Legislation , Privacy

UK's Snowden Response: Surveillance Debate

Revised 'Snooper's Charter' Could Have Global Impact
UK's Snowden Response: Surveillance Debate

The U.K. government's response to whistleblower Edward Snowden's warnings that the United States and Britain had created a massive surveillance state has been to attempt to codify and expand those surveillance powers while also debating oversight and related matters in public for the first time.

See Also: Faster Payments, Faster Fraud?

On Nov. 4, Britain's ruling Tory party released its proposed revision of the Investigatory Powers Bill, which was first introduced in 2012, at which point it was branded a "Snooper's Charter" and blocked by leaders of the Liberal Democrats.

Home Secretary Theresa May told Parliament Nov. 4 that the revised bill is meant to reflect law enforcement and intelligence operations becoming "vastly more demanding in this digital age," which requires giving agencies expanded powers to do their jobs properly. The new bill's introduction was expected, following the Tory party securing a majority in Parliament in May. It will now be subject to legislative review and public debate, with the government hoping to pass it into law by the end of 2016.

The revised Investigatory Powers Bill seeks to put what intelligence agencies are already doing on a firmer legal footing and require Internet service providers to retain data on all the websites their customers visit for a longer period, while adding some oversight of such activities - for the first time - from a panel of judges.

The revised bill has been welcomed by many law enforcement experts but criticized by some privacy experts and civil rights groups. Furthermore, it's not clear if the provisions of the bill might survive legal challenges, especially over questions of mass surveillance rather than targeted surveillance. "These are extremely intrusive and wide-ranging powers that very likely violate the U.K.'s obligations under human rights and EU law," says human rights lawyer Sarah St. Vincent of the Center for Democracy and Technology, a civil liberties group.

The draft bill follows warnings released earlier this year that the U.K.'s surveillance laws lack transparency and accountability and are so vaguely written as to allow intelligence agencies to collect almost any type of data - and in any quantity.

Authorized: Nation-State Hacking

Here are some of the provisions of the 299-page draft bill:

  • U.K. spies are explicitly authorized to hack into any computer or phone anywhere in the world for national security purposes;
  • Internet service providers must retain all customer data - including lists of all URLs visited - for 12 months, rather than the current 6 months;
  • A panel of senior judges could now veto any "interception, equipment interference and bulk warrants" signed by the Home Secretary;
  • Those judges would provide an annual report on all activities;
  • British companies would be required to comply with all U.K. government requests to hack a device, if it is feasible.

In a notable policy shift, the revised bill would not compel businesses that use cryptography to share a "front door" key with the government to enable intelligence agencies to decrypt data, as Prime Minster David Cameron had been demanding. Then again, numerous leading cryptographers - including Matthew Green at Johns Hopkins University - have dismissed any attempt to impose crypto front doors or backdoors as mathematically impossible. And many experts continue to question how many U.K. government officials or legislators have the technical fluency required to understand or meaningfully debate either cryptography or these proposed surveillance law revisions.

'To MI5 With Love'

The move to give U.K. intelligence agencies more powers - "To MI5 With Love," the Economist has quipped, referring to Britain's domestic intelligence agency - comes as the government has also released new insights into its current bulk data collection practices.

Indeed, for the past decade, Britain's GCHQ - the British analogue of the U.S. National Security Agency - has been collecting vast quantities of telephone data "to identify subjects of interest within the U.K. and overseas," according to U.K. government documents released Nov. 4. Such efforts have been aided by laws that were "so vague that anything could be done under it," David Anderson, the British independent reviewer of terrorism legislation, tells the BBC. "It wasn't illegal in the sense that it was outside the law; it was just that the law was so broad and the information was so slight that nobody knew it was happening."

Spies Launch Charm Offensive

The U.K. intelligence establishment has been out in force in the lead-up to the introduction of the updated Investigatory Powers Bill. Andrew Parker, the director general of MI5, warned in an Oct. 28 speech in London about "the scale and complexity of the three-dimensional terrorist threat we face in the U.K., overseas and online," and called for a public debate about expanding his domestic intelligence agency's powers, albeit within certain parameters. "I hope that the public debate will be a mature one, informed by the three independent reviews, and not characterized by ill-informed accusations of 'mass surveillance,' or other such lazy two-worded tags."

But Eric King, deputy director of the U.K. civil rights group Privacy International, suggests via Twitter that it's difficult to suddenly trust the government "with retained Internet connection records, when retained phone records were harvested and analyzed in bulk in secret."

Likewise, Snowden has taken to Twitter to note that the new surveillance bill "does not require individualized judicial authorization in advance of interception," adding that "such a dragnet is mass surveillance."

Ben Emmerson, the U.N. special rapporteur on counterterrorism and human rights, has also criticized the new bill. "Judicial review after the event is better than no judicial review at all, but it falls short of the requirement to place the power to issue a warrant into the hands of an independent judge, which is where it belongs," he says.

Global Impact

Some privacy experts are warning that the U.K.'s surveillance decisions could have a global impact because of data sharing with other countries, including the United States. Still, some have also cautiously endorsed the U.K.'s move to add more oversight to its otherwise secret surveillance practices.

"While it's a positive step to include some additional oversight of surveillance orders at least where content is concerned, we remain concerned about how thorough that oversight will be, and whether it is actually capable of preventing serious abuses," CDT's St. Vincent says. She also notes that bulk metadata collection - of the type revealed by Snowden's Prism leaks - will apparently continue without any judicial oversight.

Such matters will no doubt continue to be debated throughout the coming year. Taking a big-picture view of the proceedings, however, Green - the Johns Hopkins cryptographer - has lauded Britain's move to at least publicly debate its surveillance practices and related oversight mechanisms.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network