Tuesday saw the first debate of the Investigatory Powers Bill in the House of Commons.
The debate raised some useful arguments, but many speeches avoided the key point: that the Bill would bring in a huge, unparalleled extension of surveillance powers that had never been debated by MPs before.
The Open Rights Group, ORG, will be proposing amendments to change the Bill. It's unfit for purpose at the moment, permitting and extending mass surveillance. We're particularly concerned about the lack of discussion of the filter which turns
retained data into a massive searchable police database of your location, phone and Internet data. We've delved into the significant new powers for the police below.
The debate on the Investigatory Powers Bill has focused a lot on the new extension to police powers, and the collection of Internet Connection Records to keep a log of everyone's web browsing. Critics like myself worry about the ability this
creates to see into everyone's most intimate thoughts and feelings; while proponents are prone to say that the police will never have time to look at irrelevant material about innocent people.
However, the really novel and threatening part of this proposal isn't being given anywhere near the level of attention needed.
The truly groundbreaking proposal is the filter , which could be seen as a government Google search to trawl your call records, Internet and location data. The filter is clearly named so that it sounds helpful, perhaps boring or else maybe
something that filters down information so that it is privacy friendly. It is anything but. It is so intrusive and worrying, I would rather you think of the Filter as the PHILTRE: the Police Held Internet Lets Them Read Everything.
Remember when these proposals started, back in the late 2000s, under the last Labour government? Maybe not, but that's how long Home Office officials have been trying to make this happen. Their original plan was to build a single database that would
store everything they could find about who you email, message and what you read?, and where you are, as logged by your mobile phone. Place all that information in a single searchable database and the dangers become obvious. So obvious that the
Conservative opposition was up in arms.
How on earth would you stop abuse, if all this information was placed into a single database? Surely, it would lead to fishing trips, or police searches to find lists of all the environmental protesters, trades unionists or libertarians, and to identify
who it is that seem to be their leaders? How would you stop the police from producing pre-arrest lists of miscreants before demonstrations, or from deciding to infiltrate certain public meetings? Indeed, who would be able to resist using the database
from working out who was at the location of relatively petty offenses, perhaps of littering or vandalism, or calculating who had been speeding by examining everyone's mobile phone location data.
So the current government does not want try to hoard everyone's data into a single database. Instead, they've come up with the PHILTRE, which can query lots of smaller, separate databases held by each private company. As this PHILTRE can be applied to
separate data stores, all at once, we are in effect back with a proposal for a single government database and all the same problems -- but in a way that government can claim that it is not a single government database .
But as long as the data can be queried and sorted in parallel, it becomes immensely powerful and just as intrusive. For instance, for a journalist to protect against revealing a whistleblower, they would need to avoid not just phoning them, but meeting
them while both were carrying their mobiles and creating matching location logs. All of the profiling and fishing expeditions are just as easily achievable.
Most worrying is the authorisation process. Police, agencies and tax authorities will continue to authorise their own access of our personal data, just as they do today with phone call records -- there's not a judge anywhere near the day to day use of
this search facility.
The Home Office is selling this Google-style search through the population's mind as a privacy enhancement. Only the relevant search results will be returned. Masses of irrelevant information about other people will not have to be given to officers. They
give the example of mobile phone mast data -- where the filter could cut the required information down to just that about the person you need to know about.
This might sometimes be true. But two things make me suspect this is a highly partial story. For one thing, the search engine can tell you about the kinds of things it thinks it might tell you -- perhaps social graphs, location histories, dodgy website
visits, organisations supported -- before you ask it. This is to educate and help police get the right information. It is also an invitation to make increasing use of the tool. If it is limited in its purpose, this seems an unnecessary step.
Secondly, there are no limits to what results the search engine might be asked to produce. Nothing for instance, says that only a single person or place can be searched against, so that only one person's contacts might be returned, or just the people at
a single crime scene. Thus the prospect of fishing trips is given no legislative limit. The only serious limit is that this information might be kept for no longer than 12 months.
For years privacy campaigners have been trying to explain how your web history and location data can be dangerous tools for personal and whole population surveillance. Now it seems the UK government wants to engage in a whole population experiment to
show us what it really means. Parliament, the courts, but most of all, you, can help stop them.
In Saturday's edition of the New York Times, Matt Apuzzo reports that the Department of Justice is locked in a prolonged standoff with WhatsApp. The government is frustrated by its lack of real-time access to messages protected by the company's
end-to-end encryption . The story may represent a disturbing preview of the next front in the FBI's war against encryption.
It appears that the Department of Justice is considering pursuing another, similarly dangerous legal attack on encryption. The fact that the government is even considering such an action proves that our worst fears were right.
This time they're targeting WhatsApp, the Facebook-owned messaging app which started adding strong end-to-end encryption in 2014 . According to the New York Times, the government has obtained a wiretap order, authorizing real time acquisition of the
WhatsApp messages (probably text chats rather than voice calls, but that's unclear at this stage) in an ongoing criminal investigation. WhatsApp is, of course, unable to provide decrypted text in response to the wiretap order, just as it was unable to
comply with a similar order by a Brazilian court earlier this month. The whole point of end-to-end encryption is that no one but the intended recipient of a message is able to decipher it.
From the New York Times' reporting, it looks like the government has so far only obtained an initial wiretap order--demanding WhatsApp to turn over message content it can't access. The Department of Justice has not yet decided whether to ask the court
for a follow-on order that would compel WhatsApp to decrypt the messages. Presumably, that second order would look similar to the San Bernardino order and direct WhatsApp to write code that would break its own encryption and allow it to provide plain
text in response to the wiretap order.
If the government decides to seek that second order against WhatsApp, it would almost certainly be grounded, not in the All Writs Act but in the technical assistance provision of the Wiretap Act . So while the result of the All Writs Act
litigation in San Bernardino wouldn't directly control the outcome of any Wiretap Act case against WhatsApp, courts apply similar tests in the two contexts. In both All Writs and Wiretap Act cases, courts evaluate whether compliance with an order would
constitute an undue burden. Therefore all the rather convincing arguments Apple has made in San Bernardino would be available to WhatsApp as well.
As of now, we're unable to find any additional publicly available information regarding the order against WhatsApp. The New York Times reports that, unlike in the San Bernardino case, the WhatsApp litigation is being kept under seal. We'll keep an eye
out for any additional documents, and will continue to blog as more becomes public. For now however, we applaud WhatsApp (and Facebook) for standing strong in the face of orders, whether Brazilian or American, to do the impossible or to compromise our
security for the sake of enabling click-of-the-mouse surveillance.
The Special Rapporteur on the right to privacy has heavily criticised the Investigatory Powers Bill in his first report to the Human Rights Council.
The report calls for disproportionate, privacy-intrusive measures such as bulk surveillance and bulk hacking as contemplated in the Investigatory Powers Bill [to] be outlawed rather than legitimised.
Jim Killock, Executive Director of Open Rights Group responded to the report's findings:
The Special Rapporteur's report is yet another damning criticism of the Investigatory Powers Bill. Not only does it call for the disproportionate powers in the Bill to be 'outlawed rather than legitimised', it points out that the Bill does not comply
with recent human rights rulings, which means it could be open to legal challenges.
The report also voices another serious concern -- that the impact of this extreme legislation will be felt around the world, and copied by other countries.
The Government cannot continue to ignore the overwhelming evidence that the IPB is a deeply flawed piece of legislation.
The Honorable John Holdren, Director of White House Office of Science and Technology Policy
The Honorable Susan Rice, United States National Security Advisor
The Honorable Jeffrey Zients, Director of the White House National Economic Council
RE: Civil Society Input on Human Rights and Civil Liberties Protections Online
Dear Mr. Holdren, Ms. Rice, and Mr. Zients,
The undersigned organizations recognize that the U.S. government faces complex security challenges, and we appreciate the role of a variety of stakeholders including technology companies. However, we are writing to you today because we believe that when
the government sits down with private sector entities to discuss the future of free expression and privacy online, civil liberties and human rights advocates need to be at the table, too.
Over the past year, technology companies have been under increasing pressure from a range of policymakers to weaken the security of their products and to aggressively monitor, censor, or report to the government users' communications, with the hope that
such steps will help to prevent or investigate acts of terrorism. This campaign to push the tech sector to police the Internet at the government's behest was recently highlighted by the White House's high-profile visit to Silicon Valley for a
confidential meeting with top tech company CEOs.
In international fora, the United States has consistently promoted a multi-stakeholder approach to decision-making concerning the Internet, an approach that includes not only government and corporate stakeholders, but civil society as well. As this
Administration has regularly asserted, when billions of people rely on the Internet to exercise their human rights to speak freely and communicate privately, it only makes sense that experts and advocates whose primary goal is to protect those rights be
included in discussions about the Internet's future. Such participation helps ensure that governments do not unduly pressure companies to take steps that would harm human rights, and where such pressure is applied, ensures that all stakeholders can
respond accordingly with appropriate evidence and objections, and a suggested path forward.
We are heartened that, based on reporting about the memos circulated to attendees of the recent Silicon Valley meeting, the Administration appears to recognize that there are serious questions raised by enlisting broad voluntary assistance from Internet
companies. The potential threat to human rights is especially acute because so-called U.S. counter-extremism
programs, while framed as not addressing a particular ideology or religion, currently overwhelmingly target Muslim and other marginalized communities and individuals.
However, the best ways to ensure that human rights are protected are:
First, for the Administration to engage in a dialogue with those civil society organizations that focus on the protection of human rights and civil liberties online, to the same extent that it is in dialogue with the Internet companies themselves, and to
provide to civil society any proposals provided to those companies; and
Second, for both the Administration and the companies to be as transparent as possible regarding the steps being taken in response to the government's requests, especially in regard to any changes in the security features of any products or services, or
any changes to policies or practices that determine what speech is censored or reported to the government.
Internet freedom begins at home. When the government sits down secretly with those companies that have practical control over a broad swath of public speech and private communication, and especially if and when those conversations lead to voluntary
surveillance or censorship measures that would be illegal or unconstitutional for the government to undertake itself, the consequences are truly global. The U.S. government may embolden abusive governments around the world to continue exerting pressure
on tech companies to assist in crackdowns on dissent and the targeting of human rights defenders. The U.S. could also set dangerous examples to ally governments who are likewise contemplating new counter extremism measures.
While the United States certainly faces complex national security risks, forfeiting human rights principles and the protections laid down in the Constitution is not the solution. Therefore we look forward to working with your team to ensure that as the
government and the Internet industry discuss how best to address the threats the U.S. faces, the rights of all people--both in the U.S. and around the world--are duly represented.
An open letter to the leaders of the world's governments SIGNED by organizations, companies, and individuals:
We encourage you to support the safety and security of users, companies, and governments by strengthening the integrity of communications and systems. In doing so, governments should reject laws, policies, or other mandates or
practices, including secret agreements with companies, that limit access to or undermine encryption and other secure communications tools and technologies.
Governments should not ban or otherwise limit user access to encryption in any form or otherwise prohibit the implementation or use of encryption by grade or type;
Governments should not mandate the design or implementation of "backdoors" or vulnerabilities into tools, technologies, or services;
Governments should not require that tools, technologies, or services are designed or developed to allow for third-party access to unencrypted data or encryption keys;
Governments should not seek to weaken or undermine encryption standards or intentionally influence the establishment of encryption standards except to promote a higher level of information security. No government should mandate
insecure encryption algorithms, standards, tools, or technologies; and
Governments should not, either by private or public agreement, compel or pressure an entity to engage in activity that is inconsistent with the above tenets.
Access Now, ACI-Participa, Advocacy for Principled Action in Government, Alternative Informatics Association, Alternatives, Alternatives Canada, Alternatives International, American Civil Liberties Union, American Library
Association, Amnesty International, ARTICLE 19, La Asociación Colombiana de Usuarios de Internet, Asociación por los Derechos Civiles, Asociatia pentru Tehnologie si Internet (ApTI), Association for Progressive Communications (APC), Association for
Proper Internet Governance, Australian Lawyers for Human Rights, Australian Privacy Foundation, Benetech, Bill of Rights Defense Committee, Bits of Freedom, Blueprint for Free Speech, Bolo Bhi, the Centre for Communication Governance at National Law
University Delhi, Center for Democracy and Technology, Center for Digital Democracy, Center for Financial Privacy and Human Rights, the Center for Internet and Society (CIS), Center for Media, Data and Society at the School of Public Policy of Central
European University, Center for Technology and Society at FGV Rio Law School, Chaos Computer Club, CivSource, Committee to Protect Journalists, Constitutional Alliance, Constitutional Communications, Consumer Action, Consumer Federation of America,
Consumer Watchdog, ContingenteMX, Courage Foundation, Críptica, Datapanik.org, Defending Dissent Foundation, Digitalcourage, Digitale Gesellschaft, Digital Empowerment Foundation, Digital Rights Foundation, DSS216, Electronic Frontier Finland, Electronic
Frontier Foundation, Electronic Frontiers Australia, Electronic Privacy Information Center, Engine, Enjambre Digital, Eticas Research and Consulting, European Digital Rights, Fight for the Future, Föreningen för digitala fri- och rättigheter (DFRI),
Foundation for Internet and Civic Culture (Thai Netizen Network), Freedom House, Freedom of the Press Foundation, Freedom to Read Foundation, Free Press, Free Press Unlimited, Free Software Foundation, Fundacion Acceso, Future of Privacy Forum, Future
Wise, Globe International Center, The Global Network Initiative (GNI), Global Voices Advox, Government Accountability Project, Hiperderecho, Hivos, Human Rights Foundation, Human Rights Watch, Institute for Technology and Society of Rio (ITS Rio),
Instituto Demos, the International Modern Media Institute (IMMI), International Press Institute (IPI), Internet Democracy Project, IPDANDETEC, IT for Change , IT-Political Association of Denmark, Jonction, Jordan Open Source Association, Just Net
Coalition (JNC), Karisma Foundation, Keyboard Frontline, Korean Progressive Network Jinbonet, Localization Lab, Media Alliance, Modern Poland Foundation, Movimento Mega, Myanmar ICT for Development Organization (MIDO), Net Users' Rights Protection
Association (NURPA), New America's Open Technology Institute, Niskanen Center, One World Platform Foundation, OpenMedia, Open Net Korea, Open Rights Group, Panoptykon Foundation, Paradigm Initiative Nigeria, Patient Privacy Rights, PEN American Center,
PEN International, Pirate Parties International, Point of View, Privacy International, Privacy Rights Clearinghouse, Privacy Times, Protection International, La Quadrature du Net, R3D (Red en Defensa de los Derechos Digitales), R Street Institute,
Reinst8, Restore the Fourth, RootsAction.org, Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC), Security First, SFLC.in, Share Foundation, Simply Secure, Social Media Exchange (SMEX), SonTusDatos (Artículo 12, A.C.),
Student Net Alliance, Sursiendo; Comunicación y Cultura Digital, Swiss Open Systems User Group /ch/open, TechFreedom, The Tor Project, Tully Center for Free Speech at Syracuse University, Usuarios Digitales, Viet Tan, Vrijschrift, WITNESS, World Privacy
Forum, X-Lab, Xnet, Zimbabwe Human Rights Forum
The French government has rejected an amendment to its forthcoming Digital Republic law that required backdoors in encryption systems.
Axelle Lemaire, the Euro nation's digital affairs minister, shot down the amendment during the committee stage of the forthcoming omnibus digital bill, saying it would be counterproductive and would leave personal data unprotected. She said:
Recent events show how the fact of introducing faults deliberately at the request - sometimes even without knowing - the intelligence agencies has an effect that is harming the whole community
Even if the intention [to empower the police] is laudable, it also opens the door to the players who have less laudable intentions, not to mention the potential for economic damage to the credibility of companies planning these flaws. You are right to
fuel the debate, but this is not the right solution according to the Government's opinion.
Lemaire called the proposal a plan to introduce vulnerability by design, and said that while she was aware that law enforcement would like such powers they were not a good idea, and could be used without the proper legal processes that the
government supported. She said that, like the Dutch government, her party supported strong encryption.
The Dutch government has issued a statement in defence of strong encryption, bucking the recent trend of governments and intelligence agencies arguing for
weaker encryption. Ard van der Steur, the Dutch minister of security and justice, wrote that:
The government believes that it is currently not desirable to take legal measures against the development, availability and use of encryption within the Netherlands.
Encryption supports respect for privacy and the secret communication of citizens by providing them a means to communicate protected data confidentially and with integrity. This is also important for the exercise of the freedom of expression. For example,
it enables citizens, but also allows empowers important democratic functions like journalism by allowing confidential communication.
Security experts have welcomed the statement. Nithin Thomas, CEO of London-based security company SQR Systems called the announcement a powerful example that other world governments should follow .
Microsoft will warn email and OneDrive users if it detects apparent attempts by governments to hack into their accounts.
Google, Facebook, Twitter and Yahoo already offer similar government hacker alert systems to the one just introduced by Microsoft. Alerts are far from rare. Google, for example, reportedly tells tens of thousands of users every few months that they've
been targeted by foreign spooks.