The Intelligence and Security Committee (ISC), which is responsible for overseeing all the intelligence agencies in the UK, including the GCHQ, MI5 and MI6, issued a scathing review of the government’s Investigatory Powers Bill (IPB), calling it inconsistent, overly broad in its definitions, and lacking serious privacy protections. The criticism comes after another Parliamentary committee criticized the bill for many of the same shortcomings.
Lack Of Transparency
The first criticism is that the bill doesn’t even achieve one of its primary goals, which was to consolidate all the other scattered surveillance bills in the UK. This is also a problem for transparency, because it’s not clear how the surveillance powers will be used in all cases. The ISC recommended last year that the previous legal framework should be replaced by a new Act of Parliament, wherein all the capabilities and how they can be used can be specified.
The ISC strongly believes that this bill should enable higher transparency, as the lack of transparency was one of the main reasons why the intelligence agencies were involved in large controversies over the past few years in the first place. If the transparency is there, then it will be easier to verify in exactly what type of actions the intelligence agencies engage.
No Universal Privacy Protections
The Committee criticized the government for specifying privacy protections only for certain sensitive professions (journalists, lawyers, etc.), but the bill doesn’t include universal privacy protections that apply in all situations. The ISC believes there should be an additional part in the bill that covers this.
The Committee actually seems surprised that after all of the Snowden revelations, which made many people much more aware of their privacy, the IPB doesn’t take privacy more seriously.
“One might have expected an overarching statement at the forefront of the legislation, or to find universal privacy protections applied consistently throughout the draft Bill. However, instead, the reader has to search and analyse each investigatory power individually to understand the privacy protections which may apply. This results in a lack of clarity which undermines the importance of the safeguards associated with these powers,” said the Intelligence and Security Committee.
Although the Investigatory Powers Bill seems to have been built around the surveillance powers and then with some privacy protections tacked on, the ISC thinks it should’ve been written the other way around -- the privacy protections should’ve been the backbone of the bill, with certain clear exceptions for surveillance where needed.
The Committee also said that terrorist attacks shouldn’t be used as an excuse to unnecessarily override fundamental privacy rights.
Bulk Hacking Too Broad
The ISC thinks that the “Bulk Equipment Interference” (another word for hacking), and “Bulk Personal Datasets and Communications Data,” are defined too broadly and aren’t clear enough.
Some of the intelligence capabilities for “property interference,” given by Intelligence Services Act 1994, were not brought into the IPB, which means they remain “secret” and without proper safeguards. The Committee recommended that all IT operations are brought under the provisions of the new legislation.
The bill includes provisions for Targeted and Bulk Equipment Interference, but Targeted EI seems to cover targets as broad as another country’s intelligence agency. Therefore, the ISC is not convinced that the Bulk EI is necessary at all. The head of the GCHQ also couldn’t properly explain why Bulk EI may be necessary now or in the future. The Intelligence Committee recommended that all Bulk EI provisions are removed from the bill.
The ISC also found it “curious” that the bill says that the Targeted EI requires only a “warrant” (from the Home Secretary) when the surveillance is done within the UK, but the warrant becomes “optional” when the surveillance happens abroad. However, the Committee believes this is a mistake, because if the warrant becomes optional, then the agents will never ask for it. It recommended that a warrant should be necessary for a Targeted EI whenever it is practical to obtain one.
Agencies Too Reliant On Bulk Surveillance
In the Investigatory Powers Bill, there are two types of Bulk Personal Datasets: the Specific BPD, which requires approval from the Home Secretary, and the Class BPD, which does not. An example of Class BPD would be “travel data.” The intelligence agencies told the Committee that, more often than not, the requests will be for Class BPDs and not Specific BPDs.
The ISC said that class authorizations should be kept at an absolute minimum and they should be subject to greater safeguards. Although the agencies said it would be too much work to ask for individual warrants, the Committee thinks that privacy rights are too important to be dismissed as easily as the agencies do it. It also said the intelligence agencies shouldn’t be too reliant on bulk surveillance, which provides too much unnecessary data. The ISC recommended that the provisions for Class Bulk Personal Datasets should be completely removed from the bill.
The Committee also found that the provisions for bulk surveillance of communications data were inconsistent and unclear. The bill leaves it up to the intelligence agencies to define their own policies for collection of communications in bulk. The ISC believes that this shouldn’t be left up to the agencies, and the policies should be included in the IPB, as law.
The bill includes language that allows the Secretary of State to issue warrants for both “national security” reasons and for “economic well-being, if relevant to national security.” However, the ISC believes the latter is redundant, if it’s indeed covered by national security. It also couldn’t get a straight answer from the intelligence agencies as to why that clause would be necessary.
The Committee asked the government to be more clear in what it means by “operational purpose” when the intelligence agencies request bulk surveillance warrants.
The IPB currently provides a loophole for the agencies to spy on a UK person for five days without needing any warrant. The ISC recommended that there should be additional safeguards, such as allowing mandatory retrospective scrutiny by the Judicial Commissioners. It also said the five-day grace period should be reduced to two working days. Six month-long “thematic” warrants should also be shortened to one month.
Although, for instance, in the U.S., the Senate Intelligence Committee was quick to defend the NSA’s mass surveillance actions in light of Snowden’s revelations, it’s refreshing to see that the UK Intelligence Committee actually wants to put strong safeguards in the new Investigatory Powers Bill that takes privacy rights as a given. The Committee believes that the government should take its time to do the bill right this time, before proposing another draft.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.