Investigatory Powers Bill: Security Vs Privacy

30 Jun, 2016

The UK government is soon to introduce the Investigatory Powers Bill with the intention of cracking down on legal transparency, but while the Human Rights Committee deems this a “significant step forward,” it states that there is a need for more safeguards.

UK MPs and their peers have stated that the collection of personal data on a large scale is not “inherently incompatible” with privacy laws. Civil liberties groups are concerned over privacy infringement surrounding the bill. The bill is in its last stages of approval after a thorough year of amendments due to the opposition of three parliamentary committees. Labour has recently backed the Tory government’s proposed law and the bill is now sat before the House of Lords.

The joint committee heading up the bill says the powers it allows are not “inherently incompatible with the right to respect for private life,” and are “capable of being justified if they have a sufficiently clear legal basis, are shown to be necessary, and are proportionate.” It did however also state that further improvements are called for “to enhance further the compatibility of the legal framework with human rights.”

Some MPs state the bill’s clauses are “too broadly drafted” and should be narrowed to prevent larger groups of the public falling under its radar.

So the questions that arise are: Where is the moral and legal line drawn? How can the clauses be less vague? How can we make sure the right targets are under the scope?

This month Lawyer Monthly spoke to several sources in the legal, political and technology fields on the matter; here’s what they had to say.

Yuval Ben-Moshe, Senior Forensics Technical Director at Cellebrite, a leading provider of mobile forensic technology:

“There’s been much debate over Home Secretary Theresa May’s Investigatory Powers Bill. The legitimate concerns over the general public’s privacy point to the importance of taking measures, with technology, to promote safeguards and ensure compliance while also proceeding forward to deal efficiently with emerging threats.

“Digital forensic analysis, especially on mobile devices and Cloud stored data, now plays such a key part in criminal investigations as all of us now have a digital footprint reflecting our character, whereabouts and future plans.

“In specific cases that warrant action, if intelligence agencies are granted access to an individual or group’s mobile and online activity, the data should be handled sensitively and by fully trained and qualified professionals. It’s important for agencies to have the correct technology in place to ensure forensic investigations are as full, accurate and focused as possible on extracting and analysing only the data relevant to bring those responsible for criminal activity to justice, as well as proving innocence.”

Jonathan Parker-Bray, CEO and Founder of Pryvate (a new network agnostic encryption app that allows all business and personal communications to remain private and free from hacking):

“We would agree strongly that there does need to be an updating and an expansion of legislation to account for the digital age. However, this should not override every UK citizen’s hard-fought right to privacy nor hamper the essential security requirements for businesses to thrive. We believe that law-abiding individuals and corporations have a fundamental right to privacy, and everyone should have the right to choose whether or not to keep their communications private. The Government must seriously consider the potential damage that the Investigatory Powers Bill could do to the UK economy when debating the bill. It’s important that they do not react to a tragedy with an unconsidered response, that will have little or no effect on national security, but will have an impact on both people’s and business’ right to privacy.

This is especially the case in the legal world, where professionals have both ethical and legal responsibilities to protect their clients’ data. It’s therefore increasingly imperative that lawyers and law firms should be free to take all reasonable steps to ensure their clients are safe from cybercrime and surveillance, using whatever encryption tools are at their disposal to achieve such ends. Using services that encrypt email, texts, instant messages, file transfers, storage etc. to ensure they can’t be intercepted or traced, should be one of the first actions taken by a legal company’s IT team to ensure that the government cannot abuse its powers.”

Willy Leichter, Vice President of Marketing at CipherCloud, a specialist cloud security firm:

“The UK IPB is unclear and problematic in a number of areas. Similar to other laws that seek to control new technology, the drafters seem to have an incomplete understanding of technical realities. For example:

–              The IPB allows collection of data on websites visited, but not specific web pages. This is an arbitrary and often meaningless distinction – many URLs point to specific web pages, and home pages often reveal extensive content. Imagine law enforcement learning that you’ve read the ‘Communist Manifesto’ but saying ‘we’re not snooping on which pages you’ve read’.

–              The bill seems to have reasonable judicial oversight, but then allows sweepings powers to intercept bulk data. This will inevitably lead to collecting massive amounts of data on citizens who are in no way connected to investigations.

–              The law requires CSPs to “assist” law enforcement. This is a very slippery slope – with the Apple encryption case, the FBI sought to have Apple right new software to break into own systems. Essentially, this can require CSP technicians to be forced into compulsory hacking.

–              Most troubling, the bill creates a new criminal offence for CSPs or employees who reveal that data has been requested. Imposing gag orders on providers who are forced to assist can lead to massive, unchecked overreach, and a general loss of public trust in the integrity of the cloud.

–              The bill appears to be extremely naïve around the topic of encryption. It requires CSPs to decrypt information that they have encrypted. This is completely meaningless as individuals, businesses, and terrorists alike can all use their own encryption, which is impenetrable by the CSP.

The bill also stipulates that foreign CSPs will not be required to decrypt data – simply recognition of what would be impossible in a connected world.

Overall the IPB is a strange combination of very targeted and seemingly limited steps, along with sweeping data collection powers, broad unchecked legal authority and gag orders that will stifle oversight and legitimate objections from service providers.”

Paul Oliver, Solicitor at Stokoe Partnership Solicitors, a criminal litigation practice that specialises in defending very serious crime:

“The IPB has rightly been heavily scrutinised, however, it is important to remember that individual freedom and liberty is a key aspect of liberal democracies, and the starting point should therefore be the principle of protection from intrusion by the state, with specific exceptions being made only where it can be justified.

It has been previously shown that warrants are a very important mechanism for this, requiring state agencies to obtain judicial authority for specific, and limited, powers of intrusion. The importance of this was noted by the Parliamentary Intelligence and Security Committee (PISC), which commented as follows: “privacy protections should form the backbone of the draft legislation, around which the exceptional powers are then built… privacy considerations must form an integral part of the legislation, not merely an add-on.”

It has been suggested that a ‘Class Warrant’ for Bulk Personal Data, rather than specifically targeted warrants, would make for a broad brush approach. In this case, particularly, this would have harmful effects, catching many more people in the net whose privacy will be invaded without just cause. Naturally – by making it more difficult to pin down and scrutinise the justifications for such wide ranging action – this increases fears surrounding the bill.

The PISC has stated that “class authorisations should be kept to an absolute minimum and subject to greater safeguards”, and have gone further, saying that Class Bulk Personal Dataset warrants should be removed entirely from the legislation. These would increase the safeguards for privacy in the bill, putting the onus on security services to ensure their case to place any targets under surveillance would only be approved after undergoing judicial scrutiny, rather than simply bundling through whole groups of people in Class Warrants.”

Nicola Fulford, Head of Data Protection and Privacy at Kemp Little, a boutique technology-focused law firm based in London:

Current privacy law permits interference with an individual’s right to privacy by public authorities only where it is: (1) in accordance with the law; and (2) it is necessary in a democratic society to achieve a legitimate aim (such as in the interests of national security). To withstand legal challenge, any interference with the right to privacy needs to be proportionate to what is being achieved by the interference. Legally, there is a balance to be struck between the right to privacy on the one hand, and national security on the other hand. This balancing act involves moral and legal dimensions, which are inherently intertwined.

Clarity and proportionality in the legislation is key in order to avoid challenge of the IPB on human rights grounds. The definition of ‘internet connection records’ in the Bill needs to be clarified, as there is currently no consistent understanding of the term and the requirement for businesses to keep records of information not currently captured could have significant operational and cost implications on those affected.

The IPB does not require a warrant to access ‘internet connection records’ but it does require a warrant to access ‘content’.  This division is technically difficult to implement in practice and would require internet companies to filter through data in order to separate what can and cannot be released without a warrant.

The bulk surveillance powers in the Bill mean that it won’t always be the personal information of individuals posing a risk to national security that is accessed by the authorities. Access to irrelevant personal information can be avoided by targeting investigatory powers where there is a suspicion of a serious crime being committed. This will also help to ensure that the use of surveillance is proportionate to achieving a legitimate aim. Privacy intrusion can be further minimised by making sure that the data is only accessible by organisations on a need to know basis. HMRC currently has the same investigatory powers as intelligence services under the Bill, which does not seem necessary and proportionate.

Finally, proper scrutiny is vital in making sure that the right targets are under the scope of any bulk surveillance. There are safeguards included in the Bill in the form of Judicial Commissioners who need to approve warrants. From a privacy perspective, these safeguards could be further strengthened to ensure that only the right targets are under the scope of any surveillance.

To read more stories like this, and stay up to date with the latest Lawyer Monthly news, click here to subscribe.

About the author

Related Posts

Leave a reply