Extending the itemized phone bill
"Try to think of the new powers as just an extended itemized phone bill," Home Secretary Theresa May told MPs this week in introducing the Investigatory Powers bill (PDF). Excellently sketching the scene in the Commons as the bill was unveiled, the Guardian's John Crace noted, "When Theresa May tells you to relax, the natural reflex is to do the exact opposite." Quite. Especially when the act she's introducing makes it entirely legal for GCHQ to hack any device they like.
I can see why May likes the analogy. It sounds harmless and familiar, obviously unobjectionable. Other Yes, Minister language on display: "bulk", which means mass surveillance, and, my favorite, "equipment interference", which means hacking computers. The newly arrived "internet connection records" is not so easily translated, but seems to be the bit May had in mind with the "extended telephone bill" comparison.
At UCL, George Danezis has helpfully deconstructed the proposed law into its component "juicy bits". The ultra-short version seems to be that the UK government's response to Edward Snowden's revelations is to legalize everything that Snowden revealed the security services were already doing. This may explain Theresa May's reported characterization of the IP act as both granting and not granting new powers.
Additional helpful analyses include Andrew Cormack's study of the bill's encryption provisions, Chris Pounder's review of the history of bulk data collection; Paul Bernal's discussion of "internet connection records"; and the UK Human Rights blog's spotlight on oversight, authorization, and warrants . Simplifying the legal framework, strengthening oversight, and providing greater transparency were key recommendations that emerged from this spring's three reviews of Britain's communications surveillance laws.
Taken together, the picture is one in which very little of our online lives is off-limits. As Bernal says, the phone bill comparison is misleading: it utterly downplays the level of intrusion the bill appears to authorize. Less critically, David Anderson, the independent reviewer of terrorism legislation, is pleased that the bill opens up Britain's surveillance laws for Parliamentary scrutiny and debate. Yes, although making sure Parliamentarians understand the technology involved will be a challenge.
We'll take three things here: the future and the phone bill metaphor; the separation of metadata (which I imagine is what is meant by "internet connection records") and content or meaning; and the notion that it isn't interception until a human accesses the data. The last of these was discussed here in July 2013; little has changed except that machine learning and data analytics have progressed significantly since then, and the risks of automated decision-making (as Bernal also explains) have only grown since then.
The origins of the separation of content and metadata are outlined in a forthcoming paper, "It's Too Complicated: The Technological Implications of IP-based Communications on the Content/Non-Content Distinction and the Third Part Doctrine" by Susan Landau, Steve Bellovin, Matt Blaze, and Stephanie K. Pell. In the US at least, it goes back to postal mail; the laws surrounding wiretapping were derived from rules that granted privacy protection to the contents of packages but not to the publicly visible address on the wrapping. Bellovin's talk about the paper outlines the difficulties they found in trying to apply this long-held distinction to IP-based communications under US law. UK law is somewhat different, but the difficulties they found seem to me to still apply: some metadata can be analyzed to reveal content; and content and metadata are much harder to separate than they were, a point made by the late Caspar Bowden back in 2013.
Phone bills were and are produced as a necessary part of billing for telephone service. This has never been true of internet connections, which are billed at a flat rate with, these days, some element of being based on the bulk amount of data you use every month. The systems that retain logs of what we do, where we go, and what we buy online are all aimed, in one way or another, at surveilling us, whether it's for the benefit of data-mining advertisers or data-mining governments. The benefit to us, other than the vague promise of "personalized" services, is unclear. As a separate issue, we are all able to look at and dispute our phone bills; probably only the technically savvy know how to analyze their internet connections using Wireshark.
But what happens in the future as the Internet of Things grows around us? Is the contact between your child's Hello Barbie and its mother ship an internet connection? When your fridge alerts your online grocery store that you're out of milk, is that one, too? Today, content and metadata are no longer fully separable; soon the physical and virtual worlds won't be either. The Scottish Daily Record reports that Suspect Search software running on Glasgow's CCTV system can track individuals as they move around the city - exactly what we were reassured years ago that CCTV couldn't do. Will these involuntary check-ins be internet connection records?
Run a few years into the future, and it's entirely possible that this bill will have granted the state far greater powers to probe deeply into our intimate lives than it ever dreamed of: basically, everything we touch will have to be regarded as a spy.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.