Happy Christmas from the Investigatory Powers Bill….
The United Kingdom Parliament is currently in the pre-legislative scrutiny phase of a new Investigatory Powers Bill, which aims to “consolidate existing legislation and ensure the powers in the Bill are fit for the digital age”. It is fair to say this Bill is controversial, with strong views being expressed by both critics and supporters of the Bill. Against this backdrop it is important to cut through the rhetoric and get to the heart of the Bill and to examine what it will do and what it will mean in terms of the legal framework for British citizens, and indeed for those overseas.
Much of the Bill’s activity is to formalise and restate pre-existing surveillance powers. One of the key criticisms of the extant powers of the security and law enforcement services is that the law lacks clarity. Indeed it was this lack of clarity which led the Investigatory Powers Tribunal to rule in the landmark case of Liberty v GCHQ that the regulations which covered GCHQ’s access to emails and phone records intercepted by the US National Security Agency breached Articles 8 and 10 of the European Convention on Human Rights. Following a number of strong critiques of the law, including numerous legal challenges, the Government received three reports into the current law: the report of the Intelligence and Security Committee of Parliament, “Privacy and Security: A modern and transparent legal framework”; the report of the Independent Reviewer of Terrorism Legislation, “A Question of Trust”; and the report of the Royal United Services Institute, “A Democratic Licence to Operate”. All three reported deficiencies in the law’s transparency.
As a result the Bill restates much of the existing law in a way which should be more transparent and which, in theory, should allow for greater democratic and legal oversight of the powers of the security and law enforcement services. In essence the Bill is split into sections: interception, retention, equipment interference and oversight, with each of the three substantive powers split again into targeted and bulk. What this means in practice is the authorisation of three broad types of activity (each of which has sub-types): the authorisation to intercept data between sender and receiver, the authorisation to retain data such as communications data and internet connection records (more below) for possible processing later, and the authorisation to interfere with (in colloquial terms “hack”) systems and devices. For each of these there is a split between targeted activity, which is required when dealing with communications which are sent and received by individuals who are inside the British Islands (domestic communications), and bulk activity, which is permissible where either the sender or receiver (or both) of the communications are located outside the British Islands.
Two of the more controversial aspects of the Bill are the oversight provisions and the introduction of a new form of retained data, so called “internet connection records.”
The retention of internet connection records is an entirely new power found in the Bill. It is an extension to the extant, but currently legally uncertain, data retention powers found in the Data Retention and Investigatory Powers Act 2014 (DRIPA). This new power is thus controversial on two bases: (1) it fails to meet the proportionality principle on the basis it fails to comply with the EU Charter on Fundamental Rights; (2) even if the current law is proportionate, an extension of powers is almost certainly disproportionate. With regard to the first of these, the current law, as contained in DRIPA, is subject to an ongoing legal challenge brought by MPs David Davis and Tom Watson supported by Liberty. The case, Secretary of State for the Home Department v David Davis MP and others  EWCA Civ 1185, has recently been referred by the Court of Appeal to the Court of Justice of the European Union, where the court asks the CJEU to rule on whether the ground-breaking case of Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources & Others, the case which ruled that European data retention laws were incompatible with Articles 7 & 8 of the EU Charter, also binds national legislators in the making of domestic data retention laws. Thus the current status of domestic data retention laws is unclear, yet while this case remains under review the Bill seeks to extend the powers of the state to order the retention of data from the simple, yet still very invasive, power to retain all traffic data on our communications to also cover internet connection records, described in the guide to the Bill as “a record of the internet services a specific device has connected to, such as a website or instant messaging application.” This would be data such as which banking services we use, which rail company or airline we tend to favour and which may reveal much about us including gender, ethnicity, religious beliefs, medical conditions and much more.
University of East Anglia law lecturer Paul Bernal has written upon this issue very eloquently in his blog. As he notes despite the Home Office’s best attempts to paint these as akin to itemised phone records, they are much more invasive of personal privacy and they are also clearly likely to be more invasive than the mere retention of communications records, a practice ruled illegal under EU Law in Digital Rights Ireland, and which at domestic law is currently under review. It is difficult to see how this new provision could be seen to be proportionate.
The second key battleground over the Bill is likely to be the oversight procedure for the issuance of warrants. The three reports were split as to whether Ministers or judges should issue warrants. The Intelligence and Security Committee felt the power should remain with Ministers, as “Ministers are able to take into account the wider context of each warrant application and the risks involved, whereas judges can only decide whether a warrant application is legally compliant”. The Independent Reviewer of Terrorism Legislation recommended that “Specific interception warrants, combined warrants, bulk interception warrants and bulk communications data warrants should be issued and renewed only on the authority of a Judicial Commissioner”, however he recommended that the Secretary of State should be allowed to issue a national security certificate where the application related to “the interests of the defence and/or foreign policy of the UK” and in such cases the “Judicial Commissioner in determining whether to issue the warrant should be able to depart from that certificate only on the basis of the principles applicable in judicial review”, this is sometimes called a “double lock” provision. Finally the RUSI report recommended something very similar to the Independent Reviewer with warrants for a purpose relating to the detection or prevention of serious and organised crime “always being authorised by a judicial commissioner” while warrants for purposes relating to national security (including counter-terrorism, support to military operations, diplomacy and foreign policy) and economic well-being, the warrant should be authorised by the secretary of state subject to judicial review by a judicial commissioner. The provisions of the Bill though are quite different. 
Despite the recommendations of both the Independent Reviewer of Terrorism Legislation and RUSI that warrants in relation to serious crime be issued by a Judicial Commissioner they will continue to be issued by the Secretary of State or by Scottish Ministers. All forms of warrant, including national security warrants, will however be subject to review by Judicial Commissioners under cl.19 of the Bill. There remains however a further complication. While the RUSI and Independent Reviewer of Terrorism Legislation reports suggested that only in relation to national security warrants the Judicial Commissioner should apply “principles applicable in judicial review”, by cl.19 all warrants will be restricted to this narrow set of principles, essentially illegality, fairness, and irrationality and proportionality.
There have been a number of critiques of the way the double lock system has been set up, with, among others, David Davis MP (one of the DRIPA challengers) and the Shadow Home Secretary being highly critical. Again the question of proportionality of the legislation is questionable. In terms of domestic intercept warrants, which Davis in his comment notes “should not be a political decision”, it is questionable whether the role of the Secretary of State is compliant with the spirit, if not the law, of Article 8 ECHR, as well as Article 6’s “independent and impartial” requirement. One must ask whether it is proportionate, or even relevant, to involve a minister of cabinet rank, a political decision-maker, in a decision as to whether a warrant should be issued to intercept communications in an organised crime case. One of the many benefits of our legal systems in the United Kingdom is that judges are appointed and not elected, allowing them to remain apart from the political process. To retain a role for a political office holder in warrants such as these, and against the recommendations of the RUSI and Independent Reviewer of Terrorism Legislation reports, appears disproportionate.
Andrew Murray is Professor of Law at London School of Economics. He is the author of Information Technology Law: The Law and Society. He is a leading expert in Information Technology Law and Regulation and has written many articles on aspects of the interface between information technology and the legal framework including surveillance and data protection laws.
I was one of the panel of academic witnesses before the specially convened Draft Investigatory Powers Bill Select Committee on Monday 7th December. It was my first time before a Parliamentary Committee and I have to admit I was a little intimidated: from queueing up beneath the statue of Oliver Cromwell to walking through what CP Snow referred to as the ‘corridors of power’. It’s a cliché, but there really is a corridor off from which the Committee Rooms are reached – it has a little of the Alice in Wonderland about it, but the thing that I noticed the most whilst waiting to be called was that almost everyone seemed to be a bit lost. In relation to the Investigatory Powers Bill that might be more than a little appropriate.
The panel I was on was pretty intimidating too, from Professor Ross Anderson, one of the best computer science brains on the planet, Professor Sir David Omand, former head of GCHQ, Permanent Secretary at the Home Office and then Permanent Secretary and Security and Intelligence Co-ordinator in the Cabinet Office under Blair, and Professor Mark Ryan of Birmingham University, another highly distinguished computer scientist. It really was intimidating at first – feeling the weight of the place, the seriousness of the subject and the crucial part that a Parliamentary Committee is supposed to play in the process of scrutinising and passing laws. And as the chair of the Committee, Lord Murphy of Torfaen said in his opening remarks, this bill was crucial – perhaps the most important bill in this parliamentary session.
Once the session started, though, I found the level of intimidation diminished rapidly – because, in part at least, it was impossible for me not to become immersed in the discussion. It is easy (and often appropriate) to be cynical about our parliamentary process, but seeing it first hand, in this committee at least, it was clear that enough of the members of the committee really wanted to learn, and really wanted to understand the issues, that there was at least a chance that their scrutiny would have some kind of effect. The initial questions, which had been set out before the session, were reasonably good, but the follow ups and the discussions that arose were much better.
The choice of witnesses was interesting: having Ross Anderson at one end of the panel and Sir David Omand at the other end created an interesting dynamic from the start. Sir David seemed to have a particular role in mind from the start – a ‘reasonable’ voice, confirming that everything was OK, that the Bill, as it was written, was clear, balanced, fair and ‘world-leading’. As a number of people pointed out to me after the event, you could tell whether you’d made a good point by the speed and vehemence with which Sir David responded. There were a few key moments on that score, and I hope there is proper follow up on them.
The first is the Danish ‘session-logging’ experience – the nearest equivalent to the proposed ‘Internet Connection Record’ idea in the new Bill – which resulted in around 7 years of wasted money, time and effort, providing almost no help to the police at all, before it was abandoned. When I mentioned it, Sir David interjected immediately that the Home Office was planning to do it very differently. It would be interesting to know how they are doing it differently. I suspect that further investigation could convince the Committee that the problem wasn’t (and isn’t) the technical implementation but the fundamental approach. Session logging didn’t work in Denmark not because the Danes don’t have our technological expertise, but because it’s a fundamentally flawed approach.
The second was the idea that communications data is less intrusive than content – as all the other three members of the panel know, that might have been true once, but it’s no longer true. The intrusion is different, but it isn’t less. Indeed, because of the possibilities for analysis, the greater difficulty in disguising and the increasing ability to use for profiling, it is likely that the balance will shift very much the other way, with communications data being much more important and more intrusive than content.
There were many other things covered – but we had far less time than we needed to explore them in as much depth as we needed. That’s why I shall also be taking up the invitation of the Committee to submit written evidence as well as oral – and why I would seriously advise others to do the same. I was lucky enough to be on a panel – but the written evidence will be even more critical. This Committee, it seemed to me, wanted to learn and should be given the opportunity. Do take it up! Written submissions will be accepted until 21st December. To submit, follow the link here:
The video of the session can be found here:
Andrew Parker, the head of MI5, has said in a speech that he is hoping for a ‘mature debate’ on what he calls ‘intercepting communications data’ rather than surveillance: I’m sure that most people working in the area would very much welcome such a call. I know that I do. Mature debate is exactly what is needed. The question that immediately springs to mind is whether what Andrew Parker means by ‘mature debate’ is the same as what I would understand by the words. The record of the intelligence and security services and the government in relation to such a debate is not a very convincing one: it has been those who challenge surveillance powers who have shown more desire and willingness to debate than the services and their masters in government.
To suggest otherwise – indeed to hint that those challenging them have behaved like petulant, hyperbolic children – flies in the face of the experience of the last few years. There has been hype on both sides, of course – I can see why Parker and others dislike the term ‘Snoopers’ Charter’, for example – but on the other side the claims have been equally lurid and offensive: the suggestions by Theresa May and others that privacy advocates have ‘blood on their hands’ for opposing new powers have been regular and repellent. The record of seeking debate, however, has been distinctly one-sided. Back in 2012, when the coalition government first put forward the Communications Data Bill – dubbed by its ‘hyperbolic’ opponents the Snoopers’ Charter – the intention was to push it through without any real debate at all. Indeed, the hints were that it would be passed in a matter of weeks before the London Olympics. It took a lot of pressure to force the bill into proper scrutiny, and a special Joint Parliamentary Committee was eventually formed to examine it. Debate was very much sought by those interested in interception and surveillance powers: over 600 pages of written evidence was submitted to the committee from more than 100 witnesses (including myself). So yes, we want mature debate, whenever we get the chance.
That first batch of ‘mature debate’ did not get the results that the proponents of the Communications Data Bill wanted: the report of the Joint Parliamentary Committee was highly critical, and after the intervention of the then Deputy Prime Minister, Nick Clegg, the bill was dropped, with a promise of further debate and a new Bill to scrutinise. That new Bill, however, never materialised (though I understand that it was drafted) and neither did the promised further debate. Again, it was not those who challenged surveillance and interception that were avoiding the debate. Very much the opposite: we wanted more information and more debate, and our questions were largely fobbed off.
That debate, however, began to happen even without the participation of the intelligence and security services, when in June 2013 Edward Snowden dropped his bombshell on the whole business. The debate that followed might not have been mature at all times, but it was a debate – despite the efforts of the intelligence and security services, not because of those efforts. Indeed, most of the efforts seemed to be to shut down the debate, to shut Edward Snowden up, along with those in the media who worked with him, arresting them at airports, smashing their hard drives and so forth. Keith Vaz questioning whether Guardian Editor Alan Rusbridger ‘loved his country’ was a particularly mature part of this debate. All this was accompanied by yet more mature suggestions about opponents of surveillance having blood on their hands. The maturity level was immense.
Then, when the mature debate actually began – the three big inquiries, from the Intelligence and Security Committee, the Independent Reviewer of Terrorism Legislation and the Royal United Services Institute – along came the next attempt to shut down that debate: DRIP. The shabby process through which the Data Retention and Investigatory Powers Act was rushed through parliament in a matter of days without any opportunity for public debate and only a few brief hours of parliamentary debate – in a mostly empty chamber with MPs preoccupied with preparations for the forthcoming election – was about as far from opening up to mature debate as could be imagined. Barely a debate at all, let alone a mature one.
Even after that, there was a further attempt to force through legislation without debate – four members of the House of Lords, all associated in the past with the security side of government, tacked on pretty much the entire, rejected Communications Data Bill to the back of another bill, very late in the parliamentary process, to try to sneak in those powers once more without debate.
So, Andrew Parker, let’s have this mature debate. Please. As soon and as deeply as we can. But don’t pretend that you’ve been seeking it all along, or that those who are challenging you have wanted anything else. What is more, let’s make sure it is a mature debate, and not the sort of ‘debate’ that happens when one side has all the power and has predetermined the result, like a parent telling a three-year-old what the rules are for their behaviour. A mature debate must leave a chance for different results. In this case in particular, mature debate does not mean a Brian Clough style discussion where you tell us your opinion, we tell you your opinion, and we agree that you are right. There has to be a possibility – and you have to be open to this possibility – that the powers of the intelligence and security services are in practice (as well as in law) curtailed. If there is no possibility of change, the debate – mature or immature – is meaningless.
Are you ready for this kind of debate? I hope so. Let’s have it as soon as we can.
Today is #DigitalRightsMatter day – and yes, I know there are days for many things (including, despite the complaints from some, an International Men’s Day (November 19th)). I’m usually fairly cynical about these days – but they do serve a purpose – to focus minds on significant issues, and hopefully to find ways to actually do something about them. In this case, the issue is digital rights – one close to my heart – and the thing to do is to support the Open Rights Group (ORG).
I should say, right from the start, that I’m on the Advisory Council of ORG so I have something of a vested interest – but I’m only on the Advisory Council because I think what ORG does is of critical importance, particularly right now. Never has there been a time when digital rights have been more important, and never has there been a time when they are more under threat. We use the internet for more and more things – from our work to our personal life, from our political activism to our entertainment, from finding jobs to finding romance. Indeed, there are pretty much no parts of our lives that are untouched by the internet – so what happens online, what happens to our digital freedoms and rights, is of ever increasing importance.
Now is when we need them
The threats that we face to our freedoms are growing at a seemingly exponential rate. Surveillance is almost everywhere, and the political pressure to increase it is frightening. Censorship, the other side of that authoritarian coin, is growing almost as fast – from more and more uses for ‘web-blocking’ to ‘porn’ filters that hide vastly more than porn, from critically important sex education websites to sites that discuss alcohol, anorexia and hate speech. David Cameron talks about banning encryption without seemingly having any idea of what he’s talking about – or the implications of his suggestions.
This last point highlights one of the reasons ORG is critically important right now. Politicians from all the mainstream parties seem to have very little grasp of how the internet works – and they reach for ‘easy’ solutions which get the right headlines in the Tabloid press but are not only almost always counterproductive and authoritarian but actually encourage the perpetuation of damaging myths that will make things continue to get worse. The media, left to their own devices, also have a tendency to look for easy headlines and worse.
That’s one of the places that ORG comes in. It campaigns on these issues – current campaigns include ‘Don’t Spy On Us’ dealing with surveillance, Blocked! which looks at filtering, and 451 Unavailable which tries to bring transparency to the blocking of websites by court orders. It produces information that cuts through the confusion and makes sense of these issues – and tries to help politicians and the media to understand them more. And it works – ORG representatives are now quoted regularly in the media and when they make submissions to government inquiries they’re the ones who are given hearings and referred to in reports.
They do much more than this. They help with court cases working with other excellent advocacy groups like Privacy International – the current challenge to the Data Retention and Investigatory Powers Act (DRIPA) is just one of many they’ve been involved in, and these cases really matter. They don’t always win – indeed, sadly they don’t win often – but they often force the disclosure of critical information, they sometimes bring about changes in the law, and they raise the profile of critical issues. ORG are also part of the critical European organisation EDRi who bring together digital rights groups from all over Europe to even more effect.
Now is when they need us
ORG, like other advocacy groups, regularly punches above its weight. It doesn’t have the massive resources of the government agencies and international corporations whose activities they often have to campaign against. There are no deep pockets in ORG, and no massive numbers of staff – they rely on donations, and on volunteers. That’s where #DigitalRightsMatter day comes in – ORG is trying to find new members, get more donations and find access to more expertise. Can you help?
ORG’s joining page is here
Their blog about #DigitalRightsMatter day is here
I would encourage anyone to consider joining – because Digital Rights really do matter, and not just on #DigitalRightsMatter day.
Like many others in the privacy field, I had waited for the Intelligence and Security Committee report ‘Privacy and Security: A modern and transparent legal framework’ with some trepidation – though after having made a submission myself, and participated in the ISC’s ‘round table’ events that formed part of the consultation I had felt a little less overwhelming pessimism than I had previously. Having read it through after its release yesterday I feel a little underwhelmed. It isn’t quite as bad as I had feared – but it does come close. The general feeling I had, though, was that the ISC is still essentially out of touch, out of date, and unable to fulfil the critical role of scrutiny that it is tasked with.
One particular paragraph made the point most directly – and it concerned one of the most important areas of the review insofar as it relates to the areas that I work in. Paragraph 80 began with this startling sentence:
“We were surprised to discover that the primary value to GCHQ of bulk interception was not in reading the actual content of communications, but in the information associated with those communications.”
Surprised? Really? No-one who has paid any attention to the field over the last decade at least should have been surprised that the ‘information associated with those communications’ – essentially what is generally referred to as ‘metadata’ these days – is what GCHQ would be interested in. Academics and privacy advocates have been going on about it for years and years – and if the ISC were ‘surprised’ that this is what GCHQ are most directly interested in then it means one of three things: either they’ve not been paying attention (which is their main role), they don’t understand the technology at all (which is critically important to their role), or they’re deliberately dissembling about it (which means they can’t be trusted in their role).
That they even make the admission that they were ‘surprised’ in the official report suggests that they don’t understand the gravity of that admission, and how much it shows that they don’t understand what is happening. They compound that admission later on in the report, in paragraphs 136 and following, when they ask the question of whether Communications Data is ‘as intrusive’ as content, and essentially dismiss the possibility, hence giving the authorities much more freedom. They seem to have forgotten at this point what they had learned in paragraph 80, that the primary value is in the ‘information associated with’ the communications – their surprise didn’t elicit the kind of questions that it should have.
To be clear, the argument made by people like me is not that this information is more intrusive than content – but that it is more useful, for a number of reasons, from the fact that it can be analysed algorithmically (rather than by rooms full of old-fashioned spies poring over reams of print-outs, which seems to be the ISC’s idea of surveillance), and that qualitative information can be gleaned from it. Profiling information – the kind of information that the massive internet advertising industry uses – that can be automatically processed and used. That, however, was something else that indicated how much the ISC was out of touch – they didn’t seem to acknowledge or understand the nature of the current, commercial, surveilled nature of the internet, and the critical role played by the corporations. Bruce Schneier put it most eloquently when talking about the NSA:
“The NSA didn’t wake up and say, ‘Let’s just spy on everybody.’ They looked up and said, ‘Wow, corporations are spying on everybody. Let’s get ourselves a copy.’”
The corporates are much more interested in metadata because they understand its value – and so do GCHQ. The profiling techniques used by advertisers to find customers are the same sort of thing that GCHQ might use to find terrorists – just using different parameters. That the ISC doesn’t understand this – or didn’t understand this – is deeply revealing. One of the brighter spots of the report, however, is that they do at least make a tentative step towards recognising it through their new category of ‘Communications Data Plus’ in their recommendations. As they put it:
Personally, I suspect that the ‘grey area’ defined in this way will turn out to be the vast majority of what was previously considered ‘communications data’ – when data aggregation is considered, in particular, most data can be highly revealing. If the ISC had paid more attention to the advertising industry – effectively, if it had understood the context in which surveillance happens these days – it would not have had such a surprise. I look forward to hearing what these ‘greater safeguards’ it will attract will be.
There is much more in the report that should ring alarm bells – the discussion of encryption, the seemingly new idea of ‘bulk personal datasets’, the casual dismissal of arguments against the fundamentally intrusive nature of ‘bulk collection’, and the attempt to characterise those who seek privacy as being happy to accept a few terrorist atrocities as a fair price to pay for a little personal privacy – and I am sure they will be written about extensively elsewhere. There was one other thing that struck me, though. At no point in the report, as far as I can see, did they mention the fact that the Data Retention Directive was declared invalid in April 2014, and that the reason for its invalidity was that:
“It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.”
Did the ISC not know about this, or not think it was relevant? If the former, they’re incompetent, if the latter, they’re dismissive of what are considered to be fundamental rights. Mostly, though, my suspicion is that they thought it was not within the terms of their review – and that, itself is revealing. Again, the words that spring to mind are ‘out of touch’. In a body charged with oversight of the intelligence services, being out of touch is a fundamental flaw.
The fall of the Chair of the ISC, Sir Malcolm Rifkind, through his being duped into selling his services to a fake Chinese company set up by journalists, highlights the point even more. Time for a change – and a root and branch change. The ISC is right to call for better transparency – but we need better oversight too, and the starting point of that better oversight should be a replacement of the ISC. More technical competence, more people ‘in touch’ with the real world, less subservience to those in authority who are supposed to be subject to their oversight, more openness to new ideas, more willingness to listen to people who don’t immediately fit into their world view.
We’ve had the review by the ISC. Now it’s time for a review of the ISC.
Sir Malcolm Leslie Rifkind, KCMG, QC, MP, former Defence Secretary, former Foreign Secretary, distinguished member of Margaret Thatcher’s cabinet, long standing member of parliament, has become ensnared in a ‘cash for access’ scandal. This has many implications – and many different angles to examine, from his claim that it would be ‘unrealistic’ to expect an MP to live on £67k per annum onward – but the one that may be the most important is his role as Chair of the Intelligence and Security Committee, the ISC. The ISC is the only parliamentary body that oversees the activities of the intelligence services – MI5, MI6 and GCHQ. It is a body that is made up only of people personally nominated by the Prime Minister, and given the nod by the leader of the opposition – and until last year, it operated effectively in private. It has had one public session (about which I have written before) in November last year, and it wasn’t exactly impressive – it felt rehearsed, and scripted, the heads of MI5, MI6 and GCHQ having been given details of the questions beforehand.
In practice, therefore, there is an enormous amount of responsibility on the ISC, and on its chair in particular. What they do is largely behind closed doors – so we have to trust that they do a good job. The latest events for Sir Malcolm Rifkind make that seem very doubtful. I have met Rifkind – I sat next to him at the ‘Round Table’ events as part of the ISC’s inquiry into surveillance – and I have to admit I liked him. He was charming, affable, a good listener, clearly intelligent, and in some ways what appears to be a consummate politician. His experience is enormous, his ability to ‘manage’ meetings very impressive – but does that make him suitable for the key role overseeing the UK’s intelligence services?
He does not have the technical knowledge or understanding of the technology – he made that entirely clear from the start of the Round Table discussion, asking for the most basic information and demonstrating some critical levels of technical ignorance. He does not have the legal understanding either – he admitted to me directly that he didn’t understand RIPA – the Regulation of Investigatory Powers Act that is central to the governance of surveillance in the UK. So what is left? His ‘gravitas’, his position as a ‘safe pair of hands’. And that, importantly, is what is now compromised. He is supposed to represent us – and from what we have seen about his ‘cash for access’ scandal, it seems pretty clear that his main representation is of himself. He was duped by a fake Chinese company, set up by journalists, for the chance of making money. What he said may (it has yet to be confirmed) be within the parliamentary guidelines, but in this context that cannot be nearly enough. Being Chair of the ISC is a huge responsibility – and it has huge sensitivity.
It isn’t just personal issues that are at stake, but national security too: just imagine the possibilities if the fake Chinese company had been a cover for Chinese Intelligence rather than journalists from Channel 4 and the Telegraph. It is almost a classic trap – the sort of thing that has been played out in many thrillers. Some thrillers, these days, would have had Rifkind compromised by people within the intelligence services, so that they can bend him to their will – but I don’t believe that is the real risk here. Rather, it shows inappropriate priorities – when priorities are particularly critical.
There is another side to this that should be deeply concerning. This kind of thing matters because companies – specifically companies involved in the development and supply of surveillance technology – are part of the problem with surveillance. They want to promote surveillance so they can be paid to develop and implement technology here that can then be exported elsewhere – there is a ready market for surveillance systems all over the world, particularly to the more oppressive and autocratic of governments. These companies can lobby, can manipulate, can bamboozle people without the technological knowledge or understanding to appreciate the risks. And Rifkind fits the bill.
I don’t believe it is just Rifkind that is the issue here – though the idea that he could remain as Chair of the ISC after this is frankly deeply disturbing – but our whole system of oversight of intelligence. Depending on individuals, particularly individuals appointed through a system which is rife with patronage and inside connections, just doesn’t work. It creates vulnerability – and destroys the possibility of accountability. It needs root and branch reform – the involvement of technical experts, civil society and the judiciary, not just politicians and civil servants. Will it happen? It seems unlikely. Eventually Rifkind will probably fall on his sword, but nothing more will change. If only it would.
UPDATE: 10:15 February 24th: Rifkind has stepped down as Chair of the ISC, though he remains a member of the committee.
10:30 February 24th: Rifkind will also be stepping down as an MP in May.
The news that four peers are trying to bring back the Snoopers’ Charter – in its last incarnation the Communications Data Bill – is depressingly predictable, but perhaps even more shameful than other attempts at legitimising mass data gathering and surveillance. It displays shameful opportunism that seems to plumb new depths – and in a number of different ways.
1 Bringing it in based on an event
It is a bit of an axiom that reactive law – knee-jerk law – is a bad idea. Law by its nature needs to be considered carefully, not passed in the heat of a moment. The more oppressive and ill-considered of ‘counter-terror’ legislation, however, seems to tend to be done this way all too often. The USA-PATRIOT Act (whose long name, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act is worth a read in itself) is perhaps the best known example, but the Data Retention Directive worked just the same way, passed in the wake of the 7/7 bombings in London, and even making reference to those bombings in its preamble. That this directive was declared invalid by the Court of Justice of the European Union last year should give pause for thought. The CJEU said that the directive “entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.” Authoritarian legislation, passed in haste, takes a long time to overturn. Even now, the repercussions are still being felt.
2 Bringing it in based on this particular event
Hanging legislation on a hideous event is one thing – bringing it in based on this particular event, the Charlie Hebdo shootings, is even worse, as a careful examination of this event should have revealed not that more mass data gathering and surveillance is necessary, but rather the opposite. As I have written before, the shootings in Paris damage rather than enhance the case for mass data gathering and surveillance. The perpetrators were known to the authorities – they didn’t need to be rooted out by mass surveillance. The authorities had stopped watching them six months before, because, it seems, of lack of resources, resources that might have been available if a targeted rather than mass surveillance approach had been taken. This is part of an almost overwhelming trend – the killers of Lee Rigby and the suspects in the Boston bombings were also known to the authorities. There was no need for mass data gathering and surveillance to stop them – so to use this particular event as an excuse for bringing back the Snoopers’ Charter is particularly shameful.
3 Trying to rush the legislation through
It is almost never appropriate to rush legislation through – but sadly this is also all too familiar. Last summer, Parliament brought itself into significant disrepute by rushing through the Data Retention and Investigatory Powers Act (DRIP) in a matter of mere days, with no real time for scrutiny, no opportunity for independent expert analysis, and no real opposition from any of the main parties. This is not the way to legislate – it wasn’t right then, and it wouldn’t be right now.
4 Doing this in the midst of investigations and legal challenges
The one saving grace in DRIP was that it was intended to give breathing space, to allow proper, detailed and careful consideration to the many issues involved in surveillance. At the same time, there are a series of reviews over surveillance legislation in process – from the Intelligence and Security Committee and by the Independent Reviewer of Terrorism Legislation to start with. Moreover, DRIP itself is subject to legal challenge. To try to pass much more comprehensive and far-reaching legislation even before these reviews have been completed and their reports scrutinised, and before the legal challenges even make their way into the court room, is also deeply shameful – prejudging the results of those reports, and, in effect, disrespecting all those involved.
5 Doing this in the face of a clear CJEU ruling
What is perhaps even worse, is that on the face of it the planned legislation flies directly in the face of the CJEU ruling on data retention. The ruling was strong, clear and direct – but does not seem, on immediate reading of the legislation, to have been taken into account at all. Of course this may be wrong – but as the new legislation only appeared yesterday, and is planned to go before the Lords on Monday, there has not been time for proper, detailed analysis – and nor has there been any kind of explanation or reconciliation presented. This again highlights the point of taking time over legislation – and going through proper, detailed procedures.
6 Using a highly dodgy political method
The method which has been chosen to try to introduce this law is, to put it mildly, somewhat doubtful. Rather than a full Bill, the four peers have tabled an amendment – 18 pages of additional clauses – to an existing bill, the Counter Terrorism and Security Bill, which has already gone through most of the processes necessary before becoming law. It’s like slipping in an entirely new law just before the first law is passed – it makes a mockery of parliamentary process, and in effect disrespects the whole of parliament. Describing it as trying to sneak in the Snoopers’ Charter by the back door may even be too kind.
7 Ignoring the committee
The original Communications Data Bill was subject to analysis by a full parliamentary committee – and that parliamentary committee came out with a highly critical report, a report which ultimately led to the abandonment of the Bill. By trying to bring it back now, seemingly virtually unchanged, the peers proposing the amendment are ignoring the committee and its findings – and as a consequence ignoring the whole process of parliamentary scrutiny.
8 Doing it at this time, in the run up to the election
To try to push through legislation like this in the run up to the election is in itself a highly dubious tactic. Politicians have their minds on other things – and many of them may care much more about being re-elected than about whether the details of legislation to be passed are a good idea or not. Whether they ‘look’ good is what matters, and whether that makes them more electable. Right now, in the light of the anger and fear resulting from the Charlie Hebdo shootings, to oppose something that might make people safer will be difficult – and may hinder the electoral prospects of MPs. This kind of thing has happened before – the way that the Digital Economy Act was passed in 2010 springs to mind – and again makes the timing of the bringing forward of the amendment feel very wrong.
Why are they doing it this way?
The whole process – all these layers of opportunism – should make the alarm bells ring. This is a hugely significant piece of law – not just in terms of what it does but in terms of what it signifies, in terms of what kind of society we want to be living in, what kind of an internet we want to have. If we are going to make decisions like this, we should make them in careful, considered ways, weighing the evidence and seeking expert opinion. That’s the idea behind the parliamentary committee system, and the time it takes to bring laws in through normal procedures.
Why, then, are these procedures being avoided, and why are these underhand methods being used? It is hard to escape the conclusion that it is because those pushing it are afraid that if it is given the appropriate amount of time, of attention, and of scrutiny, then it will once again be defeated, as it was the last time around. In the cold light of day, do we want to live in such a surveillance society? I’m not sure – but I do think that trying to make those decisions in this way, in the heat of the moment and without the opportunity to give proper thought and proper scrutiny, is a disastrous way to proceed. Those behind it should be ashamed.
Along with so many other world leaders, David Cameron has made a big point of showing solidarity with the French in the face of the Charlie Hebdo atrocities, claiming to stand for freedom of expression – but anyone who has been following or studying the way his government deals with the press and indeed with freedom of expression generally knows that he’s far from a champion of freedom of expression.
Indeed, rather than championing freedom of expression, Cameron’s government has been actively hostile to it. His is a government that sent agents to a national newspaper’s office to force them to smash computers – an act that could hardly be interpreted as anything but brutal intimidation. This is a government under whose auspices the police have secretly monitored the communications between journalists and their sources.
This is a government that has forced through a law to prevent charities from campaigning on the very subjects for which they were founded, if that campaigning would amount to criticism of government policy. Under that very same law, letters were sent to political bloggers that could also be seen as little more than intimidation.
This is a government that monitors social media traffic to try to stop people protesting about badger culls. This is a government that bans protesting in Parliament Square.
This is a government that has championed – and seems likely to extend support for – a form of internet filtering that not only prevents access to lawful material but has, not just theoretically but in practice, extensively overblocked, preventing access to sites on subjects like sex education. Indeed, even the discussion of subjects like the blocking and censorship of the internet – and circumvention of this kind of blocking, in some ways the essence of freedom of expression – can and does get blocked by this kind of filtering. One of my own blog posts on the subject was blocked by just such a system.
This is a government that supports exactly the kind of mass surveillance that studies show chill freedom of speech around the globe – indeed, an extensive report from American PEN demonstrated this just days before the Charlie Hebdo shootings. And what is David Cameron’s immediate reaction to the tragedy in Paris? To support even more of this surveillance.
So no, David, vous n’êtes pas Charlie. You’re very much the opposite. You’re not a champion of freedom of speech. You’re one of its enemies.
The video below is the slideshow of my presentation this morning at the Society of Legal Scholars conference in Nottingham – and what follows it are some brief notes to support it. Some of this is speculative and some of it is contentious – particularly in relation to the relative importance of corporate and governmental surveillance – and this is an early stage of this research, though it builds on the work in my book, Internet Privacy Rights. I should also note that this is a development of the paper I gave at BILETA earlier this year: ‘who killed privacy?’
The Resurrection of Privacy?
In 1999, Scott McNealy, then CEO of Sun Microsystems, famously said:
“You have zero privacy anyway. Get over it.”
Events and developments since 1999 have hardly improved the prospects for privacy: the growth of social networking, technological developments like smartphones, geo-location, business ideas such as behavioural tracking and, most recently, the revelations from Edward Snowden about the near universal surveillance systems of the NSA, GCHQ and others. If privacy was in trouble in 1999, the argument that it is at least close to death in 2014 is much stronger.
That brings two questions:
Suspect 1: us!
On the face of it, it might appear as though we ourselves have simply given up on privacy. We’ve killed it ourselves by embracing all the privacy-invasive technology that’s offered to us, by failing even to read privacy policies, by allowing the intelligence services to do whatever they want, with barely a murmur of protest. More than a billion of us have joined Facebook, for example, a service based at least in some ways on giving up on privacy, sharing our most intimate information.
That, however, is not the whole story. In many ways it appears that what we have done has been through a lack of awareness rather than by deliberate decisions. The extent to which people understand how systems like Facebook work is hard to gauge – but the surprise that people show when bad things happen suggests that there isn’t a great deal of awareness. It also appears that people are becoming more aware – and as they become more aware, they’re making more privacy-based decisions, taking control of their privacy settings and so forth.
Further, when we’re given the chance to see how intelligence agencies work, we don’t seem to be happy about it – though less, it has to be acknowledged, in the UK than in many other countries. Even so, when the Communications Data Bill was put under full scrutiny, it was rejected – in part because of the public reaction. Further, studies show that people don’t like behavioural advertising – and dislike it more when they learn more about how it works.
All this suggests that we aren’t really the key to the death of privacy: we’re more like unwitting accomplices.
Suspect 2: the NSA and GCHQ
The revelations of Edward Snowden about the surveillance activities sent shockwaves through the internet. Many people had already believed that the NSA, GCHQ and other agencies performed surveillance on the internet – Snowden’s revelations seemed to prove it, and to suggest that the level of surveillance was greater even than that feared by the more extreme of conspiracy theorists. Not just had they been gathering telephony and internet data and building (in the US) massive data centres, but they’d been accessing the servers of the big commercial internet providers, tapping into undersea cables, intercepting traffic between server sites and undermining encryption systems – and much more. The level of privacy invasion is extreme.
However, until Edward Snowden revealed all of this, the agencies were working largely in secret – and while this still constitutes a major invasion of privacy, the impact on people’s behaviour is much smaller. If we don’t know we’re being watched, our actions aren’t chilled – and our beliefs about privacy are not changed. Moreover, the kind of harms done to people by surveillance by the NSA and GCHQ are indirect, at least for most people. Finally, and most importantly, if it were not for the commercial operators’ surveillance, the NSA and GCHQ would have far less to ‘feed’ on.
All this is not to dismiss the role of the intelligence services or indeed the impact of their surveillance activities – they should be resisted with the utmost vigour – but in terms of the death of privacy, they can be seen more as opportunist accomplices, rather than instigators.
Suspect 3: businesses like Facebook and Google
The role of the commercial operators on the internet, on the other hand, is both deeper and more significant than is often believed, and than the role of governments and government agencies on their own. The commercial entities have contributed to the decline of privacy in three kinds of ways:
All this combines to make the role of the businesses look most significant – if anyone is guilty of killing privacy, it is Facebook and Google rather than the NSA and GCHQ. Moreover, the harms to most people possible from corporate surveillance are both tangible and more likely than harms from the NSA and GCHQ: impacts on things like insurance, credit ratings, employability, relationships and so forth are not just theoretical.
As Bruce Schneier put it:
“The NSA didn’t wake up and say, ‘Let’s just spy on everybody.’ They looked up and said, ‘Wow, corporations are spying on everybody. Let’s get ourselves a copy.’”
And as Timothy Garton Ash said when considering the Stasi:
“…the Minister for State Security observed that the results achieved by his ministry ‘would be unthinkable without the energetic help and support of the citizens of our country’. ‘For once,’ I comment, ‘what the Minister says is true.’”
Where the Stasi needed the citizen informers, the new surveillance programmes need the ISPs and the internet giants – the Googles, Facebooks, Microsofts, Yahoo!s, Apples and so forth. That is what makes their role in the reverse so important.
The resurrection of privacy
In the post-Snowden environment, at least on the surface, businesses have started to take a more ‘pro-privacy’ stance. Whether that is meaningful, or they are just paying lip service to it, has yet to be seen. Their role, however, is crucial.
Reversing the three roles noted above – systematic, cooperative and normative – could produce a positive impact for privacy, effectively being a part of the ‘resurrection’ of privacy:
At the moment it seems unlikely that businesses will do very much of this – but there are a few signs that are positive. Real names policies have been relaxed on Google+, and even Facebook has shown some moves in that direction. All the big companies are doing more to secure their systems – encryption is more common, both in the infrastructure and in user systems. Google does at least seem to be making some attempt to cooperate with the right to be forgotten – though whether these attempts are being done in good faith has yet to be seen.
It will probably take a miracle – resurrections generally do – but miracles do sometimes happen.