A long-awaited independent review of U.K. government surveillance capabilities, conducted by QC David Anderson and published today, has recommended that interception warrants should be signed off by the judiciary, rather than government ministers.
And while the review generally supports U.K. intelligence agencies having bulk interception and data retention (aka mass surveillance) capabilities — which stands in contrast to the U.S. Senate’s recent rowing back on this front in the USA Freedom Act — Anderson stresses these powers should be “subject to strict additional safeguards”, such as having judges sign off interception warrants.
The review recommends a new body, called the Independent Surveillance and Intelligence Commission (ISIC), be set up to judicially authorize all interception warrants.
Other safeguards recommended in the report are tighter definitions of the purposes for which data is sought — with Anderson specifying it should be “defined by operations or mission purposes” (as opposed to fishing expeditions); and the introduction of a new form of “bulk warrant” to limit the acquisition of data captured via mass surveillance to comms metadata.
The 300+-page report also calls for a new legislative framework to cover investigatory powers — mirroring calls earlier this year from the U.K. parliament’s Intelligence and Security Committee, which also recommended there be a new single act of parliament to govern domestic spy agencies.
“A comprehensive and comprehensible new law should be drafted from scratch, replacing the multitude of current powers and providing for clear limits and safeguards on any intrusive power that it may be necessary for public authorities to use,” says Anderson’s report.
“The opportunity now exists to take a system characterised by confusion, suspicion
and incessant legal challenge, and transform it into a world-class framework for the
regulation of strong and vital powers. I hope that opportunity will be taken,” it adds.
Last month the UK government confirmed a new Investigatory Powers Bill will be put forward in the current parliament, which will include provisions to “modernize” the law in this area. How exactly that will be done is unclear at this point; a draft version of the bill has not yet been published — likely because the government was waiting for Anderson’s review to be delivered. So it remains to be seen which of his recommendations filter into the forthcoming legislation. But ripping up RIPA and starting again is clear consensus.
For the review Anderson was asked to consider various issues associated with surveillance — including national security threats, current and future, plus the capabilities required to combat them; safeguards to protect privacy; challenges posed by changing technologies; issues relating to transparency and oversight; and the effectiveness of existing legislation — including its proportionality — and the case for new or amending legislation. On the latter point his recommendations are unequivocal that a clean slate is indeed required.
He sets out his five principles on which the report is based as:
- Minimise no-go areas
- Limited powers
- Rights compliance
- Unified approach
Snoopers’ charter needs justifying
Last year the U.K. government failed in an attempt to introduce more expansive surveillance powers — such as logging websites visited and retaining the contents of messages sent via social media services (the so-called Snoopers’ Charter, aka the Communications Data Bill). But it’s lining up for another expansion attempt in the forthcoming Investigatory Powers Bill — arguing this is necessary to plug what it dubs “capability gaps” in domestic intelligence gathering.
Anderson’s report specifically addresses the proposed measures set out in the Communications Data Bill. And while he’s supportive of IP matching, which has been brought in via another piece of legislation (the Counter Terrorism and Security Act 2015), he expresses strong reservations about the other powers the government was keen to push through (retaining browsing logs and third party comms data) — even if, in keeping with his principle of ‘minimizing no-go areas’, he does not explicitly reject further expansion of surveillance capabilities.
Anderson writes (emphasis mine):
The compulsory retention of records of user interaction with the internet (web logs or similar) would be useful for attributing communications to individual devices, identifying use of communications sites and gathering intelligence or evidence on web browsing activity. But if any proposal is to be brought forward, a detailed operational case needs to be made out, and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained.
There should be no question of progressing proposals for the compulsory retention of third party data before a compelling operational case for it has been made out (as it has not been to date) and the legal and technical issues have been fully bottomed out.
Elsewhere, in a section on transparency, he also urges greater openness in the operations of covert powers:
Whilst the operation of covert powers is and must remain secret, public authorities, ISIC and the IPT [Investigatory Powers Tribunal; the court overseeing domestic intelligence agencies] should all be as open as possible in their work. Intrusive capabilities should be avowed. Public authorities should consider how they can better inform Parliament and the public about why they need their powers, how they interpret those powers, the broad way in which those powers are used and why additional capabilities may be required.
Commenting on the report in a statement, Anderson added: “Modern communications networks can be used by the unscrupulous for purposes ranging from cyber-attack, terrorism and espionage to fraud, kidnap and child sexual exploitation. A successful response to these threats depends on entrusting public bodies with the powers they need to identify and follow suspects in a borderless online world. But trust requires verification.Each intrusive power must be shown to be necessary, clearly spelled out in law, limited in accordance with international human rights standards and subject to demanding and visible safeguards.
“The current law is fragmented, obscure, under constant challenge and variable in the protections that it affords the innocent. It is time for a clean slate. This Report aims to help Parliament achieve a world-class framework for the regulation of these strong and vital powers.”
Responding to the report, civil liberties organization Liberty welcomed Anderson’s call to fundamentally overhaul surveillance legislation. It also supports his call for judicial review of interception warrants.
However the organization expressed disappointment that the review supports the continued practice of mass surveillance — noting this position goes against the grain within the wider European context. It is currently helping to bring a legal challenge against the U.K. government for sanctioning mass surveillance.
The report offers six Agency case studies in an attempt at justifying mass interception. However, with the vague and limited information provided, it is impossible to assess whether the security outcomes could have been achieved by using the wealth of targeted and operation-led intrusive surveillance powers at the Agencies’ disposal.
While Liberty does not dispute the use and value of intrusive surveillance powers per se, we believe that the mass speculative interception of communications and data retention are unlawful, unnecessary and disproportionate. Liberty is currently challenging the lawfulness of mass interception in the European Court of Human Rights, and is representing MPs Tom Watson and David Davis in their legal challenge to DRIPA.
Anderson’s report can be read in full here.