Two important reports were presented to Parliament in March. They represent a landmark in terms of the level of transparency they provide surrounding the activities of the UK intelligence and security agencies. The reports are:
- The latest update (covering the period January to December 2014) of the Interception of Communications Commissioner, which provides an account of his statutory oversight of the interception and communications data activities of the agencies – such as how they exercise their legal powers, the strengths of the controls in place, as well as the nature of the independent oversight provided; and,
- A report by Parliament’s Intelligence and Security Committee (ISC) entitled, ‘Privacy and Security: A modern and transparent legal framework’, setting out the findings of its recent 18-month review of the agencies’ surveillance powers – such as how and to what extent they are used, the legal framework constraining their use, as well as other privacy safeguards that apply.
Despite the reports concluding that the agencies are legally complaint when seeking surveillance authorisation, both reports make recommendations for improvement. The Information Communications Commissioner’s Office (the IOCCO) found that a small percentage of applications in 2014 did not adequately deal with the question of proportionality of means to purpose, providing some examples when powers were used unnecessarily. The ISC report, by comparison, goes as far as recommending a new framework for UK surveillance laws to be debated in the next Parliamentary session, with the aim of making them more comprehensible to the public regarding the way in which communications data interception is authorised under the UK legal system. In particular, the ISC suggests the introduction of a single law to govern access to private communications “based on explicit avowed capabilities, together with the authorisation procedures, privacy constraints, transparency requirements, targeting criteria, sharing arrangements, oversight, and other safeguards that apply to the use of those capabilities”.
A perceived lack of transparency is especially noted as problematic in the ISC report and, for that reason against the public interest, as exemplified by public confusion over the truth of allegations of pervasive – ‘mass’ – online surveillance being carried out. On that issue, the report argues that the targeted and controlled collecting of data in bulk– what it terms “bulk interception” – does not equate to ‘blanket’ or ‘indiscriminate’ surveillance. In particular, arguments are relied upon that the gathered data are filtered by search terms and ‘triage’-processed to determine those of the highest intelligence value. This results in a small amount of the data actually being read by intelligence analysts in practice and, in any event, the report states that the agencies have neither the human resources nor the desire to examine all the information they gather.
Notwithstanding, the ISC report reveals for the first time that the intelligence agencies have the capability to trawl through personal records from which they have created “bulk personal datasets” (BPDs). These are described as “large databases containing personal information about a wide range of people”, which are used to “identify individuals during the course of their investigations, to establish links between Subjects of Interest, and to verify information that they have gathered through other means”. Comparisons have been drawn between BPDs and telephone directories, with potentially millions of records including details about an individual’s religion, racial or ethnic origin, political views, medical condition, sexual orientation, and legally privileged, journalistic or “otherwise confidential” information.
This practice of the intelligence agencies getting hold of such personal data through channels “overt and covert” is mentioned in a heavily censored section of the report and so little further detail is available. However, it is implied that the data has been gathered by means other than interception capabilities using warrants – such as being handed to the agencies after being used first by either business or government agencies for other purposes. Furthermore, the report notes that the rules governing use of BPDs “are not defined in legislation”. In other words, they appear to lie outside the remit of existing regulation, like the Regulation of Investigatory Powers Act 2000 (RIPA), and other statutory oversight in terms of their retention, access, sharing and destruction. This is a worrying set of disclosures.
Moreover, the primary aim of bulk interception methods is said to be the uncovering of threats by finding “patterns and associations in order to generate initial leads”, which could give rise to allegations of ‘fishing expeditions’. Nonetheless, the report states that they cannot be used to target the communications of a UK-located individual without first obtaining “a specific authorisation naming that individual, signed by a secretary of state” (i.e. they can only be used to follow up specific intelligence about a named individual). Significantly, however, shortly after the publication of the ISC report, according to an article in the Guardian, David Cameron released a statement saying that the intelligence services commissioner would be given “statutory powers of oversight of use of bulk personal datasets”.
The ISC report also touches on the topic of communications ‘metadata’ (typically the “what, when, where of communications”), although it rejects use of the term because it is too vague, preferring instead a more nuanced approach. In turn, three types of information that can be collected about an individual from their electronic communications are identified (page 52 of the report).
- Content-Derived Information – This includes all information that the intelligence agencies are able to generate from a communication by analysing or processing the content, such as data that would reveal a person’s habits, preferences or lifestyle choices. It is argued that this should continue to be treated as content in the legislation and unavailable to the intelligence agencies.
- Communications Data – This is restricted to basic information about a communication, such as identifiers (email addresses, telephone numbers, usernames, and IP addresses, dates, times, approximate location, and subscriber information), which is accessible to the intelligence agencies only under certain conditions.
- Communications Data Plus – This is a new categorisation unrecognised in the legislation and argued to include a more detailed class of information distinct from communications data that has the potential to reveal private information about a person’s private life (their habits, preferences or lifestyle choices). Such data – with examples given of web domains visited or location-tracking information in a smartphone – are deemed to be more intrusive than communications data and therefore worthy of attracting greater safeguards regarding its access and use than communications data.
In summary, both reports demonstrate the government’s commitment to more transparency and accountability in UK intelligence operational matters where it is safe to reveal details. Indeed, this aim is considered to be in the public interest, not least to dispel allegations of activities been carried out in a ‘space’ above the law.
While details about new revelations (such as regarding BPDs) are sparse, these inevitably throw out more questions – see e.g. this interesting comment by Dr Eerke Boiten from the University of Kent – and, in turn, are likely to result in a more critical eye being cast in the future publicly upon the legitimacy of broad-brush arguments to sanctions investigations that intrude significantly upon individuals’ private communications. Behind closed doors, moreover, it is easy to imagine difficult questions being asked now of the agencies in relation to the scope of BPDs and their retention, taking into account the implications of the ‘Digital Rights Ireland’ judgement of the Court of Justice of the EU given last year.