On March 15, the UK’s Investigatory Powers Bill had its second reading in the House of Commons (see my earlier posts on the bill here and here). It passed with 281 votes in favor and 15 against, despite the facts that: (a) on the preceding day, The Guardian published a letter from around 200 lawyers and legal academics denouncing the bill for failing “to meet international standards for surveillance powers,” and (b) the preceding week, UN Special Rapporteur on Privacy Joseph Cannataci expressed “serious concern about the value of some of the revisions most recently introduced” in the bill in his report. The bill will now proceed to be considered by the Public Bill Committee.

Highlights from the second reading include the following:

The Shadow Home Secretary’s six specific concerns

During the reading, Shadow Home Secretary Andy Burnham expressed six specific concerns with the current version of the bill.

1. Privacy: Burnham argued that people have a right to maximize their personal privacy and commended the Intelligence and Security Committee’s recommendation that privacy considerations take on a more central role in the updated draft of the bill. Despite the Home Secretary’s assurances that privacy protections are hardwired into the bill, Burnham said: “I see the changes on this point as more cosmetic; they have not directly answered the Committee’s concerns.” He pushed for the government to include stronger privacy requirements that cover all of the powers granted in the bill.

2. The thresholds for using the powers in the bill: Burnham also expressed concern that the thresholds for use of the wide-ranging powers in the bill were either too low or too vague. As a specific example, he pointed out that the bill lacks a clear statement of when the government can use Internet connection records (ICRs) — records of the website domains users’ have visited. Putting the concern in stark terms, he said, “The question for the House is this: is it acceptable for this level of personal information to be accessed in connection with any crime — antisocial behaviour or motoring offences, for instance?” He went on to say that ICRs may soon become “common currency in law enforcement” and that the more information that is collected on individuals without appropriate safeguards, the higher the potential that those records will be misused.

3. The content and potential uses of ICRs: According to the Home Secretary, the bill does not allow collection of individuals’ web histories; only the domain level visits can be collected, not information about which specific pages were visited. However, the Shadow Secretary argued the the definition of ICRs in the bill is still quite vague and broad, and that nothing in the definition “would prevent them from becoming much more detailed and intrusive over time, as technology evolves.” As a result, he requested that a provision be added to make it clear that ICRs cannot include specific URLs (they can only pertain to the domain level). Separately, Burnham raised a concern about the number and range of public agencies that will be able to access ICRs.

4. Bulk powers: Burnham argued that the government has failed to present a convincing case for the need for the bulk collection powers contained in the bill. Despite arguments that bulk powers may be the only way to extract information that can help identify criminals and terrorists, he contended that the “routine gathering of large quantities of information from ordinary people presents significant privacy concerns, and points to a need for the warrants to be as targeted as possible.”

5. Judicial oversight: Burnham recognized that the government has “given significant ground” on judicial oversight, but argued that such oversight should be further strengthened. He asked that the judicial review clause be deleted from the bill to “make it absolutely clear this is not just a double lock but an equal lock, in which the judicial commissioner has the same ability look at the entire merits of the case.”

6. Potential misuse of the powers: Finally, Burnham raised concerns about the misuse of the powers contained in the bill. Specifically, he argued that the bill needs to be clearer that there is an overarching criminal offense for the deliberate misuse of any of the powers — whether that activity is related to the obtaining of data in the first place or the subsequent use of the information.

The Intelligence and Security Committee’s concerns

Dominic Grieve, chair of the Intelligence and Security Committee, commended the government’s response to nine of the committee’s 22 recommendations. He took time to discuss the government’s responses to three of the committee’s main concerns with the previous draft of the bill.

1. Authorization procedures: During its review of the previous draft of the bill, the committee was worried that the safeguards on authorization procedures for gathering communications of people in the UK were insufficient. The earlier language allowed law enforcement to access communications data either via a specific request issued to a provider, which needed to be approved by a senior officer, or via GCHQ bulk interception capabilities. Whilst there were safeguards in place for the latter type of authorization, there were fewer in relation to the former. In response, the government pointed out that adding the requested safeguards “could make the burden too onerous for senior officers.” However, Grieve said the committee was hopeful that the matter could be revisited and addressed before passage of the bill.

2. Agencies’ use of equipment interference: The committee was previously concerned about how the use of equipment interference (i.e., hacking techniques) would be authorized. While the committee believes there is a need for such powers, Grieve said the committee wants to see proposed “safeguards and controls in detail” and “hope[s] to do so in the near future.”

3. Authorization for obtaining bulk personal datasets: In Grieve’s words, “It is undoubtedly necessary and proportionate that agencies should have the power to obtain [bulk datasets], because they can be vital to their work in helping to identify subjects of interest, but they largely contain private information on large numbers of people of no relevant or legitimate interest to the agencies at all.”

Technical concerns

Finally, during the second reading, Stella Creasy, a member of the Science and Technology Committee (which she called “Parliament’s geek squad”), raised a set of technical concerns with the bill as it currently stands.

She started by saying she was unsure whether the technical aspects of the bill will actually work, and wondered whether the legislation is “designed for digital natives who are comfortable with the modern world” or whether it was designed by “people who run away from the reality of the modern technical advances with which we are trying to deal.”

Creasy said that there seems to be a fundamental challenge at the heart of the bill: It relies on the idea that it is possible to separate metadata from content data, something many Internet companies have said is increasingly difficult. For phone records, it is relatively easy to distinguish between the two types of data, but she pointed out that “the legislation has to cope with the world to come, not the world that has gone.” Metadata on the Internet often communicates a great deal about our habits and lives — the metadata of a meeting invite conveys significant details about that meeting and the domains we visit on the Internet often communicate content information. As a result, all three committees that examined the bill called for tighter definitions of what qualified as an ICR. However, Creasy said that to date, the government hasn’t shown an understanding that the metadata/content distinction is not viable, so she called for clearer definitions within the bill moving forward.

Creasy also discussed how the bill may affect encryption, saying it is not clear what the bill means when it “gives the Secretary of State the power to serve technical capability notices, and to require companies to remove their electronic protection.” She said the lack of clarity is a continuing and real concern within the legislation.

Finally, Creasy raised concerns related to data security. Despite previous efforts by Conservatives to “turn[] back the surveillance state,” she said she believes this bill represents an attempt to privatize many of the databases they had said they did not want to see developed. In doing so, however, Creasy raised concerns about the security of the data that companies are now being asked to hold. She pointed out that holding onto everyone’s data may be a “honeypot to hackers.” But the fact that the government has not been clear about who will bear the costs of security creates a gap that “consumers will be deeply interested in.” Creasy called on the government to be “much clearer about how they will make sure they protect consumers from having their information hacked as a result of requiring companies to gather data.”