
Is the UK Investigatory Powers Bill Fatally Flawed?

The big privacy and policy story of the day in the UK is the publication of the Intelligence and Security Committee’s report on the draft Investigatory Powers Bill – which is currently being pushed through an abbreviated parliamentary process.

The Bill’s authors get a rough ride from the committee. This is from the ISC Chairman’s covering press release:

“Taken as a whole, the draft Bill fails to deliver the clarity that is so badly needed in this area. The issues under consideration are undoubtedly complex, however it has been evident that even those working on the legislation have not always been clear as to what the provisions are intended to achieve. The draft Bill appears to have suffered from a lack of sufficient time and preparation.”

Here’s the ISC’s site with a link to the report itself:

And here are a couple of good, short pieces of analysis from reliable tech/policy commenters:

Ian Dunt ( –

Glyn Moody ( –

The Bill is criticised in almost every respect:

  • it doesn’t achieve its stated goal of bringing all the interception powers into a single statutory instrument;
  • it fails to bring clarity to the purpose and goals of the policy it embodies;
  • it does not include operational justifications, without which parliament cannot decide on its adequacy – and will not include them until after it is expected to be passed into law;
  • its provisions for privacy protection are piecemeal and unclear;
  • the safeguards applied to use of communications data are “inconsistent and largely incomprehensible”.

In other words, it has been drafted in haste, by people some of whom don’t know – or can’t articulate – what it is supposed to do. As a result, it is confusing and grants over-broad powers with insufficient safeguards.

If the Bill were to be passed as is, the ISC’s report would offer a ready supply of ammunition to anyone seeking to challenge it on grounds of necessity, proportionality and legal certainty. 

For the ISC’s report to be so frankly critical is somewhat unexpected. Under its previous chairman, the committee said little, and what little it did say consisted of bland reassurances that the security and intelligence services were doing a fine job. (See my personal blog post “pelted with marshmallows”, from just over two years ago…).

This Bill has been rushed through an abbreviated consultation period: the Home Secretary used the November Paris attacks to justify shortening the normal parliamentary process. The Bill’s consultation committee was given about 3 weeks of parliamentary time to conduct its expert witness hearings and consider any written evidence submitted, either side of the Christmas/New Year parliamentary recess. It is due to publish its own report on Thursday.

This puts the consultation committee in an interesting position. If its report is less critical than that of the Intelligence and Security Committee (which is, after all, the specialist in this area), its credibility will be called into question. If its report is equally critical, the Bill itself will be even more deeply discredited.


The Brazilian Experience of Public Consultation for the “Marco Civil Da Internet” and The Data Protection Law

In 2014, we saw Brazil take a strong leadership role in the global community on Internet issues and we expect 2015 to be no different. As Brazil looks to implement a framework of principles and rights for Internet use, its open participatory process is giving its citizens the opportunity to help shape the future of the Internet in Brazil.


Brazil has been referenced for a long time as an example of the multistakeholder approach to Internet governance, with the establishment of the – the Brazilian Internet Steering Committee started in 1995. It has also played an important role in advocating for the model of a bottom-up, transparent and multistakeholder approach in the World Summit on the Information Society tracks and the Internet Governance Forum.

Fueled by the Edward Snowden revelations back in mid-2013, Brazil has undertaken several efforts to reinforce a clear framework for the Internet space.

At the international level, President Dilma Rousseff called for principles for the use of the Internet (UN GA 68th Speech) and strengthened rights to privacy and data protection online (UN GA 69th A/RES/69/166). Early in 2014, Brazil also hosted a Global Multistakeholder Meeting called NETmundial, which resulted in the São Paulo Declaration on principles and roadmap for the Internet Governance.

On the national level, Brazil focused on protecting Internet users’ rights by adopting the Brazilian Civil Rights Framework for the Internet, known as Marco Civil da Internet, which sets principles, rights and responsibilities for Internet use in Brazil. A roughly translated version of Marco Civil da Internet can be found here.

In 2015, the policy process in Brazil will focus on implementing the Marco Civil framework. Fortunately, the government will endeavor to maintain the same bottom-up and multistakeholder approach in implementation that went into construction of the original law, by opening it up to public consultation. In parallel, the government will also move forward on new legislation regarding data protection.

Last week, the government of Brazil launched two tracks for open public consultations on the implementation of the Marco Civil da Internet, and the new draft Data Protection Law.

“Marco Civil da Internet”

Sanctioned 23 April 2014, under Law no. 12,965, the “Marco Civil” has been a result of a long process that began with a set of principles for the use of Internet from

issued in 2009. These principles were the basis for two rounds of public consultation, in an open and participatory manner, to finalize a common text submitted for the National Congress in 2011.

To keep up the good pace that led to this legislation, the next steps towards the implementation of the Law maintain the multistakeholder approach and collaborative processes, using flexible mechanisms to accommodate the dynamic evolution of the Internet.

The consultative process for the implementation of the Marco Civil da Internet is open along 4 main axes: Net Neutrality, Privacy, Data Log Records and Other Topics.

Net Neutrality

The principle of Net Neutrality, for instance, is safeguarded under Article 9, as follows: “The agent in charge of transmission, switching and routing is obliged to treat any data packets with isonomy, regardless of content, origin and destination, service, terminal or application.”

However, the same article makes exceptional provisions for discrimination or degradation of traffic due to technical requirements and emergency services prioritization. This part is subject to consultation to determine what the exceptions are and under which conditions they apply.

Privacy and Data Retention

Privacy, Private Life, Freedom of Expression, and Honor are among the rights already safeguarded in Marco Civil. Moreover, major provisions on privacy and personal data issues will be tackled by the subsequent track on Data Protection Law. Now, the focus is on how to turn those principles into implementable rules.

Below are the pieces of Marco Civil that are up for discussion as part of the Data Retention consultation:

Article 10: the security and confidentiality standards that the provider needs to follow in acting for the record retention of Internet Connection and Access to Application logs.

Article 13: consolidated rules and liabilities for the Autonomous System Administrator to retain the connection records under strict confidentiality, in a controlled and safe environment for 1 year. The law has already foreseen some situations, e.g., precautionary connection logs required by law enforcement agencies.

Article 15: consolidate rules and liabilities for the Internet Application providers to retain access to application records under strict confidentiality, in a safe and controlled environment, for at least 6 months.

Draft Data Protection Law

The second track under public consultation is the Data Protection Law, which follows a consultative process similar to the one that brought about Marco Civil da Internet in 2014.

Now that Marco Civil da Internet has entered into force, the data protection piece (which has been largely stalled since 2011) is ready to go for a second round of the consultative process.

The current consultation has 52 articles, divided into 13 main axes: scope and reach; personal, anonymous or sensitive data; principles; consent; end of processing; data owner rights; communication, interconnection and sharing of data; international data transfer; parties’ liabilities; secrecy and security of personal data; best practices; safeguard of rights; and temporary provisions.

The current text is strongly influenced by the EU regulation, mainly Convention 108, on the definition, consent ruling, international data transfer and oversight, following the pattern adopted by many countries in South America. However, it also brings in pieces of the US model, for example, adopting the market balance on best practices and self-regulation. A roughly translated version of the Draft Data Protection Law is available here.

International Focus in 2015

We fully expect that Brazil will continue its international leadership on Internet issues through its ongoing involvement in the NETmundial Initiative, activities in the UN regarding online privacy, preparations for the follow-up to the UN World Summit on the Information Society, and with its hosting of the Global Internet Governance Forum in João Pessoa, in the northeast of Brazil.


It is critical that the Brazilian Internet community works together to ensure that this ground-breaking legislation is well-implemented and continues to evolve in a way that supports the global, open Internet; that protections of human rights remain strong; and that the Internet environment in Brazil is open for innovation, creativity, competition and free expression. Fortunately, the process of implementation is open for participation – it is up to Brazilians to seize the opportunity to shape the future of the Internet in our country.