Author: Asaf Lubin (JSD candidate, Yale Law School and Robert L. Bernstein International Human Rights Fellow with Privacy International)
Christmas came early for the UK Government Communications Headquarters (GCHQ). Wrapped in a red ribbon and sparkling with parcel lights, Parliament handed the signal intelligence agency a gift, the Investigatory Powers Act (IPA), providing it with a statutory authorization to engage in bulk interception and retention of electronic communications’ metadata and content, both within and outside the United Kingdom. Like last-minute shoppers running up and down the cramped stores of Oxford Street, so were the Lords in a hurry to complete the IPA’s legislative process before the new year, when the sun was to set on the previous legislation, the Regulation of Investigatory Powers Act (RIPA, 2000).
Since the IPA received royal assent and became an official Act on November 29th 2016, the legal blogosphere and general media have been buzzing over this measure and its implications (see for example: here, here, here, here, and here). Particular attention has been given to the new law’s data retention provisions, which were struck down by the European Court of Justice earlier this week, forcing an impending legal headache for legislators. Nonetheless, a number of the Act’s most troubling features have not been sufficiently reviewed from the perspective of their compatibility with the United Kingdom’s broader international obligations. As we say Rest In Peace to RIPA and usher in a new age of legalized governmental mass surveillance, the following two blog posts will take a step back and examine the new Act’s compatibility with international human rights law (IHRL) as well as its impact on the ongoing evolution of the international law of espionage.
Within the limits of this blog post I will focus on the following four elements of the Act: (a) Thematic Warrants and Lack of Reasonable Suspicion; (b) Foreign Mass Surveillance and Hacking Powers; (c) Standards on Encryption and Direct Access; and (d) Reporting, Notification Requirements, and Gag Orders.
What’s in Santa’s Stocking? GCHQ’s new surveillance powers and their compatibility with IHRL
a. Thematic Warrants and Lack of Reasonable Suspicion
While disguised as targeted surveillance, the IPA seeks to introduce into law “thematic warrants”. These warrants delegate to the police or intelligence agencies the choice as to whose privacy will be interfered with. This, in turn, increases the risk of arbitrary decision-making and undermines the implementation of effective judicial authorization. In accordance with the Act, the Secretary of State may issue a “targeted interception warrant” (for the acquisition of content of communications) or a “targeted equipment interference warrant” (for extracting information from devices either directly or remotely, via hacking tools). These warrants are subject to the approval of a Judicial Commissioner, barring urgent matters. The warrants allow communications within the United Kingdom to be intercepted, and equipment within the United Kingdom to be interfered with, insofar as these communications or equipment relate to: (1) people or equipment “who share a common purpose or who carry on, or may carry on a particular activity”; (2) “more than one person or organization, or more than one set of premises, where the conduct authorized or required by the warrant is for the purposes of the same investigation or operation”; (3) “equipment that is being, or may be used, for the purposes of a particular activity or activities of a particular description”; (4) the testing, maintenance or development of capabilities relating to interception or equipment interference.
As clarified in the explanatory notes, these subject matter expansions are intended to encompass “thematic warrants”. Under a thematic warrant, the Secretary of State and a Judicial Commissioner do not approve each individual target of surveillance; rather, the security agencies can choose their targets without additional sign off. To illustrate, a thematic warrant might authorize the hacking of all mobile phones of members of the Muslim faith in Birmingham, or the interception of the communications of anyone suspected of having travelled to Turkey in the last three months.
As the Intelligence Services Commissioner points out, “the critical thing … is that the submission and the warrant must be set out in a way which allows the Secretary of State to make the decision on necessity and proportionality”. However, permission for interception of communications and hacking of networks without prior reasonable suspicion is by its very nature disproportionate. In the case of Gillan and Quinton v United Kingdom, the European Court of Human Rights (ECtHR) expressed particular concern over an intrusive power that did not require any “reasonable suspicion” (in that case the power to randomly stop and search individuals under s44 of the Terrorism Act 2000). Such broad discretion gave rise to a “clear risk of arbitrariness”. In S and Marper v United Kingdom, the U.K. government submitted that the retention of DNA samples from people who had not been charged or convicted of a criminal offence was of “inestimable value” and produced “enormous” benefits in the fight against crime and terrorism. The Grand Chamber of the ECtHR nonetheless held that the retention was a “disproportionate interference” with those individuals’ private lives. Central to the reasoning was the absence of any assessment of suspicion by the authorities that was sufficient to justify the retention of each individual’s DNA data. The same reasoning applies in relation to thematic warrants under the IPA. More recently, in Zakharov v. Russia, the ECtHR reiterated the principle that the authorization of interception of communications “must clearly identify a specific person to be placed under surveillance or a single set of premises.”
b. Foreign Mass Surveillance and Hacking Powers
Part 6 of the Act authorises the GCHQ to engage in bulk interception, acquisition, and equipment interference of “overseas-related” communications and communications systems. These comprise communications “sent or received by individuals who are outside the British Islands”. In order for the Secretary of State to issue such a bulk warrant, the warrant must be considered necessary for: (1) the national security; (2) the prevention or detection of serious crime; (3) the economic well-being of the UK. At the next stage, the examination of any such acquired data may be authorized only for one or more of the operational purposes specified in the warrant. These may include, inter alia: counter terrorism, counter proliferation, countering hostile actors, safeguarding prosperity, cyber defence operations, security of agencies’ and allies’ operational capabilities, security assurances, and the tackling of serious crime.
The issuing process is identical for each type of bulk warrant. First, the head of an intelligence service, or any official designated by her, must submit a request to the Secretary of State. The Secretary may then issue a bulk warrant, subject to a necessity and proportionality analysis. The decision to issue a warrant is then further scrutinized by a Judicial Commissioner before it is granted. This is known, in the UK jargon, as the “double lock mechanism” (a dual executive-judicial pre-authorization process for its foreign bulk warrants).
In essence, the law explicitly authorizes the GCHQ to engage in bulk hacking of networks and devices and to intercept communications worldwide. While the UK has taken pride in solidifying the “double lock mechanism”, in actuality the law limits the scope of review by the Judicial Commissioners to mere procedural aspects. In other words, judges will not be given actual powers to assess the merits of any proposed surveillance measures. Moreover, in the case of bulk warrants, the authorization requests will be formulated in such broad and vague terms that the attempt to form any judicial assessments on the merits of the application will prove essentially impossible.
Legal institutions and judicial fora may hardly be said to have fully resolved the question of what standards should apply to foreign governmental surveillance. For instance, this issue has not been sufficiently addressed by the ECtHR, although a ground-breaking pending case launched by Privacy International alongside nine other human rights NGOs invites the Court to clarify this matter specifically. The Human Rights Committee in its Concluding Observations to South Africa did note that State Parties should refrain from “engaging in mass surveillance of private communications without prior judicial authorization”. Similarly, certain Special Rapporteurs, such as Ben Emmerson, have already concluded that “the very existence of mass surveillance programmes constitutes a potentially disproportionate interference with the right to privacy” and that “shortly put, it is incompatible with existing concepts of privacy for States to collect all communications or metadata all the time indiscriminately.”
c. Standards on Encryption and Direct Access
The IPA allows the Secretary of State to issue a “technical capability notice” in order to compel an operator to provide government officials with direct access to its network apparatus. Moreover, under such notices, the Secretary of State may further compel an operator to decrypt intercepted communications. The issuance of such a notice is subject to a necessity and proportionality test, which is to be conducted by a Judicial Commissioner. Amongst other factors, the Secretary of State must further take into account the technical feasibility and likely costs of the request. Should the Judicial Commissioner refuse to approve the notice, the Secretary of State may appeal to the IP Commissioner so as to approve the notice nonetheless.
It is on this point that the ECtHR, in Zakharov v. Russia, affirmed that “a system…which enables the secret services and the police to intercept directly the communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider…is particularly prone to abuse.” It is in this context that providing government officials with direct and complete access to communications networks run by private corporate providers is unlikely to comply with the standards of necessity and proportionality. Furthermore, as noted by the U.N. Special Rapporteur David Kaye, “national laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online… States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression. Blanket prohibitions fail to be necessary and proportionate. States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows.”
The IPA, as currently drafted, does not give sufficient weight to factors against decryption. Such factors include: the importance of maintaining the integrity of networks, potential cybersecurity threats, the reputational costs for companies, and chilling effects on expression and creativity of users. By ignoring these issues, the law lacks balance and could open the door to a UK version of Apple v. FBI (which concerned the question of whether US Courts could compel manufacturers to assist in unlocking cell phones whose data are cryptographically protected).
d. Reporting and Notification Requirements
In conformity with the IPA, an individual subjected to surveillance would be informed by the IP Commissioner only when such surveillance involved a “serious error” or concerned the “public interest”. Further, the Act establishes a general reporting requirement, whereby at the end of each calendar year the IP Commissioner must report to the Prime Minister (PM) on the way the functions of the Judicial Commissioner have been carried out. While by default this report is to become part of public record, the PM may order otherwise. Thus, should the PM consider the publication of parts of the report to be contrary to public interest or prejudicial to national security, the economic well-being of the State, the continued discharge of functions of public authority, or the prevention or detection of serious crime, she can decide, in consultation with the IP Commissioner, to exclude from publication those parts of the report. This is not the only way the Act leaves certain information out of the public eye. Notably, any warrants issued to a telecom company or service provider, demanding direct access to its networks or the decryption of its users’ data, will be accompanied by a gagging order, “forbidding the firm from discussing it”, essentially squashing public debate and scrutiny.
Independent oversight mechanisms ensuring transparency and accountability of State surveillance of communications have been recognised as necessary to guarantee privacy and data protection rights. The lack of a strict reporting requirement in the IPA, due, in part, to the broad range of self-judging security exceptions the Act prescribes, brings into question the degree to which transparency and accountability can effectively be achieved. Additionally, the Act only provides for notification to individuals in cases of identifiable “error”. However, as the ECtHR has affirmed, States have an obligation to provide notification to persons concerned by the measure used. To be sure, according to this jurisprudence, notification is due not just in cases of abuse, but rather immediately following the termination of the measures, assuming “it can be made without jeopardizing the purpose of the surveillance.” Furthermore, the UN High Commissioner for Human Rights acknowledged that notification is fundamental in ensuring individuals access to effective remedy. Under the current IPA it is unlikely that individuals will have the opportunity to seek redress where their privacy rights have been violated.