February 2, 2016 | By Eva Galperin and Danny O'Brien

UK’s Investigatory Powers Bill: Loopholes Within Loopholes Will Lead to Unbridled Surveillance

The House of Commons Science and Tech Committee has published its report on the draft Investigatory Powers Bill, influenced by comments submitted by 50 individuals, companies, and organizations, including EFF. The report is the first of three investigations by different Parliamentary committees. While it was intended to concentrate on the technological and business ramifications of the bill, its conclusions reflect the key concern of lawmakers, companies, and human rights groups about the bill’s dangerously vague wording.

The Investigatory Powers Bill, as written, is so vague as to permit a vast range of surveillance actions, with profoundly insufficient oversight or insight into what Britain’s intelligence, military and police intend to do with their powers. It is, in effect, a carefully-crafted loophole wide enough to drive all of existing mass surveillance practice through. Or, in the words of Richard Clayton, Director of the Cambridge Cloud Cybercrime Centre at the University of Cambridge, in his submissions to the committee: “the present bill forbids almost nothing ... and hides radical new capabilities behind pages of obscuring detail.”

The bill is 192 pages long, excluding over 60 pages of explanatory notes. Our comments to the committee focused on just one aspect of the bill, what they call “equipment interference.” Despite our emphasis on just one small part of the bill, our analysis revealed multiple ambiguities and broad new powers that would allow the security and intelligence agencies, law enforcement and the armed forces to target electronic equipment such as computers and smartphones in order to obtain data, including communications content. The bill also provides for the UK government to compel companies and individuals, including those located outside Britain, to comply with its surveillance demands, and to bar companies from revealing that they were the subject of such demands. As the committee says in its conclusions, “We believe the industry case regarding public fear about ‘equipment interference’ is well founded.”

The bill also includes a new mandate for data retention whose breadth is similarly ambiguous. Terms like “internet connection records,” “telecommunications service,” “relevant communications data,” “communications content,” “technical feasibility,” and “reasonable practicable” were all criticized in the report for their vague and overbroad use. The government’s excuse is that it wants to create a “future-proof” bill, but loose language is bad for businesses trying to understand what obligations they are under. And it’s certainly bad for civil liberties when governments exploit those ambiguities to obtain or hold onto new powers.

The details of these definitions and safeguards surrounding them should not be punted into secondary legislation. As the committee notes, a disturbing degree of detail about the Investigatory Powers Bill is deferred to future “Codes of Practice.” We’ve been down this road before in the UK. IPB’s predecessor, the Regulation of Investigatory Powers Act (2000), also placed its devilish details into future statutory instruments, which were often slipped past Parliamentarians with little warning or debate. The result was years of expansion of RIPA powers, to the point where powers originally intended for the intelligence services were delegated to over four hundred public bodies. Even the head of MI5, Lady Manningham-Buller, who lobbied for the RIPA powers, was shocked by the eventual overreach:

“I can remember being astonished to read that organizations such as the Milk Marketing Board, and whatever the equivalent is for eggs, would have access to some of the techniques. On the principle governing the use of intrusive techniques which invade people's privacy, there should be clarity in the law as to what is permitted and they should be used only in cases where the threat justified them and their use was proportionate.”

This is why, as the committee says, “it is essential that this timetable does not slip and that the Codes of Practice are indeed published alongside the Bill so they can be fully scrutinized and debated.”

We would go further: EFF believes that a productive discussion around the Investigatory Powers Bill can only begin once all the cards are on the table. The UK government needs to answer all the questions raised by the committee, including those currently postponed to Codes of Practice, and embed those answers in a revised bill, which can then be more seriously considered. Otherwise, the bill is destined for a future of abuse followed by dismantlement in the courts.

The series of successful challenges in the UK and EU against previous surveillance law and practice shows that vague and unbounded language cannot survive a serious challenge in the courts. If the UK government wants its surveillance rules to stand the test of time, it needs to build them on a firm foundation of clarity, necessity, and proportionality.
