No evidence of Balance: the Joint Committee on draft Investigatory Powers Bill

The Joint Committee on the IP Bill has now been stood up, and we’ve finally got the names of the Lords appointed. Following on from an underwhelming start, as I’ve previously noted, I continue to be underwhelmed, maybe even dismayed, by the Lords appointed. I hope to be pleasantly surprised, but am not confident. Fundamentally, the committee appears to have a pro-authoritarian slant, and has virtually no experience with technology – not a great combination.

Before I discuss the membership in detail, I also wanted to make a point on time. The joint committee is due to report by 11 February 2016. That gives at most 7 weeks for the committee to review the draft bill, and report. This is not much time, especially with Christmas and New Year in the middle of the period. It may be sufficient, but this is definitely something to keep an eye on.

And now to the membership.

Membership Overview

From the perspective of the Lords, there are 2 Conservative, 2 Labour, 1 Crossbench, 1 Bishop(!), and 1 Liberal Democrat. 3 of the 7 have been government Ministers, and 1 was the Head of the Civil Service. None have any in-depth technical knowledge. Overall, the Lords’ contingent is definitely an ‘insiders’ group – indeed 2 are or were members of the Intelligence Services Committee. When looking at speaking history for DRIPA, the draft IP Bill, and the Anderson report, most have been silent, showing little interest in the subject. Only Lord Strasburger appears to have a pro-civil liberties stance, and only he had involvement with the previous draft Communications Data Bill.

When we include the MPs, there are 6 Conservative, 4 Labour, 1 SNP, 1 LibDem, 1 Crossbench, and 1 Bishop. A minority (1 MP+3 Lords) have spoken on DRIPA, the Anderson Report, or the IP Bill. The overall committee are less insiders (4 Lords+1 MP) than the Lords’ appointees would suggest, but there remains (in my estimation) a very authoritarian slant – I can only point at 2 (Stuart McDonald MP, Lord Strasburger) who are likely to have a more civil liberties view.

Lords Appointees

Baroness Browning (Conservative 2010, was Minister for Crime Prevention and Anti-Social Behaviour Reduction, Home Office (2011))
Wiki TheyWorkForYou
Hasn’t spoken in any of the recent related debates. Expect to be pro-existing bill/authoritarian.

Lord Butler of Brockwell (Crossbench 1998, was Civil Service (Head of, 88-98), ISC 2010-15)
Wiki TheyWorkForYou
Was pro-DRIPA, although against the emergency process. Spoke on Anderson report, with mixed views. Was affected by IRA Brighton bombing. Expect to be relatively authoritarian, but may bring useful civil service views.

Bishop of Chester (Bishop 2001)
Wiki TheyWorkForYou
Has no relevant experience – not sure why selected. Did speak on the Anderson report. Seems generally rather pro-authoritarian, and while likes privacy, willing to give it away. Similar views in Counter-Terrorism and Security Bill.

Lord Hart of Chilton (Labour 2004, was Solicitor)
Wiki TheyWorkForYou
Barely speaks in debates. Has committee experience of legislative scrutiny. Unknown views.

Lord Henley (Conservative 1977, was Minister of State, Home Office (2011-12) – Crime Prevention and Anti-Social Behaviour Reduction)
Wiki TheyWorkForYou
Barely speaks at debates. Sits on Joint Committee on Human Rights, but am not sure of impact in that role. Expect to be authoritarian.

Lord Murphy of Torfaen (Labour 2015, was Sec State Wales/NI, Shadow Defence, sat on ISC 2001-08)
Wiki TheyWorkForYou
Has voted for mass retention before. Hasn’t spoken in any relevant debates. Expect to be very authoritarian.

Lord Strasburger (Liberal Democrat 2011, was Private Sector, sat on Draft Communications Data Bill committee)
Wiki TheyWorkForYou
Has been significantly involved in all related legislation. Pro-oversight, pro-civil liberties. Only member with experience of draft Communications Data Bill.


The importance of specificity in Intelligence-related laws

Over the next week, I will be publishing my detailed thoughts on the draft Investigatory Powers Bill. Be warned – they’ll be long, and boring…

But before I do that, I want to discuss something which never seems to be covered. When discussing bills to do with surveillance and intelligence matters, there is always a discussion of the morality of the laws, of the interminable tug of war between privacy and safety. The debates in parliament often cover that, as well as some specific modifications, but what never seems to be discussed is how very different such bills are compared to most others, from a judicial and enforcement perspective.

The legal system in the UK is based around Common Law, generally through an adversarial system. I will below make the case that the legislation created for Intelligence and Surveillance related matters is insufficient, because of shortcomings in our legal system.

But first a bit of background… And a caveat – I am not a lawyer – the below is my understanding of the process and problems, and I would love to be corrected where I’ve made errors. Note: I have used civil liberties groups as an example of the opposition to government, but the relevant aspects could apply to any member of public.

Primary Legislation

Law generally begins with a need. The government decides that something should be made illegal, or should definitively be made legal. The government, or rather the specific departments, will provide a description of what they want to accomplish and pass this to the Office of the Parliamentary Counsel. The OPC will draft a Bill. Eventually this Bill (after multiple iterations) will go through parliament, be voted on, and maybe become an Act of parliament, and law. See [1] for more details.

Secondary Legislation

An aim for Primary Legislation is for it to change slowly and rarely. However, the world changes – government departments are opened, closed, and disbanded. Technology changes. If the Primary Legislation is overly detailed, then parliament would spend all its time updating this legislation for minor tweaks rather than looking at the big picture. Most Primary Legislation therefore normally allows the government to provide minor updates, and more detailed instructions, through the use of Secondary Legislation.

This Secondary Legislation is limited by the Primary – i.e. the Primary specifically says what limited powers are conferred on the government. The Secondary Legislation, normally “Statutory Instruments” such as regulations, are written by the government and normally still need parliament to vote on and pass. However, these votes are generally quite pro-forma, and don’t have the large debates or proposed amendments that occur with primary legislation.

Common Law

A third class of law is created by the courts, rather than government. As cases are brought to the courts for judgement, case law [2] is created. Essentially, during the process of a trial the defendant and prosecution argue with each other (the adversarial system [3]). Ultimately the judge (and jury to a lesser extent) try to make a determination of what the law actually means, and whether the defendant is guilty or at fault. When a decision is made, case law is created – i.e. the court decides that the law, in this instance and any other similar/identical one, means x.

This case law can then be relied on for future interpretation of the primary and secondary legislation. Over time, a set of case law is created for any primary legislation, which will be much more detailed than anything parliament could, or would want to, create.

The Problem

Lack of case law

Intelligence related laws go through the normal process in their creation, both as primary and secondary legislation. However, I assert that they aren’t treated the same at the Common Law stage.

Intelligence related matters are necessarily secret. It is vital that the details of methods and techniques remain out of the hands of the country’s adversaries, as knowledge of them would allow these adversaries to avoid our intelligence agencies. This is a key reason why much intelligence-type surveillance is not allowed as evidence in trials. If included in evidence, then due to the adversarial system the defence would be able and indeed required to delve into how the evidence was obtained. As court proceedings are generally public, this would lead to sensitive information on methods and techniques becoming public.

Under some Acts of parliament, evidence may be introduced in secret, at closed hearings. A ‘special advocate’ is normally nominated to argue the defendant’s case in such a situation – however it should be noted that the defendant themself generally doesn’t know what happens in such courts, nor do their lawyers. There is therefore a lot of nervousness about whether the ‘special advocate’ is doing their job and has access to all relevant information. Furthermore, the detailed conclusions of such hearings do not become public, leading to such either not becoming case law, or leading to a secret set of case law such as that created by the US FISA courts [7].

Therefore, the main route by which intelligence-related law is tested in the courts and case law created, does not occur.

An alternate route to bring such laws into review and interpretation by the courts is through the public either suing the government because they believe the law has been broken (e.g. Amnesty and others over surveillance[4]), or seeking a judicial review if they think the process by which a law has come into effect was incorrect (e.g. David Davis MP and Tom Watson MP over DRIPA[5]).

A judicial review can only be used if there has been an error in process, in the case above the error being that EU law wasn’t correctly applied/followed when creating DRIPA. The result will generally be to quash, or allow, the law or specific parts of it. It will not, I believe, generally result in case law about the interpretation of the meaning of existing law.

The public can only sue if they have evidence that wrongdoing has taken place. Due to the secrecy inherent in intelligence matters, such evidence does not generally become public. Subjects of surveillance are not, as a rule, aware that they are under surveillance, irrespective of whether it is lawful or not. The suit brought by Amnesty et al was only possible due to the Snowden leaks.

Ultimately therefore, except when egregious errors are made in process, or whistleblowers leak possible areas of unlawfulness, the courts do not get to see these matters in public, and so no case law can be created.

Difference of opinion

Another way of saying the above is that there is no way to clarify what the government thinks a law says, and whether that tallies with what the public thinks it says. Primary Legislation is very vague, and Secondary Legislation is often not much less so. Furthermore, Secondary Legislation generally goes through much less rigorous examination.

A concrete example is that of the phrase “external connection” in RIPA. The government believed it referred to any communication with an external endpoint, including any servers the data routes through. So, for example, if your email server is external to the UK, then it is an external connection, even when using that email to talk to another person in the UK [6]. This was at odds with what a lot of people, including civil liberties organisations, believed to be the case.

Due to our adversarial system, a judge cannot act as inquisitor, delving into the truth. Instead, they remain an impartial arbiter as two parties fight to convince the judge of their interpretation. Without the laws going through the courts, there is no opportunity for this fight, leaving the legislation wide open for interpretation, and without any realistic check or balance that the government is interpreting. Oversight bodies are limited in their powers. They additionally run the ever-present danger of internalising the government’s interpretations (especially within, for example, the Intelligence and Security Committee of Parliament) without realising they are doing so.

Possible Solutions

Ultimately, I think a combination of things is needed for Intelligence-related (which includes Surveillance, such as the draft Investigatory Powers Bill) legislation. This includes changes in the way that such legislation is drafted, the government being more open about interpretation, and ways to create case law outside of traditional approaches.

The first item needed is greater specificity in both primary and secondary legislation. This runs the risk of creating law which needs changing more often, and so a case can be made that this should be done in regulations rather than the bills themselves. However, it must be recognised that secondary legislation normally goes through on the nod, without much or any debate. If specifics will be implemented in secondary legislation then there must be a recognition that more debate and review will be needed at that stage.

The next is that the government should be open about interpretation of law, even when it applies to potential methods and techniques. This will help build trust between civil liberties groups and the government, and will also help the government avoid situations such as that which the IPT found in the Amnesty case – that the government had been breaking the law but that due to the leaks of Snowden it was now not doing so, because the leaks had made public facts that should already have been public.

Finally, there must be a recognition that the courts do not have the opportunity to create case law in these matters – a situation the current draft Investigatory Powers Bill makes no better, and indeed s171(3) of that draft may make worse. Alternate approaches should therefore be considered. For example, an approach somewhat akin to Moot courts [8] where civil liberties groups and government can work together to introduce representative test cases, with the government taking part in a neither-confirm-nor-deny approach with respect to methods and techniques actually being used. The results of such moot trials could be allowed as case law, which the government would be required to treat as real case law.

I submit that the status quo is insufficient, and has contributed to the current breakdown in trust between the people and government. We must look outside normal practices, while staying inside established principles of legislation and jurisprudence, in order to help heal this wound. Failure to do so will only lead to increased recriminations on all sides.


An underwhelming start on IPBill

So, the Draft Investigatory Powers Bill has now been released. I’m in the process of working through the draft myself, and will post something here soon. In the interim though, the House of Commons has nominated 7 people to sit on the joint committee of Commons and Lords, to discuss the draft. The names are below.

At a first look, I’m pretty underwhelmed. The makeup (4 Con, 2 Lab, 1 SNP) reflects the breakdown of MPs (not public vote %) which is pretty standard, but I’m disappointed there’s no Lib Dem. The LD have been easily the most vocal party for civil liberties, and killed the outrageous snoopers charter. Maybe that’s why they’re not included.

Furthermore, it’s of note that 4 of the 7 are new MPs (4 Con, 1 SNP), and so it’s to be expected they’ll do what their party bosses require of them. Only 1 (Suella Fernandes) commented on Wednesday’s debate on the bill. The rest seem to have no real interest in the subject, or applicable knowledge (I’ll come back and edit this when I read more). In the interim, below are the people, with links to their TheyWorkForYou profiles.

EDIT: I’ve now had some time to look into their profiles. Generally relevant-ish qualifications – there’s a load of lawyers but only 1 person with any technology knowledge, and he was just a journalist who specialised in consumer technology. Most appear likely to follow party lines; overall there’s definitely a pro-authoritarian slant.

Victoria Atkins [Con, 2015-]

Barrister (Serious & Organised Crime) will have good relevant knowledge. Expect to be pro-authoritarian.

Suella Fernandes [Con, Barrister, 2015-]

Suella may be a good pick. Has knowledge of the law, and at least some interest, despite being a fresh MP. Knowledge of international (US) law.

Mr David Hanson [Lab, 1992-]

2010 Shadow Minister at the Home Office. Experienced MP, has some knowledge/experience. Expected to be pro-authoritarian (has previously voted for ID cards, and for Data Retention)

Stuart C. McDonald [SNP, 2015-]

Has worked for immigration services as a Human Rights Solicitor. May be balanced in views.

Dr Andrew Murrison [Con, 2001-, voted against Iraq war]

Voted against Iraq war, which took balls as a Conservative. Voted for data retention but against ID cards. Not sure of views, but unlikely to be cowed by whips on moral matters.

Valerie Vaz [Lab, 2010-]

Has law experience. Seems not to have had an interest in surveillance etc, and has voted in line with government. Not sure why picked. Likely to follow the party line.

Matt Warman [Con, 2015-]

Only person nominated who has any knowledge of tech (was previously Consumer Technology Editor at The Daily Telegraph newspaper). Sits on the Science and Technology Select Committee. Probably shallow knowledge of tech.

DRIPA disapplied following judicial review

I told you so :)  (see previous DRIPA commentary when I said “This bill doesn’t address the shortcomings highlighted in the ECJ ruling, and so it would inevitably be over-ruled in the future.”)

The UK High Court has just ruled that DRIPA section 1 (data retention) is inconsistent with European Law. As such, they have disapplied that section of the law – essentially making it no longer law. They have however suspended their ruling until March 2016, in order to give the UK government time to respond.

For most of those interested in the subject, this was no surprise. DRIPA was rushed through and didn’t appear to mitigate the issues that had previously caused the ECJ to rule the EU Data Retention Directive invalid/unlawful. It is a kick in the teeth to the government, and will help civil liberties campaigners who had always asserted that DRIPA shouldn’t have been rushed through the way it was.

What is of real interest now is what this means for the upcoming interception/surveillance bill, due to be introduced in Autumn 2015. This bill is aimed at updating RIPA, merging in DRIPA, and potentially (as recommended in both the RUSI and Anderson reports) simplifying the interception/surveillance laws in the UK. There was already a hard deadline for this new bill to receive royal assent – DRIPA has a sunset clause of December 2016 – and many people had already indicated that it will be a rush to get this bill through by then, given its scope. Trying to do the same before March 2016 will be a nightmare, especially given the large number of aspects where many MPs and the general public are diametrically opposed.

So, what will the government do? Firstly, I expect them to appeal – they’ve been given the right to do so, and they lose nothing by doing so. Assuming the appeal fails, they’ve a few options:

  1. DRIPA #2: Rush through a hack to fix DRIPA. In which case, will they keep the existing sunset clause, or try to extend it? Any expedited action would be very unpopular amongst MPs – even those in favour of broad interception etc powers were upset by the government’s tactics last time. Likewise, any attempt to extend the sunset clause would be very unpopular, despite that any DRIPA #2 would take up valuable time in the parliamentary calendar.
  2. Compress RIPA-replacement timescale: Rather than aiming for a December 2016 Royal Assent, they could aim for a March 2016 one. This would be feasible, but non-trivial. The committee stages would need to be greatly shortened. It would also leave the government open to procedural actions to delay progress, which could lead to them accepting pro-civil-liberties amendments. It may also require a reduction in the scope of the proposed legislation, so that it will just be a RIPA(+DRIPA) replacement, rather than also covering all other ways that interception can legally take place.
  3. Keep to existing timescale: They could just accept that all the extra data that the government wants retained under RIPA could be lost between March 2016 and Dec 2016. Note that this doesn’t mean they won’t be able to access retained data – they still can using RIPA – nor that companies won’t retain data – they still will as they may need it for their own internal use – but it will mean that companies may (or will, due to the Data Protection Act) stop retaining any extra data that the government had previously required they do. The government and intelligence services wouldn’t be happy with this, but they could quite quickly contact the telecoms providers and see what data will be lost – it may well be a manageable amount. However, it would be politically bad, as the fact that the intelligence services and police could get by without this data would help the civil liberties argument that they don’t need the data.

I honestly don’t know which of these will happen. My gut says (2), or (3) if the data lost isn’t vital.

The actual judgement states that:

The order will be that s 1 is disapplied after that date:
a) in so far as access to and use of communications data retained pursuant to a retention notice is permitted for purposes other than the prevention and detection of serious offences or the conduct of criminal prosecutions relating to such offences; and
b) in so far as access to the data is not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary for the purpose of attaining the objective pursued.

I am most certainly not a lawyer, but it seems to me that this means that DRIPA s1 could still be applied for “serious offences” if the retention notices themselves state that in order to access the data, there must be prior review by a court – i.e. a warrant or similar. DRIPA s1(4)(d) seems to allow the secretary of state to quickly update regulations (i.e. secondary legislation, which doesn’t go through parliament for debate etc) to do this as “The Secretary of State may by regulations make further provision … Such provision may… include provision about… access to… data retained by virtue of this section”

For more reading, the judgment can be found here:

See also the Independent Reviewer of Terrorism Legislation’s first thoughts on the matter:

Turnout requirements for strikes

The current Tory government has long threatened, and is now enacting, legislation to require that a certain minimum turnout is needed for a strike, and with an even higher level for public sector. Specifically, for non-public sector there would have to be a 50% turnout. For public sector, there is an additional requirement that 40% of eligible members would need to back a strike.

The ostensible reason for this is that a number of strikes over the last decade have occurred with relatively small turnouts. For example, in 2014, the GMB union strike only had 23% turnout, and only 17% of eligible members voted in favour of a strike.

The current rules state that only a majority of actual votes are needed. In the most extreme (and unrealistic) case, if a union had a million members, but only 1 person replied to the ballot, and voted for a strike, then all one million members would go on strike. This is obviously absurd. The other extreme of requiring all one million to vote in favour is equally absurd.

The situation as is favours the “noisy majority” – those who are politically active and radical are more likely to vote, and so they are more likely for their voice to be heard, giving their views disproportionate strength. It seems logical to me that there has to be a sensible minimum turnout and/or minimum ‘in favour’ – the question is what is that number?

The current law controlling this is the Trade Union and Labour Relations (Consolidation) Act 1992 and there is a useful Code of Practice for ballots etc. It’s seriously complicated, but very interesting – well worth a read if you’re bored sometime.

One reason for low turnouts is the rules in the law/CoP about how a ballot must take place. The law is very prescriptive about how a ballot takes place, including the format of the ballot, and most importantly that the ballot has to be done on paper, generally sent via first class mail. There are lots of reasons for low turnout due to this – ballots can be lost in the mail, filled out incorrectly, people may be on holiday, or frankly people suck at remembering to post a letter in time etc. I think apathy is the main reason but have no evidence for that.

A simple way to partially meet these concerns – making turnouts higher, and thus making it more likely that turnout will be significant enough to be the obvious will of the union membership – is to allow electronic voting, ensuring of course that the confidentiality of the secret ballot and the integrity of the result are maintained. This is a non-trivial, but certainly solvable, problem. Giving unions the option to do electronic ballots is, IMHO, the correct way to go.

IOCCO report on Journalist Sources

The IOCCO yesterday (Feb 4th 2015) released their report [1] on the use of RIPA by police to identify journalistic sources. I had a few thoughts I decided to put down here.

Firstly, the report seems to have been rather rigorous, with some exceptions. The conclusions seem decisive and the recommendations seem sensible. The key conclusion is that “Police forces are not randomly trawling communications data relating to journalists in order to identify their sources.”

As ever, the Interception of Communications Commissioner doesn’t pull its punches, criticising that “the majority of [RIPA] applications did not sufficiently justify the principles of necessity and proportionality” (7.15 and 7.16 of the Report[1]). This led to conclusions in 8.6 and 8.7, with recommendations in 8.9.

It will be extremely interesting to see if the government responds to these conclusions, either through Primary or Secondary legislation. I wonder if the current Counter-Terrorism and Security Bill [3] may provide an opportunity for this, although as this Government Bill is in Report stage in the Lords, and hence has almost run its course, then it is probably too late – amendments will need to be placed within the next few days.

Organisations outside of scope

It should be noted that possible users of interception warrants beyond the Police forces (see RIPA 2000 6(2)) [2] were not included, as they were out of scope of the investigation by the IOCCO. It’s very unlikely, but not impossible, that the Security Service, SIS, GCHQ, HMRC, or Defence Intelligence, or those in 6(2)(j), would be making RIPA requests which could have been related to journalistic sources.

The Interception of Communications Commissioner may consider including queries regarding journalistic sources within the scope of his annual reporting for all users of interception and communications data warrants, not just the police.

Use after interception

The report was looking for interceptions for investigations which “involve determining if a member of police force or other party have been in contact with a journalist” (Annex B pp. 41 of the Report). Paragraph 4.3 of the report shows how this was a broader remit than just looking at where communications addresses of journalists or their employers were targeted. This is to the IOCCO’s credit.

However, there is a grey area that may not have been covered. Note that it’s possible that a) I’ve misunderstood the law and there is no grey area, b) this was covered by the IOCCO investigation, or c) while the grey area exists, no use is made of it. Indeed, I think (c) to be highly likely when it relates to journalistic sources.

The grey area I refer to is what happens when information of any kind (traffic, subscriber, or service use communications data, or actual intercept) has been acquired under a valid purpose and for a valid reason, and under a valid warrant, not related to journalistic sources. But this information ended up identifying a journalistic source, by ‘accident’ or otherwise, in such a way that it would not fall within the remit of IOCCO’s request in Annex B of their report. Note: I have no reason to believe this is happening, rather this is floated as a “what if?”

I’m differentiating here between purpose (as defined in RIPA 5(3) for interception, and RIPA 22(2) for communications data) and reason. The reason is the specific reason that is entered on the warrant application, e.g. investigation of large scale drug dealing between people A and B.

The grey area relates to the exact meaning of “authorised purposes” in RIPA ss 15.

RIPA 15(3) states that data should be destroyed as soon as it is no longer needed for the authorised purposes, but nowhere is this term defined. If “authorised purposes” means purpose (as defined above), rather than reason, then data intercepted for one reason could be analysed and used for another reason, as long as the other reasons are covered by a purpose. Furthermore, no actual RIPA request is needed for this subsequent analysis. Given this, then RIPA requests which do not in any way relate to journalistic sources, could lead to subsequent analysis and use which does. Thus if the checks for journalistic privilege, or any other privilege, are done at interception rather than analysis, then these checks could be accidentally, or purposefully, circumvented.

Indeed, this has direct analogies in other areas of policing, for example police executing a search warrant for one reason may seize items unrelated to the search warrant if they have reasonable cause. [4]

This is touched upon in paragraph 6.2 of the Interception of Communications Code of Practice[5], but this is essentially just a restatement of the relevant RIPA sections. It is also touched upon in paragraph 8.7 of the IOCCO report, although the report doesn’t address when data was acquired for one reason, but analysed for another.

As an aside, while interception / communications data warrants themselves must be periodically renewed, the intercepted data itself does not need to be – i.e. the data can be retained for as long as it is needed, or “is likely to become” (RIPA 15(4)(a)) necessary, for any of the “authorised purposes”.

For an example of this grey area, let us suppose the police are investigating the leak of sensitive information to a nation state. They make a RIPA request for relevant information, which when analysed identifies the target was in contact with a journalist. The investigating police officer realises that the target was likely the source for a recent embarrassing story by the journalist. The investigation also identifies that the target was not the source of the leak to the nation state.

In the above example the link between journalist and source has been identified, and maybe could be followed up on, by the police despite that the police would not have had sufficient grounds for a RIPA request under Council of Europe Recommendation No R (2000) 7, as described in paragraph 6.41 of the IOCCO report. Furthermore, while Principle 6(b) of that document says that such journalistic source information, irrespective of the purpose (or reason, by my definition) for which it was gained, should not be used as evidence before a court, it says nothing about using the information as the foundation for investigation by the police.

The government should consider defining “authorised purposes” with respect to RIPA, and furthermore should clarify what use can be made of data which has been acquired for a specific purpose and reason.

The IOCCO may wish to consider investigating how common it is that data acquired for one reason is used for a different reason.


[1] IOCCO Report:
[2] Interception Warrant users:
[3] Counter-Terrorism and Security Bill:
[4] PACE Code B: See section 7, pp 15, for Seizure and retention of property
[5] Interception of Communications Code of Practice:

Snooper’s Charter via the back door

The Counter-Terrorism and Security Bill[1] is currently going through the Lords Committee stage[2] of parliamentary scrutiny. This stage allows interested parties to comment and provide feedback on the bill, and provides for a line-by-line examination of the bill. The general purpose is to tweak and amend the bill such that it is consistent, coherent, and actually meets the stated aims for the bill.

A number of amendments often result from this process. These are generally quite small, technical tweaks to clarify wording or include missing features. What they generally aren’t are massive changes which attempt to re-introduce other bills via the back door. An amendment proposed this week though does just that, attempting to sneak in the much maligned Snooper’s Charter.

Why should I care?

The powers being requested are, in my opinion, over-broad, with insufficient oversight and controls, confusingly drafted in places, and ultimately represent great potential danger to civil liberties. They’ll be expensive to implement, potentially harmful to your data security and privacy, and may not actually make you any safer.

And furthermore the powers are being sneaked in at the eleventh hour, circumventing a lot of parliamentary processes.

Who is moving the amendment?

The following Lords have moved this amendment:-
      Lord King of Bridgwater: Conservative member who served as Secretary of State for Defence, Northern Ireland, and others, under Thatcher. Chaired the Intelligence and Security Select Committee 1994-2001.
      Lord Blair of Boughton: Crossbench (i.e. of no specific party), was previously the Commissioner of the Met Police.
      Lord West of Spithead: Labour member, was Minister for Security and Counter-Terrorism.
      Lord Carlile of Berriew: Liberal Democrat, was the Independent Reviewer of Anti-Terrorism laws, succeeded by David Anderson QC. Was generally deemed ineffectual and pro-establishment when in this post, being in favour of control orders and 42 day detention periods.

These Lords are all ‘establishment’ members, whose backgrounds may imply their being more in favour of security controls rather than civil liberties. Personally I find it inconceivable that the government, and Theresa May MP, were not involved in the production of this amendment.

What is the amendment?

Essentially it’s a reintroduction of the Snooper’s Charter, vastly expanding retention beyond that provided for in the Data Retention and Investigatory Powers Act. For the text, see paragraphs 79-99 of [8].

It allows the Secretary of State to require that telecommunications operators (e.g. ISPs and mobile phone operators) must retain an assortment of data related to communications data for up to 12 months, and provide the data to certain public authorities when requested. It also allows the Secretary of State to require that telecoms operators use specific techniques, equipment, and systems.

As ever, the devil is in the detail for all these powers and requirements – and there are some serious devils in there. Please see the section “Criticism and Comments” for more information on this.

Why is it an amendment?

This is an excellent question, if I do say so myself. The Draft Communications Data Bill (aka Snooper’s Charter) was drafted by the government in 2012 but introduction to parliament was blocked by the Deputy PM Nick Clegg (Lib Dem).

Since then the government rushed through the Data Retention and Investigatory Powers Act 2014, ostensibly to fix data retention notices (from RIPA 2(1)) which had been ruled against by the ECJ. DRIP was very contentious for assorted reasons (see [3],[4]) but was successfully pushed through. A sunset clause of December 2016 was included, and it is expected that the whole subject of data retention and interception will be re-examined early next parliament.

So, the government couldn’t pass the Draft Communications Data Bill due to the Lib Dems blocking it, and couldn’t do too much in the Data Retention and Investigatory Powers Bill as that was emergency legislation and was controversial enough as it was. Theresa May has repeatedly asserted that she wants to pass the Communications Data Bill, and more recently David Cameron has signaled his renewed support in the light of the terrorist incidents in France (despite the fact that France already has something like the Communications Data Bill, which didn’t stop the attacks).

It seems to me therefore that this is an opportunistic attempt to reintroduce a long-standing policy of the Conservative party, taking advantage of the recent terrorist incidents around the world.

Why now?

As mentioned, the recent events in France and elsewhere provide a veneer of justification and shielding, and allow defenders of the amendment to brand opponents as leaving the UK vulnerable to such attacks, despite the evidence that such assertions are wrong.

Interestingly, during the debates on DRIP, one issue was why the sunset clause was so far in the future, and indeed why DRIP was urgent (it was pushed through in just a few days). The government, and supporters, claimed that there was urgency due to the ECJ ruling, and that the sunset clause date was to allow sufficient consideration of an upcoming review by David Anderson QC (and others, see “Reviews of RIPA and DRIP” in [4]).

“I recognise that a number of Members have suggested that this sunset clause should be at an earlier stage. I say to them that the reason it has been put at the end of 2016 is that we will have a review by David Anderson which will report before the general election.” Theresa May [6]

“If Members think about the processes that we want to go through to ensure a full and proper consideration of the capabilities and powers that are needed to deal with the threat that we face and then about the right legislative framework within which those powers and capabilities would be operated, they will realise that that requires sufficient time for consideration and then for legislation to be put in place. That explains the need for the sunset clause at the end of 2016.” Theresa May [6]

“My feeling is that a great deal of work could be done during those 12 months and a set of recommendations could be made available to an incoming Government in May to June 2015.” Lord Hodgson of Astley Abbots [5]

See also comments by Lord Taylor of Holbeach (Hansard HL Deb, 16 July 2014, c600 and c659)

The question therefore is why include the amendment now, before David Anderson’s review has been completed, and before there has been “sufficient time for consideration”.

To be fair, Lord Hodgson did state that “It is important to remember that the presence of a sunset clause, while it is absolute in its end date, does not mean that legislation could not be considered before that time if a Government decided that they were in a position to present it in Parliament.” [7] But I believe the point still stands – what is the urgency?

Furthermore the amendment has a sunset clause built in of December 2016 – the same as DRIP. So even if passed, this amendment will only survive for less than two years. The amendment allows the Secretary of State to require telecommunications providers to use specific equipment and systems, and provide remuneration, with an estimated cost of £1.8 billion (from the equivalent requirements in the Draft Communications Data Bill). There are also requirements to secure the data and systems sufficiently, and secondary legislation needs to be prepared before all this can happen. Surely therefore there is a significant risk that vast amounts of money and time will be invested into something which will expire, and may not be reintroduced, in less than 2 years’ time. Maybe the government believes that this money, once spent, would provide additional justification to reintroduce the bill in the future – this amendment playing the egg to the Communications Data Bill’s chicken?

Criticism and Comments

Process and timing

Before commenting on the substance of the amendment, I wanted to comment on the process of using an amendment in House of Lords Committee stage. In short, it’s despicable. The HL Committee stage is one of the last stages for the bill – it has already been through the majority of stages which could have considered and commented on this amendment – the House of Commons Second Reading, Committee and Report stage, and Third Reading stages, and House of Lords Second Reading. The only remaining stages are the House of Lords Third Reading and the final Consideration of amendments.

Sneaking in such a large amendment, which would be large enough to be a separate Bill on its own, at such a late stage doesn’t allow parliament the proper time to consider and comment on the proposed powers. It doesn’t allow proper time for the public and interested parties to review the powers, and communicate with their MPs – in fact all the stages at which an MP would normally propose changes to an amendment have already been passed.

Waiting so long to propose such a large amendment with such an impact on civil liberties can be nothing but an attempt to game the system and sneak in an unpopular policy via the back door.

Blanket retention

The amendment does not specifically require blanket retention, however it does provide for the Secretary of State to issue notices which would result in blanket retention. Conceptually I’m torn on this subject – I can see the usefulness of having long-term records of communications data, which can be queried after the fact, by authorised officials. However it’s also very dangerous having such a large amount of sensitive data collected, and there’s a real danger from the fishing expeditions that can be performed on such data.

Ultimately, the acceptability of such retention is reliant on how securely the data is stored, and the quality of the safeguards and oversight on access to the data by both the authorities and the telecoms operators themselves. Unfortunately this amendment is very weak regarding oversight and safeguards, and provides no limits on what the telecoms operator may themselves do with the data.

On the latter point, retention is normally governed by the Data Retention (EC Directive) Regulations 2009, implementing Directive 2006/24/EC of the EU Parliament, together with the Data Protection Act 1998 (DPA). I am assuming that the telecoms operators will not be allowed to use data retained due to this amendment for their own purposes not related to the amendment. Doing so would be contrary to Data protection principle #2 “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.” of the DPA.

It should be noted that Communications Data could be “Sensitive personal data” as defined in the DPA, for example information that a user is using Grindr would classify as sensitive personal data under subsection (2)(f) “personal data consisting as to […] his sexual life”. As such any processing done with that data must be in accordance with Schedule 3 of the DPA [15] – I think section 7 of that schedule allows this processing, but I’m not sure.

Amendment – Terms

It will be useful to be familiar with certain terms – described below. References to the amendment will be to the PDF of the amendments [9]. Note that I’m not covering the parts relating to postal services.

  • Communications Data: The set of all traffic data, use data, and subscriber data. Defined in pp14 section 1.
  • Authorisation Data: Communications data which is data obtained in order to gain authorisation to obtain communications data. This is defined under “Filtering arrangements”, wherein communications data can be obtained and processed without an authorisation, in order to provide evidence for an authorisation to be sought. Defined on pp 11 subsection (1).
  • Traffic Data: Data to do with the addressing, protocols, timestamps, and related information. See “Traffic Data” for some comments. Defined on pp17 subsections (2), (3).
  • Use Data: Data about how, when, where, etc a user uses the telecommunications service. Explicitly doesn’t include contents of the communication. Defined on pp17 subsection (4).
  • Subscriber Data: Information held by the telecoms service provider which isn’t Use Data or Traffic Data, about the user of the telecoms service. Defined on pp17 subsection (5).
  • Part 3B Data: Seems to be another word for Communications Data, but maybe specifically just the communications data which is being obtained/requested by a public authority. Defined pp 6 section 1.
  • Interception: Has the same meaning as in RIPA (sections 2 and 81), but see “Interception” below.
  • Relevant public authority: The police (and similar), National Crime Agency, and intelligence services. Defined on pp12.
  • Technical Oversight Board: Board established by section 13 of RIPA, which “shall consider the technical requirements and the financial consequences, for the person making the reference, of the notice referred to them and shall report their conclusions on those matters to that person and to the Secretary of State” RIPA 12(6)(b) [11].

Traffic Data

The Traffic Data, defined on pp 17, may be extremely broad. I believe it may include data that would traditionally be considered content, with subsections (2)(a) and (2)(b)(v) especially broad.

Subsection (3) is one of the most opaque sentences I’ve ever read – I still don’t know what it means or is trying to say: “Data identifying a computer file or computer program access to which is obtained, or which is run, by means of the communication is not “traffic data” except to the extent that the file or program is identified by reference to the apparatus in which it is stored.”

Retention Period

By default data will need to be retained for 12 months ((Period for which data is to be retained) pp 3), but optionally may be shorter if the Secretary of State so desires. However, this can be extended indefinitely if a public authority informs the telecoms provider that the data is or may be required for the purpose of legal proceedings.

Given that all data may be required, then this could result in public authorities requiring permanent storage of data. Furthermore the clause doesn’t specify that only the subset of data which is needed should be retained. For example, if there are possibly legal proceedings regarding subscriber X, and an extension is needed, should only user X’s data be retained beyond the 12 months, or all data?

Subsection (4) does require that a public authority inform the telecoms provider as soon as reasonably practicable when the data is no longer needed, which may be a sufficient safeguard against indefinite storage of all or most data.

One question I have is why the data needs to be retained after it has been provided to the public authority. The only reason I can think of is if the defence in legal proceedings is entitled to access to the data direct from the telecoms provider – nothing in the amendment directly allows for this, although there is the standard “otherwise as authorised by law” ((Access to data) subsection (1)(b) on pp 4).

Authorisation for Test Purposes

In addition to being able to get authorisation to communications data for specific investigations and purposes, subsection (1)(b)(ii) of (Authorisations by police and other relevant public authorities) on pp 6 allows authorisation to be given for “the purposes of testing, maintaining or developing equipment, systems or other capabilities”.

While I can see the need for access to live data in order to test equipment, this should very much be the exception rather than the rule. This subsection is the only mention of such authorisation or use for test purposes, and there are no additional safeguards to ensure this is a rare event and that privacy and proportionality is considered. For example, while I can understand if my subscriber data is accessed in pursuance of an investigation into some criminal behaviour, I would be incensed if it is accessed without my knowledge to test some equipment, especially as such testing may take several weeks and lead to a protracted attack on my privacy.


Interception

Subsection (4) of (Power to ensure or facilitate availability of data) on pp2 states that “Nothing in this Part authorises any conduct consisting in the interception of communications in the course of their transmission by means of a telecommunication system.” This is further restated in (Authorisations by police and other relevant public authorities) subsection (5)(a) on pp7. Interception is defined according to sections (2) and (81) of RIPA.

Interception normally would require a RIPA section 8(1) warrant. However, as stated in a witness statement [13] by Charles Farr of the Home Office, communications which terminate or originate outside the UK only need the very broad 8(4) warrant.

In the appeal between Coulson/Kuttner v Regina [12], the Lord Chief Justice ruled that, despite court rulings such as R v E [14], where the court said that “‘interception’ denotes some interference or abstraction of the signal, whether it is passing along wires or by wireless telegraphy, during the process of transmission.” (para 20), listening to voicemails stored on a server still counts as interception. Thus the courts seem to think that even temporary caching and storing in intermediary servers still counts as transmission, and hence accessing these would count as “interception”.

In that appeal, the Crown submitted that “The Crown does not maintain that the course of transmission necessarily includes all periods during which the transmission system stores the communication. However, it does submit that it does apply to those periods when the system is used for storage ‘in a manner that enables the intended recipient to collect it or otherwise have access to it’.” (para 11)

The question remains from the Crown contention – what “periods during which the transmission system stores the communication” do not count as the “course of transmission”, and hence access to which would not count as interception?

Furthermore, while subsection (4) of the amendment doesn’t authorise interception, neither does the amendment disallow interception. How, therefore, do the requirements for retention in subsection (3)(b) tally with a RIPA 8(4) warrant? Can a (3)(b) requirement in a retention notice be used to facilitate access to data under a RIPA 8(4) warrant?

Filtering Arrangements

Several pages of the amendment deal with “Filtering arrangements” – see pages 9-13. Even after having read these sections several times I’m still not sure what exactly they mean. But if they mean what I think they mean – the ability to go fishing for data without any warrant or per-case authorisation being needed – then I’m not happy at all.

(Filtering arrangements for obtaining data) subsection (2) states that these “filtering arrangements” may “involve the obtaining of Part 3B data in pursuance of authorisation” – i.e. obtaining communications data, in order to get authorisation to get communications data. The data will be obtained (subsection (2)(b)(i)), processed ((2)(b)(ii)) then disclosed to a designated senior officer ((2)(b)(iii)).

Now this may mean that a designated senior officer ((1)(a)) may be able to do a limited query to verify whether a request for authorisation is valid. For example, a police force requests authorisation to request details about subscriber X for IP address Y, so a designated senior officer does a quick check by querying the subscriber data for IP address Y, to verify that it does belong to subscriber X. This appears to be a use of the filtering arrangements on pp 9/10 (Use of filtering arrangements in pursuance of an authorisation). If this is the purpose for the section then I can see the usefulness of it, as long as it is secure and limited, and has good oversight.

It may however mean that a designated officer can grep for specific information, for example all subscribers which are using Tor, and use this as justification to provide authorisation against these subscribers. If this is the purpose, then I’m very much not happy. This sort of fishing trip when there’s no definitive evidence of a crime having happened or being planned, is a big no-no.

As drafted, I honestly don’t know what the purpose or mechanism for these “filtering arrangements” is. This whole set of clauses needs to be reworked to be more precise IMHO.

As an aside, some parts of these sections seem to imply that the Secretary of State themselves must do the querying etc.

Requirements on Telecoms Service Providers

The Secretary of State can impose an assortment of requirements on telecoms operators when serving them with a retention notice. These are defined on pp 2 (Power to ensure or facilitate availability of data) subsection (3), as part of an under under subsection (2)(b).

Also under (2)(b) the Secretary of State can impose ‘restrictions’. What ‘restrictions’ may be imposed is not defined.

The most critical of the requirements is that the Secretary of State can mandate that telecoms operators must “acquire, use or maintain specified equipment or systems” (subsection (3)(b)(ii)).

Essentially the government can order telecoms providers to put a black box on their network, which may provide the government a back door into their system. The telecom provider may not know what the box does, and may not be allowed to test it. The government can just say “trust us” and the telecoms operator must accept it. The government is also not liable for any losses if the black box goes wrong.

While the box cannot be used for “any conduct consisting in the interception of communications in the course of their transmissions” (subsection (4)), the actual definition of “interception” is rather fluffy – as discussed in the “Interception” section above.

If I was a telecoms operator I would be extremely unhappy with this, and as a user of such services I’m not comfortable either.


It’s interesting to note that nowhere in the amendment is there a requirement for the telecoms provider to maintain the confidentiality of any request(s) for data by public authorities. So a telecoms provider could a) tell the subject of such a request that the police have asked for their data, b) provide summary information to the public about how many such requests there have been, and/or c) detail publicly what information they collect and retain and so what information relevant public authorities could query for.

It’s possible that such a requirement of confidentiality may be raised according to (Power to ensure or facilitate availability of data) (subsection (3)), but I’m not sure this is covered in that section. Or confidentiality may be deemed a restriction, according to subsection (2)(b) – the allowed scope of such restrictions isn’t defined anywhere.

Personally I’m a fan of transparency where possible – I think ISPs should report what data they’re retaining, and provide summary information on what is being requested (such as # of users per year) – although this can and should also be reported by the IOCCO or similar – but I can also understand why they should not be allowed to tell their customers that they specifically are being targeted.


Speaking of the IOCCO, the subject of oversight is incompletely covered – specifically it is only covered where it relates to “Filtering Arrangements”.

The Secretary of State is required to give the Interception of Communications Commissioner certain information (pp 9, (Filtering arrangements for obtaining data) subsection (4)), provide an annual report (pp 11, (Duties in connection with operation of filtering arrangements) subsection (5)(b)) and report any significant contravention of the rules (subsection (7)). Whether the annual report will provide sufficient information for the IOCCO, I don’t know, but at least the subsection (4) requirements seem sufficient for the IOCCO.

There is not, however, any discussion of judicial oversight, appeals, or complaints other than by the telecoms provider, for retention orders or ‘Part 3B’ requests for the retained data. The IOCCO does not appear to have the power to investigate complaints nor impose penalties as the data retention from the amendment doesn’t derive from a RIPA warrant. It’s possible that other bodies may be able to investigate complaints by citizens, but this isn’t specifically called out – the situation is very complex as shown by the Surveillance Roadmap [10] (I especially recommend the table toward the back).

Telecoms providers can refer the retention notice to the “Technical Oversight Board” but they’re only providing oversight on the technical requirements and financial consequences (subsection (6)(b) of [11]), not the legality etc of the request. Furthermore, the Secretary of State can ignore the feedback from the Technical Oversight Board, and once ignored the subject cannot be referred again to the Technical Oversight Board.

There is also a requirement for the Secretary of State to consult OFCOM, the Technical Advisory Board, and the telecoms providers, before issuing a retention notice (pp 2 (Consultation Requirements)), but what a consultation means isn’t defined, nor is there any requirement for the Secretary of State to actually pay any attention to any feedback from such consultation, nor that such consultation should be public.

There are at least two stages where safeguards should apply: retention notices from the Secretary of State, and the authorisation for, and obtaining of, retained data by relevant public authorities. Currently there is a requirement for the former to be “in writing” (pp 4 (Other Safeguards) subsection (1)(a)). For the latter, authorisation must be documented as described in pp 7 (Form of authorisation and authorised notices).

It should be noted though that the amendment doesn’t say who, if anyone, can review or comment upon any of this documentation.

So, in summary, the oversight in this amendment is not fit for purpose.

Part 3B requests against People

Normally it would be expected that telecoms operators would be the recipients of both retention notices, and requests for communications data (Part 3B data) which has been retained. However, (Authorisations by police and other relevant public authorities) subsections (3)(b) and (3)(c) allow for the latter to be served against individuals – “any person whom the authorised officer believes is, or may be in possession of Part 3B data” or “is capable of obtaining it”. So, rather than serving the notice against an ISP who would have a legal team to investigate the legality of the request, and may fight it in the courts if they desire, an authorised officer could serve it against one of the people who work as a system administrator at the ISP.

That seems dangerous to me – there are undoubtedly reasons why an individual rather than a company may need to be served, but this is ripe for misuse, especially if such a notice can have any such confidentiality clause, such that the individual may be required ((Duties of telecommunications operators in relation to authorisations) subsection (2), pp 8) to provide such data without the knowledge or permission of their employer.

Liability and Compensation

People acting in accordance with Part 3A (i.e. retention notices) are protected from any civil liability according to (Enforcement and protection for compliance) subsection (4), pp 5. There does not, however, seem to be any such protection for Part 3B (i.e. public authorities obtaining data). Furthermore given that there is an obligation in Part 3A (Data security and integrity) on pp 3 to secure the data, I do wonder if such protection from civil liability would exist if, for example, a user’s communication data was stolen due to security shortcomings in their system.

Furthermore, who would be liable for civil suit if data was stolen from equipment, or due to standards or practices, which the Secretary of State has mandated ((Power to ensure or facilitate availability of data) subsection (3)(b))?

This issue of liability needs further clarification.

(Operators’ costs of compliance with Parts 3A and 3B) states that the government must recompense operators for the costs incurred, or likely to be incurred, to do with this amendment. The amendment obviously doesn’t estimate how much this may cost HMG, but it should be noted that estimates for the Draft Communications Data Bill were £1.8 billion.

Part 3C

There is no Part 3C. However, it’s mentioned on pages 2, 13, 14, and 18. I wonder what it was, and why it’s missing.

Obviously this is a well drafted amendment…


This amendment is a shocking attempt to circumvent opportunities for comment and railroad an unpopular policy through parliament. This is just the latest in a series of such attempts by the government.

The amendment is badly drafted and is confusing. It solves a problem that doesn’t exist – retention is already required by DRIP. There is absolutely insufficient oversight and no judicial involvement, with no way for individuals or telecoms companies to complain.


[1] Counter Terrorism and Security Bill homepage
[2] House of Lords Committee stage
[3] DRIP Introduction (Blog)
[4] Update on DRIP (Blog)
[5] Hansard HL Deb, 17 July 2014, c726
[6] Hansard HC Deb, 15 July 2014, c714
[7] Hansard HL Deb, 17 July 2014, c736
[8] Counter-Terrorism and Security Bill, Amendments (HTML) (Note: Different order to PDF)
[9] Counter-Terrorism and Security Bill, Amendments (PDF)
[10] Surveillance Roadmap
[11] RIPA 2000 Section 12
[12] Coulson v R Appeal
[13] Charles Farr Witness Statement
[14] Regina v E appeal
[15] Data Protection Act Schedule 3