Author: Asaf Lubin (JSD candidate, Yale Law School and Robert L. Bernstein International Human Rights Fellow with Privacy International)

In Part I of this blog I examined four of the most troubling elements of the new Investigatory Powers Act and their compatibility with IHRL. It is, however, important to note that the IPA is only one of several electronic communications surveillance laws that have been adopted in recent years, or are currently undergoing legislative processes, across Europe (one can particularly note adopted or pending legislation in Germany, France, Poland, Italy, Austria, Romania, Belgium, and Spain, to name a few examples). In this blog post, I suggest we look at the broader implications of the IPA on the landscape of regulation of espionage in international law.

Tinker, Tailor, Hacker, Spy: The IPA and the Law on Espionage

In his recent autobiography, The Pigeon Tunnel, John le Carré laments about the “British public’s collective submission to wholesale surveillance of dubious legality”. He argues that this type of concerted wilful surrender is the “envy of every spook in the free and unfree world”. Rarely do I find myself disagreeing with le Carré, but this is one of those cases. It is not just the British, but rather the general public, worldwide, that is supportive at worst or apathetic at best to the real prospect of a 1984-type Big Brother global surveillance scheme. The revelations surrounding the British American surveillance programs, as part of their successful collaboration within the broader 5-Eyes Intelligence Alliance, have clearly had ripple effects around the world.

These ripples are causing tectonic shifts within the “law on espionage”, as a distinct body of lex lata rules within the jus gentium. If in 2007 Prof. Radsan had recommended that Academia simply succumb to the idea that “espionage is beyond the law”, the last decade of political and legal developments are pushing away from this policy position. Both the advancements in technological capacities and the prevalence of leaks and whistleblowing, have forced parliaments, courts, academics, and the media, to face the spooks head on in a way they have never done before. As the activities of intelligence agencies, once draped with a cloak of secrecy, are moving further and further into the light, customary international law (dependent by its very nature on state practice to emerge) is slowly beginning to take shape.

We should thus look at the IPA not only from the narrow perspective of UK law, European law, or even international human rights law, but rather embark on an understanding of the broader role this Act plays in the evolution of the Law on Espionage. In this regard, let me conclude with three short brief comments.

1. The Right to Spy (The Jus Ad Explorationem)– I have written elsewhere that espionage should be recognized as a sovereign right under international law. There is room to suggest that the same processes and justifications that have limited the right to use force in the early 20^th century are now taking shape to limit certain aspects of the right to spy. In that regard particular emphasis has been given to economic espionage. In 2015 the United States and China reached a “common understanding” not to conduct or support cyber espionage and intellectual property theft for the purposes of commercial gain. Similarly, Germany legislated a prohibition on “economic espionage” as part of its October 2016 “Communications Intelligence Gathering Act”. According to wikileaks, Hilary Clinton’s Campaign Manager John Pdesta, in a policy brief on U.S.-German Surveillance relations concluded that “If Germany were to propose to the US a bilateral engagement to prohibit industrial espionage as the starting point for multi-lateral agreements or standards, the response from Washington would likely be positive.” In this regard how should we interpret the IPA which allows for foreign surveillance for the protection of the “economic well-being of the United Kingdom” or the French legislation which maintains that foreign surveillance may be conducted to advance the “economic, industrial, and scientific interests of France”. These pieces of legislation are exposing different approaches as to the justifications for the right to spy, and its limitations.
2. Intelligence Sharing– As part of the IPA the U.K. had the opportunity to engage in statutory authorization of its intelligence sharing arrangements with foreign agencies, which it declined to do. The Equivalent German law which was adopted two months before the IPA, did include, in a precedential way, three provisions authorizing and limiting certain aspects of German intelligence sharing operations. The pending 10 Human Rights NGOs Case, calls on the ECtHR to establish that the principle of legality requires States to establish the powers to engage in intelligence sharing as part of accessible and foreseeable primary legislation. This is important as significant abuse can take place in the form of “circular exchanges” that is a circumvention of domestic legislation through direct access to data bases or intelligence collaboration with foreign agencies. As Professor Forcese described it in the context of certain accusations that were made about the ECHELON program as early as the late 90s: “Since privacy laws tend to restrict states’ ability to monitor their own citizens but not those located in other countries, each state’s agency allegedly was asked to spy on the other state’s citizens and, presumably, share the results”.
3. Extraterritorial Enforcement Jurisdiction in International law– In conducting cross border interception and hacking activities, Government authorities are breaking away from one of the oldest tenants of international law, the presumption against extraterritorial enforcement jurisdiction. As the U.S. Third Restatement of Foreign Relations (1987) clarifies: “A state’s law enforcement officers may exercise their functions in the territory of another state only with the consent of the other state, given by duly authorized officials of that state”. Indeed, as early as the SS Lotus Case it was established that the enforcement jurisdiction of States to investigate, prosecute, or apprehend an offender extraterritorially is limited by the territorial sovereignty of the foreign State. Whereas the sending of spies across borders was generally perceived as a tolerable violation of the enforcement jurisdiction principle, within the broader operational code of the law on espionage, the introduction of mass electronic surveillance capabilities are tilting the scales. If in the old world order we put up with, as a necessary evil, the naturally limited intrusions of human spies, a different balance must be struck now once we developed the capacity to surveil whole populations remotely and covertly. Current state practice, as reflected in the IPA, is pushing in the other direction, however, and it becoming more normal to engage in unfettered mass global surveillance with few restrictions and few raised eyebrows. This should keep up anyone who dreads for the future of the rule of law and the right to privacy and freedom of expression.

Author: Asaf Lubin (JSD candidate, Yale Law School and Robert L. Bernstein International Human Rights Fellow with Privacy International)

Christmas came early for the UK Government Communications Headquarters (GCHQ). Wrapped in a red ribbon and sparkling with parcel lights, Parliament handed the signal intelligence agency a gift, the Investigatory Powers Act (IPA), providing it with a statutory authorization to engage in bulk interception and retention of electronic communications’ metadata and content, both within and outside the United Kingdom. Like last-minute shoppers running up and down the cramped stores of Oxford Street, so were the Lords in a hurry to complete the IPA’s legislative process before the new year, when the sun was to set on the previous legislation, the Regulation of Investigatory Powers Act (RIPA, 2000).

Since the IPA received royal assent and became an official Act on November 29^th 2016, the legal blogosphere and general media have been buzzing over this measure and its implications (see for example: here, here, here, here, and here). Particular attention has been given to the new law’s data retention provisions, which were struck down by the European Court of Justice earlier this week, forcing an impending legal headache for legislators. Nonetheless, a number of the Act’s most troubling features have not been sufficiently reviewed from the perspective of their compatibility with the United Kingdom’s broader international obligations. As we say Rest In Peace to RIPA and usher in a new age of legalized governmental mass surveillance, the following two blog posts will take a step back and examine the new Act’s compatibility with international human rights law (IHRL) as well as its impact on the ongoing evolution of the international law of espionage.

            Within the limits of this blog post I will focus on the following four elements of the Act: (a) Thematic Warrants and Lack of Reasonable Suspicion; (b) Foreign Mass Surveillance and Hacking Powers; (c) Standards on Encryption and Direct Access; and (d) Reporting, Notification Requirements, and Gag Orders.

What’s in Santa’s Stocking? GCHQ’s new surveillance powers and their compatibility with IHRL

a. Thematic Warrants and Lack of Reasonable Suspicion

While disguised as targeted surveillance, the IPA seeks to introduce into law “thematic warrants”. These warrants delegate to the police or intelligence agencies the choice as to whose privacy will be interfered with. This, in turn, increases the risk of arbitrary decision-making and undermines the implementation of effective judicial authorization. In accordance with the Act, the Secretary of State may issue a “targeted interception warrant” (for the acquisition of content of communications) or a “targeted equipment interference warrant” (for extracting information from devices either directly or remotely, via hacking tools). These warrants are subject to the approval of a Judicial Commissioner, barring urgent matters. The warrants allow communication within the United Kingdom to be intercepted and, equipment within the United Kingdom to be interfered with; insofar as these communications or equipment  relates to: (1) people or equipment “who share a common purpose or who carry on, or may carry on a particular activity”; (2) “more than one person or organization, or more than one set of premises, where the conduct authorized or required by the warrant is for the purposes of the same investigation or operation”; (3) “equipment that is being, or may be used, for the purposes of a particular activity or activities of a particular description”; (4) the testing, maintenance or development of capabilities relating to interception or equipment interference.

     As clarified in the explanatory notes, these subject matter expansions intended to encompass, “thematic warrants”. Under a thematic warrant, the Secretary of State and a Judicial Commissioner do not approve each individual target of surveillance, but rather the security agencies can choose their targets without additional sign off. To illustrate, a thematic warrant might authorize the hacking of all mobile phones of members of the Muslim faith in Birmingham, or the interception of the communications of anyone suspected of having travelled to Turkey in the last three months.

         As the Intelligence Services Commissioner points out “the critical thing … is that the submission and the warrant must be set out in a way which allows the Secretary of State to make the decision on necessity and proportionality”. However, permission for interception of communications and hacking of networks without prior reasonable suspicion is by its very nature disproportionate. In the case of Gillan and Quinton v United Kingdom, the European Court of Human Rights (ECtHR) expressed particular concern over an intrusive power that did not require any “reasonable suspicion” (in that case the power of random stop and search individuals under s44 of the Terrorism Act 2000). Such broad discretion gave rise to a “clear risk of arbitrariness”. In S and Marper v United Kingdom, the U.K. government submitted that the retention of DNA samples from people who had not been charged or convicted of a criminal offence was of “inestimable value” and produced “enormous” benefits in the fight against crime and terrorism. The Grand Chamber of the ECtHR nonetheless held that the retention was a “disproportionate interference” with those individuals’ private lives. Central to the reasoning was the absence of any assessment of suspicion by the authorities that was sufficient to justify the retention of each individual’s DNA data. The same reasoning applies in relation to thematic warrants under the IPA. More recently in Zakharov v. Russia the ECtHR reiterated the principle that the authorization of interception of communications “must clearly identify a specific person to be placed under surveillance or a single set of premises.

b. Foreign Mass Surveillance and Hacking Powers

Part 6 of the Act authorises  the GCHQ to engage in bulk interception, acquisition, and equipment interference of “overseas-related” communications and communications systems. These comprise communications “sent or received by individuals who are outside the British Islands”. In order for the Secretary of State to issue such a bulk warrant, the warrant must be considered necessary for : (1) the national security; (2) the prevention or detection of serious crime; (3) the economic well-being of the UK. At the next stage, the examination of any such acquired data may be authorized only for one or more of the operational purposes specified in the warrant. These may include, inter alia: counter terrorism, counter proliferation, countering hostile actors, safeguarding prosperity, cyber defence operations, security of agencies’ and allies’ operational capabilities, security assurances, and the tackling of serious crime.

          The issuing process is identical for each type of bulk warrants. First, the head of an intelligence service, or any official designated by her, must submit a request to the Secretary of State. The Secretary may then issue a bulk warrant, subject to a necessity and proportionality analysis. The decision to issue a warrant is then further scrutinized by a Judicial Commissioner, before it is granted. This is known, in the UK jargon as the “double lock mechanism” (a dual executive-judicial pre-authorization process for its foreign bulk warrants).

        In essence, the law explicitly authorizes the GCHQ to engage in bulk hacking of networks and devices and to intercept communications worldwide. While the UK has taken pride in solidifying the “double lock mechanism”, in actuality the law limits the scope of review by the Judicial Commissioners to mere procedural aspects. In other words, judges will not be given actual powers to assess the merits of any proposed surveillances measures. Moreover, in the case of bulk warrants, the authorization requests will be formulated in such broad and vague terms, that the attempt to form any judicial assessments on the merits of the application will prove essentially impossible.

       Legal institutions and judicial fora may hardly be said to have fully resolved the question of what standards should apply to foreign governmental surveillance. For instance, this issue has not been sufficiently addressed by the ECtHR; although a ground-breaking pending case launched by Privacy International alongside nine other human rights NGOs invites the Court to clarify this matter specifically. The Human Rights Committee in its Concluding Observations to South Africa did note that State Parties should refrain from “engaging in mass surveillance of private communications without prior judicial authorization”. Similarly, certain Special Rapporteurs, such as Ben Emmerson, have already concluded that “the very existence of mass surveillance programmes constitutes a potentially disproportionate interference with the right to privacy” and that “shortly put, it is incompatible with existing concepts of privacy for States to collect all communications or metadata all the time indiscriminately.

c. Standards on Encryption and Direct Access

The IPA allows the Secretary of State to issue a “technical capability notice” in order to compel an operator to provide government officials with direct access to its network apparatus. Moreover, under such notices, the Secretary of State may further compel an operator to decrypt intercepted communications. The issuance of such a notice is subject to a necessity and proportionality test, which is [to be]/will be conducted by a Judicial Commissioner. Amongst other factors, the Secretary of State must further take into account the technical feasibility and likely costs of the request. Should the Judicial Commissioner refuse to approve the notice, the Secretary of State may appeal to the IP Commissioner so as to approve the notice nonetheless.

        It is on this point that the ECtHR, in Zakharov v. Russia, affirmed that “a system…which enables the secret services and the police to intercept directly the communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider…is particularly prone to abuse.” It is in this context that providing government officials with direct and complete access to communications networks run by private corporate providers, is unlikely to comply with the standards of necessity and proportionality. Furthermore, as noted by the U.N. Special Rapporteur David Kaye, “national laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online… States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression. Blanket prohibitions fail to be necessary and proportionate. States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows.”

    The IPA, as currently drafted, does not give sufficient weight to factors against decryption. Such factors include: the importance of maintaining the integrity of networks, potential cybersecurity threats, the reputational costs for companies, and chilling effects on expression and creativity of users. By ignoring these issues, the law lacks balance and could open the door to a UK version of Apple v. FBI (which concerned the question of whether US Courts could compel manufacturers to assist in unlocking cell phones whose data are cryptographically protected).

d. Reporting and Notification Requirements

In conformity with the IPA, an individual subjected to surveillance would be informed by the IP Commissioner only when such surveillance involved a “serious error” or concerned the “public interest”. Further, the Act establishes a general reporting requirement, whereby at the end of each calendar year the IP Commissioner must report to the Prime Minister (PM) of/on the way the functions of the Judicial Commissioner have been carried out. While by default this report is to become part of public record, the PM may order otherwise. Thus, should the PM consider the publication of parts of the report as: contrary to public interest or prejudicial to – national security, the economic well-being of the State, the continued discharge of functions of public authority, or the prevention or detection of serious crime, she can decide, in consultation with the IP Commissioner, to exclude from publication those parts of the report. This is not the only way the Act leaves certain information out of the public eye. Notably, any warrants issued to a telecom company or service provider, demanding direct access to its networks or decrypt its users’ data, will be followed/accompanied by a gagging order, “forbidding the firm from discussing it” essentially squashing public debate and scrutiny.

   Independent oversight mechanisms ensuring transparency and accountability of State surveillance communications have been recognised as necessary to guarantee privacy and data protection rights. The lack of a strict reporting requirement in the IPA, due, in part, to the broad range of [security/self-judging] exceptions the Act prescribed, brings into question the degree to which transparency and accountability can effectively be achieved. Additionally, the Act only provides for notification to individuals in cases of identifiable “error”. However, as the ECtHR has affirmed, States have an obligation to provide notification to persons concerned by/with the used measure. To be sure, according to this jurisprudence, notification is due not just in cases of abuse, but rather immediately following the termination of the measures assuming “it can be made without jeopardizing the purpose of the surveillance.” Furthermore, the UN High Commissioner for Human Rights further acknowledged that notification is fundamental in ensuring individuals access to effective remedy. Under the current IPA it is unlikely that individuals will have the opportunity to seek redress where their privacy rights have been violated.