February 9, 2016
What’s all the fuss about the U.K.’s Investigatory Powers Bill?
The surveillance-happy U.K. Government is currently speeding a new law, the Investigatory Powers Bill (IPB), through Parliament. Here’s what people are saying:
It’s "worse than scary", according to Joseph Cannataci, the United Nations privacy chief.
NSA’s former Director of Technology Bill Binney said that the plans were "totalitarian" and would make people "more vulnerable".
Facebook, Google, Microsoft, Twitter, and Yahoo stated that they reject “proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means”.
Beyond the content of the Bill, the process is coming under fire for only allowing 2 weeks to hear witnesses. Worse, the Government has just denied the key committee more time to examine the Bill.
So what’s this all about?
The IPB is the first major piece of new surveillance law since the Snowden revelations. It is an attempt to address much of the (well-deserved) negative publicity surrounding mass surveillance and GCHQ. Unfortunately it is doing so in a backwards way: by making many unpopular and invasive surveillance practices legal, rather than taking steps to strengthen our privacy and address public concern.
Whilst people may be happy to know more about ongoing spying, simply legalising all the shocking practices (and then a little more) doesn’t actually restore people’s faith in the U.K. Government, let alone strengthen safeguards against government spying.
There are 4 main problem areas in the Bill:
1. Bulking up.
The IPB forces British Internet Service Providers to store a record of every website and every app anyone visits in the U.K., for a whole year, regardless of suspicion towards them. This bulk collection of Internet Connection Records can then be accessed by both intelligence services and the police through different processes of varying privacy protection.
Collecting and storing everyone’s browsing history actually makes us all less safe by exposing it to attack. Consider that one ISP, TalkTalk, was recently the subject of a massive user data hack. There’s no guarantee that government agents are the only people who’ll be able to find this incredibly private information. In fact, it’s very likely that hackers will compromise this data. It’s a question of when, not if.
What’s more, it won’t work. William Binney, NSA veteran and whistleblower, flew to the U.K. and testified that from his vast experience, mass data collection “is 99 per cent useless,” and it will cost lives, he emphasised, swamping analysts with too much information and distracting them from real threats.
Despite the risks, the IPB is preoccupied with scooping up all the data it can; the text of the law itself even uses the word ‘bulk’ 500 times!
2. Lack of effective safeguards
The U.K. Government has been arguing that there will be better oversight of mass surveillance: Theresa May, Home Secretary, who authorises access to all this information, will now also need these warrants signed off by a judge as well. It sounds like more oversight, right?
On closer inspection, this is anything but reassuring. It is not the target, or the content, or the legality of the warrants that they are supposed to check off on: judges will only check that she is following the correct procedure.
There were 2,345 warrants approved by the Home Secretary in 2014. With no one else taking the time to check them for fairness and legality, the new oversight system is little more than bureaucratic fluff, with all the power resting in one person.
As Shami Chakrabarti, Director of Liberty, said, “They have spun it as a double lock, but the second person, the judge, does not actually have a key.”
3. Weakening our encryption
There’s another big concern in the new law, and that’s the freedom it gives security services to attack encryption by requiring “backdoors”.
OpenMedia recently joined a coalition of nearly two hundred groups globally to ask world leaders to stand up for encryption and to halt these kinds of laws.
Yet the Bill forces Internet companies to help in attacking their own customers, obligating them to carry out the “removal of electronic protection” on their own software. The U.K. Government insists it won’t harm security, but there’s no getting around it: asking companies to put special backdoors in their encryption will have the effect of making all encryption weaker, exposing a huge range of internet sites and services to massive risk.
We know governments badly want access to encryption-breaking technology. But the lengths they’re willing to go to get it are disturbing: last year, it was revealed that British and U.S. spies worked together to hack the largest SIM manufacturer in the world, stealing encryption keys to access millions of call records.
With the IPB, the U.K. government aims to retroactively make this kind of dangerous access legal.
4. Hacking our security
The IPB also gives government agents the right to break into our laptops and mobile phones, including powers for non-targeted mass hacking, referred to as ‘bulk equipment interference’. This means accessing a device, either physically or remotely, perhaps to access files, or a webcam or discover passwords. It is often used to get around tough encryption.
Non-targeted mass hacking of innocent people’s devices makes us all less safe, full stop.
These proposals together show no understanding of the practical reality behind the rhetoric. Deliberately weakening security systems and introducing backdoors in programs we all use will help bad actors and make us all more vulnerable, full stop.
The Investigatory Powers Bill is currently being scrutinised by U.K. Parliament committees. After only 2 weeks to hear witnesses, the final version of the Bill will be released in mid February, and voted on by MPs shortly after.
It’s never been so important to speak out against the IPB, because things are already bad when it comes to our privacy. We can’t let them get worse. As community member Chris told us on Facebook, “They are already spying on us, they just want public approval so they can do whatever they want without hiding it.”
What to do?
To take action against the Bill you can join in with these U.K. groups:
Write to your MP or sign the petition at Open Rights Group’s IPB campaign hub.
Sign up to Don’t Spy on Us, the U.K.’s coalition of civil liberties and privacy groups.
Add your voice to Liberty’s Safe & Sound campaign.
Or share articles like this one: 10 reasons why you should be worried