The Draft Investigatory Powers Bill: A (Somewhat) Different Balance Between Privacy and Security
Recently it seems as though you can hardly get away from government mass surveillance programs (no pun intended). They even make an appearance in the latest James Bond film (as sinister tools of the ‘New World Order’, naturally). The latest event, long anticipated following Digital Rights Ireland and R(Davis), has been the unveiling of the Draft Investigatory Powers Bill by the British Home Secretary.
The Bill aims to consolidate and reform the obsolete, incomprehensible, and in parts unlawful, legislation that previously governed surveillance and investigatory powers. The Bill incorporates recommendations made in this area by David Anderson QC, the Intelligence and Security Committee of Parliament and the Royal United Services Institute.
It is important to understand the technical difference between the various types of power dealt with by the Bill. Interception (content caught in the course of transmission), communications data (the who, where, when, how and with whom of communications but not content) and equipment interference (private data obtained covertly from computers etc.) are separate matters with different rules applying to them. Bulk interception of this material, of the sort seen in the PRISM and TEMPORA programs brought to light by the Snowden revelations, is also dealt with separately.
The most welcome reform is the implementation of the Anderson Report’s proposals for judicial authorisation of surveillance warrants. A new Investigatory Powers Commissioner (a senior judge) will replace the three current, mostly unknown, bodies. Serving or former High Court judges will serve as Judicial Commissioners, who will authorise and approve the use of investigatory powers in a manner similar to the United States Foreign Intelligence Surveillance Court, a safeguard absent from this jurisdiction to date. This ‘double lock’ of ministerial authorisation of surveillance warrants pending approval by a Judicial Commissioner applies to interception, equipment interference and the exercise of bulk powers. It is a positive step which serves to bolster the rule of law and ensures oversight.
However, there are a number of concerns with the Bill. First, warrants may be granted not only for reasons of national security and serious crime but also in the ‘interests of the economic well-being’ of the country (subject to caveats). Judicial Commissioners are also prohibited from acting in a manner ‘prejudicial’ to the ‘economic well-being of the United Kingdom’ (see s.169(5)). The implications of this for judicial independence in this area are somewhat unsettling and deserve forensic scrutiny.
Second, while the list of organisations that may request a warrant is tightly restricted to intelligence, military and law enforcement chiefs, it is necessary to question what happens to the information afterwards. Due attention must be given to ensure there is no inappropriate bleeding of data to other bodies, with the above persons used as a conduit (or indeed a ‘front’).
Third, it is debatable whether the distinction drawn between the above powers and the obtaining of communications data is justified. This is not least because such requests are not subject to judicial approval. They may also be made for a wider variety of reasons (s.46(7)) by a much wider range of public bodies (s.54 and Schedule 4) including Department of Work and Pensions officials targeting benefit fraud and (strangely) Watch Managers in the fire and ambulance services. Local authorities may also gain access to such data if they have a suitable ‘collaboration agreement’ in place (see s.58). So some of the vices from the old system (the local council spying on your phone records to see if you actually live in the catchment area for your child’s school) are still present, if somewhat toned down (the council cannot access your webcam to see if you are putting your recycling in the wrong bin). Such requests are restricted to what is “necessary and proportionate”. But what that means in the abstract, given the wide variety of permissible purposes, is far from clear.
Finally, data retention by communications providers is also a concern. Worryingly, the old twelve-month maximum limit under section 1 of DRIPA is retained. This seems incongruous given that the German Bundestag recently decided that the same job could be done with retention for a mere ten weeks.
The Bill provides much food for thought. At present it appears far from ideal but it will hopefully generate exactly the sort of vigorous debate required on the nature of privacy in the internet age.