Wednesday 12 August 2015

The Coming UK Surveillance Debate: Bulk interception, Part 1

One of a series of posts on the forthcoming Investigatory Powers Bill


GCHQ’s bulk communications interception activity was one of the most significant of the Snowden revelations. Serially renewed Ministerial warrants under RIPA Section 8(4) are the authority under which GCHQ is able to conduct its TEMPORA programme, capturing communications in bulk from transatlantic fibreoptic cables.  The programme was said to process 40 billion items a day in 2012.  For more about the Section 8(4) warrant, see here and here.

The ISC report recorded, as at 12 December 2014, 18 Section 8(4) warrants covering interception with the assistance of ISPs and one covering GCHQ’s own interception operations.  The subsequent Anderson Report recorded 20 Section 8(4) warrants, as did the Interception of Communications Commissioner’s Annual Report as at 31 December 2014. 

The most fundamental question about Section 8(4) is whether a power to harvest communications in bulk and then fish for suspicious material in the resulting information pool should exist at all. 

The ISC report ([viii] and [70]) rejects any suggestion that Section 8(4) legitimises fishing expeditions (in the sense of analysts searching freely).  Certainly Section 8(4) does not, as the Interception Commissioner has said, permit random trawling of communications.  To continue the metaphor, RIPA places limits on what GCHQ can fish for in the pool and on the kinds of hook that it can use. But a Section 8(4) warrant is nonetheless a broad permit to go fishing for suspicious material in the pool of captured communications and associated communications data - a pool containing both external (at least one end outside the British Islands) and collaterally acquired internal (both ends within the British Islands) communications.

Since none of the three reviews has recommended abolition of bulk interception warrants and so far they have survived human rights challenges, it seems inevitable that they will be retained in some form in this autumn’s draft Bill.

However, Section 8(4) has thrown up a raft of problems that are likely to be addressed in some way in the new Bill.
 
External communications. Section 8(4) is supposed to be about intercepting external communications – those where at least one end is outside the British Islands. Litigation in the IPT revealed, for the first time, that the Home Office had adopted a surprisingly broad interpretation of external communications. 

In any event, the distinction between external and internal is unclear and increasingly arbitrary, particularly with mobile communications, where it is often impossible to know whether the communication being intercepted is internal or external (see my submissions to Anderson at [31] to [54], cited in the Report at [12.25]). This unsatisfactory situation is not, incidentally, an example of RIPA going out of date. It was explained by the Home Office Minister in Parliament during passage of the Bill.

Section 8(4) allows internal communications to be swept up if, which is typically the case, they cannot be separated from external communications.  Once captured, internal and external communications form a single pool and are treated alike.  Limitations on selecting communications for examination rely on the location of the target at the time of selection, not on whether the communication was internal or external when it was sent or received.

The drafters of the new Bill will have to decide what to do about the internal/external communications divide.  The three reviews have made differing recommendations:
ISC: The Government must publish an explanation of which internet communications fall under which category, and ensure that this includes a clear and comprehensive list of communications. (Recommendation O)

Anderson: The existing distinction is outdated in the context of internet communications and should be abandoned (14.76). Instead, bulk interception warrants should be required to be targeted at the recovery of intercepted material comprising the communications of persons believed to be outside the UK at the time of those communications.

If the recommendation for a self-standing bulk communications data warrant were to be accepted, consideration should be given to whether an analogous restriction is necessary or desirable. (Recommendation 44)

RUSI: No recommendation.

Restrictions on targeting people within the UK assume greater significance in the light of the security agencies' suggestion to Anderson that they anticipate a need in future to apply GCHQ’s overseas bulk data analysis methods domestically:
“domestic security work will increasingly rely on the use of bulk data, including the examination of communications data within the UK. The spread of encryption and the multiplicity of identities used online by individuals mean that the kind of target search and discovery familiar from overseas operations will be needed in the domestic sphere.” [10.24]

There could also be pressure to extend the use of such powers from the intelligence agencies to conventional law enforcement:

“There are still investigatory powers that only the security and intelligence agencies deploy: notably bulk data collection and CNE. I have not suggested that this should change. But as technology develops, bulk data analysis (notably by private companies) becomes a standard feature of everyday life and digital investigation techniques become more widespread, the trend may prove to be towards convergence rather than the reverse.” [13.42]
