GreenNet opposes plans to legalise mass surveillance and malware

It's been a while since GreenNet last updated our members on our legal case against the British Government and UK Government Communications Headquarters (GCHQ) in the Investigatory Powers Tribunal (IPT), but things have been proceeding at a typical speed for such detailed legal judgements.  Meanwhile, there have been three official reports into surveillance and interception by the secret services and police, several changes to the law, several admissions that extreme (and in many cases likely illegal) powers have been used by the secret services, and one huge proposed "draft Investigatory Powers bill" (DIPB), that by some reckoning includes the fifth attempt at a "Snooper's Charter", the zombie legislation that will not die, and looked at by four (inevitably underinformed) Parliamentary committees.

GreenNet submitted evidence to two of these committees; you can see our attempt at a technical analysis below or with other submissions; we are far from the only specialist organisation concerned that the draft has not been thought through technically.  GreenNet is very concerned that the draft bill grants the executive almost unlimited powers to compel people to spy on others and, given the history of the way such powers have been used, regard it as a massive threat to individual freedom, freedom to associate and political progress.  There is still a chance to comment on human rights implications until 4 January, but so far there has been insufficient time to have the right questions answered.  We've also been working with other members of the Internet Service Providers' Association (ISPA) to try to help MPs understand some of the likely implications of the bill. Early next year any pressure on representatives may help, although we're concerned the secret services will not give up lightly the powers they have claimed, and maybe the best hope is proper judicial oversight and safeguards for journalists and activists.  Open Rights Group have produced a good briefing on draft IPB that could help engage media and politicians. The position of the Labour party in particular is crucial.

The structure of the new draft is a bit of a pot-pourri: roughly part 1 of RIPA, which prevents things like the newspaper phone hacking, is swapped in; followed by part 2 allowing interception by agencies and the police, and part 3 which allows law enforcement to request communications data without a warrant; and it's not until part 4 where we get effectively the whole "Snooper's Charter" draft bill from 2012, this time with Deep Packet Inspection (DPI) disguised as "Internet Connection Records" (there are no such things; we should know), and a massively powerful search of all individuals called the "Request Filter".  Then part 5 makes explicit how the Intelligence Services Act has been used for targeted hacking; part 6 and 7 explicitly permit even greater powers for mass cracking, interception and access to stored data; and part 8 includes the safeguards, one commissioner instead of the current three. It's been described as a list of Christmas presents for the police (and other investigating agencies such as Ofcom and the Department of Work and Pensions).

On 1-4 December 2015, there were public hearings of the main evidence in the IPT case (there are also "closed" hearings where the real facts can be discussed between the government and the panel of judges, but no one else is allowed to know what's happening.)  See Privacy International's update including the outline arguments put cogently on behalf of us and progressive ISPs outside the UK by Blackstone Chambers and Bhatt Murphy. The Government is making panicked moves, apparently realising the secret services have been doing things that are incompatible with human rights or even the terms of legislation establishing the intelligence services themselves.  As one example, if GCHQ interfered with GreenNet equipment off their own bat (rather than for MI5), it could be illegal because they are confined to signals intelligence outside the UK; the new draft bill contains a small amendment to legalise this.  The crucial amendment to the Computer Misuse Act this year that made an exception so that government agencies could hack passed without a word of debate in Parliament.

much of the debate for the last 15 years appears to have been a charade about data that the government very likely already held. It is also clear that the legislation that the government relied upon was being interpreted in ways that Parliament never imagined

David Davis MP in an article by Duncan Campbell about PRESTON

GCHQ, by a twisted and unforeseeable interpretation of the law, have claimed scary powers to interfere with any digital device in the UK or abroad.  We also know they spied on Amnesty International illegally, and if they are so opaque, we cannot know if they are interpreting 'national security' in a political way.  Now the police want access to these powers.  If they play fast and loose in this way with existing law, who knows what they'll make of the new Investigatory Powers bill? The right to privacy isn't something we can leave up to ministers and judges operating in secret - it's something necessary to us all as human beings and to society, and we should all be involved in the discussion.

While some have worried that we're putting our head above the parapet, GreenNet would not be party to the complaint if we did not believe that it is likely to improve transparency, privacy and security for the internet as a whole as well as for our users.  The new draft bill, if passed without thorough amendments, would create additional "disclosure" and "tipping-off" offences by those given notice to spy on others.   In the next year or two, that probably applies mostly to mobile operators (and maybe broadband wholesalers), but the authorities would have no limit on whom they can give notice to.  As of December 2015, GreenNet can categorically state that we have not been asked to retain or hand over information on our users or their communications.  If you ask, we won't lie to you about having received a notice.

Encryption alone is unlikely to completely remove the threat of mass surveillance, although Ed Snowden and other whistleblowers have made us all more paranoid about security in general, and rightly so.  There are lots of good tools for routine encryption and anonymisation: for instance we're now using Tox as an instant messenger, and Enigmail to apply OpenPGP encryption to email.  One thing we would like to organise in the new year is a "cryptobuffet" to demonstrate and discuss some of these tools.  For more advanced users, including those working in hostile regimes, the Centre for Investigative Journalism produces an up-to-date guide to computer security.  Another possible response is activists networking offline and locally, as described in a fascinating piece by Paul Mobbs in the Ecologist.

Among other related policy things we've been up to in 2015, we've been at a conference on Digital Citizenship and Surveillance organised by Cardiff University's school of journalism and media, and contributed to their report on online policing of "Domestic Extremism" (a term that has included journalists and comedians as well as ordinary activists, such as "non-violent extremists" who are a bit extreme in their non-violence.)  If you're confused about the various post-Snowden cases, there's a list here.

We look forward to the IPT's judgement in the new year, and hope for some moves towards transparency and accountability at the very least.  Please do contact us if you have any questions.