IOCCO report on Journalist Sources

The IOCCO yesterday (Feb 4th 2015) released their report [1] on the use of RIPA by police to identify journalistic sources. I had a few thoughts I decided to put down here.

Firstly, the report seems to have been rather rigourous, with some exceptions. The conclusions seem decisive and the recommendations seem sensible. The key conclusion is that “Police forces are not randomly trawling communications data relating to journalists in order to identify their sources.”

As ever, the Interception of Communications Commissioner doesn’t pull its punches, criticising that “the majority of [RIPA] applications did not sufficiently justify the principles of necessity and proportionality” (7.15 and 7.16 of the Report[1]). This lead to conclusions in 8.6 and 8.7, with recommendations in 8.9.

It will be extremely interesting to see if the government responds to these conclusions, either through Primary or Secondary legislation. I wonder if the current Counter-Terrorism and Security Bill [3] may provide an opportunity for this, although as this Government Bill is in Report stage in the Lords, and hence has almost run its course, then it is probably too late – amendments will need to be placed within the next few days.

Organisations outside of scope

It should be noted that possible users of interception warrants beyond the Police forces (see RIPA 2000 6(2)) [2] were not included, as they were out of scope of the investigation by the IOCCO. It’s very unlikely, but not impossible, that the Security Service, SIS, GCHQ, HMRC, or Defence Intelligence, or those in 6(2)(j), would be making RIPA requests which could have been related to journalistic sources.

The Interception of Communications Commisioner may consider including queries regarding journalistic sources within the scope of his annual reporting for all users of interception and communications data warrants, not just the police.

Use after interception

The report was looking for interceptions for investigations which “involve determining if a member of police force or other party have been in contact with a journalist” (Annex B pp. 41 of the Report). Paragraph 4.3 of the report shows how this was a broader remit than just looking at where communications addresses of journalists or their employers were targeted. This is to the IOCCO’s credit.

However, there is a grey area that may not have been covered. Note that it’s possible that a) I’ve misunderstood the law and there is no grey area, b) this was covered by the IOCCO investigation, or c) while the grey area exists, no use is made of it. Indeed, I think (c) to be highly likely when it relates to journalistic sources.

The grey area I refer to is what happens when information of any kind (traffic, subscriber, or service use communications data, or actual intercept) has been acquired under a valid purpose and for a valid reason, and under a valid warrant, not related to journalistic sources. But this information ended up identifying a journalistic source, by ‘accident’ or otherwise, in such a way that it would not fall within the remit of IOCCO’s request in Annex B of their report. Note: I have no reason to believe this is happening, rather this is floated as a “what if?”

I’m differentiating here between purpose (as defined in RIPA 5(3) for interception, and RIPA 22(2) for communications data) and reason. The reason is the specific reason that is entered on the warrant application, e.g. investigation of large scale drug dealing between people A and B.

The grey area relates to the exact meaning of “authorised purposes” in RIPA ss 15.

RIPA 15(3) states that data should be destroyed as soon as it is no longer needed for the authorised purposes, but nowhere is this term defined. If “authorised purposes” means purpose (as defined above), rather than reason, then data intercepted for one reason could be analysed and used for another reason, as long as the other reasons are covered by a purpose. Furthermore, no actual RIPA request is needed for this subsequent analysis. Given this, then RIPA requests which do not in any way relate to journalistic sources, could lead to subsequent analysis and use which does. Thus if the checks for journalistic privilege, or any other privilege, are done at interception rather than analysis, then these checks could be accidentally, or purposefully, circumvented.

Indeed, this has direct analogies in other areas of policing, for example police executing a search warrant for one reason may seize items unrelated to the search warrant if they have reasonable cause. [4]

This is touched upon in paragraph 6.2 of the Interception of Communications Code of Practice[5], but this is essentially just a restatement of the relevant RIPA sections. It is also touched upon in paragraph 8.7 of the IOCCO report, although the report doesn’t address when data was acquired for one reason, but analysed for another.

As an aside, while interception / communications data warrants themselves must be periodically renewed, the intercepted data itself does not need to be – i.e. the data can be retained for as long as it is needed, or “is likely to become” (RIPA 15(4)(a)) necessary, for any of the “authorised purposes”.

For an example of this grey area, let us suppose the police are investigating the leak of sensitive information to a nation state. They make a RIPA request for relevant information, which when analysed identifies the target was in contact with a journalist. The investigating police officer realises that the target was likely the source for a recent embarrassing story by the journalist. The investigation also identifies that the target was not the source of the leak to the nation state.

In the above example the link between journalist and source has been identified, and maybe could be followed up on, by the police despite that the police would not have had sufficient grounds for a RIPA request under Council of Europe Recommendation No R (2000) 7, as described in paragraph 6.41 of the IOCCO report. Furthermore, while Principle 6(b) of that document says that such journalistic source information, irrespective of the purpose (or reason, by my definition) for which it was gained, should not be used as evidence before a court, it says nothing about using the information as the foundation for investigation by the police.

The government should consider defining “authorised purposes” with respect to RIPA, and furthermore should clarify what use can be made of data which has been acquired for a specific purpose and reason.

The IOCCO may wish to consider investigating how common it is that data acquired for one reason is used for a different reason.

References

[1] IOCCO Report: http://www.iocco-uk.info/docs/IOCCO%20Communications%20Data%20Journalist%20Inquiry%20Report%204Feb15.pdf
[2] Interception Warrant users: http://www.legislation.gov.uk/ukpga/2000/23/part/I/chapter/I/crossheading/interception-warrants
[3] Counter-Terrorism and Security Bill: http://services.parliament.uk/bills/2014-15/counterterrorismandsecurity.html
[4] PACE Code B: See section 7, pp 15, for Seizure and retention of property https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/306655/2013_PACE_Code_B.pdf
[5] Interception of Communications Code of Practice: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/97956/interception-comms-code-practice.pdf

Advertisements

Missing the point on Edward Snowden

I’ve been watching the Snowden/NSA stories with some interest. There’s the information which keeps dribbling out into the press. There’s the ongoing saga of his search for asylum. There’s the over-reaction of the US government, and the maneuvers behind the scenes with other governments worldwide. And there’s the views of the citizens – covering the entire spectrum from the ‘he deserves a Nobel prize’ camp to the ‘hang him!’ lynch mobs.

It’s been a fun journey, and a small amount of valid and interesting information has sneaked into the press reporting. Unfortunately though, as time has passed, it has increasingly become apparent that most of the press, and the majority of lay people, seem to have missed the point. Instead, stories have deviated into the inconsequential – in fact the same pattern has occurred as we previously saw with wikileaks. Whether this is due to incompetent journalism, the race for ratings, or excellent PR, spin, and redirection by the US government I don’t know – probably a mix of them all.

Initial stories

The first story appeared on 5th June in The Guardian, and revealed that the US government was forcing Verizon to share the phone records of all calls on its system. This was followed by the disclosure of the Prism programme, and related stories on the same theme – that of the widespread surveillance of US (and other) citizens by the US government. This later broadened to include the UK government via GCHQ.

These stories were, and are, important. The widespread compromise of civil liberties in the western world, under cover of the fight against terrorism, child pornography, and other abhorrent acts, should be of concern to anyone. Knowledge of the scope of these compromises is vital, as is an understanding of the oversight bodies and processes that in theory balance security needs with privacy rights. Democracy thrives on information, as only a well informed populace have a chance to make informed decisions on which leaders they want to elect; whether the populace actually pays attention or not, or makes informed decisions is another subject altogether.

The Snowden Story

The focus of the reporting changed on 9th June, when Snowden decided to go public. For the next week the story became Snowden, and not the information he was leaking. Where was he hiding, what was his plans, how hot was his ex-girlfriend? Domestic intelligence stories largely disappeared in the press and while a few more stories cropped up on 20th and 21st June, the focus appears to have irrevocably moved on.

This was a repeat of the progress of the wikileaks story – where it morphed into the Assange story. And with the same effect.

I wonder if maybe a press which is constantly on the hunt for more page hits, and a society which cares more about the Kardashians than the incompetence of the US Congress, are happy to concentrate on these human interest stories rather than spending the time and effort necessary to do good quality journalism.

Hidden within these stories though are some nuggets of reporting on newsworthy events. The international machinations behind Snowden’s search for asylum are valid stories, as are related events like the blocking of the Bolivian president’s flight.

International Espionage

The focus partially moved on on 16th June, when the next leak occurred – with the Guardian reporting that GCHQ had intercepted politician’s comms at the 2009 G20. Many commentators conflated this with the earlier domestic surveillance reports, but this was an egregious error in reporting. I’m not sure if this was a continuation of the search for ratings, a naivety of the realities of international politics, or something else. I am however sure that this leak and the hypocritical and self-serving furor which followed, have managed to dilute and obfuscate the original point.

Governments spy on other governments. Any nation which says otherwise is lying. The scale of that spying will be limited by affordability, and to a lesser extent political concerns. Anyone who isn’t aware of this is, I believe, naive. Reporting that country A has spied on country B isn’t really news, although it may be interesting in the same way that knowing that pop star A is banging TV star B. Titillation rather than news. And in no way constructive.

This is very different from the initial stories. Nations which talk about freedom, while at the same time spying on their own citizens, with minimal, incomplete, or incompetent regulatory frameworks and oversight, should be reported on. Civil servants and militaries who lie to the public, public servants, and oversight bodies, should absolutely be investigated, called out, and brought to task. This is where whistleblowing is vital and should be protected, and where good quality journalism comes in.

The other part of the international espionage part of the story is the reactions of the ‘victims’. The other G20 members, and later the EU, have been vocal in their righteous indignation. The hypocrisy of their response stinks. Does anyone really believe that the French DGSE only spends their 500 million Euro annual budget on chasing terrorists? That said, the pique shown appears to be in accord with norms of international behaviour – country A spies on country B, gets caught, country B complains, and life goes on. This context seems not to be reported on in the press. To quote Hunter S Thompson, “In a closed society where everybody’s guilty, the only crime is getting caught.”

Overreaction of the US government

Running in parallel to these stories, and of considerable interest, is the (over-)reaction of the US (and to a lesser extent UK) government. The US has declared that Snowden is a traitor, has revoked his passport, and behind the scenes threatened governments worldwide not to accept his asylum requests – all allegedly without an international arrest warrant. There are reports that a secret warrant has been issued – which would be somewhat ironic if true.

The US appears to be spending an immense amount of political capital on chasing down a single individual, one who cannot do any more harm than he has already done (given that he has apparently made secure backup copies of all his files). The US again seems to seek revenge rather than justice – a depressingly common attitude in the last couple of decades.

Reporting on the behaviour of the US in this area is definitely worthwhile. The issue is that the press appears to only be able to focus on a couple of things at once; the original civil liberties discussion has disappeared. Whether it will reappear is unknown, but given past history I’m not holding my breath. Binney, Wiebe, Loomis, Roark, Klein, Drake – this particular NSA whistle has been blown many times before, and has consistently failed to elicit any improvement in oversight and civil liberties.

The missed point – Proportionality and Oversight

I have no problem with government agencies having taps on IT and telephony, and performing interception. That is their role, and it is a necessary evil – not just for counter-terrorism, but also serious and organised crime and, yes, military/political espionage. I have no problem with one nation spying on another nation, including against any government or quasi-governmental staff.

It’s a more gray area when espionage is performed for ‘economic’ purposes, most famously by China. But heh, according to RIPA that’s legal in the UK, and (unlike China) we sort-of admit it – it is in a publicly available law after all. Ultimately I think state-sponsored economic espionage is acceptable, with the caveat that those states must realise that when they are caught then they will likely face calls for reparations and sanctions.

I have no issue with police and intelligence having access to citizens data when there’s need. There are lots of bad people in the world, and a lot of them live or operate in the UK.

I stand by all of the above, with a couple of major and all encompassing caveats. Firstly, proportionality – any intrusion on privacy must be proportionate to the crime. Hoovering up everyone’s data and storing it for long periods is potentially very disproportionate. Note that this isn’t limited to SIGINT/COMINT. This also relates to issues such as retention of DNA, criminal records recording arrests without charge and being used against you, etc.

The second issue is oversight. The purpose of the oversight is to enforce proportionality and ensure only that which is necessary is done. Transparency is related to this – there must be transparency of process, and of oversight, but not transparency of each decision – there are often valid reasons for secrecy.

My issues with the US, and possibly the UK, is due to failings in oversight, which has led to failings in proportionality. In the UK there is at least transparency of the oversight process, although there are definitely loopholes in legislation which can be leveraged, whereas US oversight is cloaked in shadows. I don’t blame NSA/GCHQ/whomever for using these failings and loopholes; they have a job to do and can, will, and indeed should, push the limits of what they are allowed to legally do in order to do their job. The failing is in the legal frameworks and oversight which have apparently allowed these organisations to exceed acceptable (nb: a very subjective issue) levels of proportionality.

Ultimately the blame lies with our political masters. It is their job to set these frameworks, and enforce the oversight. In my opinion they have certainly not done so in the US, and to a lesser extent have failed in the UK. To quote Vladimir Putin, “you do have to obtain a warrant for specific policing activities domestically, so why shouldn’t this requirement be valid for intelligence agencies as well?” When you’re being schooled in civil liberties by Putin, worry.