Published by The Lawfare Institute
in Cooperation With
The United Kingdom is a surveillance state, one far beyond the world envisioned by George Orwell. Between the GCHQ's efforts to bulk-record Internet traffic at the UK's borders, the modern data collected and accessible to law enforcement, and the panopticon of cameras, UK citizens are already living in Orwell's nightmare. The proposed Draft Investigatory Powers Bill makes it official and further strengths the surveillance state.
The whole bill is huge, some 300 pages of legal text, explanatory notes, and scare stories designed to frighten people with terrorists, murderers, and child pornographers. Undoubtedly there are other interesting privacy landmines lurking in the text. But a bit of simple searching reveals a parade of easy to abuse horribles.
Communications data, what the US generally calls "metadata", is expanded in requirements, including a specific requirement that enables forcing Internet Service Providers to maintain metadata. Clause 71 enables the Home Secretary to mandate the retention of "Relevant communication data" for all customers for a year. This includes sender, recipient, time and duration, type of communication, the location, the IP address and other identifiers.
For ISPs, this requires effectively keeping both netflow records and DNS logs for all customers to create "Internet Connection Records". Netflow records "Computer X talked to computer Y at time T, transferring this many bytes", while DNS logs say "Computer X looked up name N". Although its true this isn’t "all URLs", it does represent a huge swath of a user’s web surfing. A snooper with this data doesn’t know the individual page, but does know the site and, using volume and timing, can potentially learn considerably more. It does explicitly exclude the actual URLs, so the snooper can know which porn sites a target visits but, without significant inference, won’t be able to determine what particular fetish attracts the target.
Another issue is location. The cellular companies can (and undoubtedly will) be mandated to act as a global tracker for everyone on British soil, as every SMS message, data push request, or phonecall generates a communication data record which should include the user’s location. We already know that some providers in the US maintain such data to 200m resolution, so it can be reasonable to expect British carriers to meet the same requirement.
Critically, there is no warrant or other outside oversight required for authorities to access this data, but just an affirmation to a designated individual in the particular investigatory organization responsible. And the resulting data really is massive: "everywhere a person goes, every site he visits, everyone he contacts". Clause 46 (7) details the complete conditions, including "economic wellbeing", any crime, collecting taxes, and public safety. Yes, this is effectively a general warrant for the entire picture of a person's life, without even the paperwork of a general warrant.
The crypto wars are not over. Unlike CALEA, which specifically exempts providers from breaking crypto if they don’t have a key, this bill does not include such an exception. Instead clause 31 simply requires that the operator not have to take any steps which are not "reasonably practical". So under this clause, all that needs to happen is for the British government to claim that adding a backdoor to the crypto is "reasonably practical" (if insanely stupid) and they can force providers, including Apple, to include such backdoors. It also doesn’t matter where the provider is, the wiretap section claims universal jurisdiction.
This bill legalizes what the GCHQ already does: Intercept and record, in bulk, a massive amount of content and metadata with a "one side foreign" standard for data access. So unless a communication exists entirely within the British Islands, GCHQ can sweep it up into their systems. It doesn’t represent a new power on collection, it just simply ensures that what they do is technically legal. But the use is potentially sweeping (Clause 107). Not only are bulk warrants justified for national security, but also "preventing or detecting serious crime" (something clearly outside the more restrained NSA mandate) or "in the interests of the economic well-being of the United Kingdom". To me, this reads like an invitation for what the rest of the world would call economic espionage.
Information sharing with the NSA, or any other intelligence agency, remains intact (Clause 118), as the Home Secretary can simply certify that the NSA is going to follow the same rules as the GCHQ. Finally, accessing the bulk data depends on location of the "target" (Clause 119). If the target is non-UK, even if they are communicating with a UK person or are a UK citizen just outside of the country, there is no warrant requirement for searching the data.
Bulk Personal Datasets
Probably the most scary portion, however, concerns "Bulk Personal Datasets" (clause 150), permission to use large datasets which are acquired by the intelligence agencies. The bill does not specify how the intelligence agencies can acquire such data, but once they have it, they can basically do anything they want to with it. The oversight is on acquiring the data, not using it.
So what is "Bulk Personal Datasets"? Basically anything. Drivers license data for everyone in Britain. People who’ve ever expressed an interest in gun ownership. If the GCHQ can persuade Facebook (perhaps with a suitable pile of money), they could get everybody’s page views through the Like button. The potential for abuse of these datasets is limitless. The only real constraint is how the data is acquired. The intelligence agencies can beg, borrow, buy, or steal, but this (currently) includes no mechanism to legally compel.
Overall, the British Investigatory Powers Bill appears to be a big pile of bad news for inhabitants of the British Isles. The world proposed by this bill makes Orwell’s telescreens seem comfortably quaint.