reliance on ISPs to retain, store and protect data provides a further weakness while at the same time allowing the government to disavow responsibility for leaks of data it itself instigated the collection of. This seems wrong, especially when it comes to data being collected for the security services. To this extent this type of collection may be considered to fall under EU competencies for example.
    3. The proposals (‘significance of communications data in prevention and detection’) fail to analyse where targeted data collection would have been successful vs blanket collection.
    4. Penalties and redress for breaches etc aren’t laid out here (maybe they are in the Act?) beyond a rather weak right to go to a Tribunal to contest the retention (which presumably is pointless under blanket retentions). This area again seems problematic if ISPs have to take out insurance against claims.
    5. It seems perverse to remove tax evasion from the list of reasons for collection of data and suggests political motivation.
    6. It is asserted that going through the Officer for Communication Data Authorizations is to be the main route for data to be retained / acquired. For blanket retention this is clearly vacuous but for authorizations there appears to be no indication why the various authorities would prefer this to the ‘urgent’ requests where an ‘officer’ can authorize it. At the very least all urgent requests should be scrutinized after the fact.
    7. Because in many cases government employees or employees of companies will make requests, they are unlikely to be too concerned about penalties for incorrect use (because they won’t personally be liable), so the only recourse seems to be to make any unauthorized access a criminal offence.
    8. I would suggest that only government-employed authorized officials are ever given direct access to private data except in the normal circumstances where it is released for public interest reasons.
    9. I was not convinced by the argument to disregard the obligation to notify people their data was being retained ‘once the danger had passed’.

So to reiterate – in my opinion:

Government significantly underestimates the risk to personal privacy in this regard.

The general effect of this blanket data gathering will be to expose honest citizens while criminals will take action to protect themselves and exploit the data of honest citizens.

 
