A sensible way forward on surveillance?
- 11 June 2015
- From the section UK
The debate over privacy and security has become increasingly fractious in recent years but David Anderson has laid out a road map which may offer a way forward.
He does this by suggesting existing laws should be torn up - in other words RIP for Ripa, the Regulation of Investigatory Powers Act.
But the issue ahead will be whether a delicate compromise can be fashioned which will survive in parliament.
In recent years, the police and spies have talked of their fears of going dark - losing the ability to listen in to criminals and terrorists as technology evolves.
Those concerned about privacy have contended that the danger is the other way - the state being able to see and hear too much about all of us, especially as the same technology moves more and more of our lives online.
During the last parliament, proposals to provide more powers in a Communications Data Bill were abandoned after being branded a "snooper's charter".
The Anderson report does not propose any major extension of government surveillance.
Some key elements of the Communications Data Bill are now in law - for instance resolution of IP addresses came in a counter-terror bill and data retention is now in place until current emergency laws end next year.
And Anderson - the independent reviewer of terrorism legislation - says a sufficient case has not been made for the most controversial of the past proposals - that logs of web-browsing activity be kept.
Anderson does argue that while new powers may not be needed, the current powers are necessary in order to pursue not just terrorists, but a range of criminals and ensure that there are not any "no-go" areas for the state to protect citizens.
But to keep these powers, he says that stricter additional safeguards are needed.
The report is critical of the lack of transparency and the current safeguards pointing to gaps in oversight and a lack of public understanding.
The Edward Snowden revelations led to disclosure of the way in which GCHQ carried out bulk interception of data.
The Anderson report is unusual in including an annexe which gives examples of how intercepted communications and GCHQ's use of bulk data have played a role in a number of investigations.
In a recent Intelligence and Security Committee report on the same subject, such examples were redacted.
Anderson argues that bulk collection of data is not mass surveillance, as critics have charged, and is useful in "target discovery" - finding people who may then be made the subject of more intrusive interception powers.
But he argues the bulk collection of material requires "strict additional safeguards" with warrants being signed by a judge and a tighter definition of the purpose and targeting.
There is also a call for much greater transparency of the kinds of powers and capabilities that agencies like GCHQ are using.
This "avowal" of capabilities (although not the specific operations in which they are used) may prove challenging to GCHQ who have historically (until Edward Snowden came along) thrived on ambiguity about their reach.
Judges signing warrants
Much - but perhaps not all - has been exposed already by Edward Snowden but the agencies have still resisted, until recently, openly confirming they carry out actions like computer hacking.
Anderson suggests hacking (or to give it its proper name Computer Network Exploitation) will become far more widespread by the state in order to overcome the spread of encryption technology.
One interesting line is that the police consider it "inevitable" that they will need to carry out hacking themselves.
The most politically tricky aspect of the Anderson proposals is likely to be the shift towards judges and not ministers signing warrants.
Civil liberty and privacy activists have long called for a greater role for the judiciary (and the report notes this is the model followed by Australia, Canada, New Zealand and the US) but both ministers and intelligence agencies may be initially reluctant to weaken the bond in which a politically accountable figure is made personally responsible.
Investigatory powers explained
- Communications data: The information that reveals who was in contact with whom and when, but not the actual content. Agencies already have some of these powers, such as to gather logs of phone calls or emails.
- Intercepted communications: The actual content of the message, such as a secret recording of a phone call or capturing the actual words in an email. Agencies need ministerial authorisation to gather this information.
- New communications data powers: The government wants agencies to be able to gather any type of online communication if they need it to combat serious crime or terrorism.
The prime minister is thought to be more in favour of such radical change than some of the ministers who normally sign the warrants.
The spies may not be keen but also recognise that change needs to come if they want to maintain public confidence and what some call their 'licence to operate'.
Intercept is estimated to be 15%-20% of the total intelligence picture in counter-terrorism investigations, according to Home Office evidence to the report.
However, its relative value is declining as targets become more aware and encryption becomes more widespread.
The report says public authorities should not be shut out from places where they need need access to keep the public safe but there is no proposal in the report for legislating to ensure "back doors" and government access to encryption technology.
Comments by the prime minister before the election were interpreted as suggesting such a move might be on the agenda.
David Anderson says he heard no calls for such powers from the spies.
Information from social media is becoming more important.
According to the report, a snapshot of recent prosecutions for terrorist offices concluded that in 26 recent cases, 23 could not have been pursued without communications data and in 11 the conviction depended on that data.
One of the main reasons for the shift to judicial authorisation, Anderson says, is not just public confidence but the views of Silicon Valley.
In the past, intercepting communications involved asking a UK telephone provider to tap a line but now people often communicate using apps made by companies in the US - this has been especially evident in recent years in cases involving people going to Iraq and Syria or communicating with those out there.
Those companies have not considered themselves subject to UK law (despite Britain's claims they are) and so their co-operation is voluntary.
Anderson argues that they are more likely to co-operate with a warrant if it is signed by a judge and not a minister.
While there are normally nearly 3,000 intercept warrants in a year, there are typically around 500,000 requests for communications data - this covers who might have called whom on a phone or who owns a phone or other aspects of communications but not including the content of what is said or written.
The report says this kind of communications data is vital and used in investigating almost all serious crime.
However, Anderson argues for clearer definitions of what such data consists of and more independence for those who provide the authorisation within organisations.
Overall, Anderson has constructed a careful package of measures which might keep the different sides on board.
However, privacy groups will watch carefully to see how far the law which ends up being proposed is actually based on his report or if some things - like judicial warrant signing - are taken out and other things - like increased capabilities - are put in.
This report has moved the debate forward but it is still not over.