Saturday, 31 December 2016

The Investigatory Powers Act - swan or turkey?

The Investigatory Powers Bill, now the newly minted Investigatory Powers Act, has probably undergone more scrutiny than any legislation in recent memory. Rarely, though, can the need for scrutiny have been so great.

Over 300 pages make up what then Prime Minister David Cameron described as the most important Bill of the last Parliament. When it comes into force the IP Act will replace much of RIPA (the Regulation of Investigatory Powers Act 2000), described by David Anderson Q.C.’s report A Question of Trust as ‘incomprehensible to all but a tiny band of initiates’. It will also supersede a batch of non-RIPA powers that had been exercised in secret over many years - some, so the Investigatory Powers Tribunal has found, on the basis of an insufficiently clear legal framework. 
None of this would have occurred but for the 2013 Snowden revelations of the scale of GCHQ’s use of bulk interception powers. Two years post-Snowden the government was still acknowledging previously unknown (except to those in the know) uses of opaque statutory powers. 
Three Reviews and several Parliamentary Committees later, it remains a matter of opinion whether the thousands of hours of labour that went into the Act have brought forth a swan or a turkey. If the lengthy incubation has produced a swan, it is one whose feathers are already looking distinctly ruffled following the CJEU judgment in Watson/Tele2, issued three weeks after Royal Assent. That decision will at a minimum require the data retention aspects of the Act to be substantially amended. 
So, swan or turkey?
Judicial approval
On the swan side warrants for interception and equipment interference, together with most types of power exercisable by notice, will be subject to prior approval by independent Judicial Commissioners. For some, doubts persist about the degree of the scrutiny that will be exercised. Nevertheless judicial approval is a significant improvement on current practice whereby the Secretary of State alone takes the decision to issue a warrant.
Codified powers
Also swan-like is the impressive 300 page codification of the numerous powers granted to law enforcement and intelligence agencies. A Part entitled ‘Bulk warrants’ is a welcome change from RIPA’s certificated warrants, which forced the reader to play hopscotch around a mosaic of convoluted provisions before the legislation would give up its secrets.
Granted, the IP Act also ties itself in a few impenetrable knots. Parts are built on shaky or even non-existent definitional foundations. But it would be churlish not to acknowledge the IP Act’s overall improvement over its predecessors. 
Parliamentary scrutiny
When we move to consider the Parliamentary scrutiny of bulk powers things become less elegant.
The pre-legislative Joint Committee acknowledged that the witnesses were giving evidence on the basis of incomplete information. In response to the Joint Committee’s recommendation the government produced an Operational Case for Bulk Powers alongside the Bill’s introduction into Parliament. That added a little light to that which A Question of Trust had previously shed on the use of bulk powers. 
But it was only with the publication of David Anderson’s Bulk Powers Review towards the end of the Parliamentary process that greater insight into the full range of ways in which bulk powers are used was provided from an uncontroversial source. (By way of example ‘selector’ - the most basic of bulk interception terms - appears 27 times in the Bulk Powers Review, five times in A Question of Trust and twice in the Operational Case, but not at all in either the Joint Parliamentary Scrutiny Committee Report or the Intelligence and Security Committee Report.)
By the time the Bulk Powers Review was published it was too late for the detailed information within it to fuel a useful Parliamentary debate on how any bulk powers within the Act should be framed. David Anderson touched on the timing when he declined to enter into a discussion of whether bulk powers might be trimmed:
“I have reflected on whether there might be scope for recommending the “trimming” of some of the bulk powers, for example by describing types of conduct that should never be authorised, or by seeking to limit the downstream use that may be made of collected material. But particularly at this late stage of the parliamentary process, I have not thought it appropriate to start down that path. Technology and terminology will inevitably change faster than the ability of legislators to keep up. The scheme of the Bill, which it is not my business to disrupt, is of broad future-proofed powers, detailed codes of practice and strong and vigorous safeguards. If the new law is to have any hope of accommodating the evolution of technology over the next 10 or 15 years, it needs to avoid the trap of an excessively prescriptive and technically-defined approach.”
In the event the legislation was flagged through on the Bulk Powers Review’s finding that the powers have a clear operational purpose and that the bulk interception power is of vital utility.
Fully equipped scrutiny at an early stage of the Parliamentary process could have resulted in more closely tailored bulk powers. As discussed below (“Vulnerability to legal challenge”) breadth of powers may come back to haunt the government in the courts.
Mandatory data retention
Views on expanded powers to compel communications data retention are highly polarised. But swan or turkey, data retention will become an issue in the courts. The CJEU judgment in Watson/Tele2, although about the existing DRIPA legislation, will require changes to the IP Act. How extensive those changes need to be will no doubt be controversial and may lead to new legal challenges. So, most likely, will the extension of mandatory data retention to include generation and obtaining of so-called internet connection records: site-level web browsing histories.  
Many would say that officially mandated lists of what we have been reading, be that paper books or websites, cross a red line. In human rights terms that could amount to failure to respect the essence of privacy and freedom of expression: a power that no amount of necessity, proportionality, oversight or safeguarding can legitimise.
Limits on powers v safeguards
The Act is underpinned by the assumption that breadth of powers can be counterbalanced by safeguards (independent prior approval, access restrictions, oversight) and soft limits on their exercise (necessity and proportionality). 
Those may provide protection against abuse. That is of little comfort if the objection is to a kind of intended use: for instance mining the communications data of millions in order to form suspicions, rather than starting with grounds for specific suspicion.
The broader and less specific the power, the more likely it is that some intended but unforeseen or unappreciated use of it will be authorised without prior public awareness and consent. That happened with S.94 of the Telecommunications Act 1984 and, arguably, with bulk interception under RIPA. Certainly, the coming together of the internet and mobile phones resulted in a shift in the intrusion and privacy balance embodied in the RIPA powers. This was facilitated by the deliberate future-proofing of RIPA powers to allow for technological change, an approach repeated (not to its benefit, I would argue) in the IP Act.
In A Question of Trust David Anderson speculated on a future Panopticon of high tech intrusive surveillance powers:
“Much of this is technically possible, or plausible. The impact of such powers on the innocent could be mitigated by the usual apparatus of safeguards, regulators and Codes of Practice. But a country constructed on such a basis would surely be intolerable to many of its inhabitants. A state that enjoyed all those powers would be truly totalitarian, even if the authorities had the best interests of its people at heart.”
He went on to say, in relation to controlling the exercise of powers by reference to fundamental rights principles of necessity and proportionality:
“Because those concepts as developed by the courts are adaptable, nuanced and context-specific, they are well adapted to balancing the competing imperatives of privacy and security. But for the same reasons, they can appear flexible, and capable of subjective application. As a means of imposing strict limits on state power (my second principle, above) they are less certain, and more contestable, than hard-edged rules of a more absolute nature would be.”
The IP Act abjures hard-edged rules. Instead it grants broad powers mitigated by safeguards and by the day to day application of soft limits: necessity and proportionality.
The philosophy of granting broad powers counterbalanced by safeguards and soft limits reflects a belief that, because the UK has a long tradition of respect for liberty, we can and should trust our authorities, suitably overseen, with powers that we would not wish to see in less scrupulous hands. 
Another view is that the mark of a society with a long tradition of respect for liberty is that it draws clear red lines. It does not grant overly broad or far-reaching powers to state authorities, however much we may believe we can trust them (and their supervisors) and however many safeguards against abuse we may install. 
Both approaches are rooted in a belief (however optimistic that may sometimes seem) that our society is founded on deeply embedded principles of liberty. Yet they lead to markedly different rhetoric and results.
Be that as it may, the IP Act grants broad general powers. Will the Act foster trust in the system that it sets up? 
The question of trust
David Anderson’s original Review was framed as “A Question of Trust”. Although we may believe a system to be operated by dedicated public servants of goodwill and integrity, nevertheless for the sceptic the answer to the question of trust posed by intrusive state powers is found in a version of the precautionary principle: the price of liberty is eternal vigilance.
Whoever may have coined that phrase, the slavery abolitionist Wendell Phillips in 1852 emphasised that it concerns the people at large as well as institutions:
“Eternal vigilance is the price of liberty; … Only by continued oversight can the democrat in office be prevented from hardening into a despot; only by unintermitted agitation can a people be sufficiently awake to principle not to let liberty be smothered in material prosperity.”
Even those less inclined to scepticism may think that a system of broad, general powers and soft limits merits a less generous presumption of trust than specifically limited, concretely defined powers. 
Either way a heavy burden is placed on oversight bodies to ensure openness and transparency. To quote A Question of Trust: “…trust depends on verification rather than reputation, …”. 
One specific point deserves highlighting: the effectiveness of the 5 year review provided for by the IP Act will depend upon sufficient information about the operation of the Act being available for evaluation.
Hidden legal interpretations
Transparency brings us to the question of hidden legal interpretations. The Act leaves it up to the new oversight body whether or not proactively to seek out and publish material legal interpretations on the basis of which powers are exercised or asserted
That this can be done is evident from the 2014 Report of Sir Mark Waller, the Intelligence Services Commissioner, in which he discusses whether there is a legal basis for thematic property interference warrants. That, however, is a beacon in the darkness. Several controversial legal interpretations were hidden until the aftermath of Snowden forced them into public light. 
David Anderson QC in his post-Act reflections has highlighted this as a “jury is out” point, emphasising that “the government must publicise (or the new Commission must prise out of it)” its internal interpretations of technical or controversial concepts in the new legislation. In A Question of Trust he had recommended that public authorities should consider how they could better inform Parliament and the public about how they interpret powers.
Realistically we cannot safely rely on government to do it. The Act includes a raft of new secrecy provisions behind which legal interpretations of matters such as who applies end to end encryption (the service provider or the user), the meaning of ‘internet communications service’, the dividing line between content and secondary data and other contentious points could remain hidden from public view. It will be interesting to see whether the future Investigatory Powers Commission will make a public commitment to implement the proposal.
Vulnerability to legal challenge
In the result the Act is long on safeguards but short on limits to powers. This structure looks increasingly likely to run into legal problems. 
Take the bulk interception warrant-issuing power. It encompasses a variety of differing techniques. They range from real-time application of 'strong selectors' at the point of interception (akin to multiple simultaneous targeted interception), through to pure ‘target discovery’: pattern analysis and anomaly detection designed to detect suspicious behaviour, perhaps in the future using machine learning and predictive analytics. Between the two ends of the spectrum are seeded analysis techniques, applied to current and historic bulk data, where the starting point for the investigation is an item of information associated with known or suspected wrongdoing.
The Act makes no differentiation between these different techniques. It is framed at an altogether higher level: necessity for general purposes (national security, alone or in conjunction with serious crime or UK economic well-being), proportionality and the like.
Statutory bulk powers could be differentiated and limited. For instance distinctions could be made between seeded and unseeded data mining. If pattern recognition and anomaly detection is valuable for detecting computerised cyber attacks, legislation could specify its use for that purpose and restrict others. Such limitations could prevent it being used for attempting to detect and predict suspicious behaviour in the general population, Minority Report-style. 
  
The lack of any such differentiation or limitation in relation to specific kinds of bulk technique renders the Act potentially vulnerable to future human rights challenges. Human rights courts are already suggesting that if bulk collection is not inherently repugnant, then at least the powers that enable it must be limited and differentiated.
Thus in Schrems the CJEU (echoing similar comments in Digital Rights Ireland at [57]) said:
“…legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage … without any differentiation, limitation or exception being made in the light of the objective pursued.” (emphasis added)
The same principles are elaborated in the CJEU’s recent Watson/Tele2 judgment, criticising mandatory bulk communication data retention:
“It is comprehensive in that it affects all persons using electronic communication services, even though those persons are not, even indirectly, in a situation that is liable to give rise to criminal proceedings. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious criminal offences. Further, it does not provide for any exception, and consequently it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy ….
106 Such legislation does not require there to be any relationship between the data which must be retained and a threat to public security. In particular, it is not restricted to retention in relation to (i) data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime …” (emphasis added)
The CJEU is also due to rule on the proposed agreement between the EU and Canada over sharing of Passenger Names Records (PNR data). The particular interest of the PNR case is that the techniques intended to be applied to bulk PNR data are similar to the kind of generalised target discovery techniques that could be applied to bulk data obtained under the IP Act powers. As described by Advocate General Mengozzi in his Opinion of 8 September 2016 this involves cross-checking PNR data with scenarios or profile types of persons at risk:
“… the actual interest of PNR schemes … is specifically to guarantee the bulk transfer of data that will allow the competent authorities to identify, with the assistance of automated processing and scenario tools or predetermined assessment criteria, individuals not known to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security and who are therefore liable to be subjected subsequently to more thorough individual checks.”
AG Mengozzi recommends that the Agreement must (among other things):
- set out clear and precise categories of data to be collected (and exclude sensitive data)
- include an exhaustive list of offences that would entitled the authorities to process PNR data
- in order to minimise ‘false positives’ generated by automated processing, contain principles and explicit rules:
  • concerning scenarios, predetermined assessment criteria and databases with which PNR would be compared, which must
  • to a large extent make it possible to arrive at results targeting individuals who might be under a reasonable suspicion of participating in terrorism or serious transnational crime, and which must
  • not be based on an individual’s racial or ethnic origin, his political opinions, his religion or philosophical beliefs, his membership of a trade union, his health or his sexual orientation.
As bulk powers come under greater scrutiny it seems likely that questions of limitation and differentiation of powers will come more strongly to the fore. The IP Act’s philosophy of broad powers counterbalanced with safeguards and soft limits may have produced legislation too generalised in scope and reach to pass muster.

Success in getting broad generally framed powers onto the statute book, though it may please the government in the short term, may be storing up future problems in the courts. One wonders whether, in a few years’ time, the government will come to regret not having fashioned a more specifically limited and differentiated set of powers.

[Amended 31 December 2016 to make clear that not all of RIPA is replaced.]

1 comment:

  1. Despite your reservations, I still think the IP Bill is a welcome step in the right direction.

    ReplyDelete