Parcel of rogues
This column has long argued that whenever we consider granting the State increased surveillance powers we should imagine life down the road if those powers are available to a government less benign than the present one. Now, two US 2016 presidential primaries in, we can say it thusly: what if the man wielding the Investigatory Powers Bill is Donald Trump?
We cannot, of course, imagine how having to govern instead of play bait-the-media would change Trump. But let's imagine his statements as government policy, a thought suggested by this item in Ross Anderson's summary of the Cambridge symposium on the bill: "Anthony Glees notes that it's no longer unthinkable that people on the extreme right or extreme left might hold political office in Britain, and use these powers for other purposes." So for "Donald Trump" substitute your personal extremist, whether that's Jeremy Corbyn, Bernie Sanders, Nigel Farage, Theresa May, Barack Obama, or David Cameron. (Autocue Steeleye Span: Such a parcel of rogues in a nation.)
As this week's Intelligence and Security Committee report complains, the bill's provisions are hard to make out through the foggy lack of clarity. A conspiracy theorist would suggest it's deliberate: you can't stray outside of hazy boundaries. Both the ISC and the Joint Committee, which also reported this week, want the Home Office to define terms like "bulk", "telecommunications service provider", "service", "data", and, of course, "internet connection records" (which, the Joint Committee agreed are not much like telephone records).
Trump is not as irrelevant as he should be because on February 2 the EU announced "Privacy Shield", an intended replacement for the dubious Safe Harbor deal under which companies transferred EU citizens' personal data to countries lacking comparable privacy protections. Like the Investigatory Powers bill, much of how Privacy Shield would work is unknown, as EPIC has established, even to the signatories. Government vaporware?
The basis for the case that ended Safe Harbor was Edward Snowden's revelation of the US security services' ready access to EU citizens' data. The Investigatory Powers bill can't change that: what Britain seems to want more is access to data stored in the US. Ars Technica reports that the UK and US are negotiating a deal whereby MI5 and other unspecified agencies would be able to serve orders on US companies like Google and Facebook for live interception of British citizens' communications. We knew they wanted something like this from the apparently absurd extraterritorial jurisdiction clause in DRIPA. No one could fathom its enforcement and now we know: through "I'll show you mine if you show me yours" deals leveraged by the US companies' fear of being forced to conform to EU data protection law. It's not wholly new, since it's long been known that the spy agencies operate on each other's behalf.
Whether all this will pass muster in the European courts may not matter as much as we'd like, even though it's unlikely that Cameron and May would take exiting the EU over letting it interfere with British surveillance. Business would hate "Brexit", and it would hasten Scotland's exit from the UK). Instead, University of Essex professor of EU and Human Rights law Steve Peers suggests that the EU courts will bend. Even if they don't, you can indelibly embed a lot of systems and do a lot of spying while a legal challenge Jarndyces through. One obstacle is already being removed: the US Congress has passed the Judicial Redress Act allowing EU citizens to sue the US government for infringing their privacy rights.
The bill is even fuzzier on encryption, which Wired thinks will be a key issue in the Presidential race even though few prospective candidates know much about it. However, Bruce Schneier's new survey (PDF) shows that neither US nor UK has much control. As a consequence of the early 1990s crypto wars, much development of cryptography products left the US (as activists predicted it would); today, 865 products incorporating encryption come from 55 different countries, and 63% come from outside the US. The leader is Germany, with 112 products. The UK has 54. There's your economic disadvantage.
Finally, Privacy International found found "thematic warrants" hiding in paragraph 212 of the explanatory notes and referenced in clauses 13(2) and 83 of the draft bill. PI calls this a Home Office attempt to disguise these as "targeted surveillance". They're so vaguely defined - people or equipment "who share a common purpose who carry on, or may carry on, a particular activity" - that they could include my tennis club. PI notes that such provisions contravene a long tradition of UK law that has prohibited general warrants, and directly conflict with recent rulings by the European Court of Human Rights.
Yet here in Britain the response is just to take Henry VIII powers to legalise all the illegal things that GCHQ had been up to, and hope that the European courts won't strike the law down yet again.
Sounds like something Trump would do.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.