Quick note if you’ve come here from Twitter: I joined Twitter a couple of months ago and am still learning the ropes. @frabcus pointed out that my timeline is hard to read, so I’ve now Storified my relevant Tweets from Tuesday night – along with those of a few others who were also commenting as they read the Joint Committee’s report on the draft Communications Data Bill.
While the Joint Committee has been scrutinising the government’s draft Communications Data Bill, the Intelligence and Security Committee (ISC) has been conducting a parallel inquiry into the use of communications data by the intelligence and security Agencies. [@smithsam points out I should clarify that the ISC’s inquiry was also into the draft Bill.]
On Tuesday it published the conclusions of its investigation. The ISC takes pains to point out that it has a different frame of reference from the Joint Committee, and states:
We have taken detailed evidence, much of which is highly classified as it relates to the current capabilities – and lack of capabilities – of our intelligence Agencies. We have sent a classified report on our findings to the Prime Minister. However we are conscious that the question of access to communications data is one which is generating significant public debate – and rightly so, since any intrusion into an individual’s personal life should not be done lightly. We are, therefore, intending to publish in due course as much of the content of that report as possible.
The ISC is a cross-party body of peers and MPs. It has had an opportunity to look at evidence the Joint Committee has not. Though the language of its summary is quite naturally circumspect there are some striking parallels in its conclusions:
5. Turning to the draft Bill, we strongly recommend that more thought is given to the level of detail that is included in the Bill, in particular in relation to the Order-making power. Whilst the Bill does need to be future-proofed to a certain extent, and we accept that it must not reveal operational capability, serious consideration must be given as to whether there is any room for manoeuvre on this point: Parliament and the public will require more information if they are to be convinced.
i.e. Clause 1 is much too broadly drafted (cf. paras 287-297, JC summary of recommendations). The report continues:
6. We have similar concerns regarding the background information accompanying the Bill. Whilst we recognise the need to take action quickly, the current proposals require further work. In particular, there seems to have been insufficient consultation with the Communications Service Providers on practical implementation, as well as a lack of coherent communication about the way in which communications data is used and the safeguards that will be in place. These points must be addressed in advance of the Bill being introduced.
i.e. there has been a failure to consult (cf. paras 284-286, JC Report) and the Home Office has failed to provide a proper explanation of how communications data will be handled in practice and how oversight and other ‘safeguards’ will actually work (cf. paras 300-317, JC Report). The message is perfectly clear: ‘not good enough, try again’.
The ISC also notes:
We do not believe that there is any benefit in providing superficially precise estimates of the size of this ‘capability gap’: unless there is a demonstrable basis for such figures they can be misleading.
Ah, superficial precision without evidence – a speciality of Home Office figures! Of course, this was also noted by the Joint Committee (cf. paras 34-39, JC Report). And there’s more on ‘the gap’:
We therefore welcome the decision by the Home Office to make public information on the three core elements of the gap: subscriber details showing who is using an Internet Protocol address; data identifying which internet services or websites are being accessed; and data from overseas Communications Service Providers who provide services such as webmail and social networking to users in the UK. This is a positive step. However, we recommend that more thought is given as to whether this can be reflected on the face of the Bill.
i.e. the core purposes of the scheme aren’t reflected in the wording. When the raisons d’être for a piece of legislation fail to appear on the face of the Bill, it is a bad Bill. Full stop. We live under the rule of law, which means the law must be clear and explicit; law by insinuation should not stand.
Unsurprisingly and sort-of-understandably, the ISC is of the opinion that judicial oversight for the security and intelligence Agencies is unnecessary. Sticking to its frame of reference, it remains mute as regards police or other bodies’ access to detailed dossiers on the communications behaviour of every person in the UK:
Any move to introduce judicial oversight of the authorisation process could have a significant impact on the intelligence Agencies’ operational work. It would also carry a financial cost. We are not convinced that such a move is justified in relation to the Agencies, and believe that retrospective review by the Interception of Communications Commissioner, who provides quasi-judicial oversight, is a sufficient safeguard.
Though the ISC may be strictly correct in describing the IoCC as ‘quasi-judicial oversight’, you don’t have to read too far between the lines to see that the Joint Committee clearly didn’t think very much of him (paras 187-199, JC Report).
Moving on past the rather chilling sentence, “While legislation is not a perfect solution, we believe it is the best available option” the ISC again points out that the Home Office can’t expect communications companies to snoop on its behalf without actually stating in law that they will be required to do so, and on what basis:
Whilst we recognise the UK Communications Service Providers’ concerns, we believe they would be willing to co-operate in deploying Deep Packet Inspection technology to obtain third-party data. We are however sympathetic to their argument that the Home Office should have to demonstrate due diligence before resorting to the use of Deep Packet Inspection to collect communications data from overseas Communications Service Providers, and we recommend that this should be reflected on the face of the Bill.
It may be worth noting that the Communications Service Providers are backing the Deputy Prime Minister’s call for the Home Office to go “back to the drawing board”. Though some, including Jimmy Wales, are more outspoken against the scheme than others they are all going to need a ‘get out of jail free’ card if this scheme is to proceed. The retributive risks of being known snoopers on ‘third party data’ from repressive regimes may not have escaped some. Nor the reputational and other risks of some possible domestic effects.
In discussing the ‘Request Filter’ – the search engine intended to mine what would be, in practice, a distributed database of detailed information about everyone in the UK (para 113, JC Report) – the ISC suggests that in the hands of the Agencies it may mitigate “collateral intrusion”. This is more optimistic by what it omits than the Joint Committee, which deploys the same euphemism but sees this “Government owned and operated data mining device” in the hands of other bodies as providing the temptation to go on “fishing expeditions” (para 126, JC Report).
The ISC highlights some of the complexities of implementation, both bureaucratic and technical, ending its delicately-worded advice with an assessment we know all too well to be true:
The technology seems to exist to provide this. It will be a significant challenge to integrate the numerous data sets from different Communications Service Providers to make the filter work, as well as manage the expectations of the various Departmental and Agency stakeholders. The record of government in managing such complex IT projects is mixed at best.
For a Parliamentary body which has had access to highly confidential material, dealing with actual national security issues to arrive at such similar conclusions regarding the draft Bill as the Joint Committee is remarkable.
Or maybe it isn’t.
The draft Communications Data Bill is a monstrosity, the scheme behind it even worse. Anyone who can see beyond their own nose (or self-interest) should be able to discern that. As I’ve said elsewhere it is over-reaching, poorly drafted, ill-defined, not based on evidence or proper consultation and misleadingly costed. But the answer is not a re-write, as many seem to be suggesting. What is required is a fundamental re-think of surveillance law. And I’m not the only one who thinks so*.
The machinery is broken. We can’t fix it by slapping on another kludge. And we certainly shouldn’t let the outfit that has bodged the job so badly time and again anywhere near it. (Yes, Home Office – I mean you!)
The Joint Committee itself said, “The language of RIPA is out of date and should not be used as the basis of new legislation” (para 167, JC Report). The current legislation is not fit for purpose; the government must sort that out properly before it even considers any more.