Security services and governments need adequate digital powers to gather intelligence. Many of these already exist in law — but they want more.
Next week the government will publish details of how it plans to lawfully increase its investigatory powers. The potential changes to the legislation may give security services and agencies the power to hack into mobile phones, tablets, and computers, internet data to be kept for a year, take away powers from ministers, and remove authorisation powers away from politicians. A myriad of legislation and powers will potentially be altered.
These plans won’t just affect terrorists and criminals. They will have an impact on the phone calls, internet use, text messages, emails, and online lives of every person in the UK and, in some circumstances, abroad.
Critics including transparency and human rights group, say that the new laws could pose significant threats to privacy, while those working within security agencies argue more powers are needed to protect people.
The draft law stems from the scrapped Draft Communications Data Bill, more popularly known as the “snoopers’ charter” — which was blocked by the House of Lords and Lib Dems. But government ministers revived the plans in the Queen’s speech to “address gaps” in intelligence and surveillance laws.
The full text of draft Investigatory Powers bill can’t be fully interpreted until it’s published — sources say in the middle of next week — but there is plenty of indication of what is likely to be included.
Internet companies may be forced to keep the ‘who, where, when and what’ of everyone’s internet browsing history, for up to 12 months. This would allow, with approval of a warrant, security services to request access to the information.
The power is something that police, according to the Guardian, have been pressuring government ministers to include.
“From a privacy perspective we would be very uncomfortable about it,” Harmit Kambo, from Privacy International, told WIRED. In a similar nature an independent report on surveillance powers from experts at the Royal United Services Institute said that policies allowing security and intelligence agencies to collect and analyse data retention should be “subject to regular review” to “ensure they remain proportionate.
The European Court of Justice judged upon rules around data retention last year, when it said the Data Retention Directive was invalid. The judgment said it was not permissible for the content of messages and communications to be retained, and any interference has to be “strictly necessary”.
Pam Cowburn from the Open Rights Group (ORG) told WIRED any proposed plans for data retention would be closely scrutinised against the EU court’s decision. However, the government is going to challenge this ruling, civil rights group Liberty said.
The concerns about “aggressive hacking,” push further than privacy issues Karmit said. They could result in more circumstances like the hacking of TalkTalk.
“Data retention, as the government wants, will increase that risk significantly for everyone of us, the more service providers that are retaining our data the more vulnerability that exists out there for our data to be released,” he said.
The justification for security services to hack into electronic devices may be included in the bill.
ORG’s Cowburn suggested the code of practice “may become law to hack into devices”. Although, she conceded it “may be necessary” for surveillance agencies to hack into devices at times she said there should be clear oversight for the practice.
At present hacking provisions exist in codes of practice, not legislation. In February the Home Office issued the draft Equipment Interface Code of Practice, which is being consulted on, sets out the type of equipment — including phones, servers, computers — that can be hacked into and safeguards, which should be in place.
The code of practice gives security services the power to used hacked equipment to “enable and facilitate surveillance activity”.
The ability to hack into devices, including encrypted ones, as revealed by documents from Edward Snowden, has caused concern with the UK’s independent advisor on terrorism legalisation.
David Anderson QC, in his 379 page report analysing current surveillance powers, said that gave a “dizzying array of possibilities to the security and intelligence agencies”.
Both the independent reports from RUSI and Anderson have recommended that the power to issue surveillance warrants should be taken by judges.
“Requests for interception for the prevention and detection of serious crime in future be authorised by a senior judge”, said the RUSI panel, while Anderson concluded there should be: “requirement of judicial authorisation (by Judicial Commissioners) of all warrants for interception”
At present politicians have the power to issue warrants for surveillance. In particular Home Secretary Theresa May is responsible for issuing warrants for surveillance activities to be undertaken.
Any steps away from the recommendations would be a “big rejection” of the independent reports, said Cowburn. Loz Kaye, from the Open Intelligence think tank said allowing politicians to make the decisions: “undermines public confidence”.
In recent days reports, first by the Sun, have attributed Home Office sources as saying the government intends to stay away from the reports’ recommendations on this issue.
The tabloid reported a government minister to have said judges making decisions over surveillance would slow the process down: “It would be totally irresponsible of government to allow the legal system to dictate to us on matters as important as terrorism,” the paper’s source said.
A modern framework
Despite the numerous concerns of civil liberties groups and independent reviewers over the current legislation the bill is expected to be welcomed as an opportunity to clarify the powers of security agencies.
“While we welcome the introduction of a bill that’s going to tidy that all up and put it into one more transparent legal framework we are concerned that there is going to be considerable extension of powers that we would not be happy about in relation to its impact on people’s privacy,” said Privacy International’s Karmit.
Andrew Parker, the chief of Mi5, used a public speech this week to say the security agencies aren’t seeking to introduce “sweeping new intrusive powers in that legislation”.
He continued to say that the bill would give his and other security services a “modern legal framework” that keeps up with technology and “allows us to continue to keep the country safe”.
The consolidation of the law is one also advocated by Anderson, who put forward 150 recommendations. In his report the judge said “the current law is fragmented, obscure” and requires a “clean slate”.
The draft bill that will be published next week offers this opportunity.