The Investigatory Powers Bill recommendations for the Labour Party March 2016
Executive Summary The Investigatory Powers Bill (IPB) marks the culmination of the debate about mass surveillance in the UK. On the one hand, it is an extraordinary step forward. It brings the activities of GCHQ, Britain s communications spy agency, out into the open and gives them a firm legal basis. On the other hand, the Bill enshrines into law many of the surveillance practices that have generated public concern, while offering inadequate safeguards to prevent their misuse. Worse still, the effectiveness of the proposed powers remains in doubt. There is strong reason to believe they are at best a distraction from effective counterterrorism techniques, and at worse wholly counter-productive. This briefing covers a range of issues in the debate around the IPB, including the Bill s likely impact on privacy, the potential for misuse and the proposed oversight system, encryption, and the efficacy of the powers. LCHR supports a Bill that would switch to a system of targeted surveillance, incorporating the highest standard of safeguards and protecting encryption. To this end, we recommend Labour MPs pursue the following changes to the IPB: Remove the section of the IPB proposing bulk retention of internet connection records in its entirety. Replace provisions for bulk communications intercept with targeted intercept only, abolishing the system of general warrants and replacing them with a system of individual warrants issued on the basis of reasonable suspicion. This will be more effective and avoid alienating communities. Switch from a system of ministerial authorisation of interception warrants to a system of judicial authorisation, with a judge playing the exclusive oversight role. Failing this, ensure judges have the scope (including access to all relevant material) to conduct a full merits review of warrants rather than just examine the procedure. Ensure the new Investigatory Powers Commission is properly resourced. Reform the Intelligence and Security Committee so that it is chaired by an opposition MP, information cannot be withheld from it, and its membership selection is not subject to a prime ministerial veto. Ensure the IPB protects encryption by removing provisions that may force companies to provide back doors to encrypted data for the security services.
Introduction The Labour Campaign for Human Rights has been campaigning on mass surveillance since our formation in August 2013. Since then we have attempted to stimulate discussion and debate within Labour about its efficacy and its impact on privacy. We have met Labour MPs on both sides of the debate, hosted parliamentary events, authored articles, consulted experts, produced briefings, and taken the discussions to dozens of CLPs through our workshop events. The Investigatory Powers Bill marks the culmination of the debate about mass surveillance in the UK. On the one hand, it is an extraordinary step forward. It brings the activities of GCHQ, Britain s communications spy agency, out into the open and gives them a firm legal basis. On the other hand, the Bill enshrines into law many of the surveillance practices that have generated public concern, while offering inadequate safeguards to prevent their misuse. Worse still, the effectiveness of the proposed powers remains in doubt. There is strong reason to believe they are at best a distraction from effective counter-terrorism techniques, and at worse wholly counter-productive. The IPB should not be viewed in isolation. It is one element of a broader strategy by the Tory government to strengthen executive power. Taken together with the Trade Union Bill, plans to abolish the Human Rights Act, freedom of information review and boundary changes, this Bill is part of a bigger story that ends with a dramatic shift of power away from political opposition, civil society, and citizens, and towards the government. This briefing covers a range of issues in the debate around the IPB, including the Bill s likely impact on privacy, the potential for misuse and the proposed oversight system, encryption, and the efficacy of the powers. The IPB s impact on privacy Part 6 of the Investigatory Powers Bill enshrines in law the sweeping powers of mass surveillance that were first revealed to the public by Edward Snowden in 2013. Instead of using individual warrants to conduct targeted surveillance on the basis of suspicion, under this system approximately twenty general warrants are used to target entire communications systems or sections of the public. GCHQ is believed to collect, en masse, approximately 50 billion communications events per day, including emails, browsing records, webpages, locations, and other data. 1 The vast majority of this data is collected from people who are under no suspicion. While these powers are focused on external communications, in practice the nature of the modern internet means even communications that are domestic will often pass through servers based abroad, thus allowing them to be treated as external. Moreover, according to the Draft Bill, material collected in this way can be examined for general purposes for which there is currently little guidance. As Liberty has stated in its evidence to the Joint Committee on the Draft Investigatory Powers Bill, the definition of this could in theory be as broad in its nature as the three grounds on which the warrant was originally justified. 2 Bulk data collection is highly invasive. It allows the data of millions of innocent people to be gathered and potentially examined either by computer software or human analysts. This includes information about which websites we visit, where we are located when we send messages, and the content of our emails. From this information a detailed portrait can be drawn of our lives, including about our personal relationships, financial details, health and legal issues, and daily movements. 1 Evidence by Liberty to Joint Committee on the Investigatory Powers Bill, 82 (http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draftinvestigatory-powers-bill-committee/draft-investigatory-powers-bill/written/26430.pdf) 2 Evidence by Liberty to Joint Committee on the Investigatory Powers Bill, 84 (http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draftinvestigatory-powers-bill-committee/draft-investigatory-powers-bill/written/26430.pdf)
The Bill also includes a new provision to allow for the bulk retention of internet connection records. This means every internet user s browsing histories will be stored automatically by internet service providers for 12 months. Considering the variety of modern internet uses, this provides for a further intrusion into people s daily lives. As the respected technology blogger Paul Bernal has said, Monitoring the websites we visit isn t like having an itemised telephone bill it s like following a person around as they visit the shops go the pub, go to the cinema, turn on their radio, go to the park, visit the travel agent, look at books in the library and so forth. 3 It also helps to build a picture of trends and patterns in people s lives over time. Even worse, a plethora of public authorities will have access to these internet connection records, including HMRC and the Food Standards Agency. Moreover, a warrant will not be required for access, with access instead being authorised by a designated person within the relevant public authority. LCHR believes both the bulk intercept powers and the bulk retention of internet connection records provided for in this Bill represent an unacceptable infringement on privacy, fundamentally upsetting the correct balance of power between state and citizen in a modern, healthy democracy. LCHR s recommendation: - Remove the section of the IPB proposing bulk retention of internet connection records in its entirety. - Replace provisions for bulk communications intercept with targeted intercept only, abolishing the system of general warrants and replacing them with a system of individual warrants issued on the basis of reasonable suspicion. Potential for misuse and the oversight system Potential for misuse The security services have a long history of misusing their powers, including in cases that have affected the Labour movement directly. For example, intelligence agencies carried out surveillance on trade unions in the 1970s and 1980s as part of counter-subversion activities meant to halt the spread of communism. Even MI5 operatives sometimes thought the government went too far in applying this to industrial disputes, and the future director general commented in 1977 that senior officials tended to equate subversion with activity which threatens a Government s polices. 4 This surveillance of the unions reached a peak during the 1984-5 miners strike, under the orders of the Thatcher government. The security services tapped the phones of the entire national and local leadership of the National Miners Union (NUM), rented the building opposite the NUM s headquarters in Sheffield in order to spy at close quarters, and bugged a hotel and restaurant frequented by top union officials. 5 The police and security services infiltrated the union s highest levels in the 1970s, the NUM s president was himself an informant for Special Branch, 6 while a chief executive who accused the union leadership of corruption and embezzlement was later accused in parliament of having been an MI5 agent. 7 Further details on the police s surveillance of unions after the Cold War was revealed by whistleblower Peter Francis, who said that in his career as an undercover police officer he 3 A few words on Internet Connection Records, Paul Bernal https://paulbernal.wordpress.com/2015/11/05/a-few-words-on-internet-connection-records/ 4 Christopher Andrew, The Threat of Subversion, MI5 History. https://www.mi5.gov.uk/home/aboutus/who-we-are/mi5-history/the-cold-war/the-threat-of-subversion.html 5 Seumas Milne, The Enemy Within (2014), p. 342 6 BBC, Former NUM chief was police informer,24 October 2002. http://news.bbc.co.uk/1/hi/programmes/true_spies/2351547.stm 7 Early Day Motion 2352, Mrs Stella Rimington and the Miners' Union, 20 July 1993. http://www.parliament.uk/edm/1992-93/2352
spied on members of unions including: Unison, the Fire Brigades Union, Communication Workers Union, National Union of Teachers, and the National Union of Students. 8 He confirmed the identity of former undercover officer Mark Jenner, who posed as a joiner and used a false name to join UCATT, a construction workers union, and gather information on its members some of whom were added to blacklists. 9 The police and intelligence services also have a history of spying on Labour politicians. The police special branch carried out covert monitoring of 10 MPs during the 1990s all of them from the Labour Party, according to recent revelations by former undercover officer Peter Francis. Several became cabinet ministers in this period: Jack Straw, Harriet Harman and Peter Hain. The files contained personal information on the politicians finances and private lives. 10 Labour MP Sadiq Khan was also bugged by police while visiting prison in 2005 and 2006 as part of his campaign to help a terror suspect avoid extradition to the United States. 11 According to MI5 s official history, the Thatcher government saw the peace movement as the biggest source of subversive threat. 12 The agency targeted the Campaign for Nuclear Disarmament (CND) in the 1970s and 1980s, and held a permanent file on CND secretary general Bruce Kent, who they described as a possible anarchist. 13 Covert monitoring of activists continued after the fall of the Soviet Union. One officer, who lived undercover as an environmental activist for seven years, was unmasked as part of a court case in 2011. There is evidence of the police s recent attempts to spy on student groups, including video footage of an officer trying to recruit an activist to report on the activities of students from Cambridge University in exchange for money. 14 Whistleblower Peter Francis has also revealed his work in the 1990s to infiltrate anti-racism groups under a false identity and gather information to discredit the family of murdered teenager Stephen Lawrence. 15 Meanwhile, documents leaked by Edward Snowdon revealed that GCHQ, along with the NSA, have been using their mass surveillance capabilities to collect communications data from civil society groups such as Médecins du Monde and the United Nations bodies UNDP and UNICEF. 16 In July 2015, UK s Investigatory Powers Tribunal also revealed that GCHQ has been intercepting, accessing, and storing the communications of human rights group Amnesty International. Other notable revelations about GCHQ s activities include evidence from the Snowden files that they have intercepted and collected millions of people s private webcam images, targeting 1.8 millions users in one month alone. 17 This includes sexually explicit material. 8 Paul Lewis and Rob Evans Covert police unit spied on trade union members, whistleblower reveals, The Guardian, 13 March 2015. http://www.theguardian.com/uk-news/undercover-with-paul-lewis-androb-evans/2015/mar/13/covert-police-unit-spied-on-trade-union-members-whistleblower-reveals 9 Nick Sommerlad, Undercover cop joined construction union UCATT to spy on workers, The Mirror,2 March 2015. http://www.mirror.co.uk/news/uk-news/undercover-cop-joined-construction-union-5261174 10 Rob Evans and Rowena Mason, Police continued spying on Labour activists after their election as MPs, The Guardian, 25 March 2015. http://www.theguardian.com/uk-news/2015/mar/25/police-spiedon-labour-mps-whistleblower 11 BBC MP was bugged twice, report says, 21 February 2008. http://news.bbc.co.uk/1/hi/uk_politics/7256421.stm 12 Christopher Andrew, The Defence of the Realm: The Authorized History of MI5, 2012 13 Christopher Andrew, The Defence of the Realm: The Authorized History of MI5, 2012 14 Rob Evans and Mustafa Khalili, Police tried to spy on Cambridge students, secret footage shows, The Guardian, 14 November 2013. http://www.theguardian.com/uk-news/2013/nov/14/policecambridge-university-secret-footage 15 Rob Evans and Paul Lewis, Police 'smear' campaign targeted Stephen Lawrence's friends and family, The Guardian, 24 June 2013. http://www.theguardian.com/uk/2013/jun/23/stephen-lawrenceundercover-police-smears 16 James Ball and Nick Hopkins, GCHQ and NSA targeted charities, Germans, Israeli PM and EU chief, The Guardian, 20 December 2013. http://www.theguardian.com/uk-news/2013/dec/20/gchqtargeted-aid-agencies-german-government-eu-commissioner 17 http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo
There is an often mistaken assumption that the security services only use powers to protect the public. In fact, as the evidence above demonstrates, throughout their history and right up until the present day, they have used them for reasons that stretch far beyond this. Spying on unions, activists, and human rights groups as well as politicians and millions of webcam users suggests not only a risk but a propensity for misuse. In light of this, it is concerning that the IPB is set to grant the security services such extensive powers with such poor checks and balances. Oversight system The IPB proposes two main changes to the system of oversight surrounding mass surveillance. The changes are billed as an improvement to current safeguards, but as they stand are wholly inadequate. The first proposal is to switch from ministerial authorisation for intercept warrants to a doublelock system of ministerial authorisation combined with judicial review. While at first seeming to incorporate the key proposal of the Anderson report to allow independent, judicial authorisation of intercept warrants, the proposed change stops far short of this. 18 As Andy Burnham, the Shadow Home Secretary, stated in a letter to the Home Secretary last year, the proposed system only allows a judge to review the procedure by which a warrant is authorised rather than weigh the evidence for the warrant itself: 19 [You] created the impression that both the home secretary and a senior judge would review the evidence. Indeed, you may recall that I asked you in the House about what would happen if there were a difference of opinion between the two. On closer inspection of the wording of the bill, it would seem that it does not deliver the strong safeguard that you appeared to be accepting. The current wording of the draft bill requires the judge to review the process undertaken by the Home Secretary in the same way applied to a judicial review. 20 Without full judicial oversight, the government is effectively signing off on its own warrant requests. No other country in the five eyes intelligence community, including the USA, Canada, New Zealand, and Australia, uses this system. However, by giving a judge the ability to review the proportionately and necessity of warrant requests, an independent safeguard would be assured. The IPB also proposes that in urgent cases, ministerial authorisation is enough by itself so long as it is followed by judicial review within a period of five days. The definition of urgent must be tightly worded to ensure this procedure is not abused. The second major proposal is for the Interception of Communications Commissioner, the Intelligence Services Commissioner, and the Chief Surveillance Commissioner to be merged into a new Investigatory Powers Commission. It is vital that this new body is properly resourced so that it can play its oversight role effectively. The IPB does not include provisions to reform the Intelligence and Security Committee (ISC), which provides parliamentary oversight of the intelligence services. The ISC has lost much credibility over its perceived closeness to the intelligence community following the Snowden revelations and it could benefit from reform to ensure its independence from the government. 18 http://www.theguardian.com/world/2015/jun/11/anderson-report-tests-surveillance-laws-judicialwarrant-analysis 19 http://www.theguardian.com/politics/2015/nov/09/andy-burnham-investigatory-powers-bill-judicialsafeguards-letter-theresa-may 20 Letter from Andy Burnham MP to the Home Secretary http://www.newstatesman.com/politics/uk/2015/11/labour-demands-stronger-safeguards-investigatorypowers-bill
LCHR s recommendations: - Switch from a system of ministerial authorisation of interception warrants to a system of judicial authorisation, with a judge playing the exclusive oversight role. Failing this, ensure judges have the scope (including access to all relevant material) to conduct a full merits review of warrants rather than just examine the procedure. - Ensure the new Investigatory Powers Commission is properly resourced. - Reform the Intelligence and Security Committee so that it is chaired by an opposition MP, information cannot be withheld from it, and its membership selection is not subject to a prime ministerial veto. The IPB s impact on encryption Encryption refers to the process of transforming data from plain text into cipher text so that only authorised parties can access it. It is one of the prime ways of ensuring internet data security and privacy as encrypted communications can only be accessed by using an encryption key or password. The original Draft IPB aimed to change the current state of encryption by making it a legal obligation for companies to bypass encryption when possible in order to allow security services to hack into and bug computers or phones for surveillance purposes. It demanded that companies submit decrypted communications to the Home Office, if requested. This may mean that end-to end encryption has to be banned because these strongly encoded communications cannot undergo decryption. However, the recent re-draft of the Bill makes it clear that the government will take a pragmatic approach and not ask companies to remove encryption unless it s technically feasible and affordable. Nonetheless, there is still considerable concern about potential overreach with these powers. Apple, which applies end-to-end encryption in its imessage, is critical of the Bill, insisting that [w]e believe it would be wrong to weaken security for hundreds of millions of law-abiding customers so that it will also be weaker for the very few who pose a threat. In this rapidly evolving cyber-threat environment, companies should remain free to implement strong encryption to protect customers. 21 Similarly, Facebook, Google, Microsoft, Yahoo Microsoft and Twitter submitted written evidence to the Joint Committee on the Draft Investigatory Powers Bill stating that [w]e reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means. 22 Encryption is highly important because it ensures that information is kept private and inaccessible to third parties. This is important in terms of sharing any sensitive data such as financial transactions or emails. Alongside protecting individual citizens data, there is also the national interest to consider. One of the significant current security threats to Britain is cyberwarfare. Cyber security campaigners representing 42 countries recently signed an open letter to world governments attempting to uphold the importance of encryption, writing that [s]trong encryption and the secure tools and systems that rely on it are critical to improving cybersecurity. 23 Yet the IBP could actually legalise a form of cyber-warfare. LCHR s recommendation: - Ensure the IPB protects encryption by removing provisions that may force companies to provide back doors to encrypted data for the security services. 21 Written evidence. Available at: http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draft-investigatorypowers-bill-committee/draft-investigatory-powers-bill/written/26341.html 22 Written evidence. Available at: https://www.globalnetworkinitiative.org/sites/default/files/written%20evidence%20- %20Facebook%20Inc.%2C%20Google%20Inc.%2C%20Microsoft%20Corp.%2C%20Twitter%20Inc.pdf 23 Security For All. Available at: https://securetheinternet.org/
Effectiveness There are serious reasons to doubt the effectiveness of mass surveillance. Not only is it remarkably inaccurate as a detection tool, it also diverts significant resources away from traditional methods that would do more to prevent terrorist attacks. Moreover, mass surveillance may make the fight against terrorism harder in the long run by alienating communities and contributing to radicalisation. A 2009 report by the US government found that only 1.2 per cent of tips provided to the FBI by mass surveillance techniques made a significant contribution to counter-terrorism efforts. 24 Another recent study by the New America Foundation found that National Security Agency mass data collection played a role in, at most, 1.8 per cent of terrorism cases examined. 25 By contrast, traditional investigative methods initiated 60 per cent of investigations. 26 The technology itself is the reason for its lack of utility, being highly inaccurate. Indeed, computer scientist Ray Corrigan has written, Even if your magic terrorist-catching machine has a false positive rate of 1 in 1,000 and no security technology comes anywhere near this every time you asked it for suspects in the UK it would flag 60,000 innocent people. 27 Perversely, this lack of precision means mass surveillance can actually frustrate counterterrorism efforts. Both Michael Adebolajo and the Hebdo killers were well known to security services prior to their attacks, indicating the intelligence failures were to do with lack of attention rather than lack of data. Mass surveillance means intelligence analysts are forced to spend their time sifting through a large amount of data rather than carrying out the targeted monitoring and detection that s really needed. Counter-radicalisation experts have also argued that mass surveillance may alienate Muslim communities and possibly contribute to radicalisation. In 2014, Jonathan Russell from the counter-extremism group Quilliam wrote that the introduction of a sweeping [mass surveillance] law will be exploited by extremists to show that the government wants to spy on its own citizens [and] that all Muslims are suspected of being terrorists. 28 LCHR s recommendation: - Remove all provisions for bulk data collection by the security services in order to free up resources for targeted surveillance and to avoid alienating communities. Conclusion LCHR believes the mass surveillance provisions outlined in the Investigatory Powers Bill represent a disproportionate infringement on privacy, are ineffective against terrorism, and are not currently accompanied by adequate safeguards to prevent misuse. We recommend that Labour MPs pursue the following changes to the Bill: Remove the section of the IPB proposing bulk retention of internet connection records in its entirety. Replace provisions for bulk communications intercept with targeted intercept only, abolishing the system of general warrants and replacing them with a system of individual warrants issued on the basis of reasonable suspicion. This will be more effective and avoid alienating communities. Switch from a system of ministerial authorisation of interception warrants to a system of judicial authorisation, with a judge playing the exclusive oversight role. Failing this, 24 https://fveydocs.org/document/report-psp/ 25 https://www.newamerica.org/downloads/is_nsa_surveillance.pdf 26 https://www.newamerica.org/downloads/is_nsa_surveillance.pdf 27 http://www.slate.com/articles/health_and_science/new_scientist/2015/01/mass_surveillance_against_t errorism_gathering_intelligence_on_all_is_statistically.html 28 http://www.independent.co.uk/voices/comment/new-surveillance-laws-will-only-help-fuel-terrorism- 9592365.html
ensure judges have the scope (including access to all relevant material) to conduct a full merits review of warrants rather than just examine the procedure. Ensure the new Investigatory Powers Commission is properly resourced. Reform the Intelligence and Security Committee so that it is chaired by an opposition MP, information cannot be withheld from it, and its membership selection is not subject to a prime ministerial veto. Ensure the IPB protects encryption by removing provisions that may force companies to provide back doors to encrypted data for the security services.