Current approach sends the wrong message to our citizens and the world
It is critical the UK gets its cybersecurity legislation right, because so much depends on our digital presence today. The Boston Consulting Group estimates the internet economy will be 5.3% of GDP in G20 countries in 2016, so we cannot afford to let trust in our internet infrastructure fail. At the same time, we must give citizens confidence that the laws we enact will balance the controls and freedoms we have become accustomed to; The Economist expressed its concern earlier this month that the various geopolitical and technology changes could lead to the “splinternet.”
My doubts are more fundamental. If the UK wants to be regarded as a safe place to live, which protects a citizen’s right to privacy and enshrines the right to free speech, then we need a much more considered approach to our cybersecurity laws. If we want to be seen by the rest of the world as “open for business” and not encouraging less scrupulous leaders to exploit the internet for their purposes, we need to spend more time debating this policy. The answer is not simple, because we are dealing with an incredibly important, emotive subject, but equally that means it deserves our full attention. I believe there are several key questions we need to ask and seek answers for; we may not get a perfect solution, but they require fuller debate than we have seen.
The intelligence services claim the ability to store and analyse huge volumes of metadata is crucial in today’s fight against terrorists and cyber criminals. I’m not so sure, as we have not seen categoric evidence backing up this approach. The Independent Reviewer of Terrorism Legislation, David Anderson QC, who had previously expressed concerns, gave an unconvincing assessment of the passing of the Investigatory Powers Bill when speaking to The Financial Times: “There are some very extensive powers in the Bill and in the wrong hands are capable of being abused, no doubt about that…But the Bill does subject everything to a legal framework, so there is no excuse for agencies to do anything they are not fully authorised to do.”
This leads very quickly to the next question: who will be watching the watchmen?
Legislation in this country had to be updated to keep up with changes in technology and the ever-evolving threats. Yet many critics with a broad spectrum of opinions have voiced concern over the way the Bill has been worded. Paul Bernal, human rights expert and IT lecturer at the University of East Anglia, told the International Business Times that: “These powers are actually better suited for monitoring and controlling political dissent than catching criminals and terrorists − they’re ideal for an authoritarian clampdown should a government wish to do that. A future government might well.”
The biggest concern is abuse of power. As for David Anderson’s suggestion that there is “no excuse for agencies” to misbehave, history clearly suggests we have never been good at sticking to the legal framework. Do you remember councils being caught using the Regulation of Investigatory Powers Act (Ripa) to check whether parents were cheating on school catchment area regulations or flouting bin rules? Also, let us not forget that the Investigatory Powers Tribunal, the only body authorised to investigate the security services’ actions, declared they had illegally gathered information for 17 years without adequate safeguards.
For many concerned onlookers, the Investigatory Powers Act is now legalising what was previously seen as illegal acts and the layer of regulatory oversight is not convincing enough. Warrants will need approval, but when you consider that everyone from the Food Standards Agency to the Scottish Ambulance Service Board and the Department for the Economy in Northern Ireland will be able to apply to see UK citizen browsing histories you have to question the purpose of such sweeping powers. James Vincent pointed out on the Verge that last year the UK police made more than half a million requests for metadata, so if we believe this will not become an essential tool for daily policing moving forward we should reconsider.
What’s more concerning is the ambiguity in the Bill in relation to key powers. Amelia Tait in the New Statesman outlined how vague the wording was around the issuance of warrants, particularly in the context of journalists and the protection of their sources: “The Bill provides that all warrants authorising access to the content of communications must be necessary in the interests of the prevention or detection of serious crime, in the interests of national security, or to protect the economic well-being of the United Kingdom when it is also relevant to national security, and must be proportionate to what is sought to be achieved. All warrants must be approved by a judicial commissioner before they can be issued and can only be granted when another, less intrusive means is not available.” The Government will point to the role of judicial oversight in the case of warrants, but with such language it is easy to see how the law will be open to interpretation.
What message does this send to the world?
Freedom House has stated that internet freedom has declined for the sixth consecutive year in 2016. 67% of internet users now live in countries where criticism of the government, military or the ruling family is subject to censorship. Perhaps we do not believe such conditions might ever be replicated here, but let’s face it, 2016 has been the year of the unexpected. Do we want to take that risk?
If we are going to impose demands for access to encrypted information and force internet service providers to store information for a year, creating enticing honeypots for hackers, what message does this send about our openness for business? When re-announcing the Cybersecurity Strategy, Philip Hammond said: “Trust in the internet and the infrastructure on which it relies is fundamental to our economic future.” True, but when the legislation governing that infrastructure is so ill thought through, why would technology start-ups be attracted to this country?
In the financial services industry, we have seen the importance of regulation in simplifying and unifying markets, but we have also seen poor legislation create the conditions for market abuse and failure. Certainly, I would imagine less scrupulous regimes will be looking at the UK’s Investigatory Powers Act, widely seen as the toughest rules in the world, as license to impose tougher controls and oversight on the internet.
I shall leave you with a comment from David Davis, who like Andy Burnham, appears to have melted into the background as we have entered the final stages of the Bill’s approval. Back in February Davis estimated that the time available to the 300-page draft bill meant MPs would have no more than five seconds a page. Clearly this is not sufficient time and Davis said as much (the “they” he is referring to is the Government he is now a member of): “It all keeps with their strategy, which is to rush everything through. They know when they engage with experts they lose. This is the way they will try to get this through – on the rush. There’s no doubt about it.”
Nine months later and a trawl of reputable news sites finds no fresh challenges from Davis critical of the legislation. Who would have thought that such an ardent opponent would have fallen silent? We should learn to expect the unexpected.
Nick Lambert is chief operating officer of Maidsafe.