Written evidence submitted by Graham Seaman (DIP0023)
Executive summary
If short of time, the key points in this evidence are in paragraphs 6, 8, 9 and 10.
Introduction
1. I am making this submission in a personal capacity. I do not represent anyone apart from myself. However, while my situation is not typical of the majority of British citizens, I believe it is similar to that of a significant minority of people of particular relevance in regard to this bill. My immediate concern is the impact that the Bill is likely to have on myself and my family, and my larger concern, the impact on British democracy.
Background
2. I was educated in the 1950s and 60s by a generation of teachers who had lived through the 2nd World War and inculcated in us the belief that that war had been fought to defend people's right to a life with a minimum of interference by the state and other parties. In my working life I have been a Unix Systems Administrator - a profession with a strong ethic of defending computer systems users' information against use of this information by others; I have been involved with the free software movement and associated bodies concerned with software freedom since its beginnings; and I have trained and worked in Libraries, which have an ethical code requiring non-divulgation of the titles read by library patrons.
3. As a result of these experiences I have been careful to minimize the ways in which data about myself may be used by others, though until now my concern has been with commercial actors.
For example, I do not use Google mail or other similar mail services where the service owner may access email contents (though I have sometimes done so when required by employers). Instead, since around 1999 I have run my own private mail server. I am not an active user of Facebook or similar social media. I use an ISP which attempts to guarantee my privacy, to the extent permissible by law. I have tried to prevent my medical data from being uploaded without a clear guarantee that it will not be sold to commercial interests. When websites request personal information for no clear reason, I do not provide it. I try to ensure that any critical information about myself is kept encrypted. To summarize, I try to maintain my privacy online (to the limited extent that this is practical today) both for my own security and in the belief that this is consistent with the values I have absorbed both as a British citizen and as a worker in the evolving technology and information industries.
4. None of the practices listed above are intended to block, or are capable of blocking, any targeted enquiry into myself by the Security Service or any other lawfully entitled body. They are purely intended to maintain as far as practically possible my own privacy, something which has until recently been unproblematic, even if only very partially effective.
The Bill and its effects
5. The use of Bulk Personal Datasets clearly overrides my personal preference for privacy in terms of financial data, telephone communications, and presumably much beyond this. I understand that the relevant sections of this Bill have already been put into practice (Oral evidence: Investigatory Powers Bill: technology issues , HC 573, Qs 26 and 76). As this is a fait accompli, all I can do is register my abhorrence both at the thing itself and at the way in which it has been done.
6. If I wish to continue with my preference for personal privacy - at least in areas not covered by the Bulk Personal Datasets - without breaking the law, then some of the things I will need to do if the Bill in its present form becomes law are clear. Stop using services in the UK (for example, virtual hosting) and replace them with equivalent services in other countries. Switch to routine use of a VPN for communication with such services. I do not believe that anyone has the right to keep a record of what I read 'just in case', and will therefore use Tor on a regular basis for browsing. It appears that the Bill would not make any of these things illegal. Other things are less clear.
7. Until now running my own mailserver has been a mere personal quirk. I believe (but am not certain) that the Bill will now classify me as a Personal Telecommunications Provider required by law to maintain copies of emails for a minimum of 12 months. Since the practical reason for this would be to provide evidence against myself or members of my family (which the relevant authorities could in any case find much more simply by just taking the server) there is clearly no incentive for me to do this. Then will running my own email server as I do now put me in breach of the law? I don't know. Since I would previously have been of no interest to any investigatory bodies anyway, this would never before have been of any practical importance. But with the Bill, those of us pushed into using more encrypted communications and moving to non-UK provided services will presumably become persons of interest to those bodies. To cope with such huge quantities of data investigators will necessarily use statistical methods, and I and people like me will show up as a group apparently attempting to evade detection. At which point whether or not I am breaking the law by running my email server without fulfilling all the requirements of a Communications Provider suddenly becomes of huge practical importance. If to avoid the uncertainty I close it down and am obliged to use a commercial provider I may still find myself a person of interest.
8. I therefore believe that the Bill will have the consequence of pushing people like myself into a position of being semi-criminalized; permanently of interest, and likely to be harassed in various apparently random ways, for what to us is the upholding of one of the most basic British values. Many other people in the IT industry are likely to react in the same ways as me to some extent. In terms of the aims of the Bill this is clearly counterproductive, but I do not think this is the main point. The main point is that in imposing bulk collection of our data, part of the British population will be put on the opposite side from its own state in terms of defending fundamental values, and this is not something that can lead to good results for either side.
Recommendations
9. Targeted surveillance is clearly sometimes necessary, and needs to be enabled. Bulk data collection is so damaging I believe it cannot be justified, and needs to be minimized as far as possible. The two worst aspects of this immediately visible in the Bill as it stands are both disguised in layers of ambiguity and misdirection. They are:
a. The bulk retention of communications data, wrapped in a pretended distinction between content and metadata. It is quite clear that in application there can and will be no real distinction between the two (concrete examples of this have been pointed out by various witnesses, in particular Professor Anderson). The fiction that they are separate should be dropped; bulk retention of communications means bulk retention of contents. Even better, bulk retention should never be done.
b. The creation of the 'Internet Connection Record', presented in the Bill as if it were a real thing, an inherent part of the Internet, instead of something new which will need to be designed and created from scratch by ISPs (as also pointed out by various witnesses, in particular Mr Kennard), makes it seem as though ISPs already had a list of websites we visit and it was just a question of making this list available. If this had been presented as it actually is: a requirement on ISPs to do large amounts of work to create from scratch lists of the reading material of the whole British public, MPs would surely have reacted in horror. The sections on ICRs should be replaced with a description of the actual data to be examined and retained, which I believe would then make it clear that retention of ICRs is incompatible with democratic rule (as indeed is retention of all our emails).
10. Further to these two issues, bulk interception does not only destroy trust in official bodies. I use a small ISP because I have personal trust in the ethics of the owner. Under the Bill he will be obliged to lie to me about his treatment of my data. Although the claimed justification is security, it is hard to see how this applies to bulk, rather than targeted, interception. It is contrary to practice elsewhere in the world, which (outside a few countries such as Russia, China and Iran) do not permit bulk retention at all, and where even targeted interception may be notified to the individual concerned (eg by both Twitter and Google). Requirements forcing companies to lie regarding bulk interception should be dropped.