UK Bill Would Mandate Backdoors to Snoop on Encrypted Messages

Published: November 4, 2015 10:01 PM



The full text of a draft of the Investigatory Powers Act, an authoritarian surveillance bill being pushed by UK Prime Minister David Cameron, has been released to the public. In the days leading up to its release, many sites were warning that the draft contained dangerous provisions that would threaten the privacy of communications and would force companies like Apple to put backdoors in their encrypted messaging services. It turns out those concerns were justified.

Many sites are prominently featuring in their headlines the fact that the bill does not outright ban encryption, a point the government has been using to defend the bill from criticism. Even though it does not completely ban all encryption, it does require companies like Apple to decrypt communications if an agency like the GCHQ serves them a warrant. So this merely bans useful encryption. As long as companies have encryption weak enough to be broken or circumvented in some way, it's allowed.

Strangely enough, many of the powers in the bill are claimed to already exist under current law, and the bill is said to merely put them together in a single piece of legislation for clarity. This includes the requirement that companies must be able to decrypt any messages their services encrypt. The bill states, "RIPA requires CSPs to provide communications data when served with a notice, to assist in giving effect to interception warrants, and to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates."

Another aspect of the bill that is raising concern is a requirement for ISPs to keep 12 months of Internet connection records. Home Secretary Theresa May defended the requirement, stating, "If someone has visited a social media website it will only show they have accessed that site, not the pages they visited or what they said. It is simply the modern equivalent of an itemized phone bill." However, Mike Weston, CEO of data science consultancy Profusio, disagreed with May's comparison, saying, "It's more useful and more intrusive. You can tell quite a lot more about what people are looking at online than you can from an itemized phone bill."

One silver lining in all this is the inclusion of a so-called double-lock that intelligence agencies must pass to get a warrant for their snooping activities. Under the current law, the Secretary of State has the authority to approve warrants for surveillance by these agencies. However, this bill would add the requirement that warrants must be approved by a judge in addition to the Secretary of State. This addition of judicial oversight is a welcome change, even if most of the other provisions in the bill are awful.

It is also noteworthy that due to the intelligence sharing treaty between the US, UK, Canada, Australia and New Zealand, also known as the Five Eyes, any communications intercepted by the GCHQ will also be shared with intelligence agencies in the other four countries. This would apply to decrypted communications, ISP records, or anything else the GCHQ can get its hands on.

Is this law a threat to privacy, or is it okay? Leave your comment below.
