Thursday, June 11, 2015

A question of trust: notes on the terror watchdog report

The Terror Watchdog’s Report

The UK government has finally got round to releasing the report of the investigatory powers review by the independent reviewer of terrorism legislation, David Anderson QC and his team. Mr Anderson submitted the report to the Prime Minister on 6 May, just prior to the general election.

As Mr Anderson predicted, the report “won’t please everybody (indeed it may not please anybody)” but it is a substantive piece of work and deserves careful reading and consideration in full. In the press release accompanying the 379 page report he says:

“Modern communications networks can be used by the unscrupulous for purposes ranging from cyber-attack, terrorism and espionage to fraud, kidnap and child sexual exploitation.  A successful response to these threats depends on entrusting public bodies with the powers they need to identify and follow suspects in a borderless online world.

  But trust requires verification.  Each intrusive power must be shown to be necessary, clearly spelled out in law, limited in accordance with international human rights standards and subject to demanding and visible safeguards.

 The current law is fragmented, obscure, under constant challenge and variable in the protections that it affords the innocent.  It is time for a clean slate.  This Report aims to help Parliament achieve a world-class framework for the regulation of these strong and vital powers.”

So far so good. 

The report itself summarises the importance of privacy, threats to the UK, technologies implicated, laws, powers, safeguards and practices and the views from a disparate variety of actors from law enforcement and the intelligence services to service providers and civil society. It closes with a set of 5 governing principles and 124 specific recommendations. It was not limited to counter-terrorism considerations but also included counter-espionage, missing persons investigations, internet enabled crime (fraud, cyber-attacks, child sexual exploitation) and crime in general. 

The purpose of the report is:

a. to inform the public and political debate on these matters, which at its worst can be polarised, intemperate and characterised by technical misunderstandings; and
b. to set out proposals for reform, in the form of five governing principles and 124 specific recommendations. 

I think it’s fair to say it succeeds with both, even if I can’t agree with some of the recommendations.  Mr Anderson has had unrestricted access, at the highest level of security clearance, to the responsible government departments whilst conducting his review.

Key issues arising from the report seem to be:

               The need to start from scratch on a comprehensive and comprehensible, fit-for-purpose legislative framework for investigatory powers – including the retirement of the “incomprehensible to all but a tiny band of initiates” Regulation of Investigatory Powers Act (RIPA) 2000
               Continuation of communications data retention under the Data Retention and Investigatory Powers Act (DRIPA) 2014
               There should be judicial rather than Secretary of State authorisation of communications data warrants – the report itself describes this recommendation as “radical” departure
               The approval of bulk collection of communications data.
               Lack of acceptance of government’s glossy claims for the magic, unimpeachable value of government access to bulk communications data and recommendations for improved oversight of same
               Approval of extraterritorial reach of DRIP Act, for now, until improved international framework for data sharing is in place
               Abolition of existing oversight commissioners and replacement with Independent Intelligence and Surveillance commission
               The power, in Theresa May’s beloved snoopers’ charter, for the retention of internet searches should only apply where “a detailed operational case can be made out and a rigorous assessment has been conducted of the lawfulness, likely effectiveness, intrusiveness and cost”.
               An emphatic rejection of David Cameron & Theresa May’s notion of blanket encryption backdoors for government


Why Theresa and Dave are Glum

Though there is a lot in there, it’s becoming clear why the government delayed publication and both Theresa May and the Prime Minister’s spokeswoman seem to be already distancing themselves from the report.

You can understand why Theresa and Dave might be a bit miffed that Mr Anderson disapproves of blanket encryption backdoors (pointing out the agencies don’t want it and it would undermine security for everyone), has the nerve to suggest judicial rather than Executive oversight of interception warrants might be appropriate, kneecaps the snoopers’ charter and notes some of the claims about the value of communications data in the investigation of nefarious actors might be somewhat overblown.

You would expect them, however, to be positively dancing in the aisles as a result of his apparent support for the continuation of the bulk collection and retention of communications data and the continuation of the extra territorial reach of DRIPA beyond its sunset at the end of 2016.

I have to admit I share Privacy International’s disappointment that Mr Anderson didn't condemn bulk interception. However, whatever cheer the government’s senior Cabinet members derive from the nominal support for bulk collection will be tempered by Mr Anderson’s qualification of this approval by saying   "Though I seek to place the debate in a legal context, it is not part of my role to offer a legal opinion (for example, as to whether the bulk collection of data as practiced by GCHQ is proportionate). A number of such questions are currently before the courts..." [1.12].  

This continual emphasis in the report that he and the government should respect the courts as the requisite arbiters in determining the proportionality of indiscriminate bulk collection, within the framework of the European Convention on Human Rights (ECHR), is interesting. Even as he approves, also, of blanket data retention under DRIPA, he insists that retention would have to comply with the ECHR and the European Court of Justice decision in Digital Rights Ireland case in 2014, which banned indiscriminate data retention.

On the approval of the extra territorial DRIPA powers Mr Anderson is again careful to note:

"I understand those who argue that extraterritorial application sets a bad example to other countries, and who question whether it will ever or could ever be successfully enforced. It is certainly an unsatisfactory substitute for a multilateral arrangement under which partner countries would agree to honour each others’ properly warranted requests, which must surely be the long-term goal.”

So Mr Anderson’s report has turned out to be nothing like the useful excuse for pushing through the snoopers’ charter that the Home Secretary must have hoped it would be.


Why the report might not please anybody

It’s a real pity that, even within the constraints within which he was working, and the reasonable set of 5 principles outlined for underpinning investigatory powers, laid out in Part IV of the report, Mr Anderson did not condemn bulk collection of communications data. I accept it is not part of his role to offer a legal opinion on whether bulk collection is proportionate. 

Yet I find the justification for supporting bulk collection is rather weak and not commensurate with the deeper consideration of the rest of the report. It is linked to a principle of minimising no go areas for law enforcement as far as possible, whether in the physical or the digital world and justified on the grounds of 6 sample cases briefly outlined in Annex 9 of the report. None of these 6 cases provide the detail to demonstrate that bulk collection was the primary source leading to the identification of these criminals in the first instance.  

It is not in dispute that if law enforcement or the intelligence services have just cause to suspect some person/group of involvement in criminal activity, the availability of bulk data which includes the data of the suspect/s, will enable data mining that may be useful in an investigation. Bulk collection facilitates the significant discovery of multiple details about anyone once they become a suspect or a person of interest. Authorities simply do not have the resources to engage deep data mining the lives of everyone even if they have that data available.

Since the turn of the century, time and again from the 9/11 attacks to the murders of Fusilier Rigby and people at the Charlie Hebdo offices in Paris,  information overload caused by bulk data collection has been a primary factor in the failure to prevent terrorist attacks by known dangerous individuals. It is simply not proportionate to engage in bulk data collection in the hope that it will be useful when the authorities decides to look into someone they disapprove of. It actually actively impedes already over stretched investigatory authorities, who would be better served by putting the resources apparently available for such bulk collection, into recruiting more and better trained investigators and analysts.

Mrs May and Mr Cameron would do well to note that the opportunity costs of engaging in the security theatre that is bulk data collection and data retention, undermines security for everyone by making the jobs of those tasked with protecting us more difficult, whilst simultaneously denying them the resources to be more effective.

Update: the airline worker example from Annex 9, according to Joshua Rozenberg is Rajib Karim, who was convicted in 2011 and jailed for 30 years.

No comments: