Where next for the investigatory powers regime?
In 2015, before the IPB was published, there were a number of reports on the investigatory powers regime. On top of that, the UK Prime Minister asked Sir Nigel Sheinwald to talk to some internet companies, the US and other governments to find a better way for countries to access and share data for the fight against crime and terrorism. These conversations led to the Sheinwald report on international data sharing (delivered to government in June 2015).
These reports shaped the government’s thinking in how it developed the IPB.
What was in these reports?
The three reports (summarised below) all agreed that investigatory powers law was fragmented and outdated. They all called for reform. In particular they called for greater transparency and oversight of the powers. But they also disagreed on some big things – like the authorisation of warrants.
The only official, public-domain information on Sir Nigel Sheinwald’s work is a two-page summary of his report. In it he advocates improving government-to-government cooperation, reforming the existing UK / US Mutual Legal Assistance Treaty and building a new international framework for those countries with similar high standards of oversight, transparency and privacy protection.
Privacy and Security: A Modern and Transparent Legal Framework - The Intelligence and Security Committee
The Intelligence and Security Committee (ISC) is a Parliamentary Committee. It has access to the government agencies which use the laws on investigatory powers. Its March 2015 report criticised the current law as outdated, complex and opaque. It recommended:
- A single, new, more transparent law backed up with better oversight.
- New definitions for “communications data”, “communications data plus” and “content-derived information”, with differences reflecting varying levels of intrusiveness.
- Reforming section 94 Telecommunications Act 1984 to clarify when it could be used and why.
- Reforming the Investigatory Powers Tribunal (IPT) which hears claims against government’s use of the regime (often in secret) – to include a right of appeal.
- Government ministers (not judges) should continue to approve warrants for intrusive data requests.
The report also acknowledged that the government uses “bulk interception”. However, the ISC was happy that only a very small percentage of internet traffic was actually collected and an even smaller proportion looked at. On this basis, it said bulk interception is a valuable capability that should remain available to the intelligence agencies.
A Question of Trust - Report of the Investigatory Powers Review - David Anderson QC, Independent Reviewer of Terrorism Legislation
The government asked David Anderson QC to review the current law and recommend changes. He looked at terrorist threats to the UK; the capabilities we’d need to tackle them; safeguards to protect privacy; the challenges of changing technologies; and transparency and oversight. His review identified five key principles for the new law:
- Minimise no-go areas for law enforcement – meaning data shouldn’t be beyond the reach of government simply because of the way it is sent or stored over the internet (for example, if it’s encrypted or sent over the dark net).
- Investigatory powers should be limited powers – to protect privacy.
- Rights compliant – meaning people must know what the intrusive powers are and how they can be used.
- Clear and transparent rules – because “obscure laws corrode democracy”.
- A unified approach – meaning one regime for intelligence communities and law enforcement.
In line with those key principles, his review made a lot of recommendations, including:
- Replacing the relevant parts of RIPA, DRIPA and other related laws with a single new law, “drafted from scratch”.
- Replacing the three existing oversight bodies (or regulators) with a new Independent Surveillance and Intelligence Commission (ISIC).
- Making sure all warrants are issued only by Judicial Commissioners (within ISIC), who must hold, or have held, high judicial office.
- Keeping the data retention laws but bringing them into line with EU law and human rights.
- Limiting specific interception warrants to a single person, or premises (as now) or operation (new category).
- Introducing a new “combined warrant” for interception / intrusive surveillance / property interference.
- Allowing lawful “bulk” interception, with the right safeguards, under EU law.
- Introducing a new type of warrant for “bulk” communications data.
- Adding backstop powers to the new law – along the lines of section 94 Telecommunications Act 1984.
- Reviewing the distinction between content and communications data.
- Keeping the requirement for IP address resolution. But government should show why it needs communications providers to keep internet connection records (weblogs) – which is likely to be justified if there’s good reason – and “third party data” (like data from Facebook or Google) – which it’s harder to show a good reason to keep.
A Democratic Licence to Operate - Report of the Independent Surveillance Review - Royal United Services Institute
RUSI is an independent think-tank on international defence and security. Its report:
- Called for a new and more transparent law.
- Recommended that the definitions of content and communications data should be reviewed.
- Said that bulk communications data collection should be under a warrant.
- Said that there should be more judicial involvement in the issue of warrants.
- Supported the need for a new Mutual Legal Assistance Treaty to allow the better exchange of information between countries for crime and terrorism prevention.
On 4 November 2015, the government published the IPB, which brings together all its powers to obtain content and communications data from communications providers. The IPB, which includes powers drawn not only from RIPA but from other relevant statutes, is due to go through a process of public consultation until early 2016. It will be considered by the Houses of Parliament, as part of a consultation review process before a Joint Committee of Parliament.
In drafting the IPB, the government has also taken into account other views, including ours. There are also a number of important legal cases that may have an impact on the government’s proposals. Some of these cases are over, some are still pending. Some may have a direct impact, some indirect. But they are all potentially significant:
- The Data Retention Directive - In April 2014 the Court of Justice of the European Union (CJEU) declared this invalid in the Digital Rights Ireland case because it didn’t comply with the principle of proportionality: its interference with the right to privacy was not limited to what was strictly necessary.
- DRIPA - In July 2014, DRIPA was passed to make sure the government (and other public bodies) kept a legal right to make communications providers hold onto communications data. It’s due to expire at the end of 2016. The UK High Court said that parts of DRIPA aren’t compatible with Article 7 (respect for private and family life) and Article 8 (protection of personal data) of the European Union’s Charter of Fundamental Rights. The Court of Appeal disagreed with the High Court, has now referred this case to the CJEU and will seek further clarity on the Digital Rights Ireland case.
- Bulk interception – in September 2013 Big Brother Watch asked the European Court of Human Rights (ECtHR) to review whether the UK’s surveillance laws were compatible with the European Convention on Human Rights. This claim was then put on hold because of a similar challenge at the IPT, brought by Liberty, Amnesty International, and Privacy International.
- The IPT found in December 2014 that the UK’s bulk interception regime did not contravene Convention rights. Liberty, Privacy International and Amnesty International effectively appealed this decision by filing a claim at the ECtHR in April 2015.
- The IPT also issued two further decisions in 2015 which related to the December 2014 judgment. In February it found that the lack of transparency around the security services’ policies and procedures breached Article 8 (although the breach had since been fixed). In June, it concluded that the lawfully intercepted communications of Amnesty International and the South African Legal Resources Centre had not been handled in line with GCHQ internal procedures.
- In an unrelated case, the IPT also found in June 2015 that legally privileged documents belonging to a Libyan dissident had been unlawfully intercepted.
- Two other challenges were filed at the ECtHR in September 2014 and are waiting to be heard. In one, the Bureau of Investigative Journalism questioned whether UK law adequately protects the communications of journalists. In the other, Privacy International asked for the disclosure of documents relating to surveillance arrangements between the US, United Kingdom, Canada, Australia, and New Zealand.
- Safe Harbor – in October 2015, the CJEU made an important decision on data protection in the Schrems case. It said that the Safe Harbor scheme (under which personal data can be transferred from the EU to registered bodies in the US) doesn’t adequately protect data. One reason was that the scheme may not be able to stop the US intelligence authorities accessing the transferred data on a large scale. And this isn’t compatible with the right to privacy in the EU Charter of Fundamental Rights.
What do we think the new regime should look like?
In our response to the Anderson Review, we summarised our position like this: “We consider that it is appropriate to maintain a regime that permits access to content and communications data, provided that the circumstances are suitably circumscribed, and provided that all necessary checks and balances are in place to ensure the lawful and proportionate operation of that regime, particularly from a human rights perspective.”8
This is still our view. It will underpin everything we say during the formal consultation on the IPB and its passage through Parliament when it is introduced in 2016. We agree with David Anderson QC that: “the road to a better system must be paved with trust”.
With the publication of the IPB, for the first time, one document sets out the totality of the investigatory powers government thinks are necessary. Reform is overdue, and the IPB provides a foundation for open and meaningful debate. It’s not going to be possible to please everyone in all aspects of these powers, but there’s a tremendous opportunity now to build a much better new regime. We’ll respond formally to the government consultation, but we’ve set out our initial opinion below.
All the powers in the IPB should protect the rights established in the European Convention on Human Rights (as implemented in the UK by the Human Rights Act 1998) and the European Union’s Charter of Fundamental Rights. Bulk powers on interception, communications data and equipment interference – which are potentially extremely privacy-intrusive – should only be used in very rare circumstances, when all other capabilities have been considered.
Bulk interception is controversial. A UK court has said that the current rules are lawful and comply with human rights. David Anderson QC believes that government has shown it needs these powers for both content and communications data. Some privacy campaigners believe that bulk interception is too great an infringement of privacy in a free society. Our view is that government should be able to use bulk powers provided the pending legal cases uphold their validity, and that strong oversight means that they’re only used when it’s necessary and proportionate.
It would help to assess exactly what is and what isn’t proportionate if there were more clarity on the word “bulk”.
It could potentially be broken into separate categories – rather than used as a catch-all term for all warrants not falling into other categories.
The scope of any new power along the lines of section 94 of the Telecommunications Act 1984 should be more limited than it is now. It should also expressly give a right of appeal and be stringently overseen. The relevant clause in the IPB (national security notices) is a big improvement.
We think the position on powers to compel communications providers to keep third party data is unclear. Government has said publicly that it has dropped the idea, but it still seems to be permitted under the IPB. So far, no one has made a compelling case that these powers are necessary and proportionate.
Even though the new proposals making communications providers keep internet connection records aren’t as extensive as those in the draft Communications Data Bill 2012, they still need careful evaluation in terms of their proportionality, feasibility and cost.
Subject to the right checks and balances, we see a strong case for communications providers being compelled to provide help as law enforcement and security agencies pursue suspected criminals, terrorists and threats from overseas. We recognise the IPB has removed some discretionary elements. But others are still there – notably on disclosing communications data. We intend to discuss this with government.
This is a tricky issue. Any new legal definitions must balance covering a broad range of factual circumstances with providing legal certainty. The IPB includes definitions of “content” and “communications data” that are supposed to cover all possible circumstances. The government will need to check very carefully that the new approach works, particularly with online communications. And they must make sure the most intrusive types of data attract the strongest legal protection before they can be accessed.
We understand some things have to be kept secret, but there should be a presumption in favour of openness. If things do need to be secret, the government should try to explain why, so far as possible without giving away crucial details to potential wrongdoers being pursued.
Government should be more consistent in how it tries to keep things secret or confidential. At present, there are too many separate restrictions. The IPB proposes a number of further restrictions.
Harmonising these various restrictions would help strike the right balance between necessary secrecy and transparency.
Better oversight and transparency are crucial. Strong law, with clear checks and balances in place from the start of the process (authorisation) to the end (audit), should give everyone confidence that intrusive powers will only be used when necessary and that any interference with the right to privacy will be kept to a minimum. Regular review of the operation of the law, with input from stakeholders, is important to keep pace with change.
We welcome the proposed creation of the Investigatory Powers Commissioner (IPC) to provide independent oversight, with an expanded remit and greater resources. It should have full powers to disclose an accurate and complete picture of the total number of requests made which affect individuals.
We think that judicial authorisation is needed for more privacy-intrusive powers. So we’re pleased that the IPB mandates this for all warranted activity. We believe there’s a case for extending judicial authorisation to data retention notices and national security notices. But it’s good to see that the IPB envisages that communications providers will have a direct right of review to the Secretary of State in both cases, and that the Secretary will have to take into account the IPC’s views on proportionality. Equally, there is a case for extending the review mechanism to bulk warrants.
The IPC should stick to the same stringent standards whether assessing proportionality for authorisation or review.
This is another difficult area. Overseas providers offering services in the UK may be asked to disclose information in the UK. But such a request could conflict with their own country’s laws.
In the future, an improved Mutual Legal Assistance Treaty process is the best solution. It could be along the lines of the international framework advocated by Sir Nigel Sheinwald. It would mean like-minded countries (with high privacy and human rights standards) would agree a single set of principles on disclosure that would apply to all participants. However, this isn’t likely to happen soon – because those types of multi-state agreement take time.
In the meantime, the UK government should apply the new investigatory powers regime equally to all providers offering services in the UK – whilst acknowledging the difficulties of enforcement. We do not believe that government has made a compelling case that UK-based communications providers like us should keep data relating to other providers.
The rise of encryption is a good example of the challenge government faces in getting the new law right. Both David Anderson QC and the government believe there should be no “dark areas” in communications. Their worry is that if communications can’t be decrypted, criminals and terrorists will be able to place themselves beyond the reach of the law.
On the other hand, encryption helps people communicate securely. It reduces the potential for cybercrime. It empowers free expression in countries without strong and independent legal regimes.9 And there will sometimes be practical constraints on what a provider can do, for example if the data it carries has been encrypted by a third party.
This is a really difficult area. The technology is complex. The arguments on both sides are compelling; the debate is still evolving. Close engagement between government and industry will be key to finding a way forward.
Summary of Public Bodies' Powers to Access Data
i The government has also acknowledged it has used section 94 of the Telecommunications Act 1984 for bulk acquisition of communications data.
ii Unless otherwise stated, all figures in this section are taken from the Interception of Communications Commissioner’s March 2015 Report and relate to the general use of this power, not requests to us.
iii The 0.9% of requests made by other authorities covers a wide range of entities such as the Financial Conduct Authority, Ofcom, the Information Commissioner and the Serious Fraud Office.
iv The 0.5% of other requests were: (a) in the interests of the economic well-being of the United Kingdom; (b) in the interests of public safety; (c) for the purpose of protecting public health; (d) for tax purposes; (e) in relation to a miscarriage of justice; (f) to identify a person unable to identify themselves; or (g) for a combination of these reasons.
v Note that judicial approval is needed for local authority requests or in relation to obtaining journalistic sources for communication data.
vi Figures from the Intelligence and Security Committee’s report Privacy and Security: A modern and transparent legal framework, March 2015.
8 https://terrorismlegislationreviewer.independent.gov.uk/wp-content/uploads/2015/06/IPR-Report-Print-Version.pdf section 11.7, page 204
9 Noted by the UN Special Rapporteur on the promotion and protection of the right to free expression and opinion: http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf