The UK government has agreed to an independent review of so called “bulk collection” — aka mass surveillance — powers in proposed new surveillance legislation, one of the most controversial elements of the Investigatory Powers bill which is currently before parliament. It’s aiming to get the bill onto the statute books before the end of this year.

Bulk powers set out in the IP bill include a provision for ‘bulk equipment interference‘ — aka mass hacking — allowing the security and intelligence agencies to compromise multiple devices/services as part of their investigations.

A further provision relating to state hacking capabilities set out in a Code of Practice associated with the draft bill notes that communications service providers may be required to maintain a “technical capability” to enable their users’ data to be intercepted — including having user data harvested in bulk — a scenario that human rights group Privacy International described to TechCrunch as “the worst form of backdoor“.

The bulk powers review was one of the concessions called for by the opposition Labour Party’s Shadow Home Secretary, Andy Burnham, in April when the party abstained on a vote on the legislation. Burnham said substantial changes were needed before the party would consider supporting the bill.

Speaking about the latest developments in parliament yesterday, Burnham described Home Secretary Theresa May agreeing to an independent review of the case for bulk powers as “a major concession” and “something which will build trust in this process”.

He also said May’s letter clarified that state agencies cannot use surveillance powers to monitor legitimate trade union activity — another key concern for Labour.

Independent terrorism reviewer returns

The planned bulk powers review, due to report this summer, will be led by QC David Anderson — who previously played a key role for the government as it was drafting the IP bill, as its independent terrorism legislation reviewer.

In his letter to the Home Secretary back in April, Labour’s Burnham described it as “imperative” an independent review of bulk powers be set up, writing: “I would be open to a discussion about the various forms this independent review could take but it is imperative that we get it up and running. I will consider carefully the nature and extent of the bulk powers in this Bill in light of the review.”

Yesterday in parliament he said he was “pleased” the government had agreed to a review and approached Anderson to lead it. “We, on this side of the House, strongly welcome that development and we believe in the end it will build trust and support behind her Bill,” he added.

“There are other areas in which we wish to see significant movement and we will continue to work in a constructive spirit to achieve it. But this letter shows that the Home Secretary is listening and that bodes well for the rest of this Bill’s passage.”

A flagship recommendation from Anderson’s earlier report on this area of legislation was that government ministers should hand intercept warrant sign offs to the judiciary — a suggested change only partially reflected in the bill before parliament now, which has a so called ‘double lock’ sign off mechanism, involving both judiciary and senior ministers (although it also allows for the Home Secretary to solely authorize so called ’emergency warrants’ which are then retrospectively reviewed by a judge).

Anderson also considered bulk powers in his prior report which was generally supportive of security agencies being able to use the controversial capability — leading to criticism of the review by civil rights groups.

Liberty for example, which is challenging the legality of bulk collection/mass interception in the European Court of Human Rights, criticized the earlier report for offering only six Agency case studies as justification for bulk collection — arguing that this “vague and limited information” was not substantial enough to assess security outcomes had other more targeted surveillance methods been used.

That said, Anderson’s prior support for bulk powers was predicated upon there also being “strict additional safeguards” in the associated legislation — including: judicial authorization; tighter operational/mission definitions of the purposes for which bulk data is being sought; and bulk warrants being typically targeted at the communications of people believed to be outside the UK at the time of the sought for communications.

So it remains to be see whether Anderson will judge the IP bill includes enough of these safeguards to justify continued state used of mass interception powers. Since his prior report, multiple parliamentary committees have scrutinized the draft bill and been critical of its overly broad powers, a lack of clarity and not enough privacy safeguards.

It is also not clear whether the bulk powers review will include the IP bill’s web logging proposals — aka the Internet Connection Records (ISCs) that ISPs will be required to record and retain for 12 months, creating records of all the websites and services accessed by their users for the past year. A Home Office spokesman declined to specify whether ISCs will be included in Anderson’s forthcoming review.

Logging the digital activity of every UK citizen ‘just in case’ sounds very much like a bulk capability that sorely needs reviewing for proportionality so let’s hope so. Update: Burnham’s spokesman has now confirmed the review will not include ISCs but only focus on capabilities badged as “bulk” in the bill. So that’s a missed opportunity then.

In a statement a spokesman for the Home Office added: “The Home Secretary has always been clear she will listen to the constructive views of politicians from all sides of the House to ensure the passage of this important Bill. The Government will be bringing forward amendments at Report Stage.”

At the European level, EU mass surveillance legislation was overturned by the European Court of Justice, back in April 2014, which judged such bulk intercept powers as contravening fundamental privacy and human rights.

This post was updated with additional comment