One of the features of the IPB most vaunted by the Home Secretary is the so-called ‘double lock’ provided by the requirement that the Judicial Commissioner has to sign off on any warrant in order for it to take effect. So what do we know about the position of the Judicial Commissioner, and how they will be appointed?
“The draft Bill will create a single new independent and more powerful IPC [Investigatory Powers Commissioner]. The Commissioner will be properly supported and will have a significantly expanded role in authorizing the use of investigatory powers and a wide-ranging and self-determined remit to oversee any aspect of how law enforcement and the security and intelligence agencies use the powers and capabilities available to them.
The IPC will be a senior judge and with his supporting staff will have three key roles:
- To authorize and approve the use of investigatory powers. Judicial Commissioners, who will be serving or former High Court judges, will undertake this role.
- There will be an inspection role. The IPC will audit compliance and undertake investigations. Judicial Commissioners will undertake this role and will be supported by a team of expert inspectors.
- The new Commissioner will have a clear mandate to inform Parliament and the public about the need for and use of investigatory powers. The Commissioner will report publicly and make recommendations on what he finds in the course of his work. He will also publish guidance when it is required on the proper use of investigatory powers. The Commissioner will have a strong public profile and active media and online presence so that he is quickly established as an authoritative source of advice and information.

To support these three roles, the Commissioner will also have dedicated legal, technical and communications support.”
While the mandate of the Commissioner to inform Parliament and the public about the use of investigatory powers through an annual public report appears promising, the draft IPB unfortunately gives no further indication of the level of detail that should be expected in such a report. It is therefore very likely that such a report would be restricted to the barest of statistics, especially since the security agencies are likely to cite ‘national security requirement’ as a reason for obscuring as much as possible about their activities.
On the topic of how the IPC and Judicial Commissioners are to be appointed, the draft IPB states:
- (1) The Prime Minister must appoint—
  - (a) the Investigatory Powers Commissioner, and
  - (b) such number of other Judicial Commissioners as the Prime Minister considers necessary for the carrying out of the functions of the Judicial Commissioners.
- (2) A person is not to be appointed as the Investigatory Powers Commissioner or another Judicial Commissioner unless the person holds or has held a high judicial office (within the meaning of Part 3 of the Constitutional Reform Act 2005).
- (3) Before appointing any person under subsection (1), the Prime Minister must consult—
  - (a) the Scottish Ministers, and
  - (b) the First Minister and deputy First Minister in Northern Ireland.
- (4) Before appointing a Judicial Commissioner under subsection (1)(b), the Prime Minister must also consult the Investigatory Powers Commissioner.
- (5) The Prime Minister must inform the Scottish Ministers and the First Minister and deputy First Minister in Northern Ireland of an appointment under subsection (1).
- (6) The Investigatory Powers Commissioner is a Judicial Commissioner and the Investigatory Powers Commissioner and the other Judicial Commissioners are to be known, collectively, as the Judicial Commissioners.
Clearly, with the exception of a rather vague requirement to ‘consult’ with the Scottish Ministers and the First Minister and deputy First Minister in Northern Ireland, the appointment of these vital Commissioners, who must provide the independent oversight of the decisions of the Secretary of State, is completely in the hands of the Prime Minister. Nowhere is there any requirement for parliamentary approval or public scrutiny.
Two clauses, which apply to each of the types of warrants (Interception and examination of communications data; Obtaining of communications data; Require Communications Service Providers to retain communications data; Engage in equipment interference; Bulk data interception; Bulk data acquisition; Bulk equipment interference) and which have caused most of the concern from industry as well as civil rights organisations, are the “Duty of operators to assist with implementation” and the “Duty not to make unauthorised disclosures”.
The “Duty of operators to assist with implementation” means a Communications Service Provider (CSP), or even a private individual, would be required to do everything that is reasonably doable to help the security services in collecting data, decrypting communications (via deliberate security weaknesses, i.e. ‘backdoors’) and hacking into systems/services the CSP provides to its customers. The “Duty not to make unauthorised disclosures” means that it would be a criminal offence for the CSP to notify anyone of the fact that they had been compelled to cooperate with such a warrant. This would seriously undermine the ability of CSPs to engender trust in any of their security products, e.g. Apple’s end-to-end encrypted iMessage. The fact that companies would not even be allowed to provide statistics about the number of warrants they had been served would also dramatically reduce the ability of journalists and civil rights organisations to independently monitor the level of state surveillance.
There is also a great deal of concern regarding the implications for cybersecurity. On the one hand, it has been shown that backdoors for unlocking encrypted services fundamentally undermine overall security, or as Apple phrased it in their comments on the draft IPB: “A key left under the doormat would not just be there for the good guys. The bad guys would find it too.” On the other hand, potentially requiring CSPs to retain large amounts of meta-data for up to 12 months could produce very attractive targets for cybercriminals who are interested in any information about people’s online behaviours in order to ‘optimize’ attacks such as phishing.
A third potential cybersecurity vulnerability that has not been discussed much is the potential for criminals to con people into believing that they were being served a genuine ‘equipment interference’ warrant, especially since the “duty not to make unauthorised disclosures” might stop them from being able to adequately verify any such warrant.
Clearly there is much still to do before the bill is truly fit for purpose. In all of this I haven’t even touched yet on any of the issues regarding the international dimension, such as the serving of IPB warrants to CSPs outside the UK, or the (in-)compatibility of requirements on CSPs under the IPB and under EU data protection regulations, which are currently in the final stages of being redrawn.
Please feel free to leave comments below if you think I’ve misinterpreted anything in the IPB, or have failed to mention anything you consider to be especially important.