[caption id="attachment_135" align="alignleft" width="128"]

Paul Heritage-Redpath, Product Manager[/caption]

Labour tried it with the IMP (Interception Modernisation Programme), then the coalition Government tried it with CCDP (Communications Capabilities Development Programme). When that failed they morphed it into the Communications Data Bill which also failed, so then the new Tory Government hastily introduced DRIP (Data Retention and Investigatory Powers Bill) but that has a sunset clause of December 2016. It’s not surprising then that last week yet another new draft Bill was announced - this time it’s called the Investigatory Powers Bill. So what will this latest iteration which has already been widely nicknamed the ‘Snooper’s Charter 3.0’ have in store for us?

The Register: Licence to snoop: Ipso facto, crypto embargo? Draft Investigatory Powers bill lands

If the new Bill successfully passes through the standard Parliamentary process and into law next Spring, it will require ISPs to store the details of every website their customers visited for the last 12 months for access by the security agencies, police and other public bodies. It will not require information regarding specific pages and content within that website, just the actual website visited and times etc. Theresa May was keen to highlight that this version of the legislation is subject to “world leading oversight arrangements”, something previous versions have fallen down on. They are:

A new investigatory powers commissioner, Sir Stanley Burnton, will oversee the new powers
Warrants for surveillance will be issued by ministers but only acted on when approved by judges, what has been described as a "double lock" (although we query whether domestic interception should ever originate as a political decision, and ministers are not known for transparency on questions of security)
A new domestic right of appeal against potential abuse of the new rules will also be introduced and it will now be a criminal offence, punishable by up to 2 years in jail, to “wilfully or recklessly acquire communications data” from a telecommunications operator without lawful authority
Make explicit the provisions for intelligence agencies to acquire information in bulk stating: “bulk interception and bulk equipment interference warrants are only to be issued where the main purpose of the activity is to acquire intelligence relating to individuals outside the UK. Conduct within the UK or interference with the privacy of persons in the UK will be permitted only to the extent that it is necessary for that purpose, and under oversight.”
Formalise the Wilson Doctrine, meaning the communications of MPs, members of the House of Lords, UK MEPs and members of the Scottish, Welsh and Northern Ireland Parliaments/Assemblies can't be accessed without approval from the Prime Minister and Safeguards on requests for communications data in other “sensitive professions” such as medical doctors, lawyers, journalists, and Ministers of Religion to be written into law
Part 6 deals with bulk interception, acquisition, interference, bulk data sets. It is, in effect, making explicitly legal for the first time the existing mass surveillance practices of GCHQ and other police and security agencies to hack into and bug computers and phones

Interestingly, Internet providers will be effectively ‘gagged’ from speaking about their involvement because the Bill also states they “must not disclose the existence or content of a data retention notice“

ISPReview.co.uk: UK Gov Publish New ISP Internet Snooping Investigatory Powers Bill

Labour's Andy Burnham, whose party also supports the reforms, said that "strong powers must be balanced by strong safeguards for the public to protect privacy. This is neither a snooper's charter nor a plan of mass surveillance."

Wired.com: Investigatory Powers Bill: what's in it, and what does it mean?
The Guardian: Investigatory powers bill: the key points

Whilst this new draft Bill seems to be gathering cross party support it’s expected to receive ongoing criticism from privacy advocates, just like its previous iterations. The good news is that this draft has been developed from over 200 recommendations from three separate reports including the Anderson review which investigated existing laws and their effectiveness. It will also undergo several months worth of Parliamentary scrutiny and, hopefully, further industry input - unlike DRIP which was hastily rushed into law. Will encryption be banned? A key area for debate and speculation in the lead up to this announcement has revolved around the potential ‘banning’ of end-to-end encryption on the Internet which clearly wouldn’t work as it’s essential to protect against fraudulent activity and provide privacy in a vast array of uses across the Internet, none more so than the protection of consumers and businesses in all online transactions for example. This has since been dismissed by Theresa May who has confirmed end-to-end encryption will not be banned but the Government is still requesting help from companies in the decryption of data when a warrant is obtained, which could be harder than they seem to think as the companies involved don’t always have the ability or access to decrypt such information e.g. Apple’s iMessage.

The Telegraph: Wikipedia founder urges Apple to stop selling iPhones in UK if government bans encryption
ISPReview.co.uk: Apple CEO Fires Encryption Warning Shots at UK Internet Snooping Bill

One area of the bill which receives no mention in the (misleading and not binding) official explanatory notes is S.189 (4) (c) which requires CPs to have the capability for the “removal of electronic protection applied by [any person who provides telecommunications services] to any communications or data”, which sounds to our ears like the ability to defeat encryption. It looks like they are still trying to find their way around encryption at the very least, which continues to raise security concerns. First Impressions of the Draft Bill So, it’s safe to say we can all agree that existing UK laws are out of date and a massive overhaul is needed to bring them in line with new technologies and the ever increasing penetration of the Internet into daily life. Similarly, we think few would argue that getting the balance between protecting national security and privacy right is difficult to say the least and, on the face of it, this iteration seems the most promising thus far. They have at least considered the need for safeguards more thoroughly this time around but this is still a massively intrusive Bill which is likely to face huge amounts of ongoing criticism. The simple fact that this is now in its third iteration despite previously fierce opposition demonstrates the Government’s determination to get updated and more encompassing surveillance and data retention laws passed, which makes us think its introduction is inevitable this time. No doubt further details will continue to emerge as it faces further scrutiny before next Spring, which will help us to decipher the exact requirements on ISPs - including who pays for all the hard drives needed for all of the “retention of internet connection records (ICRs)” - and the impact it will have on us all as citizens. There is currently no requirement in law for ISPs to keep ICRs. If the Bill passes, Entanet like all other ISPs will be required to keep ICRs for a maximum period of 12 months and maintain infrastructure and facilities to give effect to interception and other warrants. Given we are asked to store more data, it initially seems odd that the impact assessment has fallen from a cost of around £2 billion for the previous bills to a “mere” £247 million over 10 years this time round. We think this is because the costs estimates so far have not taken into account the cost of interception of bulk personal data. Certainly Entanet has not been asked to estimate the cost of storage of intercepted information to us yet. Another one to keep watching as it makes its way through the Parliamentary process in 2016.

The Register: UK's internet spy law: £250m in costs could balloon to £2 BILLION

Have your say! What do you think about the new draft Bill? Does it go too far or not far enough? If you’re an ISP are you concerned about the potential requirements regarding data retention? Let us know your thoughts by leaving us a comment below. Related articles