The Investigatory Powers Bill – which could allow police to hack mobile phones, computers and web browsing history – provides a unique opportunity to lead global surveillance regulation. But, rushing the Bill through parliament without adequate scrutiny is a potential recipe for disaster.
That’s according to Ray Corrigan, senior lecturer in maths, computing and technology at the OU. Here he reports on the most recent updates to the Investigatory Powers Bill, including its flaws…
Following serious criticism by three parliamentary committees, the UK government have presented a revised 242-page version of their Investigatory Powers Bill to parliament.
It is a mammoth task to expect parliamentarians to analyse this long and complex Bill in a short timescale. But it looks as though that is what they will be asked to do.
Only ‘seen’ by computers
There is a basic misunderstanding at large in Westminster – the idea that collecting and retaining bulk personal data is acceptable as long as most of it is only ‘seen’ by computers and not human beings.
This is a line that has been promoted by successive governments for years and seems to be widely accepted. Yet it is seriously flawed.
The logical extension of such an argument is that we should place sophisticated electronic audio, video and data recording devices in every corner of every inhabited space; thereby assembling data mountains and digital dossiers on the intimate personal lives of the entire population.
Unlawful bulk data retention
Whether or not mass indiscriminate personal data collection and retention is only ‘seen’ by computers it has been repeatedly found to be unlawful. It has been described by many courts as unconstitutional and/or a disproportionate unjustified interference with the fundamental right to privacy, free speech and confidentiality of communications.
I would contend that this bulk powers approach is unnecessary, disproportionate and incompatible with the rule of law. Just as Graham Smith has noted, state-compelled lists of our reading habits are repugnant.
Real or cosmetic changes?
The government insist they reflected most recommendations made by MPs and peers in the new draft. Yet, since the last of those critical committees published their report only a little over a couple of weeks ago, it appears they have simply made cosmetic changes to the original Bill. It would have been astonishing if they had been able to address all of the criticisms substantively in such a short time.
What policymakers need to understand is that finding a terrorist is a needle in a haystack problem; and this Bill will throw infinitely more needle-less hay on the stack.
Past perpetrators of terrorism (Paris, 9/11, Lee Rigby murder) were known to security services but were lost in the oceans of data they are drowning in. Even if an IP Bill mandated magic terrorist catching-machine, watching the entire population of the world, and was 99 per cent reliable, it would flag too many innocents for the security services to investigate and swamp the services in unproductive activity.
Digital technologies need to be used intelligently and engage in the surveillance of individuals about whom authorities have reasonable cause to harbour suspicion.
Security is hard
Generally speaking, giving the government the power to hack the internet is really bad security hygiene, undermining communications infrastructure for everyone.
Securing systems of the magnitude of those used by security agencies and industry, and effectively proposed in the IP Bill, from external hackers or the multitude of insiders who have access to these databases, is incredibly difficult. The recent TalkTalk hack compromising the personal data of 157,000 customers should be a salutary lesson on this front. There was an even more serious and potentially life threatening compromise of the systems of US government’s Office of Personnel Management. The complete dossiers of tens of millions of US federal employees, their families and others who had applied for government jobs were stolen.
When you create large and valuable databases they attract attackers.
Less protection than a criminal
The government has the right to intercept, retain and analyse personal information, when someone is suspected of a serious crime. However, current operations and the powers and processes proposed in the draft IP Bill involve collection of personal data indiscriminately, in bulk and without suspicion. This is, in effect, mass surveillance.
Due process requires that surveillance of a real suspected criminal be based on much more than general, loose, and vague allegations, or on suspicion, surmise, or vague guesses. To operate the mass data collection and analysis systems proposed in the IP Bill, thereby giving the entire population less protection than a genuine suspected criminal, is indefensible.
It’s time Parliament brought these modern costly, ineffective and damaging surveillance practices into line with that rule of law rather than, as with the IP Bill, attempting to shape the law to facilitate and expand them in scale and scope.
The Investigatory Powers Bill provides a unique opportunity to create a modern world-leading framework for surveillance regulation. Rushing the Bill through parliament without adequate scrutiny is a sure fire recipe for making the situation worse not better.