This morning in Parliament, Prime Minister David Cameron published the much-anticipated report of the Investigatory Powers Review. Entitled ‘A Question of Trust’, the document was submitted by David Anderson QC, the Independent Reviewer of Terrorism Legislation and a debate involving Home Secretary Theresa May was heard in the House.
The Investigatory Powers Review was conducted by a small independent team operating under Anderson’s direct leadership and received almost 70 written submissions from various quarters. Further evidence was taken from public authorities (at the highest level of security clearance) and from a wide range of organisations and individuals in the UK, California, Washington DC, Ottawa, Berlin and Brussels.
Parts I-III of the report (Chapters 1-12) inform the debate by summarising the importance of privacy, the threat picture, the relevant technology, external legal constraints, existing law and practice and comparisons with other types of surveillance, other countries and private sector activity. These sections also summarise the views expressed to the Review by law enforcement, intelligence, service providers and civil society.
Part IV (Chapters 13-15) sets out five underlying principles and 124 separate recommendations. Taken together, they form the blueprint for a new law designed to replace the Regulation of Investigatory Powers Act 2000 (RIPA) and the dozens of other statutes presently authorising the collection of communications data.
Speaking about the Investigatory Powers Review’s findings, David Anderson QC said: “Modern communications networks can be used by the unscrupulous for purposes ranging from cyber attack, terrorism and espionage through to fraud and kidnap. A successful response to these threats depends on entrusting public bodies with the powers they need to identify and follow suspects in a borderless online world.”
Anderson continued: “However, trust requires verification. Each intrusive power must be shown to be necessary, clearly spelled out in law, limited in accordance with international Human Rights standards and subject to demanding and visible safeguards. The current law is fragmented, obscure and under constant challenge as well as being variable in the protections that it affords the innocent. It’s time for a clean slate. This report aims to help Parliament achieve a world class framework for the regulation of these strong and vital powers.”
Key recommendations made in ‘A Question of Trust’
The key recommendations are summarised in paragraphs 10-34 of the Executive Summary at the beginning of ‘A Question of Trust’. There’s mention of a new law that should be both comprehensive in its scope and comprehensible to people across the world. The advice given is also to maintain – subject to legal constraints – existing capabilities relating to compulsory data retention as provided for by the Data Retention and Investigatory Powers Act 2014 (DRIPA) (and, formerly, under an EU Directive).
The report also focuses on the enhancement of those capabilities (eg by requiring the retention of ‘weblogs’ as proposed in the draft Communications Data Bill 2012, the so-called ‘Snoopers’ Charter’) but only to the extent that a detailed operational case can be made out and that a rigorous assessment has been conducted of the lawfulness, likely effectiveness, intrusiveness and cost.
Subject to legal constraints, a recommendation is made about the retention of bulk collection capabilities, but subject to additional safeguards and to the addition of a new and lesser power to collect only communications data in bulk.
Mention is made of a new requirement of judicial authorisation (by Judicial Commissioners) of all warrants for interception, the role of the Secretary of State being limited to certifying that certain warrants are required in the interests of national security relating to the defence (or foreign policy) of the UK.
Further, there’s discussion around measures to reinforce the independence of those authorising requests for communications data, particularly within the security and intelligence agencies.
Another recommendation centres on a new requirement of judicial authorisation of novel and contentious requests for communications data and of requests for privileged and confidential communications involving, for example, journalists and lawyers.
Anderson’s 300-page report pinpoints the necessity for the streamlining of procedures in relation to warrants and the authorisation of requests for communications data by local authorities and other minor users.
The Independent Reviewer of Terror Legislation also pinpoints the need for improved supervision of the use of communications data, including in conjunction with other data sets and open-source intelligence.
In addition, there’s mention of:
*maintaining the extra-territorial effect in DRIPA 2014 Section 4 pending a longer-term solution which should include measures to improve the co-operation of overseas (and in particular US-based) service providers and the development of a new international framework for data sharing among like-minded democratic nations
*the replacement of three existing Commissioners’ offices by the Independent Surveillance and Intelligence Commission: envisioned as “a new, powerful, public-facing and inter-disciplinary intelligence and surveillance auditor and regulator” whose judicial commissioners would take over the responsibility for issuing warrants, authorising “novel, contentious and sensitive” requests for communications data and for issuing guidance
*expanded jurisdiction for the Investigatory Powers Tribunal and a right to apply for permission to appeal its rulings
*the maximum possible transparency on the part of the Investigatory Powers Tribunal and public authorities
Endorsement of Intelligence and Security Committee proposals
The new report endorses some of the recommendations made by the Intelligence and Security Committee (ISC) and outlined in the document entitled ‘Privacy and Security’, which was published in March. That said, the new report is somewhat broader in its own scope, covering the activities of all 600 bodies with powers in this field and not just the security and intelligence agencies.
It also departs from the ISC in recommending (a) that a new law should apply across the board and (b) that interception warrants should be judicially authorised.
A further Independent Surveillance Review, to be conducted under the auspices of the Royal United Services Institute (RUSI), was commissioned in March 2014 by the Deputy Prime Minister. It has not yet issued a report.
The Independent Reviewer of Terrorism Legislation is also keen to point out that there has been some recent media speculation on the subject of encryption “which it may be useful to correct”. Indeed, the position communicated by the security and intelligence agencies to the Investigatory Powers Review is summarised as follows:
“The agencies do not look to legislation to give themselves a permanent trump card. Neither they nor anyone else has made a case to me for encryption to be placed under effective Government control, as in practice it was before the advent of public key encryption in the 1990s. There has been no attempt to revive the argument that led to the Clipper Chip proposal from the NSA in the 1990s, when public key cryptography first became widely available. The agencies do look for co-operation – enforced by law if needed – from companies abroad as well as in the UK that are able to provide readable interception product.”
Anderson’s detailed report recommends that, in the digital world as in the real world, ‘no-go areas’ for intelligence and law enforcement should be minimised, but states the following:
“Few now contend for a master key to all communications held by the state, for a requirement to hold data locally in unencrypted form or for a guaranteed facility to insert ‘back doors’ into any telecommunications system. Such tools threaten the integrity of our communications and of the Internet itself. Far preferable, on any view, is a law-based system in which encryption keys are handed over – by service providers or the users themselves – only after properly authorised requests.”
Background to the Investigatory Powers Review
Section 7 of the Data Retention and Investigatory Powers Act 2014 required the Independent Reviewer of Terrorism Legislation to examine in some detail the threats to the United Kingdom, the capabilities required to combat those threats, safeguards to protect privacy, the challenges of changing technologies and issues relating to transparency and oversight.
Anderson was also required to report to the Prime Minister David Cameron on the effectiveness of existing legislation relating to investigatory powers, and to examine the case for a new or amending law.
David Anderson QC is a barrister practising from Brick Court Chambers in London, a Visiting Professor at King’s College London, a Judge of the Courts of Appeal of Guernsey and Jersey and a Bencher of the Middle Temple.
He’s an experienced advocate in the European Court of Human Rights and in the Court of Justice of the EU and, since 2011, has served on a part-time basis as the Independent Reviewer of Terrorism Legislation, reporting in that capacity to the Home Secretary, to the Treasury and Parliament on the operation of the UK’s anti-terrorism laws.
*For further information about the Independent Reviewer of Terrorism Legislation and a full copy of the new report visit: https://terrorismlegislationreviewer.independent.gov.uk