MISC-11: Review Draft Investigatory Powers Bill



Issue Information

Issue Type: Task
 
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: Miscellaneous (MISC)
Resolution: Done (2017-07-06 15:49:14)
Affects Version: Draft IPB Reading,
Target version: Draft IPB Reading,
Labels: Interception, Interpretation, IPB, Legislation, Mass-Collection, Privacy,

Created: 2015-11-04 19:14:04
Time Spent Working
Estimated:
 
360 minutes
Remaining:
 
360 minutes
Logged:
 
0 minutes


Description
Have already had a skim read of the published Draft IPB, but need to have a more thorough review of the published IPB. Creating this issue to record notes whilst reading the bill and other resources.

LAN-64 is concerned with the measures required to ensure our data isn't caught up in the proposed dragnet, so may require updating depending on what is noted within this issue.



Issue Links

Draft Investigatory Powers Bill (Projects Static)
A Practical Demonstration of what IPB will allow (bentasker.co.uk)
Toggle State Changes

Activity


Linking to a mirror of the current draft of the bill in case the source link (https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investigatory_Powers_Bill.pdf) is updated or changes at some point in the future.
btasker added 'IPB Interception Interpretation Legislation Mass-Collection Privacy' to labels
This bit is particularly scary (from https://conspicuouschatter.wordpress.com/2015/11/05/uk-draft-ip-bill-the-last-policy-discussion-about-surveillance-before-the-mass-gagging/)

Keeping surveillance evidence out of courts, and the defenseÂ's hands
S.42(1-4) of the Draft IP Bill prevents anyone involved in interception from ever mentioning it took place as part of any legal proceedings. Note that this section is absolute: it does not have exceptions, for example in relation to the public interest: such as the ability to discuss the benefit or downsides of part interception activities; no exception for talking about this to MPs, or other democratic representatives; or even to exculpate anyone who otherwise would be wrongfully found guilty. Similar provisions (S.120(a)) keep the fruits of bulk interception out of courts.


The gagging applies to (as a minimum)

- Equipment Interference (Cracking)
- Bulk Communications Data Collection
- Implementing Interceptions Capability
- Retention Notices
- Targeted Warrants
- "Technical Capability Notices" (Implementing backdoors)

Essentially, any power the IPB bill grants is protected by permanent, absolute secrecy. What a fine democratic nation we live in.....
As with RIPA, in order to view Internet Connection Records (ICR), Plod only need sign-off from a "desginated" superior officer.

Judicial sign off will be required for
- trying to identify a Journalist's confidential source (excludes the Intelligence agencies)


Government minister followed by "Judicial Commissioner" sign-off required for
- Interception of content of communications

In "urgent" cases, the minister can bypass the commissioner.

For the definition of Content, the bill's a little flimsy, but as far as Web browsing goes they've specifically limited themselves:
Content of a communication
(6) The content of a communication is the elements of the communication, and any
data attached to or logically associated with the communication, which reveal
anything of what might reasonably be expected to be the meaning of the
communication but—
(a) anything in the context of web browsing which identifies the
telecommunications service concerned is not content, and
(b) any meaning arising from the fact of the communication or from any
data relating to the transmission of the communication is to be
disregarded.


and
190 Subsection (9)(f) provides for the retention of internet connection records. Internet connection
records are a record of the internet services that a specific device connects to – such as a website
or instant messaging application – captured by the company providing access to the internet.
They could be used, for example, to demonstrate a certain device had accessed an online
communications service but they would not be able to be used to identify what the individual
did on that service. Clause 47 provides certain restrictions on the acquisition of internet
connection records. Clause 193 provides that in the particular context of web browsing
anything beyond data which identifies the telecommunication service (e.g. bbc.co.uk) is
content.

and
451 Subsection (6)(a) provides that in the particular context of web browsing anything beyond data
which identifies the telecommunication service (e.g. bbc.co.uk) is content. Accordingly
bbc.co.uk, google.co.uk or facebook.com would be communications data but data showing
what searches have been made on Google or whose profiles have been viewed on Facebook
would be content.


Which ignores just how identifying/embarassing a list of visited domains could be.
btasker changed Project from 'Home' to 'Miscellaneous'
btasker changed Key from 'HOME-23' to 'MISC-11'
btasker added 'Draft IPB Reading' to Version
btasker added 'Draft IPB Reading' to Fix Version
btasker changed status from 'Open' to 'In Progress'
The "Request Filter" from the Draft Communications Data Bill (http://www.publications.parliament.uk/pa/jt201213/jtselect/jtdraftcomuni/79/79.pdf) is still ever-present, and as before it basically translates to "We're going to build a fuck-off big database of everything we can, but don't worry there's going to be an interface in front off so requests can be limited down to the 'relevant' stuff".

Mind you, seems the Home Office don't like it when it's portrayed like that - https://twitter.com/TheRegister/status/662335345921363968
As others are way ahead of me at reading the bill, and doing a fantastic job of identifying the issues, I'm not going to bother doing a writeup of the bill.

Instead, I've moved onto running a practical demonstration of what can actually (and incredibly easily) be pulled out at a network level, including effectively bypassing the protection that a lot of people assume HTTPS will give them.

Will start writing it up shortly so I can publish
btasker changed status from 'In Progress' to 'Resolved'
btasker added 'Done' to resolution
btasker changed status from 'Resolved' to 'Closed'