Never trust version 1.0 of any software. Wait until the bugs
have been ironed out, only then open your wallet.
The same is becoming true of the UK’s surveillance legislation. No sooner was the ink dry on the
Investigatory Powers Act 2016 (IP Act) than the first bugs, located in the communications
data retention module, were exposed by the EU Court of Justice (CJEU)’s
judgment in Tele2/Watson.
After considerable
delay in issuing required fixes, Version 1.1 is currently making its way
through Parliament. The pending amendments to the Act make two main changes.
They restrict to serious crime the crime-related purposes for which the
authorities may demand access to mandatorily retained data, and they introduce
prior independent authorisation for non-national security demands.
It remains uncertain whether more changes to the data retention
regime will be required in order to comply with the Tele2/Watson judgment. That
should become clearer after the outcome of Liberty’s appeal to the Court of
Appeal in its judicial review of the Act and various pending references to the
CJEU.
Meanwhile the recent Strasbourg judgment in Big Brother Watch v UK (yet to be made final, pending possible referral to the Grand Chamber) has exposed a
separate set of flaws in the IP Act’s predecessor legislation, the Regulation
of Investigatory Powers Act 2000 (RIPA). These were in the bulk interception
and communications data acquisition modules. To the extent that the flaws have
been carried through into the new legislation, fixing them may require the IP
Act to be patched with a new Version 1.2.
The BBW judgment does
not read directly on to the IP Act. The new legislation is much more detailed than
RIPA and introduces the significant improvement that warrants have to be
approved by an independent Judicial Commissioner. Nevertheless, the BBW judgment contains significant implications for the IP Act.
The Court found that three specific aspects of RIPA violated
the European Convention on Human Rights:
- Lack of robust end to end oversight of bulk interception acquisition, selection and searching processes
- Lack of controls on use of communications data acquired from bulk interception
- Insufficient safeguards on access to journalistically privileged material, under both the bulk interception regime and the ordinary communications data acquisition regime
End to end oversight
The bulk interception process starts with selection of the
bearers (cables or channels within cables) that will be tapped. It culminates in various data stores that can
be queried by analysts or used as raw material for computer analytics. In
between are automated processes for filtering, selecting and analysing the
material acquired from the bearers. Some of these processes operate in real
time or near real time, others are applied to stored material and take longer. Computerised
processes will evolve as available technology develops.
The Court was concerned about lack of robust oversight under
RIPA throughout all the stages, but especially selection and search criteria
used for filtering. Post factum audit
by the Interception of Communications Commissioner was judged insufficient.
For its understanding of the processes the Court relied upon
a combination of sources: the Interception Code of Practice under RIPA, the Intelligence and Security Committee Report of March 2015, the Investigatory Powers Tribunal judgment of 5 December 2014 in proceedings brought by Liberty and others, and
the Government’s submissions in the Strasbourg proceedings. The Court described
the processes thus:
“…there are four distinct stages to the section 8(4) regime:
1. The interception
of a small percentage of Internet bearers, selected as being those most likely
to carry external communications of intelligence value.
2. The filtering and
automatic discarding (in near real-time) of a significant percentage of
intercepted communications, being the traffic least likely to be of
intelligence value.
3. The application of
simple and complex search criteria (by computer) to the remaining
communications, with those that match the relevant selectors being retained and
those that do not being discarded.
4. The examination of
some (if not all) of the retained material by an analyst.”
The reference to a ‘small percentage’ of internet bearers derives
from the March 2015 ISC Report. Earlier in the judgment the Court said:
“… GCHQ’s bulk interception
systems operated on a very small percentage of the bearers that made up the
Internet and the ISC was satisfied that GCHQ applied levels of filtering and
selection such that only a certain amount of the material on those bearers was
collected.”
Two points about this passage are worthy of comment. First,
while the selected bearers may make up a very small percentage of the estimated
100,000 bearers that make up the global internet (judgment, [9]), that is not the same
thing as the percentage of bearers that land in the UK.
Second, the ISC report is unclear about how far, if at all,
filtering and selection processes are applied not just to content but also to communications
data (metadata) extracted from intercepted material. Whilst the report
describes filtering, automated searches on communications using complex
criteria and analysts performing additional bespoke searches, it also says:
“Related CD (RCD) from interception: GCHQ’s principal source of CD
is as a by-product of their interception activities, i.e. when GCHQ intercept a
bearer, they extract all CD from that
bearer. This is known as ‘Related CD’. GCHQ extract all the RCD from all the
bearers they access through their bulk interception capabilities.” (emphasis
added)
The impression that collection of related communications
data may not be filtered is reinforced by the Snowden documents, which referred
to several databases derived from bulk interception and which contained very
large volumes of non-content events data. The prototype KARMA POLICE, a dataset
focused on website browsing histories, was said to comprise 17.8 billion rows
of data, representing 3 months’ collection. (The existence or otherwise of
KARMA POLICE and similar databases has not been officially acknowledged,
although the then Interception of Communications Commissioner in his 2014
Annual Report reported that he had made recommendations to interception agencies
about retention periods for related communications data.)
The ISC was also “surprised to discover that the primary
value to GCHQ of bulk interception was not in reading the actual content of
communications, but in the information associated with those communications.”
If it is right that little or no filtering is applied to
collection of related communications data (or secondary data as it is known in
the IP Act), then the overall end to end process would look something like this
(the diagram draws on Snowden documents published by The Intercept as well as
the sources already mentioned):
Returning to the BBW
judgment, the Court’s concerns related to intercepted ‘communications’ and
‘material’:
“the lack of oversight of the
entire selection process, including the selection of bearers for interception,
the selectors and search criteria for filtering intercepted communications, and
the selection of material for examination by an analyst…”
There is no obvious reason to limit those observations to
content. Elsewhere in the judgment the Court was “not persuaded that the
acquisition of related communications data is necessarily less intrusive than
the acquisition of content” and went on:
“The related communications data
… could reveal the identities and geographic location of the sender and
recipient and the equipment through which the communication was transmitted. In
bulk, the degree of intrusion is magnified, since the patterns that will emerge
could be capable of painting an intimate picture of a person through the
mapping of social networks, location tracking, Internet browsing tracking,
mapping of communication patterns, and insight into who a person interacted
with…”.
The Court went on to make specific criticisms of RIPA’s lack
of restrictions on the use of related communications data, as discussed below.
What does the Court’s finding on end to end oversight mean
for the IP Act? The Act introduces independent approval of warrants by Judicial
Commissioners, but does it create the robust oversight of the end to end
process, particularly of selectors and search criteria, that the Strasbourg
Court requires?
The March 2015 ISC Report recommended that the oversight
body be given express authority to review the selection of bearers, the
application of simple selectors and initial search criteria, and the complex
searches which determine which communications are read. David Anderson Q.C.'s (now Lord Anderson) Bulk Powers Review
records (para 2.26(g)) an assurance given by the Home Office that that
authority is inherent in clauses 205 and 211 of the Bill (now sections 229 and
235 of the IP Act).
Beyond that, under the IP Act the Judicial Commissioners have
to consider at the warrant approval stage the necessity and proportionality of
conduct authorised by a bulk warrant. Arguably that includes all four stages
identified by the Strasbourg Court (see my submission to IPCO earlier this year).
If that is right, the RIPA gap may have been partially filled.
However, the IP Act does not specify in terms that selectors
and search criteria have to be reviewed. Moreover, focusing on those particular techniques already seems faintly old-fashioned. The Bulk
Powers Review reveals the extent to which more sophisticated analytical
techniques such as anomaly detection and pattern analysis are brought to bear
on intercepted material, particularly communications data. Robust end to end
oversight ought to cover these techniques as well as use of selectors and
automated queries.
The remainder of the gap could perhaps be filled by an
explanation of how closely the Judicial Commissioners oversee the various
selection, searching and other analytical processes.
Filling this gap may not necessarily require amendment of the
IP Act, although it would be preferable if it were set out in black and white. It
could perhaps be filled by an IPCO advisory notice: first as to its
understanding of the relevant requirements of the Act; and second explaining how that
translates into practical oversight, as part of bulk warrant approval or
otherwise, of the end to end stages involved in bulk interception (and indeed
the other bulk powers).
Related Communications Data/Secondary Data
The diagram above shows how communications data can be
obtained from bulk interception. Under RIPA this was known as Related
Communications Data. In the IP Act it is known as Secondary Data. Unlike RIPA,
the IP Act specifies a category of bulk warrant that extracts secondary data
alone (without content) from bearers.
However, the IP Act definition of secondary data also permits some items
of content to be extracted from communications and treated as communications
data.
Like RIPA, the IP Act contains few specific restrictions on
the use to which secondary data can be put. It may be examined for a reason falling
within the overall statutory purposes and subject to necessity and
proportionality. The IP Act adds the requirement that the reason be within the
operational purposes (which can be broad) specified in the bulk warrant. As
with RIPA, the restriction that the
purpose of the bulk interception must be overseas-related does not apply at the
examination stage. Like RIPA, there is a requirement to obtain specific authority
(a targeted examination warrant, in the case of the IP Act) to select for
examination the communications of someone known to be within the British
Islands. But like RIPA this applies only to content, not to secondary data.
RIPA’s lack of restriction on examining related
communications data was challenged in the Investigatory Powers Tribunal. The
government argued (and did so again in the Strasbourg proceedings) that this was
necessary in order to be able to determine whether a target was within the British
Islands, and hence whether it was necessary to apply for specific authority
from the Secretary of State to examine the content of the target’s
communications.
The IPT accepted this argument, holding that the difference
in the restrictions was justified and proportionate by virtue of the need to be
able to determine whether a target was within the British Islands. It rejected
as “an impossibly complicated or convoluted course” the suggestion that RIPA
could have provided a specific exception to provide for the use of metadata for
that purpose.
That, however, left open the question of all the other uses to
which metadata could be put. If the Snowden documents referred to above are any
guide, those uses are manifold. Bulk intercepted
metadata would hardly be of primary value to GCHQ, as described by the ISC, if
its use were restricted to ascertaining whether a target was within or outside
the British Islands.
The Strasbourg Court identified this gap in RIPA and held
that the absence of restrictions on examining related communications data was a
ground on which RIPA violated the ECHR.
The Court accepted that related
communications data should be capable of being used in order to ascertain
whether a target was within or outside the British Islands. It also accepted
that that should not be the only use to which it could be put, since that would
impose a stricter regime than for content.
But it found that there should nevertheless be “sufficient
safeguards in place to ensure that the exemption of related communications data
from the requirements of section 16 of RIPA is limited to the extent necessary
to determine whether an individual is, for the time being, in the British
Islands.”
Transposed to the IP Act, this could require a structure for
selecting secondary data for examination along the following lines:
- Selection permitted in order to determine whether an individual is, for the time being, in the British Islands.
- Targeted examination warrant required if (a) any criteria used for the selection of the secondary data for examination are referable to an individual known to be in the British Islands, and (b) the purpose of using those criteria is to identify secondary data or content relating to communications sent by, or intended for, that individual.
- Otherwise: selection of secondary data permitted (but subject to the robust end to end oversight requirements discussed above).
Although the Court speaks only of sufficient safeguards, it
is difficult to see how this could be implemented without amendment of the IP Act.
Journalistic privilege
The Court found RIPA lacking in two areas: bulk interception
(for both content and related communications data) and ordinary communications
data acquisition. The task of determining to what extent the IP Act remedies
the deficiencies is complex. However, in the light of the comparisons below it seems
likely that at least some amendments to the legislation will be necessary.
Bulk interception
For bulk interception, the Court was particularly concerned
that there were no requirements either:
- circumscribing the intelligence services’ power to search for confidential journalistic or other material (for example, by using a journalist’s email address as a selector), or
- requiring analysts, in selecting material for examination, to give any particular consideration to whether such material is or may be involved.
Consequently, the Court said, it would appear that analysts
could search and examine without restriction both the content and the related
communications data of those intercepted communications.
For targeted examination warrants the IP Act itself contains some
safeguards relating to retention and disclosure of material where the purpose,
or one of the purposes, of the warrant is to authorise the selection for
examination of journalistic material which the intercepting authority believes
is confidential journalistic material. Similar provisions apply if the purpose,
or one of the purposes, of the warrant is to identify or confirm a source of
journalistic information.
Where a targeted examination warrant is unnecessary the
Interception Code of Practice provides for corresponding authorisations and
safeguards by a senior official outside the intercepting agency.
Where a communication intercepted under a bulk warrant is
retained following examination and it contains confidential journalistic
material, the Investigatory Powers Commissioner must be informed as soon as
reasonably practicable.
Unlike RIPA, S.2 of the IP Act contains a general provision
requiring public authorities to have regard to the particular sensitivity of any
information, including confidential journalistic material and the identity of a
journalist’s source.
Whilst these provisions are an improvement on RIPA, it will be
open to debate whether they are sufficient, particularly since the specific safeguards
relate to arrangements for handling, retention, use and destruction of the communications
rather than to search and selection.
Bulk communications data acquisition
The IP Act introduces a new bulk communications data
acquisition warrant to replace S.94 of the Telecommunications Act 1994. S.94
was not considered in the BBW
case. The IP Act bulk power contains no provisions
specifically protecting journalistic privilege. The Code of Practice expands on
the general provisions in S.2 of the Act.
Ordinary communications data acquisition
The RIPA Code of Practice required an application to a judge
under PACE 1984 where the purpose of the application was to determine a source.
The Strasbourg court criticised this on the basis that it did not apply in
every case where there was a request for the communications data of a
journalist, or where such collateral intrusion was likely.
The IP Act contains a specific provision requiring a public
authority to seek the approval of the Investigatory Powers Commissioner to
obtain communications data for the purpose of identifying or confirming a
source of journalistic information. This provision appears to suffer the same
narrowness of scope criticised by the Strasbourg Court.