On Thursday 11 June, techUK commented on the release of David Anderson QC's report into the investigatory powers of the security agencies. In his carefully researched and detailed report, entitled 'A Question of Trust', Anderson has attempted to analyse the effectiveness of current legislation in relation to issues such as surveillance and the acquisition and interception of communications data . His wide ranging report covers the nature of the threats to the UK and the capabilities required to counter them; the challenges changing technologies provide; and issues related to privacy, transparency and oversight.
The Anderson Report provides essential reading for the Government as it formulates its plans for a new Investigatory Powers Bill to replace existing legislation that is due to expire at the end of 2016. The Intelligence and Security Committee report into 'Privacy and Security' in March this year described the existing legislation as "unnecessarily complicated' and 'lacking transparency'. Anderson goes further than this in his review, labelling current legislation "undemocratic, unnecessary and – in the long run – intolerable". techUK agrees and therefore welcomes the main recommendation in the review; namely the bringing together of all of the surveillance capabilities of the agencies under one single piece of legislation – from interception and data retention to equipment interference and computer network exploitation. As Anderson himself states, this law should "affirm the privacy of communications" whilst also providing "judicial, regulatory and parliamentary mechanisms for authorisation, audit and oversight".
techUK has long argued that legislation around surveillance needs to be clear and comprehensible, which is not the case with the current framework. The key to providing clarity is more precision in the definitions of terms such as "communications data". Currently many of the terms used are too broad, are not based on considered input from communication service providers (CSPs) and are not future proof. By starting from scratch and providing a new single piece of legislation, with input from industry, a clear legal framework that reflects both current and anticipated technological developments can be created.
Anderson also makes a number of important recommendations in relation to the bulk collection of data. The report argues that "the capability of the security and intelligence agencies to collect and analyse intercepted material in bulk" should be maintained but used "only subject to strict additional safeguards" and protections such as judicial authorisations and tighter definitions for the purposes for which it is sought. In light of the lapse of section 214 of the Patriot Act, which ended the US Government's bulk collection of email metadata, and recent legal action by privacy groups against the UK Government, it is important that any maintenance of bulk data collection capabilities involves meaningful dialogue with technology companies, with a clear emphasis on proportionately and necessity.
techUK has also repeatedly raised concerns regarding the oversight arrangements for surveillance capabilities. Anderson addresses this through a recommendation to create an 'Independent Surveillance and Intelligence Commission' (ISIC). Through the ISIC's Judicial Commissioners, who would be serving or retiring judges, the ISIC would be responsible for "the judicial authorisation of all warrants and of certain categories of requests for communications data". This recommendation is a welcome attempt at strengthening public trust in how communications data is obtained by agencies, with the ISIC having the power to issue, renew, cancel and modify interception warrants and also make modifications to bulk warrants. It is important that this particular recommendation, for judicial rather than ministerial authorisation for warrants, is not ignored by the Government. However there are signs that the Government will find the idea of stripping Ministers of their ability to authorise warrants problematic.
The extra-territorial provisions contained in current legislation such as DRIPA have been particularly worrying for CSPs; putting pressure on both those operating abroad and also foreign based CSPs who may be compelled to contravene their own domestic laws. It is encouraging that both Anderson and Sir Nigel Sheinwald, in his capacity as the Prime Minister's special envoy on intelligence data sharing, recognise that a long term solution must be introduced in order to address issues of conflicts of jurisdiction. Anderson rightly concludes that it is undesirable for foreign CSPs to be required to have a license or store data in the UK in order to offer services to UK customers. Instead, he calls for the Government to lead the way and develop a "new international framework for data sharing" whilst also seeking the "improvement and abbreviation of MLAT procedures". There are real and pressing limitations to conflicts of law between different countries and the long term solutions highlighted by Anderson are the correct way to mitigating these problems.
Where the review does need further clarification, however, is on the topic of encryption. Whilst Anderson, and the March ISC report, recognise the importance of encryption in keeping our modern digital economy safe and dismiss any notion of encryption being placed under Government control, both reports fail to provide clarity on what they expect companies to do when they do not have the access to the encrypted data that the agencies may want. Anderson's recommendations, for example, call for "a law-based system in which encryption keys are handed over" either by the user or the company. Earlier in the report, however, he acknowledges that there are instances where "not even the provider...will be able to decrypt its contents". Although the report is helpful in that it attempts to inform the debate on encryption through technical facts, it fails to provide a feasible solution to the entire debate.
In all, the review is in the main a comprehensive, detailed piece of work that has been well thought out and researched and lays a solid foundation for the Government when formulating the upcoming Investigatory Powers Bill. Surveillance legislation in the UK has for too long been fragmented, confusing and inefficient for the modern world. It is hoped that this review, and its recommendations, will help the UK achieve a clear legal framework for surveillance that can be emulated around the world.