Access Now et al. (IPB0109)
● Thank you for this opportunity to provide comments. This written evidence is submitted on behalf of Access Now, Advocacy for Principled Action in Government, the Center for Financial Privacy and Human Rights, the Electronic Frontier Foundation, New America’s Open Technology Institute, Restore the Fourth, and TechFreedom. We are human rights, technology policy, and civil society organisations based out of or doing work in the United States and internationally.
● Communications surveillance interferes with individuals’ human right to privacy, as well as other human rights recognised in international law and policies. Accordingly, laws that permit communications surveillance must be necessary and proportionate.
● In particular, we note the close partnership between the surveillance agencies operating within the United Kingdom and the United States, as demonstrated by the string of investigative reports starting on June 6, 2013 and known colloquially as the “Snowden Revelations.” While the exact terms by which surveillance information is disseminated between the United Kingdom and the United States are unclear, it is clear that agencies in both nations work in close concert to conduct surveillance around the world. We know that information collected by UK intelligence agencies, including information about U.S. citizens and foreign nationals, is shared in secret with the U.S. National Security Agency to be held and analysed.[1] Additionally, the extraterritorial effect of the Draft Investigatory Powers Bill means that its provisions are also likely to have direct impact on the signers of this Comment.
● Accordingly, we recommend that the consideration of the Draft IP Bill be given adequate time, and not be rushed. Each provision should be provided with adequate attention and care. The surveillance authorities granted in the Draft IP Bill will subject millions, if not billions, of internet users around the world to surveillance by the UK intelligence and law enforcement agencies. In her introduction to the Draft Bill, the Home Secretary notes:
The draft Investigatory Powers Bill that has been published for pre-legislative scrutiny and public consultation builds on their recommendations to bring together all of the powers available to law enforcement and the security and intelligence agencies to acquire communications and communications data and make them subject to enhanced, consistent safeguards.
However, the period for public consultation for the Draft, which numbers close to 300 pages including explanatory text and notes, has not given sufficient time to independently consider each provision as well as the interplay between separate authorities.
● A new investigatory powers law must include authority that is suitably specific and clear so as to give notice to the public of the circumstances in which they may be subject to surveillance, and must provide for independent judicial review and robust human rights protections and safeguards, as well as transparency and accountability.
● The Joint Committee on the Draft Investigatory Powers Bill (the “Draft IP Bill”) has requested answers to several questions to inform its analysis of the draft bill. We provide answers in brief here. If you would like additional information, we encourage you to reach out to the signatories of this comment.
- Overarching / Thematic Questions
- Are the powers sought necessary? Has the case been made, both for the new powers and for the restated and clarified existing powers?
- The International Principles on the Application of Human Rights to Communications Surveillance defines the standard of necessity:
Surveillance laws, regulations, activities, powers, or authorities must be limited to those which are strictly and demonstrably necessary to achieve a legitimate aim. Communications Surveillance must only be conducted when it is the only means of achieving a legitimate aim, or, when there are multiple means, it is the means least likely to infringe upon human rights. The onus of establishing this justification is always on the State.[2]
The European Court of Human Rights has explained that the secret surveillance authorities are amongst those that receive a greater level of scrutiny.[3] The Home Office has not explained the necessity of the exceedingly broad surveillance authorities that it seeks to renew or instate in the Draft IP Bill. Rather, the Draft IP Bill appears to seek all foreseeable surveillance authorities, and grants their use with little public oversight as to how the Secretary of State interprets their standards for use by the intelligence agencies, public agencies, or law enforcement agencies.
- Are the powers sought legal?
- “The State must not adopt or implement a measure that interferes with these rights in the absence of an existing publicly available legislative act, which meets a standard of clarity and precision that is sufficient to ensure that individuals have advance notice of and can foresee its application.”[4]
- The Draft IP Bill fails to provide this requisite level of clarity.[5] Additionally, it fails to include a “sunset” provision that would require Parliament to periodically review the authorities granted to ensure their continued need or the ability to incorporate additional safeguards.
- Are the powers compatible with the Human Rights Act and the ECHR?
- No -- nor are they consistent with the right to privacy even more deeply rooted in British traditions.[6] The Draft IP Bill violates several provisions of the European Convention on Human Rights (“ECHR”), including the Right to respect for private and family life (Article 8), Freedom of thought, conscience, and religion (Article 9), Freedom of expression (Article 10), and Freedom of assembly and association (Article 11), among others.
- In a recent ruling of the European Court of Human Rights in the case Roman Zakharov v. Russia, the Court found Russia’s system of secret interception of mobile telephone communications to interfere with Article 8 of the ECHR.[7] The Court explained that, in order to be compatible with the ECHR, secret surveillance had to be clear on its face, supervised by a truly independent authority that is open to public scrutiny, and provide for notice and an opportunity to challenge the surveillance as soon as practicable.[8] The Draft IP Bill is inconsistent with this standard.
- Is the requirement that they be exercised only when necessary and proportionate fully addressed? Are they sufficiently clear and accessible on the face of the draft Bill?
- We appreciate the Draft IP Bill’s application of the “necessary and proportionate” standard, but the bill should specifically define these terms in accordance with international human rights law and policy.[9] Bulk collection is fundamentally inconsistent with the “necessary and proportionate” standard. Further, the Draft IP Bill fails to provide for transparency into, or independent judicial approval of, the Secretary’s interpretation and application of those standards. Finally, the purposes for which surveillance can be “necessary and proportionate” are also overbroad, for example, “to assist investigations into alleged miscarriages of justice,” which is also facially unclear as to what activities would be covered.
- Is the legal framework such that CSPs (especially those based abroad) will be persuaded to comply?
- No. Communications Service Providers (CSPs) must be given the ability to respect the rights of their users and to object to government orders that interfere with those rights. The Draft IP Bill fails to provide for sufficient mechanisms for CSPs to appeal overbroad or objectionable orders and fails to give CSPs sufficient rights to inform users of orders that implicate their personal information. CSPs risk being sued in their own states for complying with these orders if they are not consistent with local law. Additionally, provisions requiring extra-territorial application of broad authorities -- including those that may require the removal of electronic protections of user data, such as encryption -- are particularly troubling and may make it harder for both large and small companies to protect their users.
- Are the powers sought workable and carefully defined? Are the technological definitions accurate and meaningful (e.g. content vs communications data, internet connection records etc.)?
- As explained above, the Draft IP Bill fails to provide adequate clarity as to the authorities that it authorises, and for many provisions the authorities described are over-broad and lack adequate transparency or oversight. In addition, the definitions are inadequately precise.
- For example, the broad definition of what constitutes “communications data,” and, in particular, an “internet connection record,” fails to consider either the level to which collection of internet records is invasive or the substantially different process that must be taken for collecting that information versus obtaining telephone communications data. The line between communications content and communications data on the internet is not clear, and authorities to collect internet connection records must take this into account.
- The powers of bulk and targeted equipment interference, specifically described in statute for the first time in this Bill, are granted with a broad set of permitted targets, and with no limits on technical scope or consideration for the effect on the services of CSPs required to comply with the warrants, nor the effect on their customers’ security and privacy.[10]
- Does the draft Bill adequately explain the types of activity that could be undertaken under these powers?
- No. Several provisions of the Draft IP Bill fail to adequately define the different activities that the Secretary could authorise public agencies, law enforcement agencies, or intelligence agencies to pursue under their authority. Additionally, several provisions of the bill contain a broad and undefined “catch-all” which authorises or requires from third-parties, “any conduct which it is necessary to undertake in order to do what is expressly authorised or required” by the warrant—including, for example, “the interception of communications not described in the warrant.”[11]
- Is the wording of the powers sustainable in the light of rapidly evolving technologies and user behaviours? Overall is the Bill future-proofed as it stands?
- While the language of a law should indeed be “technology neutral” in order to protect against developments that render its provisions inadequate or irrelevant, the Draft IP Bill goes too far by providing inadequate definitions of key terms, including internet connection records, and overbroad and unspecific authorisations, including the provisions on filtering. In addition, provisions that compel CSPs to tamper with their own infrastructure in order to provide “technical capabilities” place no external limits on what new capabilities might be imposed on service providers.[12] The bill’s targeted equipment interference provisions place an ad hoc obligation on providers to comply with individual demands from the intelligence services, military intelligence or law enforcement to transform or even undermine the functionality of their service,[13] with no oversight by the IP Bill’s own Technical Advisory Board, or possibility for CSPs or their customers to challenge these secret changes.
- Are the powers sufficiently supervised? Is the authorisation process appropriate? Will the oversight bodies be able adequately to scrutinise their operation? What ability will Parliament and the public have to check and raise concerns about the use of these powers?
- The Draft IP Bill fails to provide for adequate supervision or oversight of the provided-for authorities. In fact, the provided-for level of review is far below even the perfunctory review provided by the Foreign Intelligence Surveillance Court (“FISC”) in the United States, a body that has received international criticism for its secret deliberations and decisions despite its independence. Responding in part to this criticism, the U.S. Congress recently increased the transparency and accountability of the FISC, providing for unclassified publication of substantial Court decisions and the appointment of amicus curiae to provide additional independent legal or technical expertise. No equivalent resources or requirements are provided for the judicial commissioners or the Investigatory Powers Commissioner.
- Selected Specific Questions
Interception
- Are there sufficient operational justifications for undertaking (a) targeted and (b) bulk interception?
- The targeted interception envisioned by the Draft IP Bill is already far from the layman’s definition of “targeted,” and may include not only a person, organisation, or single set of premises,[14] but may also include “a group of persons who share a common purpose or who carry on, or may carry on, particular activity,” as well as “more than one person or organisation, or more than one set of premises, where the conduct authorised or required by the warrant is for the purposes of the same investigation or operation.”[15] With this, already very broad, authority to conduct interception, it is not clear why additional “bulk” authority is necessary, or why the additional safeguards for bulk cannot or should not be applied to the “targeted” interception. Bulk interception violates core privacy rights guaranteed in international law.[16] Bulk interception is inherently disproportionate, and its authorisation, as implemented in the Draft IP Bill, would have excessive impact on people outside of the UK.[17]
- Is the proposed process for authorising urgent warrants workable?
- The Draft IP Bill allows the unilateral approval of a warrant, without the approval of a judicial commissioner so long as the person who issues the warrant considers that an urgent need exists in order to do so. This is an inadequate and inadequately specific standard, and the decision as to whether or not a situation is “urgent” is not subject to any judicial review.[18] This process fails to provide sufficient human rights protections or adequate oversight.
Data Retention
- Do the proposed authorisation regime and safeguards for bulk data retention meet the requirements set out in the CJEU Digital Rights Ireland and the Court of Appeal Davis judgments?
- The Draft IP Bill authorises mandates for providers to retain personal data up to twelve months.[19] The Investigatory Powers Commission can also deem information or documents appropriate for retention.[20] Data retention mandates infringe upon individual privacy and chill the exercise of human rights including freedom of expression and freedom of association.[21] This infringement is particularly pronounced in situations without meaningful limits to the scope of the data that a provider can be compelled to retain. The current Draft IP Bill does not contain any finding or evidence as to whether a legal review was conducted on whether – and how – these proposed measures were in conformity with rules articulated by the Court of Justice of the European Union (hereinafter, “CJEU”).[22]
Equipment Interference
- Should the security and intelligence services have access to powers to undertake (a) targeted and (b) bulk equipment interference?
- “Equipment interference” carries with it the implication that the power is restricted to impeding normal equipment operations, but may also include adding unexpected new functionality to a device. Under targeted and bulk equipment warrants, telecommunication providers must obey any instructions given by or on behalf of the person to whom the warrant is addressed, and are bound by a gag order, which prevents them from conferring with others before executing the orders given by the warrant holder.[23] The broad scope of machine interference warrants, the range of affected providers who may be compelled to assist, and the large set of potential targets, make this power one of the most potentially intrusive in the new bill. Yet it lacks many of the review and oversight mechanisms attached to other, narrower powers.
- Are the safeguards for such activities sufficient?
- Not even remotely. Given the Draft IP Bill’s weak oversight provisions, these powers would undermine trust in a broad range of online services, technology companies, academic research, and government services.
Oversight
- Would the proposed Judicial Commission have sufficient powers, resources and independence to perform its role satisfactorily?
- Under the Draft IP Bill, the judicial commissioners would not be fully independent of the Executive—the same entity whose authorities will be responsible for conducting much of the surveillance authorised by the Draft IP Bill. The commissioners would be appointed by and serve at the pleasure of the Prime Minister. Additionally, the head judicial commissioner, known as the Investigatory Powers Commissioner (“IPC”), would be given the power to remove other judicial commissioners unilaterally (in consultation only with the Prime Minister) on grounds that are not set out in the legislation.[24]
- Are the new arrangements for the Investigatory Powers Tribunal including the possibility of appeal adequate or are further changes necessary?
- Even the limited oversight provided for by the judicial commissioners is undermined by the grant of authority for the IPC to review final decisions of a judicial commissioner that fail to approve a sought-after warrant.
- Conclusion
- This comment is signed by Access Now, Advocacy for Principled Action in Government, the Center for Financial Privacy and Human Rights, the Electronic Frontier Foundation, New America’s Open Technology Institute, Restore the Fourth, and TechFreedom.[25]
21 December 2015
[1] Ewen MacAskill, Julian Borger, Nick Hopkins, Nick Davies, & James Ball, GCHQ taps fibre-optic cables for secret access to world’s communications, The Guardian (June 21, 2013), http://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa.
[2] International Principles on the Application of Human Rights to Communications Surveillance (May, 2014), https://en.necessaryandproportionate.org. [N&P]
[3] Klass v. Germany, European Court of Human Rights, at para. 42 (1978), available at http://hudoc.echr.coe.int/eng?i=001-57510#{"itemid":["001-57510"]}.
[4] N&P.
[5] Roman Zakharov v. Russia, European Court of Human Rights (2015), available at http://hudoc.echr.coe.int/eng?i=001-159324.
[6] Entick v. Carrington [1765] established a right to privacy in one’s home from government intrusion. Malone v. Commissioner for the Metropolitan Police [1976] admitted the legality of government wiretapping of telephones, but set out requirements for the legality of wiretapping that are not met by a system of before-the-fact and universal surveillance for police purposes.
[7] Id. at para. 235.
[8] European Court of Human Rights, Q & A Roman Zakharov v. Russia, Grand Chamber judgment, (Apr. 12, 2015), http://www.echr.coe.int/Documents/Press_Q_A_Roman_Zakharov_ENG.PDF.
[9] N&P.
[10] See submissions to this Committee by the Electronic Frontier Foundation, Open Technology Institute, Center for Democracy and Technology, and others.
[11] Secretary of State for the Home Department, Draft Investigatory Powers Bill (2015), §§ 12(5), 81(5), 106(5), 122(7), 135(4) and 188(3), available at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investigatory_Powers_Bill.pdf [Draft IP Bill].
[12] Draft IP Bill § 189.
[13] Draft IP Bill § 101.
[14] Draft IP Bill § 13(1).
[15] Draft IP Bill § 13(2).
[16] Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, General Assembly, U.N. Doc. A/69/397 (Sept. 23, 2014) (by Ben Emmerson).
[17] Draft IP Bill § 106.
[18] Draft IP Bill § 20.
[19] Draft IP Bill § 71 (gives the Secretary of State authority to “require a telecommunications operator to retain relevant communications data if the Secretary of State considers that the requirement is necessary and proportionate [for an enumerated purpose].”). The retention order may provide for up to 12 months of data. Id. The Secretary of State may produce regulations that allow a provider to request a review of the retention order, at which point additional evidence may be taken. Id. However, pursuant to section 73, the Secretary of State is the ultimate arbiter of whether the retention order will stand following such a request. Id. at Section 73. Section 74 provides that data that is ordered retained must be secured and protected against accidental or unlawful destruction or unauthorised access, among other things. Id. at § 74.
[20] Draft IP Bill § 89(4).
[21] Letter from Access Now, et al. to Majority Leader Mitch McConnell, et al. (May 11, 2015), available at https://s3.amazonaws.com/access.3cdn.net/ecffc6f83105be5bc5_8tm6bn51u.pdf.
[22] Digital Rights Ireland Ltd v. Minister for Communications, Marine and Natural Resources and Others (C-293/12) and Kärntner Landesregierung and Others (C-594/12), Court of Justice of the EU (8/4/2004), available at http://curia.europa.eu/juris/liste.jsf?num=C-293/12.
[23] Draft IP Bill § 102.
[24] Draft IP Bill § 168(6)-(7).
[25] If you have any additional questions or inquiries, you can send them to Amie Stepanovich at AccessNow.