Tuesday, February 10, 2015

Liberty, PI, Amnesty v Foreign Secretary at IPT

I had a quick go yesterday at explaining the Investigatory Powers Tribunal (IPT) ruling, in Liberty & Ors v The Secretary of State for Foreign and Commonwealth Affairs & Others (Case No: IPT/13/77/H).

When government, for an indeterminate number of years prior to 5th December 2014 has said,
“All of the work of the intelligence and security services is carried out in accordance within a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate ...”
they were being economical with the truth. They were, during that period, in fact flagrantly undermining the rights to privacy and freedom of expression under articles 8 and 10 respectively of the European Convention on Human Rights (ECHR).

The government can, according to the IPT however, make that claim now because we are told there is a legal and policy framework. We are not just entrusted with the privilege of knowing what those legal and policy framework rules are.
Secret laws and policies.

For secret government mass surveillance activities.

Approved by a secretive tribunal historically predisposed towards approving of government secrecy, with the sole limited exception being this Liberty & Ors case.
The most recent IPT ruling takes great pains, from the start, to emphasise that they ruled, in December 2014, that the UK security services intelligence sharing with the NSA, in connection with the Prism and Upstream, is lawful.
"Save in one possible (and to date hypothetical) respect"
The limited and hypothetical exception is laid out in paragraph 53 of their 5 December judgement.
"53. The one matter of concern is this. Although it is the case that any request for, or receipt of, intercept or communications data pursuant to Prism and/or Upstream is ordinarily subject to the same safeguards as in a case where intercept or communication data are obtained directly by the Respondents, if there were a 1(b) request, albeit that such request must go to the Secretary of State, and that any material so obtained must be dealt with pursuant to RIPA, there is the possibility that the s.16 protection might not apply. As already indicated, no 1(b) request has in fact ever occurred, and there has thus been no problem hitherto. We are however satisfied that there ought to be introduced a procedure whereby any such request, if it be made, when referred to the Secretary of State, must address the issue of s.16(3)"
But the exception was hypothetical, had not happened and they were therefore "satisfied as to the lawfulness" of the intelligence services' activities relating to Prism and Upstream. From the 6 February decision:
"10. By our Order of 5 December 2014 we made declarations that the Prism and/or Upstream arrangements (subject to the exception referred to in paragraphs 7 and 8 above) did not contravene Articles 8 or 10 ECHR, and further that the RIPA regime in respect of ss. 8(4), 15 and 16 of RIPA similarly did not contravene Articles 8 or 10 ECHR.
By paragraph 4 of the Order, we directed that the parties serve written submissions according to an agreed timetable, and with a view to the two outstanding issues being resolved by the Tribunal, by agreement of the parties, without a further hearing:

“4. i) Whether by virtue of the fact that any of the matters now disclosed in the judgment of 5 December 2014 were not previously disclosed, there had prior thereto been a contravention of Articles 8 or 10 ECHR. (“The First Issue”).
ii) Whether by virtue of the facts and matters set out in paragraph 53 of the judgment of 5 December 2014, there is a contravention of Articles 8 or 10 ECHR.” (“The Second Issue”). "
We'll get to the IPT's specific answers to these questions presently but (spoiler alert) they basically conclude i) keeping the existence of the rules secret was illegal but isn't anymore since we now know the rules exist (it's slightly more subtle than that, in that there is a the question of "adequate signposting" to the rules) and ii) don't worry about it, the government promise to behave.

Perhaps surprisingly, (though I expect the legal representatives advised of the serious possibility of a limited win on the secret rules grounds and decided to focus exclusively on that), Liberty and co chose not to challenge the RIPA regime at this particular stage. So the IPT take the open goal opportunity to pat GCHQ and co on the back,
"12. ... As requested by the Respondents, therefore, the Tribunal can make it clear, for the avoidance of doubt, that the declaration it made on 5 December 2014 in relation to the RIPA regime was that it is in accordance with the law/prescribed by law and was so prior to the Tribunal’s Judgment of 5 December 2014."
They next tackle the question of whether the absence of government acknowledgment of secret rules governing mass surveillance was illegal.
"15. We set out the requirements of Article 8 in paragraph 37 of the December Judgment:
“37. The relevant principles appear to us to be that in order for interference with Article 8 to be in accordance with the law:
(i) there must not be an unfettered discretion for executive action. There must be controls on the arbitrariness of that action.
(ii) the nature of the rules must be clear and the ambit of them must be in the public domain so far as possible, an “adequate indication” given (Malone v UK [1985] 7 EHRR 14 at paragraph 67), so that the existence of interference with privacy may in general terms be foreseeable."
So there must be rules reigning in "unfettered... executive action" i.e. theoretically the government is subject to some controls. The rules don't have to be public but the public must know enough to be able to deduce that our privacy may be undermined.
"16. We continued:
“41. We consider that what is required is a sufficient signposting of the rules or arrangements insofar as they are not disclosed. . . It is in our judgment sufficient that:
(i) Appropriate rules or arrangements exist and are publicly known and confirmed to exist, with their content sufficiently signposted, such as to give an adequate indication of it (as per Malone: see paragraph 37(ii) above).
(ii) They are subject to proper oversight.”
I'll leave you to decide on the difference, if any, between "the nature of the rules must be clear..." etc and " what is required is a sufficient signposting of the rules or arrangements insofar as they are not disclosed" etc.

Bottom line?

Secret rules governing mass surveillance are ok as long as the public know there are rules, even if they are not allowed to know what the rules are and as long as the rules "are subject to proper oversight".

The IPT did get a confidential look at the "arrangement below the waterline" i.e. secret rules, in secret and:
"17. We set out our conclusions, so far as relevant to this question, in paragraph 55:
“55. After careful consideration, the Tribunal reaches the following conclusions:
(i) Having considered the arrangements below the waterline, as described in this judgment, we are satisfied that there are adequate arrangements in place for the purpose of ensuring compliance with the statutory framework and with Articles 8 and 10 of the Convention, so far as the receipt of intercept from Prism and/or Upstream is concerned.
(ii)This is of course of itself not sufficient, because the arrangements must be sufficiently accessible to the public. We are satisfied that they are sufficiently signposted by virtue of the statutory framework to which we have referred and the Statements of the ISC and the [Interception of Communications] Commissioner quoted above, and as now, after the two closed hearings that we have held, publicly disclosed by the Respondents and recorded in this judgment.”
In other words - trust us, there is "adequate" secret oversight of mass surveillance ensuring it complies with human rights.

But don't worry, we've got your back. Not only can we confirm the the existence of adequate secret controls but we realise the fact of the existence of these secret rules must be in the public domain. And hey presto! By way of our wondrous work in getting this information disclosed to the public - i.e. that secret rules exist - the public know that secret rules exist. High fives and self congratulatory kudos all round.

But wait.

Liberty's QC, Matthew Ryder, pointed out that it was only because this case was pursued that the government were forced into releasing the information that secret rules existed that, in turn, satisfied the IPT that the public now know that secret rules exist.

The IPT response?
"19. ... We agree."
Not much to add to that.

Paragraph 20. of the judgement is fun but really for the lawyers. Rough translation:
The government say: leave us alone, there was enough information to deduce that rules existed.

Privacy International barristers, Dan Squires and Ben Jaffey say: maybe but there was not enough information about the nature and ambit of the rules (in the language of the Padfield decision noted in para 15) or sufficient signposting to the content of the rules to give an adequate indication (Padfield & IPT from para 15 & 16) of the ballpark they might reside in.
I won't quote the IPT in paragraph 20 agreeing with Privacy International but the IPT agreed with Privacy International.

We finally reach the heart of the decision so loudly proclaimed as historic by Liberty, Privacy International, Amnesty and The Guardian.
"21. ... We are however satisfied ... that, without the disclosures made, there would not have been adequate signposting, as we have found was required and has now, as a result of our Judgment, been given.
22. Although the first requirement of Article 8, set out in paragraph 37(i) of the December Judgment and in paragraph 15 above, is satisfied, the second requirement, as set out in paragraph 37(ii) of the December Judgment, was only satisfied by the Disclosures being made public in our Judgment.
23. We would accordingly make a declaration that prior to the disclosures made and referred to in the Tribunal’s Judgment of 5 December 2014, the regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities pursuant to Prism and/or (on the Claimants’ case) Upstream, contravened Articles 8 or 10 ECHR, but now complies."
So,
There are secret rules controlling government action in this area.

There would not have been "adequate signposting" to the secret rules governing Prism & Upsteam intelligence sharing, without the disclosures the government made in this case.

Prior to these disclosures the government were in breach of  Articles 8 or 10 of the European Convention on Human Rights (ECHR), protecting privacy and freedom of expression; as there was inadequate signposting to the secret rules.

The Prism & Upstream intelligence sharing regime, by virtue of government disclosures, as a result of this case, of adequate signposting to the secret rules, now comply with Articles 8 or 10 of the ECHR.
Having shot the government metaphorically in the foot then bandaged the wound so it was no longer noticeable, the IPT move thence to the" hypothetical" Regulation of Investigatory Powers (RIPA) loophole. "Hypothetical" because they are assured by the government that the issue has never arisen.

The RIPA issue in the case is more complicated than the question of the existence of secret rules, so  in deference to the patience and stamina of readers who have got this far, I'm going to take a relatively short run at it. It is addressed in paragraphs 24 to 31 of the decision. Let's skip the hypotheticals on the 1(b) request and the dancing in and out of sections 5, 8, 15 and 16 of RIPA and get to the government promise outlined in paragraph 30.
"30. The Respondents have now given the further Disclosure, as contained in paragraphs 19 and 20 of their submissions:
“19. For the avoidance of doubt, the concern identified by the Tribunal would not arise in the first place if a request were made pursuant to paragraph 1(b) of the Disclosure for material to, from or about specific selectors (relating therefore to a specific individual or individuals). In such a situation, the request would be a “targeted” one and the Secretary of State would therefore have approved it for the specific individual(s) in question. In that case, the proper parallel would be with a warrant under s.8(1) of RIPA, not s.8(4). Thus, the safeguards under s.16 of RIPA would not be at issue even by analogy because s.16 of RIPA only applies to the examination stage following interception under s.8(4) warrants (i.e. “untargeted” interception).
20. In those circumstances, the remaining concern is in relation to such untargeted interception. The Respondents can confirm that, in the event that a request falling within paragraph 1(b) of the Disclosure were to be made and approved by the Secretary of State other than in relation to specific selectors (i.e. “untargeted”), the Intelligence Services would not examine any communications so obtained according to any factors as are mentioned in section 16(2)(a) and (b) of RIPA unless the Secretary of State personally considered and approved the examination of those communications by reference to such factors.” "
This requires careful and repeated reading but purports to be an assurance from the government to close this one lacuna, in a veritable colander of RIPA loopholes. The assurance attempts to give the impression that the Secretary of State must sign off on surveillance targeted at specific individuals.

In other words the government promise to behave... honestly... on this specific RIPA pathway.

Secretary of State approval is now supposed to apply both:
to targeted interception of communications
and to targeted data mining of the giant data silos collected through untargeted interception.
I'm not sure I derive a great deal of comfort from that.

On the latter, just to repeat;
"The Respondents can confirm that, in the event that a request falling within paragraph 1(b) of the Disclosure were to be made and approved by the Secretary of State other than in relation to specific selectors (i.e. “untargeted”), the Intelligence Services would not examine any communications so obtained according to any factors as are mentioned in section 16(2)(a) and (b) of RIPA unless the Secretary of State personally considered and approved the examination of those communications by reference to such factors.”
Privacy International and Amnesty accepted the government assurances explicitly. Liberty were silent on the matter. The IPT takes the declaration as a resolution.
"31. Privacy in their reply submissions, with which Amnesty agrees, accept that “that safeguard is now in place, but was not in place before December 2014”. Liberty does not expressly so accept, but made no submissions to the contrary in their reply. In any event we agree, and the disclosure which resolves the lacuna is now made public in this judgment."
Given the importance the government RIPA promise and the IPT's acceptance that it closes a loophole, they conclude the case at paragraph 32:
"32. In our judgment the appropriate course is to alter the declaration we were otherwise minded to make as set out in paragraph 23 above in respect of the First Issue, so that the declaration we propose to make would recite that “prior to the disclosures made and referred to in the Tribunal’s Judgment of 5 December 2014 and this judgment” the Prism and/or Upstream arrangements contravened Articles 8 or 10 ECHR, but now comply."
So, prior to -
the disclosure of adequate signposting to secret rules governing Prism and Upstream intelligence sharing
And
the government's promise not to exploit one of many RIPA loopholes  
- the UK government, for many years, contravened articles 8 and 10 of the European Convention on Human Rights. Now, thanks to the disclosures and promises extracted as a result of this case, they are no longer undermining the right to privacy and freedom of expression. At least as far as the IPT is concerned, within the narrow confines of the issues it examined in this case.

Update: I meant but neglected to include Caspar Bowden's wonderful description of the decision -

"IPT "illegality" finding a Pyrrhic victory, harpoon hurled at heart of "margin of appreciation". ECtHR reviews "safeguards" not spy methods"

Also Privacy International's note about the secret rules: 
"What was publicly disclosed, therefore, is little more than a Tribunal’s summary of secret policies disclosed in a secret hearing, which policies describe only the broadest of restrictions on the receipt of intelligence material by the UK, and remain buried in a 77-page long decision from the IPT, not enshrined in any accessible law or statute. 
We think that falls far short of what is called for by the “in accordance with law” requirement, and in the coming weeks will be appealing to the European Court of Human Rights to argue our case there, demanding an end to unlawful mass intelligence sharing, and ensuring privacy protections for all. "

Monday, February 09, 2015

IPT on mass surveillance - it's alright now, move along...

On Friday last, Investigatory Powers Tribunal (IPT) ruled, in Liberty & Ors v The Secretary of State for Foreign and Commonwealth Affairs & Others (Case No: IPT/13/77/H), that the UK government had been breaking the law, for an indeterminate number of years, in the context of intelligence sharing operations between the NSA and GCHQ.

Basically the tribunal said mass surveillance was illegal when we didn't know about it. But now we do, as a result of some documents the government were obliged to release during this case, it's entirely fine and hunky-dory. It's perfectly grand, as an old friend of mine used to say. The documents don't tell us about the mass surveillance but they provide "a sufficient signposting of the rules or arrangements insofar as they are not disclosed".

Geddit?

There is... er... might be... mass surveillance er in theory.

If there... er... were mass surveillance, it is under control because there are rules.

We're not telling you the rules.

They are secret.

But trust us, there are rules, aka "adequate arrangements in place for the purpose of ensuring" respect for privacy and freedom of expression under articles 8 and 10 respectively of the European Convention on Human Rights (ECHR).

And we have "a sufficient signposting of the rules or arrangements insofar as they are not disclosed".

Don't worry your fluffy little head about it citizen friend. The good guys are in charge.

So, because the government have finally agreed to tell us there are rules governing mass surveillance, something the IPT ordered them to do following submissions from Liberty & others last summer, and the IPT is satisfied everything is ok, even though it may not have been, er... technically, before they er... agreed to tell us there were rules.

And oh, they were only guilty of not telling us there were rules but now they are not guilty of anything because they have told us there are rules.

We're not, however, allowed to know what the rules are...

The government and intelligence services never comment on matters of national security (except to spread fear and hang on wasn't that the terrorists' intent), other than with the standard boilerplate,
“All of the work of the brave men and women in the intelligence and security services is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate ...”
So move along... nothing to see...

From the IPT order on Friday:
"UPON CONSIDERING WRITTEN SUBMISSIONS FROM THE CLAIMANTS AND THE RESPONDENTS
FOR THE REASONS SET OUT IN THE TRIBUNAL’S JUDGMENT OF 5 DECEMBER 2014 (“THE FIRST JUDGMENT”) AND THEIR JUDGMENT OF THIS DATE (“THE SECOND JUDGMENT”)
IT IS DECLARED:
"(i) THAT prior to the disclosures made and referred to in the First Judgment and the Second Judgment, the regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities pursuant to Prism and/or (on the Claimants’ case) Upstream, contravened Articles 8 or 10 ECHR, but
(ii) THAT it now complies with the said Articles."
It's the first time since it was established in 2000 that the secretive tribunal has formally ruled that the intelligence services acted outside the law. Liberty, Privacy International and Amnesty, who had funded the legal challenge, were keen to note the decision as a historic victory but nevertheless only a small step on the road to reigning in mass surveillance. They plan now to pursue the case to the European Court of Human Rights.

The IPT had previously ruled, in December 2014, that the intelligence sharing had not contravened Articles 8 or 10 of the European Convention on Human Rights.

Friday's decision was more of a technical than a substantive victory for the civil rights groups. Indeed GCHQ expressed their pleasure at the decision in a statement,
"The judgment reaffirms the IPT’s main December ruling which found strongly in favour of the Government. The Court ruled that the legal frameworks governing both the bulk interception regime (found in section 8(4) of the Regulation of Investigatory Powers Act or RIPA), and the intelligence-sharing regime, were fully compatible with human rights, in particular the right to privacy.
The judgment focuses primarily on a discrete and purely historical issue – whether those legal frameworks were also fully compatible at a point before these legal proceedings began.
It confirms the UK’s bulk interception regime was fully compliant with the right to privacy at all times, both before and at the time of the legal proceedings.
A GCHQ spokesperson said: "We are pleased that the Court has once again ruled that the UK’s bulk interception regime is fully lawful. It follows the Court’s clear rejection of accusations of ‘mass surveillance’ in their December judgment."
They went on to dismiss the loss as a technical blip,
"The IPT has, however, found against the Government in one small respect in relation to the historic intelligence-sharing legal regime. The Court has ruled that the public disclosure of two paragraphs of additional detail, voluntarily disclosed by the Government during the litigation, were essential to make the public regime sufficiently foreseeable and therefore fully compatible with the European Convention of Human Rights. They found that to the extent that these two paragraphs were not previously in the public domain, the intelligence-sharing regime prior to that point was in contravention of human rights law.
But the judgment does not in any way suggest that important safeguards protecting privacy were not in place at all relevant times. It does not require GCHQ to change what it does to protect national security in any way."
So who's got the real bragging rights - Liberty & co or GCHQ? Well in a sense they both do. Liberty & co get to say it's historic since the IPT have never ruled against the government before. The Guardian as a bonus get to take out some justifiable angst on their UK mainstream media fellow travellers, who have been undermining their reporting on mass surveillance at every turn.  GCHQ and the government get to say don't worry about it, minor blip, all fixed, nothing to see here anymore, move along.

So everyone wins, right?

Wrong.

As long as the mass surveillance that has become normalised in the past 15 years continues, everyone loses.

Update: some links on the case shared on Twitter on Friday last.

FA Respect code more honoured in the breach?

What is it about kids football that brings out the worst in people?

Several weeks ago my son's under 16 team, St Edmunds, comfortably beat Barton Rovers 4-1 in the quarter final of the Berks & Bucks FA cup, in a game played in a generally good spirit. There was not even a remote hint of what was to come. The Barton manager was generally complimentary about St Eds performance and the home linesman on the day had been one of the fairest we had come across this season.

Preparing for a semi final against Ascot a few weeks ago, St Eds discovered the game had been postponed. Barton Rovers had lodged a formal complaint about player ID cards. St Eds' management team had to attend an FA hearing to discuss paperwork and ID cards under Berks & Bucks FA county cup rules 8(e) and 11(e)(ii). Barton Rovers declined to attend the hearing and sent a statement instead.

As I understand it, there was no question of any St Eds player being ineligible and any doubts to that effect could be easily settled, only that ID cards for all players were not produced on the day of the game.

The outcome of the hearing was that the FA ordered a replay of the quarter final.

This took place at Barton Rovers on Sunday, 8th February.

The atmosphere was tense from the start and didn't get any better as a blood and thunder cup tie played out with emotions running high on and off the pitch. The referee had a tough afternoon, producing a multitude of yellow cards and awarding four penalties, in a game that finished 4-3 to the home side. It's a testament to his impartiality that some players and supporters on both sides were consistently vocalising their displeasure, as the game ebbed and flowed.

Unfortunately, two of the ref's most heavily disputed decisions came in the closing five minutes or so, when he awarded the penalty from which Barton equalised and then the winning goal. When the whistle went for the penalty I assumed he was blowing for a free kick for two successive, really dangerous, two footed challenges on the St Eds' centre half. On the winning goal, he dismissed the linesman's flag and also missed a pretty blatant push in the back. Nevertheless, referees are human too, in spite of rumors to the contrary, and have to give the calls as they see them.

A hard fought cup tie had been shaded by Barton and St Eds would have to chalk it down to experience, pick themselves up, dust themselves off and get on with their efforts to win the league. Injustice is rampant in this world and if they have to experience it in the confined context of youth cup  football, it's tough but not life changing. I have to admit it's easier for me to say that now than it would have been when I was 15/16, though, as football was more important than life or death to that teenager.

It is a testament to the players and St Eds' management team that, in spite of the context of the replay and prevailing atmosphere, when they focused on playing football, they played really well.

However, after the final whistle and as the St Eds lads left the ground, there was little evidence on show from the Barton Rovers crew of adherence to the FA's respect agenda, noted so conspicuously on signs around the place. The taunting and cheering was, on the contrary, pretty shameful. The FA’s Respect Code of Conduct for coaches, managers and officials states:
We all bear a collective responsibility to set a good
example and help provide a positive environment
in which children can learn and enjoy the game.
Play your part and observe The FA’s Respect Code
of Conduct at all times.
On and off the field, I will:
• Use my position to set a positive example for the people
I am responsible for
• Show respect to others involved in the game including
match officials, opposition players, coaches, managers,
officials and spectators
• Adhere to the laws and spirit of the game
• Promote Fair Play and high standards of behaviour
• Respect the match official’s decision
• Never enter the field of play without the referee’s
permission
• Never engage in, or tolerate, offensive, insulting or
abusive language or behaviour
• Be aware of the potential impact of bad language on
other participants, facility users or neighbours
• Be gracious in victory and defeat
For spectators and parents it says:
We all bear a collective responsibility to set a good
example and help provide a positive environment
in which children can learn and enjoy the game.
Play your part and observe The FA’s Respect Code
of Conduct for spectators at all times
• Remember that children play for FUN.
• Applaud effort and good play as well as success.
• Respect the Referee’s decisions even when you don’t
agree with them
• Appreciate good play from whatever team it comes from
• Remain behind the touchline and within the Designated
Spectators’ Area (where provided)
• Let the coaches do their job and not confuse the players
by telling them what to do
• Encourage the players to respect the opposition, referee
and match officials
• Support positively. When players make a mistake offer
them encouragement not criticism
• Never engage in, or tolerate, offensive, insulting, or
abusive language or behaviour
For players:
When playing football, I will:
• Always play to the best of my ability
and for the benefit of my team
• Play fairly – I won’t cheat, dive, complain
or waste time
• Respect my team-mates, the other team,
the referee or my coach/manager.
• Play by the rules, as directed by the referee
• Be gracious in victory and defeat – I will shake
hands with the other team and referee before
or at the end of the game
• Listen and respond to what my coach/team manager
tells me
• Understand that a coach has to do what is best
for the team and not one individual player
• Talk to someone I trust or the club welfare officer
if I’m unhappy about anything at my club.
Whether the referee and the observer from the Berk & Bucks FA choose to record the less than respectful post game behaviour, or anything else that may have drawn their attention, formally in their reports is entirely a matter for them. Irrespective of whether they do so or not, it was distinctly unpalatable. Despite being apparently gracious in defeat, at least immediately following the original match, whatever might be thought about the subsequent formal complaint about ID cards, there was no graciousness or respect on show following the controversial last minute victory snatched on Sunday afternoon.

I'll say it again. What is it about kids football that brings out the worst in people?