Friday 15 April 2016

Future-proofing the Investigatory Powers Bill

[Based on a presentation to BILETA 2016 on 11 April 2016]

If we know one thing about the Investigatory Powers Bill, it must be future-proof. Legislation should, self-evidently, stand the test of time in the face of rapid technological change and not become out of date overnight.

However the task is not a simple matter of spraying a coat of future-proof paint on to the Bill. Future-proofing can give rise to serious difficulties when the legislation furnishes the state with intrusive powers over its citizens. An attempt to future-proof blighted the current Regulation of Investigatory Powers Act (RIPA). The signs are that some of the mistakes of RIPA are about to be repeated in the 
Investigatory Powers Bill.

How should we set about future-proofing legislation? In the communications surveillance field two techniques have been tried.

One is a broad, flexible, order-making power. The statute would empower the Secretary of State to make and revise regulations from time to time, subject to less Parliamentary scrutiny than for primary legislation. However when considering the primary legislation Parliament has only the mistiest outline of what it is being asked to approve. The features of the landscape do not appear until it is too late.

That was the approach adopted in the draft Communications Data Bill (CDB), which in 2012 was stopped in its tracks by a Joint Parliamentary Committee. Clause 1 of the draft Bill was a general order-making power that could be used to mandate collection, generation and retention of communications data. Home Office official Charles Farr said in evidence to the Committee:

"Future-proofing and flexibility are at the heart of the language we have used in clause 1."
The Committee noted the "wide anxiety raised by the breadth of clause 1". It concluded:
"We do not think that Parliament should grant powers that are required only on the precautionary principle. There should be a current and pressing need for them."
Remnants of the CDB approach survive in parts of the Investigatory Powers Bill. 

The power to serve technical capability notices on telecommunications operators sets out a list of obligations that can be imposed, including the obligation to remove electronic protection applied by or on behalf of the operator. Although the list is fairly specific, the power itself is open-ended. The obligations that may be specified in regulations merely "include, among other things" the items in the list.

The direct descendant of Clause 1 of the CDB is Clause 78 of the IP Bill. Clause 78, u
nlike the CDB, sets out a list of ‘Relevant Communications Data” that can be the subject of data retention notices issued by the Secretary of State. The items on the list are still described in quite general terms, including for instance “data which may be used to identify, or assist in identifying, … the type, method or pattern, or fact, of communication”.

Clause 78 also retains a strong bias towards the ‘precautionary principle’ deprecated by the 2012 Joint Committee. At present notices under DRIPA can require retention of a few specific types of data in respect of limited categories of communication such as internet e-mail, SMS messages and internet telephony. The Counter Terrorism and Security Act 2015 added IP address resolution data. The financial projections in the Home Office’s IP Bill Impact Assessment allow only for the addition of so-called internet connection records. Yet Clause 78 is much broader than that, encompassing for instance the machine to machine communications that will underpin the internet of things. There has been no attempt to explain or justify this broad scope.

Another method of future-proofing is technological neutrality. This approach contrasts with technology-specific legislation. The objective is to draft at a sufficiently abstract level to allow for future changes in technology.

IT and technology lawyers have been brought up to think of technologically neutral legislation as a Good Thing. Professor Chris Reed observed in 2007 that technological neutrality had become part of the general wisdom: 'motherhood and apple pie'. And so it was, when we were trying to avoid problems such as statutory writing requirements that assumed paper. However technological neutrality runs into trouble when applied to intrusive state powers.

The first problem is that abstract drafting has a tendency to be unintelligible. The obvious example is RIPA. Sir David Omand, the Permanent Secretary in the Home Office at the time RIPA was prepared, told the Commons Home Affairs Select Committee in February 2014:

“The instructions to parliamentary draftsmen were to make it technology-neutral, because everyone could see that the technology was moving very fast. Parliamentary draftsmen did an excellent job in doing that, but as a result I do not think the ordinary person or Member of Parliament would be able to follow the Act without a lawyer to explain how these different sections interact.”
RIPA is notoriously impenetrable, even to lawyers. It has been criticised almost from birth:
"We have found RIPA to be a particularly puzzling statute" (R v W, Court of Appeal, 2003)
"longer and even more perplexing" than the "short but difficult" Interception of Communications Act 1985. (Lord Bingham, A-G’s Ref (No 5 of 2002), 2004) 
"this impenetrable statute … one of the most complex and unsatisfactory statutes currently in force." Professor David Ormerod (2005) 
"a complex and difficult piece of legislation" Mummery LJ (then President of the Investigatory Powers Tribunal, 2006) 
"RIPA 2000 is a difficult statute to understand" (Sir Anthony May, IOCC Report for 2013) 
"RIPA, obscure since its inception, has been patched up so many times as to make it incomprehensible to all but a tiny band of initiates" (David Anderson Q.C., A Question of Trust, 2015.)
Unintelligibility is a direct consequence of the attempt to future-proof by technologically neutral, abstract drafting.

Intelligibility is not just a lawyer's nice to have. Where intrusive powers are concerned it is a rule of law principle that the public should be able to know with reasonable certainty the kind of circumstances in which the powers may be used against them. Unintelligible legislation fails that test. A Question of Trust said:

“The desire for legislative clarity is more than just tidy-mindedness. Obscure laws –and there are few more impenetrable than RIPA and its satellites – corrode democracy itself, because neither the public to whom they apply, nor even the legislators who debate and amend them, fully understand what they mean.”
A Question of Trust challenged the government to produce legislation that is both comprehensive and comprehensible.

A second problem with applying technological neutrality to intrusive powers arises from the fact that where the technology goes, so the powers automatically follow.

This of course is what the technique is intended to achieve. As people use technology in ways that were unknown at the time of the legislation, the powers will apply to the new behaviour. However the result is that the balance between privacy and intrusion that Parliament contemplated at the time it passed the legislation is liable to shift due to mere accidents of technology.

Again, RIPA is a prime example. Mobile phones existed in 2000, as did the internet. But they were not yet combined. When they merged on the smartphone all kinds of human activity that were previously untouched by RIPA suddenly fell into its scope.

It will be said that that is how it should be: conspirators who used to communicate by telephone and now use over-the-top messaging should be subject to equivalent powers. That may be so. But entirely personal behaviour that does not involve any kind of messaging between two or more human beings has also been swept up. We never used to read books or newspapers over the telephone. Now we read websites remotely. RIPA counts this activity, equivalent to sitting at home reading a book, as a communication - as if it were the same as e-mailing or text messaging a contact.

The mobile internet was not contemplated by the legislators in 2000. The result of this accident of technology is a major shift in the privacy/intrusion balance, without Parliament ever having had the opportunity to consider it. Now that Parliament is considering it, it is doing so against the background of a sense of entitlement to the bounty of data that adventitiously fell into the laps 
of intelligence agencies and law enforcement bodies.

What should we do? The key is to ask what we should be seeking to future-proof: the powers themselves or the privacy/intrusion balance settled upon by Parliament when it enacts legislation of this kind. My own view is that we should learn the lesson of RIPA and seek to future-proof the privacy/intrusion balance, not the powers.

That would require a fundamentally different approach: concrete, technology-specific drafting, sunsetting of powers, frequent review by Parliament and continued openness by the government about how the powers have been used. The latter is critical if Parliament is to engage in an informed debate when powers come back for renewal.

Regrettably, the IP Bill has gone down a similar track to RIPA. It has tried to future proof the powers and, as with RIPA, the predictable result is unintelligibility. The House of Commons Science and Technology Committee said in its report on the draft Bill:

“The Home Secretary told us subsequently that the definitions for ‘communication data’ and ICRs were intended to be “technology neutral and flexible in order that, should user behaviour and technology change, they will still apply”. The definitions were to be applied “to the full range of powers and obligations under the draft Bill” which had subsumed provisions from several current statutes. As a result, “the definitions as they are formulated are necessarily abstract”.” (emphasis added)
The Committee concluded:
“The government, in seeking to future-proof the proposed legislation, has produced definitions of internet connection records and other terms which have led to significant confusion on the part of communications service providers and others.”
The "others" include the general public, whose communications form the subject of the Bill and who should, as a matter of the rule of law, be able to understand the scope of the powers.

The government, responding to a recommendation by the Joint Committee, has included provision for review of the Bill after five and a half years. However that is insufficient without addressing the problems of over-abstract drafting. Nor is hiving off detail to Codes of Practice a good approach. It is not the function of Codes of Practice to compensate for obscure legislation. 

Further reading on technology neutrality

Alberto Escudero Pascual and Ian Hosein, The hazards of technology-neutral policy: questioning lawful access to traffic data, by (Communications of the Association for Computer Machinery (CACM) Journal Published 29 Feb 2004)

Chris Reed, Taking Sides on Technology Neutrality, (2007) 4:3 SCRIPTed 263

Graham Smith, Are Techlaw principles in the Ascendency? Intellectual Property Forum: journal of the Intellectual and Industrial Property Society of Australia and New Zealand, Issue 96 (Mar 2014)

[Amended 15 April 2016 to make specific reference to mobile internet.]

Friday 1 April 2016

An official announcement

The following official statement was issued this morning.
“A temporary ceasefire has been agreed among combatants in the Semantic Wars. 
A list of banned words and phrases has been drawn up including ‘Itemised Phone Bill’, ‘The Outside of an Envelope’ and ‘We only want to do what [named Silicon Valley company] does’.

Any permutation of (indiscriminate, blanket, mass, dragnet, random, uncontrolled, at will) and (surveillance, trawling, snooping, browsing, monitoring) is also prohibited, whether accusations or denials thereof.
Use of the term 'Snoopers Charter' will be regarded as grounds for immediate termination of the accord.”

Early indications are that the truce is unlikely to hold.

[BREAKING NEWS, 10.45 am. Unconfirmed reports suggest that teams of inspectors are in the process of being deployed to eliminate stockpiles of unused non-denial denials.]