Coffee Space


Listen:

Investigatory Powers Bill (HC Bill 143)

Introduction

This Bill has been widely condemned by Security experts, with the British Government said to be rushing the Bill into affect by 31 December this year. That same article drove this small blog piece to being written. With so much content to search through, I thought I would do my part in reading and trying to understand the implications of the content therein.

The full text can be found here.

It may be obvious, that the content here will be extremely biased. I personally don't believe that this loss in freedom is worth the small amount of anti-terrorism gained. I believe the "war on terrorism" will be equivalent to that of the "war on drugs", in the sense that piling in efforts against it also seems to be part of it's driving force. Blowing up a lot of people is a lot more terrifying if people have been ensured they are safe.

The below review is just for the "National security notices", which I quickly started referring to as "notices" as you'll probably want to hand yours in as soon as you get one.

216. National security notices

0001 (1) The Secretary of State may give any telecommunications operator in the United
0002     Kingdom a notice (a “national security notice”) requiring the operator to take
0003     such specified steps as the Secretary of State considers necessary in the
0004     interests of national security.
0005 
0006 (2) The Secretary of State may give a national security notice only if the Secretary
0007     of State considers that the conduct required by the notice is proportionate to
0008     what is sought to be achieved by that conduct.

This sounds a bit like a license to kill. "You will receive an envelope. In that envelope will contain a message. You are to carry out the instructions in that message. After reading this message, please destroy all reference.". This is some very scary power, especially given that the Secretary of State may not have to consult any other person. The Secretary of State for Home Office is of course the person making the rules. She's effectively giving herself the capability to do as she sees fit without further process.

We should be careful about giving such power to one person. It's true that as the number of hoops required to jump in order to complete a process make such a process slower, it's also important to slow decisions down in order for their effect to be fully realised.

0009 (3) A national security notice may, in particular, require the operator to whom it
0010     is given—
0011 
0012     (a) to carry out any conduct, including the provision of services or
0013         facilities, for the purpose of—
0014 
0015         (i)  facilitating anything done by an intelligence service under any
0016              enactment other than this Act, or
0017 
0018         (ii) dealing with an emergency (within the meaning of Part 1 of the
0019              Civil Contingencies Act 2004);
0020 
0021     (b) to provide services or facilities for the purpose of assisting an
0022         intelligence service to carry out its functions more securely or more
0023         effectively.

A "notice" to "carry out any conduct"? That's an extremely broad statement to make. Basically anything the intelligence agency asks you to do must be done without refute. It's one thing for a security agency to collect freely available data, it's another to force people to make that data available to you. If data and/or information is purposefully hidden, it's usually not without reason and harmful in several senses to go back on that security for any reason.

0024 (4) But a national security notice may not require the taking of any steps[,] the main
0025     purpose of which is to do something for which a warrant or authorisation is
0026     required under this Act.

Other than being very badly worded, it seems to me as if this may be giving way to the ability to override the need for a warrant or authorisation if the request if in the form on one of these notices. If that's correct, it's just a free pass to bypass this document given the Home Secretary's signature.

0027 (5) A national security notice must specify such period as appears to the Secretary
0028     of State to be reasonable as the period within which the steps specified in the
0029     notice are to be taken.

Oh, at least they may do what they want only for a specified period of time - something they specify themselves to some arbitrary measurement.

0030 (6) Sections 218 to 220 contain further provision about national security notices.

Don't mind if I do...

218. Further provision about notices under section 216 or 217

0031 (2) Before giving a relevant notice to a person, the Secretary of State must consult
0032     that person.

As if that really matters. It says nothing to the affect of the outcome of the consultation. What if that person does not agree or gives conflicting advice to that of GHCQ? It's just courtesy, like telling somebody they're going to receive a fine in the post. It's nice to know, but makes zero difference to that fine arriving a while later.

0033 (3) Before giving a relevant notice, the Secretary of State must, among other
0034     matters, take into account—
0035 
0036     (a) the likely benefits of the notice,
0037 
0038     (b) the likely number of users (if known) of any postal or
0039         telecommunications service to which the notice relates,
0040 
0041     (c) the technical feasibility of complying with the notice,
0042 
0043     (d) the likely cost of complying with the notice, and
0044 
0045     (e) any other effect of the notice on the person (or description of person) to
0046         whom it relates.

That doesn't seem like a strenuous activity, if not a just a tad worrying that such an important process is effectively left to one person.

0047 (4) Where the relevant notice would impose any obligations relating to the
0048     removal by a person of electronic protection applied by or on behalf of that
0049     person to any communications or data, in complying with subsection (3) the
0050     Secretary of State must in particular take into account the technical feasibility,
0051     and likely cost, of complying with those obligations.

Of course, this seems to be aimed at encryption without directly stating it. "electronic protection", of course this means encryption in this case. It's smartly worded to also include any future communications too. This for example, means that given a notice in the UK, the Apple vs FBI case would have gone through without argument.

0052 (8) A person to whom a relevant notice is given, or any person employed or
0053     engaged for the purposes of that person’s business, must not disclose the
0054     existence or contents of the notice to any other person without the permission
0055     of the Secretary of State.

Not only are these notices extremely shady, you're also not allowed to disclose the contents of such to anybody without permission - of course will instantly be denied on grounds of security.

0056 (9) A person to whom a relevant notice is given must comply with the notice.

This was expected. The "consultation" is a bit of a joke, you have to comply regardless of the outcome.

0057 (10) The duty imposed by subsection (9) is enforceable—
0058 
0059      (a) in relation to a person in the United Kingdom, and
0060 
0061      (b) so far as relating to a technical capability notice within subsection (11),
0062          in relation to a person outside the United Kingdom,
0063 
0064      by civil proceedings by the Secretary of State for an injunction, or for specific
0065      performance of a statutory duty under section 45 of the Court of Session Act
0066      1988, or for any other appropriate relief.

Doesn't seem too bad, until you read the Court of Session Act 1988, section 45 which specifically states:

0067 The Court may, on application by summary petition— 
0068 
0069     (a) order the restoration of possession of any real or personal
0070         property of the possession of which the petitioner may have been
0071         violently or fraudulently deprived; and
0072 
0073     (b) order the specific performance of any statutory duty, under such
0074         conditions and penalties (including fine and imprisonment, where
0075         consistent with the enactment concerned) in the event of the order
0076         not being implemented, as to the Court seem proper.

Feel free to disagree, but obviously go straight to jail and don't collect £200. This completely unregulated notice handed out as one person seems fit has the power to put people in prison or at best, fine them as the court seem fit. What on earth could possibly go wrong?

220. Review by the Secretary of State

So there is a review process, but ultimately it comes down to this paragraph which sums it up well:

0077 (9) The Secretary of State may, after considering the conclusions of the Board and
0078     the Commissioner—
0079 
0080     (a) vary or revoke the notice under section 219, or
0081 
0082     (b) give a notice under this section to the person confirming its effect.

There are a nice few paragraphs explaining the rights of the person, but ultimately it just comes back down to the decision of the Secretary of State, who will of course side with government authorities.

Wrapping Up

This document needs to be examined past the proposed date in order to realise it's full affect. 6 months or so is simply not enough to future proof a document. Not enough is done to govern bad practices currently in operation which are considered unlawful and there is no clear way of regulating the power outlined in this document. It's extremely worrying, no wounder why security experts all over the UK have themselves worked up about this.

In short, the notices grant the following power:

And I thought it would be scary?