snooper's charter – Techdirt (original) (raw)

UK Government Leaders Say Investigatory Powers Act Isn’t Awful Enough, Announce Plans To Make It Worse

from the all-the-things-you-don't-like-but-MORE-OF-THEM dept

The UK government thinks the 2016 Investigatory Powers Act is due for an overhaul. But it has plenty of opposition. Some of the proposed amendments actually appear to be illegal. And at least one major tech company has threatened to exit the market if the proposed amendments become law.

The so-called “Snooper’s Charter” has always been one of the nation’s worst laws. But there are plenty of legislators who believe it can — and shouldbe made worse. Following the “King’s Speech” — the UK equivalent of our State of the Union address only, you know, slightly more colonist — UK leaders are informing the nation they’d very much like to increase the government’s already considerable surveillance powers.

On 8 November, the government introduced legislation to update the Investigatory Powers Act 2016.

The Investigatory Powers (Amendment) Bill was announced in the King’s Speech and will make urgent and targeted amendments to the existing act to ensure our country is kept safe and our citizens protected from harmful threats.

[…]

These amendments will enhance our national security by keeping the public safer from threats such as terrorism, hostile activity from foreign powers and serious and organised crime. The UK is a world leader in ensuring privacy can be protected without compromising security. The bill will maintain and enhance the existing high standards for safeguarding privacy in the 2016 act.

First off, there’s the standard claim that this will do something about national security. Those two words are capable of shutting down certain brains (including those handling judicial challenges) and bypassing objections by making it appear anyone opposing surveillance power expansion must want the terrorists to win.

Second, there’s the hilariously ridiculous claim that the UK is a “world leader in ensuring privacy.” London has been a camera-riddled dystopia for years — a dystopia made even worse by the routine addition of error-prone facial recognition tech. For years, the UK government has compromised privacy to achieve, at best, minimal gains in security.

Finally, claiming there’s anything in the 2016 Investigatory Powers Act that even remotely approaches “high standards for safeguarding privacy” is ludicrous. Claiming that adding even more data retention demands and surveillance options will somehow “enhance” these (lol) “high standards” is even more asinine.

But that’s how UK leaders are portraying this turn of events, spring-boarding off the King’s Speech to push another round of privacy violations and security compromises under the pretense of making the nation safer.

These officials even pretend this won’t give the government more snooping power than it already has.

The targeted reforms will not create new powers in the act. They will instead modify elements of the existing legislation to ensure it is proportionate, provides agencies and oversight bodies with appropriate resilience mechanisms and maintains and enhances the existing measures.

This sure looks like a new power. According to this fact sheet, service providers will now be required to retain certain internet browsing records created by their users. Here’s how things stand now:

There is no current requirement in law for CSPs to keep ICRs [internet connection records] and this information may therefore be unavailable to law enforcement agencies, meaning that often they can only paint a fragmented intelligence picture of a known suspect. Internet protocol (IP) address resolution identifies the sender of online communications.

So, if the government currently doesn’t have access to these records because CSPs (communication service providers) aren’t required to keep them, and the government issues a mandate to retain these records solely for the purpose of being able to access them on demand, that sure seems like a “new power,” even if the collection is being off-loaded (via government mandate) to providers who were never previously obligated to collect or retain this data.

The proposed changes would also expand the definition of bulk personal datasets (BPDs) to cover data collected by third parties, like data brokers. And, while this isn’t technically a “new” power it is definitely an expansion of the government’s existing power:

The bill would also increase the duration of a BPD warrant from six to twelve months in order to better demonstrate the necessity and proportionality of retaining and examining the data, the case for which can be made more effectively over this longer time period.

The government would be able to collect more and hold onto it longer. On top of that, privacy protections for datasets will no longer be equal across all datasets. The amendments would allow the government to declare some datasets more equal than others, lowering privacy protections as needed to access sets that were previously either off-limits or subject to enough restrictions the government rarely got a chance to view or retain them.

Then there’s this phrase, which says things about “resilience” when it clearly means lowering the bar for warrant acquisition:

Increasing resilience of the warranty authorisation processes to allow greater operational agility for the intelligence agencies and National Crime Agency. This will help to ensure they can always get lawful access to information in a timely way so that they can respond to the most serious national security and organised crime threats.

“Greater operational agility” is just a fancy way of saying “make things easier.” When you start altering the rules to increase law enforcement efficiency, you tend to turn protected rights into privileges that only need to be respected when they’re not inconveniencing law enforcement.

None of this is law. Yet. But it’s clear those heading the government firmly believe this is the right way to go.

Filed Under: investigatory powers act, national security, privacy, snooper's charter, surveillance, uk

Apple Says It Will Exit The UK Market If Government Passes Update To Investigatory Powers Act

from the you've-been-warned dept

Apple fought the law and — contrary to the song lyrics — it won. Years later, Apple decided it would get ahead of the law enforcement curve by attempting to engage in client-side scanning of iPhone users’ content. That worked out less well for Apple, which (at least momentarily) decided making governments happy was more important than protecting its customers.

Since setting itself on fire, Apple has reverted to its former self: the company that prides itself on user privacy and security. Plenty of world governments hate Apple for doing this. But they don’t have any leverage. Apple products and services are far more popular with government constituents than the governments themselves. So, when governments start making unreasonable demands, the simplest solution is to GTFO.

Apple has consistently opposed the act, originally dubbed a “snooper’s charter” by critics. Its submission to the current consultation is nine pages long, opposing:

Apple says:

This is Apple’s response to proposed changes to the “Snooper’s Charter,” a.k.a. the Investigatory Powers Act. Apple has already expressed extreme reluctance to engage in encryption breaking or client-side scanning as proposed by the European Union.

Amendments to the IPA would undermine Apple’s security features. Because of that, Apple’s comment submission lets the UK government know that if it moves ahead with these changes, UK customers will no longer have access to FaceTime or iMessage. And if those two offerings aren’t available, it hardly makes senses for UK residents to purchase iPhones if they wish to have access to secure communications options.

And this latest government intrusion would be on top of whatever eventually makes its way into the Online Safety Act, a parallel bit of legislation which would impose client-side scanning on service providers. And that imposition means those offering end-to-end encryption would have to weaken or break their encryption to spy on users’ communications. This proposal has also faced heavy resistance, but proponents of the law seem pretty fucking resilient and have refused to back down from these demands, unlike the EU Commission, which has pretty much abandoned its demands for broken encryption. (Also of note: the EU Court of Justice found IPA’s predecessor to be unlawful back in 2016. Brexit makes this meaningless, but it does demonstrate how far outside the bounds of respected rights this proposal treads.)

If the UK government decides it’s more important to give the government power than give constituents secure communication options, UK residents will end up having to utilize whatever options remain. And those options will be far less secure and far more sketchy than those long-offered by tech companies who have spent years improving the security of their offerings.

Filed Under: encryption, investigatory powers act, security, snooper's charter, surveillance, uk
Companies: apple

High Court Says UK Government Can No Longer Collect Internet Data In Bulk

from the snoopers-charter:-now-with-10%-less-snooping! dept

UK civil liberties group Liberty has won a significant legal battle against the Snoopers Charter. A recent ruling [PDF] by the UK High Court says the data retention provisions, which include mandated extended storage of things like web browsing history by ISPs, are incompatible with EU privacy laws.

The court found the data retention provisions are at odds with civil liberties protections for a couple of reasons. First, the oversight is too limited to be considered protective of human rights asserted by the EU governing body. As the law stands now, demands for data don’t require independent oversight or authorization.

Second, even though the Charter claims demands for data will be limited to “serious crimes,” the actual wording shows there are no practical limitations preventing the government from accessing this data for nearly any reason at all.

The decision quotes the Charter’s stated reasons for obtaining data, which range from “public safety,” to “preventing disorder” to “assessing or collecting taxes.” Obviously, the broad surveillance powers will not be limited to “serious crimes,” contrary to the government’s assertions in court.

First, the wording of the draft declaration is so broad that it would include areas which are outside (or potentially outside) the area of serious crime: for example, the area of national security. As will become apparent later, the issue of whether the area of national security falls within the scope of EU law at all is the subject of dispute between the parties.

The second sentence refers to the government’s argument: that UK national security concerns trump European law. Unfortunately, the High Court does not provide an answer as to whether UK law can ignore CJEU decisions when it comes to securing the nation. This will have to wait until after a decision is handed down in another challenge to the surveillance law.

[I]n our view, although the terms of section 94 of the 1984 Act and the terms of Part 4 of the 2016 Act are not identical, the questions which have been referred by the IPT are not confined to the precise scope of section 94. Rather they raise broader questions about the scope of EU law, having regard to Article 4 TEU and Article 1(3) of the e-Privacy Directive; and also raise the particular question of whether any of the Watson CJEU requirements apply in the field of national security.

For those reasons we refuse the application by the Claimant to make a reference to the CJEU on this question. This part of this claim will be stayed pending the CJEU’s decision in the reference in the Privacy International case.

In the end, the court decides this part of the Snoopers Charter must be stricken and rewritten to comply with EU privacy protections. The UK government has six months to fix the law. Until that point, it appears UK agencies will still be able to demand data in bulk under the Charter draft. Once the fixes are in and enacted, bulk collections of internet browsing data and communications metadata will cease… at least until the UK exits the European Union.

Filed Under: data protection, eu, mass surveillance, privacy, snooper's charter, surveillance, uk

UK Councils Used Massive Surveillance Powers To Spy On… Excessively Barking Dogs & Illegal Pigeon Feeding

from the once-the-power's-there... dept

Over in the UK, we’ve highlighted many of the problems of massively expanding surveillance through the (most likely illegal) “DRIPA” (Data Retention and Investigatory Powers Bill) and the new Snooper’s Charter. And yet, the government there keeps insisting that such powers would never be abused. But, that’s ridiculous. As we’ve seen in the past, it’s difficult to find examples of surveillance powers not being expanded and abused over time. And, now the UK is realizing exactly how that works. The Guardian, via Freedom of Information requests, has discovered that local British councils were given the ability to use surveillance powers under the Regulation of Investigatory Powers Act (RIPA) to spy on all sorts of people for what appear to be minor infractions:

A mass freedom of information request has found 186 local authorities ? two-thirds of the 283 that responded ? used the government?s Regulation of Investigatory Powers Act (Ripa) to gather evidence via secret listening devices, cameras and private detectives.

Among the detailed examples provided were Midlothian council using the powers to monitor dog barking and Allerdale borough council gathering evidence about who was guilty of feeding pigeons.

Remember, of course, that every time these kinds of surveillance powers are discussed in government, everyone is told that they’re necessary to stop the horrible threat of imminent death from terrorism. No one talks about how they’ll stop the scourge of illegal pigeon feeding.

While the article rightly quotes politicians horrified by this abuse of surveillance power — and using it to question why the UK is giving itself more powers under the Snooper’s Charter, which will be similarly abused — there are also some local politicans who defend spying on the public in this manner:

?I?m frankly far more concerned about the rights and civil liberties of the victims and wider council tax-paying public, who are currently having to pick up the tab, than the small minority criminal element who continue to treat the rest of us with open contempt.?

And this is how civil liberties die. By claiming that it’s more important to give them up to capture people involved in petty nuisance activities, and claiming that the government needs to spy on everyone to stop such activities.

Filed Under: barking dogs, investigatory powers, pigeon feeding, ripa, snooper's charter, surveillance, uk

European Court Of Justice Rules Against UK's Mass Surveillance Program

from the will-it-matter-after-brexit? dept

Over the summer, we noted that the Advocate General for the European Court of Justice had sort of punted on the issue of whether or not the UK’s Data Retention and Investigatory Powers Bill (DRIPA) was actually legal. Thankfully, the final ruling is much clearer: “general and indiscriminate retention” of emails and other electronic communications is illegal in the EU according to the court. The only thing that is allowed is targeted interception, used to combat “serious crime.”

This is a pretty big deal, as the original recommendation from the Advocate General had suggested that DRIPA might be found legal. Of course, DRIPA is in the process of being superseded by the even worse Investigatory Powers Bill, better known as the Snooper’s Charter. If DRIPA violates the law, than the Snooper’s Charter almost certainly does so at an even greater level. Of course, there is some irony in all of this, in that the case that came to the CJEU was brought by a Member of Parliament, David Davis, who is now the “Brexit Secretary,” meaning that he’s helping to organize the process by which the UK will be removed from the EU… such that it may not even matter what the EU’s Court of Justice has to say on the matter.

The UK has also made it clear it’s going to appeal the decision, meaning that it will get to drag this process out as long as possible, potentially until the Brexit process is completed, at which point the ruling will not matter.

Still, it should at least raise question in the UK about why their politicians are granting the government powers to snoop on every member of the public at a level that goes way beyond what is considered appropriate.

Filed Under: cjeu, data retention, david davis, drip, dripa, european court of justice, investigatory powers bill, ip bill, mass surveillance, snooper's charter, uk

Parliament Passes Snooper's Charter, Opens Up Citizens To Whole New Levels Of Domestic Surviellance

from the surfing-the-internet-with-The-Man dept

Despite loudly, and repeatedly, raised concerns from activists and members of Parliament, the UK’s Snooper’s Charter (a.k.a., Investigatory Powers bill [PDF]) has been passed by both parliamentary houses and only needs the formality of the royal signature to make it official.

These are the fantastic new things UK citizens have to look forward to with this expansion of government surveillance power.

The law will force internet providers to record every internet customer’s top-level web history in real-time for up to a year, which can be accessed by numerous government departments; force companies to decrypt data on demand — though the government has never been that clear on exactly how it forces foreign firms to do that that; and even disclose any new security features in products before they launch.

The list of new powers doesn’t end with these. UK intelligence agencies are also given permission to perform “electronic interference” — hack into computers and electronic devices belonging to UK citizens, not just individually, but in bulk. It also codifies secret (and illegal) surveillance of UK citizens that the country’s intelligence agencies have engaged in for years without proper authority or oversight.

The government, of course, is trying to portray this as nothing more than a fine tuning of preexisting laws, specifically the Regulation of Investigatory Powers Act (RIPA). Glossed over in its perfunctory “nothing to see here” explanation is the fact that RIPA was also rushed into existence to codify other secret and illegal surveillance programs.

But it’s no ordinary update of existing investigatory laws. Jim Killock of the Open Rights Group calls the Snooper’s Charter “the most extreme surveillance law ever passed in a democracy.” Thanks to the new powers, UK intelligence agencies should be able to put together very extensive dossiers on pretty much anyone they feel like.

This is the collection of Internet Connection Records (ICRs)—a record of which services every citizen it is connecting to, logged in real-time. This unprecedented level of micro-surveillance is accompanied by a machine to make sense of the mass of data, called a ‘Filter’, but is in essence, a search engine. It can match these ICRs with your mobile phone location data and call histories. It can, we believe, be used to profile the social relationships and the sexual and political activities of every U.K. citizen.

That’s how the UK government wants it, apparently: porn filtered out, but spy agencies let in.

Beyond the expansion of law enforcement and surveillance powers is the precedent set by the government in its continual codification of secret surveillance programs. Like RIPA before it, the new law sends a message to intelligence and law enforcement agencies that all misdeeds will ultimately be legislatively forgiven by their overseers. Agencies are implicitly invited to hide programs from overseers and explore new collection techniques without running it past anyone else in the government first. And years later, it will all be papered over by “updated laws.”

This is also good news for other Five Eyes surveillance partners. The NSA and GCHQ’s information sharing partnership means the US agency now has access to even more data on British citizens. Almost anything GCHQ can acquire, the NSA can access. And now GCHQ can access more than ever.

Filed Under: data retention, gchq, investigatory powers bill, ipbill, metadata, parliament, snooper's charter, uk

from the reading-the-tea-leaves dept

Over at the EU Court of Justice, the Advocate General has weighed in on the legal challenge to DRIPA, the Data Retention and Investigatory Powers Bill (DRIPA) that was rushed through the UK Parliament almost exactly two years ago. The law was challenged by a group made up of cross-party Parliament Members, and the Advocate General has sort of punted on the issue. If you don’t recall, the Advocate General’s role in the EU Court of Justice is basically to make a recommendation for the actual rulings. The court doesn’t have to (and doesn’t always) follow the Advocate General’s suggestion, but does so often enough that the opinions certainly carry a lot of weight and suggest what’s likely to happen. In this case, the opinion stated that, even though the court had previously rejected the EU-wide Data Retention Directive as intruding on privacy — the UK’s data retention law might be okay.

The opinion basically says some data retention laws may be okay if the powers are “circumscribed by strict safeguards” set up by the national courts.

Of course, the timing on this is important, given that the UK is (1) eagerly trying to push through its new surveillance law, the Investigatory Powers Bill which was (2) championed by then Home Secretary Theresa May as a necessary surveillance tool — and May is now the Prime Minister due to a series of issues in the UK you may have heard about lately. And some folks who are trying to read the tea leaves of the Advocate General’s opinion are suggesting that it may actually hint that while the old DRIPA might possibly be okay, the new Investigatory Powers bill probably is not. Of course, a lot of this depends on how you read the opinion and how certain key phrases are interpreted.

Many of those responding to Tuesday’s opinion emphasised the main finding that “solely the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not.”

Basically, it appears that while it may be possible to twist DRIPA into shape so that it’s not violating the court’s required safeguards, the same cannot be said for the new bill. Whether or not that actually stops forward progress on that bill is another story altogether. And, of course, if the UK really is going to go through with its plan to leave the EU entirely, none of this may matter at all. Well, except for the privacy of everyone in the UK.

Filed Under: data retention, dripa, eu court of justice, eucj, investigatory powers bill, ipbill, snooper's charter, surveillance

UK Parliament Ignores Concerns; Moves Snooper's Charter Forward

from the sad dept

This isn’t necessarily a huge surprise, but the UK’s House of Commons overwhelmingly voted in support of the Snooper’s Charter, officially known as the Investigatory Powers Bill. As we’ve discussed, this is a dangerous bill that will give the UK government significantly more surveillance powers (or, in many cases, will “authorize” things that the UK government has already been doing on dubious legal authority), with little to no real oversight. And despite people being upset about it, it still was approved by a vote of 444 to 69. And, yes, the current version of the bill still asks for backdoors to encryption, but leaves a vague exemption if a company claims that it would not be feasible or would be too expensive. That’s better than the alternative, but it’s still a step in the wrong direction. The bill still needs to be considered by the House of Lords, but it’s disappointing that the House of Commons seemed so willing to cave to demands for more surveillance powers.

Filed Under: house of commons, investigatory powers bill, ip bill, snooper's charter, surveillance, uk

UK Government Pushes Forward With Insane Snooper's Charter, Despite Widespread Concerns

from the concerns-can-be-ignored-when-you're-in-power dept

We’ve written a few times in the past year about the latest UK efforts to enact its “Snooper’s Charter” law, officially the Investigatory Powers Bill, which would give the government much greater surveillance capabilities. Right after last year’s election, Prime Minister David Cameron and Home Office Secretary Theresa May made it clear that they were going to go full Orwell, and do whatever possible to grant themselves greater powers to spy on everyone. As more concerns were raised, we noted that the government pretended to back down, while still including all the bad stuff people predicted.

As more and more complaints about the bill were raised, we noted May decided to try to rush the bill through, along with a healthy dose of “if you don’t do this we’re all going to die!” FUD. That included releasing a new draft of the bill, which pretended to address the privacy concerns people raised, but which did so basically by just adding the word “privacy” to a heading and making no substantive changes to protect privacy at all (and possibly changes that made things worse).

Rest assured that a lot of people are seriously uncomfortable with all of this. A group of over 200 leading lawyers in the UK have sent a letter slamming the bill:

At present the draft law fails to meet international standards for surveillance powers. It requires significant revisions to do so.

First, a law that gives public authorities generalised access to electronic communications contents compromises the essence of the fundamental right to privacy and may be illegal. The investigatory powers bill does this with its ?bulk interception warrants? and ?bulk equipment interference warrants?.

Second, international standards require that interception authorisations identify a specific target ? a person or premises ? for surveillance. The investigatory powers bill also fails this standard because it allows ?targeted interception warrants? to apply to groups or persons, organisations, or premises.

Third, those who authorise interceptions should be able to verify a ?reasonable suspicion? on the basis of a factual case. The investigatory powers bill does not mention ?reasonable suspicion? ? or even suspects ? and there is no need to demonstrate criminal involvement or a threat to national security.

These are international standards found in judgments of the European court of justice and the European court of human rights, and in the recent opinion of the UN special rapporteur for the right to privacy. At present the bill fails to meet these standards ? the law is unfit for purpose.

Meanwhile, internet service providers, tech companies, and civil liberties groups have asked the government to delay moving forward with the bill, but it does not appear that May has any interest in doing so.

On Tuesday, the House of Commons had its “Second Reading” of the bill, and the debate about it allowed some to raise concerns, but with various parties deciding to abstain from voting, rather than vote against it, the bill moved forward easily (it’ll come back to Parliament after the House of Lords goes through the bill). Even worse, the main “opposition” to the bill was not that strongly raised:

Andy Burnham, former Home Office minister, stood to offer the Labour party’s official perspective. If there is substantive opposition to the contents of the IP Bill within the Labour party – and I know there is from MPs like Tom Watson and David Winnick – then there was little evidence of it from Mr Burnham’s contribution to the debate. He opened by trotting out the dire need to combat the four horsemen of the infocalypse and the false and distorting ‘balance security with privacy’ dichotomy. From those foundations he was highly unlikely to get anywhere enlightened.

While we’re fighting against backdoors and for encryption here in the US, it looks like the UK government is potentially moving very much in the other direction.

Filed Under: david cameron, investigatory powers bill, ipbill, privacy, snooper's charter, theresa may, uk

Sensing Public Support Waning, UK Fast Tracks Snooper's Charter

from the get-the-damn-thing-through-and-then-spy-on-everyone dept

For some time now, we’ve been covering the UK’s plan — led by Home Secretary Theresa May — to pass a new Snooper’s Charter that would increase surveillance powers greatly in the UK. There’s been a growing amount of criticism of the plan in the UK, so rather than respond to it, May has simply moved to fast track the bill, officially called the Investigatory Powers Bill. The bill will officially be “published” today on March 1, and then will likely be voted on before the end of April.

Of course, this seems like standard operating procedures these days. Two years ago, the UK government did the same thing with its data retention bill. It’s almost as if the UK government would prefer cutting off debate on these issues, and just rushing through much greater surveillance powers for the government.

Filed Under: investigatory powers bill, snooper's charter, theresa may, uk