The need for proper and legitimate powers to enable intelligence and law
enforcement agencies to do their job and keep everyone safe requires little
justification. We live in a dangerous and uncertain world where anyone can be a
victim of intolerance. So in a show of political awareness and legislative
dexterity, the UK government is currently seeking to adopt a comprehensive and
sophisticated framework of modern law enforcement and intelligence gathering
powers. However, in our data-rich and uber-connected way of life, those powers
necessarily involve a substantial degree of intrusion into our digital comings
and goings, and that makes things complicated—in a democratic state, at least.
In November 2015, the UK Government presented its draft Investigatory
Powers Bill—an attempt to strike a balance between intelligence and law
enforcement needs and the protection of ordinary citizens’ privacy. The bill
is currently being scrutinised by a parliamentary committee and subject to
public consultation. The document—including explanatory notes—stands at 299
pages and the Bill itself is made up of 202 clauses and nine schedules. As
complex pieces of legislation go, this one is right at the top.
Despite its rather impenetrable nature, the bill is of crucial importance
for the future of our democratic values and liberties as, once it is enacted,
it will set the parameters for lawful surveillance in the name of public
safety. But even more significantly, the bill is bound to have a global impact,
since it will serve as a model for other jurisdictions and its application
extends well beyond the UK. Global Internet and communications companies would
be forgiven for thinking that this is just a domestic piece of legislation
affecting UK players, but they would be making a mistake.
The bill has at least four huge implications for them.
First, it expands the concept of who will be subject to data retention and
access obligations. Under previous legislation, those obligations affected
traditional telcos but not the whole range of app-based services we all love
and use to communicate with each other–including the bad guys. Understandably,
the UK government wants to change that so the providers of so-called
over-the-top services are also caught by the provisions dealing with the
retention of and access to communications data.
In addition, the Bill does not restrict the data retention obligations to
the provision of these services in the UK. It also explicitly says that the
government will be entitled to request data relating to conduct or persons
outside the UK, so there really are no jurisdictional boundaries.
To make matters worse, one of the most controversial measures under the
Bill–“bulk equipment interference” (aka hacking en masse)—is primarily aimed at
acquiring intelligence relating to individuals outside the UK. Therefore, it is
only logical to think that if this power seeks to facilitate access to
overseas-related communications, private information and equipment data, the
main target will be providers of cloud computing or digital networking-type
services based overseas.
Finally, although the government has given up on the idea of banning
certain forms of encryption for now, the matter is far from closed. Tucked away
at the end of the bill, there is room for the passing of regulations, which
will allow for the “removal of electronic protection” (aka encryption) applied
by technology providers. This has been fiercely resisted by those providers in
the past and the UK is set to be the next battlefield.
All in all, behind the legal and political complexities affecting this
area, the simple truth is that the type of services and technologies that have
emerged from places like Silicon Valley are now very directly affected by the
public policy debate in the Palace of Westminster.
This entry was originally published on the International Association of
Privacy Professionals’ (IAPP) Privacy Perspectives blog.