UK home secretary Theresa May has defended proposals in the Draft Investigatory Powers Bill during a two-hour session at a joint select committee hearing.
V3 has picked out the top six moments from the session, from answers about bulk data retention to the definition of internet connection records (ICRs).
1. The UK does not conduct mass surveillance - except when it does
May was adamant on several occasions that the UK does not conduct "mass surveillance", despite the disclosures from whistleblowers that claim the opposite.
"You indicated that what we're doing is mass surveillance. You described it as mass surveillance. The UK does not undertake mass surveillance. We have not and we do not undertake mass surveillance and that's not what the Investigatory Powers Bill is about," she told the committee.
"I must challenge the reference to UK authorities collecting all of the data all of the time. We do not collect all of the data all of the time and I wish to be very clear with this committee that it would be a mis-description and a misrepresentation of the UK authorities."
However, in what some may deem a contradictory statement, May conceded that bulk acquisition is clearly proposed in the bill.
"You referred to bulk equipment interference. This is important. There will be cases where it's necessary to use that to keep pace with those who want to do us harm, where it's not possible to disrupt and intervene on activities through interception," she said.
"You can't look for the needle in the haystack unless you've got the haystack, so you need to be able, in some cases, to access this data to identify it."
2. The terminology is clear - except when it's not
Critics of the bill frequently highlight the lack of clarity in terms such as 'internet connection record' (ICR), which has been a sticking point for the companies that could be forced to monitor and collect this data in bulk.
The unspecific nature of the phrase is designed to keep the proposals "technology neutral", according to May.
"We have tried to be very clear on what ICRs are and indeed have limited the use of ICRs in this legislation. I know law enforcement has argued perhaps for a wider use of them, but we are proposing that the balance is best met by limiting those within the bill," she said.
May attempted to clear things up when pushed on the subject. "I will try to do it in an equivalence way in the sense that when you have somebody who is accessing a particular site ... or is using the internet for a particular communication you wish to be able to identify that," she said.
"You are not trying to find out whether they have looked at certain pages of a website, which is where I think the confusion may arise. It is simply about that access to the particular site or the use of the internet [in] a communication."
3. From coffee shop Wi-Fi to universities, no network is safe
May revealed that no network will be immune when it comes to data collection and storage. When asked about proposals that will allow police and intelligence agencies to request internet data from coffee shops, universities and company networks, May said that the subject is "left open, and rightfully so".
"If you look at how people are conducting their business today, conducting their interactions and their communications, they are doing that on the move, they are doing it in a whole variety of settings, so it may very well be that there are circumstances where it is appropriate to have that discussion and potentially ask for information to be retained. I don't think it would be right for us to exclude types of networks," she said.
4. Privacy concerns are 'unwarranted'
"The safeguards that are available for individuals in relation to the powers are various. First of all there are the authorisation procedures and obviously in relation to the most intrusive powers, namely interception, we are enhancing the authorisation procedure by introducing the double-lock of having the judicial commissioner looking at a warrant as well as the secretary of state," she told the committee.
5. It's going to cost a lot of money
It quickly became apparent during the evidence session that no-one knows exactly how much the bill is going to cost. On paper, the cost of data retention amounts to roughly £247m, while it has been estimated that the collection of ICRs alone will cost the UK taxpayer around £17m a year in forcing providers to store the required data for 12 months.
"We have provided some indicative figures. We are still in discussion with individual communication service providers about ways in which these capabilities are to be provided. We do provide a reasonable cost recovery when we require these companies to provide these capabilities," said May.
"We are having detailed discussions with providers. We have been talking to them about the sort of ways [collection] will be provided, about the technical feasibility and about the sort of sums of money that would be necessary."
No final figure was forthcoming, but the home secretary promised a number soon and said that discussions with technology firms and service providers are still ongoing.
"We haven't just been sitting there at the Home Office saying we think this is a good idea, let's pluck a figure out of thin air and put it into the bill," she said.
6. Any 'bulk data set' discussion is off the table
The UK public may not be subjected to "mass surveillance", according to the home secretary, but it is almost certainly a victim of bulk data set snooping.
This process is the collection of information on UK citizens, the vast majority of whom are not suspected of any crime, including medical records, bank account information, electoral details, passport data and firearms lists.
Echoing statements made in previous sessions, May refused to acknowledge exactly which data sets are used, collected or desired by GCHQ, and claimed that the collection is for the protection of the public.
"What we are doing in the bill is not listing the data sets but providing for a greater degree of safeguard in relation to the acquisition of data sets through the warrant process with the double-lock authorisation," she said.
"As soon as you start excluding certain data sets that gives messages to those that would seek to do us harm about the way in which the authorities operate. We do not feel it's right to go down the route of giving information about the sort of data sets that would look to be acquired and the sort of data sets that would not be acquired."
The evidence from the home secretary follows several written submissions from technology firms, civil rights groups and security experts.
Most recently, tech companies including Facebook, Google and Microsoft teamed up to denounce the proposals and warn that user trust, data security and privacy of the public are all at risk if the bill is made law.
"The actions the UK government takes here could have far-reaching implications for our customers, for your own citizens, and for the future of the global technology industry," the companies warned.