No evidence of Balance: the Joint Committee on draft Investigatory Powers Bill

The Joint Committee on the IP Bill has now been stood up, and we’ve finally got the names of the Lords appointed. Following on from an underwhelming start as I’ve previously noted I continue to be underwhelmed, maybe even dismayed, by the Lords appointed. I hope to be pleasantly surprised, but am not confident. Fundamentally, the committee appears to have a pro-authoritarian slant, and has virtually no experience with technology – not a great combination.

Before I discuss the membership in detail, I also wanted to make a point on time. The joint committee is due to report by 11 February 2016. That gives at most 7 weeks for the committee to review the draft bill, and report. This is not much time, especially with Christmas and New Year in the middle of the period. It may be sufficient, but this is definitely something to keep an eye on.

And now to the membership.

Membership Overview

From the perspective of the Lords, there are 2 Conservative, 2 Labour, 1 Crossbench, 1 Bishop(!), and 1 Liberal Democrat. 3 of the 7 have been government Ministers, and 1 was the Head of the Civil Service. None have any in-depth technical knowledge. Overall, the Lords’ contingent is definitely an ‘insiders’ group – indeed 2 are or were members of the Intelligence Services Committee. When looking at speaking history for DRIPA, the draft IP Bill, and the Anderson report, most have been silent, showing little interest in the subject. Only Lord Strasburger appears to have a pro-civil liberties stance, and only he had involvement with the previous draft Communications Data Bill.

When we include the MPs, there are 6 Conservative, 4 Labour, 1 SNP, 1 LibDem, 1 Crossbench, and 1 Bishop. A minority (1 MP+3 Lords) have spoken on DRIPA, the Anderson Report, or the IP Bill. The overall committee are less insiders (4 Lords+1 MP) than the Lords’ appointees would suggest, but there remains (in my estimation) a very authoritarian slant – I can only point at 2 (Stuart McDonald MP, Lord Strasburger) who are likely to have a more civil liberties view.

Lords Appointees

Baroness Browning (Conservative 2010, was Minister for Crime Prevention and Anti-Social Behaviour Reduction, Home Office (2011))
Wiki TheyWorkForYou
Hasn’t spoken in any of the recent related debates. Expect to be pro-existing bill/authoritarian.

Lord Butler of Brockwell (Crossbench 1998, was Civil Service (Head of, 88-98), ISC 2010-15)
Wiki TheyWorkForYou
Was pro-DRIPA, although against the emergency process. Spoke on Anderson report, with mixed views. Was affected by IRA Brighton bombing. Expect to be relatively authoritarian, but may bring useful civil service views.

Bishop of Chester (Bishop 2001)
Wiki TheyWorkForYou
Has no relevant experience – not sure why selected. Did speak on the Anderson report. Seems generally rather pro-authoritarian, and while likes privacy, willing to give it away. Similar views in Counter-Terrorism and Security Bill.

Lord Hart of Chilton (Labour 2004, was Solicitor)
Wiki TheyWorkForYou
Barely speaks in debates. Has committee experience of legislative scrutiny. Unknown views.

Lord Henley (Conservative 1977, was Minister of State, Home Office (2011-12) – Crime Prevention and Anti-Social Behaviour Reduction)
Wiki TheyWorkForYou
Barely speaks at debates. Sits on Joint Committee on Human Rights, but am not sure of impact in that role. Expect to be authoritarian.

Lord Murphy of Torfaen (Labour 2015, was Sec State Wales/NI, Shadow Defence, sat on ISC 2001-08)
Wiki TheyWorkForYou
Has voted for mass retention before. Hasn’t spoken in any relevant debates. Expect to be very authoritarian.

Lord Strasburger(Liberal Democrat 2011, was Private Sector, sat on Draft Communications Data Bill committee)
Wiki TheyWorkForYou
Has been significantly involved in all related legislation. Pro-oversight, pro-civil liberties. Only member with experience of draft Communications Data Bill.

Improving OpenVPN security on Synology NAS

This guidance refers to DSM 5.2-5592 Update 4, with VPN Server 1.2-2456, and the official Android client v1.1.16 (build 74).

When setting up a VPN on a Synology NAS, you can make a choice between PPTP, OpenVPN, and L2TP/IPsec. For assorted reasons, I chose OpenVPN. However, I was underwhelmed with the security stance of the default Synology configuration. Specifically, the default was TLS/1.0, and used a username/password combo for authentication. TLS/1.0 has issues – the current best-practice is to use TLS 1.2. Just relying on a username/password opens you up to brute-force attacks, especially if you use a weak password as many people do in their intranet.

I have changed this configuration to use TLS 1.2, and TLS-authentication. I opted not to use a user key.

Below I have documented how to install and configure OpenVPN at this security level on a Synology NAS. I am using CloudStation to distribute files between my NAS and my clients – other approaches such as SMB shares would also work.

1) Install the VPN Server

Identify and set up a way to distribute files from the NAS to your client computers (e.g. phone, laptop, etc). I used CloudStation, with the Android and Windows DS Cloud clients.

Set up Dynamic DNS. Go to Control Panel, External Access, DDNS, and click Add. Follow the relevant instructions. Make a note of the hostname you pick. Alternately, from your home network browse to WhatIsMyIP.com or similar and make a note of your public IP address. Note: Most ISPs will give you a dynamic public IP address, which can change over time, hence the recommendation for Dynamic DNS.

Install VPN Log onto the NAS with admin credentials. Go to Package Center, Utilities, and click on Install for VPN Server (by Synology Inc).

Set up Port Forwarding. If your home router supports UPnP, go to Control Panel, External Access, Router Configuration. Click on Set up router, if prompted. When set up, click Create, Built-in application, and check the row which says “VPN Server UDP 1194 1194”. Click Apply, and then Save. If you encounter problems with this, you may not be using a UPnP server. In which case you need to go into your home router config, and set up port forwarding. You’ll want to forward traffic from your external IP UDP/1194, to the IP address of your NAS (e.g. 10.0.0.5) UDP/1194.

Optional: You may want to use a non-standard port rather than 1194. If so, you’ll either need to select a Custom Port in the router configuration page, or manually configure on your router. Just replace all mentions of 1194 in the above with the port you select, making sure you don’t use a port which is already in use.

Set up Auto Block. Go to Control Panel, Security, Auto Block. Check the “Enable auto block” checkbox, set the settings as appropriate. I recommend clicking on Allow/Block list, and adding the IP address of the computer you use to administer the NAS from to the “Allow List”. This will stop the NAS from blocking you even if you get the password wrong a few times. Click Apply when done.

2) Configure the VPN Server

GUI Setup

Go to VPN Server, General Settings, and uncheck “Grant VPN permission to newly added local users”. Verify that Auto Block is set up. Click Apply.

Go to VPN Server, Privilege, then uncheck all check boxes except the OpenVPN entries for the users you want to allow OpenVPN access. (Note: I’m assuming you’re not using PPTP/L2TP). I highly recommend you don’t allow admin to VPN in. Click Save when done.

Go to VPN Server, OpenVPN. Check the Enable checkbox, and set up your Dynamic IP address range etc. This must be a different subnet to your home network. If you chose to use a different port/protocol in step 1, change the Port and Protocol values. When complete, click Apply.

Click Export configuration – this will download a zip file to your local machine. Unzip that into your CloudStation folder.

Terminal Setup

SSH in. After doing the above, SSH into your NAS, as user “root”, using the same password as “admin”. If you cannot SSH in, go to Control Panel, Terminal & SNMP, and verify that “Enable SSH service” is checked, and configured as you expect.

Do the following commands, where $user is the username you’re using for cloudstation, and assuming the folders are in volume 1, and you unzipped the downloaded configuration into a folder called openvpn.


> cd /var/packages/VPNCenter/target/etc/openvpn/keys
> openvpn --genkey --secret ta.key
> cp ta.key /volume1/homes/$user/CloudStation/openvpn/
> chown $user.users /volume1/homes/$user/CloudStation/openvpn/ta.key
> vi /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf

Add the following lines:-

tls-version-min 1.2
tls-auth /var/packages/VPNCenter/target/etc/openvpn/keys/ta.key 0

Save the changes (Esc, :wq), then optionally exit the SSH session.

Restart the VPN server. This can be done by going to Package Center, Installed, VPN Server, and Clicking Action->Stop, then when stopped clicking Action->Start.

3) Configure the client

Edit the openvpn.ovpn file in your CloudStation. Find the YOUR_SERVER_IP and replace it with the dynamic DNS hostname or IP address you identified in step 1. Then add the following line:

tls-auth ta.key 1

Save the file.

Upload the ca.crt, openvpn.ovpn, and ta.key files on to your phone – they all need to be in the same directory. If using CloudStation, this will be done automagically when your phone is on your home WiFi.

Install the client “OpenVPN Connect” package on Android. Run it. Press the three dots in the top right, and go to Preferences. Scroll down to Minimum TLS version, and set to TLS 1.2. Go back to the main screen.

Press the three dots again, and select Import. Then “Import Profile from SD Card”. Browse to wherever you downloaded the openvpn.ovpn file, and select it. Enter your username and password.

Disconnect your phone from your home WiFi, and make sure mobile data is enabled. Click Connect. Fingers crossed, after a few seconds, a connection should happen.

If you don’t connect, and no error is shown, try the following:-

  • Verify that you’re using the correct IP/hostname
  • Verify you’ve set up port forwarding correctly
  • If you can’t tell the above, try changing the protocol to TCP. This can be done via the Synology GUI, or by changing the “proto udp6” in the server file to “proto tcp-server”. You’ll also need to change the openvpn.ovpn line “proto udp” to “proto tcp-client”. Don’t forget to restart the server, and delete and reimport the client.
  • Verify that the changes you made manually to the server config are still present, by ssh’ing in and checking with vi. It’s possible that changing settings via the GUI will clobber any manual changes you have made.

4) Optional improvements

By using a non-standard port (i.e. not 1194) you’ll be less likely to turn up on port scans.

Using the ta.key with tls-auth means that anyone attempting to connect to your server will need that key. If you want to use a user key instead or as well as a password, that could add extra security.

By default, with TLS1.2, the connection seems to be TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 which should be sufficient. If you want a different TLS cipher, first identify the string by SSHing to the server and running: openvpn –show-tls You can then set the selection through adding a “tls-cipher <: delimited ciphers>” in both the server and client.

The importance of specificity in Intelligence-related laws

Over the next week, I will be publishing my detailed thoughts on the  draft Investigatory Powers Bill Be warned – they’ll be long, and boring…

But before I do that, I want to discuss something which never seems to be covered. When discussing bills to do with surveillance and intelligence matters, there is always a discussion of the morality of the laws, of the interminable tug of war between privacy and safety. The debates in parliament often cover that, as well as some specific modifications, but what never seems to be discussed is how very different such bills are compared to most others, from a judicial and enforcement perspective.

The legal system in the UK is based around Common Law, generally through an adversarial system. I will below make the case that the legislation created for Intelligence and Surveillance related matters is insufficient, because of shortcomings in our legal system.

But first a bit of background… And a caveat – I am not a lawyer – the below is my understanding of the process and problems, and I would love to be corrected where I’ve made errors. Note: I have used civil liberties groups as an example of the opposition to government, but the relevant aspects could apply to any member of public.

Primary Legislation

Law generally begins with a need. The government decides that something should be made illegal, or should definitively be made legal. The government, or rather the specific departments, will provide a description of what they want to accomplish and pass this to the Office of Parliamentary Council. The OPC will draft a Bill. Eventually this Bill (after multiple iterations) will go through parliament, be voted on, and maybe become an Act of parliament, and law. See [1] for more details.

Secondary Legislation

An aim for Primary Legislation is for it to change slowly and rarely. However, the world changes – government departments are opened, closed, and disbanded. Technology changes. If the Primary Legislation is overly detailed, then parliament would spend all its time updating this legislation for minor tweaks rather than looking at the big picture. Most Primary Legislation therefore normally allows the government to provide minor updates, and more detailed instructions, through the use of Secondary Legislation.

This Secondary Legislation is limited by the Primary – i.e. the Primary specifically says what limited powers are conferred on the government. The Secondary Legislation, normally “Statutory Instruments” such as regulations, are written by the government and normally still need parliament to vote on and pass. However, these votes are generally quite pro-forma, and don’t have the large debates or proposed amendments that occur with primary legislation.

Common Law

A third class of law is created by the courts, rather than government. As cases are brought to the courts for judgement, case law [2] is created. Essentially, during the process of a trial the defendant and prosecution argue with each other (the adversarial system [3]). Ultimately the judge (and jury to a lesser extent) try to make a determination of what the law actually means, and whether the defendant is guilty or at fault. When a decision is made, case law is created – i.e. the court decides that the law, in this instance and any other similar/identical one, means x.

This case law can then be relied on for future interpretation of the primary and secondary legislation. Over time, a set of case law is created for any primary legislation, which will be much more detailed than anything parliament could, or would want to, create.

The Problem

Lack of case law

Intelligence related laws go through the normal process in their creation, both as primary and secondary legislation. However, I assert that they aren’t treated the same at the Common Law stage.

Intelligence related matters are necessarily secret. It is vital that the details of methods and techniques remain out of the hands of the country’s adversaries, as knowledge of them would allow these adversaries to avoid our intelligence agencies. This is a key reason why much intelligence-type surveillance is not allowed as evidence in trials. If included in evidence, then due to the adversarial system the defence would be able and indeed required to delve into how the evidence was obtained. As court proceedings are generally public, this would lead to sensitive information on methods and techniques becoming public.

Under some Acts of parliament, evidence may be introduced in secret, at closed hearings. A ‘special advocate’ is normally nominated to argue the defendants case in such a situation – however it should be noted that the defendant themself generally doesn’t know what happens in such courts, nor do their lawyers. There is therefore a lot of nervousness about whether the ‘special advocate’ is doing their job and has access to all relevant information. Furthermore, the detailed conclusions of such hearings do not become public, leading to such either not becoming case law, or leading to a secret set of case law such as that created by the US FISA courts [7].

Therefore, the main route by which intelligence-related law is tested in the courts and case law created, does not occur.

An alternate route to bring such laws into review and interpretation by the courts is through the public either suing the government because they believe the law has been broken (e.g. Amnesty and others over surveillance[4]), or seeking a judicial review if they think the process by which a law has come into effect was incorrect (e.g. David Davis MP and Tom Watson MP over DRIPA[5]).

A judicial review can only be used if there has been an error in process, in the case above the error being that EU law wasn’t correctly applied/followed when creating DRIPA. The result will generally to quash, or allow, law or specific parts. It will not, I believe, generally result in case law about the interpretation of meaning existing law.

The public can only sue if they have evidence that wrongdoing has taken place. Due to the secrecy inherent in intelligence matters, such evidence does not generally become public. Subjects of surveillance are not, as a rule, aware that they are under surveillance, irrespective of whether it is lawful or not. The suit brought by Amnesty et al was only possible due to the Snowden leaks.

Ultimately therefore, except when egregious errors are made in process, or whistleblowers leak possible areas of unlawfulness, the courts do not get to see these matters in public, and so no case law can be created.

Difference of opinion

Another way of saying the above is that there is no way to clarify what the government thinks a law says, and whether that tallies with what the public thinks it says. Primary Legislation is very vague, and Secondary Legislation is often not much less so. Furthermore, Secondary Legislation generally goes through much less rigourous examination.

A concrete example is that of the phrase “external connection” in RIPA. The government believed it referred to any communication with an external endpoint, including any servers the data routes through. So, for example, if your email server is external to the UK, then it is an external connection, even when using that email to talk to another person in the UK [6]. This was at odds with what a lot of people, including civil liberties organisations, believed to be the case.

Due to our adversarial system, a judge cannot act as inquisitor, delving into the truth. Instead, they remain an impartial arbiter as two parties fight to convince the judge of their interpretation. Without the laws going through the courts, there is no opportunity for this fight, leaving the legislation wide open for interpretation, and without any realistic check or balance that the government is interpreting. Oversight bodies are limited in their powers. They additionally run the ever-present danger of internalising the government’s interpretations (especially within, for example, the Intelligence and Security Committee of Parliament) without realising they are doing so.

Possible Solutions

Ultimately, I think a combination of things are needed for Intelligence-related (which includes Surveillance, such as the draft Investigatory Powers Bill) legislation. This includes changes in the way that such legislation is drafted, the government being more open of interpretation, and ways to create case law outside of traditional approaches.

The first item needed is greater specificity in both primary and secondary legislation. This runs the risk of creating law which needs changing more often, and so a case can be made that this should be done in regulations rather than the bills themselves. However, it must be recognised that secondary legislation normally go through on the nod, without much or any debate. If specifics will be implemented in secondary legislation then there must be a recognition that more debate and review will be needed at that stage.

The next is that the government should be open about interpretation of law, even when it applies to potential methods and techniques. This will help build trust between civil liberties groups and the government, and will also help the government avoid situations such as that which the IPT found in the Amnesty case – that the government had been breaking the law but that due to the leaks of Snowden it was now not doing so, because the leaks had made public facts that should already have been public.

Finally, there must be a recognition that the courts do not have the opportunity to create case law in these matters – a situation the current draft Investigatory Powers Bill makes no better, and indeed s171(3) of that draft may make worse. Alternate approaches should therefore be considered. For example, an approach somewhat akin to Moot courts [8] where civil liberties groups and government can work together to introduce representative test cases, with the government taking part in a neither-confirm-nor-deny approach with respect to methods and techniques actually being used. The results of such moot trials could be allowed as case law, which the government would be required to treat as real case law.

I submit that the status quo is insufficient, and has contributed to the current breakdown in trust between the people and government. We must look outside normal practices, while staying inside established principles of legislation and jurisprudence, in order to help heal this wound. Failure to do so will only lead to increased recriminations on all sides.

[1] https://www.gov.uk/guidance/legislative-process-taking-a-bill-through-parliament
[2] https://en.wikipedia.org/wiki/Common_law
[3] https://en.wikipedia.org/wiki/Adversarial_system
[4] http://www.ipt-uk.com/docs/Liberty_Ors_Judgment_6Feb15.pdf
[5] https://www.judiciary.gov.uk/wp-content/uploads/2015/07/davis_judgment.pdf
[6] http://www.theguardian.com/world/2014/jun/17/mass-surveillance-social-media-permitted-uk-law-charles-farr
[7] https://en.wikipedia.org/wiki/United_States_Foreign_Intelligence_Surveillance_Court#Secret_law
[8] https://en.wikipedia.org/wiki/Moot_court

An underwhelming start on IPBill

So, the Draft Investigatory Powers Bill has now been released. I’m in the process of working through the draft myself, and will post something here soon. In the interim though, the House of Commons has nominated 7 people to sit on the joint committee of Commons and Lords, to discuss the draft. The names are below.

At a first look, I’m pretty underwhelmed. The makeup (4 Con, 2 Lab, 1 SNP) reflects the breakdown of MPs (not public vote %) which is pretty standard, but I’m disappointed there’s no Lib Dem. The LD have been easily the most vocal party for civil liberties, and killed the outrageous snoopers charter. Maybe that’s why they’re not included.

Furthermore, it’s of note that 4 of the 7 are new MPs (4 Con, 1 SNP), and so it’s to be expected they’ll do what their party bosses require of them. Only 1 (Suella Fernandes) commented on Wednesday’s debate on the bill. The rest seem to have no real interest in the subject, or applicable knowledge (I’ll come back and edit this when I read more). In the interim, below are the people, with links to their TheyWorkForYou profiles.

EDIT: I’ve now had some time to look into their profiles. Generally relevant-ish qualifications – there’s a load of lawyers but only 1 person with any technology knowledge, and he was just a journalist who specialised in consumer technology. Most appear likely to follow party lines, overall there’s definitely a pro-authoritarian slant.

Victoria Atkins [Con, 2015-]
TheyWorkForYou

Barrister (Serious & Organised Crime) will have good relevant knowledge. Expect to be pro-authoritarian.

Suella Fernandes [Con, Barrister, 2015-]
TheyWorkForYou
Debate

Suella may be a good pick. Has knowledge of the law, and at least some interest, despite being a fresh MP. Knowledge of international (US) law.

Mr David Hanson [Lab, 1992-]
TheyWorkForYou

2010 Shadow Minister at the Home Office. Experienced MP, has some knowledge/experience. Expected to be pro-authoritarian (has previously voted for ID cards, and for Data Retention)

Stuart C. McDonald [SNP, 2015-]
TheyWorkForYou

Has worked for immigration services as a Human Rights Solicitor. May be balanced in views.

Dr Andrew Murrison [Con, 2001-, voted against Iraq war]
TheyWorkForYou

Voted against Iraq war, which took balls as a Conservative. Voted for data retention but against ID cards. Not sure of views, but unlikely to be cowed by whips on moral matters.

Valerie Vaz [Lab, 2010-]
TheyWorkForYou

Has law experience. Seems not to have had an interest in surveillance etc, and has voted in line with government. Not sure why picked. Likely to follow the party line.

Matt Warman [Con, 2015-]
TheyWorkForYou

Only person nominated who has any knowledge of tech (was previous Consumer Technology Editor at the The Daily Telegraph newspaper. Sits on the Science and Technology Select Committee. Probably shallow knowledge of tech.

DRIPA disapplied following judicial review

I told you so :)  (see previous DRIPA commentary when I said “This bill doesn’t address the shortcomings highlighted in the ECJ ruling, and so it would inevitably be over-ruled in the future.”)

The UK High Court has just ruled that DRIPA section 1 (data retention) has been ruled inconsistent with European Law. As such, they have disapplied that section of the law – essentially making it no-longer be law. They have however suspended their ruling until March 2016, in order to give the UK government time to respond.

For most of those interested in the subject, this was no surprise. DRIPA was rushed through and didn’t appear to mitigate the issues that had previously caused the ECJ to rule the EU Data Retention Directive invalid/unlawful. It is a kick in the teeth to the government, and will help civil liberties campaigners who had always asserted that DRIPA shouldn’t have been rushed through the way it was.

What is of real interest now is what this means for the upcoming interception/surveillance bill, due to be introduced in Autumn 2015. This bill is aimed at updating RIPA, merging in DRIPA, and potentially (as recommended in both the RUSI and Anderson reports) simplifying the interception/surveillance laws in the UK. There was already a hard deadline for this new bill to receive royal assent – DRIPA has a sunset clause of December 2016 – and many people had already indicated that it will be a rush to get this bill through by then, given it’s scope. Trying to do the same before March 2016 will be a nightmare, especially given the large number of aspects where many MPs and the general public are diametrically opposed.

So, what will the government do? Firstly, I expect them to appeal – they’ve been given the right to do so, and they lose nothing by doing so. Assuming the appeal fails, they’ve a few options:

  1. DRIPA #2: Rush through a hack to fix DRIPA. In which case, will they keep the existing sunset clause, or try to extend it? Any expedited action would be very unpopular amongst MPs – even those in favour of broad interception etc powers were upset by the government’s tactics last time. Likewise, any attempt to extend the sunset clause would be very unpopular, despite that any DRIPA #2 would take up valuable time in the parliamentary calendar.
  2. Compress RIPA-replacement timescale: Rather than aiming for a December 2016 Royal Assent, they could aim for a March 2016 one. This would be feasible, but non-trivial. The committee stages would need to be greatly shortened. It would also leave the government to procedural actions to delay progress, which could lead to them accepting pro-civil-liberties amendments. It may also require a reduction in the scope of the proposed legislation, so that it will just be a RIPA(+DRIPA) replacement, rather than also covering all other ways that interception can legally take place.
  3. Keep to existing timescale: They could just accept that all the extra data that the government wants retained under RIPA could be lost between March 2016 and Dec 2016. Note that this doesn’t mean they won’t be able to access retained data – they still can using RIPA – nor that companies won’t retain data – they still will as they may need it for their own internal use – but it will mean that companies may (or will, due to the Data Protection Act) stop retaining any extra data that the government had previously required they do. The government and intelligence services wouldn’t be happy with this, but they could quite quickly contact the telecoms providers and see what data will be lost – it may well be a manageable amount. However, it would be politically bad, as the fact that the intelligence services and police could get by without this data would help the civil liberties argument that they don’t need the data.

I honestly don’t know which of these will happen. My gut says (2), or (3) if the data lost isn’t vital.

The actual judgement states that:

The order will be that s 1 is disapplied after that date:
a) in so far as access to and use of communications data retained pursuant to a retention notice is permitted for purposes other than the prevention and detection of serious offences or the conduct of criminal prosecutions relating to such offences; and
b)in so far as access to the data is not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary for the purpose of attaining the objective pursued.

I am most certainly not a lawyer, but it seems to me that this means that DRIPA s1 could still be applied for “serious offences” if the retention notices themselves state that in order to access the data, there must be prior review by a court – i.e. a warrant or similar. DRIPA s1(4)(d) seems to allow the secretary of state to quickly update regulations (i.e. secondary legislation, which doesn’t go through parliament for debate etc) to do this as “The Secretary of State may by regulations make further provision … Such provision may… include provision about… access to… data retained by virtue of this section”

For more reading, the judgment can be found here: https://www.judiciary.gov.uk/judgments/david-davis-and-others-v-secretary-of-state-for-the-home-department/

See also the Independent Reviewer of Terrorism Legislations first thoughts on the matter: https://terrorismlegislationreviewer.independent.gov.uk/dripa-2014-s1-declared-unlawful/

Turnout requirements for strikes

The current Tory government has long threatened, and is now enacting, legislation to require that a certain minimum turnout is needed for a strike, and with an even higher level for public sector. Specifically, for non-public sector there would have to be a 50% turnout. For public sector, there is an additional requirement that 40% of eligible members would need to back a strike.

The ostensible reason for this is that a number of strikes over the last decade have occurred with relatively small turnouts. For example, in 2014, the GMB union strike only had 23% turnout, and only 17% of eligible members voted in favour of a strike.

The current rules state that only a majority of actual votes are needed. In the most extreme (and unrealistic case), if a union had a million members, but only 1 person replied to the ballot, and voted for a strike, then all one million members would go on strike. This is obviously absurd. The other extreme of requiring all one million to vote in favour is equally absurd.

The situation as is favours the “noisy majority” – those who are politically active and radical are more likely to vote, and so they are more likely for their voice to be heard, giving their views disproportionate strength. It seems logical to me that there has to be a sensible minimum turnout and/or minimum ‘in favour’ – the question is what is that number?

The current law controlling this is the Trade Union and Labour Relations (Consolidation) Act 1992 and there is a useful Code of Practice for ballots etc. It’s seriously complicated, but very interesting – well worth a read if you’re bored sometime.

One reason for low turnouts is the rules in the law/CoP about how a ballot must take place. The law is very prescriptive about how a ballot takes place, including the format of the ballot, and most importantly that the ballot has to be done on paper, generally sent via first class mail. There are lots of reasons for low turnout due to this – ballots can be lost in the mail, filled out incorrectly, people may be on holiday, or frankly people suck at remembering to post a letter in time etc. I think apathy is the main reason but have no evidence for that.

A simple way to partially meet these concerns – making turnouts higher and thus it more likely that turnout will be significant enough to be the obvious will of the union membership, is to allow electronic voting, ensuring of course that the confidentiality of the secret ballot is maintained, and the integrity of the result. This is a non-trivial, but certainly solvable, problem. Giving unions the option to do electronic ballots is, IMHO, the correct way to go.

IOCCO report on Journalist Sources

The IOCCO yesterday (Feb 4th 2015) released their report [1] on the use of RIPA by police to identify journalistic sources. I had a few thoughts I decided to put down here.

Firstly, the report seems to have been rather rigourous, with some exceptions. The conclusions seem decisive and the recommendations seem sensible. The key conclusion is that “Police forces are not randomly trawling communications data relating to journalists in order to identify their sources.”

As ever, the Interception of Communications Commissioner doesn’t pull its punches, criticising that “the majority of [RIPA] applications did not sufficiently justify the principles of necessity and proportionality” (7.15 and 7.16 of the Report[1]). This lead to conclusions in 8.6 and 8.7, with recommendations in 8.9.

It will be extremely interesting to see if the government responds to these conclusions, either through Primary or Secondary legislation. I wonder if the current Counter-Terrorism and Security Bill [3] may provide an opportunity for this, although as this Government Bill is in Report stage in the Lords, and hence has almost run its course, then it is probably too late – amendments will need to be placed within the next few days.

Organisations outside of scope

It should be noted that possible users of interception warrants beyond the Police forces (see RIPA 2000 6(2)) [2] were not included, as they were out of scope of the investigation by the IOCCO. It’s very unlikely, but not impossible, that the Security Service, SIS, GCHQ, HMRC, or Defence Intelligence, or those in 6(2)(j), would be making RIPA requests which could have been related to journalistic sources.

The Interception of Communications Commisioner may consider including queries regarding journalistic sources within the scope of his annual reporting for all users of interception and communications data warrants, not just the police.

Use after interception

The report was looking for interceptions for investigations which “involve determining if a member of police force or other party have been in contact with a journalist” (Annex B pp. 41 of the Report). Paragraph 4.3 of the report shows how this was a broader remit than just looking at where communications addresses of journalists or their employers were targeted. This is to the IOCCO’s credit.

However, there is a grey area that may not have been covered. Note that it’s possible that a) I’ve misunderstood the law and there is no grey area, b) this was covered by the IOCCO investigation, or c) while the grey area exists, no use is made of it. Indeed, I think (c) to be highly likely when it relates to journalistic sources.

The grey area I refer to is what happens when information of any kind (traffic, subscriber, or service use communications data, or actual intercept) has been acquired under a valid purpose and for a valid reason, and under a valid warrant, not related to journalistic sources. But this information ended up identifying a journalistic source, by ‘accident’ or otherwise, in such a way that it would not fall within the remit of IOCCO’s request in Annex B of their report. Note: I have no reason to believe this is happening, rather this is floated as a “what if?”

I’m differentiating here between purpose (as defined in RIPA 5(3) for interception, and RIPA 22(2) for communications data) and reason. The reason is the specific reason that is entered on the warrant application, e.g. investigation of large scale drug dealing between people A and B.

The grey area relates to the exact meaning of “authorised purposes” in RIPA ss 15.

RIPA 15(3) states that data should be destroyed as soon as it is no longer needed for the authorised purposes, but nowhere is this term defined. If “authorised purposes” means purpose (as defined above), rather than reason, then data intercepted for one reason could be analysed and used for another reason, as long as the other reasons are covered by a purpose. Furthermore, no actual RIPA request is needed for this subsequent analysis. Given this, then RIPA requests which do not in any way relate to journalistic sources, could lead to subsequent analysis and use which does. Thus if the checks for journalistic privilege, or any other privilege, are done at interception rather than analysis, then these checks could be accidentally, or purposefully, circumvented.

Indeed, this has direct analogies in other areas of policing, for example police executing a search warrant for one reason may seize items unrelated to the search warrant if they have reasonable cause. [4]

This is touched upon in paragraph 6.2 of the Interception of Communications Code of Practice[5], but this is essentially just a restatement of the relevant RIPA sections. It is also touched upon in paragraph 8.7 of the IOCCO report, although the report doesn’t address when data was acquired for one reason, but analysed for another.

As an aside, while interception / communications data warrants themselves must be periodically renewed, the intercepted data itself does not need to be – i.e. the data can be retained for as long as it is needed, or “is likely to become” (RIPA 15(4)(a)) necessary, for any of the “authorised purposes”.

For an example of this grey area, let us suppose the police are investigating the leak of sensitive information to a nation state. They make a RIPA request for relevant information, which when analysed identifies the target was in contact with a journalist. The investigating police officer realises that the target was likely the source for a recent embarrassing story by the journalist. The investigation also identifies that the target was not the source of the leak to the nation state.

In the above example the link between journalist and source has been identified, and maybe could be followed up on, by the police despite that the police would not have had sufficient grounds for a RIPA request under Council of Europe Recommendation No R (2000) 7, as described in paragraph 6.41 of the IOCCO report. Furthermore, while Principle 6(b) of that document says that such journalistic source information, irrespective of the purpose (or reason, by my definition) for which it was gained, should not be used as evidence before a court, it says nothing about using the information as the foundation for investigation by the police.

The government should consider defining “authorised purposes” with respect to RIPA, and furthermore should clarify what use can be made of data which has been acquired for a specific purpose and reason.

The IOCCO may wish to consider investigating how common it is that data acquired for one reason is used for a different reason.

References

[1] IOCCO Report: http://www.iocco-uk.info/docs/IOCCO%20Communications%20Data%20Journalist%20Inquiry%20Report%204Feb15.pdf
[2] Interception Warrant users: http://www.legislation.gov.uk/ukpga/2000/23/part/I/chapter/I/crossheading/interception-warrants
[3] Counter-Terrorism and Security Bill: http://services.parliament.uk/bills/2014-15/counterterrorismandsecurity.html
[4] PACE Code B: See section 7, pp 15, for Seizure and retention of property https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/306655/2013_PACE_Code_B.pdf
[5] Interception of Communications Code of Practice: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/97956/interception-comms-code-practice.pdf