Monday 13 July 2015

Red lines and no-go zones - the coming surveillance debate

The first in a series of posts on the forthcoming Investigatory Powers Bill.

Next: Legal and policy origins

The government is gearing up for a rewrite of the UK's telephone and internet surveillance laws. RIPA, the Regulation of Investigatory Powers Act, is 15 years old. Some think RIPA gives law enforcement, intelligence agencies and public authorities the ability to intrude too far into private communications, especially through the bulk collection powers routinely used by GCHQ. Others argue that RIPA has been overtaken by technology and needs to be reinforced to maintain existing capabilities, or that existing powers should be extended.

One thing everyone agrees upon is that RIPA is incomprehensible and needs to be rewritten. Its interaction with other legislation governing the intelligence and security agencies is, in the words of the Intelligence and Security Committee of Parliament, "absurdly complicated".  David Anderson QC, the Independent Reviewer of Terrorism Legislation, said in his recent report 'A Question of Trust':
"RIPA, obscure since its inception, has been patched up so many times as to make it incomprehensible to all but a tiny band of initiates. A multitude of alternative powers, some of them without statutory safeguards, confuse the picture further. This state of affairs is undemocratic, unnecessary and in the long run intolerable." [35]
The Anderson Report, commissioned under the Data Retention and Investigatory Powers Act 2014 (DRIPA), was debated in the House of Commons on 25 June and in the House of Lords on 8 July. It is the second of three reports presaging a new Investigatory Powers Bill, to be published in draft this autumn for pre-legislative scrutiny by a Joint Parliamentary Committee. The other reports are the Intelligence and Security Committee of Parliament report published in March and the Royal United Services Institute report 'A Democratic Licence to Operate' to be launched on 14 July. The Bill itself is to be introduced in Parliament early in 2016. 

The Anderson Report is lengthy: 373 pages and 124 separate recommendations.   It ranges from matters of principle to the arcane detail of the existing legislation and the practices of the agencies and law enforcement.  As such it provides a solid reference point for all shades of opinion. 

The Report's recommendations mainly concern oversight and safeguards. Most attention has focused on the proposal that the power to issue warrants should be shifted from Ministers to independent Judicial Commissioners. The Report proposes no major curtailment of interception powers. With that has probably receded any realistic prospect that the forthcoming legislation will reduce existing powers, unless the government's hand is forced by some future human rights ruling.

Privacy campaigners were particularly disappointed that the Report did not recommend cessation of bulk collection and analysis, although the Report was careful not to offer a view on whether, as a matter of human rights law, those powers are proportionate. GCHQ makes use of serial warrants under Section 8(4) of RIPA to capture from transatlantic cables and process (according to the Snowden documents) 40 billion data items a day. The Report's most significant recommendation in this area is to suggest a communications data only bulk interception warrant, to be used where a full Section 8(4) warrant collecting both content and communications data is unnecessary.

The new legislation is likely to cover a broad canvas.  It will have to deal with interception offences and warrants, communications data acquisition and mandatory communications data retention.   It is also likely to include powers to demand decryption and to engage in CNE (computer network exploitation, or hacking).

In future articles I will pick out some specific points to look for.  First, some matters of principle.

Competing principles
The Report identifies five principles that should underpin investigatory powers:  minimise no-go areas, limited powers, rights compliance, clarity and a unified approach.

The key passages are those in which the Report seeks to reconcile the competing first and second principles: on the one hand that law enforcement and intelligence agency no-go areas should be minimised as far as possible; but on the other hand that their powers need to be limited in the interests of privacy.

Limited powers - the red line principle
The Report squarely confronts the issue of limited powers. It is not necessarily enough to clothe any given investigative power, however far-reaching, in a comforting cocoon of controls, safeguards and oversight.  Some powers may be too intrusive and repugnant to be acceptable on any terms:
"Firm limits must also be written into the law: not merely safeguards, but red lines that may not be crossed."    
"Some might find comfort in a world in which our every interaction and movement could be recorded, viewed in real time and indefinitely retained for possible future use by the authorities. Crime fighting, security, safety or public health justifications are never hard to find." [13.19] 
The Report then gives examples, such as a perpetual video feed from every room in every house, the police undertaking to view the record only on receipt of a complaint; blanket drone-based surveillance; licensed service providers, required as a condition of the licence to retain within the jurisdiction a complete plain-text version of every communication to be made available to the authorities on request; a constant data feed from vehicles, domestic appliances and health-monitoring personal devices; fitting of facial recognition software to every CCTV camera and the insertion of a location-tracking chip under every individual's skin.

It goes on:
"The impact of such powers on the innocent could be mitigated by the usual apparatus of safeguards, regulators and Codes of Practice. But a country constructed on such a basis would surely be intolerable to many of its inhabitants. A state that enjoyed all those powers would be truly totalitarian, even if the authorities had the best interests of its people at heart." [13.20]   
"[T]he crucial objection is that of principle. Such a society would have gone beyond Bentham's Panopticon (whose inmates did not know they were being watched) into a world where constant surveillance was a certainty and quiescence the inevitable result. There must surely come a point (though it comes at different places for different people) where the escalation of intrusive powers becomes too high a price to pay for a safer and more law abiding environment." [13.21]

Minimising no-go areas
Juxtaposed against the red line principle is Anderson's first principle: minimising no-go areas for law enforcement as far as possible, whether in the physical or the digital world.
"My first principle applies in the physical sphere. If the State is to discharge its primary duty of protecting its population, it needs the power to do the most sensitive things that can be imagined: bug a bedroom, search a safe, trick a person into a relationship, read a personal diary, eavesdrop on a conversation between lawyer and client or journalist and source. None of those things will be appropriate save in exceptional and occasional circumstances. Even then, they may well be completely impracticable to implement. But the issue is when it should be lawful to exercise such powers, not whether they should exist at all. [13.10]  
The same is true of the digital sphere. There may be all sorts of reasons - not least, secure encryption - why it is not physically possible to intercept a particular communication, or track a particular individual. But the power to do so needs to exist, even if it is only usable in cases where skill or trickery can provide a way around the obstacle. Were it to be otherwise, entire channels of communication could be reduced to lawless spaces in which freedom is enjoyed only by the strong, and evil of all kinds can flourish. [13.11]
This does not mean that state access to communications should be made easy.  Far preferable, on any view, is a law-based system in which encryption keys are handed over (by service providers or by the users themselves) only after properly authorised requests. [13.12] 
But in an imperfect world, in which many communications threatening to the UK are conducted over services whose providers do not or cannot comply with such requests, there is a compelling public interest in being able to penetrate any channel of communication, however partially or sporadically. Paedophiles should not be able to operate on the dark net with guaranteed impunity, and terrorists should not be able to render themselves undetectable simply by selecting an app on which their communications history will never be known even to the provider. Hence the argument for permitting ingenious or intrusive techniques (such as bulk data analysis or CNE) which may go some way towards enabling otherwise insuperable obstacles to be circumvented. Hence, also, the argument for requiring certain data to be retained so that they can be used in piecing together a crime after the event."  [13.13]
The Report records Law Enforcement as urging that no-go areas are unacceptable:
"The principle of policing by consent is applied by the police to the digital world, where it refers to the use of techniques that command general acceptance. I was told that just as the public would not accept the existence of physical no-go zones in towns and cities, so they expect the police to have the capacity, in appropriate cases and when duly authorised, to trace any kind of communication." [9.8]
If the goal of law enforcement is to eliminate impracticabilities in the digital world, that goes further than Anderson's first principle.  Anderson acknowledges that in both the physical and digital world a power may be impracticable to implement.  In the House of Lords debate Lord Blair cited the Loch Lomond effect, an incident in which police officers in pursuit of terrorists, tracking them by their mobile phones, lost contact in a notorious mobile dead spot around Loch Lomond.   Self-evidently this was due not to insufficient police powers, but to incomplete mobile coverage. 

Lord Blair used Loch Lomond as a metaphor for loss of capability due to technological change if the Anderson recommendations were not implemented. But the Loch Lomond metaphor would resonate more strongly with a demand that mobile non-spots should be filled in to aid law enforcement. That is paralleled in the digital world where, as often as not, the demand is for more comprehensive data to be retained and even generated for the benefit of law enforcement. In the physical world the more traditional notion of liberty is that law enforcement takes the world as it finds it, imperfections and all.

The claim that in the physical world the public would not accept no-go zones in towns and cities demands careful scrutiny. Towns and cities are full of physical no-go zones for law enforcement, protected by the law.  Our liberty depends on them. While the police may patrol where they wish in public areas like the streets, private homes and premises are off limits. The police may not enter without consent or a targeted warrant, or in exceptional situations such as a breach of the peace, saving life or preventing serious damage to property. Even on the public streets the police do not have free rein. They are constrained by law in what they may do to people and their vehicles.  

It will of course be said that law enforcement does not claim the power to roam freely through our private online spaces, but to enter only in carefully defined and limited circumstances when necessary and proportionate and subject to extensive safeguards and oversight. Even accepting that characterisation (and many would not in respect of bulk collection and mandatory communications data retention), it is pertinent to recall the reach of physical world powers when considering the extent of powers demanded over our online private spaces. 

In our private houses we do not generally have to let the police in without a warrant. We are not required to keep the curtains open so that they can check whether we are up to no good.  We do not have to make and retain a record, to be produced on demand, of our movements, of our visitors, of those with whom we have spoken or of the books and magazines that we have read. We do not have to leave a front door key at the local police station, nor a key to the locked drawer in the desk.  We do not have to pass through a security scanner when we exit our front door. If the police obtain a search warrant it is specific, not general. These private no-go zones for law enforcement are essential to our traditional notion of liberty. The public, unless it has already subsided into a state of supine acquiescence, would not accept otherwise.

The golden period
In today's mobile era we unconsciously create and leave behind us minute by minute traces of everything we do. Law enforcement submissions to the Anderson Review hint at digital technology's gift of an unprecedented amount of data:
"As a senior counter-terrorism officer put it to me: 'We have had 15 years of digital coverage being the main thing - a golden period. But the way people run their lives is not so accessible to us now.'" [9.36]
Lord Paddick, speaking of the IRA era in the House of Lords debate, reinforced the impression:
"Fixed-line and mobile communication data, including text messaging and who was contacting who, from where and at what time, could easily be accessed because mobile phone service providers need this information so that they can bill the customer.
As Anderson says, quoting from one of the Snowden documents, we were in a golden age in terms of the accessibility of intelligence - never before had the police and the security services had such a wealth of information about the communication between criminals, terrorists or otherwise."
The golden period of bountiful data came into existence unnoticed by the general public, an accidental by-product of digital technology that may empirically have altered the balance between intrusive powers and privacy even if the powers themselves remained the same. 

Anderson relates that:
"the NCA and police see their current [communications data acquisition] powers as, in large part, a translation of that well-established resource [(phone logs)] into the current age. Indeed they fear its dilution…" [9.32]
Is what we are seeing now less a dilution of traditional powers and more a reversion to the position that obtained in the physical world before the serendipitous golden age? When law enforcement speak of wishing only to keep pace with technology, of dilution of powers, or of needing a wider range of techniques to gain comparable insight, the baseline against which the comparison is being made has to be carefully examined. 

Anderson records that:
"law enforcement does want a record to exist of an individual's interaction with the internet to which it can obtain access" [9.61]
Law enforcement, seeking to preserve its golden age, appears to be on a quest for perfect traceability - a goal that we can confidently predict will remain tantalisingly out of reach. The problem with setting an unattainable goal is that there is no end to the powers that can be demanded in its fruitless pursuit.  It has already taken law enforcement and the intelligence agencies beyond anything that the public would accept in the private zones of the physical world. 
Granted, unlike in the physical world a vast amount of digital data comes into existence in any event. That is what ushered in the golden period.  It is said that it would be negligent not to empower law enforcement and the agencies to make use of it.  That still begs the question whether the data should be swept up for the benefit of law enforcement like leaves in the public streets, or whether it should be treated as part of the contents of a private house.  One points to bulk collection and retention, the other to targeted preservation and access.

Hogan J in the High Court of Ireland case of Schrems suggested that our electronic communications are an extension of the home:
"By safeguarding the inviolability of the dwelling, Article 40.5 provides yet a further example of a leitmotif which suffuses the entire constitutional order, namely, that the State exists to serve the individual and society and not the other way around."   
"In this regard, it is very difficult to see how the mass and undifferentiated accessing by State authorities of personal data generated perhaps especially within the home - such as e-mails, text messages, internet usage and telephone calls - would pass any proportionality test or could survive constitutional scrutiny on this ground alone. The potential for abuse in such cases would be enormous and might even give rise to the possibility that no facet of private or domestic life within the home would be immune from potential State scrutiny and observation."
Should our internet life be treated, for privacy purposes, as taking place within the home?  We tolerate intrusive measures in a sensitive public area such as an airport. That does not mean that the same would be acceptable in the home. If our communications are an extension of the home, then to turn our smartphones and the internet into the equivalent of an airport security zone would surely cross a red line.

On the coat tails of the private sector
One response (ventilated in the Anderson report at [8.104] to [8.106]) to the question of how far communications should be treated as an extension of the private home is that we already share our data with many internet and social media companies and that the needs of the state may be thought to be more pressing than the profit-making aims of commercial companies. In a related vein, GCHQ's Technical Director recently said: "At its heart, the internet economy is fundamentally incompatible with privacy."
But however often we may decide to share data with an internet company, and however constrained some may regard our freedom of action to be when dealing with internet companies, we make that choice to engage with another private entity.  It is hard to see why that should affect our expectation of privacy as against the coercive powers of the state. If we let a stranger into our home the invitation does not implicitly extend to state agencies.  Nor is the state thereafter entitled to treat that home as any less of a private space for law enforcement purposes.  If the argument is that law enforcement and intelligence agencies should be freer to harvest and analyse our data because of what Silicon Valley companies do, that is to ignore the fundamental difference between consensual transactions of private actors and the coercive activities of the state.

International human rights standards
Anderson recognises that combining his first and second principles is not easy:
"It may be objected that the result in combination of my first two principles is uncertain. They would deprive criminals of sanctuary, whilst imposing limitations (for the protection of the innocent) on the methods that can be used to catch them. [13.22]  
To that, I would answer as follows: 
(a) It is how things are: criminals and enforcers are locked in a digital arms race, where neither can be sure of having the upper hand. 
(b) It is how things should be. When no human institution is perfect, and when the great majority of those using private communications enhance blameless lives by doing so, it is right that there should be legal limits on when and how those communications may be intruded upon. That is so, even if those limits from time to time diminish the effectiveness of law enforcement and result in more bad things happening than would otherwise be the case." [13.23]
He observes that:
"Understanding the need for legal limits on state power is easier than knowing where those limits are to be placed." [13.24]
To resolve that conundrum he turns to the principle of respect for internationally guaranteed human rights and freedoms. Assuming that a law is sufficiently clear and foreseeable, the balancing of security and privacy is founded on the concepts of necessity and proportionality. Anderson recognises their limitations:
"As a means of imposing strict limits on state power   they are less certain, and more contestable, than hard-edged rules of a more absolute nature would be. [13.28]  
This highlights the vital importance of ensuring that where potentially intrusive powers are concerned, the necessity and proportionality tests are applied according to a thorough set of criteria, and in an independent spirit." [13.29] 
In his recommendations Anderson has himself gone beyond human rights requirements, aiming to produce a modern, fair and workable law, not just one that may hope to survive future court scrutiny [13.30]. Anderson's most eye-catching recommendation - judicial approval of warrants - is not at present required by Strasbourg human rights law.

That aptly illustrates the difficulty of relying only on human rights law to reconcile conflicting principles of minimising no-go areas and limiting powers. At least where direct interference by the state is concerned, human rights law sets only minimum standards. Compliance with minimum standards may still produce a result that does not live up to the best traditions of a liberal society.

Ultimately, as Anderson acknowledges, different people will draw their red lines in different places.  Many will argue that the red line should be drawn short of empowering bulk collection of communications and mandatory communications data retention, just as comparable powers and requirements do not exist and would be unacceptable within the private home in the physical world.

Extended powers?
These issues are significant when we look to the future. The Anderson report suggests that at least in some respects the State's appetite for capturing and analysing bulk data is likely to spread further into the domestic arena:
"The Agencies also anticipate that domestic security work will increasingly rely on the use of bulk data, including the examination of communications data within the UK. The spread of encryption and the multiplicity of identities used online by individuals mean that the kind of target search and discovery familiar from overseas operations will be needed in the domestic sphere." [10.24]
Concomitantly, there could be pressure to extend the use of such powers from the intelligence agencies to conventional law enforcement:
"There are still investigatory powers that only the security and intelligence agencies deploy: notably bulk data collection and CNE. I have not suggested that this should change. But as technology develops, bulk data analysis (notably by private companies) becomes a standard feature of everyday life and digital investigation techniques become more widespread, the trend may prove to be towards convergence rather than the reverse." [13.42]
The Anderson Report has recommended no significant limitation of existing powers, but has focused on the need for a compelling case to be made for their extension. Realistically the forthcoming draft Bill is unlikely to contain any significant curtailment of powers unless that is forced by a future court ruling. It is most likely to revolve around greater powers, future-proofing, transparency, judicial warrants and improved oversight and safeguards.

Future articles will delve into some specific areas to look out for in the draft Bill.

[14 August 2015. Age of RIPA corrected from 16 to 15 years. 'European' human rights law changed to 'Strasbourg' for clarity. References to a future second article changed to a series of articles.]