One of a series of posts on the forthcoming Investigatory Powers Bill
This autumn the UK government will publish its draft
Investigatory Powers Bill for pre-legislative scrutiny by a Joint Parliamentary
committee. The new legislation will replace the much criticised Regulation of
Investigatory Powers Act (RIPA), which since 2000 has regulated the
interception and communications data acquisition activities of law enforcement
and the security and intelligence agencies. It will also revisit the
communications data retention regime currently embodied in the Data Retention
and Investigatory Powers Act 2014 (DRIPA).
The new legislation will draw on three separate published
reviews of investigatory powers by the Intelligence and Security Committee of Parliament, by the Independent Reviewer of Terrorism Legislation David Anderson
Q.C. and by a Panel established by the Royal United Services Institute. It will also have to take into account an
accumulated body of adverse court and Investigatory Powers Tribunal decisions,
a critical report by the Interception of Communications Commissioner and several
pending challenges in the European Court of Human Rights.
In ‘Redlines and No-go zones’
I discussed how far the authorities should in principle be able to go in
capturing, analysing and examining the content of our communications and
associated communications data.
Now we can look in our crystal
ball and try to discern some of the specific content of the draft Bill, which I
will do in a series of connected posts.
The issue that has so
far occupied the headlines is whether to move from political to judicial
authorisation of interception warrants. Anderson and the RUSI report have both
come out in favour of some form of judicial approval system. The ISC report opted
for continuing with Ministerial warrants.
Whichever way the
government jumps on judicial approval, the Bill is certain to feature improved
oversight. Independent oversight is
desirable in its own right and necessary for human rights compliance. However it is not a panacea. A far reaching power may still be so
repugnant as to cross a red line even if counterbalanced by oversight,
safeguards and a Minister or judge’s belief that the exercise of the power is necessary
and proportionate.
In this series of posts I will focus on the substantive
scope of the powers rather than on oversight mechanisms. The substantive powers are the most difficult
and confusing area, yet lie at the heart of the legislation.
Two of the most hotly disputed existing powers are bulk
interception warrants under section 8(4) of RIPA and mandatory retention of communications
data by ISPs and internet companies under DRIPA. Since none of the investigatory powers reviews
has proposed abolishing either of these, it is a safe bet that despite
continuing objections from privacy and civil liberties advocates both will
reappear in some form unless a final human rights court ruling forces the
government’s hand.
On that note, in July the English High Court ruled in favour
of MPs David Davis and Tom Watson’s
challenge to the communications data retention elements of DRIPA. The court disapplied the provisions on three
grounds of non-compliance with the EU Charter of Fundamental Rights, but deferred
its order until March 2016 to enable the government to bring forward new
legislation. The government has said it will appeal. The European Court of
Human Rights is due to hear various Snowden-related challenges and the UK’s Investigatory Powers Tribunal has issued decisions adverse
to the government which will influence some aspects of the Bill.
Several coalescing policy and legal channels will feed into the
Bill.
- Revived Communications Data Bill. In June 2012 the coalition government
published a draft Communications Data Bill, popularly dubbed the Snoopers
Charter (a description contested by its supporters and some neutrals). The CDB
would have significantly extended communications data retention obligations, would
for the first time have required CSPs to generate specified types of
communications data and to put in place specific communications data retention technical capabilities, and would
have introduced a ‘request filter’
(a horizontal search facility across data retained by multiple providers). Much of the substance of the CDB was to be
delegated to secondary legislation and, a layer below that, to notices
issued by the Secretary of State to communications providers and others.
It was said that the CDB was needed to plug a growing capability gap suffered by
the investigatory authorities. The draft Bill and the evidence put forward in
its support were roundly criticised by a Joint Parliamentary Committee in
December 2012. The CDB proceeded no
further, other than the introduction of powers in the Counter-Terrorism and Security
Act 2015 to mandate retention of so-called IP address resolution data.
Since the enactment of RIPA in 2000 the volume, frequency and richness of communications
data has increased out of all recognition, particularly as a result of the ubiquity
of mobile devices. Many argue that as a result the privacy implications of
collecting and accessing communications data can be as great as for content.
Certainly communications data can be at least as useful as content. The ISC Report notes the ISC's surprise at
discovering that the primary value to GCHQ of bulk interception was “not in reading the actual content of
communications, but in the information associated with those communications”. [80]
Home Secretary Theresa May said after the May 2015 general election that the government
“would be giving the security agencies and law enforcement agencies the powers that
they need to ensure they’re keeping up to date as people communicate with communications data” and that it intends to bring through
the legislation that it was prevented from introducing during the Coalition.
Just what that may mean in concrete terms is not yet clear, especially since
there are hints in the Anderson Report that the security and law enforcement
agencies may be pushing less strongly for some of the CDB powers.
- DRIPA sunset. In July 2014 the coalition government rushed
the Data Protection and Investigatory Powers Act through Parliament in four
days. The main purposes of DRIPA were to
reenact mandatory communications data retention in primary legislation
following the CJEU’s invalidation of the EU Data Retention Directive, to expand (or as the
government would have it ‘clarify’) the RIPA definition of telecommunications
services and to give extraterritorial effect to RIPA’s interception and communications data
acquisition powers.
All these provisions, as well as the retention of IP address resolution data
introduced by Section 21 of the Counter-Terrorism and Security Act 2015, expire
on 31 December 2016. New legislation will have to be in place before then
unless Parliament decides to defer the sunset date. The government said in July
that it will publish a draft Bill in the autumn for pre-legislative scrutiny by
a joint committee of Parliament and introduce the Bill into Parliament in the
early part of 2016.
The timetable has since been complicated by an earlier deadline of March 2016 for
enacting EU Charter compliant communications data retention legislation set by the
High Court decision in the Davis/Watson DRIPA judicial review proceedings.
Whether that will be revisited on an appeal remains to be seen.
- Journalistic privilege. News broke in September and October 2014 that
police had been using their RIPA communications data powers to access
journalists’ data and identify their sources. This led to an inquiry and report by the Interception of Communications Commissioner published in February 2015,
recommending that judicial authorisation must be obtained where communications
data is sought to determine the source of journalistic information. So far this has been addressed by a revision
to the Communications Data Acquisition Code of Practice, laying down that
applications to court under the Police and Criminal Evidence Act 1984 should be
used until such time as there is specific legislation to provide judicial
authorisation. The Bill can be expected to contain specific provisions.
- Invalidation of EU Data Retention Directive. In April 2014 the CJEU Digital
Rights Ireland decision invalidated the EU Data Retention Directive. That led in the UK to DRIPA and then to the
so far successful court challenge to DRIPA by David Davis MP and Tom Watson MP.
Any new legislation will have to comply with the DRI decision. The closer to
the wind the government chooses to sail in the Bill, the more vulnerable the new
legislation will be to a further court challenge. The Davis/Watson case will have brought home
to the government that, unlike complaints under the Human Rights Act, a
complaint of incompatibility with the EU Charter can result in primary UK legislation
being disapplied.
- Snowden fallout. The Snowden revelations spawned various challenges to surveillance and similar activities, both domestic and in
complaints to the European Court of Human Rights. The Investigatory Powers Tribunal found that
there was a historic breach of ECHR Article 8 in respect of receipt of PRISM and
(allegedly) UPSTREAM data from the NSA, since (prior to disclosure of internal GCHQ
rules during the proceedings) there was no sufficiently clear and accessible law
governing it. The IPT proceedings also
revealed a previously unknown government interpretation of RIPA. Indirectly
Snowden gave rise to the three investigatory powers reviews and to general
acceptance that more transparency, or at least translucency, will be required
in the future.
- Encryption. Prime Minister David Cameron has criticised the use of encryption that law enforcement and intelligence agencies may not be able to break: "In extremis, it has been possible to read someone’s letter, to listen to
someone’s call, to listen in on mobile communications, ... The question
remains: are we going to allow a means of communications where it simply is not
possible to do that? My answer to that question is: no, we must not."
Part III of RIPA already contains powers to require
decryption of information by someone who has a key. However ISPs, platforms and
consumer software providers often do not have, and never have had, an
encryption key in their possession that could decrypt their customers’
communications.
Mr Cameron says he believes in ‘very clear front doors through legal processes’ not ‘back doors’. Techies are hard put to
understand the difference, pointing out that there is no such thing as a door
through which only law enforcement can enter.
Where this may end up is anyone’s guess.
- Intermediaries. In a related vein Mr Cameron
said on 20 July that platforms and intermediaries should do more to help identify potential terrorists on their platforms, demanding that Silicon Valley should wave its technology magic wand to make it happen. Whether anything of this nature
will find its way into the new legislation is unclear. Legislative action would
face a formidable hurdle in Article 15 of the EU Electronic Commerce Directive,
which prohibits Member States from imposing general monitoring obligations on
conduits, caches and hosts.
According to taste, Article 15
is either an outdated provision that should be revisited in the light of the advent of social
media, or a prescient piece of legislation that foresaw the still relevant need to prevent
Member State governments being tempted to use intermediaries as information choke points.