Illustration by Ben Jennings

The power to intrude

Has the government found a balance between privacy and security with the Investigatory Powers Bill?
January 21, 2016

Read a further piece on the tension between security and privacy, also published in the February 2016 issue of Prospect

For Islamist terrorists, the prospect of prosecution and punishment is no deterrent. They expect to be killed, either by their own bombs or by those enforcing the law. So public protection depends on thwarting potential terrorists before they can attack. And that, in turn, depends on intelligence—much of it obtained through covert means.

Improving the UK’s intelligence gathering was a priority for Alex Carlile QC, a Liberal Democrat member of the House of Lords, immediately after the Paris attacks on 13th November last year. Carlile, who acted as the government’s independent reviewer of terrorism legislation between 2001 and 2011, called on parliament to pass the Investigatory Powers Bill before the end of 2015.

But that was never going to happen. The government had published a draft of its bill a few days earlier, to allow plenty of time for parliamentary scrutiny. More to the point, the bill adds relatively little to the powers that the UK’s security and intelligence agencies already have at their disposal. Its aim is to modernise those powers, make them easier to understand and strengthen oversight.




But one new power involves what the bill calls internet connection records. These are records of the internet services a specific device has connected to, such as a website or instant messaging application. They could be used to demonstrate that a certain device had accessed an online communications service but not to identify what the user did on that service. While there is currently no requirement for communications service providers to keep these records, in future they will be required to retain them for up to 12 months so that they can be disclosed to law enforcement agencies if the request is considered necessary and proportionate.

Until recently, it was still possible to identify individuals from the unique Internet Protocol (IP) address that was assigned to every device on the internet, rather like looking up the names of suspects from their phone numbers. Nowadays, though, scarce IP addresses may be shared among as many as 5,000 users at a time. So the new law will require telecoms providers to retain additional identifying information, such as port numbers. Once it’s known which services a suspect has used to communicate online, investigators can make further enquiries. Until recently, they could have traced your contacts by asking your phone provider for your billing records. But that won’t help them if you make video calls on Skype or send instant messages on WhatsApp.

Even so, law enforcement agencies believe the bill does not give them all the powers they need. Keith Bristow, Director-General of the National Crime Agency, told a committee of MPs and peers that the police would not be able to use internet connection records merely to identify further leads—which flights a suspect had booked, for example.

Tracking communications is not the only weapon in the spooks’ armoury. They also hack into people’s computer equipment and mobile phones. This is referred to in the draft bill as equipment interference, although it is better known in the trade as computer and network exploitation (CNE). Its existence was first acknowledged by the Home Office as recently as February 2015, when a draft code of practice was published. But it has been lawful since the passing of the Intelligence Services Act 1994, which permitted “interference with property” if a secretary of state was satisfied it was necessary and proportionate.

A remarkably frank account of equipment interference was given to the Investigatory Powers Tribunal, a court to which the intelligence and security agencies are answerable, by a senior official at GCHQ, the government’s eavesdropping centre.




Ciaran Martin, the organisation’s Director for Cyber Security, said that “CNE is a set of techniques through which an individual gains covert and remote access to a computer”—which may be a laptop, router or a mobile. At the most basic level, Martin explained, it may involve using an administrator’s credentials to log into the device. “More sophisticated CNE operations involve taking advantage of weaknesses in software.”

That weakness might allow an implant—also called a “backdoor” or “Trojan”—to be installed, perhaps by persuading a user to click on a link or open a document. A simple implant will transmit information input by an unsuspecting user over the internet. But other implants “might monitor the activity of the user of the target device or take control of the computer.”

This presumably includes switching on a device’s camera and microphone, even when it’s not being used to make calls. The draft bill allows “observing or listening to a person’s communications or other activities” to obtain “information relating to a person’s private or family life.” Martin accepted that CNE operations could be “highly intrusive.” But so is hiding a camera in your bedroom, which will not require prior judicial authorisation.

Critics have claimed that equipment interference will allow the agencies to create viruses that take on a life of their own. Shane Harris, a senior correspondent at the Daily Beast, suggests in his book, @War, that in the build-up to the invasion of Iraq in 2003 “military leaders [in the United States] called off a planned cyber attack on Iraq’s banking system for fear the malware might migrate from Iraqi computer networks to those used by banks in France. Owing to the interconnected architecture of the internet, the two countries’ financial systems were linked.” He also suggests that, in the process of infecting insurgents’ phones and computers, it was possible that the malware could come back and infect US devices. But those in the know say that creating widespread vulnerabilities would not be in the agencies’ interests, quite apart from being illegal. As Martin said, intelligence agencies seek to make minimal, and ideally the most transient, changes to targeted devices. GCHQ doesn’t want anyone to know who it’s monitoring.

The draft bill also allows bulk interference with equipment—as well as bulk interception of communications and related data—sent to or from people outside the borders of the British Isles. And the bill permits the intelligence services to obtain and use bulk personal datasets. These contain information about a number of people—in the case of the electoral roll, for example, a very large number—most of whom are of no interest to the authorities.

Again, it was only in 2015 that the use of these powers was publicly acknowledged—or “avowed”—even though they have been authorised under legislation dating back to 1984. Under the draft bill, though, the intelligence services would need to obtain a bulk warrant from a secretary of state. And—as with warrants for interception of communications and equipment interference—warrants would also have to be approved by a judicial commissioner, one of the bill’s main innovations.

The commissioner could be a serving high court judge, seconded for a three-year term. But going back on the bench after working for the government would pose problems and commissioners are more likely to have retired from the judiciary. It’s thought that around seven will be needed, headed by a high-profile investigatory powers commissioner—in my opinion most likely to be Heather Hallett, a senior Court of Appeal judge, unless she becomes Chief Justice first. The government needs the bill itself to become law by the end of this year, when temporary data retention legislation expires, but the new commissioners will not be appointed until some time in 2017.

In approving the secretary of state’s decision to issue a warrant, a judicial commissioner must consider whether the action it authorises is necessary and proportionate. The commissioner must apply the same principles as a court would when hearing an application for judicial review. That provision in the draft bill has persuaded some critics that the commissioner would be powerless at best and a rubber-stamp at worst.

Judicial review, as developed by the courts over the past 40 years or more, used to be more about process than substance. But the test is now more stringent, as the three former judges who monitor the existing legislation made clear to the parliamentary committee set up to consider the draft bill. A commissioner may defer to the agencies on whether a particular warrant was necessary. But any former judge can assess the level of collateral intrusion and decide whether it goes too far.

You might think that people working in intelligence and law enforcement would resent the imposition of judicial commissioners. Certainly, the agencies will need new systems and secure links. But it’s thought they will be happy enough, so long as the arrangements for issuing or amending warrants at very short notice work effectively (because “flash-to-bang” can be very quick). One advantage of judicial oversight is that it might reduce the risk of subsequent legal challenges. Another advantage is in reassuring potential sources.

David Anderson, the current independent reviewer of terrorism legislation, told MPs and peers of a message he had received from “someone at GCHQ.” It said: “I hope these new commissioners really make [the agencies] work hard to prove that what they are doing is necessary and proportionate.” In Anderson’s view, everybody wanted to put investigatory powers on to a sound legal footing. “If you are trying to recruit people on the pavements of Shoreditch to come and use their technical skills to work for GCHQ, you do not want to be seen to be working in some shadowy grey area where you are dodging in and out of the law.”




Anderson believes that there is “now a complete avowal of significant capabilities, at least in outline.” But there are still broadly-drawn powers towards the end of the draft bill that could be abused by a future government. We can have little idea of what techniques these powers might permit the agencies to use in future, just as we had little idea until recently of how the existing legislation was being used. Campaign groups say we could be told more about the agencies’ capabilities without undermining their effectiveness.

In the end, it all comes down to trust. Can we rely on those who work in the secret world and those who oversee them? Do they come across as honest, decent people?

It’s cultural, as much as anything else: there are some things the UK’s agencies just won’t do. Their staff demand reassurance that their activities are lawful. And they know that co-operation from outsiders—on which they rely for their effectiveness—will be offered more willingly if they have a reputation for rectitude.

As we try to find our way through a largely uncharted online world, we require the agencies to respect our personal privacy while defending us from attack. Those two requirements are bound to conflict. It’s now for parliament to decide whether this bill has got the balance right.