In 2015, before the IPB was published, there were a number of reports on the investigatory powers regime. On top of that, the UK Prime Minister asked Sir Nigel Sheinwald to talk to some internet companies, the US and other governments to find a better way for countries to access and share data for the fight against crime and terrorism. These conversations led to the Sheinwald report on international data sharing (delivered to government in June 2015).
These reports shaped the government’s thinking in how it developed the IPB.
The three reports (summarised below) all agreed that investigatory powers law was fragmented and outdated. They all called for reform. In particular they called for greater transparency and oversight of the powers. But they also disagreed on some big things – like the authorisation of warrants.
The only official, public-domain information on Sir Nigel Sheinwald’s work is a two-page summary of his report. In it he advocates improving government-to-government cooperation, reforming the existing UK / US Mutual Legal Assistance Treaty and building a new international framework for those countries with similar high standards of oversight, transparency and privacy protection.
The Intelligence and Security Committee (ISC) is a Parliamentary Committee. It has access to the government agencies which use the laws on investigatory powers. Its March 2015 report criticised the current law as outdated, complex and opaque. It recommended:
The report also acknowledged that the government uses “bulk interception”. However, the ISC was happy that only a very small percentage of internet traffic was actually collected and an even smaller proportion looked at. On this basis, it said bulk interception is a valuable capability that should remain available to the intelligence agencies.
The government asked David Anderson QC to review the current law and recommend changes. He looked at terrorist threats to the UK; the capabilities we’d need to tackle them; safeguards to protect privacy; the challenges of changing technologies; and transparency and oversight. His review identified five key principles for the new law:
In line with those key principles, his review made a lot of recommendations, including:
RUSI is an independent think-tank on international defence and security. Its report:
On 4 November 2015, the government published the IPB, which brings together all its powers to obtain content and communications data from communications providers. The IPB, which includes powers drawn not only from RIPA but from other relevant statutes, is due to go through a process of public consultation until early 2016. It will be considered by the Houses of Parliament, as part of a consultation review process before a Joint Committee of Parliament.
In drafting the IPB, the government has also taken into account other views, including ours. There are also a number of important legal cases that may have an impact on the government’s proposals. Some of these cases are over, some are still pending. Some may have a direct impact, some indirect. But they are all potentially significant:
In our response to the Anderson Review, we summarised our position like this: “We consider that it is appropriate to maintain a regime that permits access to content and communications data, provided that the circumstances are suitably circumscribed, and provided that all necessary checks and balances are in place to ensure the lawful and proportionate operation of that regime, particularly from a human rights perspective.”8
This is still our view. It will underpin everything we say during the formal consultation on the IPB and its passage through Parliament when it is introduced in 2016. We agree with David Anderson QC that: “the road to a better system must be paved with trust”.
With the publication of the IPB, for the first time, one document sets out the totality of the investigatory powers government thinks are necessary. Reform is overdue, and the IPB provides a foundation for open and meaningful debate. It’s not going to be possible to please everyone in all aspects of these powers, but there’s a tremendous opportunity now to build a much better new regime. We’ll respond formally to the government consultation, but we’ve set out our initial opinion below.
All the powers in the IPB should protect the rights established in the European Convention on Human Rights (as implemented in the UK by the Human Rights Act 1998) and the European Union’s Charter of Fundamental Rights. Bulk powers on interception, communications data and equipment interference – which are potentially extremely privacy-intrusive – should only be used in very rare circumstances, when all other capabilities have been considered.
Bulk interception is controversial. A UK court has said that the current rules are lawful and comply with human rights. David Anderson QC believes that government has shown it needs these powers for both content and communications data. Some privacy campaigners believe that bulk interception is too great an infringement of privacy in a free society. Our view is that government should be able to use bulk powers provided the pending legal cases uphold their validity, and that strong oversight means that they’re only used when it’s necessary and proportionate.
It would help to assess exactly what is and what isn’t proportionate if there were more clarity on the word “bulk”.
It could potentially be broken into separate categories – rather than used as a catch-all term for all warrants not falling into other categories.
The scope of any new power along the lines of section 94 of the Telecommunications Act 1984 should be more limited than it is now. It should also expressly give a right of appeal and be stringently overseen. The relevant clause in the IPB (national security notices) is a big improvement.
We think the position on powers to compel communications providers to keep third party data is unclear. Government has said publicly that it has dropped the idea, but it still seems to be permitted under the IPB. So far, no one has made a compelling case that these powers are necessary and proportionate.
Even though the new proposals making communications providers keep internet connection records aren’t as extensive as those in the draft Communications Data Bill 2012, they still need careful evaluation in terms of their proportionality, feasibility and cost.
Subject to the right checks and balances, we see a strong case for communications providers being compelled to provide help as law enforcement and security agencies pursue suspected criminals, terrorists and threats from overseas. We recognise the IPB has removed some discretionary elements. But others are still there – notably on disclosing communications data. We intend to discuss this with government.
This is a tricky issue. Any new legal definitions must balance covering a broad range of factual circumstances with providing legal certainty. The IPB includes definitions of “content” and “communications data” that are supposed to cover all possible circumstances. The government will need to check very carefully that the new approach works, particularly with online communications. And they must make sure the most intrusive types of data attract the strongest legal protection before they can be accessed.
We understand some things have to be kept secret, but there should be a presumption in favour of openness. If things do need to be secret, the government should try to explain why, so far as possible without giving away crucial details to potential wrongdoers being pursued.
Government should be more consistent in how it tries to keep things secret or confidential. At present, there are too many separate restrictions. The IPB proposes a number of further restrictions.
Harmonising these various restrictions would help strike the right balance between necessary secrecy and transparency.
Better oversight and transparency are crucial. Strong law, with clear checks and balances in place from the start of the process (authorisation) to the end (audit), should give everyone confidence that intrusive powers will only be used when necessary and that any interference with the right to privacy will be kept to a minimum. Regular review of the operation of the law, with input from stakeholders, is important to keep pace with change.
We welcome the proposed creation of the Investigatory Powers Commissioner (IPC) to provide independent oversight, with an expanded remit and greater resources. It should have full powers to disclose an accurate and complete picture of the total number of requests made which affect individuals.
We think that judicial authorisation is needed for more privacy-intrusive powers. So we’re pleased that the IPB mandates this for all warranted activity. We believe there’s a case for extending judicial authorisation to data retention notices and national security notices. But it’s good to see that the IPB envisages that communications providers will have a direct right of review to the Secretary of State in both cases, and that the Secretary will have to take into account the IPC’s views on proportionality. Equally, there is a case for extending the review mechanism to bulk warrants.
The IPC should stick to the same stringent standards whether assessing proportionality for authorisation or review.
This is another difficult area. Overseas providers offering services in the UK may be asked to disclose information in the UK. But such a request could conflict with their own country’s laws.
In the future, an improved Mutual Legal Assistance Treaty process is the best solution. It could be along the lines of the international framework advocated by Sir Nigel Sheinwald. It would mean like-minded countries (with high privacy and human rights standards) would agree a single set of principles on disclosure that would apply to all participants. However, this isn’t likely to happen soon – because those types of multi-state agreement take time.
In the meantime, the UK government should apply the new investigatory powers regime equally to all providers offering services in the UK – whilst acknowledging the difficulties of enforcement. We do not believe that government has made a compelling case that UK-based communications providers like us should keep data relating to other providers.
The rise of encryption is a good example of the challenge government faces in getting the new law right. Both David Anderson QC and the government believe there should be no “dark areas” in communications. Their worry is that if communications can’t be decrypted, criminals and terrorists will be able to place themselves beyond the reach of the law.
On the other hand, encryption helps people communicate securely. It reduces the potential for cybercrime. It empowers free expression in countries without strong and independent legal regimes.9 And there will sometimes be practical constraints on what a provider can do, for example if the data it carries has been encrypted by a third party.
This is a really difficult area. The technology is complex. The arguments on both sides are compelling; the debate is still evolving. Close engagement between government and industry will be key to finding a way forward.
i The government has also acknowledged it has used section 94 of the Telecommunications Act 1984 for bulk acquisition of communications data.
ii Unless otherwise stated, all figures in this section are taken from the Interception of Communications Commissioner’s March 2015 Report and relate to the general use of this power, not requests to us.
iii The 0.9% of requests made by other authorities covers a wide range of entities such as the Financial Conduct Authority, Ofcom, the Information Commissioner and the Serious Fraud Office.
iv The 0.5% of other requests were: (a) in the interests of the economic well-being of the United Kingdom; (b) in the interests of public safety; (c) for the purpose of protecting public health; (d) for tax purposes; (e) in relation to a miscarriage of justice; (f) to identify a person unable to identify themselves; or (g) for a combination of these reasons.
v Note that judicial approval is needed for local authority requests or in relation to obtaining journalistic sources for communications data.
vi Figures from the Intelligence and Security Committee’s report Privacy and Security: A modern and transparent legal framework, March 2015.
8 https://terrorismlegislationreviewer.independent.gov.uk/wp-content/uploads/2015/06/IPR-Report-Print-Version.pdf section 11.7, page 204
9 Noted by the UN Special Rapporteur on the promotion and protection of the right to free expression and opinion: http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf