A Reflection on the Investigatory Powers Bill

The Investigatory Powers (IP) Bill will mark a new phase in placing secret activity of the State in the internet age, argues David Omand.

Looking back, we can see 2013 and 2014 were years of digital revelation. The exposure of the material leaked by the contractor Edward Snowden from the US National Security Agency and Britain’s GCHQ woke the public up to the potential of advanced internet technology to allow communications to be intercepted from mobile devices, and networks, and data, in ways not possible before the digital revolution.

The accusations of mass surveillance against NSA and GCHQ generated a form of European moral panic, with a string of legal cases launched by campaigners alleging privacy rights breaches. At the same time, public concerns grew over the privacy implications of the business model of the internet itself, with social media services provided free at the point of use, but paid for by the monetisation of personal data of customers, harvested in increasing quantities by internet companies for marketing purposes.

One consequence of these concerns over the potential for both state and private sector surveillance was the failure of the then-Coalition Government’s plans for legislation on communications data (the ‘Snoopers’ Charter’ – a pejorative nickname by the privacy campaigners that doomed the Bill from the outset). Minimal legislation on the subject was passed in the Data Retention and Investigatory Powers Act 2014, but with a 2016 sunset clause added, and only on the understanding that there would be separate independent reviews of surveillance and privacy.

In contrast, 2015 was a year of threat recognition. The three independent reviews – by the Parliamentary Intelligence and Security Committee; by David Anderson QC, the reviewer of counter-terrorism legislation; and by a broad-based independent panel under the auspices of the think-tank RUSI – confirmed the need for the authorities to have substantial intelligence gathering powers. The independent Investigatory Powers Tribunal ruled that the current exercise of those powers was being conducted in ways that did not breach the privacy provisions of the Human Rights Act.

A common theme, however, arising out of these court cases and the reports of the independent inquiries, has been the need under the rule of law for much greater clarity about the circumstances in which the authorities can legally intrude upon the privacy of the individual.

Tragic events during the year also helped swing public opinion back on the legitimate need to gather digital intelligence on those who mean us harm: the dictators, terrorists, child abusers, cyber criminals, human traffickers, proliferators and narcotics and other serious organised criminal gangs whose activities during the year forced their way onto the news bulletins and front pages.

2015 had opened with the terrorist attack on the Paris offices of Charlie Hebdo and a kosher supermarket, lighting a flame of popular solidarity and support for intelligence-led action to contain the threat from jihadist terrorists. In the summer of 2015, we saw 38 people savagely murdered, including 30 British tourists, on a Tunisian beach at Sousse. And worse was to come in November, with the massacre of 130 people at the Bataclan concert hall and in cafes and restaurants in Paris.

We then learned that it was actions by the British security and intelligence authorities that had stopped seven further attacks from happening in the UK over the previous 12 months, further reinforcing the case for intelligence to counter terrorism. Communications data in particular – the ‘who called whom, when, where and how’ of digital communications – was seen to have played a significant role in every Security Service counter-terrorism operation, and used as evidence in 95 per cent of all serious organised crime cases handled by the Crown Prosecution Service.

Nor was terrorism the only external threat to be highlighted last year. 2015 was also remarkable as a year that exposed the risks to the public from cyber attacks, with one major attack after another giving criminals access to the personal information of millions of internet customers, and allowing large scale fraud against banks, institutions and individuals. Against a backdrop of a growing migration crisis, human trafficking gangs and the increasing threat of Islamic extremism, the year ended with Parliament authorising the use of the RAF against ISIL targets in Syria and Iraq, including those directly inspiring terrorist attacks in the UK.

Less publicised has been the part that digital intelligence now plays in countering cyber attacks. It was not by coincidence that the Chancellor of the Exchequer in November chose the ‘doughnut’, the headquarters of GCHQ in Cheltenham, to restate the importance for our economic future of retaining confidence in the effective functioning of the internet as a safe, open and secure medium for business and social interactions of all kinds.

British business now earns £1 in every £5 from the Internet and, according to the G20, the UK is the most cyber-dependent economy in its membership. The technical experts in GCHQ and their private sector and academic partners need to find new technical solutions for detecting, classifying and attributing attacks, improving shared warning and alert systems, ways of protecting networks and sensitive data and ways of expelling attackers who penetrate networks. Digital intelligence is an essential tool to help detect, classify and attribute, and then disrupt, cyber attacks – including those derived from having so-called bulk access to the internet.

The case for digital intelligence therefore continues to strengthen. The Conservative Government elected in 2015 was able to build on the findings of the independent inquiries into privacy and surveillance and publish for pre-legislative scrutiny a comprehensive Investigatory Powers (IP) Bill to regulate all forms of digital intelligence, with greatly enhanced safeguards and improved oversight. The intention is for the Bill to pass into law in 2016.

The significance of the IP Bill is that it is intended to enable both the lawful collection of digital intelligence and evidence and to do so in ways that respect and protect our rights. Any civilised state needs to have public safety and security as the first duty of Government, whether from natural hazards such as the recent flooding or from malign groups acting against our interests. At the same time, it is the duty of Government to exercise these responsibilities in accordance with the rule of law, including the legal obligation to uphold our human rights. There should be no contradiction here, not least because the right to life and to the enjoyment of property sit alongside rights to a private and family life, and a right to freedom of expression.

If 2013 and 2014 saw the revelation of the capability of the digital revolution to supply intelligence on the individual, and if 2015 saw the recognition of the legitimacy of the demand for such intelligence, then 2016 has to be the year in which the powerful digital surveillance and intelligence gathering capabilities of the state’s digital tools are placed fully under the rule of law.

When, on the back of the Snowden leaks, sections of the media accused intelligence agencies of flouting the law, Ministers had a ready and correct response that there was proper legal cover in domestic law for the activities of the UK intelligence services and law enforcement, which engaged the privacy rights of individuals. Yes, confirmed the Investigatory Powers Tribunal, GCHQ’s processes are in compliance with UK law, including the Human Rights Act.

And yet, it is also true that, under the rule of law, the nature of the rules must be clear, and Government had over preceding years been at fault in neither anticipating nor addressing the implications that rapid advances in digital technology would hold for the lawful gathering of intelligence.

The IP Bill provides the opportunity for a single clear source of legal authority, with the appropriate safeguards, for all forms of modern digital intelligence: interception of communications, access to communications data, equipment interference (largely computer network exploitation and software attacks on the devices used by the targets of interception) and for the acquisition and use of bulk personal databases by the intelligence agencies.

We should remember that for most of the last 500 years, secret intelligence activity relied on the Royal Prerogative to justify whatever was necessary to protect the state. Although Parliament just after the Civil War began the tradition of passing an annual Secret Vote, acknowledging the need to fund the state’s covert activity, it left it unregulated by law. Following the creation of the three British secret agencies in the early part of the last century, elected Ministers gradually imposed executive controls over intrusive techniques, but it was not until the 1980s that telephone interception was regulated by law following adverse judgements from the European Human Rights Court.

As the digital revolution has opened up new intelligence opportunities, Ministers have quietly authorised activities such as computer network exploitation, applying a variety of little-understood legal powers. The result may have been formal legal compliance, but with a failure to explain to the public how the law was being applied, which is essential to comply with the spirit of the rule of law.

It is a significant step for Government to have now accepted the need to go afresh to Parliament for clear and unambiguous endorsement, after extensive consultation and democratic debate, of all the digital intelligence powers to be available to the authorities. And to have legislated for the purposes for which they may be used, and how authorised, regulated and restricted and overseen so as to be compliant with the Human Rights Act, and thus our obligations under the European Convention on Human Rights and the Charter of Rights of the European Union. 2016 should be a historic year for consolidating democratic control over covert state activity.

The one additional power sought in the IP Bill is access to Internet Connection Records (ICR), the equivalent for machine-to-machine connections of itemised phone records. The logical case for allowing ICR is strong, given the way that Internet voice and video calls, internet chat rooms, and some apps have taken over from traditional mobile phone calls, not least since the cost of even long international internet sessions is included in the flat rate broadband subscription. But expect the scrutiny in Parliament of the practicability and enforceability of the detailed provisions to be intense.

An important additional safeguard for privacy rights is also in the Bill, changing the process for authorising the most intrusive investigative powers. The Bill proposes in future a ‘double lock’ on warrant applications for the most intrusive capabilities. Currently, the Secretary of State will sign the warrant, but a Judicial Commissioner (a senior judge) will then review the Secretary of State’s decision by applying Judicial Review principles to check that it is lawful, including whether it is necessary and proportionate to undertake the action that the warrant describes. The ‘double lock’ adds an important additional safeguard (provided of course that the resources are available to make it work effectively) and thus should provide added public confidence without diminishing the statutory responsibility of the Minister.

There is very much more detail in the IP Bill than that, of course, all of which goes to improve the transparency of the regime and the robustness of the challenges inherent in it. The digital intelligence capabilities covered by the Bill are powerful and do undeniably engage fundamental rights to privacy and free expression on the internet and will need the careful regulation set out in the Bill.

Ultimately, this important piece of legislation will mark a new phase in placing secret activity of the State in the internet age, so necessary for the safety and security of the public, firmly under the rule of law. It will also help demonstrate how a democracy can provide for both security and privacy in a troubled world, and offer a potential Gold Standard for the application of the rule of law to essential intelligence activity that other nations, not least in Europe, might do well to follow. The stakes could not be higher.

A nagging question nevertheless hangs unanswered: can intelligence agencies thus run under the rule of law, fully regulated and overseen in accordance with the IP Bill, actually still deliver the pre-emptive intelligence needed to keep us safe? Past generations of intelligence officers might have doubted it. Today’s professionals will give it their best shot, I am sure. For all our sakes we must hope they succeed.