UCL Journal of Law and Jurisprudence Blog

Archive for December, 2016

The Investigatory Powers Act and International Law: Part I

By ucqhiry, on 26 December 2016

Author: Asaf Lubin (JSD candidate, Yale Law School and Robert L. Bernstein International Human Rights Fellow with Privacy International)

Christmas came early for the UK Government Communications Headquarters (GCHQ). Wrapped in a red ribbon and sparkling with parcel lights, Parliament handed the signal intelligence agency a gift, the Investigatory Powers Act (IPA), providing it with a statutory authorization to engage in bulk interception and retention of electronic communications’ metadata and content, both within and outside the United Kingdom. Like last-minute shoppers running up and down the cramped stores of Oxford Street, so were the Lords in a hurry to complete the IPA’s legislative process before the new year, when the sun was to set on the previous legislation, the Regulation of Investigatory Powers Act (RIPA, 2000).

Since the IPA received royal assent and became an official Act on November 29th 2016, the legal blogosphere and general media have been buzzing over this measure and its implications (see for example: here, here, here, here, and here). Particular attention has been given to the new law’s data retention provisions, which were struck down by the European Court of Justice earlier this week, forcing an impending legal headache for legislators. Nonetheless, a number of the Act’s most troubling features have not been sufficiently reviewed from the perspective of their compatibility with the United Kingdom’s broader international obligations. As we say Rest In Peace to RIPA and usher in a new age of legalized governmental mass surveillance, the following two blog posts will take a step back and examine the new Act’s compatibility with international human rights law (IHRL) as well as its impact on the ongoing evolution of the international law of espionage.

Within the limits of this blog post I will focus on the following four elements of the Act: (a) Thematic Warrants and Lack of Reasonable Suspicion; (b) Foreign Mass Surveillance and Hacking Powers; (c) Standards on Encryption and Direct Access; and (d) Reporting, Notification Requirements, and Gag Orders.

What’s in Santa’s Stocking? GCHQ’s new surveillance powers and their compatibility with IHRL

a. Thematic Warrants and Lack of Reasonable Suspicion

While disguised as targeted surveillance, the IPA seeks to introduce into law “thematic warrants”. These warrants delegate to the police or intelligence agencies the choice as to whose privacy will be interfered with. This, in turn, increases the risk of arbitrary decision-making and undermines the implementation of effective judicial authorization. In accordance with the Act, the Secretary of State may issue a “targeted interception warrant” (for the acquisition of content of communications) or a “targeted equipment interference warrant” (for extracting information from devices either directly or remotely, via hacking tools). These warrants are subject to the approval of a Judicial Commissioner, barring urgent matters. The warrants allow communications within the United Kingdom to be intercepted, and equipment within the United Kingdom to be interfered with, insofar as these communications or equipment relate to: (1) people or equipment “who share a common purpose or who carry on, or may carry on a particular activity”; (2) “more than one person or organization, or more than one set of premises, where the conduct authorized or required by the warrant is for the purposes of the same investigation or operation”; (3) “equipment that is being, or may be used, for the purposes of a particular activity or activities of a particular description”; (4) the testing, maintenance or development of capabilities relating to interception or equipment interference.

As clarified in the explanatory notes, these subject-matter expansions are intended to encompass “thematic warrants”. Under a thematic warrant, the Secretary of State and a Judicial Commissioner do not approve each individual target of surveillance; rather, the security agencies can choose their targets without additional sign-off. To illustrate, a thematic warrant might authorize the hacking of all mobile phones of members of the Muslim faith in Birmingham, or the interception of the communications of anyone suspected of having travelled to Turkey in the last three months.

As the Intelligence Services Commissioner points out, “the critical thing … is that the submission and the warrant must be set out in a way which allows the Secretary of State to make the decision on necessity and proportionality”. However, permission for interception of communications and hacking of networks without prior reasonable suspicion is by its very nature disproportionate. In the case of Gillan and Quinton v United Kingdom, the European Court of Human Rights (ECtHR) expressed particular concern over an intrusive power that did not require any “reasonable suspicion” (in that case the power to randomly stop and search individuals under s44 of the Terrorism Act 2000). Such broad discretion gave rise to a “clear risk of arbitrariness”. In S and Marper v United Kingdom, the U.K. government submitted that the retention of DNA samples from people who had not been charged or convicted of a criminal offence was of “inestimable value” and produced “enormous” benefits in the fight against crime and terrorism. The Grand Chamber of the ECtHR nonetheless held that the retention was a “disproportionate interference” with those individuals’ private lives. Central to the reasoning was the absence of any assessment of suspicion by the authorities that was sufficient to justify the retention of each individual’s DNA data. The same reasoning applies in relation to thematic warrants under the IPA. More recently in Zakharov v. Russia the ECtHR reiterated the principle that the authorization of interception of communications “must clearly identify a specific person to be placed under surveillance or a single set of premises”.

b. Foreign Mass Surveillance and Hacking Powers

Part 6 of the Act authorises the GCHQ to engage in bulk interception, acquisition, and equipment interference of “overseas-related” communications and communications systems. These comprise communications “sent or received by individuals who are outside the British Islands”. In order for the Secretary of State to issue such a bulk warrant, the warrant must be considered necessary for: (1) national security; (2) the prevention or detection of serious crime; (3) the economic well-being of the UK. At the next stage, the examination of any such acquired data may be authorized only for one or more of the operational purposes specified in the warrant. These may include, inter alia: counter terrorism, counter proliferation, countering hostile actors, safeguarding prosperity, cyber defence operations, security of agencies’ and allies’ operational capabilities, security assurances, and the tackling of serious crime.

The issuing process is identical for each type of bulk warrant. First, the head of an intelligence service, or any official designated by her, must submit a request to the Secretary of State. The Secretary may then issue a bulk warrant, subject to a necessity and proportionality analysis. The decision to issue a warrant is then further scrutinized by a Judicial Commissioner, before it is granted. This is known in UK jargon as the “double lock mechanism” (a dual executive-judicial pre-authorization process for its foreign bulk warrants).

In essence, the law explicitly authorizes the GCHQ to engage in bulk hacking of networks and devices and to intercept communications worldwide. While the UK has taken pride in solidifying the “double lock mechanism”, in actuality the law limits the scope of review by the Judicial Commissioners to mere procedural aspects. In other words, judges will not be given actual powers to assess the merits of any proposed surveillance measures. Moreover, in the case of bulk warrants, the authorization requests will be formulated in such broad and vague terms that the attempt to form any judicial assessments on the merits of the application will prove essentially impossible.

Legal institutions and judicial fora may hardly be said to have fully resolved the question of what standards should apply to foreign governmental surveillance. For instance, this issue has not been sufficiently addressed by the ECtHR, although a ground-breaking pending case launched by Privacy International alongside nine other human rights NGOs invites the Court to clarify this matter specifically. The Human Rights Committee in its Concluding Observations to South Africa did note that State Parties should refrain from “engaging in mass surveillance of private communications without prior judicial authorization”. Similarly, certain Special Rapporteurs, such as Ben Emmerson, have already concluded that “the very existence of mass surveillance programmes constitutes a potentially disproportionate interference with the right to privacy” and that “shortly put, it is incompatible with existing concepts of privacy for States to collect all communications or metadata all the time indiscriminately.”

c. Standards on Encryption and Direct Access

The IPA allows the Secretary of State to issue a “technical capability notice” in order to compel an operator to provide government officials with direct access to its network apparatus. Moreover, under such notices, the Secretary of State may further compel an operator to decrypt intercepted communications. The issuance of such a notice is subject to a necessity and proportionality test, which is to be conducted by a Judicial Commissioner. Amongst other factors, the Secretary of State must further take into account the technical feasibility and likely costs of the request. Should the Judicial Commissioner refuse to approve the notice, the Secretary of State may appeal to the IP Commissioner so as to approve the notice nonetheless.

It is on this point that the ECtHR, in Zakharov v. Russia, affirmed that “a system…which enables the secret services and the police to intercept directly the communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider…is particularly prone to abuse.” It is in this context that providing government officials with direct and complete access to communications networks run by private corporate providers is unlikely to comply with the standards of necessity and proportionality. Furthermore, as noted by the U.N. Special Rapporteur David Kaye, “national laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online… States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression. Blanket prohibitions fail to be necessary and proportionate. States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows.”

The IPA, as currently drafted, does not give sufficient weight to factors against decryption. Such factors include: the importance of maintaining the integrity of networks, potential cybersecurity threats, the reputational costs for companies, and chilling effects on expression and creativity of users. By ignoring these issues, the law lacks balance and could open the door to a UK version of Apple v. FBI (which concerned the question of whether US Courts could compel manufacturers to assist in unlocking cell phones whose data are cryptographically protected).

d. Reporting and Notification Requirements

In conformity with the IPA, an individual subjected to surveillance would be informed by the IP Commissioner only when such surveillance involved a “serious error” or concerned the “public interest”. Further, the Act establishes a general reporting requirement, whereby at the end of each calendar year the IP Commissioner must report to the Prime Minister (PM) on the way the functions of the Judicial Commissioner have been carried out. While by default this report is to become part of public record, the PM may order otherwise. Thus, should the PM consider the publication of parts of the report to be contrary to the public interest or prejudicial to national security, the economic well-being of the State, the continued discharge of functions of public authority, or the prevention or detection of serious crime, she can decide, in consultation with the IP Commissioner, to exclude from publication those parts of the report. This is not the only way the Act leaves certain information out of the public eye. Notably, any warrants issued to a telecom company or service provider, demanding direct access to its networks or the decryption of its users’ data, will be accompanied by a gagging order, “forbidding the firm from discussing it”, essentially squashing public debate and scrutiny.

Independent oversight mechanisms ensuring transparency and accountability of State surveillance of communications have been recognised as necessary to guarantee privacy and data protection rights. The lack of a strict reporting requirement in the IPA, due, in part, to the broad range of security exceptions the Act prescribes, brings into question the degree to which transparency and accountability can effectively be achieved. Additionally, the Act only provides for notification to individuals in cases of identifiable “error”. However, as the ECtHR has affirmed, States have an obligation to provide notification to persons concerned by the measure used. To be sure, according to this jurisprudence, notification is due not just in cases of abuse, but rather immediately following the termination of the measures assuming “it can be made without jeopardizing the purpose of the surveillance.” Furthermore, the UN High Commissioner for Human Rights acknowledged that notification is fundamental in ensuring individuals’ access to an effective remedy. Under the current IPA it is unlikely that individuals will have the opportunity to seek redress where their privacy rights have been violated.

The Investigatory Powers Act: The Official Entrenchment of Far-Reaching Surveillance Powers

By ucqhgnu, on 8 December 2016

Author: Daniella Lock (PhD student at UCL Faculty of Laws). The original post was published on Just Security on 30 November 2016. 

What was formerly known as the Investigatory Powers Bill, referred to elsewhere as the “revised Snoopers’ Charter,” has received Royal Assent and, as of Nov. 29, is officially law in the UK. The Act (full text here) does introduce additional safeguards, as well as a new body of oversight and the involvement of judges in the authorization of surveillance warrants. However, the broad range of surveillance powers available to the British Government, which were exposed by the Snowden leaks, have not been scaled back but further entrenched within British law. This is despite consistent pleas to reduce the powers by parliamentarians, legal practitioners and legal NGOs, and amendments having been made to the Act by both Houses of Parliament.

The Not So New Powers 

The government’s powers exposed by the Snowden leaks were the subject of widespread fear and shock, and they will be further consolidated by this new legislation. The surveillance powers that the Act will now explicitly enshrine in law include: targeted and bulk hacking powers; bulk interception of communications (provided for under the previous UK surveillance regime); access to bulk personal datasets (BPDs); and the acquisition of communications data, both targeted and bulk, which involves the retention of web history logs (known as “Internet Connection Records”). The Act also provides for the use of thematic warrants in relation to targeted surveillance powers. These warrants, equated with general warrants in a previous Just Security post by Scarlet Kim, have the potential to be very broad in scope and may be used against “a group of persons who share a common purpose or who carry on, or may carry on a particular activity.”

All of these far-reaching surveillance powers existed in one form or other prior to the Act. However, many of them were only avowed by the UK Government in the aftermath of the Snowden leaks. For example, engagement in the bulk acquisition of communications data by the security services was first admitted in November 2015, when the then-Home Secretary, Theresa May, informed Parliament that communications data was being obtained in bulk from Communication Service Providers under the authority of the Telecommunications Act 1984. The use of hacking powers was acknowledged by the UK government through the publication of the Draft Equipment Interference Code of Practice published in February 2015 (containing, admittedly, unclear distinctions between bulk and targeted powers). The use of thematic warrants and BPDs was publicly avowed for the first time in March 2015 in a report by the Intelligence and Security Committee (the Parliamentary committee appointed to oversee the work of the UK’s security services).

The Passage of the Act 

Many were hoping to prevent or obstruct the UK Government in its consolidation of these extensive powers. Since the Act was first published in bill form, there has been rigorous engagement with its provisions by legal practitioners, legal NGOs as well as tech companies. When the Act was published in draft form in November 2015, over 1,500 pages of written evidence were submitted to the Joint Committee responsible for scrutinizing the bill. Written evidence was then submitted throughout the year. Legal NGOs and legal practitioners made recommendations calling for many of the powers either to be removed or subjected to much greater restriction. For example, Liberty called for a removal of all bulk powers contained in the bill, and the barrister (and Reader at University College London) Dr. Tom Hickman called for the scope of thematic warrants to be greatly reduced.

Official scrutiny of the Act was primarily undertaken by the Joint Committee for the Investigatory Powers Act and the Intelligence and Security Committee (ISC), who both wrote reports in response to the draft bill. These reports also conveyed skepticism about certain powers contained in the bill. For example, the ISC expressed uncertainty over the need for bulk hacking powers, and the Joint Committee stated that it was not clear that the bulk powers of interception and hacking were compliant with the UK’s obligations under the European Convention on Human Rights.

Partly in response to concerns such as these, the government called for a review of bulk powers by the Independent Review of Terrorism Legislation. The publication of the review report was discussed in a previous blog post by Shaheed Fatima Q.C. The Independent Reviewer concluded in the report that there was a “proven operational case” with respect to three of the bulk powers which were “already in use.” These powers were bulk interception, bulk acquisition (of communications data) and BPDs. At the time of the review, the Independent Reviewer had been told by the UK’s Government Communications Headquarters (GCHQ) that they had not so far engaged in bulk hacking. With regard to this power, it was found that there was a “distinct, but not yet proven, operational case” for it.

While the conclusions of the review were welcomed by the UK government, they were not accepted across the board and opposition to the reach of surveillance powers in the bill remained. Liberty criticized the scope of the review, arguing that its lack of consideration of the necessity and proportionality of bulk powers meant that the most important question regarding their use had gone unanswered. It also criticized the short time-frame for the review, citing the lack of time that had been available for those carrying out the review to consult experts in the field. It also highlighted that no operational case with regard to internet connection records had been made, and it claimed that this power should be removed from the bill.

Despite determined efforts by many to oppose the powers in the bill, only fairly minor changes were made to them during its passage. For example, restrictions were added to class warrants for BPDs and to the examination of material obtained under bulk warrant, and additional safeguards were added with respect to accessing journalistic material and legally privileged material.

Changes the Act Makes to the UK Surveillance Regime as a Whole 

For those less familiar with the provisions contained in the Act, it should be noted that at the same time as ensuring the same breadth of surveillance powers are available to the government, it also introduces a new authorization process for these powers and new safeguards and body of oversight.

With respect to the authorization process, there is now a mechanism by which judges, called Judicial Commissioners, will be involved in the decision-making process for the issuing of surveillance warrants—a mechanism described as the “Double-Lock.” Judicial Commissioners will be required to approve warrants initially issued by the Secretary of State before they can be fully authorized.

A new oversight body will be set up, which merges previously existing oversight bodies. The body will be made up of an Investigatory Powers Commissioner and a group of Judicial Commissioners. It will keep under review the exercise of statutory functions by public authorities provided for in the Act. Furthermore, as stated, Judicial Commissioners will also be involved in the authorization process for surveillance warrants.

Insofar as these additions to the UK surveillance regime serve to impose robust limitations on the UK government’s use of its surveillance powers, they are clearly welcome. However, the extent to which they will impose robust limitations has been a matter of debate. One issue of controversy is that the Act expressly states that the Judicial Commissioners are to apply judicial review principles when reviewing the Secretary of State’s decision. As was discussed in an earlier blog post by Shaheed Fatima Q.C., there may still be potential for Judicial Commissioners to undertake substantive and meaningful review of the Secretary of State’s decision despite this constraint. However, this remains to be seen.

Furthermore, there are a number of other factors that may serve to constrain the Judicial Commissioners, highlighted here by Lord David Pannick, which are not acknowledged in the Act. For example, there is no clause in the Act which provides that the Judicial Commissioner would have access to all of the same information on the basis of which the Secretary of State made their decision. There is also no provision in the Act to ensure that Judicial Commissioners will be able to access a special advocate to assist them in their decision-making. Concerns have also been raised about the fact that this same oversight body, responsible for providing oversight with regards to the UK surveillance regime, is also responsible for approving surveillance warrants.

Initial Concerns with UK Surveillance Powers Still Stand 

While it is not clear how robust these restrictions will be, what is clear is that the Act does not reduce the powers available to the government. And ultimately, many of the concerns that were initially voiced about the Act still stand. For example, the problems discussed in the blog post by Scarlet Kim, in connection with the expansive hacking powers and use of thematic warrants, remain. The concerns regarding justifiability of access to Internet Connection Records, discussed in a blog post by Shaheed Fatima Q.C., are as relevant as they were last year.

Due to the extensive surveillance powers that the Act provides for, it is still not clear whether the new regime will be compliant with standards set by international law. This was expressly stated by the UN Special Rapporteur when he delivered his first report to the UN Human Rights Council in March this year. The Special Rapporteur argued that the provisions in the Act “prima facie fail the benchmarks” set in recent case law by the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union (CJEU).

This view is at least plausible. As was highlighted in an earlier blog post by Carly Nyst, the ECtHR has, in the cases of Zakharov v Russia (Grand Chamber) and Szabó and Vissy v Hungary, recently emphasized the need for human rights law principles to be “enhanced” to take into account States’ increased appetite for “massive monitoring of communications.” In the case of Zakharov, it was also emphasized that interceptions must:

“clearly identify a specific person to be placed under surveillance or a single set of premises as the premises in respect of which authorization is ordered. Such information may be made by names, addresses, telephone numbers or other relevant information.”

Some have taken such commentary by the Court to be a sign that the ECtHR may be willing to take issue with the Act. Indeed, in a memorandum on surveillance and oversight mechanisms in the UK published in May, the Council of Europe Commissioner for Human Rights cited “major human rights concerns” over the then Bill. Of particular interest in the memorandum was a reference made to suggestions by surveillance experts that “the sheer breadth of a bulk warrant may have difficulties” against the “clear standard” quoted above, as set out in Zakharov. The Commissioner also commented that:

“by their nature bulk warrants place large groups of people under the menace of surveillance without any suspicion on the part of the authorities that an individual has committed a criminal offence or is of national security interest.”

Provisions in the Act may also come into conflict with certain standards set by the CJEU. The UK will be required to adhere to these standards for at least the next few years, even if the UK manages to begin the process of leaving the Union early next year. The key issue will be the Act’s provisions on data retention. Recent decisions—such as in the joined cases of Digital Rights Ireland and Seitlinger as well as in the case of Schrems—suggest that the CJEU is willing to take a more hardline approach with respect to data retention. Furthermore, in July 2016 the Advocate General of the Court of Justice published his opinion on the Tom Watson (and formerly David Davis) case, regarding the lawfulness of the UK’s Data Retention and Investigatory Powers Act 2014 (DRIPA). The Advocate General stated in his opinion that data retention should only be lawful for the purpose of investigating serious crime. This opinion is not binding, and a lot depends on what the CJEU rules in relation to DRIPA early next year. However, it may be that the provisions for data retention in the Act, which allow for data to be retained on the basis of a broad range of purposes—including for the purposes of “public health” and “assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department”—may be incompatible with EU standards.

Looking to the Future 

Legal NGOs have made it clear that they intend to challenge the Act on its compliance with international law. Liberty’s response to the passing of the Act by Parliament couldn’t have been clearer. They stated: “[t]he fight does not end here. Our message to Government: see you in Court.”

There are already challenges relevant to the Act underway. For example, Privacy International and five internet and communications providers have lodged an appeal in the ECtHR challenging the UK Government’s hacking powers (under the previous regime). An application by Big Brother Watch regarding bulk interception and intelligence sharing (under the old regime) is also waiting to be heard in Strasbourg. Many legal challenges to be made directly against the Act once it becomes law are no doubt being currently drafted.

Some will be relieved that, for now, the “fight” is not completely over. However, it seems like a sad reflection of the current state of British law-making that an Act like this could be passed in its current form, with the best chance of opposing its most questionable provisions apparently lying in the ability of pro bono lawyers to challenge it in courts.

People will point to a variety of factors to explain how we got here. One factor which has undoubtedly played a role, which other countries who may face similar legislation can hopefully learn from, is timing. It has taken just over nine months for the Act to pass through Parliament. This is an undeniably brief period of time for an Act which, at the time of being introduced to Parliament, was almost 250 pages of complex legal provisions, accompanied by 19 “overarching documents”, many of which were over 100 pages long. The then Bill was over 300 pages long on leaving the Lords’ report stage. Nine months is insufficient time to subject so many complex provisions to proper scrutiny. Many parliamentarians would barely have had time to get their head around the implications of the first few chapters of the bill, let alone all of its nine long and technical separate parts. The government was warned that it was “not in the nation’s interest” to pass the Act this year, when over 100 cross-party lawmakers and campaigners signed a letter calling for a longer consultation period to “give the Bill the time it needs.”

The letter reminded the government that the new law “could lead the world” if it was done right. Indeed, this new legislation was a big opportunity to wipe the slate clean after the Snowden leaks, and to help rebuild trust in the UK government and its surveillance practices. However, the UK government has chosen to push through a law which may well be seen as only serving to enhance distrust: for it consolidates far-reaching surveillance powers which many think should never have been relied upon in the first place.