The draft Investigatory Powers Bill (IPB) is a proposed new law on surveillance that was presented to parliament in November 2015. The bill is currently before the Joint Committee (i.e. both Houses of Parliament) which is investigating the content of the bill and will report its recommendations to the Houses in February 2016. The first step of the procedure having been a call for written evidence, which had to be submitted by 21 December 2015, as well as public hearings in November, December 2015 and January 2016. Since the IPB has obvious implications for privacy and digital rights, I decided to take a closer look at the Bill (despite it being 299 pages long).
The IPB represents both a continuation of the push for more investigatory powers, as was the case with the “emergency” Data Retention and Investigatory Powers Act of 2014 (DRIP), as well as a response to the ‘Snowden revelations’ regarding numerous (mass) surveillance operations (e.g. Tempora) by GCHQ, which revealed a lack of judicial oversight and transparency in the procedures governing surveillance by UK national security agencies.
The need for a systematic review and overhaul of the regulations regarding intelligence gathering, especially from the internet, certainly exists. At present the UK regulations on this are a patchwork of, often rushed, regulations including:
- Data Retention and Investigatory Powers Act of 2014 (DRIP)
- Regulation of Investigatory Powers Act 2000 (RIPA)
- Police Act 1997
- Justice and Security act 2013 (JSA)
- Intelligence Services act 1994
- Section 94 of the Telecommunications Act
With the results that oversight regarding the use of surveillance by UK security agencies is split between:
- Parliamentary oversight carried out by the cross-party ISC
- The Interception of Communications Commissioner (IoCC) who oversees how public authorities use their interception and communications data powers under RIPA and powers under section 94 of the Telecommunications Act.
- The Chief Surveillance Commissioner (CSC) who oversees how law enforcement agencies use covert surveillance powers and covert human intelligence sources under RIPA Part II and the Police Act 1997.
- The Intelligence Services Commissioner (ISCom) who oversees how the intelligence agencies use the powers available to them under RIPA Part II (covert surveillance and covert human intelligence sources) and the Intelligence Services Act 1994.
- Investigatory Powers Tribunal (IPT) which investigates complaints that law enforcement and the security and intelligence agencies have used their covert investigative techniques unlawfully or claims that the intelligence or law enforcement agencies have breached human rights legislation. It is an independent tribunal comprised of judges and senior members of the legal profession.
As a result, even civil rights organizations like Open Rights Group (ORG) have for some time now been calling for a revision of the complete surveillance regulation. Unfortunately, the actual content of the proposed bill is not exactly what they were looking for.
The new bill provides a framework of warrants for the security and intelligence agencies to engaging in:
- Interception and examination of communications data
- Obtaining of communications data (a.k.a. meta-data)
- Require Communications Service Providers (i.e. any company that has anything to do with communications data, including ISPs, social network providers (e.g. Facebook), hardware manufacturers (e.g. Cisco) etc.) to retain communications data
- Engage in equipment interference (i.e. computer/device hacking)
- Bulk data interception (i.e. untargeted mass collection of data)
- Bulk data acquisition
- Bulk equipment interference
The warrants will be issued by the Secretary of State and must be approved by a Judicial Commissioner before coming into force (except in the case of ‘exceptional circumstances’ in which case the warrant must be approved by a Judicial Commissioner within five days). Grounds on which warrants can be applied for are:
- The interest of national security
- Preventing or detecting serious crime
- In response to a request from a foreign agency with which there exists an international mutual assistance agreement
- Safeguarding the economic well-being of the UK (in circumstances relevant to the interests of national security)
In each case, the warrant must be specific, detailing the kind of investigation that will be undertaken and its duration, which must be “necessary and proportionate to what is sought to be achieved”.
Unfortunately my reading of the IPB has failed to provide any clear definitions for what constitutes ‘interest of national security’, the definition of ‘serious crime’ or a clear concept of ‘necessary and proportionate’ (the most detail is given for Interception of communications, i.e. content of messages, where there is a clause requiring that there must be sufficient indication that the sought information could not reasonably be obtained by other means). For each of these it seems we would have to trust in the judgement of the Secretary of State and the Judicial Commissioner. Before taking a closer look at the proposed position of Judicial Commissioner, I should also point out that recent history, revealed by Snowden documents, suggests that 3. will need to be closely monitored to prevent it being abused by close collaboration between agencies for circumventing national restrictions (e.g. NSA putting in a request on behalf of GCHQ). Also, it is not at all clear to me why 4. is included as a possible ground for applying for a warrant. If “safeguarding the economic well-being of the UK” is being pursued “in circumstances relevant to the interest of national security”, couldn’t the warrant be applied for on the grounds of “interest of national security”, i.e. 1.? The inclusion of 4. thus has a strong sense of ‘industrial espionage’ to it.
It should also be noted that an additional ground (not mentioned in the summary of the bill) for which warrants can be given is for “testing or training activities”, defined as:
- the testing, maintenance or development of apparatus, systems or other capabilities relating to the interception of communications in the course of their transmission by means of a telecommunication system or to the obtaining of related communications data, or
- the training of persons who carry out, or are likely to carry out, such interception or the obtaining of such data.
Such ‘testing or training’ warrants clearly present another potential for abuse of power unless they are very closely monitored.