In the shadow of the tragic attacks in Paris recently, people will undoubtedly be asking themselves again what could possibly be done to improve the safety of innocent civilians and protect all of us from further violence of that, or any other, kind. Predictably, voices will be calling for more powers for security agencies and urging government to rush the newly proposed Investigative Powers Bill (IPB) through parliament so that GCHQ can drag their search net through the internet and stop any future attacks from happening.
Even though we at CaSMa are not legal experts and are focused more on questions of ethics related to research practices, the potential implications of the IPB for everything that uses the internet are too great to allow it to be rushed through parliament without being properly examined and challenged in accordance with the proper democratic process. Even though MPs, legal experts, civil rights groups and academics (with the proper legal expertise) are still busy digesting the 299 pages of the bill, it has already become apparent that the wording of the bill is frequently too vague, with the risk of being interpreted too broadly.
For example, Dr George Danezis (Reader in Security and Privacy Engineering at UCL) writes on his Conspicuous Chatter blog that the IPB draft imposes “all sorts of obligations on telecommunications operators, including obligations to collaborate with warrants to facilitate surveillance, hack, notices to retain data, handing it out in bulk, and even obligations to implement back doors, as well as gagging orders. Despite their centrality, it is surprisingly difficult to clearly understand who exactly is a “telecommunication operator”, and therefore on whom these obligations apply.”
Judging by Andy Burnham’s (MP) change of heart concerning the bill, even seasoned politicians like the shadow home secretary seem to have difficulty understanding the wording of the IPB. In his case the main point of confusion appears to have been the level of judicial safeguards in the bill regarding the use of investigative powers. In brief, the ‘judicial safeguards’ Andy was referring to are the proposed procedure whereby the interception of communications, such as the content of a telephone call, email or social media message, requires that a warrant is obtained from the secretary of state and signed off by a panel of independent judges. Home secretary Theresa May referred to these new powers of oversight as a “double lock”. Communications metadata, which includes very revealing information including website browsing history, however appears not to require a warrant at all. This arguably reinforces indiscriminate mass surveillance, as this type of data is in many cases more telling and valuable than the content of communications.
An interesting comment that was added in the Conversation article on this topic by Eliza Watt (PhD Research on Cybersecurity, Surveillance and Privacy at University of Westminster), is that “[t]his provision seems especially at odds with the recent European Court of Justice ruling in favour of Digital Rights Ireland, in which it unequivocally stated that this sort of bulk retention of metadata of all individuals by internet service providers was a particularly serious infringement of the right to privacy. The bill even gives explicit powers to police and security agencies to hack into and bug computers and phones, and to require companies to assist them in bypassing encrypted information where possible.”
Another section of the draft bill that has been discussed in the media and in a Conversation article by Dr Paul Bernal (Lecturer in Information Technology, Intellectual Property and Media Law, University of East Anglia) is a demand that service providers would need to store 12 months’ internet connection records: a record of every website visited and internet service connected to by every customer of the ISP. While the article in the Guardian focused on the massive cost that implementing such data storage would have, £175m according to the Internet Service Providers’ Association, Paul’s article focused on explaining what the privacy implications would be. In brief, “access to the websites we visit, for an entire year, is not at all comparable to having an itemised telephone bill. It’s more equivalent to tailing someone as they visit the shops, the pub, the cinema, listen to the radio, go to the park and on holiday, read books and magazines and newspapers, and much more. It’s not just the data that’s revealing, it’s the sort of direct, logical inferences that can be made given a web browsing history.” Another important point that is brought up by Paul is the security risk that would be created by such a mandatory storage of web access histories. “By storing so much personal and potentially revealing or damaging information on their users, ISPs would become the target for criminals harvesting data for identity theft, scamming, blackmail (Ashley Madison style) and more.”
For anyone who is interested in learning more about the IPB and its possible implications, I wholeheartedly advise checking the linked articles in this post and maybe getting in touch with an organization like Open Rights Group.
Finally, some words to think about for anyone who might feel that concerns about government surveillance aren’t relevant to them because they “have nothing to hide”.
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”
— Edward Snowden
“… the premise [is] that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.”
— Bruce Schneier
And for those who enjoy a good TED talk, here is Glenn Greenwald on “Why privacy matters”