The Information Commissioner’s Office (ICO) of the United Kingdom has criticised the draft Investigatory Powers Bill, warning that the law would pose significant risks for both privacy and security.
The Investigatory Powers Bill is intended to update and expand the UK government’s surveillance capabilities, merging several existing pieces of legislation, including the Regulation of Investigatory Powers Act of 2000 (also known as RIPA), into a single, uniform law.
Under the draft’s current provisions, intelligence agencies, including GCHQ, will be granted power to collect and store mass amounts of citizens’ private data for up to a year. Internet companies, including UK VPN services, would also need to comply with requests to weaken their encryption – a key barrier between private information and the increasingly frequent cyber attacks.
Speaking at a parliamentary committee on 6th January 2016, the Information Commissioner Christopher Graham denounced the UK government’s plans to pass the controversial snooper’s charter law.
In response to whether the legislation offers a good balance between individual privacy and national security, the ICO chief said it is “very difficult to judge”, emphasising that little explanation had been provided by the government to justify the retention of private information for a period of 12 months or more. According to the ICO, “there is no indication of the use that such information is being put to over many months or years in the normal way or dealing with serious crime or terrorism.”
During his address to the cross-party commission, Graham added that weakened encryption would have serious consequences for individuals.
“The constant stream of security breaches only serves to highlight how important encryption is towards safeguarding personal information. Weakened encryption safeguards could be exploited by hackers and nation states intent on harming the UK’s interests.”
Graham argued that the authors of the bill had not identified bulk data sets that would or would not be accessed under the legislation, pointing out that the examples provided encompassed only information that was already publicly available.
The head of the UK privacy watchdog underlined that, in making its decision to approve the bill, Parliament should recognise the “various data protection rights afforded to individuals.”
Within his feedback, Graham questioned whether the bill, in its current form, was essentially “a blank cheque to authorities” to satisfy their need to gather bulk amounts of sensitive information, referencing data protection as a “fundamental right under the charter of fundamental rights of the European Union”.
Highlighting the risks of careless data retention, Graham stated that excessive collection of data is a risk in itself, as the government bodies in charge of it have already shown themselves prone to mismanaging private information, as was the case with the NHS (UK’s National Health Service) after it lost records of over 3,000 patients. “People may do stupid things with it,” added Graham.
The ICO chief admitted that calculated gathering of information is nonetheless important to identify criminals as well as to prevent terror attacks, but stressed the importance of making surveillance subject to regular parliamentary review in order to reach a conclusion on its usefulness.
In its written evidence to the committee, the ICO outlined several key points on its stance against the current draft bill, including:
- The draft bill has the potential to intrude on the private lives of individuals;
- Parliament is responsible for scrutinising the bill’s provisions and the wider context of the expansion of mass surveillance;
- The legislation must be regularly reviewed by Parliament;
- Insufficient justification has been presented for retaining data for 12 months;
- The ICO’s own role in auditing gathered data needs to be strengthened;
- Data sets of a particularly sensitive nature should be considered for exemption.
Furthermore, the ICO criticised clause 189, which would permit the Secretary of State to order the “removal of electronic protection” (i.e. encryption) from communications protocols and data. The proposed measure is viewed as having the potential to create “detrimental” repercussions for the public’s confidence in the handling of their personal information.
Home Secretary Theresa May, a leading proponent of the snooper’s charter, is soon set to face heated questioning by a committee of MPs and Lords on why bulk data collection should be expanded.
Amidst growing pressure to justify the most significant reform of surveillance schemes in the country for 15 years, May will respond on several key points of the draft bill, including data retention, internet connection records, communications data, authorisation and oversight.
The committee is expected to report on its findings by 11th February; however, critics of the legislation have accused the government of attempting to hurry the law into effect.
Despite the bill’s provisions suggesting that implementation of encryption is to be at the behest of the government, the Home Secretary has publicly denied that it would be banned altogether, even going as far as admitting in a BBC interview that “encryption is important for people to be able to keep themselves safe when they are dealing with these modern communications in the digital age.”
Shadow Home Secretary Andy Burnham had also previously attempted to calm the storm by labelling the public reaction as “over-hysterical”, adding that it could leave the United Kingdom with an outdated set of laws and systems in comparison to its international counterparts.
However, Burnham, who had initially welcomed the draft bill and denied that the legislation would drastically expand surveillance, has himself raised concerns over the absence of judicial authorisation for intercept warrants, in a letter addressed to May.
“On closer inspection of the working of the Bill, it would seem that it does not deliver the strong safeguard that you appeared to be accepting.” The initial draft indicates that a judge would be required to review the ‘process’; however Burnham has since ‘discovered’ that there is nothing in the draft to suggest the requirement of a double-lock warrant authorisation. In other words, a warrant should also be subject to a judicial review, which would oversee authorisation from both the Home Secretary and the Judicial Commissioner.
Among the bill’s stern corporate opponents is Apple. In an eight-page letter to the UK government, the global tech giant voiced its discontent with the draft, noting that it “threatens to hurt law-abiding citizens in its effort to combat the few bad actors” who, according to the US-based company, possess an array of methods to carry out potential attacks.
Apple’s CEO Tim Cook has also heavily criticised the US government for not taking a pro-privacy stance in the ongoing encryption debate. Cook stated what most other tech companies agree on: that the White House should firmly say “no backdoors”, and oppose pressure from its own administration and from the FBI.
Together with Apple, other prominent tech companies including Google, Facebook, Twitter and Microsoft equally view the bill as a threat to Internet users.
Other opponents include the UN’s first privacy chief, who has dubbed the British initiative “a joke”, calling for a Geneva Convention-style law that would safeguard privacy from mass surveillance.