This Bill has been widely condemned by security experts, with the British Government said to be rushing the Bill into effect by 31 December this year. That same article drove this small blog piece to being written. With so much content to search through, I thought I would do my part in reading and trying to understand the implications of the content therein.
The full text can be found here.
It may be obvious that the content here will be extremely biased. I personally don’t believe that this loss in freedom is worth the small amount of anti-terrorism gained. I believe the “war on terrorism” will be equivalent to that of the “war on drugs”, in the sense that piling in efforts against it also seems to be part of its driving force. Blowing up a lot of people is a lot more terrifying if people have been assured they are safe.
The below review is just for the “National security notices”, which I quickly started referring to as “notices” as you’ll probably want to hand yours in as soon as you get one.
(1) The Secretary of State may give any telecommunications operator in the United Kingdom a notice (a “national security notice”) requiring the operator to take such specified steps as the Secretary of State considers necessary in the interests of national security.

(2) The Secretary of State may give a national security notice only if the Secretary of State considers that the conduct required by the notice is proportionate to what is sought to be achieved by that conduct.
This sounds a bit like a license to kill. “You will receive an envelope. That envelope will contain a message. You are to carry out the instructions in that message. After reading this message, please destroy all reference.” This is some very scary power, especially given that the Secretary of State may not have to consult any other person. The Secretary of State for the Home Office is of course the person making the rules. She’s effectively giving herself the capability to do as she sees fit without further process.
We should be careful about giving such power to one person. It’s true that the number of hoops required to jump through in order to complete a process makes such a process slower, but it’s also important to slow decisions down in order for their effect to be fully realised.
(3) A national security notice may, in particular, require the operator to whom it is given—

    (a) to carry out any conduct, including the provision of services or facilities, for the purpose of—

        (i) facilitating anything done by an intelligence service under any enactment other than this Act, or

        (ii) dealing with an emergency (within the meaning of Part 1 of the Civil Contingencies Act 2004);

    (b) to provide services or facilities for the purpose of assisting an intelligence service to carry out its functions more securely or more effectively.
A “notice” to “carry out any conduct”? That’s an extremely broad statement to make. Basically anything the intelligence agency asks you to do must be done without refute. It’s one thing for a security agency to collect freely available data; it’s another to force people to make that data available to you. If data and/or information is purposefully hidden, it’s usually not without reason, and it is harmful in several senses to go back on that security for any reason.
(4) But a national security notice may not require the taking of any steps[,] the main purpose of which is to do something for which a warrant or authorisation is required under this Act.
Other than being very badly worded, it seems to me as if this may be giving way to the ability to override the need for a warrant or authorisation if the request is in the form of one of these notices. If that’s correct, it’s just a free pass to bypass this document given the Home Secretary’s signature.
(5) A national security notice must specify such period as appears to the Secretary of State to be reasonable as the period within which the steps specified in the notice are to be taken.
Oh, at least they may do what they want only for a specified period of time - something they specify themselves to some arbitrary measurement.
(6) Sections 218 to 220 contain further provision about national security notices.
Don’t mind if I do…
(2) Before giving a relevant notice to a person, the Secretary of State must consult that person.
As if that really matters. It says nothing to the effect of the outcome of the consultation. What if that person does not agree or gives conflicting advice to that of GCHQ? It’s just courtesy, like telling somebody they’re going to receive a fine in the post. It’s nice to know, but makes zero difference to that fine arriving a while later.
(3) Before giving a relevant notice, the Secretary of State must, among other matters, take into account—

    (a) the likely benefits of the notice,

    (b) the likely number of users (if known) of any postal or telecommunications service to which the notice relates,

    (c) the technical feasibility of complying with the notice,

    (d) the likely cost of complying with the notice, and

    (e) any other effect of the notice on the person (or description of person) to whom it relates.
That doesn’t seem like a strenuous activity, if not just a tad worrying that such an important process is effectively left to one person.
(4) Where the relevant notice would impose any obligations relating to the removal by a person of electronic protection applied by or on behalf of that person to any communications or data, in complying with subsection (3) the Secretary of State must in particular take into account the technical feasibility, and likely cost, of complying with those obligations.
Of course, this seems to be aimed at encryption without directly stating it. “Electronic protection”: of course this means encryption in this case. It’s smartly worded to also include any future communications too. This, for example, means that given a notice in the UK, the Apple vs FBI case would have gone through without argument.
(8) A person to whom a relevant notice is given, or any person employed or engaged for the purposes of that person’s business, must not disclose the existence or contents of the notice to any other person without the permission of the Secretary of State.
Not only are these notices extremely shady, you’re also not allowed to disclose the contents of such to anybody without permission - which of course will instantly be denied on grounds of security.
(9) A person to whom a relevant notice is given must comply with the notice.
This was expected. The “consultation” is a bit of a joke, you have to comply regardless of the outcome.
(10) The duty imposed by subsection (9) is enforceable—

    (a) in relation to a person in the United Kingdom, and

    (b) so far as relating to a technical capability notice within subsection (11), in relation to a person outside the United Kingdom,

by civil proceedings by the Secretary of State for an injunction, or for specific performance of a statutory duty under section 45 of the Court of Session Act 1988, or for any other appropriate relief.
Doesn’t seem too bad, until you read the Court of Session Act 1988, section 45 which specifically states:
The Court may, on application by summary petition—

    (a) order the restoration of possession of any real or personal property of the possession of which the petitioner may have been violently or fraudulently deprived; and

    (b) order the specific performance of any statutory duty, under such conditions and penalties (including fine and imprisonment, where consistent with the enactment concerned) in the event of the order not being implemented, as to the Court seem proper.
Feel free to disagree, but obviously go straight to jail and don’t collect £200. This completely unregulated notice, handed out as one person sees fit, has the power to put people in prison or, at best, fine them as the court sees fit. What on earth could possibly go wrong?
So there is a review process, but ultimately it comes down to this paragraph which sums it up well:
(9) The Secretary of State may, after considering the conclusions of the Board and the Commissioner—

    (a) vary or revoke the notice under section 219, or

    (b) give a notice under this section to the person confirming its effect.
There are a nice few paragraphs explaining the rights of the person, but ultimately it just comes back down to the decision of the Secretary of State, who will of course side with government authorities.
This document needs to be examined past the proposed date in order to realise its full effect. 6 months or so is simply not enough to future-proof a document. Not enough is done to govern bad practices currently in operation which are considered unlawful, and there is no clear way of regulating the power outlined in this document. It’s extremely worrying; no wonder security experts all over the UK have themselves worked up about this.
In short, the notices grant the following power:
And I thought it would be scary?