Today I have been transported back in time, to that surreal period following the Snowden revelations in 2013 when anyone who knew anything about the previously obscure RIPA (Regulation of Investigatory Powers Act 2000) was in demand to explain how it was that GCHQ was empowered to conduct bulk interception on a previously unimagined scale.
The answer (explained here) lay in the ‘certificated warrants’ regime under S.8(4) RIPA for intercepting external communications. ‘External’ communications were those sent or received outside the British Islands, thus including communications with one end in the British Islands.
Initially we knew about GCHQ’S TEMPORA programme and, as the months stretched into years, we learned from the Intelligence and Security Committee of the importance to GCHQ of bulk intercepted metadata (related communications data, in RIPA jargon):
Once the Investigatory Powers Bill started its journey into legislation the RIPA terminology started to fade. But today it came back to life, with the European Court of Human Rights judgment in Big Brother Watch and others v UK.
The fact that the judgment concerns a largely superseded piece of legislation does not necessarily mean it is of historic interest only. The Court held that both the RIPA bulk interception regime and its provisions for acquiring communications data from telecommunications operators violated Article 8 (privacy) and 10 (freedom of expression) of the European Convention on Human Rights. The interesting question for the future is whether the specific aspects that resulted in the violation have implications for the current Investigatory Powers Act 2016.
The Court expressly did not hold that bulk interception per se was impermissible. But it said that a bulk interception regime, where an agency has broad discretion to intercept communications, does have to be surrounded with more rigorous safeguards around selection and examination of intercepted material. [338]
It is difficult to be categoric about when the absence of a particular feature or safeguard will or will not result in a violation, since the Court endorsed its approach in Zakharov whereby in assessing whether a regime is ‘in accordance with the law’ the Court can have regard to certain factors which are not minimum requirements, such as arrangements for supervising the implementation of secret surveillance measures, any notification mechanisms and the remedies provided for by national law. [320]
That said, the Court identified three failings in RIPA that were causative of the violations. These concerned selection and examination of intercepted material, related communications data, and journalistic privilege.
Selection and examination of intercepted material
The Court held that lack of oversight of the entire selection process, including the selection of bearers for interception, the selectors and search criteria for filtering intercepted communications, and the selection of material for examination by an analyst, meant that the RIPA S. 8(4) bulk interception regime did not meet the “quality of law” requirement under Article 8 and was incapable of keeping the “interference” with Article 8 to what is “necessary in a democratic society”.
As to whether the IPAct suffers from the same failing, a careful study of the Act may lead to the conclusion that when considering whether to approve a bulk interception warrant the independent Judicial Commissioner should indeed look at the entire selection process. Indeed I argued exactly that in a submission to the Investigatory Powers Commissioner. Whether it is clear that that is the case and, even if it is, whether the legislation and supporting public documents are sufficiently clear as to the level of granularity at which such oversight should be conducted, is another matter.
As regards selectors (the Court’s greatest concern), the Court observed that while it is not necessary that selectors be listed in the warrant, mere after the event audit and the possibility of an application to the IPT was not sufficient. The search criteria and selectors used to filter intercepted communications should be subject to independent oversight. [340]
Related communications data
The RIPA safeguards for examining bulk interception product (notably the certificate to select a communication for examination by reference to someone known to be within the British Islands) did not apply to ‘related communications data’ (RCD). RCD is communications data (in practice traffic data) acquired by means of the interception.
The significance of the difference in treatment is increased when it is appreciated that it includes RCD obtained from incidentally acquired internal communications and that there is no requirement under RIPA to discard such material. As the Court noted: “The related communications data of all intercepted communications – even internal communications incidentally intercepted as a “by-catch” of a section 8(4) warrant – can therefore be searched and selected for examination without restriction.” [348]
The RCD regime under RIPA can be illustrated graphically:
This is a potentially significant holding. In IPAct terms this would appear to require that selection for examination of secondary data for any purpose other than determining whether an individual is, for the time being, in the British Islands should be subject to different and more stringent limitations and procedures.
It is also noteworthy that, unlike RIPA, the IP Act contains provisions enabling some categories of content to be extracted from intercepted communications and treated as secondary data.
Journalistic privilege
The Court found violations of Article 10 under both the bulk interception regime and the regime for acquisition of communications data from telecommunications service providers.
For bulk interception, the court focused on lack of protections at the selection and examination stage: “In the Article 10 context, it is of particular concern that there are no requirements – at least, no “above the waterline” requirements – either circumscribing the intelligence services’ power to search for confidential journalistic or other material (for example, by using a journalist’s email address as a selector), or requiring analysts, in selecting material for examination, to give any particular consideration to whether such material is or may be involved. Consequently, it would appear that analysts could search and examine without restriction both the content and the related communications data of these intercepted communications.” [493]
For communications data acquisition, the court observed that the protections for journalistic privilege only applied where the purpose of the application was to determine a source; they did not apply in every case where there was a request for the communications data of a journalist, or where such collateral intrusion was likely. [499]
This may have implications for those IPAct journalistic safeguards that are limited to applications made ‘for the purpose of’ intercepting or examining journalistic material or sources.
The answer (explained here) lay in the ‘certificated warrants’ regime under S.8(4) RIPA for intercepting external communications. ‘External’ communications were those sent or received outside the British Islands, thus including communications with one end in the British Islands.
Initially we knew about GCHQ’S TEMPORA programme and, as the months stretched into years, we learned from the Intelligence and Security Committee of the importance to GCHQ of bulk intercepted metadata (related communications data, in RIPA jargon):
“We were surprised to discover that the primary value to GCHQ of bulk interception was not in the actual content of communications, but in the information associated with those communications.” [80] (Report, March 2015)According to a September 2015 Snowden disclosure, bulk intercepted communications data was processed and extracted into query focused datasets such as KARMA POLICE, containing billions of rows of data. David (now Lord) Anderson QC’s August 2016 Bulk Powers Review gave an indication of some techniques that might be used to analyse metadata, including unseeded pattern analysis.
Once the Investigatory Powers Bill started its journey into legislation the RIPA terminology started to fade. But today it came back to life, with the European Court of Human Rights judgment in Big Brother Watch and others v UK.
The fact that the judgment concerns a largely superseded piece of legislation does not necessarily mean it is of historic interest only. The Court held that both the RIPA bulk interception regime and its provisions for acquiring communications data from telecommunications operators violated Article 8 (privacy) and 10 (freedom of expression) of the European Convention on Human Rights. The interesting question for the future is whether the specific aspects that resulted in the violation have implications for the current Investigatory Powers Act 2016.
The Court expressly did not hold that bulk interception per se was impermissible. But it said that a bulk interception regime, where an agency has broad discretion to intercept communications, does have to be surrounded with more rigorous safeguards around selection and examination of intercepted material. [338]
It is difficult to be categoric about when the absence of a particular feature or safeguard will or will not result in a violation, since the Court endorsed its approach in Zakharov whereby in assessing whether a regime is ‘in accordance with the law’ the Court can have regard to certain factors which are not minimum requirements, such as arrangements for supervising the implementation of secret surveillance measures, any notification mechanisms and the remedies provided for by national law. [320]
That said, the Court identified three failings in RIPA that were causative of the violations. These concerned selection and examination of intercepted material, related communications data, and journalistic privilege.
Selection and examination of intercepted material
The Court held that lack of oversight of the entire selection process, including the selection of bearers for interception, the selectors and search criteria for filtering intercepted communications, and the selection of material for examination by an analyst, meant that the RIPA S. 8(4) bulk interception regime did not meet the “quality of law” requirement under Article 8 and was incapable of keeping the “interference” with Article 8 to what is “necessary in a democratic society”.
As to whether the IPAct suffers from the same failing, a careful study of the Act may lead to the conclusion that when considering whether to approve a bulk interception warrant the independent Judicial Commissioner should indeed look at the entire selection process. Indeed I argued exactly that in a submission to the Investigatory Powers Commissioner. Whether it is clear that that is the case and, even if it is, whether the legislation and supporting public documents are sufficiently clear as to the level of granularity at which such oversight should be conducted, is another matter.
As regards selectors (the Court’s greatest concern), the Court observed that while it is not necessary that selectors be listed in the warrant, mere after the event audit and the possibility of an application to the IPT was not sufficient. The search criteria and selectors used to filter intercepted communications should be subject to independent oversight. [340]
Related communications data
The RIPA safeguards for examining bulk interception product (notably the certificate to select a communication for examination by reference to someone known to be within the British Islands) did not apply to ‘related communications data’ (RCD). RCD is communications data (in practice traffic data) acquired by means of the interception.
The significance of the difference in treatment is increased when it is appreciated that it includes RCD obtained from incidentally acquired internal communications and that there is no requirement under RIPA to discard such material. As the Court noted: “The related communications data of all intercepted communications – even internal communications incidentally intercepted as a “by-catch” of a section 8(4) warrant – can therefore be searched and selected for examination without restriction.” [348]
The RCD regime under RIPA can be illustrated graphically:
In this regard the IPAct is virtually identical. We now have tweaked definitions of ‘overseas-related communications’ and ‘secondary data’ instead of external communications and RCD, but the structure is the same:
The only substantive additional safeguard is that examination of secondary data has to be for stated operational purposes (which can be broad).
The Court accepted that under RIPA, as the government argued (and had argued in the original IPT proceedings):
The Court accepted that under RIPA, as the government argued (and had argued in the original IPT proceedings):
“the effectiveness of the [British Islands] safeguard [for examination of content] depends on the intelligence services having a means of determining whether a person is in the British Islands, and access to related communications data would provide them with that means.” [354]But it went on:
“Nevertheless, it is a matter of some concern that the intelligence services can search and examine “related communications data” apparently without restriction. While such data is not to be confused with the much broader category of “communications data”, it still represents a significant quantity of data. The Government confirmed at the hearing that “related communications data” obtained under the section 8(4) regime will only ever be traffic data.
However, … traffic data includes information identifying the location of equipment when a communication is, has been or may be made or received (such as the location of a mobile phone); information identifying the sender or recipient (including copy recipients) of a communication from data comprised in or attached to the communication; routing information identifying equipment through which a communication is or has been transmitted (for example, dynamic IP address allocation, file transfer logs and e-mail headers (other than the subject line of an e-mail, which is classified as content)); web browsing information to the extent that only a host machine, server, domain name or IP address is disclosed (in other words, website addresses and Uniform Resource Locators (“URLs”) up to the first slash are communications data, but after the first slash content); records of correspondence checks comprising details of traffic data from postal items in transmission to a specific address, and online tracking of communications (including postal items and parcels). [355]
In addition, the Court is not persuaded that the acquisition of related communications data is necessarily less intrusive than the acquisition of content. For example, the content of an electronic communication might be encrypted and, even if it were decrypted, might not reveal anything of note about the sender or recipient. The related communications data, on the other hand, could reveal the identities and geographic location of the sender and recipient and the equipment through which the communication was transmitted. In bulk, the degree of intrusion is magnified, since the patterns that will emerge could be capable of painting an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with. [356]
Consequently, while the Court does not doubt that related communications data is an essential tool for the intelligence services in the fight against terrorism and serious crime, it does not consider that the authorities have struck a fair balance between the competing public and private interests by exempting it in its entirety from the safeguards applicable to the searching and examining of content. While the Court does not suggest that related communications data should only be accessible for the purposes of determining whether or not an individual is in the British Islands, since to do so would be to require the application of stricter standards to related communications data than apply to content, there should nevertheless be sufficient safeguards in place to ensure that the exemption of related communications data from the requirements of section 16 of RIPA is limited to the extent necessary to determine whether an individual is, for the time being, in the British Islands.” [357]
This is a potentially significant holding. In IPAct terms this would appear to require that selection for examination of secondary data for any purpose other than determining whether an individual is, for the time being, in the British Islands should be subject to different and more stringent limitations and procedures.
It is also noteworthy that, unlike RIPA, the IP Act contains provisions enabling some categories of content to be extracted from intercepted communications and treated as secondary data.
Journalistic privilege
The Court found violations of Article 10 under both the bulk interception regime and the regime for acquisition of communications data from telecommunications service providers.
For bulk interception, the court focused on lack of protections at the selection and examination stage: “In the Article 10 context, it is of particular concern that there are no requirements – at least, no “above the waterline” requirements – either circumscribing the intelligence services’ power to search for confidential journalistic or other material (for example, by using a journalist’s email address as a selector), or requiring analysts, in selecting material for examination, to give any particular consideration to whether such material is or may be involved. Consequently, it would appear that analysts could search and examine without restriction both the content and the related communications data of these intercepted communications.” [493]
For communications data acquisition, the court observed that the protections for journalistic privilege only applied where the purpose of the application was to determine a source; they did not apply in every case where there was a request for the communications data of a journalist, or where such collateral intrusion was likely. [499]
This may have implications for those IPAct journalistic safeguards that are limited to applications made ‘for the purpose of’ intercepting or examining journalistic material or sources.
No comments:
Post a Comment
Note: only a member of this blog may post a comment.