The tone of the draft Investigatory Powers Bill debate was set for me when I spotted a story in the Telegraph ("Protecting children from paedophiles trumps your privacy", apparently) illustrated by a picture of a finger pressing a backspace key but captioned: "
The BBC apparently used an image from the same stock photo-shoot in their coverage of the Home Secretary's announcement to the Commons, which reinforced the impression that we're witnessing a large-scale PR exercise that spans the political spectrum. I wouldn't go so far as to suggest that the suspension of UK flights to Sharm-el-Sheikh was a piece of opportunism in this regard, but the insistence by Philip Hammond that the UK government had intelligence not available to the Egyptian and Russian authorities was a clear nod to the utility of data interception and surveillance, not to mention a feather in the cap of the spooks. Of course, we'll never know whether this is just the inflation of boastful chatter by wannabes or something more serious, though we can be pretty sure that actual terrorists do not discuss their plans online even with the benefit of encryption and router masking.
Labour's Andy Burnham has come in for criticism for being so accommodating, welcoming the Home Secretary's proposal and dismissing the suggestion that it constitutes a "snooper's charter", though I think his lack of scepticism is more residual Blairism than evidence that Theresa May has compromising photos: "In a world where the threats we face internationally and domestically are growing, parliament cannot sit on its hands and leave blind spots where the authorities can't see". The notion of the "growing" threat, like "blind spots", is a classic securocrat trope, while the elevation of our concern to "the world" is totalising neoliberalism. The draft bill is not informed by any threat analysis that would justify this claim, or at least not one the government feels able to share even in redacted form. This is about maximising potential capability, not minimising anticipated risks.
In her speech, the Home Secretary insisted that law enforcement agencies access to communications data would be tightly controlled. They "would only be able to make a request for the purpose of determining whether someone had for example accessed a communications website, an illegal website or to resolve an IP address." She did not explain how "illegal" websites would be defined, nor why you'd need to access Web logs to resolve an IP address (presumably she's never heard of WHOIS). What this means in practice is the ability to trawl bulk data by IP address, which in turn implies an obligation on the part of ISPs to provide address assignments by device and account. In other words, every end-point will be "on-grid". There will be no more blind-spots.
The draft bill's own blind-spots are much the same as those that were evident in the Anderson Review that reported on the UK's data investigatory powers earlier this year: little concern with the behaviour of business, in terms of its responsibilities to data-providers (i.e. we, the people); no interest in personal data as property or as having inherited human rights (EU privacy judgements are conspicuous by their absence); and an assumption that "additional protections" should be limited to institutional elites (MPs, journalists, lawyers etc). In other words, companies like TalkTalk can continue to have shockingly poor levels of data security, companies like Facebook can continue to expropriate user data in any way they wish, and your "right to privacy" means transparency to others.
As is now traditional, the government have made great play of the difference between "Internet Connection Records" and content, even wheeling out the "itemised phone bill" analogy one more time. The Guide to Powers and Safeguards issued with the draft bill defines them thus: "A kind of communications data, an ICR is a record of the internet services a specific device has connected to, such as a website or instant messaging application. It is captured by the company providing access to the internet. Where available, this data may be acquired from CSPs [communication service providers] by law enforcement and the security and intelligence agencies. An ICR is not a person’s full internet browsing history. It is a record of the services that they have connected to, which can provide vital investigative leads. It would not reveal every web page that they visit or anything that they do on that web page" (section 44-45).
This is disingenuous. The Internet is "stateless", which means that there isn't a persistent connection. Every individual request (i.e. what happens when you click a link or a button) is a separate connection, which means that accessing a single website may produce scores of separate records. In contrast, an analog telephone connection (which is what the deliberately misleading phone-bill metaphor conjures up) is "stateful" in that a fixed connection is maintained for the duration of the call (imagine a manual switchboard and an operator saying "I'll put you through"). The claim that ICRs will only record domain names rather than resources (i.e. specific pages or images to the right of the "/") is dubious, and that's without considering the complication of redirects and aliases. The C/ISP weblogs record the full URL. The idea that commercial operators would go to the trouble of truncating these before providing access to state agencies beggars belief.
The issue of content, like encryption, is a red herring. The security services are interested in network analysis, not reading your emails. Content is overwhelmingly noise and there is simply too much of it. This is why the government can claim there is no "mass surveillance", meaning individual surveillance extended to most people. When they do wish to eavesdrop, which will be on a tiny percentage of the population, full content can be secured through "equipment interference" while encryption can be circumvented by infecting target devices with keyloggers and screen-grabbers (which incidentally means the state has an interest in keeping devices vulnerable to malware). The state has always gathered data in bulk. Without Snowden and the Tempora revelations, the only reason for a bill to regularise this would be to compel business cooperation. As we now know, business is happy to cooperate and willing to support opaque language that keeps the arrangements secret (as was the case with the 1984 Telecommunications Act).
Ostensibly, the draft bill is not about giving the security services more powers, but about providing legal cover for established practice, both to absolve business of responsibility and to protect the state from legal challenge. Where it does seek to extend powers is by future-proofing the security services' surveillance capabilities in respect of the Internet of Things (IoT). Its definition of communication data includes "signals serving either for the impartation of anything between persons, between a person and a thing or between things or for the actuation or control of any apparatus" (section 193.2.b). In other words, if you use a smartphone app to remotely-control your central-heating, that will count as communications data, and so too will a thermostat automatically turning on a boiler. Within your home, a LAN or Wi-Fi constitutes a "private telecommunications system" that would come within the bill's scope (193.14). If it hadn't already been taken by a mobile phone operator, the strapline for this bill could be "Everything, Everywhere".
As more and more of our lives are mediated by networked devices, so more and more of our activities and associations come within the view of both businesses and intelligence agencies. It is this pattern of "entities" and "events", in the language of the draft bill, that constitutes value for both parties in the surveillance economy, not the specifics of our communications. When we talk or write, we are presenting a persona rather than our "true" selves. But what we do, and who we associate with, does not so easily dissemble. The "party animal" who tweets about a mental night out while streaming Netflix to her TV and having ordered a pizza online may be misleading her friends, but she's not misleading the harvesters of bulk data. Perhaps the most significant aspect of the public reaction to the draft bill is the failure to appreciate this imperial ambition: a form of biopolitics that makes George Orwell's 1984 look unimaginative.