No evidence of Balance: the Joint Committee on draft Investigatory Powers Bill

The Joint Committee on the IP Bill has now been stood up, and we’ve finally got the names of the Lords appointed. Following on from an underwhelming start, as I’ve previously noted, I continue to be underwhelmed, maybe even dismayed, by the Lords appointed. I hope to be pleasantly surprised, but am not confident. Fundamentally, the committee appears to have a pro-authoritarian slant, and has virtually no experience with technology – not a great combination.

Before I discuss the membership in detail, I also wanted to make a point on time. The joint committee is due to report by 11 February 2016. That gives at most 7 weeks for the committee to review the draft bill, and report. This is not much time, especially with Christmas and New Year in the middle of the period. It may be sufficient, but this is definitely something to keep an eye on.

And now to the membership.

Membership Overview

From the perspective of the Lords, there are 2 Conservative, 2 Labour, 1 Crossbench, 1 Bishop(!), and 1 Liberal Democrat. 3 of the 7 have been government Ministers, and 1 was the Head of the Civil Service. None have any in-depth technical knowledge. Overall, the Lords’ contingent is definitely an ‘insiders’ group – indeed 2 are or were members of the Intelligence Services Committee. When looking at speaking history for DRIPA, the draft IP Bill, and the Anderson report, most have been silent, showing little interest in the subject. Only Lord Strasburger appears to have a pro-civil liberties stance, and only he had involvement with the previous draft Communications Data Bill.

When we include the MPs, there are 6 Conservative, 4 Labour, 1 SNP, 1 LibDem, 1 Crossbench, and 1 Bishop. A minority (1 MP+3 Lords) have spoken on DRIPA, the Anderson Report, or the IP Bill. The overall committee are less insiders (4 Lords+1 MP) than the Lords’ appointees would suggest, but there remains (in my estimation) a very authoritarian slant – I can only point at 2 (Stuart McDonald MP, Lord Strasburger) who are likely to have a more civil liberties view.

Lords Appointees

Baroness Browning (Conservative 2010, was Minister for Crime Prevention and Anti-Social Behaviour Reduction, Home Office (2011))
Wiki TheyWorkForYou
Hasn’t spoken in any of the recent related debates. Expect to be pro-existing bill/authoritarian.

Lord Butler of Brockwell (Crossbench 1998, was Civil Service (Head of, 88-98), ISC 2010-15)
Wiki TheyWorkForYou
Was pro-DRIPA, although against the emergency process. Spoke on Anderson report, with mixed views. Was affected by IRA Brighton bombing. Expect to be relatively authoritarian, but may bring useful civil service views.

Bishop of Chester (Bishop 2001)
Wiki TheyWorkForYou
Has no relevant experience – not sure why selected. Did speak on the Anderson report. Seems generally rather pro-authoritarian, and while likes privacy, willing to give it away. Similar views in Counter-Terrorism and Security Bill.

Lord Hart of Chilton (Labour 2004, was Solicitor)
Wiki TheyWorkForYou
Barely speaks in debates. Has committee experience of legislative scrutiny. Unknown views.

Lord Henley (Conservative 1977, was Minister of State, Home Office (2011-12) – Crime Prevention and Anti-Social Behaviour Reduction)
Wiki TheyWorkForYou
Barely speaks at debates. Sits on Joint Committee on Human Rights, but am not sure of impact in that role. Expect to be authoritarian.

Lord Murphy of Torfaen (Labour 2015, was Sec State Wales/NI, Shadow Defence, sat on ISC 2001-08)
Wiki TheyWorkForYou
Has voted for mass retention before. Hasn’t spoken in any relevant debates. Expect to be very authoritarian.

Lord Strasburger (Liberal Democrat 2011, was Private Sector, sat on Draft Communications Data Bill committee)
Wiki TheyWorkForYou
Has been significantly involved in all related legislation. Pro-oversight, pro-civil liberties. Only member with experience of draft Communications Data Bill.

The importance of specificity in Intelligence-related laws

Over the next week, I will be publishing my detailed thoughts on the draft Investigatory Powers Bill. Be warned – they’ll be long, and boring…

But before I do that, I want to discuss something which never seems to be covered. When discussing bills to do with surveillance and intelligence matters, there is always a discussion of the morality of the laws, of the interminable tug of war between privacy and safety. The debates in parliament often cover that, as well as some specific modifications, but what never seems to be discussed is how very different such bills are compared to most others, from a judicial and enforcement perspective.

The legal system in the UK is based around Common Law, generally through an adversarial system. I will below make the case that the legislation created for Intelligence and Surveillance related matters is insufficient, because of shortcomings in our legal system.

But first a bit of background… And a caveat – I am not a lawyer – the below is my understanding of the process and problems, and I would love to be corrected where I’ve made errors. Note: I have used civil liberties groups as an example of the opposition to government, but the relevant aspects could apply to any member of public.

Primary Legislation

Law generally begins with a need. The government decides that something should be made illegal, or should definitively be made legal. The government, or rather the specific departments, will provide a description of what they want to accomplish and pass this to the Office of the Parliamentary Counsel. The OPC will draft a Bill. Eventually this Bill (after multiple iterations) will go through parliament, be voted on, and maybe become an Act of parliament, and law. See [1] for more details.

Secondary Legislation

An aim for Primary Legislation is for it to change slowly and rarely. However, the world changes – government departments are opened, closed, and disbanded. Technology changes. If the Primary Legislation is overly detailed, then parliament would spend all its time updating this legislation for minor tweaks rather than looking at the big picture. Most Primary Legislation therefore normally allows the government to provide minor updates, and more detailed instructions, through the use of Secondary Legislation.

This Secondary Legislation is limited by the Primary – i.e. the Primary specifically says what limited powers are conferred on the government. The Secondary Legislation, normally “Statutory Instruments” such as regulations, are written by the government and normally still need parliament to vote on and pass. However, these votes are generally quite pro-forma, and don’t have the large debates or proposed amendments that occur with primary legislation.

Common Law

A third class of law is created by the courts, rather than government. As cases are brought to the courts for judgement, case law [2] is created. Essentially, during the process of a trial the defendant and prosecution argue with each other (the adversarial system [3]). Ultimately the judge (and jury to a lesser extent) try to make a determination of what the law actually means, and whether the defendant is guilty or at fault. When a decision is made, case law is created – i.e. the court decides that the law, in this instance and any other similar/identical one, means x.

This case law can then be relied on for future interpretation of the primary and secondary legislation. Over time, a set of case law is created for any primary legislation, which will be much more detailed than anything parliament could, or would want to, create.

The Problem

Lack of case law

Intelligence related laws go through the normal process in their creation, both as primary and secondary legislation. However, I assert that they aren’t treated the same at the Common Law stage.

Intelligence related matters are necessarily secret. It is vital that the details of methods and techniques remain out of the hands of the country’s adversaries, as knowledge of them would allow these adversaries to avoid our intelligence agencies. This is a key reason why much intelligence-type surveillance is not allowed as evidence in trials. If included in evidence, then due to the adversarial system the defence would be able and indeed required to delve into how the evidence was obtained. As court proceedings are generally public, this would lead to sensitive information on methods and techniques becoming public.

Under some Acts of parliament, evidence may be introduced in secret, at closed hearings. A ‘special advocate’ is normally nominated to argue the defendant’s case in such a situation – however it should be noted that the defendant themself generally doesn’t know what happens in such courts, nor do their lawyers. There is therefore a lot of nervousness about whether the ‘special advocate’ is doing their job and has access to all relevant information. Furthermore, the detailed conclusions of such hearings do not become public, leading to such either not becoming case law, or leading to a secret set of case law such as that created by the US FISA courts [7].

Therefore, the main route by which intelligence-related law is tested in the courts and case law created, does not occur.

An alternate route to bring such laws into review and interpretation by the courts is through the public either suing the government because they believe the law has been broken (e.g. Amnesty and others over surveillance[4]), or seeking a judicial review if they think the process by which a law has come into effect was incorrect (e.g. David Davis MP and Tom Watson MP over DRIPA[5]).

A judicial review can only be used if there has been an error in process, in the case above the error being that EU law wasn’t correctly applied/followed when creating DRIPA. The result will generally be to quash, or allow, law or specific parts. It will not, I believe, generally result in case law about the interpretation of the meaning of existing law.

The public can only sue if they have evidence that wrongdoing has taken place. Due to the secrecy inherent in intelligence matters, such evidence does not generally become public. Subjects of surveillance are not, as a rule, aware that they are under surveillance, irrespective of whether it is lawful or not. The suit brought by Amnesty et al was only possible due to the Snowden leaks.

Ultimately therefore, except when egregious errors are made in process, or whistleblowers leak possible areas of unlawfulness, the courts do not get to see these matters in public, and so no case law can be created.

Difference of opinion

Another way of saying the above is that there is no way to clarify what the government thinks a law says, and whether that tallies with what the public thinks it says. Primary Legislation is very vague, and Secondary Legislation is often not much less so. Furthermore, Secondary Legislation generally goes through much less rigorous examination.

A concrete example is that of the phrase “external connection” in RIPA. The government believed it referred to any communication with an external endpoint, including any servers the data routes through. So, for example, if your email server is external to the UK, then it is an external connection, even when using that email to talk to another person in the UK [6]. This was at odds with what a lot of people, including civil liberties organisations, believed to be the case.

Due to our adversarial system, a judge cannot act as inquisitor, delving into the truth. Instead, they remain an impartial arbiter as two parties fight to convince the judge of their interpretation. Without the laws going through the courts, there is no opportunity for this fight, leaving the legislation wide open for interpretation, and without any realistic check or balance that the government is interpreting. Oversight bodies are limited in their powers. They additionally run the ever-present danger of internalising the government’s interpretations (especially within, for example, the Intelligence and Security Committee of Parliament) without realising they are doing so.

Possible Solutions

Ultimately, I think a combination of things is needed for Intelligence-related (which includes Surveillance, such as the draft Investigatory Powers Bill) legislation. This includes changes in the way that such legislation is drafted, the government being more open about interpretation, and ways to create case law outside of traditional approaches.

The first item needed is greater specificity in both primary and secondary legislation. This runs the risk of creating law which needs changing more often, and so a case can be made that this should be done in regulations rather than the bills themselves. However, it must be recognised that secondary legislation normally goes through on the nod, without much or any debate. If specifics will be implemented in secondary legislation then there must be a recognition that more debate and review will be needed at that stage.

The next is that the government should be open about interpretation of law, even when it applies to potential methods and techniques. This will help build trust between civil liberties groups and the government, and will also help the government avoid situations such as that which the IPT found in the Amnesty case – that the government had been breaking the law but that due to the leaks of Snowden it was now not doing so, because the leaks had made public facts that should already have been public.

Finally, there must be a recognition that the courts do not have the opportunity to create case law in these matters – a situation the current draft Investigatory Powers Bill makes no better, and indeed s171(3) of that draft may make worse. Alternate approaches should therefore be considered. For example, an approach somewhat akin to Moot courts [8] where civil liberties groups and government can work together to introduce representative test cases, with the government taking part in a neither-confirm-nor-deny approach with respect to methods and techniques actually being used. The results of such moot trials could be allowed as case law, which the government would be required to treat as real case law.

I submit that the status quo is insufficient, and has contributed to the current breakdown in trust between the people and government. We must look outside normal practices, while staying inside established principles of legislation and jurisprudence, in order to help heal this wound. Failure to do so will only lead to increased recriminations on all sides.

[1] https://www.gov.uk/guidance/legislative-process-taking-a-bill-through-parliament
[2] https://en.wikipedia.org/wiki/Common_law
[3] https://en.wikipedia.org/wiki/Adversarial_system
[4] http://www.ipt-uk.com/docs/Liberty_Ors_Judgment_6Feb15.pdf
[5] https://www.judiciary.gov.uk/wp-content/uploads/2015/07/davis_judgment.pdf
[6] http://www.theguardian.com/world/2014/jun/17/mass-surveillance-social-media-permitted-uk-law-charles-farr
[7] https://en.wikipedia.org/wiki/United_States_Foreign_Intelligence_Surveillance_Court#Secret_law
[8] https://en.wikipedia.org/wiki/Moot_court

An underwhelming start on IPBill

So, the Draft Investigatory Powers Bill has now been released. I’m in the process of working through the draft myself, and will post something here soon. In the interim though, the House of Commons has nominated 7 people to sit on the joint committee of Commons and Lords, to discuss the draft. The names are below.

At a first look, I’m pretty underwhelmed. The makeup (4 Con, 2 Lab, 1 SNP) reflects the breakdown of MPs (not public vote %) which is pretty standard, but I’m disappointed there’s no Lib Dem. The LD have been easily the most vocal party for civil liberties, and killed the outrageous snoopers’ charter. Maybe that’s why they’re not included.

Furthermore, it’s of note that 4 of the 7 are new MPs (4 Con, 1 SNP), and so it’s to be expected they’ll do what their party bosses require of them. Only 1 (Suella Fernandes) commented on Wednesday’s debate on the bill. The rest seem to have no real interest in the subject, or applicable knowledge (I’ll come back and edit this when I read more). In the interim, below are the people, with links to their TheyWorkForYou profiles.

EDIT: I’ve now had some time to look into their profiles. Generally relevant-ish qualifications – there’s a load of lawyers but only 1 person with any technology knowledge, and he was just a journalist who specialised in consumer technology. Most appear likely to follow party lines, overall there’s definitely a pro-authoritarian slant.

Victoria Atkins [Con, 2015-]
TheyWorkForYou

Barrister (Serious & Organised Crime) will have good relevant knowledge. Expect to be pro-authoritarian.

Suella Fernandes [Con, Barrister, 2015-]
TheyWorkForYou
Debate

Suella may be a good pick. Has knowledge of the law, and at least some interest, despite being a fresh MP. Knowledge of international (US) law.

Mr David Hanson [Lab, 1992-]
TheyWorkForYou

2010 Shadow Minister at the Home Office. Experienced MP, has some knowledge/experience. Expected to be pro-authoritarian (has previously voted for ID cards, and for Data Retention)

Stuart C. McDonald [SNP, 2015-]
TheyWorkForYou

Has worked for immigration services as a Human Rights Solicitor. May be balanced in views.

Dr Andrew Murrison [Con, 2001-, voted against Iraq war]
TheyWorkForYou

Voted against Iraq war, which took balls as a Conservative. Voted for data retention but against ID cards. Not sure of views, but unlikely to be cowed by whips on moral matters.

Valerie Vaz [Lab, 2010-]
TheyWorkForYou

Has law experience. Seems not to have had an interest in surveillance etc, and has voted in line with government. Not sure why picked. Likely to follow the party line.

Matt Warman [Con, 2015-]
TheyWorkForYou

Only person nominated who has any knowledge of tech (was previously Consumer Technology Editor at The Daily Telegraph newspaper). Sits on the Science and Technology Select Committee. Probably shallow knowledge of tech.

DRIPA disapplied following judicial review

I told you so :) (see previous DRIPA commentary when I said “This bill doesn’t address the shortcomings highlighted in the ECJ ruling, and so it would inevitably be over-ruled in the future.”)

The UK High Court has just ruled that DRIPA section 1 (data retention) is inconsistent with European Law. As such, they have disapplied that section of the law – essentially making it no longer law. They have however suspended their ruling until March 2016, in order to give the UK government time to respond.

For most of those interested in the subject, this was no surprise. DRIPA was rushed through and didn’t appear to mitigate the issues that had previously caused the ECJ to rule the EU Data Retention Directive invalid/unlawful. It is a kick in the teeth to the government, and will help civil liberties campaigners who had always asserted that DRIPA shouldn’t have been rushed through the way it was.

What is of real interest now is what this means for the upcoming interception/surveillance bill, due to be introduced in Autumn 2015. This bill is aimed at updating RIPA, merging in DRIPA, and potentially (as recommended in both the RUSI and Anderson reports) simplifying the interception/surveillance laws in the UK. There was already a hard deadline for this new bill to receive royal assent – DRIPA has a sunset clause of December 2016 – and many people had already indicated that it will be a rush to get this bill through by then, given its scope. Trying to do the same before March 2016 will be a nightmare, especially given the large number of aspects where many MPs and the general public are diametrically opposed.

So, what will the government do? Firstly, I expect them to appeal – they’ve been given the right to do so, and they lose nothing by doing so. Assuming the appeal fails, they’ve a few options:

  1. DRIPA #2: Rush through a hack to fix DRIPA. In which case, will they keep the existing sunset clause, or try to extend it? Any expedited action would be very unpopular amongst MPs – even those in favour of broad interception etc powers were upset by the government’s tactics last time. Likewise, any attempt to extend the sunset clause would be very unpopular, despite that any DRIPA #2 would take up valuable time in the parliamentary calendar.
  2. Compress RIPA-replacement timescale: Rather than aiming for a December 2016 Royal Assent, they could aim for a March 2016 one. This would be feasible, but non-trivial. The committee stages would need to be greatly shortened. It would also leave the government open to procedural actions to delay progress, which could lead to them accepting pro-civil-liberties amendments. It may also require a reduction in the scope of the proposed legislation, so that it will just be a RIPA(+DRIPA) replacement, rather than also covering all other ways that interception can legally take place.
  3. Keep to existing timescale: They could just accept that all the extra data that the government wants retained under RIPA could be lost between March 2016 and Dec 2016. Note that this doesn’t mean they won’t be able to access retained data – they still can using RIPA – nor that companies won’t retain data – they still will as they may need it for their own internal use – but it will mean that companies may (or will, due to the Data Protection Act) stop retaining any extra data that the government had previously required they do. The government and intelligence services wouldn’t be happy with this, but they could quite quickly contact the telecoms providers and see what data will be lost – it may well be a manageable amount. However, it would be politically bad, as the fact that the intelligence services and police could get by without this data would help the civil liberties argument that they don’t need the data.

I honestly don’t know which of these will happen. My gut says (2), or (3) if the data lost isn’t vital.

The actual judgement states that:

The order will be that s 1 is disapplied after that date:
a) in so far as access to and use of communications data retained pursuant to a retention notice is permitted for purposes other than the prevention and detection of serious offences or the conduct of criminal prosecutions relating to such offences; and
b) in so far as access to the data is not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary for the purpose of attaining the objective pursued.

I am most certainly not a lawyer, but it seems to me that this means that DRIPA s1 could still be applied for “serious offences” if the retention notices themselves state that in order to access the data, there must be prior review by a court – i.e. a warrant or similar. DRIPA s1(4)(d) seems to allow the secretary of state to quickly update regulations (i.e. secondary legislation, which doesn’t go through parliament for debate etc) to do this as “The Secretary of State may by regulations make further provision … Such provision may… include provision about… access to… data retained by virtue of this section”

For more reading, the judgment can be found here: https://www.judiciary.gov.uk/judgments/david-davis-and-others-v-secretary-of-state-for-the-home-department/

See also the Independent Reviewer of Terrorism Legislation’s first thoughts on the matter: https://terrorismlegislationreviewer.independent.gov.uk/dripa-2014-s1-declared-unlawful/

IOCCO report on Journalist Sources

The IOCCO yesterday (Feb 4th 2015) released their report [1] on the use of RIPA by police to identify journalistic sources. I had a few thoughts I decided to put down here.

Firstly, the report seems to have been rather rigorous, with some exceptions. The conclusions seem decisive and the recommendations seem sensible. The key conclusion is that “Police forces are not randomly trawling communications data relating to journalists in order to identify their sources.”

As ever, the Interception of Communications Commissioner doesn’t pull its punches, criticising that “the majority of [RIPA] applications did not sufficiently justify the principles of necessity and proportionality” (7.15 and 7.16 of the Report[1]). This led to conclusions in 8.6 and 8.7, with recommendations in 8.9.

It will be extremely interesting to see if the government responds to these conclusions, either through Primary or Secondary legislation. I wonder if the current Counter-Terrorism and Security Bill [3] may provide an opportunity for this, although as this Government Bill is in Report stage in the Lords, and hence has almost run its course, then it is probably too late – amendments will need to be placed within the next few days.

Organisations outside of scope

It should be noted that possible users of interception warrants beyond the Police forces (see RIPA 2000 6(2)) [2] were not included, as they were out of scope of the investigation by the IOCCO. It’s very unlikely, but not impossible, that the Security Service, SIS, GCHQ, HMRC, or Defence Intelligence, or those in 6(2)(j), would be making RIPA requests which could have been related to journalistic sources.

The Interception of Communications Commissioner may consider including queries regarding journalistic sources within the scope of his annual reporting for all users of interception and communications data warrants, not just the police.

Use after interception

The report was looking for interceptions for investigations which “involve determining if a member of police force or other party have been in contact with a journalist” (Annex B pp. 41 of the Report). Paragraph 4.3 of the report shows how this was a broader remit than just looking at where communications addresses of journalists or their employers were targeted. This is to the IOCCO’s credit.

However, there is a grey area that may not have been covered. Note that it’s possible that a) I’ve misunderstood the law and there is no grey area, b) this was covered by the IOCCO investigation, or c) while the grey area exists, no use is made of it. Indeed, I think (c) to be highly likely when it relates to journalistic sources.

The grey area I refer to is what happens when information of any kind (traffic, subscriber, or service use communications data, or actual intercept) has been acquired under a valid purpose and for a valid reason, and under a valid warrant, not related to journalistic sources. But this information ended up identifying a journalistic source, by ‘accident’ or otherwise, in such a way that it would not fall within the remit of IOCCO’s request in Annex B of their report. Note: I have no reason to believe this is happening, rather this is floated as a “what if?”

I’m differentiating here between purpose (as defined in RIPA 5(3) for interception, and RIPA 22(2) for communications data) and reason. The reason is the specific reason that is entered on the warrant application, e.g. investigation of large scale drug dealing between people A and B.

The grey area relates to the exact meaning of “authorised purposes” in RIPA ss 15.

RIPA 15(3) states that data should be destroyed as soon as it is no longer needed for the authorised purposes, but nowhere is this term defined. If “authorised purposes” means purpose (as defined above), rather than reason, then data intercepted for one reason could be analysed and used for another reason, as long as the other reasons are covered by a purpose. Furthermore, no actual RIPA request is needed for this subsequent analysis. Given this, then RIPA requests which do not in any way relate to journalistic sources, could lead to subsequent analysis and use which does. Thus if the checks for journalistic privilege, or any other privilege, are done at interception rather than analysis, then these checks could be accidentally, or purposefully, circumvented.

Indeed, this has direct analogies in other areas of policing, for example police executing a search warrant for one reason may seize items unrelated to the search warrant if they have reasonable cause. [4]

This is touched upon in paragraph 6.2 of the Interception of Communications Code of Practice[5], but this is essentially just a restatement of the relevant RIPA sections. It is also touched upon in paragraph 8.7 of the IOCCO report, although the report doesn’t address when data was acquired for one reason, but analysed for another.

As an aside, while interception / communications data warrants themselves must be periodically renewed, the intercepted data itself does not need to be – i.e. the data can be retained for as long as it is needed, or “is likely to become” (RIPA 15(4)(a)) necessary, for any of the “authorised purposes”.

For an example of this grey area, let us suppose the police are investigating the leak of sensitive information to a nation state. They make a RIPA request for relevant information, which when analysed identifies the target was in contact with a journalist. The investigating police officer realises that the target was likely the source for a recent embarrassing story by the journalist. The investigation also identifies that the target was not the source of the leak to the nation state.

In the above example the link between journalist and source has been identified, and maybe could be followed up on, by the police despite that the police would not have had sufficient grounds for a RIPA request under Council of Europe Recommendation No R (2000) 7, as described in paragraph 6.41 of the IOCCO report. Furthermore, while Principle 6(b) of that document says that such journalistic source information, irrespective of the purpose (or reason, by my definition) for which it was gained, should not be used as evidence before a court, it says nothing about using the information as the foundation for investigation by the police.

The government should consider defining “authorised purposes” with respect to RIPA, and furthermore should clarify what use can be made of data which has been acquired for a specific purpose and reason.

The IOCCO may wish to consider investigating how common it is that data acquired for one reason is used for a different reason.

References

[1] IOCCO Report: http://www.iocco-uk.info/docs/IOCCO%20Communications%20Data%20Journalist%20Inquiry%20Report%204Feb15.pdf
[2] Interception Warrant users: http://www.legislation.gov.uk/ukpga/2000/23/part/I/chapter/I/crossheading/interception-warrants
[3] Counter-Terrorism and Security Bill: http://services.parliament.uk/bills/2014-15/counterterrorismandsecurity.html
[4] PACE Code B: See section 7, pp 15, for Seizure and retention of property https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/306655/2013_PACE_Code_B.pdf
[5] Interception of Communications Code of Practice: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/97956/interception-comms-code-practice.pdf

Update: Data Retention and Investigatory Powers Bill

The debate within Parliament on DRIP is now largely over, after a day in the Commons and two in the Lords. A lot of points were made over the three days, some valid, some vastly less so. It was apparent that irrespective of MP or peer views on the content of the bill, there was widespread anger about the fast track process being used. I hadn’t realised that this was far from the first such, but this seemed to be a special case as all participants recognised the sensitivity of the bill and the overall lack of trust the public has in government at the moment. After watching all three days’ debate on the subject, I thought it may be of interest to a couple of my readers (literally) if I summarised the points made over the days. I’ve italicised my own thoughts, to try to differentiate between reporting and commentary. I apologise for the length of this post – there were a lot of interesting points raised in the debates, and I thought they deserved reporting.

Key Points (aka TL;DR)

  • Widespread anger amongst debate participants about the process used by the bill, but apathy by many others
  • The sunset clause is generally acceptable, although not ideal
  • RIPA is going to be replaced, and there are assorted reports coming up over the next couple of years which will help this
  • There is a need for DRIP following the ECJ ruling, but there’s a lot of reasonable concern that this Bill may be vulnerable to some of the same issues flagged in that ruling.
  • There’s less of a need for the RIPA parts of the bill, especially being fast-tracked.
  • Many assert that Clause 5 of the bill does confer new powers, contrary to the government view.
  • It’s obvious that many MPs and Peers don’t understand RIPA etc, and even fewer have the technical competence to understand the technical aspects.
  • Typical straw men arguments were used by many bill supporters, including the government, which was frankly disgusting.
  • Overall, the government were incompetent in how they assembled and presented this bill.

 

Timing and Process

As mentioned, a significant amount of the debate covered the anger about the fast-track process, and other timing issues.

Why the delay/fast-track?

Many people asked why it’s taken around three months for the bill to come to parliament, given that the ECJ ruling was hardly a surprise. The government asserts this has been due to the time taken to evaluate the ECJ ruling, and craft a Bill which meets these needs, and that they have been in discussions with communications providers. The former seems unlikely to me, and while the latter is undoubtedly true this doesn’t fully explain the delay. Participants gave other reasons: i) a ploy by the Home Office to suppress scrutiny, ii) due to disagreement within the coalition. This latter is an interesting point, which I expect will come up during the upcoming election. Generally though, there was an understanding that the ECJ Ruling meant that the data retention clauses may need fast tracking. Some people did dissent on the other clauses of the bill though, such as the Constitution Committee report on DRIP “It is not clear why [clauses 4-5] need to be fast-tracked.” The government had asserted that this was because foreign companies, which had been helpful previously, were beginning to get nervous and require a legal shield urgently. The reason for this, and the reason for the major change from 2012 when this wasn’t a problem, was explained as being due to Snowden. That makes eminent sense to me. Overall, while I think there shouldn’t have been a need for the fast-track, or as fast a fast-track, I can understand that there is a need for urgency.

Sunset clause

The Bill contains a sunset clause for the end of 2016. There was a lot of disagreement with this debate, with amendments proposed by the Commons to make this only 6 months, and the Lords for end of 2015 – both failed/were withdrawn. The primary reasons given by the government, and others, for the end of 2016 are: a) that there are numerous reports due which would help come up with new guidance, but these aren’t due for several months, b) the legislative process for a full rewrite of RIPA (as is needed) will take 6+ months by itself, c) the upcoming general election. Taking the election period first, parliament is due to dissolve on 30th March 2015 and return some time after 7th May 2015 [10]. Obviously no legislation can be progressed while parliament is dissolved, and it was asserted that it wouldn’t be feasible for anything to be done in the first six months of the new government. Furthermore, Lord Hodgson stated that “[Political] campaigns are bound to be conducted in primary colours to gain public attention. We are balancing the difficulties of issues of privacy and national security that have nuances and require light and shade, which do not lend themselves well to the hurly-burly of a general election campaign.” I find the arguments about the general election partly fair, but I think the public deserves to be able to take into account the views of the candidates and parties on the matter of data privacy. Waiting until after the election to have these discussions is a disservice to the public. Regarding the reviews and reports, please see the “Reviews of RIPA and DRIP” section. There are indeed several reports due which may be useful, although most are due prior to mid-2015, although notably the independent RUSI report and Independent Privacy and Civil Liberties Oversight Board are due after. Mid-2016 may have been a more feasible amendment. There were a couple of requests for detailed timescales to justify the end-2016 sunset.
It would have been useful if the Home Office had drafted a rough indicative schedule in order to help explain why they had selected that date. Overall, I still don’t like the end-2016 sunset, but I had forgotten the general election was due, and so it’s barely acceptable to me now.

Reviews of RIPA and DRIP

Current/Recent Reviews

The Select Committee of Home Affairs supports the Bill, as does the Intelligence Services Committee. The ISC was informed about the Bill the day before the Home Secretary’s statement, and has discussed with the agencies. Overall, they are happy that it doesn’t “simply add to the powers” of RIPA, which would have made them uncomfortable.

Reviews in DRIP

The opposition secured two significant amendments from the government. The first (clause 6) added a 6-monthly review on DRIP by the Interception of Communications Commissioner’s Office (IOCCO). They already review RIPA (2013 report is a good read [12]) so this is a small increase in their powers, although it should be noted that the retention aspects of the Bill were not previously within their purview. The IOCCO is relatively understaffed, so I do wonder how they’ll find this additional workload. I doubt they’ll find much of note, to be honest. The second (clause 7) provides for a review of Investigatory Powers and RIPA, by the independent reviewer of terrorism legislation, David Anderson QC, to be completed before 1st May 2015 (and hence before the election). There have been several areas of concern raised about this. Regarding the clause itself, the report goes to the PM, not parliament, and the PM can choose not to report to parliament any issue that “it appears to the Prime Minister that the publication of any matter […] would be contrary to the public interest” (Bill clause 7(6)). This is weaker than only allowing the PM to hide things prejudicial to national security. As an aside, Lord Blencathra mentioned that he had already addressed 7(2)(b)-(f) when looking at the draft Communications Data Bill – it would be interesting to read his comments. Regarding David Anderson QC, there are claims that he is under-staffed as it is, and so concerns about adding to his workload. Additionally, he is possibly being replaced (or his role is being ‘developed’) by the Independent Privacy and Civil Liberties Oversight Board – what does this mean for this clause? A Joint committee of parliament will look at that report, plus the Intelligence Services Committee. I expect this joint committee to kick off the discussion on the replacement for RIPA.

Other Reviews

An Independent Privacy and Civil Liberties Oversight Board [11] is due to be set up, with legislation coming in this session (i.e. before 30th March 2015). This will be made up of four members, and will replace the role of the independent reviewer of terrorism legislation. Their first report will be due a year after being established – so likely sometime around mid-2016. Two areas of concern were flagged up in the debate. Firstly, whether the members will have sufficient access to classified material to fulfil their role. The second was that it was noted that as even the Intelligence Services Committee apparently didn’t know about the GCHQ Tempora project, it’s unlikely the Oversight Board would be able to fulfil their role. I do have my concerns on this likewise. The Labour opposition have asserted that they want to do the following:-

  • Strengthen the ISC and have an Opposition Chair (i.e. make the chair of the ISC a member of the opposition, rather than the government)
  • Overhaul of commissioners – there are too many and the reports they produce are not public facing
  • Change the focus of the commissioners, often they are limited to assessing compliance of existing legislation vs looking at whether legislation is still appropriate/effective

Royal United Services Institute (RUSI) are conducting an independent surveillance panel [14] which will extend beyond the 2015 general election.

ECJ Ruling

The need for the ECJ rules comes from the confluence of two things. Firstly, the ECJ ruling that the EU Data Retention Directive was unlawful. This then left the UK implementation of that directive in danger, as it was not implemented as primary legislation. The second is the Data Protection Act, which requires companies to delete customer data as soon as it is no longer needed. If the UK retention laws were overruled, then companies would be legally required to delete any data they had retained under the UK law, which they themselves did not need to retain. There is a judicial review which asserts the unlawfulness of UK data retention legislation, which has been stayed while the ECJ ruled. This is due to report very soon, and I wonder if the government had strong suspicions that the review would conclude that it was unlawful, hence the need for the Bill. The Constitution Committee has reported that they believe the UK regulations now lack legal authority[1]. The Home Office had previously told companies to ignore the ECJ ruling, as the law remained in the UK. This was widely seen as a stopgap. The government has asserted that DRIP, together with already existing laws, meet the key issues identified by the ECJ. There was a lot of concern during the debate that this is not the case, for example while variable retention terms are added, as per the ECJ ruling, neither DRIP nor the regulations provide objective measures for determining what retention term to use. Some MPs and peers believe there are other issues not addressed. David Davis (Con): “While the Bill may be law by the end of the week, it may be junk by the end of the year.” The question of whether the new law will be safe is still not decided. The Joint Committee on Human Rights has asked for the government to publish an analysis of the ECJ ruling and how the proposed UK legislation matches up, but this has not been done. Publishing such an analysis would be useful in working out how safe the law is.

RIPA

Extra-territoriality

Unlike the retention aspect of the bill, there was less evidence that the RIPA extra-territoriality terms needed to be fast-tracked. The Constitution Committee said they didn’t understand why these needed to be fast-tracked [1]. The government asserted several times that companies had previously been friendly and complied, on an extra-territorial basis, with exceptions, but that recently companies who were previously compliant were requesting legal cover. No reason for this was given initially, however eventually the government asserted that this is since Snowden. However, while the magnitude of the problem may have grown recently, this was not a new problem – Lord Davies: “The Joint Committee on the Draft Communications Data Bill noted in its report (published in December 2012) that ‘many overseas CSPs [communication service providers] refuse to acknowledge the extraterritorial application of RIPA’.” The question remains therefore why this needed to be fast-tracked now, some 7+ months later, rather than addressed during what many debaters asserted was a light legislation session. As for whether extra-territoriality is new, Jack Straw (one of the RIPA architects) confirmed that the initial intent of RIPA had included extra-territoriality. Therefore government assertions that clause 4 of the Bill doesn’t add any new powers are possibly true, or at least in accordance with the initial intent. A concern was raised that this reading of RIPA didn’t tally with what other people thought, and that such a reading of RIPA was a ‘secret’. I’m not convinced by this, but do agree that there is confusion due to the purposefully complex construction of the law. However, extra-territoriality isn’t the only modification to RIPA in the Bill. Clause 5 modifies the description of a “telecommunications service” in an extremely broad way.
It was stated that Liberty, the lawyer Graham Smith, and others believe that Clause 5 does confer new powers – rubbishing the government’s assertion that nothing in the Bill does so. This point was only concretely discussed by the Lords – I believe the Commons somewhat missed this. An unanswered question raised in both houses was what to do if companies say no. There was some government handwaving, but no real answer given. Finally, and not in the bill itself, the government has asserted that they will assign a Senior Diplomat to look at bi/multi-lateral agreements to cover extra-territoriality, such as the Mutual Legal Assistance Treaty (MLAT) with the US. For example, “mutual recognition of national warrants”. This does make me somewhat nervous, as the US courts are not renowned for the quality of their jurisprudence in national security matters.

What is “National Security”?

While people were generally happy about the attempt to limit RIPA use for ‘economic’ purposes to only apply to national security aspects of the economy, there was still the question of what is “national security” in this area. Katy Clark (Lab) asked, for example, whether this could be used “in a situation such as the miners’ strike of 1984-85?” There was reassurance from the government that such was certainly not the intention.

Replacement of RIPA

Clause 7 has been added to support an investigation of RIPA, and there seems to be cross-party agreement that RIPA needs replacement. I’m pretty confident that this is going to happen in the next parliament – it’ll be interesting to see what happens. In the interim, there has been much discussion about the number of bodies which can issue RIPA requests. It turns out only 13 are being removed.

Snowden

Snowden was mentioned several times, and generally when discussing several different points. Firstly, his releases were used as one of the explanations for why the public no longer trust the intelligence services and government oversight. Secondly, there was discussion about how these were handled differently in the US versus the UK. Attention was drawn to the generally lackluster reception in the UK parliament, and minimal discussion that has occurred. The proposed Independent Privacy and Civil Liberties Oversight Board was seen as one way to address this, largely aping the US equivalent set up several months ago. Thirdly, and related to the first point, there is concern over future oversight. Generally people think that GCHQ have behaved legally, although on the border of law, and that the complexity of RIPA has meant that many, including MPs and peers, didn’t fully understand what was allowed. There was concern that the government has had private or secret interpretations of RIPA, which has allowed justification of behaviour contrary to the understanding of many – for example the ‘external’ aspect of RIPA. I was generally not surprised about the interception/‘external’ aspects of RIPA – I had read it in some depth – and in fact I was rather surprised that so few other people had. However, I’ve long had concerns about oversight, RIPA as it applies beyond the intelligence services, and several other related areas. Overall, if Snowden has made a few people open their eyes, then good.

Lords vs Commons

It was interesting seeing the difference between the debates in the Commons and Lords. I found the Lords debate much more fact based, however that could be due to the abridged nature of the debates – several of the reports referenced in the Lords were only published after the Commons had concluded their debate. The Lords also ranged somewhat more widely in their discussion, looking beyond just this immediate Bill and a bit of RIPA. This included consideration of Extraordinary Rendition, and wider security matters. The turnout for both was relatively poor, albeit no worse than many other debates. It’s possible that as this was a party vote, and so was inevitably going to pass, many couldn’t be bothered. It’s also possible that some didn’t want this around their necks for the general election. Overall, I was slightly underwhelmed by both debates, and especially that in the Commons. That said, the debate over the next 30 months(!) on the replacement for RIPA is likely to be much hotter – there are definitely strongly held opinions and this is just an early battle in a much larger war.

Other Points

Differentiation between types of data and aspects of RIPA etc

There appeared to be a lot of confusion in the debates between retention, acquisition, and interception, plus confusion between communications data and relevant communications data. For example Alan Johnson defended RIPA as being not intrusive by comparing the 221,000 postal items opened in 1969 with the only 2,670 intercept warrants in 2013. However he failed to note the 514,000 RIPA authorisations and notices which were also made. I’m going to assume Mr Johnson just made an error, rather than actively trying to mislead. The debate highlighted the unnecessary complexity and confusion inherent in DRIP, RIPA, and similar.

Need for retention

Several different statistics were provided to highlight why retention and RIPA were needed. According to the CPA, “Communications data is used in 95% of Serious and Organised Crime”, however no information was given about the types of data, or types of RIPA request – there’s a big difference between a request for subscriber information and full interception, not least that the latter requires a warrant from a Secretary of State. Several concrete examples were given for why data should be retained, however it was interesting that all those given only needed twenty-four hours of data at most – something which no MP flagged up. There was however an assertion that almost 50% of communications data used in child abuse cases are more than six months old. It’s unknown whether this referred to “communications data” or “relevant communications data”.

Communications Data Bill

Several references were made to the Communications Data Bill (aka snooper’s charter). Generally this appeared to be by fans of that Bill, who were attempting to tie the need for this Bill to the Lib Dems blocking that Bill. There was furthermore an assertion that the unpublished draft of that bill is no longer a snooper’s charter.

Secondary legislation (Regulations)

Clause 1(3) of the bill allows for Regulations to be written, which are available in draft form [4]. There are questions about when these will actually go before parliament, as they are necessary – no schedule has been given. The clause has also been flagged up as having problems by the Constitution Committee (that while it gives power to make regulations, there’s no requirement to do so) [1] and the Delegated Powers and Regulatory Reform Committee (that the powers aren’t restricted) [2]. I’m not sure I agree with this latter, as I thought 1(4) restricted the powers, but it depends very much on what “may” means.

The Public

It seemed to me that MPs and peers don’t have a great handle on what the public think of the Bill or RIPA. Some debaters asserted that lots of people cared and knew about RIPA/DRIP, others asserted that very few people knew. Personally I think that a lot of people care, but very few really know, largely due to the opaque way such legislation occurs. Quoting Baroness Kennedy (Lab): “We should always remember that it is the practice of those who draft legislation about the functions of the security services to make it as complex and impenetrable as possible, and that is what this legislation is—obscurantist lawmaking at its height.” Additionally, few people are interested enough to do much research; I find I agree with Hazel Blears: “[the IOCCO] report has probably been read by perhaps a handful of people in this country.” Generally there was agreement amongst many that it is important to get the public on side, to have a public debate, and to build trust.

Transparency

Dr Julian Huppert (LD) raised two amendments, which were both withdrawn in the interests of time, knowing that neither would pass. I thought both of these were excellent amendments. The first amendment proposed to require collection of data on RIPA etc requests, to provide better analysis. The government asserted that they are already going to be doing annual transparency reviews, and will look at amending the code of practice on acquisition and disclosure of Communications data later this year. Personally I’d have been happier if there was a statutory requirement rather than the government just saying “trust us”. The second amendment was to allow companies to report statistics on the number of RIPA requests received – to allow companies to provide their own transparency notices annually. The government completely disagrees, and reasserted that doing so would count as tipping off. They further asserted that it is the place of the IOCCO to report [12] on the number of requests received. While the IOCCO report is excellent, I think that statistical information cannot be too dangerous, especially when appropriately bucketed. Furthermore, the IOCCO do not report on the number, size, or duration, of retention requests – although maybe they will do so in the future.

Private Companies

Several individuals referred to how much data private companies hold, and yet the public has no worries, whereas the government has strict rules. There was definitely an appetite to include private data in some form of future legislation. It appears to me though that there is a big difference here – I can choose which companies I work with, whereas I cannot opt-out of having RIPA requests served against my data. There was also no discussion whatsoever on the impact of RIPA on private companies – RIPA results in vast numbers of disparate requests from a number of organisations, some of whom won’t be especially familiar with the technologies being requested. I think that will need to be addressed in future legislation, possibly with a central clearing house for authorities/agencies who are less familiar with both the legislation and the companies themselves.

Technical Competence

It was obvious that the level of technical/IT competence of many in both houses was seriously lacking. Indeed, Baroness Lane Fox (of lastminute.com fame) said as such. What terrified me most though was that some seemed to have just enough knowledge (or briefing) to be dangerous in their incompetence – Helen Goodman (Lab) (see Straw Men, below) is the perfect example of this.

Straw Men

The debate was full of straw men arguments, especially on the government side/pro-Bill side. This is no surprise, however it was somewhat disappointing nonetheless. Still, a number of MPs and peers were cognizant of this and called it out. I must take a moment however to pour out my scorn for Helen Goodman (Lab). She represented the worst of someone briefed with just enough knowledge to be dangerous, who also seemed to believe in a binary straw-man world. I highly recommend you read her diatribe in Hansard, but be careful of spit-takes…

Other

There were a small number of Anti-EU/EHRC debaters. It appeared the government barely, if at all, consulted with the devolved administrations. Many supporters of the Bill seemed to imply that what the police and intelligence agencies ask for, they should get, which is rather scary. Lord Hodgson (Con) captured this rather well when he said “The bottom line is that the security services and the police have told us that they need this Bill. They deserve our support because they work long hours unsung on our behalf to keep us safe. Therefore, this is a Bill they must have.” I’m hoping he was just referring to the government position.

References

Bill and Reports

  1. Constitution Committee report on DRIP
  2. Delegated Powers and Regulatory Reform Committee report on DRIP
  3. Latest DRIP Bill (approved by House of Lords)
  4. Draft Regulations under DRIP

Hansard (Debates)

  5. Commons Business
  6. Commons Second Reading
  7. Commons Committee stage
  8. Lords Second Reading
  9. Lords Committee stage

Other

  10. General Election Timetable
  11. Independent Privacy and Civil Liberties Oversight Board Terms of Reference
  12. Interception of Communications Commissioner’s Office 2013 Report
  13. Independent Reviewer of Terrorism Legislation David Anderson QC
  14. RUSI Independent Surveillance Review Panel