Wednesday, 12 August 2015

The Coming UK Surveillance Debate: Legal and policy origins

One of a series of posts on the forthcoming Investigatory Powers Bill
This autumn the UK government will publish its draft Investigatory Powers Bill for pre-legislative scrutiny by a Joint Parliamentary committee. The new legislation will replace the much criticised Regulation of Investigatory Powers Act (RIPA), which since 2000 has regulated the interception and communications data acquisition activities of law enforcement and the security and intelligence agencies. It will also revisit the communications data retention regime currently embodied in the Data Retention and Investigatory Powers Act 2014 (DRIPA).   
The new legislation will draw on three separate published reviews of investigatory powers by the Intelligence and Security Committee of Parliament, by the Independent Reviewer of Terrorism Legislation David Anderson Q.C. and by a Panel established by the Royal United Services Institute. It will also have to take into account an accumulated body of adverse court and Investigatory Powers Tribunal decisions, a critical report by the Interception of Communications Commissioner and several pending challenges in the European Court of Human Rights.
In Redlines and No-go zones I discussed how far the authorities should in principle be able to go in capturing, analysing and examining the content of our communications and associated communications data.  
Now we can look in our crystal ball and try to discern some of the specific content of the draft Bill, which I will do in a series of connected posts.

The issue that has so far occupied the headlines is whether to move from political to judicial authorisation of interception warrants. Anderson and the RUSI report have both come out in favour of some form of judicial approval system. The ISC report opted for continuing with Ministerial warrants.  

Whichever way the government jumps on judicial approval, the Bill is certain to feature improved oversight.  Independent oversight is desirable in its own right and necessary for human rights compliance.  However it is not a panacea.  A far reaching power may still be so repugnant as to cross a red line even if counterbalanced by oversight, safeguards and a Minister or judge’s belief that the exercise of the power is necessary and proportionate.

In this series of posts I will focus on the substantive scope of the powers rather than on oversight mechanisms.  The substantive powers are the most difficult and confusing area, yet lie at the heart of the legislation.
Two of the most hotly disputed existing powers are bulk interception warrants under section 8(4) of RIPA and mandatory retention of communications data by ISPs and internet companies under DRIPA. Since none of the investigatory powers reviews has proposed abolishing either of these, it is a safe bet that despite continuing objections from privacy and civil liberties advocates both will reappear in some form unless a final human rights court ruling forces the government's hand.
On that note, in July the English High Court ruled in favour of MPs David Davis and Tom Watson's challenge to the communications data retention elements of DRIPA. The court disapplied the provisions on three grounds of non-compliance with the EU Charter of Fundamental Rights, but deferred its order until March 2016 to enable the government to bring forward new legislation. The government has said it will appeal. The European Court of Human Rights is due to hear various Snowden-related challenges and the UK's Investigatory Powers Tribunal has issued decisions adverse to the government which will influence some aspects of the Bill.
Several coalescing policy and legal channels will feed into the Bill.
-     Revived Communications Data Bill.  In June 2012 the coalition government published a draft Communications Data Bill, popularly dubbed the ‘Snooper’s Charter’ (a description contested by its supporters and some neutrals). The CDB would have significantly extended communications data retention obligations, would for the first time have required CSPs to generate specified types of communications data and to put in place specific communications data retention technical capabilities, and would have introduced a request filter (a horizontal search facility across data retained by multiple providers). Much of the substance of the CDB was to be delegated to secondary legislation and, a layer below that, to notices issued by the Secretary of State to communications providers and others.
It was said that the CDB was needed to plug a growing capability gap suffered by the investigatory authorities. The draft Bill and the evidence put forward in its support were roundly criticised by a Joint Parliamentary Committee in December 2012.  The CDB proceeded no further, other than the introduction of powers in the Counter-Terrorism and Security Act 2015 to mandate retention of so-called IP address resolution data.
Since the enactment of RIPA in 2000 the volume, frequency and richness of communications data has increased out of all recognition, particularly as a result of the ubiquity of mobile devices. Many argue that as a result the privacy implications of collecting and accessing communications data can be as great as for content. Certainly communications data can be at least as useful as content. The ISC Report notes the ISC's surprise at discovering that the primary value to GCHQ of bulk interception was not in reading the actual content of communications, but in the information associated with those communications. [80]
Home Secretary Theresa May said after the May 2015 general election that the government would be giving the security agencies and law enforcement agencies the powers that they need to ensure they're keeping up to date as people communicate with communications data and that it intends to bring through the legislation that it was prevented from introducing during the Coalition. Just what that may mean in concrete terms is not yet clear, especially since there are hints in the Anderson Report that the security and law enforcement agencies may be pushing less strongly for some of the CDB powers.
-     DRIPA sunset.  In July 2014 the coalition government rushed the Data Protection and Investigatory Powers Act through Parliament in four days. The main purposes of DRIPA were to reenact mandatory communications data retention in primary legislation following the CJEU's invalidation of the EU Data Retention Directive, to expand (or as the government would have it clarify) the RIPA definition of telecommunications services and to give extraterritorial effect to RIPA's interception and communications data acquisition powers.
All these provisions, as well as the retention of IP address resolution data introduced by Section 21 of the Counter-Terrorism and Security Act 2015, expire on 31 December 2016. New legislation will have to be in place before then unless Parliament decides to defer the sunset date. The government said in July that it will publish a draft Bill in the autumn for pre-legislative scrutiny by a joint committee of Parliament and introduce the Bill into Parliament in the early part of 2016. 
The timetable has since been complicated by an earlier deadline of March 2016 for enacting EU Charter compliant communications data retention legislation set by the High Court decision in the Davis/Watson DRIPA judicial review proceedings. Whether that will be revisited on an appeal remains to be seen.
-     Journalistic privilege.  News broke in September and October 2014 that police had been using their RIPA communications data powers to access journalists' data and identify their sources. This led to an inquiry and report by the Interception of Communications Commissioner published in February 2015, recommending that judicial authorisation must be obtained where communications data is sought to determine the source of journalistic information. So far this has been addressed by a revision to the Communications Data Acquisition Code of Practice, laying down that applications to court under the Police and Criminal Evidence Act 1984 should be used until such time as there is specific legislation to provide judicial authorisation. The Bill can be expected to contain specific provisions.
-     Invalidation of EU Data Retention Directive. In April 2014 the CJEU Digital Rights Ireland decision invalidated the EU Data Retention Directive.  That led in the UK to DRIPA and then to the so far successful court challenge to DRIPA by David Davis MP and Tom Watson MP. Any new legislation will have to comply with the DRI decision.  The closer to the wind the government chooses to sail in the Bill, the more vulnerable the new legislation will be to a further court challenge.  The Davis/Watson case will have brought home to the government that, unlike complaints under the Human Rights Act, a complaint of incompatibility with the EU Charter can result in primary UK legislation being disapplied.
-     Snowden fallout. The Snowden revelations spawned various challenges to surveillance and similar activities, both domestic and in complaints to the European Court of Human Rights. The Investigatory Powers Tribunal found that there was a historic breach of ECHR Article 8 in respect of receipt of PRISM and (allegedly) UPSTREAM data from the NSA, since (prior to disclosure of internal GCHQ rules during the proceedings) there was no sufficiently clear and accessible law governing it. The IPT proceedings also revealed a previously unknown government interpretation of RIPA. Indirectly Snowden gave rise to the three investigatory powers reviews and to general acceptance that more transparency, or at least translucency, will be required in the future.
-     Encryption. Prime Minister David Cameron has criticised the use of encryption that law enforcement and intelligence agencies may not be able to break: "In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to listen in on mobile communications, ... The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not."

Part III of RIPA already contains powers to require decryption of information by someone who has a key. However ISPs, platforms and consumer software providers often do not have, and never have had, an encryption key in their possession that could decrypt their customers’ communications.  

Mr Cameron says he believes in ‘very clear front doors through legal processes’ not ‘back doors’. Techies are hard put to understand the difference, pointing out that there is no such thing as a door through which only law enforcement can enter.  Where this may end up is anyone’s guess.

-     Intermediaries. In a related vein Mr Cameron said on 20 July that platforms and intermediaries should do more to help identify potential terrorists on their platforms, demanding that Silicon Valley should wave its technology magic wand to make it happen. Whether anything of this nature will find its way into the new legislation is unclear. Legislative action would face a formidable hurdle in Article 15 of the EU Electronic Commerce Directive, which prohibits Member States from imposing general monitoring obligations on conduits, caches and hosts.

According to taste, Article 15 is either an outdated provision that should be revisited in the light of the advent of social media, or a prescient piece of legislation that foresaw the still relevant need to prevent Member State governments being tempted to use intermediaries as information choke points.
