The Investigatory Powers Bill – it’s time to take a closer look

The so-called ‘Snooper’s Charter’ is being rushed through the UK Parliament.

Philip Le Riche (@pleriche)


The Draft Investigatory Powers Bill was published last November amid much speculation about its implications for privacy. Following a period of consultation, review, and much further work, the Bill itself is now going through the UK Parliament.

In a previous article I concluded that although there were areas of concern the Draft Bill wasn’t half as bad as many of the prophets of doom had predicted. After all, spooky stuff is what we expect our spooks to do, and now, at least, their spookier activities were being brought much more into the open, and what’s more were being placed under judicial review.

The Bill now before Parliament isn’t easy to get to grips with. Together with Explanatory Notes, a Briefing Paper, two Operational Cases, three Committee Reports, six Codes of Practice, 15 Factsheets, a Government Response to Pre-legislative Scrutiny, and several other Overarching Documents, you have (if I can count and haven’t missed anything) some 1360 pages to digest to get the whole picture!


I’ll be the first to admit that I may not have the whole picture. I’d probably die of boredom first.

One thing that’s clear is that the security and intelligence services themselves are very strongly behind the increase in accountability and transparency. The best defence against a British Edward Snowden is to have nothing to hide, except what you have to hide for operational reasons.

Yet it wasn’t the spookier things like equipment interference and interception of communications that seemed to bother people most in the Draft Bill. Retention of Internet Connection Records (ICRs) was something everyone could relate to; someone could be watching your browsing habits.

But it became clear that what was to be collected was only the domain names (e.g. www.example.com), not the full URL (www.example.com/interesting_stuff), nor any search terms in an internet search. In many cases this would considerably reduce the sensitivity of the data collected, though not in others, such as in the case of websites dedicated to particular health issues.

As a result, it seemed to be more than enough to cause alarm but too little, as far as I could see, to be of any real investigative value.

However, the Operational Cases now published are very enlightening. In particular, the one for Retention of Internet Connection Records makes a good case for why the proposed collection of metadata would be valuable.

When I use my home broadband I have a unique IP address, shared only with any other members of my household. It may be different tomorrow, but for now it is unique.

The situation is quite different when using mobile data – my mobile data provider may be funnelling the traffic from thousands of users through a single IP address, giving each an individual “port number”. In tracing the contacts of a known suspect, only if the port number or the service accessed by each user is recorded can an individual subscriber be identified.

It’s clear from all the examples given in the Operational Case that the ICRs themselves are never the focus of interest or the starting point of an investigation but are only needed in order to trace back to the originator of a connection already identified by other means.

There is one thing, though, that the Operational Cases fail to demonstrate, and that’s why ICRs need to be retained for as long as a year. In the fast moving worlds of terrorism and internet crime it’s hard to imagine that such data would be of much use beyond 6 months. Reducing the retention period accordingly would defuse some of the opposition, as well as reducing the quantity of data at risk in the case of a breach.

The Operational Case for Bulk Powers describes the spookier activities, and although it necessarily goes into much less detail so as not to reveal methods and capabilities, it gives an unprecedented insight into the sort of things the security and intelligence agencies do.

In reviewing the Draft Bill, one of my main concerns was that it contained no clear definition of a Communications Service Provider, now simply referred to as a telecommunications provider. Was it simply those carriers licensed as Telecommunications Providers under the Telecommunications Act 1984? Or was it intended to include providers of higher level facilities such as email, messaging, chat, and even discussion forums? I had hoped the former, as the latter complicates things considerably, but it seems I hoped in vain.

It is at this higher level that encryption is generally applied. An Encryption Factsheet states plainly that the Government regards encryption as essential in protecting personal data, intellectual property and e-commerce.

Yet neither the Bill itself nor the Codes of Practice nor anything else I’ve found states unequivocally that a CSP will not be required to defeat or deactivate end-to-end encryption, where this is applied.

In fact there seems to be a strange reluctance even to use the word “encryption”. Perhaps the intent is to make the Bill technology-agnostic.

But if this is so, the use of the alternative term “electronic protection” fails to achieve the desired end. Encryption is maths, which I wouldn’t mind betting will still be around when electronics is history and instead we’re all using quantum computers or petri dishes full of cultured neurons.

The picture is nicely confused by a Home Office witness to the Science and Technology Committee who stated:

“What has to be removed is the electronic protection that the service-provider itself has put on the message. It is not removing encryption; it is removing electronic protection.”

I’m still trying to get my head around that!

In fact, the Bill does make it quite clear that a CSP can only be required to remove encryption that it has itself applied, or has been applied on its behalf. But if the software on my device encrypts my data, is it working on my behalf or on behalf of the software vendor and service provider? Both interpretations are defensible.

Encouragingly, the same Home Office witness did state that the requirement to provide data in the clear was not intended to apply where the data is encrypted end-to-end.

However, as recognised by all three Committee reports, it’s absolutely vital that this is made explicit in the Bill itself or in the Codes of Practice, as otherwise it could all too easily be interpreted differently by a future government or judicial commissioner. Any doubt could seriously weaken the UK’s position as a leader in IT.

The importance of clarity in this area can hardly be overstated. The Bill requires that before issuing a Technical Capability Notice for the provision of an intercept capability, the Secretary of State must take into account the benefits, technical feasibility, costs and other effects of the Notice.

But it is disagreement on precisely these points that separates Apple and the FBI in their current dispute! The last thing we should be doing is setting ourselves up for a similar dispute on this side of the pond.

I’ve concentrated in this article on a very few points in the Bill, and others will doubtless find many more to ponder. Cardinal Richelieu is quoted as saying:

“Give me six lines in the hand of the most honest of men, and I’ll find enough to hang him”

On that basis the Bill and associated documents probably contain enough to hang 10,000.

The Bill is subject to worryingly short timescales dictated by a sunset clause in the Data Retention and Investigatory Powers Act 2014 (DRIPA), limiting debate in Parliament. Rushed laws tend to be bad laws and some sort of post-legislative review, perhaps after five years, was suggested by several witnesses to the Committees.

Regrettably, it seems the Home Secretary was against this, arguing that a period of stability was required. Stability is no doubt what King Canute would have liked, but unfortunately the tide was against him.

Intelligence gathering in a free society is hard. It’s meant to be hard, and getting it right is even harder and takes time. The only place it’s easy is in a police state, but there it only tells you what you’d already decided you wanted to hear.


Philip Le Riche is a retired Information Assurance Consultant with over 20 years’ experience working with secure systems and in information security consultancy for various central and local government, defence and police clients. He is a member of the Chartered Institute for Information Security, was a member of the CESG Listed Advisor Scheme for nine years, and is a life member of the BCS, which he joined as a student half a century ago.

7 comments on “The Investigatory Powers Bill – it’s time to take a closer look”

  1. Bob

    It is spelled 'Richelieu' and not 'Richlieu'.

    The Internet Connection Records have been subtly amended to include substantial amounts of information and not what was originally proposed.

    The judicial 'lock' effectively only allows judges to check that the law has been complied with (a sort of mini judicial review) and it doesn't allow them to assess the reasonableness of the request per se. It's paying lip service to people who are concerned that these powers will be abused.

    America have now allowed the FBI to use information that the NSA slurped up (originally for 'national security') to investigate ordinary, domestic crimes. It's very likely this will happen over here and it'll be abused by local councils and other agencies much like occurred with RIPA.

    Australia have a similar system which has been found to be unworkable because the police are being inundated with useless/entirely innocuous information. The haystack is now so big that they're complaining about the level of information provided and that it's hindering their crime prevention capabilities. Australia also allow normal public bodies to use information (allegedly collected for national security) for other purposes. Some bodies also refuse to even admit they're recipients of that information for fear of harming their public image.

    Once we start to collect information our authorities will start to abuse their power. One example is the current practice of the police who are now targeting football fans by abusing counter-terrorism laws.

    Who will retain all of this information? It's massively expensive for ISP's and it risks creating repositories of extremely valuable information for hackers/blackmailers/private investigators. Look at TalkTalk for an example of how not to secure information.

    Think of the recent iMessage flaw – if implementing strong cryptography is hard then think how much harder it'll be if we've got backdoors there. The Bill doesn't mention undermining encryption but it's so loosely worded that it can have the effect of breaking it when a company is forced in secret to compromise their customers.

    Currently VPN's aren't covered but once the Bill is passed into law the Act will be amended to cover VPN's and other emerging technologies. It's mission creep: start off targeting less and gradually expand your capabilities. The same applies to breaking encryption.

    By undermining security systems we're making it harder to maintain national security and several parliamentary committees all say this plan is unworkable. A very respected QC (who was given access to the most classified of information in order to write his report) severely criticised the proposals.

    There are so many reasons that this Bill is a bad idea that I don't have the time to write about them but it's a very dangerous path for us to go down.

    1. Miranda Mowbray · in reply to Bob

      Philip commented "I'm still trying to get my head around that" on the following quote from one of the Home Office witnesses to the pre-legislative scrutiny committees:
      "What has to be removed is the electronic protection that the service-provider itself has put on the message. It is not removing encryption; it is removing electronic protection."

      In the Apple vs FBI case, the FBI didn't ask Apple to decrypt the data, but to remove the phone's anti-password-guessing protection so that the FBI could use brute-force password-guessing to find the password. Anti-password-guessing protection might be the type of "electronic protection" that the Home Office had in mind.

      As the Bill stands, a Technical Capability Notice relating to the removal of electronic protection would be issued just by the Secretary of State. Unlike some other powers in this bill, this power does not require a "double-lock" warrant co-signed by a judicial commissioner.

  2. M Dearlove

    https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/504189/Comparison_of_ICRs_with_Danish_Session_Logging.pdf

    "ICRs will be generated by CSP from communications data available in their networks. There is no single set of data that constitutes an ICR, it will depend on the service provider and service concerned. However the core information will include source and destination internet protocol (IP) addresses and ports, time/date and an account identifier. They may include additional information such as the service identifier, URL domain name, and volume of data transferred."

    I wonder if combining the domain with the size (volume) of each page on a site would provide enough information to determine the page visited?

  3. coyote

    Warning: I'm dead tired and the only reason I looked is I came across something else with a similar name of 'Powers Bill' earlier today. I haven't read this article in full (actually I didn't even skim it) but I do have a couple remarks (which hopefully make a bit, nibble, byte, word, paragraph or even a page of sense).

    'There is one thing, though, that the Operational Cases fail to demonstrate, and that's why ICRs need to be retained for as long as a year.'

    The Bill itself has the (a) keyword: Powers. That's why. I'm sure there are other reasons but power is one of the reasons.

    'But if the software on my device encrypts my data, is it working on my behalf or on behalf of the software vendor and service provider? Both interpretations are defensible.'

    I'm certain that's by design. Lawyers (and I'd say judges and anyone whose job is to read/write laws) love having ambiguity and anything that allows abuse (which includes loopholes) although they wouldn't admit it as such (if they even recognise it). That's not to say they sometimes won't be very specific but even then judges (more generally people) will interpret things differently and when you are interpreting laws that can be a good or a bad thing depending on your situation (and it might at some point be good for you and then later on bad or vice versa). And in the example you cite what can be done? The only way around it (that comes to mind atm) is actually answering all questions like yours. But what are the odds all questions will be thought of? And even if they did what's to say there won't be additional concerns later (and will they address them)?

  4. Mark Jacobs

    Once we have quantum computers, you won't be able to encrypt a damned thing, without it being easily crackable. Society as we know it would break down completely, since financial transactions would no longer be secure and we couldn't go back to pen and paper because of the sheer volume of things. Oh well!

    1. Philip Le Riche · in reply to Mark Jacobs

      Oh well. Some theories suggest that if dark energy increases as the universe expands then the Big Rip could shred the entire universe in as little as a couple of billion years. Anyway, quantum computers have taken years even to factorise 15 (or have they now done 21?). They haven't followed Moore's Law up till now so why should they in the future? Battery technology hasn't and if rocketry had we'd probably be on our way to Alpha Centauri in search of Earth 2.0 by now. Oh well. Just make sure you've got a spare nib for your fountain pen and leave your letters in a dead drop under a rock, and you'll be fine.

  5. Philip Le Riche

    Thank you those who have taken the trouble to comment. It seems to me that there are those who are inclined to believe the government is basically benign though inevitably making mistakes (don't we all) and those who believe it's fundamentally flawed, corrupt even, though perhaps trying to show a human face. And every shade of grey between. Those tending towards that latter position should not imagine that the defeat of this Bill would result in less surveillance, but rather in less accountability for the surveillance that would inevitably continue. To pick up on just a few points:

    Bob: Thank you for your spelling correction – slightly embarrassing for someone with a French name!

    There is a recognition that data collected under RIPA has been misused and the range of bodies who will have access to ICRs has been reduced, even from the Draft Bill. Is there a fool-proof way of ensuring abuse can't happen? Let me know if you think of one!

    As for secure storage of ICRs, CESG has published a series of Architectural Patterns for different applications and it's to be hoped that they will publish one for this, aimed at ISPs and other CSPs, and that it will be mandated in any Technical Capability Notice. (If anyone at Cheltenham is reading this, please note!)

    Perhaps you could give us the benefit of a reference to the severe criticism of the very respected QC?

    Miranda: Yes, a TCN is issued by the Secretary of State, but he/she must consult with the operator first, and a CSP can push back, in which case the Secretary of State must consult with the Technical Advisory Board and the Investigatory Powers Commissioner.

    M Dearlove: Yes, all sorts of things can be deduced from big data but a TCN requiring an operator to collect data doesn't authorise anyone to examine it – that requires a warrant to examine specific records only.

    Coyote: Lawyers may love ambiguity – teasing it out is how they make a living. But I'm not so sure legislators do – the last thing they want is the judiciary messing with the law they thought they'd set out. When I say both interpretations are defensible, other documents make it clear which is intended, so why not say so in the Bill?
