digitaLiberties

The UK Investigatory Powers Bill – one step forward, two steps back

"Following the tragic attacks in Paris and Beirut, let us bear in mind the recent call by MI5 Director General Andrew Parker for surveillance laws prioritizing both proportionality and efficiency."

Nora Ni Loideain
17 November 2015
MI6. Britain to recruit 2000 spies in wake of Paris attacks. Demotix/ Amer Ghazzal. All rights reserved.

The Home Secretary, Rt Hon Theresa May MP, on 4 November 2015 stated that the new Investigatory Powers Bill represents “a signature departure” from past attempts to reform the current regime governing the use of surveillance powers by public authorities in the UK.

According to the Home Secretary, this new legislative framework will be “clear and understandable”, “strengthen safeguards” and “introduce world-leading oversight arrangements”. The expressed intention to fulfill these three key commitments is to be welcomed following the unsuccessful Communications Data Bill 2012 (otherwise known as the “Snoopers’ Charter” for its far-reaching scope) and the roundly criticized emergency legislation of the Data Retention and Investigatory Powers Act 2014 (DRIPA) that was fast-tracked through Parliament (a substantive part of which was recently held by the High Court as inconsistent with EU law in Davis and Watson v Home Secretary).

Accessibility and foreseeability

A clear consensus emerged from the three reports drawn on by the UK Government to review the existing legal framework: those by the Intelligence and Security Committee (ISC), by David Anderson QC, Independent Reviewer of Terrorism Legislation (otherwise known as the Anderson Report), and by the Royal United Services Institute (RUSI). That consensus was the need for any future law to be clear and precise in its language, requirements and safeguards.

This recommendation reflects the two key requirements of the legality test (accessibility and foreseeability) mandated under the right to respect for private life under Article 8 of the European Convention on Human Rights (ECHR) that the laws of Contracting States to the ECHR (such as the UK) must satisfy.

First, the interference with the right to respect for private life must be in accordance with domestic law. Secondly, the legality test governing the exercise of this state power requires that the surveillance measure must comply with the rule of law and thereby provide protection against arbitrary interference with an individual's rights under Article 8 ECHR. This means that domestic law must be sufficiently accessible and clear in its terms to give individuals an adequate indication to foresee the circumstances and the conditions in which public authorities are empowered to resort to the measure in question.

In line with the principle of the rule of law, it is essential that covert surveillance powers must be based on law that is particularly precise with clear and detailed rules as the technology used is continually becoming more sophisticated (Huvig v. France). UK law requires all public authorities (including the courts) to act in a way that is compatible with ECHR rights and requires Ministers to make a statement regarding a legislative bill’s compatibility/incompatibility with ECHR rights (Human Rights Act 1998).

Following this unanimous recommendation made by all three reports, the IP Bill adds some long overdue clarity to the complex and “unnecessarily secret” (ISC Report, para 275) surveillance powers regime currently in force. This has been achieved through the consolidation in the IP Bill of the broad legal patchwork currently governing the interception and processing of content and communications data, including relevant provisions from the Telecommunications Act 1984, the Regulation of Investigatory Powers Act 2000 (RIPA) and DRIPA 2014. This aggregation will assist in ensuring that a more informed and considered assessment takes place in Parliament when examining this detailed and legally and technically complex piece of draft legislation.

Necessity and proportionality

Another notable aspect to be welcomed in the IP Bill is the limit placed on the scope of public authorities and their access to communications data. This change includes excluding local authorities from having access to web browsing data history, otherwise referred to under the IP Bill as “Internet Connection Records” (ICRs). By limiting such powers, the IP Bill addresses both the ‘mission creep’ and data security concerns that persist under the current legislation.

This proposed reform reflects the well-established principles of EU data protection law (Directive 95/46/EC) and the right to protection of personal data as guaranteed under both Articles 7 and 8 of the EU Charter of Fundamental Rights, particularly the tenet that personal data be retained for specific purposes within a scope that is necessary and proportionate. Also reflected in this aspect of the IP Bill are the privacy and data protection standards established in the 2014 judgment by the Court of Justice of the EU in Digital Rights Ireland. This landmark ruling, delivered by the Grand Chamber of the EU’s highest court, struck down an EU law (Directive 2006/24/EC) for its disproportionate scope and incompatibility with Articles 7 and 8 of the EU Charter. That law imposed a mandatory duty on communication service providers to undertake the mass and indiscriminate retention of communications data for secret intelligence and law enforcement authorities across the EU.

Underpinning the above EU law are the necessity and proportionality tests that also form part of the conditions to be met by Contracting States under Article 8 ECHR. The necessity test for the covert surveillance of communications can be justified under the ECHR when undertaken in pursuit of one of the broad list of legitimate aims provided for under Article 8(2), including those pursued by the IP Bill - interests of national security, public safety or the economic wellbeing of the country.

The more difficult and often decisive test of proportionality requires that an interference must be ‘necessary in a democratic society’ as well as being lawful and serving a legitimate aim in order to justifiably restrict a right guaranteed under Article 8(1). States must establish this by showing that the impugned measure in question is responding to “a pressing social need” and that the interference with the protected rights is no greater than is necessary to address that pressing social need. Furthermore, the Strasbourg Court has established that the term ‘necessary’ is not as flexible as ‘reasonable’ or ‘desirable’ (Leander v. Sweden).

Safeguarding democracy

In practice, this means that powers allowing for the secret surveillance of communications must have adequate and effective guarantees against abuse. It is important to note that the view of the Strasbourg Court is that powers of secret surveillance, characterising as they do the police state, are tolerable under the ECHR only in so far as strictly necessary for safeguarding democratic institutions. Accordingly, States must ensure that adequate safeguards govern the use of these surveillance powers to guard against their abuse or misuse.

The assessment of these safeguards is relative and may take into account the nature, scope and duration of the monitoring involved, the grounds required for its use, the authorities competent to permit, carry out and supervise the relevant measure and the kind of remedy provided by the national law. In practice, the proportionality test has been met in challenges before the Strasbourg Court where sufficiently tight controls of such measures have included the imposition of strict conditions on the use of this power by the public authorities, both in its authorisation and implementation (e.g. Klass v. Germany).

Oversight 

Thirdly, in line with the recommendations of the Anderson Report, Part 8 of the IP Bill proposes the establishment of a single body of oversight, the Investigatory Powers Commissioner (IPC), to replace and carry out the duties of the three current oversight institutions: the Interception of Communications Commissioner’s Office (IOCCO), the Office of Surveillance Commissioners (OSC) and the Intelligence Services Commissioner (ISC).

In an unprecedented reform, the IPC will have an oversight role in the authorisation of warrants (IP Bill, s.169). In response to consistent calls from the current oversight bodies for greater resources (e.g. OSC 2015 Annual Report), it has been promised that the IPC will be well resourced (IP Bill, s.176) and more engaged with the public. As highlighted in the IP Bill’s Explanatory Notes (p.8), the IPC will have “significantly greater powers and resources compared to the current oversight regime” and “will be a more visible body”.

Areas that raise concern

Overall, however, reactions to the promises made by the Home Secretary concerning the new IP Bill have expressed more concern than welcome, especially with regard to the obtaining and disclosing of bulk personal datasets, the acquisition of bulk communications data, requiring industry to provide backdoor access to encrypted communications and the effectiveness of the proposed “double lock” warrant regime.

In addition to the many other issues it has raised, the House of Commons Science and Technology Committee has questioned the publication of policy documents that became law on the same date as the IP Bill governing the “handling arrangements” for the acquisition of bulk communications data and the obtaining and disclosing of bulk personal datasets by the Security and Intelligence authorities (namely MI5, the Secret Intelligence Service (MI6) and GCHQ). The scope and operation of this power will form part of the review of the IP Bill (ss.150-166). Nevertheless, these policy documents reveal that the use of these specific types of surveillance (only now clarified and made available to the public for the first time) has already entered into force without having been subject to any open parliamentary scrutiny assessing their legality, necessity or proportionality.

The fact that these documents have now been made accessible to the public does not prevent an application to the European Court of Human Rights challenging the compatibility of the prior operation of such measures (up until 4 November 2015) with the right to respect for private life as guaranteed under Article 8 ECHR. As the Strasbourg Court has held consistently since 1984 (Malone v. United Kingdom), the law must indicate with sufficient clarity at the material time the extent of the discretion of the relevant public authorities or the way in which this discretion should have been exercised.

Backdoor access

Secondly, computer security experts (including Cambridge Professor Ross Anderson) and major communication service providers (Apple CEO, Tim Cook) have warned of the “dire consequences” of requiring industry to provide backdoor access to encrypted communications under the IP Bill (s.189(4)(c)). This provision raises significant questions about the risks posed by creating an environment of inadequate and insufficient data security. The danger of such a situation was recently demonstrated in the hacking of TalkTalk, a major UK mobile phone and internet provider, which resulted in 156,959 customers having their personal details accessed (15,656 of whom had their bank account numbers and sort codes stolen). Arguably of greater concern is the fact that this was the third successful cyberattack on TalkTalk within the past year. As discussed below, this specific requirement also raises the issue of the limited redress available to communication service providers under the IP Bill, if seeking to challenge the necessity or proportionality of a warrant or data retention notice.

The double lock oversight mechanism

Thirdly, the double lock oversight mechanism provides that any interception of content, access to bulk personal datasets or bulk communications data (with the exception of urgent cases) will in future only take place with prior approval from both the Secretary of State and an independent officer with judicial experience from the proposed office of the IPC.

David Anderson, the UK’s Independent Reviewer of Terrorism Legislation (Response to IP Bill) has stressed that this is a step forward on the ground that the system provides for the first time since the seventeenth century that no warrant will enter into force without judicial approval.

Sir Mark Waller, the current Intelligence Services Commissioner, has also expressed his support for the shared responsibility represented by this regime for parliamentary accountability and judicial oversight. Specifically, the Commissioner commends the scope of the judge's role as it takes into account the lack of experience that judges from the proposed IPC will have in matters of national security.

However, the double lock mechanism provides that a judge has a “vital role” in assessing “whether the necessity test and whether the proportionality test has been applied” and to ensure that an “improper use of powers” does not occur.

However, leading civil society organizations have criticized the double lock regime for effectively proposing a diluted form of independent judicial oversight that will lack effectiveness in practice. Big Brother Watch and Liberty have described the mechanism as “impractical” and a “rubber-stamping exercise”. Both NGOs are bringing proceedings before the European Court of Human Rights challenging the use of mass surveillance measures by GCHQ as revealed by the Edward Snowden revelations (App.No.58170/13). Former Deputy Prime Minister Nick Clegg has also criticized the proposed prior oversight regime on the similar basis that “judges will have very little discretion” in the decision-making process.

A growing list of questions to enhance the framework

A Joint Committee has been established to examine the growing list of questions and concerns surrounding the IP Bill (as raised above) and will produce a report on the draft legislation early in 2016.

In contributing to this important open debate on the IP Bill, the following points consider the mass and indiscriminate retention of communications data and ways in which the oversight and transparency framework governing the use of covert surveillance powers generally in the UK could be enhanced.

1. Retention of ICRs for 12 months – has the “compelling operational case” been made?

Regarding the level of intrusiveness posed by the indiscriminate and blanket year-long retention of ICRs (website data - but not webpages), the Home Secretary has described this mass personal data processing as equivalent to an ‘itemised phone bill’. Based on this reasoning, this information is considered to fall under the framework of “communications data” (e.g. website browsing/ICRs, times, location, parties, devices involved in a communication) under Part 4 of the IP Bill.

On the basis that this information is not considered to reveal as much as content, communications data is consequently accorded a lower level of safeguards and oversight. Hence, under the IP Bill, access to the content of an e-mail requires a warrant whereas access to who you Skype, when you Skype them and how often (described as “entity” and “event” data under the IP Bill) only requires the authorisation of a designated senior person within the public authority seeking the communications data. The IP Bill includes a general requirement that this designated person is not to be directly involved in the investigation that requires the communications data.

Strikingly, however, the IP Bill provides that this requirement may be effectively ignored if the public authority in question is too small (“size of the relevant authority … is not practicable”) to comply with the essential safeguards governing the authorisation procedure (IP Bill, s.47).

Instead, the IP Bill could be amended in order to provide that the Judicial Commissioners (who must hold or have held “high judicial office”) who will form part of the proposed office of the IPC could undertake such a role.

Notably, this oversight body would provide a qualified form of judicial oversight as the proposed IPC would be an independent institution (not a court), whose Commissioners are currently judges (or have judicial experience). Nevertheless, such an amendment would reflect Article 8 ECHR jurisprudence that this oversight role is best carried out by the judiciary on the ground that judicial control offers the best guarantees of independence, impartiality and a proper procedure (Kennedy v United Kingdom).

Furthermore, the rare number of such authorisations from smaller public authorities would be unlikely to place an undue burden on the resources of the IPC. Although this change would change the traditional role of the current oversight bodies that perform audits of public authorities, the “additional functions” of the IPC could be amended to expand this role (IP Bill, s.172).

This additional role would also assist in strengthening the oversight functions of the IPC by giving the institution direct experience of the authorisation process.

Regarding the necessity and proportionality of the proposed mass and indiscriminate retention of website browsing data, the value to law enforcement having access to such information has been outlined in some detail, e.g. identifying individuals involved in networks concerning terrorism or serious crime through tracking their online communications, such as fraud or drugs trafficking (Operational Case for the Retention of Internet Connection Records and Impact Assessment: Communications Data).

However, less consideration appears to have been given to showing detailed and comprehensive evidence and reasons justifying which public authorities should have access to this personal data, and how long the retention period should be. In other words, an evidence-based approach seems lacking here. Instead of a 12-month retention period, why not a period of 3 months, 6 months or 2 years? As highlighted in the RUSI Report (para 5.52), the longer the data is held, the greater the risk that the data may be lost and/or stolen.

The Operational Case policy document (see pp.14-18) draws its recommendation for the 12-month retention period principally from the findings of only two studies. The first concerns the ability of law enforcement to investigate referrals made by the National Centre for Missing and Exploited Children (NCMEC), involving an examination of 6025 referrals over a 9-month period. The second study concerns an analysis of the use of mobile devices in relation to approximately 600 suspects in serious crime investigations in order to show the prevalence of the use of online communications services by these individuals.

No information is provided in the second study regarding over how long a time period these serious crime investigations took place. Notably, no references to findings based on the operation of similar laws in other jurisdictions have been included to support the proposed scope for this new surveillance power under the IP Bill.

It is also important to note that the focus of both of these studies is the investigation of serious crime. However, no detailed studies have been included to provide compelling evidence for the justification of allowing access to website browsing history spanning 12 months for the many other purposes under the IP Bill, such as tax assessment or protecting public health (IP Bill, s.46(7)).

The IP Bill provides that 46 public authorities (including the Food Safety Authority) will be authorised to access all types of communications data, including website browsing history (IP Bill, Schedule 4).

Access to such long term website browsing history (12 months in this instance) could identify an individual’s personal and professional relationships, their racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or data concerning their health or sex life.

Of course, detailed studies may have been undertaken showing why all of these public authorities should be granted access to such an extensive amount of sensitive personal data. However, while a handful of anecdotal cases have been provided as examples, no comprehensive statistical-based evidence has been made publicly available as yet.

Notably, the Home Secretary was asked in Parliament on the publication of the IP Bill regarding what evidence resulted in the adoption of a 12-month retention period for communications data. Her response was that the Government had relied on the Digital Rights Ireland judgment as justification for this retention period. However, the Grand Chamber of the Court of Justice of the EU makes no endorsement in its judgment for a 12-month period for the mass and indiscriminate retention of communications data, or any specific period for that matter. Instead, the Luxembourg Court established that the determination of the period of communications data retention “must be based on objective criteria in order to ensure that it is limited to what is strictly necessary” (Digital Rights Ireland, para 64).

Hence, the compelling operational case for the current provisions of the IP Bill concerning its proposed scope for the mass and indiscriminate retention of website browsing history for 12 months, and its proposed accessibility to such a broad range of public authorities, remains to be made. 

2. Greater surveillance should mean greater oversight

Perhaps unsurprisingly, concern has been expressed regarding the secrecy that the IP Bill imposes on the warrants and data retention notices issued to communication service providers (e.g. IP Bill, s.77). These provisions are consistent with current legislation (RIPA, s.19). However, as warned by Dr George Danezis (UCL Computer Security expert), these “gagging orders” on the operation of warrants and communication data notices prevent “even the possibility of a mature debate”.

Furthermore, the negative impact of these non-disclosure requirements (if left unchanged) arguably extends even further and serves to undermine the future IPC’s ability to provide effective oversight and to ensure that these measures are being used in a manner that is lawful, necessary and proportionate.

These provisions under the IP Bill come directly into conflict with current law (RIPA, s.58) that imposes a duty on every person to comply with any request made by a Commissioner from the IOCCO, OSC or ISC to disclose or provide all such documents and information as the Commissioner may require to carry out their functions. This provision of RIPA has been incorporated under the proposed inspection powers of the IPC (IP Bill, s.175).

On a related point, as highlighted by the IOCCO (Submission to Anderson Report, p.23), there is currently no means of redress for a communications service provider should they consider a notice requiring the retention of communications data is or has become disproportionate and should be cancelled or if there has been a refusal to cancel it.

As a result, the continuation of these sweeping secrecy requirements under the IP Bill seems certain to undermine the IPC’s key oversight role and runs counter to the commitment made by the Home Secretary to a legislative framework of “world-leading oversight arrangements”. Consequently, it is proposed that the scope of the above provisions affecting the role of communication service providers be reviewed in order to strengthen and better inform the oversight powers and auditing process of the IPC (as provided for under IP Bill, s.175).

Finally, it has been promised that the proposed IPC will be adequately resourced. This commitment is paramount if such an institution is to be in a realistic position of effectively carrying out a growing number of detailed audits involving technological and surveillance developments in everyday communications that are becoming ever more sophisticated. One such example is the “Internet of Things”, where more and more personal devices will become ‘smart’/Internet-enabled leading to environments where most of our possessions can be monitored for personal data, e.g. cars, houses, children’s toys.

It is submitted that the Counter-Terrorism and Security Act 2015 should be amended to ensure that the Privacy and Civil Liberties Board (provided for, but not yet established, under s.46 of the Act of 2015) should form part of the oversight regime of the IP Bill in order to further enable the IPC in this task.

The Board could provide the necessary wide range of skills and expertise (e.g. former law enforcement and intelligence officials, forensic experts, computer scientists, lawyers, civil society, individuals with a media/communications background) that the IOCCO considers necessary to “ensure that the public authorities are robustly held to account and that all critical views are represented”.

3. Final thoughts

The issues of legality, necessity and proportionality surrounding the above aspects (and other aspects) of the IP Bill raise significant questions for the rights review (the compliance of laws with human rights principles and safeguards) of the IP Bill and the overall legislative cycle (drafting, implementation and review) of surveillance law reform in the UK. 

This will be an area subject to the robust scrutiny of the Joint Committee on Human Rights (JCHR), the UK Parliament’s legislative rights review body (the work of which has been praised by leading international rights review experts), which will examine the IP Bill’s compatibility with human rights.

Most importantly, the JCHR will be in a position to exert substantial pressure on the UK Government to provide detailed arguments and evidence-based reasons that explain and justify policy proposals that implicate rights or reports which assert that the IP Bill complies with the legality, necessity and proportionality tests of Article 8 ECHR. The JCHR are currently accepting submissions on the IP Bill.

In conclusion, following the recent tragic attacks in Paris and Beirut, it is timely to bear in mind the recent call by MI5 Director General Andrew Parker for surveillance laws that prioritize both proportionality and efficiency: “We do not seek sweeping new intrusive powers … but rather a modern legal framework that reflects the way that technology has moved on, and that allows us to continue to keep the country safe”.

It is hoped that the debate and review of the current draft IP Bill will take into account the recommendations of the JCHR and result in an evidence-based regime that complies with the privacy and data protection standards of the ECHR and the EU Charter of Fundamental Rights. This would be a lawful, necessary and proportionate surveillance powers framework of world-leading oversight arrangements.
