The Investigatory Powers Act: still a question of trust…

I read the short review of the Investigatory Powers Act by David Anderson QC, Independent Reviewer of Terrorism Legislation, with a great deal of interest. Anderson has been exemplary in his role, and has played a very significant part in ensuring that the Investigatory Powers Act has the safeguards that it does, and the chance to be something other than the ‘Snooper’s Charter’ which it is often described as.

I find myself agreeing with a great deal of what he says – though coming to rather different conclusions. As one of those who followed the process of the act from beginning to end – and who participated in a number of the reviews, including appearing before the Joint Bill Committee, and being one of those consulted by David in his Bulk Powers Review, I agree with him entirely that the bill has been one of the most carefully scrutinised in recent times. That, however, also reveals the weaknesses of our scrutiny system. Some of these weaknesses are unavoidable – it would be impossible to expect parliamentarians to understand many of the issues, or even to read all the fairly massive reports that the various reviews resulted in. Others are not: parliamentarians should be able to see their own weaknesses, and be willing to listen a bit more carefully to those who do understand them. As a legal academic, for example, I try to recognise my own weaknesses in understanding the technology, and defer to those who do understand it.

Where I find myself disagreeing most with the Independent Reviewer is in the weight that he appears to give to the bad features and weaknesses of the Investigatory Powers Act. Many of the problems seem to hit at the heart of the Act, and undermine its claim to be something positive overall.

  1. Internet Connection Records, which he notes that he had no opportunity to evaluate, were the one area noted as being entirely new in the bill – and in the view of many (including myself) are both unproven and represent a huge risk, a huge waste of resources. They should, in my view, have been included in David Anderson’s Bulk Powers Review – though not, in the technical terms of the bill, ‘Bulk Powers’, they are in a real sense every bit as ‘bulky’ and ‘powerful’. They are likely (in my view) to be highly difficult to implement, highly unlikely to be effective – and they could have been excluded from the Act, or introduced and tested on a pilot basis, with scope for a proper review.
  2. I share David Anderson’s concern over the dual lock system – and agree with him that this could and should have been done better. As another key element of the bill – and considered to be one of the key safeguards – this really matters. If the dual lock ends up being little more than a rubber stamp, its existence may do more harm than good, providing false assurance and complacency. The test of this will be in the implementation – something that needs to be watched very carefully.
  3. I also share David Anderson’s note that it is “legitimate to ask whether there are adequate advance safeguards on the exercise of some of the very extensive powers now spelled out for the first time”. This, it seems to me, is very important indeed – and hits at the heart of the problems that many of us have with the bill. The powers are extensive, and it is not at all clear that the safeguards are adequate.
  4. Finally, as David Anderson notes, the failure to recognise in statute the idea of an ‘Investigatory Powers Commission’ could be significant. The question is why it was omitted: was it, as those suspicious of the authorities might suggest, because they don’t want to put proper, independent oversight on a statutory basis for fear of its restricting their actions?

That, I think, reflects my overall difference with David Anderson – the same question that he highlighted in his review of investigatory powers in 2015. A question of trust. The biggest weakness of the Investigatory Powers Act, for me, is that it still relies on a great deal of trust, without the authorities having yet, for me, proved themselves worthy of that trust. We have to trust that the dual lock system will work. We have to trust that an investigatory powers commission will be put in place and have appropriate powers – they’re not set down in statute. We have to trust that the Technology Advisory Panel will be filled with the right kind of people, and will be able to perform its functions. We have to trust that everything is ‘OK’ with Internet Connection Records.

We have to trust (as David Anderson also notes) that the government interprets the various grey areas and ambiguities in the Act appropriately – when we really didn’t need to nearly as much as we do. Things like how to deal with encryption (whether the Act allows the government to mandate ‘back doors’ etc) and extraterritoriality (how the Act will be enforced on service providers outside the UK) remain subject to a great deal of doubt – and are potentially deeply dangerous.

Whether it is possible for me to agree with David Anderson that this is a ‘victory for democracy and the rule of law’ remains to be seen. Right now, I can’t give it a round of applause. I don’t condemn it completely – but there are sufficient problems at the heart of many of the most important parts of the Act to make it impossible to applaud. A chance missed, is the best I can say at this stage.

The real test is in the implementation. On that, I wholeheartedly agree with David Anderson that the new Investigatory Powers Commission (or whatever name is given to it) is the key. It will make or break the trust that people can have in the Act, and indeed in those engaged in surveillance. As he puts it:

“the new supervisory body needs to develop a culture of high-level technical understanding, intellectual enquiry, openness and challenge.”

If it does that, I will be delighted – and, with my cynical hat on, very surprised. I hope that I am.