One of the recommendations of the Joint Parliamentary Committee on the Investigatory Powers Bill was that the Bill should include some kind of a review process or ‘sunset clause’. The new Bill, as I noted in my earlier post on the subject, has included a term that seems to answer that recommendation – but does so in such a cursory way as to be close to irrelevant. This is how it is set out:
222 Review of operation of Act
(1) The Secretary of State must, within the period of 6 months beginning with the end of the initial period, prepare a report on the operation of this Act.
(2) In subsection (1) “the initial period” is the period of 5 years and 6 months beginning with the day on which this Act is passed.
(3) In preparing the report under subsection (1), the Secretary of State must, in particular, take account of any report on the operation of this Act made by a Select Committee of either House of Parliament (whether acting alone or jointly).
(4) The Secretary of State must
(a) publish the report prepared under subsection (1), and
(b) lay a copy of it before Parliament.
So, effectively, this means that the Secretary of State will have to produce a report after six years and lay a copy of it before Parliament – that’s all. Six years is a long time in relation to the internet. Six years ago, for example, WhatsApp had only just been launched, and SnapChat did not even exist. Facebook had 400 million users: it now has 1.6 billion.
Even more pertinently, the Investigatory Powers Bill has some significant new and distinctly controversial powers – most directly some of the ‘Bulk Powers’ and the Internet Connection Records (ICRs) about which I have also written about a number of times (here and here for example). ICRs have been criticised in a number of ways: their potential intrusiveness, the difficulty in defining what they actually are, the costs involved in their collection and retention, and the likelihood of their being able to do what the Bill suggests that they should do. All these matter – and to a great extent all of these are a matter of conjecture. Those like myself who believe that they will end up hugely expensive, highly ineffective and potentially vulnerable are to at least some degree speculating – but so are those who believe they’ll be a crucial tool for law enforcement and the security services, a proportionate and effective response, easily safeguarded and no great burden on the relevant service providers.
Both sides of the argument believe that they’re right – and have provided evidence to back up their opinions. Personally I believe that my evidence is the more compelling – but I would believe that. I am sure that the proponents of the inclusion of Internet Connection Records believe the same about their evidence. Who is right? The best way to tell might well be to have a proper, regular and independent review of the reality. An audit of a kind, to assess all these different aspects. Is it proving easy to define ICRs in all the relevant cases? Are the ICRs being useful? Are they proving expensive to collect and retain? Have they been kept securely or have there been losses through error, hacking, technological malfunction or something similar?
This kind of audit could be required under the Act – and if the drafters had followed the advice of the Independent Reviewer of Terrorism Legislation and created an Independent Intelligence and Surveillance Commission, it could have been the perfect body to perform such an audit. If that Commission had been granted the powers to ask for a part of the bill to be suspended or subject to amendment that would make this possibility even better.
In my oral evidence to the Committee I suggested something further – that the review should include a kind of ‘contextual’ review, looking not just at how the powers were being used in relation to the Bill, but in relation to how people were using communications systems. In effect, assessing whether the powers were still appropriate and balanced because how people use service can, in practice, change how intrusive powers relating to a service can be. Undermining encryption, for example, is far less troublesome if the only people using encryption are the most technologically adept of geeks and nerds than it is if we are all reliant on encryption for our banking and confidential work.
If properly constituted and empowered, a review body could look at this – and rather than being in a position we are now, where outdated laws are being misapplied to situations that have radically changed, we could keep not just the law but how it is used up to date and proportionate. We could learn where mistakes are being made, where resources are being misapplied, what works and what doesn’t work – and not just from those who have a vested interest in telling us that those powers are working and that they need the resources that they’re being given. The two examples we have in this field – the Independent Reviewer of Terrorism Legislation and the Interception of Communications Commissioner’s Office (IOCCO) – have proven their worth in a number of ways. An independent body to oversee the implementation, effectiveness and proportionality of the operations of the Investigatory Powers Bill could be similarly effective.
That, however, is not what the IP Bill currently proposes. The review as it is set out in S 222 is too late, not independent, and without the power to produce any real effect. This could, however, be relatively simply changed. In their response to the consultations, the main objection to making such a change seems to be cost: the response says that it would cost an extra £0.5m/year. Though that may seem like a lot of money, in the grand scheme of things it really is not. If, as just one (small) example, ICRs are as expensive as it seems likely they will be, and the review body reveals this after three years rather than six, spending that £0.5m/year would be very cheap at the price. Other savings could be made in other areas as revealed by the reviews – and that’s not considering the significant extra level of trust that would be generated by a properly independent review body. The potential benefits are very significant: I hope that those pushing the Bill are willing to consider it.
Paul Bernal's Blog 
The Bill does of course provide for independent review and scrutiny – through the Investigatory Powers Commissioner.
The Joint Committee simply recommended that the IPC be a non-departmental public body. The Home Office argument is that this would cost more without providing more oversight. I think they have a point there – I don’t see that creating yet another NDPB would provide better scrutiny. I suppose you would argue the body would be more independent.
But there’s a slight contradiction in your post. You criticise the option the Home Office have gone for but compliment IoCCO. But IoCCO is precisely what the IPC would be. The legislation that provides for the Interception of Communications Commissioner is pretty obviously the model for th clauses creating the IPC – though the IPC has more power and more access.
The IPC has some very precise functions defined, and they don’t include the kind of review function that I’m suggesting here. Instead, they’re really monitoring process rather than the deeper questions: is the law being followed rather than is the law the right kind of law. That’s a key difference when new and untested piers are being granted and when there is a significant question as to their effectiveness and potential harm.
I see the contradiction with IOCCO – but IOCCO does have the kind of regular audit and reporting function that I would like to see, albeit without the true independence that would make it much more effective.
i like your article very inspiring and thank you for your post