UK Constitutional Law Association

affiliated to the International Association of Constitutional Law

Tom Hickman: The Investigatory Powers Bill: What’s Hot and What’s Not?

Tom Hickman

Editors’ Note: This unusually long post addresses an abnormally large bill on an exceptionally important topic. We hope readers will appreciate the reasons for departing from our normal practice regarding length, particularly in light of its quality.

Introduction

The Investigatory Powers Bill will completely update and bring welcome transparency to UK law relating to obtaining information about people’s communications and internet activity. But the intrusive powers that Parliament is being asked to endorse are mindboggling.

The Bill has two primary objectives.

(a) Transparency and democratic licence to operate

First, the Bill purports to set out openly the powers that are claimed (and in practice used) by the law enforcement and intelligence agencies under a variety of complex and sometimes obscure statutory provisions.

A snowball of disclosures, triggered by the Snowden revelations, has revealed a huge range of powers exercised by the police and intelligence agencies:

  • The Snowden disclosures brought to public attention the extent to which bulk interception capability is used to hoover up, in bulk, internet data that passes along transatlantic cables, the controls on examination of which have been contained primarily in internal practices and policy documents.
  • Snowden also drew attention to the scope of GCHQ’s computer and telecoms systems hacking powers, which have previously existed in the Intelligence Services Act 1994 (“ISA 1994”) without any public statement or Code of Practice to indicate how such powers are used, even in broad terms.
  • The Intelligence and Security Committee (“ISC”) made the remarkable disclosure in its March 2015 Privacy and Security Report (“ISC Report”) that targeted interception warrants have been sought and issued on a “thematic” basis.
  • Government avowals and documents published with the Bill have made further revelations. Most significantly, they reveal that GCHQ and MI5 have been acquiring communications data (i.e. non-content data) in bulk from telecoms companies, as well as acquiring in bulk “personal data sets” on citizens, the vast majority of whom are, of course, of no interest to the services. Neither power has been subject to any Code or published guidance.

The status quo became untenable following three critical reports this year.

In March 2015, the ISC expressed “serious concerns about the … lack of transparency, which is not in the public interest.”

David Anderson QC pulled fewer punches in the conclusion of his review in June, stating that RIPA is “incomprehensible” and referring to a multitude of alternative powers, some of them without statutory safeguards: “This state of affairs is undemocratic, unnecessary and – in the long run – intolerable.”

The denouement was supplied by a Royal United Services Institute (“RUSI”) report, compiled by a committee including three former intelligence agency chiefs and published in July. It said that a “clear and transparent new legal framework” is needed to form “the basis for a public discussion about the appropriate and constrained power the British state should have to intrude into the lives of its citizens.”

The Bill’s first purpose is therefore far more important than merely reorganising the legislative arrangements. By making clear for the first time the true powers claimed by the law enforcement and intelligence agencies (at least in broad terms) the Bill seeks a clear democratic mandate for such powers; in the words of the RUSI panel, a “democratic licence to operate” that was previously lacking.

(b) Enhanced protections

The second principal objective of the Bill is to increase safeguards for the various powers. Generally speaking, the Bill does not seek to limit the intrusive powers of law enforcement and intelligence agencies but does enhance and extend the warrant regime and give statutory force to certain conditions on the exercise of such powers. The main change is the establishment of Judicial Commissioners (“JCs”) who will have to approve warrants before they take effect, the so-called “double-lock”.

The “double lock”

The Bill continues the tradition of warrants being issued by the Secretary of State, but it will require that JCs “review” the Secretary of State’s “conclusions” as to:

  • Whether the warrant is necessary for the purpose of national security, preventing or detecting serious crime or in the interests of the economic wellbeing of the UK so far as they are also relevant to national security; and
  • Whether the conduct authorised is proportionate to what is sought to be achieved.

It also states that the JC must apply the same principles as would be applied by a court on an application for judicial review (eg cl. 19).

David Anderson QC recommended that JCs replace the Secretaries of State, drawing the law into line with approvals for police property interference, intrusive surveillance and long-term undercover operations, which require Commissioner approval (these, RIPA Part 2 powers, are not touched by the present reforms). Even so, David Anderson QC would have maintained a role for Secretaries of State in certifying the necessity for warrants in foreign policy and defence cases. The RUSI panel took a similar approach, recommending that judges should authorise warrants in police cases and they should have a judicial review role in national security cases.

The Bill retains the responsibility of the Secretary of State for the decision to grant a warrant in all cases, but a JC will now ensure that a warrant is lawful. Whilst controversial, the approach is justifiable.

Granting warrants can involve political considerations and risks that are appropriate for the Secretaries of State to consider, particularly in cases touching on foreign policy, high profile individuals (tapping of foreign diplomatic phones, to give one example), and in other sensitive cases. Admittedly wider considerations are less prevalent, but not necessarily absent, outside the national security and foreign policy arena and here the case is stronger for placing approval solely in the hands of judges.

The fact that warrant requests go through the Secretary of State’s office and must be signed off by the Secretary of State personally also imposes a discipline and instils a caution on the part of public officials answerable to the Minister, which is not always present with a judge. Indeed, a real problem with putting decisions in the hands of judges is that it off-loads responsibility from the shoulders of public officials and tempts them to adopt an attitude of ‘if it’s good enough for the judge it’s good enough for me’. Since judges inevitably pay considerable deference to public officials, this can lead to a protection gap.

The objection that some have already raised about the double lock is that it will engender greater deference on the part of the JCs. However, the fact that the JCs will be mandated to apply judicial review principles does not mean that they will apply a Wednesbury review. It is trite law that in human rights cases courts will decide for themselves whether a measure is necessary and proportionate and these are the judicial review principles that judges will surely adopt (e.g. Miss Behavin’ Ltd [2007] 1 WLR 1420).

Whilst the reference to judicial review principles is thus unfortunate in terms of clarity, upon analysis it should not be of significance in substance. Much more important for enhancing judicial scrutiny is tightening the objectives for which warrants can be issued and requiring greater specificity as to the proposed use of material obtained under the warrant.

What may turn out to be the most important consequence of the introduction of JCs into the process is that it will reinforce the duty on public officials to provide full and frank disclosure of material and arguments that would have been raised by the affected individuals had they known about the warrant application. This is a duty, recently recognised in TPIM cases (CC & CF [2014] 1 WLR 4240), which arises from the ex parte nature of applications to a judge and goes beyond the ordinary duty of candour in public law cases. It will now impose an important additional protection where warrants are sought.

A further question is whether, as David Pannick QC suggested in his Times column recently (‘Safeguards provide a fair balance on surveillance powers’ The Times (12 Nov 2015)), there is a role for special advocates. Counsel performing a special advocate function (or perhaps more appropriately, a role as amicus or counsel to the JC) would surely be valuable in difficult or unusual cases, although their use in every case may be impractical. This would be a valuable addition to the Bill.

Thematic warrants

RIPA provides very clearly that domestic interception warrants are to be targeted at “one person as the interception subject” or “a single set of premises” (s.8(1)(a)). Despite this, the ISC revealed that MI5 has in fact been obtaining what are called “thematic warrants” which relate to “any organisation, association or combination of persons”. This surprising approach derives from the very broad definition given to the word “person” set out at the back of the Act.

If this was Parliament’s intention, then it cuts across deeply entrenched principles of the common law. A foundational series of eighteenth-century cases established that the use of “general warrants”, which permitted arrest and search and seizure in respect of classes of individuals, usually the “authors, printers and publishers” of a named periodical, was unconstitutional. Henceforth, the need to identify suspects or specific property was a basic touchstone of the warrant system. The offensiveness of general warrants is that they delegate to those executing the warrants authority to determine the strength of evidence against individuals and thus whether they are subject to the coercive authority of the warrant or not. As Lord Mansfield stated in Leach v Money: “It is not fit, that the receiving or judging of the information should be left to the discretion of the officer. The magistrate ought to judge…” (IXX St Tr 1021, at 1027).

The Grand Chamber in the very recent judgment in Zakharov v Russia (47143/06), 4 December 2015, made clear that this approach is also required by the ECHR: “the interception authorisation, … must clearly identify a specific person …or single set of premises” (at [260], [264]).

Worryingly, the Interception of Communications Commissioner’s Office said in evidence to the ISC that it felt that the use of thematic warrants had been abused, although it did not seem to doubt their legality.

Regrettably, cl.13(2) of the Bill follows MI5’s practice, allowing a warrant to be obtained in respect of, “A group of persons who share a common purpose or who carry on, or may carry on, a particular activity”. Since it does not require such individuals to be named (or even known) this is equivalent to the general warrants outlawed 250 years ago. A so-called targeted warrant could therefore be granted for all persons who are believed to support ISIL as they “share a common purpose”. Or it could be granted for persons who may wish to conduct a terrorist attack in London, since such persons may carry on a particular activity, or in respect of attendees at a meeting, demonstration or summit.

It is also unclear whether the reference to “group” means an existing association of persons or not, and if so how close that association should be (should they all know each other or be in contact now or in the future?).

Targeted warrants are at the heart of the interception regime, and yet here we find not only a loosening of the core requirement for due cause against specified persons, but a clause drafted in such a way as to be unacceptably vague. This issue deserves to generate a good deal of heat in Parliament.

Bulk interception warrants

The breadth of the power to grant non-targeted interception warrants for the purpose of intercepting “external” communications only became apparent in 2014 during the IPT proceedings brought by several NGOs against the Government, following Snowden’s disclosures. The case drew attention to three features of the power:

  • First, the Government understands interactions with foreign internet servers to be external communications and thus capable of being the target of such warrants. In evidence in the IPT proceedings, the Government described how a person’s interactions with services such as Twitter, Facebook and Google pages hosted on US servers are regarded as external communications and obtaining such data can thus be amongst the purposes of a bulk interception warrant.
  • Second, bulk interception warrants are effected by tapping fibre optic cables, and since a huge amount of domestic internet traffic (such as UK-UK emails) is routed via the US, such data are regarded as fair game as a necessary incident of the power.
  • Thirdly, the growth in the amount of communications data available on individuals has meant that it is this, rather than the content of communications, which is the principal object of interest of the intelligence services. The extra safeguards in RIPA for bulk interception, namely that where a person of interest is based in the UK a targeted warrant must be obtained, only apply to content data: there is no equivalent statutory protection for non-content data about persons in the British Isles (the Bill is the same: cl. 119(1)(c), (4)).

The consequence is that under the bulk collection power the intelligence services have been obtaining huge amounts of very revealing data about persons in the UK which can be accessed for the general statutory purposes of national security and fighting serious crime. This very broad power is continued in the Bill.

Cl. 111(3) of the Bill provides that: “A bulk interception warrant must specify the operational purposes for which any intercepted material or related communications data obtained under the warrant may be selected for examination.” In a step in the right direction, the Bill states that it is not sufficient to simply specify “national security” or “serious crime”, but it adds that, “the purposes may still be general purposes” (cl.111(4)). Therefore the Bill would still authorise interception and examination of data for very general purposes such as tackling the ISIS threat or drug-trafficking, which provides some, but not enough, control on its use.

There is a big question as to whether Parliament should insist on this jack being put back in its box. But if it does not, it should at least insist on, (a) tighter protections for persons in the UK particularly in relation to use of communications data, (b) requiring warrants to be more narrowly focused as to their purpose and permitted search criteria, and (c) bringing extra safeguards on record-keeping and destruction from internal policy to legislation or at least Code.

Communications data

It is now becoming widely accepted that, when aggregated, communications data are more revealing and intrusive than content data – identifying a person’s contacts and associations, websites visited (up to the first slash), providing information about habits and preferences and even tracking a person’s movements. Yet the massive demand from police and intelligence agencies for rapid and large-scale access to such data may make the imposition of equivalent safeguards to content data politically unfeasible, however desirable in principle.

The headline points under the Bill are these:

  • First, there is a change to the meaning of communications data. This would now include any data “which identifies or describes an event (whether or not by reference to its location)” or information which is about “an entity”. Events data and entity data can be data derived from content although cannot disclose its meaning (cl. 193(1)-(6)). Presumably, this would mean that voice or other identity recognition traces that can be derived from a communication are not protected as content data. (Could data recognition software be run on internet communications without “intercepting” content data?)
  • Second, obtaining communications data would remain largely – but no longer exclusively – outside the warrant regime. The requirement for a designated senior officer who approves such requests to be independent of the investigation would be given statutory force (cl. 47(1)) as well as a requirement for consultation with a Single Point of Contact, a specially trained person within a public body who essentially acts as a compliance officer (cl. 60). Both are welcome changes. However, Parliament will need to consider whether this should be taken further, for example by requiring or empowering Single Points of Contact to make references to JCs or, as indicated by the CJEU in Digital Rights Ireland, requiring institutionally independent authorisation.

Attention is also likely to be focused on the new additional protection for journalistic material, requiring approval by a JC if the “purpose” is to identify a source (cl. 61). The focus on purpose and intentions is not however sufficiently protective – obtaining data from a journalist, who may routinely interact with sources, who will very likely be identifiable, should itself require judicial approval. Likewise, obtaining data about members of Parliament, doctors, lawyers and ministers of religion would justify similar protection given the potential sensitivity of their contacts. Enhanced protection could also be given to other forms of communications data, such as movement information.

Bulk collection of communications data

The biggest revelation (made in information supplied with the Bill) is that MI5 and GCHQ have been using a very generally worded power contained in s.94 of the Telecommunications Act 1994 (“TA 1984”) to “give …directions of a general character” to telecommunications companies, in order to obtain communications data in bulk from such companies, scooping up vast amounts of data on persons both outside and also inside the British Isles.

The Bill would abolish s.94 and require a proper legal basis under the warrant regime for this power. But in common with bulk interception warrants, examination of the data would be permitted as long as it is “for the specified purpose” (cl. 132(1)) and the purposes for which the warrant could be granted could be very general purposes, such as the fight against drug trafficking, child exploitation or ISIS (cl. 125).

This is surely the hottest issue in the new Bill. The breadth of the power, allowing the intelligence services to search within very broad search parameters the communications data of everyone in the UK is breathtaking. The fact that a JC would be required to approve a bulk warrant provides little comfort.

Non-statutory “arrangements” for the acquisition of bulk communications data under s.94 have now been published which refer to a “strict authorisation process” for accessing the data. But there is no requirement for operational independence in approvals, still less is such a safeguard proposed to be given the force of law. Since requests for communications data by other public bodies can be made in broad terms, it is difficult to see that there is a compelling justification for exempting the intelligence services from the communications data authorisation regime.

Internet Connection Records (“ICR”)

ICR are data that identify when a device used an internet service or visited a webpage (up to the first slash).

Prior to publication of the Bill, many would have regarded the requirement for telecoms companies to retain ICR for 12 months as likely to be one of the hottest issues (despite being less than the 2 years permitted by the defunct Data Retention Directive). David Anderson QC was not satisfied that he had seen enough to justify it, and insisted that a detailed operational case be supplied.

The intrusiveness of this power is however overshadowed by other powers in the Bill. Indeed, the intelligence services would, it seems, obtain ICR in bulk before they are destroyed by telecommunications companies under the bulk acquisition capability described above (although the point is not clear: apparently ICR are not currently obtained under s.94 of the TA 1994). The retention power seems to be principally intended to assist the police to investigate and gather evidence of serious crime.

According to the operational case, there are three problems that the power to require retention of ICR is intended to address, each arising where there is a “known suspect”.

The first arises where the police know that a message has been sent to a criminal by an accomplice or where they know someone has, for example, participated in an online chat room for nefarious purposes. They have a suspect, but they don’t know his or her identity. A message sent by a WhatsApp account, for instance, may be in a false name. Although the authorities can seek information from the webpage or messaging service provider, such efforts, for a variety of reasons, are often not fruitful.

The Counter Terrorism Crime and Security Act 2015 introduced a power to require telecommunications companies to retain data necessary to resolve IP addresses to trace web usage, but if a device was sharing an IP address at the relevant time, as mobile phones in particular often do, this does not provide evidence to identify an individual. The Bill would take this further to retention of records of which webpages (up to the first slash), apps and services a device has accessed. This is evidence which is already in principle obtainable, but in practice is not retained by telecommunications companies.

The second and third problems identified by the operational case relate to a situation where a suspect is known and the police want to know which internet messaging service he or she has used in order to try and find out with whom they have been in contact. But this is controversial not least because in such a scenario an interception warrant could be obtained in respect of the suspect (which would now require JC approval) to look at contemporaneous and stored messages and associated communications data (interception, counter-intuitively, has always included looking at stored messages).

One of the dangers of enabling access to ICR is that it could allow authorities to identify suspect web-browsing patterns, perhaps in combination with other communications data, in order to identify suspect categories of person (internet records include information about the “pattern” of communications). This is different from using such data to identify known (but unidentified) suspects or for identifying the contacts of known suspects.

These provisions deserve close scrutiny, and a tightening of the legislation is warranted, in particular to ensure that the data made available are not used beyond the operational cases articulated, i.e. in respect of known (even if unidentified) persons suspected of committing serious crimes, rather than for tracing suspicious activity in a search for suspects.

Bulk personal datasets

The obtaining and use of “personal datasets” by the intelligence services was unknown until March this year, when the Prime Minister gave the Interception Commissioner oversight of the practice. Dubiously justified by reference only to the agencies’ general statutory competences, the Bill would now give an express statutory basis for the power.

Personal datasets are records held on individuals, ranging from driving licence records to the electoral roll. As the Bill candidly records, “the nature of the set is such that it is likely that the majority of the individuals are not, and are unlikely to become, of interest to the intelligence service” (cl. 150(1)(b)). But it is far from clear from the Bill’s documents how far this extends – medical records? Immigration histories? Tax returns? Court records? – and what about privately generated data sets such as company employee records or bank account details?

It is proposed that obtaining and use of personal datasets will be authorised by warrant in bulk by reference to a “class” of such data sets (cl. 153). These can be added to by specific personal data set warrants (cl. 154).

But class authorisation is inadequate. It is difficult to understand why the datasets cannot be listed expressly in any warrants so that there is clear judicial sight of what data sets are being held and used. If there is to be proper democratic licence for these activities, there needs, at a minimum, to be greater visibility as to the breadth of the power, and full judicial approval.

Furthermore, the vague internal “arrangements” (now published) for use of such data sets leave much to be desired, e.g.:

  • “Individuals must only access information within a bulk personal dataset if it is necessary for the performance of one of the statutory functions of the relevant Intelligence Service” – But everything an intelligence officer does is in furtherance of the fight against serious crime or the protection of national security.
  • “Data containing sensitive personal data (as defined in section 2 of the DPA) may be subject to further restrictions….”. Or, they may not.
  • “Working practice seeks to minimise the number of results which are presented to analysts by framing queries in a proportionate way, although this varies in practice …”.

Much tighter restrictions, set out in statute, should be introduced.

Equipment interference (hacking)

It is no doubt necessary for intelligence services to have the capability to hack into computers, telecommunications systems and smart phones, just as it is necessary for them to break and enter, burgle and bug. But such powers are extremely intrusive, potentially much more intrusive than interception of communications.

In theory, such capabilities would enable (amongst other things):

  • Computers and smart phones to be remotely controlled by the intelligence services to be used as a listening device or to take photographs or videos or to track individuals and their contacts.
  • The authorities to gain access to documents stored on devices and servers that have not been communicated to others.
  • Access to communications of persons targeted at demonstrations, sports or entertainment events, or even in relation to large areas of territory (such as the alleged hack into Cisco systems’ Pakistan server to obtain intelligence on jihadists in the region).
  • Exploitation of emerging technologies such as the use of smart watches that monitor heart rates and breathing patterns, the “internet of things” which connects myriad devices such as cars, household appliances, domestic security systems, etc, all of which provide new opportunities for data gathering. This possibility is intriguingly raised in the documents accompanying the Bill, no doubt to head-off any argument a few years hence that the potential breadth of this power was not anticipated.

The use of equipment interference powers was only publicly avowed in February 2015, when a draft Code of Practice was hurriedly introduced in an attempt to shore up the power under the ISA 1994 s.5 (property and wireless telegraphy interference warrants), the scope and use of which has always been obscure.

In the Bill warrants are divided between “targeted” and “bulk”. Targeted warrants include thematic warrants in a similar manner to interception warrants and invoke similarly general and vague language, attracting the same concerns. The Bill would also allow warrants to be issued in relation to equipment “in a particular location”, which also admits of a very broad interpretation and which requires only the general location to be described, not the equipment (cl. 83, 93).

The authority for bulk equipment interference is novel. Section 5 of the ISA 1994 refers to warrants in relation to “specified” property or wireless telegraphy. The new Code of Practice also refers to the so-called James Bond power contained in s.7 of the ISA 1994 by which the Foreign Secretary can authorise GCHQ or MI6 to carry out otherwise unlawful acts abroad (or, by an amendment to the power, acts which are intended to have effects on apparatus situated abroad).

This power to do unlawful acts, which is obviously not limited to equipment interference (hence why it is called the James Bond Power, Bond being known for karate chopping rather than hacking), is perhaps the most secretive of all of the intelligence services’ powers, with all queries about use of s. 7 having historically been met with an NCND response. It is under this power that bulk authorisations for equipment interference in respect of persons abroad have hitherto been given.

The explicit new power is thus an extremely hot issue indeed. The very broad nature of both targeted and bulk warrants has already been commented on and, given the particular intrusiveness of hacking capability, is a cause of real concern. (It is also unclear precisely what remains of s.5 of the ISA 1994, which is not set to be repealed and continues to apply to wireless telegraphy and physical property interference).

Conclusion

Overall, and despite a number of concerns raised in this blog, the Bill must be welcomed.

There can be no doubt that it is an advance in terms of transparency of surveillance powers and it will bring capabilities such as bulk interception, equipment interference and use of datasets out into the open (at least, in general) and subject them to a clear(ish) legal framework. There is also no doubt that the safeguards have been tightened up, not least through the introduction of JCs.

The number and complexity of the issues is however daunting: this blog has merely sought to highlight some of the hottest of the hotspots. There are many other issues – technical capability notices, data sharing, urgent warrants, modifying warrants, filtering, the IPT, to name but a few – all of which are also of very considerable importance. There is plenty to keep Parliamentarians, lobbyists and academics extremely busy over the festive season.

Tom Hickman is a Reader in Law, University College London and Barrister at Blackstone Chambers.

(Suggested citation: T. Hickman, ‘The Investigatory Powers Bill: What’s Hot and What’s Not?’ U.K. Const. L. Blog (11th Dec 2015) (available at https://ukconstitutionallaw.org/))
