Home Secretary Theresa May just introduced the draft Investigatory Powers Bill to the Commons. We covered the context of the bill here, but now to the meat: what powers would the bill actually give to the government and security services if it became law?
What could the police see?
The Bill would allow the police to look at what Cameron and May both called the equivalent of a standard phone bill: the domain visited by a web browser, but not the pages visited, content looked at, or anyone communicated with.
Even this will be heavily restricted:
Strict limits will apply to when and how that data can be accessed – over and above those safeguards that apply to other forms of communications data. And we will ban local authorities from accessing such data.
What about the security services?
An awful lot more. May admitted in her speech that security services have engaged in “bulk collection” of data (as revealed by Edward Snowden). Now, she wants to make this more transparent:
So the Bill will make explicit provision for all of the powers available to the security and intelligence agencies to acquire data in bulk. That will include not only bulk interception provided under the Regulation of Investigatory Powers Act and which is vital to the work of GCHQ, but also the acquisition of bulk communications data, both relating to the UK and overseas.
Essentially: they’re still going to do it, but at least we know about it now.
What data would companies have to store about you?
As expected, the bill dictates that web and phone companies must store records of all your digital activities (including the content of messages, for example) for 12 months.
They’ll still be able to use encryption in their services, but must assist security services in bypassing this encryption if deemed necessary.
These points could actually make it more likely that communications companies could suffer hacks or leaks, as they would have to build in bypasses to encryption, plus store all that data for extended periods of time.
Who gets to decide when intrusions of privacy can take place?
May was under pressure from all sides to introduce a “judicial oversight” in this bill – so warrants would need to be approved by judges, not just ministers.
She’s gone for a strange halfway point: intercept warrants must be approved by a minister and by a panel of seven judicial commissioners, except in “urgent” cases. May calls this a “double-lock”.
Requests from law enforcement to access limited information about browsing history will not be approved by judiciary.
At the moment, surveillance is monitored by three “oversight commissioners”, who would be replaced under the bill with a single investigatory powers commissioner (who must also be a senior judge).
In cases where security services wish to intercept MPs’ communications, the Prime Minister must be consulted first.
And good news for journalists: the bill would put into statute a “requirement for all applications for all applications to access the communications data for the purpose of identifying or confirming the identity of a journalist’s source to be authorised by a Judicial Commissioner”. Sources: you’re safe. Tips to the usual address.