Cyberleagle: The Coming UK Surveillance Debate: Extraterritoriality, Transparency and Data sharing

One of a series of posts on the forthcoming Investigatory Powers Bill

Next: Communications Data Retention, Part 1

Extraterritoriality. DRIPA (the Data Retention and Investigatory Powers Act), enacted in July 2014 gave various kinds of extraterritorial effect to RIPA’s interception and communications data acquisition provisions. The Home Office insisted that the amendments clarified RIPA in order to achieve what had always been intended.

Extraterritoriality is controversial and carries the risk of creating clashes between laws of different countries. Not surprisingly, given the speed at which DRIPA was rushed through Parliament, there are oddities and anomalies. Two concern extraterritoriality:

(a) DRIPA provides that in assessing reasonable practicability of assisting with an interception warrant regard is to be had to restrictions and requirements under the law of a non-UK country in which interception steps are to be taken. This applies only to non-UK providers. Yet a UK provider may have facilities outside the UK on which following DRIPA it may be required to perform interception.

(b) There is no equivalent provision for compliance with a communications data acquisition notice.

The government has published a summary of the work done so far by Sir Nigel Sheinwald, who in September 2014 was appointed a Special Envoy for intelligence and law enforcement data sharing.

The recommendations of the three Reviews are:

ISC	No recommendation
Anderson	As suggested by the Venice Commission, the long-term resolution of this issue may require new international standards for privacy (5.39) Pending a satisfactory long-term solution to the problem, extraterritorial application should continue to be asserted in relation to warrants and authorisations, and consideration should be given to extraterritorial enforcement in appropriate cases. (Recommendation 25)
RUSI	No recommendation

Transparency Transparency goes to the clarity and intelligibility of the published legislation and to the problem of secret law. If the rules under which the agencies are operating are not sufficiently public, then the regime may fail the human rights legality test that law should be accessible and its application reasonably foreseeable.

Broad discretionary powers are vulnerable to challenge on legality grounds. As the ISC observed:

“…the lack of clarity in the existing laws, and the lack of transparent policies beneath them, has not only fuelled suspicion and allegations but has also meant that the Agencies could be open to challenge for failing to meet their human rights obligations due to a lack of ‘foreseeability’. The adequacy of the legal framework and the greater need for transparency have been at the forefront of this Inquiry throughout.” (xvii)

Anderson emphasises the importance from a trust perspective, of avowing intrusive capabilities:

“Whilst the operation of covert powers is and must remain secret, public authorities, ISIC and the IPT should all be as open as possible in their work. Intrusive capabilities should be avowed. Public authorities should consider how they can better inform Parliament and the public about why they need their powers, how they interpret those powers, the broad way in which those powers are used and why additional capabilities may be required.”

The ISC made a similar point in their earlier report (see Recommendation BBB below).

Several capabilities have come to light only since Snowden. Anderson mentions thematic warrants and their underlying interpretation of RIPA Section 8(1) disclosed for the first time in the ISC report in March 2015; use of bulk personal datasets disclosed for the first time in the same report; and Computer Network Exploitation (CNE, or hacking in common parlance). That was disclosed in a Code of Practice in February 2015 as the consequence of legal challenges to the activities disclosed by Snowden.

An issue that may arise is whether oversight should consist not just of retrospective audit, but should include a more proactive transparency function – for instance publishing interpretations of statutes on the basis of which the agencies are operating. The controversial Home Office interpretation of external communications would never have seen the light of the day but for the post-Snowden challenge to bulk interception in the Investigatory Powers Tribunal. If law enforcement and the agencies are operating on the basis of particular interpretations it is arguable that those form part of the law being applied and should, if the human rights test of legality is to be satisfied, be made public.

The recommendations of the reviews do not go as far as, for instance, requiring the appropriate oversight body proactively to ascertain and publish any relevant statutory interpretations on the basis of which law enforcement and the agencies are operating.

The recommendations of the three Reviews are:

ISC	The Intelligence Services Act 1994 and the Security Service Act 1989 provide the legal basis for the Agencies’ activities, and broad general powers to act in accordance with their statutory functions and purposes. We have concerns about the lack of transparency surrounding these general powers, which could be misconstrued as providing the Agencies with a ‘blank cheque’ to carry out whatever activities they deem necessary. We therefore recommend that the Agencies’ powers are set out clearly and unambiguously. (Recommendation MM) Section 7 of the Intelligence Services Act 1994 allows for a Secretary of State to sign an authorisation which removes civil and criminal liability for activity undertaken outside the British Islands which may otherwise be unlawful under UK law. … consideration should … be given to greater transparency around the number and nature of Section 7 Authorisations. (Recommendation OO) The Intelligence Services Act 1994 and the Security Service Act 1989 provide the legal authority for the acquisition and use of Bulk Personal Datasets. However, this is implicit rather than explicit. In the interests of transparency, we consider that this capability should be clearly acknowledged and put on a specific statutory footing. (Recommendation X) Given the nature of current threats to the UK, the use of Directions under [Section 94 of] the Telecommunications Act [1984] is a legitimate capability for the Agencies. However, the current arrangements in the Telecommunications Act 1984 lack clarity and transparency, and must be reformed. This capability must be clearly set out in law, including the safeguards governing its use and statutory oversight arrangements. (Recommendation VV) The first step is to consolidate the relevant legislation and avow all of the Agencies’ intrusive capabilities. This will, in itself, be a significant step towards greater transparency. … We recognise that much of the detail regarding the Agencies’ capabilities must be kept secret. There is, however, a great deal that can be discussed publicly and we believe that the time has come for much greater openness and transparency regarding the Agencies’ work. (Recommendation BBB)
Anderson	The new law should be written so far as possible in non-technical language. It should be structured and expressed so as to enable its essentials to be understood by intelligent readers across the world. It should cover all essential features, leaving details of implementation and technical application to codes of practice to be laid before Parliament and to guidance which should be unpublished only to the extent necessary for reasons of national security. (Recommendations 3-5) The general power under TA 1984 s94, so far as it relates to matters covered by this Review, should be brought into the new law and/or made subject to equivalent conditions to those recommended here. The same should apply to equipment interference (or CNE) pursuant to ISA 1994 ss5 and 7, so far as conducted for the purpose of obtaining electronic communications; interception pursuant to the Wireless Telegraphy Act 2006 ss48-49; and the acquisition and use of bulk personal data. (Recommendation 6) Existing and future intrusive capabilities within the scope of this Review that are used or that it is proposed be used should be: (a) promptly avowed to the Secretary of State and to ISIC; (b) publicly avowed by the Secretary of State at the earliest opportunity consistent with the demands of national security; and, in any event, (c) used only if provided for in statute and/or a Code of Practice in a manner that is sufficiently accessible and foreseeable to give an adequate indication of the circumstances in which, and the conditions on which, communications may be accessed by public authorities. (Recommendation 9)
RUSI	A clear and transparent new legal framework and a more coherent, visible and effective oversight regime should be the basis for a public discussion about the appropriate and constrained power the British state should have to intrude into the lives of its citizens. This would be the essence of a new deal between citizen and government. (5.30) Transparency: How the law applies to the citizen must be evident if the rule of law is to be upheld. Anything that does not need to be secret should be transparent to the public; not just comprehensible to dedicated specialists but clearly stated in ways that any interested citizen understands. (Test 8) Legislative clarity: Relevant legislation is not likely to be simple but it must be clearly explained in Codes of Practice that have Parliamentary approval, are kept up-to-date and are accessible to citizens, the private sector, foreign governments and practitioners alike. (Test 9)

Data sharing RIPA is silent on soliciting and receiving intercept product from foreign agencies, such as from the US PRISM programme. The IPT in December 2014 held that receipt of PRISM data was lawful in the future, on the basis that some internal rules disclosed by the government during the proceedings now provide a publicly available legal basis for the activity. The government may think it prudent for rules to be incorporated in future legislation.

The recommendations of the three Reviews are:

ISC	Future legislation should clearly require the Agencies to have an interception warrant in place before seeking communications from a foreign partner. (Recommendation SS) The safeguards that apply to the exchange of raw intercept material with international partners do not necessarily apply to other intelligence exchanges, such as analysed intelligence reports. While the ‘gateway’ provisions of the Intelligence Services Act and the Security Service Act do allow for this, we consider that future legislation must define this more explicitly (Recommendation TT)
Anderson	The new law should define as clearly as possible the powers and safeguards governing: (a) the receipt of intercepted material and communications data from international partners; and (b) the sharing of intercepted material and communications data with international partners; (Recommendation 8) Any transfer of intercepted material or communications data to third countries should be on the basis of clearly-defined safeguards, published save insofar as is necessary for the purposes of national security and monitored by ISIC. The same should apply to receipt, with the addition of a warrant governing any intercepted material that is sought. The new law should make it clear that neither receipt nor transfer should ever be permitted or practised for the purpose of circumventing safeguards on the use of such material in the UK. (Recommendations 76 to 79)
RUSI	Currently, there is insufficient clarity over the powers and safeguards governing the exchange of data and intelligence between international partners. (5.75)