Click here to load reader

Investigatory Powers Bill & ICRs

  • View

  • Download

Embed Size (px)

Text of Investigatory Powers Bill & ICRs

IP Bill & ICRs

IP Bill & ICRsOversight or Theatre? Surveillance and Democratic Accountability

Ray Corrigan5 February 2016 Wolfson Hall, Churchill College, University of Cambridge

Almost universal agreementSerious threats terroristsorganised crimedangerous dictators

SIS & LE need intelligenceskillstoolsresources12/01/2016Ray Corrigan, Open University

Guilty, suspicious, innocent


Guilty, suspicious, innocent

Guilty, suspicious, innocent

Guilty, suspicious, innocent

John Inglis, NSA Deputy Director, 3 hops Congressional testimony, 31 July 2013 6

ICRsinternet connection record/s appears in -192 page draft bill in s47 only 3 timesGuide to Powers and Safeguards (once in contents page) x3 (ICR/sx11)Explanatory Notes x6 (ICR/sx1)Home Office written evidence to Joint Committee x29 (ICR/sx18) & Technology Committee report x27 (ICR/sx53)Correspondence from Home Secretary (IPB0065) x11 (ICR/sx10) case for the Retention of Internet Connection Records x13 (ICR/sx88)

EXPLANATORY NOTES What these notes do These Explanatory Notes relate to the Investigatory Powers Bill as published in Draft on 4 November 2015 (Cm 9152). These Explanatory Notes have been produced by the Home Office in order to assist the reader of the Bill and to help inform debate on it. They do not form part of the Bill and have not been endorsed by Parliament. These Explanatory Notes explain what each part of the Bill will mean in practice; provide background information on the development of policy; and provide additional information on how the Bill will affect existing legislation in this area. These Explanatory Notes might best be read alongside the Bill. They are not, and are not intended to be, a comprehensive description of the Bill. So where a provision of the Bill does not seem to require any explanation or comment, the Notes simply say in relation to it that the provision is self-explanatory. 7

ICRs S47 Additional restrictions on grant of authorisations

(6) In this section internet connection record means data which may be used to identify a telecommunications service to which a communication is transmitted through a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and is generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person).

Draft Investigatory Powers Bill 8

ICRs s71 Powers to require retention of certain dataExplanatory notes (s190) say S71(9)(f) defines internet connection records:(9) In this Part relevant communications data means communications data which may be used to identify, or assist in identifying, any of the following[](f) the internet protocol address, or other identifier, of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program. In this subsection identifier means an identifier used to facilitate the transmission of a communication.Not an ICR in sight

s71Insert data here from

ICRs in Guide to Powers and Safeguards ICR Nota persons full internet browsing historyICR isrecord of the services they have connected to

ISPs required to retain ICRs for 12 months

ICRs in Explanatory Notes records captured by a network access provider of the internet services with which a person or device interactswould not be able to be used to identify what the individual didPublic authority ICR access purpose: to ID sender/services/criminalityCSPs not currently required to retain ICRs by lawClause 71(9)(f) of this Bill provides for the retention of internet connection records (71(9)(f) does not use term internet connection record/s)ICRs relevant communications data?Local authority access to ICRs prohibited

ICRs in Science & Tech Committee reportGov say ICRs the only substantially new requirements provided for in the draft BillCttee: ICRs the subject of uncertainty and concern from business due to lack of clarity Goverment should pay full costsTech Advisory Board should advise on CoP requirements for protecting ICR dataGovt & business should advise on annual updates of CoPsconfusion about the extent to which internet connection records will have to be collectedessential that the Government is more explicit about the obligations it will and will not be placing on industrydefinitions of internet connection records and other terms have led to significant confusionDr Joss Wright OII comparing it with telephony is ludicrousCf Denmark session logging abandoned 2012Home Secretary: Definitions ICRs & CD intended to be technology neutral & necessarily abstractHome Offices Chief Scientific Adviser, Professor Bernard Silverman: ICR definition pinned down in a way that satisfies both a legal and a scientific requirementFeasibility of collection questionable ISPA: ICR does not exist BT: cannot realistically scope technical feasibility or cost Andrews & Arnold: DPI?Security difficult: massive volume of ICR dataORG: request filter one of the most concerning aspects

Correspondence from the Home Secretary, Rt Hon Theresa May MP (IPB0065) ICR details with industryconfident feasible (industry reps disagree)Internet Connection Records is a record of the internet services a specific device is connected toEach ICR is a record of a single Internet Protocol event

Not retained under existing law

Future aspiration

Simple example of ICR for mobile phoneData FieldsExampleWhat does it represent?Account Reference13109976224The mobile telephone numberSource IP : Port Private10.13.26.70 : 5256What the client looks like to the Communication Service Provider for Internet access.Source IP : Port - Public232.99.52.12 : 80What the client looks like to the Internet.Destination IP : Port135.20.32.87 : 80The Internet Service being accessed by the client.URI domainwww.socialmedia.comThe Internet Services web domain.*Service identifierSocial MediaThe Internet Services name.Session Start Time14:30:01 GMT 03/09/2015The time and date for the start of session.Session End Time14:40:29 GMT 03/09/2015The time and date for the end of session.Data Volumes Transferred1253 outgoingThe number of Bytes Transferred and direction.

* A URI retained as part of an ICR may only contain the elements of the address which identify the communication service concerned.

ConcernsDefinitions vagueICRs, telecommunications service, relevant communications data, communications content, equipment interference, technical feasibility and reasonably practicables195: data includes any information which is not dataGovernment insist clear but necessarily abstractTechnical feasibility questionableCostly for government & CSPsMass invasion of privacyIllusion bulk collection ok as long as only computers see dataExtraterritoriality & jurisdictional conflictOthers including despots watching for UK benchmark

ConcernsCSPs sustainability, security, legal & operational uncertaintiesQuestionable efficacy for crime/terrorism detection/prevention Comms infrastructure security nightmare combined with targeted and/or bulk:interceptionacquisitionretention equipment interferenceSecuring bulk personal datasets extremely difficult

How they might be improvedAbandon retention of ICRsTargeted judicially supervised retention of data of those about whom authorities have reasonable suspicionWill need international cooperation & political signoff wont wash

Political obstacles Unreasonably short timetableAbsolute commitment of Home Secretary & government to have something called the Investigatory Powers Act on the statute booksMedia spotlightIncentive to avoid concessions to avoid perceived weakness(e.g. partial move towards David Anderson judicial oversight recommendation called u-turn)

On the plus side, opportunity Mature debate (Andrew Parker)NatureScopeReachProportionalityNecessityLegalityClarityPracticalityEtc

Historic first (David Omand): Bring secret state intelligence operations fully under rule of law

Insanity of bureaucracySacrifice/distortion of core services on altar of simplistic metricsLoss of institutional ethical memory/values over timeEducationNHSSocial welfareEconomyCriminal justice

From Solove to KafkaNo known cure for a bureaucrat with a target (mission creep)

Bureaucracy/algorithms make life-changing decisions based on secret information, while denying the subject/s of the data the ability to inform, see or challenge

Image The Open University

Communications infrastructure of police state will not be permanently deployed benevolentlyNeed respect for:the person (personal data should not be treated as industrial raw material)existing human rights laws

Search related