The Intelligence and Security Committee of Parliament has warned the Government that it needs to make "substantive amendments" to its draft Investigatory Powers Bill, before proceeding to outline changes which don't appear to be very "substantive" at all.

The committee said the new draft provides insufficient safeguards and limits on the intelligence agencies' ability to monitor British citizens.

“Taken as a whole, the draft Bill fails to deliver the clarity that is so badly needed in this area,” said the committee's chairman, Dominic Grieve QC MP, in a statement accompanying the 18-page report (PDF).

The ISC's report – essentially a diligence exercise in legislative drafting – criticised the bill's weak and inconsistent privacy protections; its over-broad and unclear provisions regarding bulk interception and hacking; and the “inconsistent and confusing” approach to the examination of Communications Data.

These were described as “substantive issues of principle” by the report, which also suggested a number of specific amendments on “more detailed matters”. Its strong language, however, was largely targeted at the bill's sloppy and rushed construction, and its redundant warrant processes, rather than the powers contained therein.

The committee stated that: “We consider these changes necessary if the Government is to bring forward legislation which provides the security and intelligence Agencies with the investigatory powers they require, while protecting our privacy through robust safeguards and controls.”

The report is the second of four Parliamentary inquiries into the draft legislation to be published. It follows the Science and Technology Committee's inquiry, which reported that the financial burden companies faced in complying with the bill were so high it would be necessary for taxpayers to foot their costs.

Privacy protections

Given the background to the draft Bill and the public concern over the allegations made by Edward Snowden in 2013, it is surprising that the protection of people’s privacy – which is enshrined in other legislation – does not feature more prominently.

The draft legislation lacks “an overarching statement at [its] forefront”, according to the ISC, and as such privacy protections have been specified separately in each instance of an investigatory power. This “results in a lack of clarity which undermines the important of the safeguards associated with these powers.”

Additionally, the protections afforded to sensitive professions – such as lawyers, doctors, politicians, and journalists – were also criticised as inconsistent. The report noted: “Clause 61 sets out that a Judicial Commissioner must approve an authorisation to obtain Communications Data for the purpose of identifying a source of journalistic information. However, this clause does not apply to the Agencies.”

Although the Wilson Doctrine – an informal promise that the Prime Minister would not spy on other Members of Parliament – had been declared to have no legal effect last year, the bill attempted to institute some protections for MPs for the purposes of protecting Parliament's sovereignty over the agencies. These protections were also inconsistent, according to the Parliamentary committee.

A further example is the protection afforded to a “member of a relevant legislature”: whilst the Secretary of State is required to consult the Prime Minister before issuing a Targeted Interception, Targeted Examination or Targeted Equipment Interference warrant where the communications are sent by, or intended for, a person who is a “member of a relevant legislature”, similar protections are not provided for in relation to Bulk Personal Dataset or Bulk Acquisition warrants.

Bulk Powers: Hacking

The ISC recognised the necessity of the Agencies' hacking capabilities (formally known as Equipment Interference or EI) but stated it was concerned that there are several different forms of hacking which do not fall under the draft Bill: “These IT operations will continue to sit under the broad authorisations provided to the Agencies under the Intelligence Services Act 1994.”

The committee had previously criticised the Intelligence Services Act 1994 in its report of last March, titled “Privacy and Security: A modern and transparent legal framework” (PDF), when it stated it had “serious concerns about the adequacy of the current legislative framework governing and constraining the Agencies’ activities.”

It also declared it was concerned about the use of equipment interference powers “where the primary purpose is not to obtain information”, and noted that the spooks had failed to provide it “with sufficiently compelling evidence as to why the Agencies require Bulk Equipment Interference warrants, given how broadly Targeted Equipment Interference warrants can be drawn.”

14. As set out above, the draft Bill provides for Targeted and Bulk EI warrants. However, despite the name, a Targeted EI warrant is not limited to an individual piece of equipment, but can relate to all equipment where there is a common link between multiple people, locations or organisations. In evidence, the Director of GCHQ suggested that, hypothetically, a Targeted EI warrant could cover a target as broad as an entire hostile foreign intelligence service. It is therefore unclear what a ‘Bulk’ EI warrant is intended to cover, and how it differs from a ‘Targeted’ EI warrant – a concern recognised by the Director of GCHQ who noted that “the dividing line between a large-scale targeted EI and bulk is not an exact one”.

As such, the committee recommended that “Bulk Equipment Interference warrants are removed from the new legislation” – though only because the other warrants do the job just as well.

Bulk Powers: Snooping

The ISC defined Bulk Personal Datasets (BPDs) as “large databases containing personal information about a wise range of people”, though a memo regarding the Government's line on the word database seems to have reached the committee, as the report replaced it with the tautological dataset.

The committee found the “acquisition, retention and examination of any Bulk Personal Dataset is sufficiently intrusive that it should require a specific warrant. We therefore recommend that Class Bulk Personal Dataset warrants are removed from the new legislation.”

In circumstances where BPDs are obtained “opportunistically” the committee noted that “the draft Bill does not impose any time limit by which [a] warrant application must be made. In theory, therefore, an Agency could hold a BPD without authorisation indefinitely.”

The Committee recommended that “a time limit of one month is introduced for the Agencies to hold a UK-sourced Bulk Personal Dataset without a warrant temporarily whilst a specific warrant application is made and determined.”

Communications Data

The committee further criticised the “inconsistent processes and safeguards for the examination of Communications Data”, and the opacity of “arrangement relating to how the Agencies obtain Internet Connection Records (ICRs).”

Different methods for obtaining communications data have resulted in “a variety of different safeguards and authorisation procedures for obtaining and examining the same information.”

An example provided regarding “GCHQ's collection of [related communications data (RCD)] via its Bulk Interception capabilities.”

RCD encompasses all aspects of the communication apart from the actual content. GCHQ does not seek to collect the communications of people in the UK, but some incidental interception is inevitable because the origin of the sender or recipient is not always clear – for example, an email address ending ‘.com’ could belong to a person in the UK. To provide protection for any such material incidentally collected, there is a prohibition on searching for and examining any material that relates to a person known to be in the UK (therefore, even if it is collected, it cannot be examined unless additional authorisation is obtained). However, these safeguards only relate to the content of these communications.The RCD relating to the communications of people in the UK is unprotected if it is collected via Bulk Interception. In direct contrast, if the same material were collected and examined through other means (for example, a direct request to a CSP) then the draft Bill sets out how it must be authorised (i.e. through a Designated Senior Officer). Again, the Agencies may choose to apply the same processes in both circumstances as a matter of policy and good practice, but this is not required by the draft Bill. To leave the safeguards up to the Agencies as a matter of good practice is simply unacceptable: this new legislation is an opportunity to provide clarity and assurance and it fails to do so in this regard.

As such, the draft bill's approach towards communication data examination is “inconsistent and largely incomprehensible” and the committee recommended that the same process for authorising examinations be adopted across the board, and must be “set out on the face of the Bill: it is not sufficient to rely on internal policies or Codes of Practice.”

Furthermore, the committee stated that the provisions in the legislation for the spooks to acquire the mysterious Internet Connection Records from CSPs were misleading: “The Agencies have told the Committee that they have a range of other capabilities which enable them to obtain equivalent data.” The very definition of ICRs has been a continued source of questions, however.

The report will be followed by the Joint Committee, which will be publishing its 400-odd page report on Thursday morning. ®