Privacy International briefing on A Question of Trust: Report of the Investigatory Powers Review

News & Analysis
Privacy International briefing on A Question of Trust: Report of the Investigatory Powers Review

On legal reform

"RIPA, obscure since its inception, has been patched up so many times as to make it incomprehensible to all but a tiny band of initiates. A multitude of alternative powers, some of them without statutory safeguards, confuse the picture further. This state of affairs is undemocratic, unnecessary and – in the long run – intolerable." [E.S. 35]

This report is confirmation of the pressing need for wholesale reform of Britain's surveillance laws. Mr Anderson is resounding on this point: the current legal authorities for interception and collection of data are unclear, obscure and not fit for purpose. The response must be a new, consolidated piece of legislation that not only adds clarity and rigour to existing surveillance laws, but brings presently unregulated practices such as hacking and intelligence sharing within the letter of the law. In distinguishing his report from the Intelligence and Security Committee's (ISC) analysis, Mr Anderson rejected that committee's recommendations for a separate piece of legislation regulating the intelligence services, proposing instead one piece of law that would regulate all surveillance powers, whether they be deployed by the police or by the spies. 

On specific interception warrants

"Specific interception warrants should be limited to a single person, premises or operation. Where a warrant relates to an operation, each person or premises to which the warrant is to apply, to the extent known at the time of the application, should be individually specified on a schedule to the warrant, together with the selectors (e.g.telephone numbers) applicable to that person or premises." [R. 27]

Mr Anderson has recommended a number of positive changes that provide clarity and rigour to a system long criticised for being overly complex. Mr Anderson's proposals for "specific interception warrants" promises to streamline the process, and the introduction of judicial commissioners into the warranty process is an important step towards greater accountability in this process. However, we are disappointed to see that Mr Anderson has not recommended the introduction of a "reasonable suspicion" requirement as a pre-requisite condition to the commencement of interception or access to data. Requiring the existence of a suspicion would ensure that surveillance is only used in limited and exceptional circumstances.

On blanket measures (bulk interception and mandatory data retention)

"Though I seek to place the debate in a legal context, it is not part of my role to offer a legal opinion (for example, as to whether the bulk collection of data as practiced by GCHQ is proportionate). A number of such questions are currently before the courts..." [1.12]

It is disappointing that Mr Anderson didn't see fit to condemn the very idea of bulk interception. Although we appreciate his deference to the courts in determining the proportionality of indiscriminate surveillance, we believe this report was a missed opportunity to recommend an end to mass surveillance, and bring the UK in line with developing international legal standards in this field. With respect to blanket data retention, Mr Anderson approved of this practice for the government going forward, even as he noted that it would have to comply with the CJEU's decision in Digital Rights Ireland, leaving open the door for this practice to be rolled back depending the British Courts' decisions in the case brought by David Davis MP and Tom Watson MP. 

On internal/external distinction and discriminatory privacy provisions

"The distinction between internal and external communications was widely attacked as arbitrary and misleading by civil society groups who made submissions to the review... I agree with them that the distinction is outdated in the context of internet communications and should be abandoned." [14.76]

Mr Anderson reiterates what Privacy International has been saying for sometime—RIPA is written in a manner that not only confuses readers but obfuscates the powers it contains. The arbitrary internal/external distinction, which has previously formed the basis of the government's justification for its mass surveillance, has been exposed as being empty, confusing and meaningless. Mr Anderson rightly recommends moving away from the distinction. However, we are disappointed that he hasn't taken this opportunity to speak out against discriminatory privacy protections that afford one level of privacy rights to British persons and another to foreigners. His recommendations enshrine the government's position that mass surveillance of foreigners is an acceptable activity of a democratic state, and improve protections for Britons while entrenching privacy intrusions for everyone else. 

On warrants for the defence of the UK or its foreign policy

"(a) Where a warrant (specific or bulk) is sought for a national security purpose relating to the defence of the UK or its foreign policy, I recommend that the Secretary of State should have the power to certify that the warrant is required in the interests of the defence and/or foreign policy of the UK. In the case of a bulk warrant, the Secretary of State should also have the power to certify that the warrant is required for the operation(s) and/or mission purposes identified on the warrant...

(b)  The Judicial Commissioner should be able to depart from that certificate only on the basis of the principles applicable in judicial review: an extremely high test in practice, given the proper reticence of the judiciary where matters of foreign policy are concerned.

(c)  Responsibility for verifying that the warrant satisfied the requirements of proportionality, and for authorising the warrant, would remain with the Judicial Commissioner." [14.64]

Mr Anderson has sought to accommodate the concerns of the intelligence agencies about extending judicial authorisation to bulk warranting processes, a measure which we believe is long overdue, by limiting the role of judicial commissioners when warrants relate to "defence of the UK or its foreign policy". We fundamentally believe that, even when such interests are at stake, a legal analysis of whether interception is justified should still trump a political analysis. 

On extraterritorial powers

"I understand those who argue that extraterritorial application sets a bad example to other countries, and who question whether it will ever or could ever be successfully enforced. It is certainly an unsatisfactory substitute for a multilateral arrangement under which partner countries would agree to honour each others’ properly warranted requests, which must surely be the long-term goal. But some service providers find it easier to assist if there is a legal power purporting to require them to do so; and despite the fact that extraterritorial enforcement has not yet been tried, the presence on the statute book of DRIPA 2014 s4 has been of some assistance in securing vital cooperation from service providers. On that pragmatic basis I suggest that it should remain in force, at least for the time being. [14.59] Pending a satisfactory long-term solution to the problem, extraterritorial application should continue to be asserted in relation to warrants and authorisations (DRIPA2014 s4), and consideration should be given to extraterritorial enforcement inappropriate cases..."[ R. 25]

We welcome Mr Anderson's criticisms of the extraterritoriality provisions of DRIPA, which we believe set a dangerous precedent for less democratic states who might follow Britain's example and seek to assert their own power to intercept communications and access data outside their borders. While we would have preferred to see Mr Anderson recommending the immediate repeal of DRIPA's extraterritoriality provisions, we encourage further pursuit of a multilateral arrangement that includes appropriate safeguards to ensure extraterritorial requests comply with international human rights standards. In this regard, it should be noted that Sir Nigel Sheinwald's report will provide important guidance and should be published without haste or redaction. 

On the Snoopers Charter

"I have no doubt that retained records of user interaction with the internet would be useful. But that is not enough on it's own to justify the introduction of new obligations on CSPS, particularly one which could be portrayed as potentially very intrusive on their customers activities." [14.33]

'In relation to the subject-matter of the 2012 Communications Data Bill:

a, The provisions for IP resolution in the Counter Terrorism and Security Act 2015 are useful and should be kept in force.

b, The compulsory retention of records of user interaction with the internet (weblogs or similar) would be useful for attributing communications to individual devices, identifying use of communications sites and gathering intelligence or evidence on web browsing activity. But if any proposal is to be brought forward, a detailed operational case needs to be made out, and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained.

c, There should be no question of progressing proposals for the compulsory retention of third party data before a compelling operational case for it has been made out (as it has not been to date) and the legal and technical issues have been fully bottomed out." [R. 13]

The report is clear that the Communications Data Bill should not be progressed until a compelling operational case for the powers it contains has been made. Mr Anderson reiterates that the government has so far failed to do so. This is a resounding condemnation of the government's plans to introduce the Snoopers Charter, which should now be scrapped once and for all. 

On content/communications data distinction

"As to the distinction between content and communications data... The borderline is neither as clear nor as simple as when it could be explained in terms of the content of the letter versus the writing on the envelope... I do not recommend removing the distinction... A difference in terms of intrusiveness between “what is said or written” on the one hand and “the who, when, where and how of a communication” on the other is generally recognised, including in the practice of other States and in the case law of international courts. But there is a case for (a) defining content in the new law and (b) reviewing the borderline between content and communications data (in the new law or its Codes of Practice) so as to ensure that it reflects the reality of modern technology. CSPs pointed to web logs, cloud services and social media as areas of ambiguity... Thought has undoubtedly been given to these matters within the security and intelligence agencies, but no proposal was ready to be put before me. Accordingly I recommend a review which should be as open and inclusive as possible." [14.11]

While Mr Anderson stopped short of recommending that content and communications data be given equal consideration in legal frameworks, he made the important recommendation that the definitions of both be addressed. He sadly stopped short of requiring judicial commissioners to approve of requests for access to communications data, retaining the status quo in this regard, and recommended the introduction of a new bulk communications data warrant. 

On privileged material

"There can be no fairness in litigation involving the state if one party to it has the ability to monitor the privileged communications of the other." [2.12] "[...] in recognition of the fact that some communications data may be relatively intrusive, I have recommended that in some circumstances, including but not limited to privileged and confidential material, there should be judicial determination of an application to access communications data." [14.11]

Mr Anderson recommended raising the level of protection afforded to those in positions to which legal privilege attached, stipulating that decisions for access to communications data of such persons would have to be approved by a judicial commissioner. 

On judicial commissioners

"The ISC suggested that judges might approve more warrant applications thanMinisters (Privacy and Security Report, para 203); but the Foreign Office made to me the opposite point: that judicial authorisation might “disadvantage the UK” because judges would be liable to refuse applications that Ministers accept. Were it the case that Ministers might be tempted to issue warrants in circumstances where it is illegal do so, that would seem to me a strong argument in favour of judicial authorisation rather than against it." [14.57]

"Through its Judicial Commissioners, who should be serving or retired senior judges, ISIC should also take over the judicial authorisation of all warrants and of certain categories of requests for communications data, in addition to the approval functions currently exercised by the OSC in relation to other forms of surveillance and the ability to issue guidance." [E.S. 30]

Mr Anderson's recommendation that surveillance warrants be signed off by independent commissioners is a critical one; eradicating ministerial warrants and introducing impartial arbiters into the process of authorising surveillance will make the system more rigorous and accountable. While the report does not go as far as we would like, stopping short of recommending a role for the courts in the authorisation of warrants, we think Mr Anderson's recommendations if heeded by the government would constitute a considerable improvement over the current system. 

On the Independent Surveillance and Intelligence Commission

"ISIC should be public-facing, transparent, accessible to media and willing to draw on expertise from different disciplines." [E.S. 32] "ISIC, on its own initiative or at the suggestion of a public authority or CSP, should have additional powers to notify subjects of their right to lodge an application to the IPT." {E.S. 31] ISIC "would be a well-resourced and outward-facing regulator both of all those involved in the exercise of surveillance powers and of the security and intelligence agencies more generally." [14.94]

ISIC would merge the existing functions of its three predecessor Commissioners (including those only recently announced: bulk personal data and TA 1984 s94) and take on, in addition:

(a)  the audit and inspection functions referred to in Recommendations 91-93;

(b)  the warrant-issuing powers currently vested in the Secretary of State, to be exercised only by Judicial Commissioners who must hold or have held high judicial office, or Assistant Judicial Commissioners who have themselves held judicial office (Recommendations 84-88), and after hearing submissions from independent standing counsel where necessary (Recommendation 110(c));

(c)  a new power to authorise communications data requests which are novel or contentious or which are made for the purpose of determining matters that are privileged or confidential (Recommendation 84(e)); and 

(d) the ability to issue guidance as referred to in 14.86 above, and to participate in the preparation of Codes of Practice (Recommendation 84(f)). 

The current surveillance commissioners are drastically under resourced and under staffed, so any reform which improves the powers, resources and responsibilities afforded to oversight mechanisms is warmly welcomed. Mr Anderson's suggestion of establishing a one-stop-shop commission that would authorise, scrutinise and oversee all investigatory powers could go a long way toward improving the effectiveness and efficiency of surveillance oversight.  The implementation of this recommendation will have to be scrutinised closely to ensure that there is sufficient independence in the various arms of the ISIC. We welcome the suggestion that the ISIC would be empowered to notify individuals of errors in making affecting them, and to let them know of their right to lodge an application at the IPT. 

On the Investigatory Powers Tribunal

"The Investigatory Powers Tribunal (IPT) should have an expanded jurisdiction and the capacity to make declarations of incompatibility; and its rulings should be subject to appeal on points of law."31 

"The jurisdiction of the IPT should be expanded (or clarified) to cover circumstances where it is a CSP rather than a public authority which was at fault (for example, by intercepting the wrong communications address and/or disclosing the wrong communications data)." [R 113]

Mr Anderson has made a strong recommendation with respect to the Tribunal, asserting that it must be empowered to make declarations of incompatibility, and that their must be a right of appeal from decisions of the Tribunal, on points of law. 

On the Intelligence and Security Committee

"The ISC was reformed by the JSA 2013. However, concerns remain that the ISC is insufficiently robust and independent of governmental pressure." [12.90] "There should continue to be a committee of parliamentarians with oversight of the work of the security and intelligence agencies and trusted by them with classified information, not only because parliamentary oversight is desirable in principle but because of the knowledge and understanding that its members bring to parliamentary debates with national security implications, e.g. in relation to terrorism legislation and proscription orders. " [R 118] "The future of the ISC is a matter for Parliament, and I am concerned only to ensure that its functions do not overlap with those of ISIC." [14.109]

Mr Anderson did not recommend any major changes, instead leaving questions as to the scope and operation of the Committee to Parliament.

On encryption

"There may be all sorts of reasons – not least, secure encryption – why it is not physically possible to intercept a particular communication, or track a particular individual. But the power to do so needs to exist, even if it is only usable in cases where skill or trickery can provide a way around the obstacle. Were it to be otherwise, entire channels of communication could be reduced to lawless spaces in which freedom is enjoyed only by the strong, and evil of all kinds can flourish." [13.11]

Mr Anderson's principle of "minimising no-go areas" raises a number of concerns about the Government's entitlement to prevent individuals from communicating secretly and anonymously. However, even though Mr Anderson expresses some controversial opinions about the need to ensure there are legal powers that extend the government's reach to all parts of the internet, notably he makes no recommendations for bolstering legal powers in this area.