Unsurprisingly, a motion to Liberal Democrat conference against the Investigatory Powers Bill passed overwhelmingly this weekend. Below is the video and text of my contribution to the debate, which I can share with you as I had written it in advance, albeit only a couple of hours earlier!

The myth spread by the Home Office that the technical industry understands the Bill is always something I am keen to dispel, so that was my main purpose in wanting to speak. The quote from the New York Review of Books is also something that’s stuck in my head since I first read it, and I particularly wanted to give it an airing in the debate. (I have verified the quotes given in the article from other sources.)

All of this is, sadly, against the backdrop of a very showing from both Labour and the SNP who abstained at the second reading of the bill yesterday. A particular shout out is due to Cambridge’s Labour MP Daniel Zeichner, who said he wants to “robustly challenge” the bill… but abstained anyway.

(The text below is what I wrote in advance, it does not entirely match what I actually said. No autocue for most speakers at conference)


I am a member of the Security & Liberty working group, so it should come as no surprise to you that I would urge you to support the motion. Brian Paddick has already made the case for the motion very well. However, there are some points I would like to make in relation to metadata and some of the claims being made by the current government.

A couple of months ago, I was asked to speak as part of a Q&A panel on the Investigatory Powers Bill at the UK Network Operators Forum. This forum, in case the name is not enough of a giveaway, was full of a couple of hundred of the people who really run the Internet. I worked as one of those running the internet myself, for over a decade.

I asked – who here understands what data you are being asked to collect by the Home Office? Now, if you believe what we’re being told by the Tories, every hand in that room should have gone up. Because we’re told that – absolutely – Service Providers really understand the limits of what is being asked of them.

But not one hand went up. Nobody understood the limits of the powers Theresa May is asking for. The bill is so confused, and hands Theresa May such sweeping and unchecked power, that the draft bill includes the now-infamous phrase “Data includes any information which is not data”.

Of course, the Tories claim that it’s only meta-data, or “Internet Connection Records” as they’re now calling it. That can’t be too harmful, can it? Here’s a quote from David Cole in the New York Review of Books, in 2014:

As NSA General Counsel Stewart Baker has said, “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” When I quoted Baker at a recent debate at Johns Hopkins University, my opponent, General Michael Hayden, former director of the NSA and the CIA, called Baker’s comment “absolutely correct,” and raised him one, asserting, “We kill people based on metadata.”

No other democratic country in the world gives such powers to its politicians to monitor and collect Internet browsing history to this extent.

Please vote for the motion.

The draft bill has been published, the generic “I have not read this yet but I must say something” statements have been made by politicians, and now it’s time to read what the bill actually says.

First impressions: It’s not a bill I could come close to supporting without major changes, but it’s an improvement on previous attempts. It’s also long. At 299 pages, very long indeed. The 35 page extended press release at the start, titled a “guide to powers and safeguards”, is interesting, but of course doesn’t actually have any legal force. Many of the initial comments about the bill made by politicians seem to have been on the basis of reading this guide, and not the full bill. One comment I would pick up on in the initial section is that the bill is “bringing together existing powers”. Simplification of existing legislation always sounds good, but the Equality Act 2010 was also supposedly a consolidation exercise. Many readers will know my less-than-positive feelings on that particular piece of legislation!

Another highlight of the intro is the assertion that there are “862 suspected paedophiles” that this bill might help catch. You can’t publish a bill like this in the UK without using the “but, but… terrorists and paedophiles!” line. As investigations of both are, of course, shrouded in secrecy, this makes scrutiny that much harder.

It’s going to take time for everyone to digest it all and figure out where any remaining problems lie, so discussion will probably take weeks before there is any kind of consensus. I’ve read it properly – highlighter in hand – once through so far and it’s likely I’ve missed bits but here’s what I have noticed so far. (This is not a list of what I would want to see in an Investigatory Powers Bill, as that would include things such as notification to individuals, just a commentary on what is actually present)

Judicial Oversight
Rejoice, for we have judicial oversight of interception warrants!

OK, hold on a second. We have some oversight but you can drive a coach and horses through much of it. Three major problems jump out:

The standard of proof required is that of “Judicial Review”. Quoting from the Courts and Tribunals web page: “[A Judicial Review] is not really concerned with the conclusions of that process and whether those were ‘right’, as long as the right procedures have been followed”. Essentially, we’ll have a group of very well paid judges checking that the Home Secretary signed the warrants correctly.

Warrants can be modified after issue to add names to them. In the case of “minor” changes, such as adding new phone numbers, they can be authorised by the police themselves. However, major changes only need a minister to approve the change – a judge does not need to be involved.

Finally, “urgent” warrants do not need reviewing for five working days. Judges are already used to being woken up at unsociable hours so that warrants can be applied for, so five days seems excessive. It still requires ministerial approval, and getting hold of a judge would seem easier and quicker than getting hold of a government minister.

Training warrants
Interception warrants can be issued for “testing, maintenance or development” of interception systems and “training of persons” who carry out interception, without any requirement that the data collected be destroyed unexamined. I do wonder how many people might find themselves “accidentally” intercepting the communications of people they know, or doing it to someone “who won’t possibly mind, because they have nothing to hide”.

Wilson Doctrine & Journalistic Sources
Looking on the positive side, the additional protections given to members of parliament would be put into law for the first time by this bill and explicitly cover members of many other legislative bodies. However, these protections are watered down significantly from the original doctrine – rather than a blanket ban on interception of MPs’ communications, any warrant would require that the Prime Minister be consulted.

Journalists fare little better – judicial authorisation is required to get access to data on journalistic sources even in situations where a judge would otherwise not need to be involved. Other professions (Doctors, Lawyers and Ministers of Religion) get “extra consideration” in the Codes of Practice, but no extra safeguards against interception in the main bill. It’s clear that the intent is to make any exceptions to surveillance as limited as possible.

Communications Data Retention
A very important point for many people will be exactly who is required to keep bulk data – i.e. lists of web sites etc. visited by users. There’s a cost associated with collection that the Home Office may pay for, although they seem to be pushing the cost on to service providers with the latest bill. Luckily, only providers who have been notified by the Home Office that they need to collect data are covered and nothing prevents an operator stating that they have received or not received a retention notice. This allows privacy-conscious ISPs to be able to state publicly that they are not performing bulk retention of data. As Keith points out in the comments, section 77 does prohibit revealing the existence of a retention notice.

Filtering
There is a large section on “filtering” in the bill that deserves some explanation. Although data would be stored by ISPs, the Home Office would like to create a system (an API) so that they can remotely query and filter data on the ISPs’ systems without necessarily needing to talk to someone at the ISP. This removes a safeguard against wide-scale bulk data access without proper authorisation, and potentially allows someone to go on fishing expeditions that are only marginally relevant to a warrant that’s been issued, such as allowing queries like “tell me everyone across multiple ISPs who has accessed terrorist-hub.com”.

Security of collected bulk data
The headline issue has been retention of data for 12 months by ISPs, which is longer than many other countries. But how securely is the data kept? The bill answers that in a surprisingly poorly written clause: “subject to at least the same security and protection, as the data on any system from which it is derived”. The draft bill will no doubt have had the attention of many security experts within the Home Office, so it’s surprising that they did not pick up on the obvious point: hacking a router gives you relatively little ability to capture much data without someone noticing, but hacking a pre-existing bulk data archive gives you much more data and is thus a bigger target. As a result of this, the security of retained data needs to be significantly higher than that of other systems, and I am surprised not to see reference to some soon-to-be published technical guidance on the measures required.

There is also no prohibition on the use of data collected by service providers for commercial purposes, such as being sold on to marketing companies or used for targeted advertising. (If it’s allowed for in the ISP’s terms and conditions, it’s not unlawful disclosure!) There are major privacy issues here that we’ve seen already on a smaller scale, where people access help sites for domestic violence or LGBT+ issues and other members of their household then receive targeted advertising as a result. Service providers can do this already to an extent, but it costs money to do. If they’re going to have to do it anyway (either paying for it themselves or being paid to do it) then they might as well make some money from it.

Finally, and most critically, there is no prohibition on a court ordering the disclosure of collected data to groups like copyright holders. It would become very easy for someone to apply to the courts for a list of everyone who has accessed Pirate Bay, Popcorn Time etc and send them not-so-nice legal letters.

Equipment Interference
…or “hacking into other people’s computers” as most people call it – although the bill would force service providers to cooperate in hacking attempts. Although more analysis of the bill is needed this is one area where the Bill looks like an improvement on the existing situation, as hacking is currently going on without proper scrutiny. The most obvious omission is the lack of any consideration for the side effects of hacking should they cause problems, by taking down critical computer systems or installing back doors into systems that are then abused by others.

Overseas
There has been a history of quid pro quo arrangements between security services where countries spy on each other’s citizens because the law doesn’t allow them to spy on their own citizens. Although the act prohibits formal arrangements of this type, it does not (that I can see) stop someone using information that they have been given that would otherwise have required an interception warrant. The act also allows the Home Secretary to sign agreements with other countries to honour each other’s warrants, but there is little to suggest that warrants from other countries would require the same level of authorisation and oversight as locally issued ones.

I will probably notice more on later re-reads of the draft bill, and I will post again if I find anything substantial.

According to the Open Rights Group (ORG), who are often right on soon-to-be-published legislation, the forthcoming bill on “IP Address Matching” is about mobile networks performing NAT.

There are probably a few reading this whose eyes have already started to glaze over, given the first paragraph mentions a three letter acronym. It is likely that a few civil servants and ministers suffered from the same. That is worrying because it is entirely possible that this bill may, if ORG are correct, involve collection of communications data – here’s why:

Network Address Translation (NAT) is a way of hiding many computers behind a single Internet address. It was invented because under the system of addressing currently in use in much of the world, there are not enough addresses for every computer to connect at once. Using the analogy of a telephone system, it is like a company having a few well-publicised phone numbers for their major services but hiding all their other staff behind a single generic phone number whenever they make an outbound call.

If someone is making nuisance calls that you are trying to trace, being told that the call came from your generic phone number is not much use. As with IP addresses hidden behind NAT, there could have been tens of thousands of phone calls being made outbound from that phone number at any point in time. You can only trace who made the call if you also logged which number each handset dialed.

Now, the internet also uses port numbers. They are fixed for servers (web servers typically run on port 80 or 443) but randomly assigned for outbound connections, so that the address and port will be unique for anyone talking to a particular service. This makes it theoretically possible to trace a user using both the address and port if you already know which service they were talking to.

Unfortunately for that approach, servers on the internet generally only record source addresses and not source ports.

If the Home Office want the data they are collecting to be useful, this means they will likely also be asking service providers to be storing destination addresses, which brings us back to having to store communications data. It would allow security services, police or even an anti-piracy company with a court order to ask a service provider questions such as “tell me everyone who accessed www.aljazeera.com in the last 12 months”.
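To make the argument of the last few paragraphs concrete, here is an added example (my own illustration, not code from the original post or from any provider). It models a carrier-grade NAT whose translation log records, for each outbound connection, the subscriber, the public source port, the destination and the time window. The addresses, subscriber ids and timings are constructed sample data. It shows three things: a server log holding only the public source IP and a timestamp cannot single out a subscriber; adding the public source port makes the mapping unique, but only if the NAT kept that record; and once the NAT log also stores destination addresses, the “everyone who accessed X” query becomes answerable from the provider’s side alone.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample: one public address (RFC 5737 documentation range)
# shared by every subscriber behind a carrier-grade NAT.
PUBLIC_IP = "203.0.113.7"


@dataclass(frozen=True)
class NatLogEntry:
    """One translation: subscriber -> (PUBLIC_IP, public_port) -> destination, valid for a time window."""
    start: datetime
    end: datetime
    subscriber: str      # internal account or device id known only to the provider
    public_port: int     # the ephemeral source port seen by the remote server
    dst_ip: str          # destination address: this field is communications data
    dst_port: int


T0 = datetime(2013, 5, 9, 12, 0, 0)   # constructed reference time
NAT_LOG: List[NatLogEntry] = [
    NatLogEntry(T0, T0 + timedelta(seconds=30), "sub-A", 40001, "198.51.100.10", 443),
    NatLogEntry(T0 + timedelta(seconds=5), T0 + timedelta(seconds=40), "sub-B", 40002, "198.51.100.10", 443),
    NatLogEntry(T0 + timedelta(seconds=8), T0 + timedelta(seconds=20), "sub-C", 40003, "198.51.100.20", 80),
]


def candidates_by_ip_and_time(at: datetime, log: List[NatLogEntry] = NAT_LOG) -> List[str]:
    """What a typical server log (source IP + timestamp, no source port) lets the
    provider recover: every subscriber who had any mapping open at that instant."""
    return sorted({e.subscriber for e in log if e.start <= at <= e.end})


def lookup_by_port(at: datetime, public_port: int, log: List[NatLogEntry] = NAT_LOG) -> Optional[str]:
    """With the public source port as well, the translation is unique, provided
    the NAT logged the port and the record has not yet been discarded."""
    hits = [e.subscriber for e in log if e.public_port == public_port and e.start <= at <= e.end]
    return hits[0] if len(hits) == 1 else None


def subscribers_who_reached(dst_ip: str, log: List[NatLogEntry] = NAT_LOG) -> List[str]:
    """The query the post warns about: once destinations are retained alongside
    the translation, 'who accessed this site' is answerable without any server log."""
    return sorted({e.subscriber for e in log if e.dst_ip == dst_ip})


def strip_destinations(log: List[NatLogEntry]) -> List[NatLogEntry]:
    """A retention policy that keeps only what port-based attribution needs:
    the destination fields are blanked, so subscribers_who_reached() returns nothing."""
    return [NatLogEntry(e.start, e.end, e.subscriber, e.public_port, "", 0) for e in log]


if __name__ == "__main__":
    t = T0 + timedelta(seconds=10)
    print("IP + time only      :", candidates_by_ip_and_time(t))
    print("IP + port + time    :", lookup_by_port(t, 40002))
    print("who reached .10     :", subscribers_who_reached("198.51.100.10"))
    print("after stripping dst :", subscribers_who_reached("198.51.100.10", strip_destinations(NAT_LOG)))
```

The `strip_destinations` function is there to show the design choice a provider can make: port-and-time attribution (the stated aim of IP address matching) needs the translation record, but it does not need the destination address, so a log that drops it still answers “which subscriber had this port at this time” while leaving “who visited this site” unanswerable.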

Hopefully I’m wrong.

(Some further reading for the more technically inclined is over at ISPReview. The comments are also worth a read.)

It’s been hard to miss the coverage of revelations that the US government has been scooping up data from tech giants such as Apple and Facebook – you’ve probably already seen newspaper reporting on the Prism project slides.

What’s surprising is that people think this is cause for renewed concern. Data in the cloud really should not be considered secure. The Americans have some sort of quasi-legal process for handling this, but I doubt other foreign intelligence services do. And if you are a big corporate, your data – blueprints, designs, release and pricing information – is probably of more interest to them too, as they can then give it to their own companies to produce cheap knockoffs.

And it’s not like the media in this country are any better behaved either. Personally, I regard all data on Facebook as near-enough public. Privacy settings stop my neighbours snooping but little else.

Rather more concerning is the UK involvement in this. According to the Guardian, “Prism would appear to allow GCHQ to circumvent the formal legal process required to seek personal material such as emails, photos and videos from an internet company based outside the UK.”

This is interesting in light of the recently proposed Communications Data Bill. If the security services already have access to the data, what was the bill for? One option is that it would have allowed open use of Prism data in UK courts, without raising questions as to its origin.

Another is rather more concerning: In exchange for Prism data we were expected to be able to generate similar data for the US on data travelling through UK-based servers and networks, building a global network of surveillance by states on each other’s citizens.

As we expected, the Queen’s Speech yesterday did not include a revised “snooper’s charter”. Well, mostly – the Guardian thinks otherwise, but whilst there are areas where the Civil Service are still pushing for better tools to tackle the war-on-terrorists-and-paedophiles they’ve chosen a different tack this time.

The general impression I’ve received from the briefing notes is that whoever prepared them has no idea what they are asking for.

Here is the excerpt from the Queen’s Speech Briefing Notes (PDF link, page 74). I am quoting this at length because the language is important to the following discussion.

When communicating over the Internet, people are allocated an Internet Protocol (IP) address. However, these addresses are generally shared between a number of people. In order to know who has actually sent an email or made a Skype call, the police need to know who used a certain IP address at a given point in time. Without this, if a suspect used the internet to communicate instead of making a phone call, it may not be possible for the police to identify them.

The Government is looking at ways of addressing this issue with CSPs. It may involve legislation.

Firstly, let’s look at the notion that a network can associate an IP address with a person. This is fairly easy to refute, because you just have to consider that most households have shared computers. So, what about at a computer level? Well, many households have a single account on a computer and many devices (e.g. iPads, phones, gaming consoles), and older operating systems do not have the ability to handle multiple users at all.

This problem is relatively easily solvable, technically. Simply require service providers to operate gateways that end users must log into individually using centrally-issued ID prior to accessing the internet. The technology is there because many large companies run such systems to track abuse, and this is certainly a much simpler challenge to solve than previous suggestions around logging everything that happens on the internet. Politically however, such measures would be suicidal. I don’t believe this is what is being proposed.

Rather more likely it seems, is the ability to identify an end device, rather than end user. The current generation of IP addressing – IPv4 – does not have enough address space to do this, hence the deployment of Network Address Translation (NAT) to share an IP address between multiple users. Your home broadband probably uses a single public IP for everyone in the house, and large organisations will also use one or a very few public IP addresses for all of their corporate traffic. This is necessary because there are just over 4 billion addresses theoretically available and significantly less than that by the time all the overheads have been taken into account. Ignoring that organisations like Facebook, Twitter and so on need IP addresses themselves to host their content, that’s still less than the number of people on the planet. And many of us have more than one device needing an address.

The next generation of IP, IPv6, has rather more addresses (just over three hundred trillion trillion trillion). But IPv6 is not ready yet, and mandating that everyone in the UK use it and could not ever use the older version again would cut us off from large portions of the internet. Economic suicide this time. Even if we could do this, privacy concerns with IPv6 have already been raised by the technical community. Originally, under a system called EUI-64, the last part of your address was derived from the hardware MAC address of your computer, a unique number rather like a serial number. People realised this allowed devices and users to be tracked rather easily, so they came up with a simple solution – every time your computer connects to an IPv6 network, the last part of the address is random and changes each time.

As a result, if IPv6 is the solution the mandarins are thinking of, they’ll need to have a specific UK version of computers with this privacy feature disabled. Possible, but difficult to enforce even if they find a way of forcing IPv6 deployment.
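The EUI-64 point above is easy to see by computing the addresses. The following is an added example (my own code, not from the original post): it builds the modified EUI-64 interface identifier from a MAC address as RFC 4291 Appendix A describes (split the 48-bit MAC, insert `ff:fe`, flip the universal/local bit), recovers the MAC back out of such an address, and contrasts it with a randomly generated identifier of the kind the privacy extensions (RFC 4941) use. The MAC and the `2001:db8::/64` prefixes are constructed sample values from the documentation range. The tracking problem is then just the observation that the same device produces the same identifier on every network it joins, while the random identifier gives no such link.

```python
import ipaddress
import secrets
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC:
    insert ff:fe between the OUI and the device part, then invert the
    universal/local bit (bit 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def random_interface_id() -> bytes:
    """A temporary identifier in the style of RFC 4941 privacy extensions: 64 random
    bits with the universal/local bit cleared so it cannot pose as a global EUI-64.
    (The RFC derives it from an MD5 chain; plain OS randomness is used here.)"""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def address_from(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 network prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers go with a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def interface_id_of(addr: ipaddress.IPv6Address) -> bytes:
    """The low 64 bits of an address: what stays constant across networks under EUI-64."""
    return int(addr).to_bytes(16, "big")[8:]


def mac_from_eui64(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Undo the EUI-64 construction. Returns None when the ff:fe marker is absent,
    i.e. the address does not look like it embeds a MAC."""
    iid = interface_id_of(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def same_device_across_networks(prefix_a: str, prefix_b: str, iid_a: bytes, iid_b: bytes) -> bool:
    """The tracking test an observer can run on two addresses seen on different networks."""
    return interface_id_of(address_from(prefix_a, iid_a)) == interface_id_of(address_from(prefix_b, iid_b))


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"   # constructed sample MAC
    stable = eui64_interface_id(mac)
    print("EUI-64 at home :", address_from("2001:db8:1::/64", stable))
    print("EUI-64 at work :", address_from("2001:db8:2::/64", stable))
    print("recovered MAC  :", mac_from_eui64(address_from("2001:db8:1::/64", stable)))
    print("linkable?      :", same_device_across_networks("2001:db8:1::/64", "2001:db8:2::/64", stable, stable))
    print("random, twice  :", same_device_across_networks("2001:db8:1::/64", "2001:db8:2::/64",
                                                         random_interface_id(), random_interface_id()))
```

Note that `mac_from_eui64` only needs the address: anyone who sees the packet, not just the ISP, can pull the hardware identifier out, which is why the fix had to be on the end device rather than in any retention rule.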

There is only one remaining interpretation of the briefing notes that makes sense, and the clue is in the last line regarding legislation and service providers. What they are concerned about is large scale address sharing, referred to as Carrier Grade NAT (CGN). With this, millions of users, such as on Vodafone or O2, are behind a single IP address. As old-school IPv4 addresses run out, big broadband operators may roll this out for those on fixed lines too. (BT are currently trialling this, for example.) The police and security services want to make sure the providers not only log all the technical information for these so they can identify a single household or mobile device, but that they keep the data for long enough to be useful. Where such data is logged by service providers, it is typically only kept for long enough to generate capacity planning reports and handle network abuse – hours or days. Law enforcement works on a much longer timescale, typically weeks or months, by which time the data has been thrown away.

However, it would appear the powers required to do all this are already enshrined in the existing Data Retention Directive. So it’s still a little unclear why all this needs to appear in the Queen’s Speech.

As is typical with internet policy matters coming from the government, it’s all a bit vague.

Dear Nick,

We love you really. Particularly after “I’m sorry”.

We were good boys and girls and folk of no particular gender and didn’t make noises about unseating you at conference, because we don’t believe that’s a good idea. (Even if the press would love it)

But you really, really need to learn to stop talking sometimes.

At conference during your Question and Answer session, you were asked about the draft Communications Data Bill. As you probably know this does not make headlines in the Guardian every day but is still something that worries many liberals. When Mark Pack asked you a question on it, you initially responded well with some spot on phrases:

“It’s a draft bill”.

“Unprecedented levels of scrutiny”.

“Julian Huppert”. (Julian’s mention being enough for a round of applause)

And finally, you confirmed what’s become known as “the Huppert Veto”. Despite the name, this is not the latest Tom Clancy thriller.

Well done.

But after about three minutes of not particularly intense questioning, it started falling apart. George Potter asked you if you’d taken any advice on the bill, or even read it before initially endorsing it. It’s fine to say the Home Office misled you. Really, we won’t mind. It happens, and we’re there to catch that sort of thing before it makes it into law. That’s the nice thing about the Liberal Democrats: We can do that, when other parties can’t.

Parroting out the lines that the “principles of the bill are extending existing powers” just makes you sound like you’re reading from a Home Office press release. It’s not just about “extending [existing] powers to other forms of communication, particularly Voice, Skype or whatever”. It’s far more than that, and we know it.

At least when the third questioner challenged you, the response was a reference to “Nasty people”. I’m pleased that we’ve dropped the tired old “paedophiles and terrorists” line. But the “Yeah, yeah” as if you understood what a VPN was didn’t make you look clever.

This is really, really technical.

If I was having to defend a highly technical motion related to the safety of nuclear reactors, or use of certain drugs in hospitals, I’d not even try. I’d get people in who understood the stuff, liberals I trusted, and let them get on with it. Please don’t pretend to understand it because we’re completely OK with the idea that it’s really not that easy.

Frankly, you’ve got other things to do. A country to run. We, led by Julian, can handle this one.

Instead, just remember these simple four words when questioned on the Communications Data Bill:

“I agree with Julian”.

Yours,

Zoe.

Last week, in the Home Affairs Select Committee, Dr Julian Huppert quizzed the Metropolitan Police commissioner on what he might spend £1.8bn of cash on. Those familiar with the draft Communications Data Bill will probably recognise that number: It’s the Home Office estimate of the total cost of implementing the Bill.

Q403 Dr Huppert: Commissioner, if for all of policing, including counter-terrorism and all the other things that you do, you found you had an extra £1.8 billion over the next 10 years, what would be your number one priority for how you choose to spend that money?

One would expect Mr Hogan-Howe to be “on message” when it comes to this as he was quite vocal when the draft bill was announced, describing the powers as necessary to wage a draconian-sounding Total War on Crime. This guy is one of the leading voices asking for the bill. Surely he must think it is good value for money?

Surprisingly, Communications Data would not be a priority. He’d rather spend the cash on other things such as community policing and general IT.

In fact, Communications Data didn’t even get a mention.

Bernard Hogan-Howe: It is a good question, and I would need a bit of time to think about it, but there are probably two main things. One would be to enhance the neighbourhood and community policing response. I think there is an opportunity there for us to do more. The second thing is I want to invest more in technology, not to replace the people necessarily, but we in the Met spend about £220 million a year on IT. Across the country policing generally spends £1.2 billion on IT. My point would be that it is more green screen than it is iPad, I am afraid, and it does not seem to catch criminals. Lots of lists, but ANPR catches criminals, facial recognition helps, fingerprints, DNA quick turnaround. These are things that I think over time can make a real difference, and of course it links us into the community and the victims in a far better way in which you see business deliver a service. I don’t think we are anywhere near that yet. So that is the two big areas that I would probably invest in. Probably the other one would be training. We have embarked on a quality programme and I think in the past probably the police service has seen training as a cost not an investment. For me it is an investment provided it is done properly and it is invested towards crime-fighting, which I think is vital.

(You can view this exchange on Parliament TV, starting from 11:02:23)

We already know that the proposals are incredibly expensive compared to the existing system and now even the police force primarily responsible for anti-terrorism don’t believe it’s good value for money.

So why are we doing it?

I’ve already put it online as a PDF, but here’s my submission to the committee on the draft Communications Data Bill in a slightly easier to read format.

QUESTION 1: Has the Home Office made it clear what it hopes to achieve through the draft Bill?

  1. Considering the draft bill itself, there is no apparent restriction on the powers that are granted by it, which does not give any way of assessing exactly what the intentions are. The powers could be used for deployment of “black boxes” en masse throughout the UK, could be used just to target known hotspots, or could just be used to attempt to intercept information to and from non-cooperative web site owners. There may even be no deployment of interception, with the bill just being used to retain additional information.

  2. In its publicity surrounding the bill, the Home Office (HO) stated legislation was needed because “New communications technologies are generating communications data in different ways and communications data is no longer always retained by communications service providers.” (Emphasis added) In oral evidence to the committee, Charles Farr and Richard Alcock also concentrated on the “data retention” aspect of the bill as being primary, rather than obtaining data via interception. (This is discussed further in answer to question 2.)

  3. It would therefore seem that the HO are publicly trying to state that the bill is about retention. However, the powers being asked for include obtaining data via interception, and the use of these powers has not been made clear or publicly discussed in any detail by the HO.

  4. The Home Office (HO) has also stated that it has spoken to a number of service providers who do understand their aims here. However, it is certainly not clear to myself or to anyone else I have spoken to in the industry what the aims are. It may be that those who have been spoken to are not themselves technical, but instead managers in effect bidding for a slice of the £1.8bn on offer. As a result, without knowing who the HO have been communicating with, one should be wary of accepting assurance that the concerned service providers are happy (technically or otherwise) with the HO proposals. Even if the HO genuinely believes the assurances given to it by service providers, the assurances it has received may not have been made entirely in good faith and from a disinterested position.

  5. Multiple Freedom of Information requests have been made to the Home Office on the topic of who they have spoken to, both for the draft bill and existing data retention regimes, and also enquiring as how they arrived at the costs stated. All have been entirely or mostly refused (1, 2, 3, 4, 5) so there is no clarification available via that route as to either the value of any assurances apparently given by service providers or the aspirations of the bill in general.

  6. Other potentially useful information on the bill has also been suppressed by the HO. For example, they attended a conference run by the London Internet Exchange (LINX) and presented a half hour slot to Internet Service Providers (ISPs) on the bill. The conference attendees were not security cleared and included foreign nationals, but despite this the HO refused permission to allow LINX to release the video for download to members who were not present at the meeting, and additionally stated that they would never disclose who in the industry they had talked to in order to stop people simply switching ISPs.

  7. The above facts combined – overly broad content in the bill, concentration on “data retention” in evidence to the committee, refusal to answer Freedom of Information requests and limiting circulation of information – would suggest that the HO simply does not want more than vague details of its aims to be public knowledge for security reasons. That approach makes any useful, democratic assessment of their request a practical impossibility and also seriously damages any prospect of meaningful oversight.

QUESTION 2: Has the Government made a convincing case for the need for the new powers proposed in the draft Bill?

  1. In oral evidence to the committee, Charles Farr, Director General of the Office for Security and Counter-Terrorism, states that much of the current problem is down to “ambiguity” in the Data Retention Directive (Q7) and also goes on (Q9) to state that he believes the draft bill will increase the proportion of successful requests for data from 75% to 85%. This concentration on data retention (versus data acquisition) is further reiterated by Richard Alcock (Director of Communications Capability Directorate) in his answer to Q74, where he states that the costs are around data retention.

  2. What is not addressed is why simply updating the UK implementation of the data retention directive would not be sufficient to achieve the stated 10% uplift if this is simply a data retention issue.

  3. There is mention in the same session of cooperating with European, not UK, providers in retaining this data and that differences in the implementation of the Data Retention Directive (DRD) across Europe were part of the problem. It is not explained how a bill passed in the United Kingdom could be used to require European providers to retain data: Either the providers somehow fall under UK law by virtue of doing business here (In which case they would be subject to a UK “clarification” or update of the Data Retention Regulations 2009) or they are not subject to UK law, in which case any agreement with them would not be influenced by new legislation.

  4. Although effort has been made to justify retention of additional data, no serious attempt appears to have been made by the Home Office to justify the additional powers of interception and of obtaining additional data that the bill would grant.

QUESTION 3. How do the proposals in the draft Bill fit within the wider landscape on intrusion into individuals’ privacy?

And:

QUESTION 4. What lessons can be learnt from the approach of other countries to the collection of communications data?

  1. Based on an analysis of data released by Google, the UK has, per capita, the most investigated population in the world in terms of communications data. Other countries may engage in snooping directly on their citizens, rather than requesting data from companies such as Google, but the UK would be unique amongst western democracies should it engage in such practices, and this would largely be uncharted territory.

QUESTION 5. Are there any alternative proposals with regard to the technique and cost of obtaining communications data that the Government could consider?

  1. As discussed previously, updating the Data Retention (EC Directive) Regulations 2009 to cover more data should be considered. However, the HO have been reluctant to release enough information on what they hope to achieve which makes proper consideration of any alternatives difficult.

QUESTION 6. The draft Bill sits alongside the Data Retention Regulations. How will these two pieces of legislation interrelate? Would it be preferable to have one overarching piece of legislation that governs the retention of communications data?

  1. It would appear that, as written, the bill would supersede the Data Retention Regulations in all respects. There would appear to be no circumstances under which it would be worthwhile for the Secretary of State to issue further notices to service providers under section 10 of the regulations should the bill be passed. As a result, the regulations would cease to have any real world effect once all current providers are notified of their new obligations under the proposed bill.

QUESTION 7. If it is concluded that the provisions of the draft Bill are essential, are there any other measures that could be scrapped as a quid pro quo to rebalance civil liberties?

  1. The draft bill gives the potential for near-total omniscience to the state within the communications world. Given that people’s lives are increasingly integrated with electronic devices and the Internet, the scale of any scrapping of existing powers outside of the bill itself to rebalance liberties would have to be staggering in its scope.

QUESTION 9. Is the estimated cost of £1.8bn over 10 years realistic?

  1. Despite multiple Freedom of Information requests, as noted in the answer to Question 1, the HO has yet to produce any breakdown of its costs beyond simply stating that around half the cost is retention. As it has also not been made clear what the aims and objectives of the bill are, it is not possible to determine if this is realistic.

QUESTION 10. The Home Office suggests the benefits that could be delivered by the enactment of the draft Bill could be worth between £5‐6bn. Is this figure realistic?

  1. The HO have not released any breakdown of this benefit, so it is hard to analyse. It would appear that some of these benefits, based on evidence given orally by Charles Farr, are based on notional values of human life etc., for which we do not have numbers.

  2. However, a basic sanity check can be performed. There were 414,400 successful requests in 2010 (75% of 552,550) and the HO have stated in oral evidence to the committee that they hope for an increase in successful requests from 75% to 85% as a result of the bill, meaning an additional 55,255 requests. If those extra requests account for the claimed £5-6bn of benefit over ten years, that is roughly £9k per successful request; applied to the existing 414,400 successful requests a year, the current Data Retention regime would then be delivering a value of £3.75bn per year. That number seems large and I would have expected to see more publicity surrounding the benefits of the existing system, but it is a feasible figure given that the HO aims to “prevent revenue loss through tax fraud and facilitating the seizure of criminal assets”.

QUESTION 13. How robust are the plans to place requirements on communications service providers based overseas? How realistic is it that overseas providers could be pursued for breach of duty?

  1. The UK would appear to have no legal recourse against foreign service providers who do not, entirely voluntarily, comply with the proposed bill. If the HO did attempt to find a way to pursue foreign service providers with no UK base, this would set a very unwelcome precedent. UK service providers may then have the burden of complying with laws and regulations in every other country connected to the Internet, in case a user from that country visits their site.

QUESTION 16. Applications for accessing communications data will be subject to a series of safeguards including approval by a designated senior officer within the public authority making the request. How should “designated senior officer” be defined? Is this system satisfactory? Are there concerns about compliance with Article 8 ECHR?

And

QUESTION 17. Would a warrant system be more appropriate? If you favour a warrant system should this apply to all public authorities including law enforcement agencies? Should a warrant be necessary in all circumstances? And what would the resource implications be?

  1. Independent oversight of requests is certainly desirable, but a “warrant” could be granted by the Secretary of State or their nominated representative, which lacks sufficient independence. It would be more appropriate to specify that a judicial warrant is required.

  2. The main objection to requiring warrants by the HO has been time, in critical cases, and cost. On the topic of time, there is no reason why the vast majority of non-time-critical requests (Priority Grade 3, under the current RIPA system) should not require warrants. Such a system must mandate retrospective judicial approval of any high priority (Grade 1) requests to prevent abuse, with automatic reporting of any failed retrospective requests and investigation by the commissioner. The commissioner has already identified “serious non-compliance” by a number of police forces under the current oral approval system, which is a major cause for concern if not addressed. (2011 Annual Report of the Interception of Communications Commissioner, Page 35)

  3. For cost, the overall cost of the proposed system amounts to £3,257 per successful request. The cost of applying for a warrant does not appear to constitute a major additional burden in light of this.

QUESTION 18. Is the role of the Interception of Communications Commissioner and the Information Commissioner sensible?

  1. The roles in theory are welcome, but the commissioners have proven themselves to be relatively toothless and do not properly investigate problems. A much stronger system of oversight is required.

QUESTION 19. Are the arrangements for parliamentary oversight of the powers within the draft Bill satisfactory?

  1. As noted previously, the HO have been extremely reluctant to provide any information to the committee in evidence to support the bill. There is no reason at this stage to believe they would be any more cooperative when it comes to future oversight. The draft bill should enforce tough, thorough and public reporting by the HO and all organisations granted powers or obligations under the bill.

  2. It is notable that the proposed system of interception involves the Secretary of State mandating the equipment and configuration to be used by service providers, meaning it is unlikely that service providers will have any meaningful insight into the operation of the system. This will mean that the only organisations who really know what is going on are the HO and the (so far unidentified) suppliers of the equipment. This potentially means that no independent oversight of the technical implementation of the bill will exist at any level.

QUESTION 21. Are the penalties appropriate for those public authorities that inappropriately request access to communications data? Should failure to adhere to the Code of Practice which is provided for in the draft Bill amount to an offence?

  1. It should be a criminal offence to wilfully disregard any communications data provisions, to prevent managers and staff refusing to take responsibility for the significant powers granted to them, in a similar way to the driver of a vehicle – and not his employer – being liable for offences committed behind the wheel. However, history has shown that prosecutions for such offences rarely take place as they are deemed not to be in the public interest, and this is as critical a problem as the penalties themselves. Mandating investigation by the commissioner, with a strong presumption of prosecution by the CPS, would go some way to solving this issue.

QUESTION 22. Does the technology exist to enable communications service providers to capture communications data reliably, store it safely and separate it from communications content?

  1. On the scale required by the HO, no. No evidence has been presented by the HO to suggest otherwise, or to show how they would handle the non-standard and ever-evolving protocols used by many sites.

  2. As an example, in the 2010 film “Four Lions”, the jihadists converse over a web site that appears to be based on Disney’s “Club Penguin”, an online game for children. The protocol used for communication between such sites and the client software running on the user’s computer will be completely proprietary and can change entirely at the whim of the developers, so any “black box” that separates communications data from content for that protocol has to be rebuilt every time the developers change it.

QUESTION 23. How safely can communications data be stored?

  1. Security is a trade-off between the usability and accessibility of the data versus its value and the impact if it is compromised. The value of the data held by Service Providers will be huge, representing a valuable asset for corporate espionage, potentially funded by foreign governments.

  2. Such a high-value asset needs to be protected very robustly and, although service providers generally have a good track record in keeping critical data secure, breaches do happen. This is a significant risk, the impact of which should be properly and fully investigated and reported on by the HO, and accepted as being necessary prior to the bill being passed.

QUESTION 25. How easy will it be for individuals or organisations to circumvent the measures in the draft Bill?

  1. It would seem to be trivial to circumvent, unless the HO has some mechanism of decrypting all traffic that is not known to the rest of the world. (See discussion in answer to Q26 for more on this)

  2. The government of China, which has thrown significant resources at its “Great Firewall of China” project, has been trying to simply block – not even intercept – unapproved internet sites. Despite this, it remains the case today that people are able to bypass this system using technologies such as “tor”. There is no reason to believe the HO would be significantly more successful at interception than other governments have been at the simpler task of blocking.

QUESTION 26. Are there concerns about the consequences of decryption?

  1. Potentially, yes, as we do not know how the HO intends to break encryption other than a simple statement that they can. There is a real danger that “man-in-the-middle” attacks on encryption might expose UK users to additional security risks or generally destabilise the internet in unwelcome ways. To avoid security and stability problems created by interception, it should be a requirement of the bill that interception may only be passive and must not alter the contents of the communication in transit.

  2. Worse, in a nightmare scenario, whatever technology is deployed at the service provider level by the HO to decrypt traffic is stolen from a data centre by criminals or members of foreign intelligence agencies, potentially exposing a very large number of users to security risks and huge financial implications.
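The passive-versus-active distinction drawn in the answers to Q25 and Q26 is easier to see in code. The following is an added example and not part of the original submission: a toy Diffie-Hellman exchange in pure Python, with a passive wire tap (sees both public values and the ciphertext, learns nothing) and an active interception box that substitutes its own public value in each direction and reads everything. It also shows why active interception is the fragile option: if the client has pinned a fingerprint of its peer's public value, the substitution is detected and the connection aborts. The group parameters, the HMAC-based stream cipher and the pinning of a static DH value are assumptions for illustration; real TLS authenticates ephemeral values with certificates and signatures, and none of these parameters are secure.

```python
import hashlib
import hmac
import secrets

# Toy group: a 127-bit Mersenne prime and generator 5, chosen so the example
# runs instantly. Assumed for illustration only; real deployments use a
# 2048-bit or larger group and this parameter set is NOT secure.
P = 2**127 - 1
G = 5


def derive_key(shared_secret: int) -> bytes:
    """Hash the DH shared secret into a 32-byte symmetric key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def fingerprint(pub: int) -> str:
    """What an endpoint would pin: a digest of the peer's public value."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode). Symmetric, so the
    same call both encrypts and decrypts. Not for real use."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


class Party:
    """One endpoint (or the interception box) holding a DH key pair."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def key_with(self, peer_pub: int) -> bytes:
        return derive_key(pow(peer_pub, self.priv, P))


def passive_tap(message: bytes) -> dict:
    """A passive tap sees both public values and the ciphertext. Bob can
    decrypt; the tap, holding neither private value, cannot."""
    alice, bob = Party("alice"), Party("bob")
    ciphertext = stream_xor(alice.key_with(bob.pub), message)
    # The tap's best effort short of solving the discrete log: combine the
    # two public values it observed and hope. This is not the shared secret.
    tap_guess = derive_key(alice.pub * bob.pub % P)
    return {
        "bob_reads": stream_xor(bob.key_with(alice.pub), ciphertext) == message,
        "tap_reads": stream_xor(tap_guess, ciphertext) == message,
    }


def active_mitm(message: bytes, alice_pins_bob: bool) -> dict:
    """An interception box replaces each side's public value with its own.
    Without pinning it decrypts, reads and re-encrypts unnoticed; with a
    pinned fingerprint of Bob's public value, Alice detects the swap."""
    alice, bob, box = Party("alice"), Party("bob"), Party("intercept-box")
    pinned = fingerprint(bob.pub)  # learned out of band beforehand

    received_by_alice = box.pub  # the box sent its own value, not Bob's
    if alice_pins_bob and fingerprint(received_by_alice) != pinned:
        return {"bob_reads": False, "box_reads": False, "detected": True}

    # Alice -> box under the Alice/box key, box -> Bob under the box/Bob key.
    ct_to_box = stream_xor(alice.key_with(received_by_alice), message)
    plaintext_at_box = stream_xor(box.key_with(alice.pub), ct_to_box)
    ct_to_bob = stream_xor(box.key_with(bob.pub), plaintext_at_box)
    bob_plain = stream_xor(bob.key_with(box.pub), ct_to_bob)
    return {
        "bob_reads": bob_plain == message,
        "box_reads": plaintext_at_box == message,
        "detected": False,
    }


if __name__ == "__main__":
    msg = b"meet at the usual place, 9pm"  # constructed sample message
    print("passive tap:", passive_tap(msg))
    print("active box, no pinning:", active_mitm(msg, alice_pins_bob=False))
    print("active box, pinned peer:", active_mitm(msg, alice_pins_bob=True))
```

The point for the bill is the third case: once endpoints authenticate each other, an active box either fails open (users see errors, switch provider or protocol) or has to be trusted by the client, which is exactly the key material that the nightmare scenario above worries about being stolen.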

There was some mention of costs in the recent Communications Data Bill committee hearings and I also ran across an interesting Freedom of Information request on the costs of the current system, so I thought I’d take a look at them side by side. Which system gives better value for money, the existing Data Retention or the proposed Communications Data Bill?

Cost-per-request under the Data Retention Directive

There are three pieces of useful information here. Firstly is the evidence of Charles Farr, Director General of the Office for Security and Counter-Terrorism. From his answer to Question 6 in oral evidence to the Communications Data Bill Committee: “As you know, we have put, based on our survey of the relevant organisations, a figure of 25% of data that organisations would like to get access to but cannot.” (In other words, 75% of the data is available)

Secondly is Question 10 from Michael Ellis MP: “in 2010 there were over half a million requests for communications data: 552,550.” In combination with the above 75%, that gives around 414,400 successful requests in 2010.

And finally, we have a Freedom of Information response to Caspar Bowden from which we have the yearly cost of running the Data Retention programme. Taking an average for 2009-10 and 2010-11 (Presumably Fiscal years) we find an average for 2010 of £13.15 million.

That’s quite a simple calculation to do: Each successful data request has a data retention cost of £31.76.

Cost-per-request under the Communications Data Bill

Again, Charles Farr has given us some useful information here. In response to question 9, he believes they will “improve our coverage to a figure of what we think should be in the region of 85%, as opposed to 75%, which is where we are now”.

I’ll be generous here and assume they actually get an immediate increase from 75% to 85%, although even Mr. Farr admits that’s not likely and they won’t see the 85% figure until 2018. That means an extra 55,255 requests for data would be successful based on their figures.

As for the cost, Dr Julian Huppert’s Question 73 states “The Home Office estimate is that the cost of this Bill as it currently is would be £1.8 billion over the next 10 years.”

So that’s £180 million a year for 55,255 more successful requests – or £3258 per request, over 100 times more expensive than under the current data retention regime.

So this additional cost is all the “black boxes” snooping on people, right?

Not according to Richard Alcock, Director of the Communications Capabilities Development Programme. From question 73: “The majority of the costs are around data retention. Over 50% are associated with working with communications service providers in the UK, to establish data retention stores.” It would seem that despite their claims that the new bill is mostly about improving data retention, their idea of data retention is significantly more expensive (and thus much more extensive?) than the current system.

This discrepancy presumably explains why, despite complaints that much of the existing problem is that the Data Retention Directive is “ambiguous” and does not go far enough

But what about the benefits? There is a claim (Question 76) that this will have a benefit of £600 million per year. When asked to justify this by Dr Julian Huppert MP, Charles Farr included the phrase “We then attached a monetary value to lives saved”. In other words, it’s not a saving, just an analysis of the benefits. We do not have the raw numbers as the Home Office have not released them, so we can not assess if that “value” of lives saved is actually better spent not snooping on people, but in hospitals.

If we assume the Home Office are being honest in response to Freedom of Information requests, it may simply be that the £1.8 billion figure is made up. (This would not be the first time we have caught someone making up such figures) When I requested a breakdown of the costs of the proposed system, they claimed it would take in excess of 100 hours to compile the information. Which rather sounds like “We do not have this”.

Featured on Liberal Democrat Voice

Yesterday, the first set of evidence into the Home Office’s controversial interception plans was heard in front of the special committee established to look at the draft bill and you can watch the video on Parliament’s web site. (More is scheduled for this afternoon).

We learnt a few things about what’s being planned as a result of the evidence given, which was predominantly given by Charles Farr, ex-MI6 man and Director of the Office for Security & Counter-Terrorism.

Firstly, the existing Regulation of Investigatory Powers Act and Data Retention Directive are allowing police and security services to get access to around 75% of the data they are after. It’s envisaged that the wide-scale interception of communications data would increase that to 85% – so by only ten percentage points, which seems a huge cost in both monetary and civil liberties terms for a relatively small increase. The existing shortfall was attributed in part to “ambiguities” in the EU Data Retention Directive as it’s implemented in the UK.

Secondly, when asked about their ability to break cryptography, the Home Office mandarins ducked the question, instead saying that their preferred method was to “co-operate” with (i.e. coerce) service providers. This would be the likes of Google, Facebook and Twitter, both UK-based and foreign, so that they stored the communications data themselves.

They were quite clear on this point when asked about “black boxes” too and not just crypto – even though interception is the very first clause in the draft bill, they claim the main thrust is retaining data at the service provider.

A big hole in their argument as a result is that they have not made clear why altering the existing Data Retention Directive to allow this isn’t enough. There is a big difference in liberal terms between being asked to retain data you already have and actually listening in to obtain data.

The issue that remains is foreign non-cooperative service providers who cannot be coerced and the Home Office seems to imagine only intercepting communications as it enters and leaves the UK, and not widespread interception within the UK. This approach will cut the number of boxes they need. They may not even need to talk to big household-name service providers to do this, instead targeting the lesser-known (To the public) fibre providers who offer the bits of glass that go under the oceans, seas and English Channel.

This has the side effect of also intercepting private (Non-internet) traffic and communications transiting the UK from, say, the US to Germany. I’m sure this point hasn’t been lost on those pushing for it.

In terms of capability, the spooks believe it will be nearly impossible to remain anonymous with the volume of data they are able to collect, something that has sinister overtones for anyone with a genuine need to speak out against the establishment or against the police. You don’t even need to look as far as China to see this in action, as it would be the police justifying the use of interception and there is far from universal trust of the police to regulate themselves in this country.

On the topic of the police self-justifying their use of powers, requiring warrants to obtain data for lesser needs (e.g. Harassment and Non-payment of fines) was discussed and the Home Office did not seem to have a good reason why this shouldn’t be the case. Their argument in favour of allowing minor offences to be included is that they might escalate into more serious offences, and that’s OK because they don’t (ab)use these powers much. (Yet…)

Finally, they were asked by one MP if they could rule out “fishing” expeditions where they would obtain the data from hundreds of users but they were not able to do this. The example given was if they know a suspect was at a certain place, they might pull the communications data for everyone in that area at that time.

For those interested in this, there is also an ongoing consultation where you can submit evidence direct to the committee.