The Guardian
Latest version of investigatory powers bill will allow police to hack people’s computers and view browsing history
Powers for the police to access everyone’s web browsing histories and to hack into phones are to be expanded under the latest version of the snooper’s charter legislation.
The extension of police powers contained in the investigatory powers bill published on Tuesday indicates the determination of the home secretary, Theresa May, to get her legislation on to the statute book by the end of this year despite sweeping criticism by three separate parliamentary committees in the past month.
The bill is designed to provide the first comprehensive legal framework for state surveillance powers anywhere in the world. It has been developed in response to the disclosure of state mass surveillance programmes by the whistleblower Edward Snowden. The government hopes it will win the backing of MPs by the summer and by the House of Lords this autumn.
May said the latest version reflected the majority of the 122 recommendations made by MPs and peers, including strengthening safeguards, enhancing privacy protections and bolstering oversight arrangements.
She has, in particular, made changes to meet concerns within the technology industry that the surveillance law would undermine encryption. The latest draft makes clear that the government will take a pragmatic approach, and no company will be required to remove encryption of its own services if it is not technically feasible. The likely costs involved will also be taken into account.
But the publication of the detailed bill has also revealed that, far from climbing down over her proposals, May intends to expand the scope of its most controversial new powers – the collection and storage for 12 months of everyone’s web browsing history, known as internet connection records – and state powers to hack into computers and smartphones.
The bill will now allow police to access all web browsing records in specific crime investigations, beyond the illegal websites and communications services specified in the original draft bill.
It will extend the use of state remote computer hacking from the security services to the police in cases involving a “threat to life” or missing persons. This can include cases involving “damage to somebody’s mental health”, but will be restricted to use by the National Crime Agency and a small number of major police forces.
Four hours after the bill’s publication the Home Office issued a highly unusual “clarification” claiming that its official response published on Tuesday listing the powers to allow the police to use computer and phone hacking as a “key change” was because they had been missed out from the draft bill.
“Documents published alongside the bill today describe the position as having changed as it was not referenced in the draft bill. However it reflects current police practice. The fact that it was not included in the draft bill was an omission that is being corrected in the final bill.”
The Home Office said the hacking powers dated from the 1997 Police Act and would most likely only be used in “exceptional circumstances” such as finding missing people. They would require a “double-lock” warrant with ministerial authorisation and judicial approval.
However evidence given to the scrutiny committee by the head of the Metropolitan police technical unit, Det Supt Paul Hudson, said such hacking powers were used “in the majority of serious crime cases” but refused to give further details in a public forum.
He described it as a “covert activity so nothing that we do under equipment interference would cause any damage or leave any trace, otherwise it would not remain covert for very long”. His colleague said they could provide MPs and peers with data on its use but it was “very confidential” and would have to remain unpublished.
Hudson acknowledged that the technology has long moved on since 1997. Legalised hacking now allows a third party to take remote control of a phone’s camera or microphone to record video and conversations taking place.
The Home Office’s claim that the legalised hacking powers had been missed out of the original draft bill and so escaped the process of pre-legislative scrutiny was greeted with scepticism by at least one member of the scrutiny committee.
The expansion of police powers to access web browsing history as part of their investigations follows pressure from the police, and the use of these powers does not need the “double-lock” ministerial authorisation.
The home secretary told MPs she had rejected the committees’ recommendations to exclude the use of state surveillance powers for the “economic wellbeing” of the UK. She also resisted their demand to scrap warrants allowing GCHQ to undertake bulk computer hacking, describing them as a “key operational requirement”.
May also underlined the “vital part” played by the security agencies’ “bulk powers” – the mass collection and storage of everyone’s communications data in Britain and the bulk interception of the content of communications of those based overseas to acquire intelligence.
The Home Office has made detailed tweaks to the original draft of the bill, including stronger protections for journalists and lawyers, six codes of practice setting out how the powers will be used, and the use of a “double-lock” authorisation of the most intrusive surveillance methods by a minister backed by the approval of a judicial commissioner.
The Home Office has acknowledged that the initial costing of the bill, at around £247m, is not set, and a final figure will be published after detailed consultations with industry.
May said: “This is vital legislation and we are determined to get it right. The revised bill we introduced today reflects the majority of the committees’ recommendations – we have strengthened safeguards, enhanced privacy protections and bolstered oversight arrangements – and will now be examined by parliament before passing into law by the end of 2016.
“Terrorists and criminals are operating online and we need to ensure the police and security services can keep pace with the modern world and continue to protect the British public from the many serious threats we face.”
As part of the pre-legislative process, the bill was examined by a draft scrutiny committee, the intelligence and security committee and the science and technology committee.
The MPs and peers called for a fundamental rewrite of the draft bill, with the ISC calling for privacy safeguards to be made the backbone of the legislation and the draft scrutiny committee saying the case had not yet been made for the introduction of new powers to store and access everyone’s web browsing history.
Eric King, director of the Don’t Spy On Us coalition, which includes Liberty, Privacy International and other privacy and digital rights groups, called for a rethink of the bill.
“Rather than a full redraft, we’ve been given cosmetic tweaks to a heavily criticised, deeply intrusive bill,” he said. “Reshuffling safeguards without meaningfully improving protections, authorisations or oversight does nothing to address widespread concerns about mass surveillance. The unsettling absence of a robust, technical, detailed evaluation of those bulk powers means the case still hasn’t been made, and parliament won’t have the information it needs to do its job.
“There simply isn’t time for proper scrutiny of all these powers in the time frame proposed. More than 100 experts called on the Home Office to put on the brakes. The government must think again.”
Shami Chakrabarti, director of Liberty, said: “Less than three weeks ago MPs advised 123 changes to the majorly flawed draft bill. The powers were too broad, safeguards too few and crucial investigatory powers entirely missing.
“Minor Botox has not fixed this bill. Government must return to the drawing board and give this vital, complex task appropriate time. Anything else would show dangerous contempt for parliament, democracy and our country’s security.”
Lord Strasburger, a Liberal Democrat member of the scrutiny committee on the draft bill, said nothing had changed since the committee published its report three weeks ago: “The Home Office just doesn’t do privacy. It does security and ever more intrusive powers they claim will make us safer, but not privacy. The fact that they see simply changing the name of one section to include the word ‘privacy’ as addressing the fundamental concerns about privacy protections in this bill is breath-taking,” he said.
“The speed with which the home secretary is trying to force this bill through parliament shows no respect to the joint committee and ISC who worked so hard to give them workable solutions to problems in the draft bill, to parliament, or to the British people.”