Saturday, 5 September 2015

Predicting the UK’s new surveillance law

What will this autumn’s draft Investigatory Powers Bill contain?  We can take a reasonable guess at the outline. Interception powers will get a makeover: at a minimum RIPA has to be rewritten intelligibly and reinforced to comply with human rights norms.  In the post-Snowden climate there may be a little more openness about how law enforcement and agencies use their powers.  We will hear a lot about proportionality, safeguards and oversight. 

Filling in the picture is more difficult.  Three surveillance reviews have reported in the last 6 months and between them have made almost 200 recommendations. As yet there is little indication of which ones the government intends to take up. Some of the recommendations would involve wide consultation before a decision could be taken. Yet time for consultations is running out if the draft Bill is to be put before a Joint Parliamentary Committee for pre-legislative scrutiny this autumn.

Perhaps the greatest uncertainty is around the government’s stated intention to press on with the Communications Data Bill – dubbed the Snoopers’ Charter – which stalled in December 2012 following severe criticism of the draft Bill by an all-party Joint Parliamentary Committee.  The CDB would have significantly expanded the amount and types of communications data that service providers could be required to retain (and, for the first time, be compelled to generate) for access by public authorities. After pressure from the Committee the Home Office identified three particular datatypes that it wanted UK service providers to retain: IP address resolution data, weblog data and third party data (explained below).

Bringing back the CDB is not a simple matter of dusting off the 2012 draft. Retention of some IP address resolution data was implemented earlier this year by the Counter Terrorism and Security Act.  The Anderson report accepted that retention of weblog data would be useful, but went on:
“[I]f any proposal is to be brought forward, a detailed operational case needs to be made out, and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained.”
For third party data Anderson said:
“There should be no question of progressing proposals for the compulsory retention of third party data before a compelling operational case for it has been made out (as it has not been to date) and the legal and technical issues have been fully bottomed out.”
If those recommendations are heeded, that leaves only compulsory generation of data and possibly the ‘request filter’ (see below) that could be brought forward without first making a new case for them. In any event the Anderson report contains hints that law enforcement themselves may not now be pushing so strongly for some of the most ambitious and expensive parts of the CDB. On the CDB generally Anderson comments that “law enforcement itself wishes to reserve its detailed position on these proposals pending further discussions with a Government that has a political mandate to take it forward.” [9.67]

Nor could the government reintroduce unchanged the controversial Ministerial order-making power in Clause 1 of the CDB, described by Anderson as “excessively broad”. The power was at the heart of the CDB and was intended to future-proof the legislation.  It would also have served to keep from public sight operational details of what data was being retained. The Home Office told the Joint Committee in 2012 that it would review the approach in Clause 1:  “We did receive from Mr Farr the important undertaking that Home Office officials would look at clause 1 again, and advise Ministers on whether it can be changed, enhanced or improved.”

A revised draft Communications Data Bill does exist within the Home Office. Anderson reports that:
“The Home Office sought to take the recommendations of the JCDCDB into account and produced a pared-down draft Bill in early 2013, which I have been shown. … Though I asked Ministers in late 2014 for permission to show the draft Bill (or at least a summary of it) to CSPs with whom I discussed the issues … that permission was not forthcoming. It became clear that in the absence of unified political will to progress the proposals, there has been little discussion of them with important stakeholders.”
Add into the mix the Snowden fallout (the Chair of the CDB Joint Committee was unamused to find that it had not been ‘even given any hint’ of the existence of PRISM and TEMPORA), suggestions that the technological systems proposed in the CDB are no longer as relevant or appropriate as they seemed in 2012 (Anderson para 14.29) and a clutch of recent court decisions that, among other things, have invalidated (suspended until March 2016) the existing communications data retention regime under DRIPA (the Data Retention and Investigatory Powers Act 2014) and we have a crystal ball that is cloudy in the extreme. 

Despite all of this, we can take a shot at predicting some of what may be in the new draft Investigatory Powers Bill. (For a more comprehensive survey of the coming debate see here.)

GCHQ’s bulk interception warrant

What is it? The bulk interception warrant under Section 8(4) of RIPA. These warrants authorise GCHQ’s TEMPORA programme of tapping into transatlantic fibre optic cables, one of the most significant Snowden disclosures.  According to the Snowden documents back in 2012 TEMPORA processed some 40 billion items a day.

Section 8(4) is primarily a foreign investigatory tool, but has significant domestic overlap.  While it focuses on capturing external communications (at least one end outside the British Islands), those communications are mixed up in the cable with wholly internal communications (both ends within the British Islands). In that situation Section 8(4) allows internal communications to be collaterally swept up into a common pool. The stream of data is filtered down by computers.  GCHQ’s analysts can then track communications of known suspects, search for suspicious material or try to join the dots of communications data to identify unknown suspects.

GCHQ’s computers and analysts cannot trawl indiscriminately in the pool of external and internal communications. RIPA Section 16 is their fishing permit. It specifies what they can fish for and some types of hooks that they cannot use.  They may examine intercepted messages only within broad categories certified by the Minister. Without special authorisation the analysts cannot search by content for communications of people known to be within the British Islands at the time. However these constraints do not apply to communications data captured along with the intercepted communications. 

For: Regarded as a valuable tool for tracking the communications of known suspects and identifying previously unknown threats.

Against: General warrants went out with John Wilkes, yet Section 8(4) has the vice of the general warrant: collect in bulk first, then use the intercepted material to form suspicions. By contrast a targeted warrant is (or should be) justified only when there are pre-existing grounds for suspicion. There are also many specific criticisms of the bulk warrant system including the opaqueness of the drafting of RIPA Section 16, the relative absence of controls over searching and analysing captured communications data, the unworkability of the external/internal communications distinction and the ability of the Minister to authorise a search in the pool for the communications of someone known to be within the British Islands.

Status: None of the reviews has recommended abolition of bulk warrants.  Anderson has recommended several changes, including that each warrant should be much more specific in its objectives.  He has also recommended a standalone bulk communications data warrant, to be used where interception of content is not necessary.

Prediction: Bulk warrantry powers to stay, perhaps significantly modified.

Watch out for: Greater clarity of powers; public avowal of how they are used; specific objectives for warrants; tighter constraints on searching for communications of persons within British Islands; a framework for searching captured communications data; a standalone communications data warrant (perhaps including content-derived communications data); prior judicial or quasi-judicial authorisation; tighter limits on who can apply for a bulk warrant. 

More on bulk interception warrants here.

Broad Ministerial powers

What is it? A wide statutory power in Clause 1 of the draft CDB allowing the Secretary of State to make regulations under which she could give notices to CSPs to generate, obtain and disclose communications data and to install designated equipment for that purpose.

For: Future proofing.

Against: Future proofing is inappropriate where intrusive powers are concerned due to unknown consequences. Legislative powers and actual capabilities should be aligned. Overly broad powers breed suspicion. If the real substance is buried two layers down in secret notices to CSPs then neither MPs nor the public can properly understand what is being voted on. An extended designated equipment power (the current RIPA power applies only to interception capability) smacks of surveillance by design, especially in conjunction with the power to compel communications data generation.

Status: Home Office told the Joint CDB Committee that it would look again at Clause 1.

Prediction: Increased specificity, but government will still want a method of future-proofing.

Watch out for: A guessing game to work out how the powers are intended to be used. Or will the government heed the ISC and Anderson’s recommendations that all intrusive capabilities should be publicly avowed?

More on future-proofing here.

Browsing histories

What is it? Extension of current data retention powers so as to require storage of browsing histories (alias weblog data). This was one of the most contentious aspects of the draft Communications Data Bill. It is like keeping a list, which the authorities could demand to inspect, of all the books, newspapers and magazines that you have read in the last year.  Weblog data probably excludes web addresses (URLs) ‘after the first slash’. That is like listing a book, but not every page within it.

For: A step towards providing law enforcement authorities, security agencies and other public authorities with perfect visibility of anyone’s internet activity.

Against: A step towards providing law enforcement authorities, security agencies and other public authorities with perfect visibility of anyone’s internet activity.

Status: A centrepiece of the original draft Communications Data Bill. Anderson wants a detailed operational case to be made out, and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained.

Prediction: Bank on this one coming back in some form.

Watch out for: Ambiguity and unintelligibility of datatypes: accurate, clear explanations of the datatypes to be retained are essential if an informed debate is to take place. Will a new case be made? Will there be prior consultation separate from the pre-legislative Parliamentary scrutiny? Will it be limited to law enforcement and service providers or will the wider public and NGOs be consulted? How will invalidation of the existing data retention powers in DRIPA be addressed?

More on weblog data retention here.

Digital footprints

What is it? Retention of the geolocation data that, thanks to our smartphones and tablets, we leave like a breadcrumb trail behind us.  The Annex to the CDB Explanatory Note explained that Communications data “includes information identifying the location of equipment when a communication is or has been made or received (such as the location of a mobile phone)”. A phone call, text, software update, e-mail check, news feed update, an app checking in to its provider are all communications and they happen all the time. Each could have precise GPS or Wi-Fi location data associated with it. 

For: The ability to access a minute by minute map of our lives is useful to law enforcement.

Against: Not much different from the authorities putting a tracking bug on every one of us.

Status: The voluntary ATCSA Retention Code, which dates from 2003, specifies retention of location data for phone calls (12 months) and text messages (6 months), in latitude/longitude form.  DRIPA includes the mobile phone cell ID at the start of the communication (up to 12 months). Location data was in scope of the Secretary of State’s powers to direct retention under the draft CDB. The current German draft data retention Bill would require location data to be kept for 4 weeks.

Prediction: Probable.

Watch out for: This could get lost in the detail.

Data generation by decree

What is it? The Home Office would be able to order CSPs to generate communications data for the benefit of the authorities.  At the moment CSPs can only be made to retain data that they already generate or process in the UK. Think about that list of books, newspapers and magazines in the weblog data section (above). You don’t ordinarily keep a list? This is like compelling you to make one.

For: Law enforcement want the records to be made.

Against: Crosses a line into surveillance by design: requiring systems to be designed for the benefit of the authorities. Could be used to require e.g. public wi-fi providers to collect name and address information from users.

Status: Proposed in the draft Communications Data Bill. Not yet implemented. Surprisingly little attention was paid in the three reviews to this significant extension of existing powers. 

Prediction: Data generation to reappear.

Watch out for: Will there be a lot of noise about it?

More on compelled data generation here.

Boundary between communications data and content

What is it? On the one side we have email addresses, user IDs, IP addresses, domains, and the like.  On the other side content (including URLs beyond the first slash). Public authorities have far readier access to communications data than to content.  There are also sub-divisions of communications data (traffic data, service use data, subscriber data) that under RIPA affect the conduct that is classified as interception. The powers of public authorities to demand access to communications data vary depending on the type of communications data.

Privacy advocates question the historic assumption that content is necessarily more sensitive than communications data. Changes to the dividing line would have an impact on the data that the authorities could request and a knock-on effect on the scope of communications data retention.  

Status: Anderson recommended that the boundary (including sub-divisions) should be reviewed, with input from all interested parties including service providers, technical experts and NGOs. The Intelligence and Security Committee suggested an intermediate category of ‘communications data plus’ and that content-derived information should continue to be regarded as content.

Prediction: Government will continue to maintain that communications data is less sensitive than content. Possible clarification of the boundary in areas of uncertainty such as social media and revision of communications data categories.

Watch out for: Full consultation? A definition of content? Treatment of content-derived communications data.

More on the content/communications data boundary here.

Third party data collection

What is it? A scheme that would enable the Home Office to require CSPs to collect and retain communications data from foreign services transiting their pipes.  This was part of the CDB.

For: A way of giving the authorities access to communications data that they can’t collect from overseas providers.

Against: Expensive, utility unclear.

Status: As well as demanding that a compelling operational case be made out before any proposals are progressed (see above), Anderson hints that law enforcement may be less keen than they were in 2012: “Law enforcement is also conscious that the proposal of third party data retention was a particularly expensive one, and that its utility will be peculiarly susceptible to technological developments. It may therefore be that this aspect of the Communications Data Bill is no longer judged to be the priority that it once was, even within the law enforcement community.” [9.64]

Prediction:  Anyone's guess.

Watch out for: Lack of clarity over any proposed powers; dividing line between content and communications data.

More on third party data collection here.

Request filter

What is it? A plan for a system enabling authorities to search across communications data collections retained by multiple CSPs.  Another part of the CDB.

For: Said to be less intrusive by focusing searches.

Against: Federated search implies storing detailed profiles to link the databases together (CDB Joint Committee [114]).

Status: Anderson: “The Communications Data Bill contained provision for the retention of third-party data and for a request filter. Law enforcement still endorse the operational requirements which those provisions were meant to address, but want to engage further with industry on the best ways of meeting them.”

Prediction:  Anyone’s guess.

Watch out for: Clarity of technical proposal; consultation?

More on request filter here.

Judicial authorisation

What is it? Interception warrants in the UK are authorised by a Minister, not by an independent judicial or quasi-judicial body.  This has always been a bone of contention for civil liberties advocates.  Most demands to access communications data are authorised internally by the requesting authorities themselves.

For: The principle of the matter. The UK is out of step with most other liberal democracies. Internet and tech companies based in the USA may be more comfortable co-operating with judicial warrants.

Against: Ministers are in a better position to judge the political implications of issuing a sensitive warrant. They are politically accountable for their actions.

Status: Up in the air.  Anderson has recommended a new Judicial Commission to take over authorising interception warrants. RUSI has recommended a more limited scheme. The judgment in the Davis/Watson judicial review of DRIPA has said (subject to appeal) that the CJEU DRI decision means that there must be prior independent authorisation of requests for mandatorily retained communications data. It could be said that the same should apply to interception warrants.

Prediction: In the balance. The government may prefer to retain Ministerial control over warrants. But if it wants the new interception warrants regime to be legally bulletproof, the prudent course would be to go with a scheme for judicial or quasi-judicial approval of interception warrants.  Separately it has to decide how to deal with the regime for communications data demands following the Davis/Watson decision.

Watch out for:  Concentration on this issue to the detriment of others. It is important, but the scope and reach of powers is critical.