A threatened ban on encryption has been banished from a draft bill on surveillance powers in the U.K. -- but the government plans to explicitly allow bulk surveillance of Internet traffic by security and intelligence agencies.
U.K. Home Secretary Theresa May began by listing the things the draft bill did not contain as she introduced it in Parliament on Wednesday.
"It will not include powers to force U.K. companies to capture and retain third-party Internet traffic from companies based overseas. It will not compel overseas communications service providers to meet our domestic data retention requirements for communications data. It will not ban encryption or do anything to undermine the security of people's data," she said.
But she does want police and the security and intelligence services to have the right to track Internet communications in the same way they do phone calls.
"It cannot be right that police could find an abducted child if the suspects were using mobile phones to conduct their crime, but if they were using social media or communications apps they would be out of reach," she said.
How police will be able to do that if companies such as Apple retain the right to offer end-to-end encrypted communications remains to be seen. The devil, as several Members of Parliament remarked in responses to May's statement, is in the details.
The new proposal is not a return to the draft communications data bill of 2012, May said. That was heavily criticized for containing the kinds of measures she ruled out Wednesday, and ultimately blocked by the ruling Conservative Party's coalition partners at the time, the Liberal Democrats.
Draft bills are proposals for legislation that have not yet been debated in one of the two houses of Parliament.
Before those debates begin, May's text will first be examined by a joint committee of the two houses to get it into a form that will encounter less opposition than did its predecessor. The main opposition party, Labour, has already welcomed Wednesday's proposals -- in principle at least.
May intends to have the bill passed into law by Dec. 31, 2016, when previous legislation enabling government surveillance of communications expires.
The new draft frames the abilities of the police and security and intelligence services to acquire and retain communications data, to intercept the contents of communications, and to interfere with equipment so as to obtain data covertly from computers.
It also regulates the bulk use of these powers by the intelligence and security services, May said.
One measure likely to attract criticism is the requirement on ISPs to retain 12 months' worth of "Internet connection records" showing which communications services customers have used.
This is not a record of every web page visited, May said: "If someone has visited a social media website it will only show they have accessed that site, not the pages they visited or what they said. It is simply the modern equivalent of an itemized phone bill."
That comparison "was a bit crass," said Mike Weston, CEO of data science consultancy Profusion. "It's more useful and more intrusive. You can tell quite a lot more about what people are looking at online than you can from an itemized phone bill."
But May said there would be further restrictions on what could be stored: Law enforcement agencies will not be allowed to determine whether someone had visited a news website or a mental health website, only whether they had visited a social media website or a communications service, she said.
However, in certain cases the police will be allowed to determine whether someone has visited a particular IP address -- which will allow them in many cases to determine which website they visited.
In preparing the legislation, the government had consulted with ISPs in the U.K. and in the U.S., May said. Whether they are happy with the cost of capturing and storing all that traffic data for the government is unclear.
"There are suggestions that the cost to businesses could be £245 million over ten years," said Weston.
Boasting of the draft bill's provisions for transparency regarding the activities of the security and intelligence services, May said: "There remain some powers that successive governments have considered too sensitive to disclose for fear of revealing our capabilities to those who mean us harm."
But rather than proposing to finally lift the veil on those powers, she plans to give the agencies explicit permission to obtain data in bulk, putting an end to accusations that they conduct such operations illegally.
She proposed regrouping existing surveillance supervisory powers and handing them to a new Investigatory Powers Commissioner who will hold the intelligence agencies to account, and putting a "double lock" on the authorization of interception warrants by requiring approval from government ministers and from a panel of judicial commissioners.
One of the companies that already knows most about our browsing habits, Google, did not respond to a request for comment. Another, Facebook, said it is reviewing the bill and will follow its progress through Parliament.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.