One of a series of posts on the forthcoming Investigatory
Powers Bill
Previous: Targeted Interception
Extraterritoriality.
DRIPA (the Data Retention and Investigatory Powers Act), enacted in July 2014
gave various kinds of extraterritorial effect to RIPA’s interception
and communications data acquisition provisions. The Home Office insisted that
the amendments clarified RIPA in order to achieve what had always been intended.
Extraterritoriality
is controversial and carries the risk of creating clashes between laws of
different countries. Not surprisingly,
given the speed at which DRIPA was rushed through Parliament, there are oddities and anomalies. Two concern
extraterritoriality:
(a) DRIPA provides that in assessing reasonable practicability of assisting with an interception warrant regard is to be had to restrictions and requirements under the law of a non-UK country in which interception steps are to be taken. This applies only to non-UK providers. Yet a UK provider may have facilities outside
the UK on which following DRIPA it may be required to perform interception.
(b) There is no equivalent provision for compliance
with a communications data acquisition notice.
The government has published a summary of the work done so far by Sir Nigel Sheinwald, who in September 2014 was appointed a Special Envoy for intelligence and
law enforcement data sharing.
The recommendations
of the three Reviews are:
ISC
|
No recommendation
|
Anderson
|
As suggested by the Venice
Commission, the long-term resolution
of this issue may require new
international standards for privacy (5.39) Pending a satisfactory long-term
solution to the problem, extraterritorial application should continue to be
asserted in relation to warrants and authorisations, and consideration should
be given to extraterritorial enforcement in appropriate cases. (Recommendation 25)
|
RUSI
|
No
recommendation
|
Transparency
Transparency goes to the clarity and intelligibility of the published
legislation and to the problem of secret law. If the rules under which the
agencies are operating are not sufficiently public, then the regime may fail
the human rights legality test that law should be accessible and its application reasonably
foreseeable.
Broad discretionary powers are vulnerable to challenge on legality grounds. As the ISC observed:
Anderson emphasises the importance from a trust perspective, of avowing intrusive capabilities:“…the lack of clarity in the existing laws, and the lack of transparent policies beneath them, has not only fuelled suspicion and allegations but has also meant that the Agencies could be open to challenge for failing to meet their human rights obligations due to a lack of ‘foreseeability’. The adequacy of the legal framework and the greater need for transparency have been at the forefront of this Inquiry throughout.” (xvii)
“Whilst the operation of covert powers is and must remain secret, public authorities, ISIC and the IPT should all be as open as possible in their work. Intrusive capabilities should be avowed. Public authorities should consider how they can better inform Parliament and the public about why they need their powers, how they interpret those powers, the broad way in which those powers are used and why additional capabilities may be required.”
The ISC made a similar point in their earlier report (see Recommendation BBB below).
Several capabilities have come to light only since Snowden. Anderson mentions thematic warrants and their underlying interpretation of RIPA Section 8(1) disclosed for the first time in the ISC report in March 2015; use of bulk personal datasets disclosed for the first time in the same report; and Computer Network Exploitation (CNE, or hacking in common parlance). That was disclosed in a Code of Practice in February 2015 as the consequence of legal challenges to the activities disclosed by Snowden.
Several capabilities have come to light only since Snowden. Anderson mentions thematic warrants and their underlying interpretation of RIPA Section 8(1) disclosed for the first time in the ISC report in March 2015; use of bulk personal datasets disclosed for the first time in the same report; and Computer Network Exploitation (CNE, or hacking in common parlance). That was disclosed in a Code of Practice in February 2015 as the consequence of legal challenges to the activities disclosed by Snowden.
An issue that
may arise is whether oversight should consist not just of retrospective audit,
but should include a more proactive transparency function – for instance
publishing interpretations of statutes on the basis of which the agencies are
operating. The controversial Home Office
interpretation of external communications would never have seen the light of
the day but for the post-Snowden challenge to bulk interception in the
Investigatory Powers Tribunal. If law
enforcement and the agencies are operating on the basis of particular
interpretations it is arguable that those form part of the law being applied
and should, if the human rights test of legality is to be satisfied, be made
public.
The recommendations of the reviews do not
go as far as, for instance, requiring the appropriate oversight body
proactively to ascertain and publish any relevant statutory interpretations on
the basis of which law enforcement and the agencies are operating.
The recommendations
of the three Reviews are:
ISC
|
The Intelligence Services Act 1994
and the Security Service Act 1989 provide the legal basis for the Agencies’ activities,
and broad general powers to act in accordance with their statutory functions
and purposes. We have concerns about the lack of transparency surrounding
these general powers, which could be misconstrued as providing the Agencies
with a ‘blank cheque’ to carry out whatever activities
they deem necessary. We therefore recommend that the Agencies’ powers are
set out clearly and unambiguously. (Recommendation MM)
Section 7 of the Intelligence
Services Act 1994 allows for a Secretary of State to sign an authorisation
which removes civil and criminal liability for activity undertaken outside
the British Islands which may otherwise be unlawful under UK law. … consideration
should … be given to greater transparency around the number and
nature of Section 7 Authorisations. (Recommendation OO)
The Intelligence Services Act 1994
and the Security Service Act 1989 provide the legal authority for the
acquisition and use of Bulk Personal Datasets. However, this is implicit
rather than explicit. In the interests of transparency, we consider that this
capability should be clearly acknowledged and put on a specific statutory
footing. (Recommendation X)
Given the nature of current threats
to the UK, the use of Directions under [Section 94 of] the Telecommunications
Act [1984] is a legitimate capability for the Agencies. However, the current
arrangements in the Telecommunications Act 1984 lack clarity and
transparency, and must be reformed. This capability must be clearly set out
in law, including the safeguards governing its use and statutory oversight
arrangements. (Recommendation VV)
The first step is to consolidate the
relevant legislation and avow all of the Agencies’ intrusive
capabilities. This will, in itself, be a significant step towards greater
transparency. … We recognise that much of
the detail regarding the Agencies’ capabilities must be kept
secret. There is, however, a great deal that can be discussed publicly and we
believe that the time has come for much greater openness and transparency
regarding the Agencies’ work. (Recommendation BBB)
|
Anderson
|
The new law should be written so far
as possible in non-technical language. It should be structured and expressed
so as to enable its essentials to be understood by intelligent readers across
the world. It should cover all essential features, leaving details of
implementation and technical application to codes of practice to be laid
before Parliament and to guidance which should be unpublished only to the extent
necessary for reasons of national security. (Recommendations 3-5)
The general power under TA 1984 s94,
so far as it relates to matters covered by this Review, should be brought
into the new law and/or made subject to equivalent conditions to those
recommended here. The same should apply to equipment interference (or CNE)
pursuant to ISA 1994 ss5 and 7, so far as
conducted for the purpose of obtaining
electronic communications; interception pursuant to the Wireless Telegraphy Act
2006 ss48-49; and the acquisition and use of bulk personal data.
(Recommendation 6)
Existing and future intrusive
capabilities within the scope of this Review that are used or that it is
proposed be used should be:
(a) promptly
avowed to the Secretary of State and to ISIC;
(b) publicly
avowed by the Secretary of State at the earliest opportunity consistent with
the demands of national security; and, in any event,
(c) used only if provided for in
statute and/or a Code of Practice in a manner that is sufficiently accessible
and foreseeable to give an adequate indication of the circumstances in which,
and the conditions on which, communications may be accessed by public
authorities. (Recommendation 9)
|
RUSI
|
A clear and transparent new legal
framework and a more coherent, visible and effective oversight regime should
be the basis for a public discussion about the appropriate and constrained
power the British state should have to intrude into the lives of its
citizens. This would be the essence of a new deal between citizen and
government. (5.30)
Transparency: How the law applies to
the citizen must be evident if the rule of law is to be upheld. Anything that
does not need to be secret should be transparent to the public; not just
comprehensible to dedicated specialists but clearly stated in ways that any
interested citizen understands. (Test 8)
Legislative clarity: Relevant
legislation is not likely to be simple but it must be clearly explained in
Codes of Practice that have Parliamentary approval, are kept up-to-date and
are accessible to citizens, the private sector, foreign governments and
practitioners alike. (Test 9)
|
Data
sharing RIPA is silent on soliciting and receiving intercept product from
foreign agencies, such as from the US PRISM programme. The IPT in December 2014 held that receipt of
PRISM data was lawful in the future, on the basis that some internal rules
disclosed by the government during the proceedings now provide a publicly
available legal basis for the activity. The government may think it prudent for rules to be
incorporated in future legislation.
The recommendations
of the three Reviews are:
ISC
|
Future legislation should clearly
require the Agencies to have an interception warrant in place before seeking
communications from a foreign partner. (Recommendation SS)
The safeguards that apply to the
exchange of raw intercept material with international partners do not
necessarily apply to other intelligence exchanges, such as analysed
intelligence reports. While the ‘gateway’ provisions
of the Intelligence Services Act and the Security Service Act do allow for
this, we consider that future legislation must define this more explicitly (Recommendation
TT)
|
Anderson
|
The new law should define as clearly
as possible the powers and safeguards
governing:
(a) the
receipt of intercepted material and communications data from international partners;
and
(b) the
sharing of intercepted material and communications data with international partners;
(Recommendation 8)
Any transfer of intercepted material
or communications data to third countries should be on the basis of
clearly-defined safeguards, published save insofar as is necessary for the
purposes of national security and monitored by ISIC. The same should apply to
receipt, with the addition of a warrant governing any intercepted material
that is sought. The new law should make it clear that neither receipt nor
transfer should ever be permitted or practised for the purpose of
circumventing safeguards on the use of such material in the UK.
(Recommendations 76 to 79)
|
RUSI
|
Currently, there is insufficient clarity
over the powers and safeguards governing the exchange of data and intelligence
between international partners. (5.75)
|
No comments:
Post a Comment
Note: only a member of this blog may post a comment.