The UK Joint Committee has revealed its long-awaited report into the feasibility of the surveillance proposals in the controversial draft Investigatory Powers Bill – also known as the Snoopers' Charter. The report is roughly 200-pages long and contains 86 recommendations in total to the government on issues such as bulk snooping, targeted surveillance and encryption.
First unveiled in November last year by Home Secretary Theresa May, the bill aims to bolster the spying powers available to the UK government, police and intelligence agencies. The text includes proposals that would force service providers to store data for 12 months, allow cyber spooks to legally hack into targeted computers and expand the use of bulk spying capabilities. In many cases, it seeks to legitimise many of the powers exposed by former NSA whistleblower Edward Snowden back in 2013.
While the latest release is the third report to scrutinise the governments' snooping plans, upon analysis is decidedly less critical than its predecessors. Here's what you need to know:
Communications metadata spying has been going on for years under the Regulation of Investigatory Powers Act (RIPA) yet the new bill aims to moderise the collection of medadata - which is the information around a message but not its content.
In its report, the committee said it acknowledged the difficulty of providing definitions broad enough to capture the sheer scope of 'communications data', however, it voiced clear concern about how the government, police and law enforcement will seek to snoop on data from major social media and technology firms.
"We are concerned about the potential detail that entity data might encompass in relation to telecommunications providers, such as Facebook and Google, who build detailed automated profiles of their users," it noted. "The government should say whether it wishes to acquire such data in principle and, if not, how it will ensure that the entity data it requests and receives is not of that level of detail."
Internet Connection Records (ICRs)
The collection of so-called internet connection records (ICRs) is one of the new powers the bill seeks to enact. The Joint Committee agreed with the bill that there is a clear use case for the collection of such records, however also raised some valid criticism. "We have concerns about the definitions and feasibility of the existing proposal, which the Home Office must address," it said. "It is also important for ICRs to be properly authorised and overseen, and these issues will be considered in subsequent chapters."
The committee also urged the government to publish concise 'codes of practice' to detail how service providers would seek to "minimise the risks" of ICR requests, especially in regards to how it works alongside existing data protection law.
"While we recognise that ICRs could prove a desirable tool for law enforcement agencies, the government must address the significant concerns outlined by our witnesses if their inclusion within the Bill is to command the necessary support. We do not believe that ICRs are the equivalent of an itemised telephone bill. However well intentioned, this comparison is not a helpful one," it warned.
Bulk collection, interception and retention of data continues to be one of the most powerful surveillance tools open to the government. Yet, with the draft Investigatory Powers Bill, it is the first time Parliament has had the chance to question the existence of such powers. In its latest report, the Joint Committee indicated it was not yet convinced about how they are used.
"We recommend that the government should publish a fuller justification for each of the bulk powers," it noted, before adding that more independent scrutiny of the powers is needed.
However, the committee admitted that because of "national security consideration" it is not yet able to fully assess the value of bulk powers. "We believe that it is difficult to make a thorough assessment of the effectiveness of further safeguards without a greater understanding of the way in which bulk powers are operated in practice. We agree that bulk communications data has the potential to be very intrusive," it added.
While advocates of the bill, from Home Secretary Theresa May to GCHQ director Robert Hannigan, made numerous claims about not wanting to weaken encryption or insert backdoors into digital products, major technology firms remained adamant the proposals would still have this effect.
In its recommendations, the Joint Committee noted that it should be the government's policy to be able to access to encrypted communications when armed with a warrant. However, the final draft of the bill said the government needs to enforce that end-to-end encryption, often used in products like Snapchat, WhatsApp and iMessage, will not be tampered with.
"The government still needs to make explicit on the face of the bill that CSPs [communications service providers] offering end-to-end encrypted communication or other un-decryptable communication services will not be expected to provide decrypted copies of those communications if it is not practicable for them to do so," it said.
According to Shami Chakrabarti, director of campaigning group Liberty, the committee report is evidence the surveillance bill needs a complete redraft. "The government needs to pause, take stock and redraft – to do anything else would show astonishing contempt for parliamentarians's concerns and our national security," she said.
"This report shows just how much homework the government has to do on this landmark legislation.
"Despite reams of evidence from the Home Office, the committee finds the case for unprecedented powers to bulk hack, intercept and collect our private data has not been made."
Meanwhile, Anne Jellema, chief executive officer of the World Wide Web Foundation said in response that the report skirts around the issue of mass surveillance.
"All three committee reports have made some sensible recommendations. Yet the elephant in the room remains the government's desire to introduce mass surveillance by default," she said.
"Does the UK really want the dubious honour of introducing powers deemed too intrusive by all other major democracies, joining the likes of China and Russia in collecting everyone's browsing habits? This would trample on long-cherished British freedoms and would hurt British businesses, not to mention that we have little evidence that it would make us safer."
Meanwhile, according to Mark Taylor, partner at international law firm Osborne Clarke, the bill may face a number of hurdles from a legal perspective. "The most divisive provisions remain those on Internet Connection Records," he said. "While the committee seems to accept that these are desirable, they require further work to reflect a variety of concerns, such as the privacy implications of ICRs containing sensitive personal data. Ultimately doubts on whether the usefulness of any data obtained will justify the intrusion and considerable cost are reinforced by the committee."
Prior to the Joint Committee assessment, the UK Intelligence Committee branded a key section of the bill 'largely incomprehensible'.