How the Investigatory Powers Act entrenched highly intrusive digital surveillance in the UK with barely an eyebrow raised
UCL Law Graduate
It’s been a tumultuous few years in UK politics, with a lot of attention being given to the massive issues surrounding Brexit and the drama of political infighting in both major political parties. However, whilst our focus was directed elsewhere, Parliament silently passed some of the most intrusive and controversial sets of digital surveillance laws in the world. The Investigatory Powers Act (IPA) 2016, or the ‘Snooper’s Charter’ as it is more widely known, decisively bestowed incredible powers of surveillance on UK security officials, allowing for a level of intrusion into our lives that is worryingly broad. Whilst it may seem like insignificant technical jargon compared to some of the other issues splashed across the headlines every day, the powers granted by the IPA, and the weak oversight safeguards the law enshrines, deserve our attention and concern.
It should be noted that the actual powers available to the government with regard to digital surveillance are not being newly introduced by the Investigatory Powers Act. The Snowden leaks in 2013 blew the lid on the fact that the UK has been in the internet monitoring game for quite some time already, largely relying on the open-ended wording of s.94 of the Telecommunications Act 1984 to provide the state with wide discretion for intruding on privacy – an Act passed long before most computers were publicly networked or the internet had generally become an essential part of daily life. At first, there were very few restrictions on intelligence agencies, security forces or the Home Secretary in terms of how they could police the internet, resulting in a lack of transparency that defines the UK’s digital surveillance history. This is what the IPA is meant to fix. It lays out in a much clearer and more open fashion the powers government agencies have been using for decades, and attempts to establish clear oversight procedures for the exercise of these powers.
However, the fact that these powers are not new does not mean that their retention is not still an extremely important development. In 2014, now Labour party deputy leader Tom Watson and Conservative Brexit Secretary David Davis jointly took the government to court over these powers, ultimately leading to the European Court of Justice ruling that the UK’s digital surveillance powers were unlawful for being too indiscriminate and lacking sufficient safeguards for the protection of privacy. As the first piece of permanent UK legislation on online investigatory powers since these rulings, the decision by Parliament to reaffirm the powers the government can wield betrays its unresponsiveness to the furore the Snowden revelations inspired. With the UK poised to exit the European Union and escape the jurisdiction of the ECJ, it now seems likely that these powers are here to stay.
What are the powers that security agencies now wield?
Given society’s reliance on the internet today, there are broadly two specific categories of powers outlined in the Investigatory Powers Act that we should all be aware of. First, there is the power to mandate indiscriminate data retention of internet connection records and weblogs. This has been described as the ‘who, when, what, where and how’ of online communication, and covers pretty much everything about our online activity except the content of the information sent. Internet service providers and other telecommunications operators will be required by law to retain the records of every user for a period of 12 months. This data includes IP addresses, partial web addresses and other such nuggets that can allow the government to build a detailed and accurate profile of a person’s interests, beliefs and habits. Even if this power relates largely only to metadata, a huge amount of incredibly personal information can be gleaned from an understanding of a person’s browsing preferences. For example, many sites cater to a very specific group of users, and simply accessing them could inadvertently betray information such as serious health conditions, reveal sexual orientation or imply a host of details that people may legitimately want to keep private.
Secondly, the Act authorises the government, in specific circumstances, to take action to find out the content of online communication. This can be done either through ‘equipment interference’ (read: hacking and direct device tampering) or ‘interception’ (read: wire-tapping or direct access to messages and communications). Unlike with the first set of powers, these powers cannot be directed at everyone indiscriminately. However, they can be authorised against imprecise groups of people, such as residents of a certain neighbourhood, meaning that innocent individuals who are not suspects of any investigation will inevitably be caught in the surveillance net and have their communications read over.
When can these powers be used?
The first set of powers that relate to non-content based data can be used by the government security agencies without any need for a warrant or external approval, and we should all expect our online web history to be retained and processed as a result. However, a crucial change in the law introduced by the IPA is the new authorisation procedure that government agencies must clear to use more intrusive surveillance powers. For the first time, the judiciary are involved in the process of authorising warrants to access the second category of content-related powers. Under what is termed the ‘double lock’, a specially appointed judge (known as a judicial commissioner) must sign off on each request for these powers, on top of the Secretary of State. Warrants are to be approved only if it can be shown that the use of such powers is necessary as part of an investigation, and the intrusion of privacy is as limited as possible and still proportionate to the value of the information that will be attained.
The involvement of the judiciary is an extremely welcome development. Secretaries of State and security agency heads always have an incentive to sign off on warrants, regardless of how thin the justification for them is, as their reputations and thus careers are directly tied to their security track records. This contrasts strongly with the incentive to protect privacy, where failure is far less clear and where the true extent of the erosion of the right is rarely ever known. Approving access to online communications data ensures that intelligence officials have as much information as possible to carry out their duties, thereby creating a strong bias towards privacy intrusion even in cases where it would be unreasonable to allow it, and where it may not be absolutely necessary. Judges do not have their positions threatened by public perception, making them far better placed to make an objective assessment of the need for intrusive surveillance tactics.
However, there is good reason to be sceptical about the effect this change is really going to have on the warrant approval process. Despite calls from experts to allow judges to independently assess whether a warrant deserves to be granted, the Act explicitly limits the role of commissioners to one of judicial review. In other words, as then Home Secretary Theresa May made clear, “they are not retaking the decision. They are looking to see whether the original decision was flawed”. This means that judges may only be able to revoke the authorisation of a warrant provided by the Secretary of State if the decision to approve can be shown to be so absurd that no reasonable person would have made such a decision. This is an incredibly high bar that is near impossible to reach when it comes to matters of security, and judges may be forced to accept requests for hacking or other intrusive surveillance powers that they personally would never approve. Further, judicial commissioners can only be appointed with a recommendation from the Prime Minister, and the funding for commissioners and their work is set by the Home Secretary. These controls by the government over the make-up and operational capacity of the judicial aspect of the authorisation process, again contrary to the vast bulk of recommendations by experts, raise serious questions about how independent those reviewing the approval of warrants can be expected to be.
Does it all even matter?
Undoubtedly, there will be many people who will read all of this and shrug their shoulders. The now-common adage regarding privacy of “if you have nothing to hide, you have nothing to fear” appeals to many, with the operational benefits to police of these powers often being used to justify the intrusion on people’s rights. Without the blanket retention of internet connection records, security agencies would find it much harder to find everyone linked to serious criminal or terrorist incidents, and without the ability to access the content of what was communicated by suspects online, future threats are much harder to detect and respond to. These claims have proven to be true already, and are accepted even by the civil rights organisations that campaign against the law.
Yet the right to privacy is not one to be blasé about, particularly on the internet. As mentioned above, you do not have to be a criminal to be concerned about your behaviour being profiled and scrutinised for information you do not want to reveal, and concerns related to feeling watched will affect the actions all people feel free to take, therefore limiting the liberty people enjoy online. Unlike with real-life surveillance, which we have largely come to accept in recent years, there is nowhere on the internet that one can retreat to that is not potentially subject to this form of over-the-shoulder gaze. Most of us would likely object to CCTV cameras in our homes and rooms as we relish the ability to act in private when we choose to – and yet this is exactly what the IPA makes impossible online. Further, the provisions in the law that allow for direct tampering of the devices used to communicate online represent an alarming ability of the government to manipulate people’s lives that cannot be ignored. It may be that people are willing to sacrifice all this in order to get the security benefits such powers, liberally used without much judicial oversight, could provide. The vocal public reaction to the details that Snowden leaked would suggest this isn’t likely, however, and the lack of priority given to concerns about privacy by both major UK political parties (and the resulting lack of media attention) has allowed Parliament to pass the law without having to convince anyone that such extreme trade-offs are necessary. No matter where any of us stand on the privacy versus security debate, we all must make sure that we know what we are giving up in order to feel safe. And should we happen to be uncomfortable with what we are being asked to lose, we have to stop sleepwalking and make sure our parliamentarians finally take the right to privacy online seriously.