As published in the Financial Times:
UK government’s missed chance to fix broken surveillance system
The UK security services have at last begun to put some effort into their PR. With the publication of the draft investigatory powers bill coinciding with the release of the latest Bond film, we have seen a concerted effort in the past week or two to sex up the security services — complete with gushing, gullible accounts from people giddy at being allowed into GCHQ, the electronic eavesdropping agency.
The publicity campaign may have descended into claim and counterclaim, but there is one thing of which we can be sure: the current legislative framework surrounding surveillance powers is a mess. There are at least 66 statutory bases for surveillance, and the interaction between them is opaque. Many of these powers were designed when the internet was in its infancy, and certainly before the world became so reliant on instant communications and data.
It is no wonder David Anderson QC, the UK’s independent reviewer of terrorism legislation, described the present situation as “incomprehensible to all but a tiny band of initiates”, and said: “This state of affairs is undemocratic, unnecessary and — in the long run — intolerable.”
A consequence of this mess is that the surveillance programme has been plagued by a steady drip of embarrassing stories of massively expanding official powers at the expense of personal privacy in recent years. They range from the revelations of Edward Snowden, the former US security contractor, to the Karma Police operation, where GCHQ collected the browsing habits of every “visible user” on the internet. At least it cannot be claimed that the agency does not have a sense of humour: Karma Police is named after a Radiohead song that includes the line, “This is what you’ll get when you mess with us”.
So new legislation is certainly necessary. But the draft bill, while moving fractionally in the right direction, has serious flaws. The government has tried to bring its multitudinous powers together in a single bill. In this it has failed, with a number of important powers still lying outside the scope of the checks and oversights proposed under the draft legislation.
The supposed strength of the new legislation is its “double lock” authorisation process, with both ministerial and judicial approval required for the grant of any warrant. However, the decision to retain the home secretary’s authorisation process for domestic interception — the first lock of the double lock — is utterly irrational. Domestic interception should not be a political decision. In any event, this system does not offer any accountability, as ministers never answer questions on security and certainly never admit to security errors.
Even with surveillance powers other than domestic interception, the proposed “double lock” falls far short of what is needed, and fails to live up to government promises. Limiting judicial commissioners to considering warrants on judicial review principles means they can overrule a home secretary only if he or she is deemed to have acted utterly unreasonably. The government has hamstrung the process, in essence turning it into a judicial rubber stamp.
The Americans, with their foreign intelligence surveillance courts and privacy advocates, have a far more robust authorisation and oversight regime than we are even daring to dream of. They, along with our other “five eyes” intelligence allies in Australia, Canada and New Zealand, will not be impressed by the UK’s proposals.
The government’s approach to encryption also leaves much to be desired. At least it did not go ahead with Prime Minister David Cameron’s unwise proposal this year to ban end-to-end encryption — the unbreakable code that makes it impossible to read our online messages and transactions even if they are intercepted. Such a move would have had devastating consequences for all financial transactions and online commerce, not to mention the security of all personal data. Its consequences for the City do not bear thinking about.
Instead, government policy is likely to strangle UK tech businesses, by prohibiting the spread of encryption to those services that do not already use it. This will put our communications companies at a severe disadvantage, as their overseas competitors are permitted to offer fully secure services forbidden to UK companies.
The government has also retained the power to demand data from overseas service providers. However, companies will be permitted to refuse to hand over customers’ data where doing so would place them in breach of laws in the country where they are based.
The consequences have not been thought through. Under this regime, tech start-ups will prefer Iceland or Switzerland or Germany, where users’ data will be protected from our government’s demands by local regulations.
And speaking of overseas communications, the government’s definition of this is still a fudge, concocted by Home Office mandarins to scoop up the largest quantity of data. With everyone’s emails and communications already passing through servers located overseas, there is no way to differentiate between national and overseas traffic. All data will be collected, without distinction.
As it stands, this draft bill is a 290-page missed opportunity. The chance to embrace the new consensus among the likes of Mr Anderson, the technology industry, our Five Eyes allies and a large number of other experts that judicial authorisation is vital for all surveillance, has not been grasped. The proposed authorisation and oversight are nowhere near as intelligent as the American, Canadian, German or Dutch systems. The claim by Theresa May, home secretary, that ours will be one of the strongest systems in the world is laughable. It will arguably still be the worst.
Parliament will need to correct large parts of the draft bill. Early signs are that the joint committee reviewing it will be packed with those keen to please the government, or those who simply do not understand the complexities surrounding this issue. When the draft bill is finally subjected to the scrutiny of the whole of parliament, the Commons and the Lords will have to put it right.
The writer is a Conservative MP and a former shadow home secretary