The IOCCO yesterday (Feb 4th 2015) released their report on the use of RIPA by police to identify journalistic sources. I had a few thoughts I decided to put down here.
Firstly, the report seems to have been rather rigorous, with some exceptions. The conclusions seem decisive and the recommendations seem sensible. The key conclusion is that “Police forces are not randomly trawling communications data relating to journalists in order to identify their sources.”
As ever, the Interception of Communications Commissioner doesn’t pull its punches, criticising that “the majority of [RIPA] applications did not sufficiently justify the principles of necessity and proportionality” (7.15 and 7.16 of the Report). This led to conclusions in 8.6 and 8.7, with recommendations in 8.9.
It will be extremely interesting to see if the government responds to these conclusions, either through Primary or Secondary legislation. I wonder if the current Counter-Terrorism and Security Bill may provide an opportunity for this, although as this Government Bill is in Report stage in the Lords, and hence has almost run its course, it is probably too late – amendments will need to be placed within the next few days.
Organisations outside of scope
It should be noted that possible users of interception warrants beyond the Police forces (see RIPA 2000 6(2)) were not included, as they were out of scope of the investigation by the IOCCO. It’s very unlikely, but not impossible, that the Security Service, SIS, GCHQ, HMRC, or Defence Intelligence, or those in 6(2)(j), would be making RIPA requests which could have been related to journalistic sources.
The Interception of Communications Commissioner may consider including queries regarding journalistic sources within the scope of his annual reporting for all users of interception and communications data warrants, not just the police.
Use after interception
The report was looking for interceptions for investigations which “involve determining if a member of police force or other party have been in contact with a journalist” (Annex B pp. 41 of the Report). Paragraph 4.3 of the report shows how this was a broader remit than just looking at where communications addresses of journalists or their employers were targeted. This is to the IOCCO’s credit.
However, there is a grey area that may not have been covered. Note that it’s possible that a) I’ve misunderstood the law and there is no grey area, b) this was covered by the IOCCO investigation, or c) while the grey area exists, no use is made of it. Indeed, I think (c) to be highly likely when it relates to journalistic sources.
The grey area I refer to is what happens when information of any kind (traffic, subscriber, or service use communications data, or actual intercept) has been acquired under a valid purpose and for a valid reason, and under a valid warrant, not related to journalistic sources. But this information ended up identifying a journalistic source, by ‘accident’ or otherwise, in such a way that it would not fall within the remit of IOCCO’s request in Annex B of their report. Note: I have no reason to believe this is happening, rather this is floated as a “what if?”
I’m differentiating here between purpose (as defined in RIPA 5(3) for interception, and RIPA 22(2) for communications data) and reason. The reason is the specific reason that is entered on the warrant application, e.g. investigation of large scale drug dealing between people A and B.
The grey area relates to the exact meaning of “authorised purposes” in RIPA ss 15.
RIPA 15(3) states that data should be destroyed as soon as it is no longer needed for the authorised purposes, but nowhere is this term defined. If “authorised purposes” means purpose (as defined above), rather than reason, then data intercepted for one reason could be analysed and used for another reason, as long as the other reasons are covered by a purpose. Furthermore, no actual RIPA request is needed for this subsequent analysis. Given this, RIPA requests which do not in any way relate to journalistic sources could lead to subsequent analysis and use which does. Thus if the checks for journalistic privilege, or any other privilege, are done at interception rather than analysis, then these checks could be accidentally, or purposefully, circumvented.
Indeed, this has direct analogies in other areas of policing, for example police executing a search warrant for one reason may seize items unrelated to the search warrant if they have reasonable cause. 
This is touched upon in paragraph 6.2 of the Interception of Communications Code of Practice, but this is essentially just a restatement of the relevant RIPA sections. It is also touched upon in paragraph 8.7 of the IOCCO report, although the report doesn’t address when data was acquired for one reason, but analysed for another.
As an aside, while interception / communications data warrants themselves must be periodically renewed, the intercepted data itself does not need to be – i.e. the data can be retained for as long as it is needed, or “is likely to become” (RIPA 15(4)(a)) necessary, for any of the “authorised purposes”.
For an example of this grey area, let us suppose the police are investigating the leak of sensitive information to a nation state. They make a RIPA request for relevant information, which when analysed identifies the target was in contact with a journalist. The investigating police officer realises that the target was likely the source for a recent embarrassing story by the journalist. The investigation also identifies that the target was not the source of the leak to the nation state.
In the above example the link between journalist and source has been identified, and maybe could be followed up on, by the police despite the fact that the police would not have had sufficient grounds for a RIPA request under Council of Europe Recommendation No R (2000) 7, as described in paragraph 6.41 of the IOCCO report. Furthermore, while Principle 6(b) of that document says that such journalistic source information, irrespective of the purpose (or reason, by my definition) for which it was gained, should not be used as evidence before a court, it says nothing about using the information as the foundation for investigation by the police.
The government should consider defining “authorised purposes” with respect to RIPA, and furthermore should clarify what use can be made of data which has been acquired for a specific purpose and reason.
The IOCCO may wish to consider investigating how common it is that data acquired for one reason is used for a different reason.
 IOCCO Report: http://www.iocco-uk.info/docs/IOCCO%20Communications%20Data%20Journalist%20Inquiry%20Report%204Feb15.pdf
 Interception Warrant users: http://www.legislation.gov.uk/ukpga/2000/23/part/I/chapter/I/crossheading/interception-warrants
 Counter-Terrorism and Security Bill: http://services.parliament.uk/bills/2014-15/counterterrorismandsecurity.html
 PACE Code B: See section 7, pp 15, for Seizure and retention of property https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/306655/2013_PACE_Code_B.pdf
 Interception of Communications Code of Practice: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/97956/interception-comms-code-practice.pdf