Politics

What should we make of the Investigatory Powers Bill?

Experts examine the government's new proposals for police and spies

November 04, 2015
The debate sparked by NSA whistleblower Edward Snowden has partly prompted the drafting of this bill. © Vincent Yu/AP/Press Association Images
The debate sparked by NSA whistleblower Edward Snowden has partly prompted the drafting of this bill. © Vincent Yu/AP/Press Association Images
Establishing how much privacy we are willing to sacrifice for security is one of the most important questions Britain faces. But whatever your view on the matter, for a proper debate to happen, police, security services and government must be open and clear about what powers they are able to use, and what safeguards there are on those powers. The draft Investigatory Powers Bill unveiled today by Home Secretary Theresa May is ostensibly an attempt to do just that: to take the convoluted and outdated legislation which currently governs what snooping on our communications is permitted and consolidate it into an up-to-date, effective and balanced "licence to operate" for law enforcement and security services, democratically approved by parliament and clearly understood by the British people. Such powers are currently defined by a bewildering spread of legislation including the Data Retention and Investigatory Powers Act 2014, the Computer Misuse Act 1990 and the Telecommunications Act 1984.

The Bill stands at 299 pages and is being pored over by journalists, campaigners and politicians. There is much discussion of it to come. But already, some key proposals have attracted attention. On the one hand, some opponents of the government, including the Labour party, have welcomed the inclusion of a "double lock" on interception warrants for individuals' communications data, which would mean such activity would have to be approved not just by a Secretary of State, but also by a judge. On the other, the bill includes a controversial proposal that internet companies should be required to hold some data on users' internet browsing for 12 months. Many fear what such data would be used for were it to be stolen in a cyberattack similar to that recently conducted on the internet service provider TalkTalk. It includes in statute for the first time powers for MI5, MI6 and GCHQ to engage in bulk collection of some communications data.

Is this another "snoopers' charter," as critics dubbed the government's last attempt to introduce such legislation, intended only to invite the long nose of the law further into our private lives? Or is it a realistic check on those who would otherwise overstep their remit in pursuit of criminals and terrorists? We asked a panel of experts their view.

The three Rs

David Omand—Security expert and former head of GCHQ

A new democratic licence to operate is needed for the security and intelligence agencies and for law enforcement. A licence for intrusive investigation that is based on three Rs: rule of law, regulation and restraint through the legal requirement for necessity and proportionality. Parliament has the opportunity with the draft legislation to reassure the public that—with strict controls and oversight to ensure respect for our privacy—law enforcement and intelligence agencies can continue to have warranted access to the Internet and to digital data to uncover new terrorist connections and networks and to detect, classify, attribute and disrupt criminal and hostile state cyber attacks directed against us. If Parliament gets this right the legislation will establish the gold standard for Europe and beyond for how a democracy can enjoy both security and privacy. If Parliament gets this wrong then it will have neutered the very digital intelligence capabilities that are needed to keep the public safe from those who mean us harm.

A breathtaking attack

Shami Chakrabarti—Director of Liberty

After all the talk of climbdowns and safeguards, this long-awaited Bill constitutes a breathtaking attack on the internet security of every man, woman and child in our country. The blanket retention of “internet connection records” is so intrusive that suspicionless compulsory retention is not allowed in any other EU or Commonwealth countries, the US or Canada—Australia recently passed a law against it! To top it all off, hacking—the most appalling form of surveillance there is—has been extended to all police forces, and far from the substantive judicial role called for by experts and cross-party MPs, their part will be nothing more than a rubber stamping exercise. We now look to Parliament to step in where Ministers have failed and strike a better balance between privacy and surveillance.

Results, not policies

Peter Kellner—President of YouGov

What we've found consistently over the years is that whenever the choice is posed in terms of security vs civil liberties, we always get around two to one in favour of security. In terms of initial reactions to the measures, then, I don't think the government will have much trouble at all with public opinion. But there is a second layer. In the short run, people respond to policies. In the long run, they respond to results. If there is—god forbid—another 7/7 event and it turns out that the oversight system produced delays in stopping it, the public will be aggrieved. If on the other hand it turns out innocent people have had their privacy invaded—for the sake of argument, say a junior intelligence officer leaked the fact a celebrity had been watching porn to the tabloid press—the public would be appalled. So initial support could be overturned further down the line.

Look to the future

Chi Onwurah—Shadow Minister for Culture and the Digital Economy

There are a number of positive changes that Theresa May has introduced, as Andy Burnham highlighted in his response today. That's welcome. But I am still concerned that the bill is not forward looking enough. This is replacing existing legislation whose safeguards were undermined by technological evolution. What I didn't hear from Theresa May was what thinking had been done to prevent that happening again. It’s a hard job second guessing technology, but there are certain trends you can identify. Data flows will go up exponentially with the rise of the internet of things, personal data stores could make individuals their own data guardians. That's just two examples, what others are there?

A public debate

David Evans—Director of Community and Policy at BCS, the chartered institute for IT

At BCS we've long been concerned by a lack of public debate on this issue, and that's been heard; we've seen more engagement by the government than ever before, which is very welcome. We've seen progress on the proportionality of the measures, the scope, and the oversight. This is potentially very powerful data and day-to-day access by individuals needs to be very tightly controlled, and there is a lot to explore about the implications. So this moves us forward—and as we get into the detail we'll see how far—but we want to recognise a very welcome step forward in the fundamental approach to public debate by the government and the role this will play in building trust with the citizen.

Edited by Josh Lowe