IPR Report Print Version


1 A QUESTION OF TRUST REPORT OF THE INVESTIGATORY POWERS REVIEW by DAVID ANDERSON Q.C. Independent Reviewer of Terrorism Legislation JUNE 2015 Presented to the Prime Minister pursuant to section 7 of the Data Retention and Investig atory Powers Act 2014


3 A QUESTION OF TRUST REPORT OF THE INVESTIGATORY POWERS REVIEW by DAVID ANDERSON Q.C. Independent Reviewer of Terrorism Legislation JUNE 2015 Presented to the Prime Minister pursuant to section 7 of the Data Retention and Investigatory Powers Act 2014

4 © Crown copyright 2015 This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, nationalarchives.gov.uk/doc/open - government - licence/version/3 visit or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or . email: [email protected] Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned. This publication is available at www.gov.uk/government/publications Any enquiries regarding this publication should be sent to the Independent Reviewer of Terrorism Legislation at co.uk or by post to [email protected] - David Anderson Q.C. at Brick Court Chambers, 7 8 Essex Street, London WC2R 3LD. This document is also available from the Independent Reviewer’s website at https://terrorismlegislationreviewer.independent.gov.uk Print ISBN 978147411945 0 Web ISBN 9781474 119467 ID 20051503 06/15 Printed on paper containing 75% recycled fibre content minimum Printed in the UK by the Williams Lea Group on behalf of the Controller of Her Majesty’s Stationery Office


6 LIST OF ANNEXES Page List of Acronyms Annex 1 30 8 : Defined terms Annex 2: 31 3 ubmissions S 31 5 Annex 3: Annex 4: 31 7 Meetings Annex 5: Impa ct of encryption and anonymisation 32 1 ies with non - RIPA powers Annex 6: 32 3 Bod Annex 7: The Snowden allegations 3 30 Annex 8: Interception case studies 33 4 Annex 9: 33 7 Bulk data case studies ommunications data case studies Retained c 33 9 Annex 10: UK Crime types for whic h communications data is used 34 2 Annex 11: x 12: Anne Urgency of requirements for communications data 34 3 Annex 13: Local authority use of communications data 34 4 Annex 14: Local authority RIPA requests via NAFN 34 8 Annex 15: 34 9 The law of the Five Eyes Annex 16: Potential use of traffic data by local authorities 370 Annex 17: ISIC Model A 372 Annex 18: ISIC Model B 373

7 EXECUTIVE SUMMARY INTRODUCTION 1. As Independent Reviewer of Terrorism Legislation, I am required by the Data Reten tion and Investigatory Powers Act 2014 to examine a. the threats to the United Kingdom, b. the capabilities required to combat those threats, c. the safeguards to protect privacy, d. the challenges of changing technologies, and e. issues relating to transparency and over sight, before reporting to the Prime Minister on the effectiveness of existing legislation relating to investigatory powers, and to examine the case for a new or amending law. 2. The scope of this task extends well beyond the field of counter - terrorism. Publ ic authorities intercept communications, and collect information about communications, for a host of other purposes including counter - espionage, counter - proliferation, missing persons investigations and the detection and prosecution of both internet - attacks, child sexual exploitation) and crime in general. - enable d crime (fraud, cyber 3. The purpose of this Report is: to a. public and political debate on these matters, which at its worst inform the can be polarised, intemperate and characterised by technical misun derstandings; and b. to set out my own proposals for reform , in the form of five governing principles and 124 specific recommendations. 4. In conducting my Review I have enjoyed unrestricted access, at the highest level of security clearance, to the responsible Government Departments (chiefly the Home Office and FCO) and to the relevant public authorities including police, National Crime Agency and the three security and intelligence agencies: MI5, MI6 and GCHQ. I have balanced those contacts by engagement with service providers, independent technical experts, NGOs, academics, lawyers, judges and regulators, and by fact - finding visits to Berlin, California, Washington DC , Ottawa and Brussels . INFORMING THE DEBATE 5. The legal, factual and technological position as I unde r stand it from my reading, my visits and the large number of interviews I have conducted is set out in the first 12 C hapters of this Report. 1

8 EXECUTIVE SUMMARY Part I of the report (BACKGROUND) establishes the context for the Review, 6. acy and considers both current and future threats explores the central concept of priv to the UK and the challenges of changing technology. a. Chapter 1 (INTRODUCTION) sets out the scope, aims and methodology of the Review. Chapter 2 (PRIVACY) looks at the importance of privacy for individual, s ocial b. and political life. It charts attitudes to privacy and surveillance as they have evolved over time and as they have recently been captured in court judgments and in survey evidence from the UK and elsewhere. c. looks at the importanc e of security for individual, social Chapter 3 (THREAT) and political life. It assesses the threat to the UK in terms of both national - term perspective. security and crime, and puts it into a long Chapter 4 (TECHNOLOGY) explains the basic technology that underlies the d. debat e, from changing methods of communication and new capabilities to encryption, anti surveillance tools and the dark net. - 7. Part II of the Report (CURRENT POSITION) explains the international legal backdrop, the current powers and the way in which they are use d. sets out the legal framework which Chapter 5 (LEGAL CONSTRAINTS) a. governs action in this field. In the absence of a written constitutio n, the chief freedom to legislate are those imposed by the ECHR and (within limitations on U law. its field of application) E b. Chapter 6 (POWERS AND SAFEGUARDS) summarises the existing UK laws under which public authorities may collect and analyse people’s communications, or records of their communications. It introduces the key concepts and summarises the various powers b oth under RIPA and outside it, together with the principal oversight mechanisms. c. Chapter 7 (PRACTICE) explains how those powers are applied in practice by intelligence, police, law enforcement and others, touching also on data - sharing, - bulk personal datase ts and the recently avowed capability for computer network exploitation. d. Chapter 8 (COMPARISONS) provides three sets of benchmarks which may assist in working out how UK law on Investigatory Powers should look. These are: cted and intrusive surveillance, other forms of surveillance (dire  property interference, covert human intelligence sources et c.), -  the laws of other countries , particularly in Europe and the English speaking world, and 2

9 EXECUTIVE SUMMARY  the use made of individuals’ communications by service providers, retai lers and other private companies . Part III of the Report (PERSPECTIVES AND VISIONS) draws on the submissions 8. and evidence received by the Review in order to summarise the wishes of interested parties. Chapter 9 (LAW ENFORCEMENT) a. s of the NCA, summarises the requirement police, local authorities and other law enforcement bodies. It addresses the utility of interception and communications data for their work and their views , on capabilities and safeguards. Chapter 10 (INTELLIGENCE) b. made to the summarises the submissions Review by the security and intelligence agencies: MI5, MI6 and GCHQ. It views on explains their technological change and encryption, what they say they need to maintain existing access and their priorities in relation to capabilities and auth orisation of warrants. c. Chapter 11 (SERVICE PROVIDERS) summarises the submissions made to the Review by communications servi ce providers, both in the US (regarding cooperation with the UK Government and extraterritorial effect) and in the UK s a strong emphasis on the strengthening of controls and (where there wa oversight). Chapter 12 (CIVIL SOCIETY) summarises the case made to the Review by d. civil society groups and individuals, some of whom challenged the need for current capabilities, and most of whom emph asised what they saw as the need for transparency, coherence and clarity and improved scrutiny and safeguards. PROPOSALS FOR REFORM 9. Part IV of the Report (CHARTING THE FUTURE) contains my proposals for change. a. Chapter 13 (PRINCIPLES) characterises the key issue as one of trust, and sets out the five principles on which my recommendations are founded:  inimise no - go areas M L imited powers   R ights compliance  C larity  U nified approach. Under the fifth principle, I explain my reasons for rejecting the ISC’s ndation that the law in this area should, for the first time, enshrine a recomme clear separation between intelligence and law enforcement functions. 3

10 EXECUTIVE SUMMARY Chapter 14 (EXPLANATIONS) is a commentary on the principal b. thinking on key issues recommendations set out in Chapter 15. It explains my such as: Defining content and communications data  Compulsory data retention   The proposals in the 2012 Communications Data Bill  Bulk collection and bulk warrants  Specific interception warrants  Judicial authorisation Collection of com munications data  Extraterritorial effect   Use of intercepted material and data m ) C  T h e I n d e p e n d e n t S u r v e i l l a n c e a n d I n t e l l i g e n c e C o I m i s s i o n ( I S The IPT   Transparency. Chapter 15 (RECOMMENDATIONS) c. sets out my 124 specific and inter - related recommendations for reform. SUMMARY OF PROPOS ALS Shape of the new law fted from scratch, A comprehensive and comprehensible new law should be dra 10. replacing the multitude of current powers and providing for clear limits and safeguards 1 es to use. on any intrusive power that it may be necessary for public authoriti 11. The definitions of content and of communications data should be reviewed, clarified 2 and brought up to date. C apabilities for a period 12. The power to require service providers to retain communications data tently with the requirements of the ECHR and of time should continue to exist, consis 3 of EU law. 1 - 9, 14.3 - Recommendations 1 14.7 below. 2 14.12 below. Recommendation 12, 14.1 0 - 3 Recommendations 13 - 14.22 below. - 4.14 14, 1 4

11 EXECUTIVE SUMMARY In relation to the subject matter of the 2012 Communications Data Bill : 13. - IP resolution in the Counter Terrorism and Security Act a. The provisions for 4 2015 are useful and should be kept in force. b. mpulsory retention of records of user interaction with the internet ( web The co logs or similar) would be useful for attributing communications to individual devices, identifying use of communications sites and gathering intelligence or evidence on web browsing a ctivity. But if any proposal is to be brought forward, detailed operational case needs to a be made out , and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of 5 requiring such data to be retained. c. There sho uld be no question of progressing proposals for the compulsory retention of third party data before a compelling operational case for it has been made out (as it has not been to date) and the legal and technical issues 6 have been fully bottomed out. 14. The ca pability of the security and intelligence agencies to practise bulk collection of intercepted material and associated data should be retained (subject to rulings of the 7 courts), but used only subject to strict additional safeguards concerning: 8 a. judicial au thorisation by ISIC; b. a tighter definition of the purposes for which it is sought, defined by operations 9 or mission purposes; c. targeting at the communications of persons believed to be outside the UK at 10 and the time of those communications; d. specific interception warrant to be judicially authorised if the the need for a applicant wishes to look at the communication of a person believed to be within 11 the UK . 15. There should be a new form of bulk warrant , the bulk communications data warrant , which would be limi and could thus be ted to the acquisition of communications data 12 a proportionate option in certain cases . 4 Recommendation 14 below. 5 17, 14.32 Recommendations 15 - - 14.36 below. 6 Recommendation 18, 14.37 - 14.38 below. 7 Recommendation 19, 14.39 - 14.45 below. 8 Recommendations 22, 45 - 48, 14.47 - 14.57 below. 9 Recommendation 43, 14.75 be low. 10 Recommendation 44, 14.76 - 14.77 below. 11 Recommendation 79, 14.89 below. 12 Recommendation 42(b) and 44, 14.73 and 14.77 below. 5

12 EXECUTIVE SUMMARY Warrants for interception All warrants should be judicially authorised by a Judicial Commissioner at a new 16. 13 ( ISIC ) . body: the Independent Surveillance and In telligence Commission Where a warrant is said to be required in the interests of a 17. national security purpose that relates to the defence and/or foreign policy of the UK, the Secretary of State to certify (and, in the case of a bulk warrant, to certify that should have the power so the warrant is required for the operation(s) or mission purpose(s) identified). The Judicial Commissioner, in determining whether to issue the warrant, should have the sis of the principles applicable in power to depart from that certificate only on the ba 14 judicial review. 18. Specific interception warrants may be targeted not only on persons o r premises but (like the existing thematic warrants) on operations. That is subject to the additional protection that save where ord ered by the Judicial Commissioner, the , must addition of persons and premises to the schedule of the warrant be specifically 15 authorised by a Judicial Commissioner. 19. warrantry procedure should be streamlined by providing for: The a. Serious crime warrants, like national security warrants, to be of six months’ 16 duration; 17 b. Renewals to take effect from the expiry of the original warrant; c. Combined warrants for interception, intrusive surveillance and/or property interference, so long as the conditions for each type of warrant are individually 18 satisfied. Pending a longer - term and more satisfactory solution, the extraterritorial effect in 20. 19 DRIPA s4 should be maintained. Authorisation for acquisition of communications data Designated persons 21. urity and intelligence agencies) should (DPs) (including in the sec from the operations and investigations in independent be required by statute to be 20 relation to which they consider whether to grant an authorisation. 21 (SPoCs) should be provided for in statut e. 22. Single Points of Contact 13 - 14.57 below. Recommendation 22, 14.47 14 Recommendations 30 and 46, 14.64 - 14.66 below. 15 38, 14.60 - 14.70 below. Recommendations 26 - 16 Recommendation 37, 14.69 below. 17 Recommendation 38, 14.70 below. 18 Recommendation 39, 14.71 below. 19 - 25, 14.58 - 14.59 below. Recommendations 24 20 Recommendation 58, 14.80 below. 21 Recommendation 62, 14.78 below. 6

13 EXECUTIVE SUMMARY The SPoC function for all of communications data should in future be minor users 23. compulsorily performed by an independent SPoC at the National Anti - Fraud Network 22 (NAFN). Now that all local authority requests for communications data must be submitted t o 24. independent SPoCs at NAFN and approved by a designated person of appropriate of approval by a magistrate or sheriff should seniority, the additional requirement 23 . be abandoned 25. The DP of any public authority which seeks communications data for the purpose of matters that are privileged or confidential must either refuse the determining 24 request or refer it to ISIC for determination by a Judicial Commissioner. 26. persons who handle Where a request is not directed to such a purpose but relates to confidential information privileged or (doctors, lawyers, journalists, MPs etc.), special considerations and arrangements should be in place, and the authorisation if 25 granted should be flagged for the attention of ISIC. 27. Where a novel or contentious request is made for communications data, the requesting public authority on the advice of the DP should refer the matter to ISIC for 26 a Judicial Commissioner to decide whether to authorise the request. Oversight and review 28. The Independent Surveillance and Intelligence Commiss ion (ISIC) should 27 replace the offices of the three current Commissioners. functions of the ISCommr, the intelligence oversight 29. ISIC should take over the existing auditing additional functions of its predecessor Commissioners, and relating in par functions ticular to the acquisition and use of communications data, - source intelligence and the sharing and transfer of intercepted the use of open 28 material and data. 30. Through its Judicial Commissioners, who should be serving or retired senior judges, ISIC should a lso take over the judicial authorisation of all warrants and of certain categories of requests for communications data, in addition to the approval functions currently exercised by the OSC in relation to other forms of surveillance and the ability 29 to issue guidance. 22 Recommend ation 65, 14.84 below. 23 14.83 below. Recommendation 66, 14.82 - 24 Recommendation 68, 14.85(a) below. 25 Recommendation 67, 14.85(b) below. 26 Recommendations 70 - 71, 14.86 below. 27 Recommendations 82 - 112, 14.94 - 14.100 below. 28 97, Recommendations 89 - 14.95 - 14.96 below. 29 - 88, 14.95 below. Recommendations 84 7

14 EXECUTIVE SUMMARY ISIC, on its own initiative or at the suggestion of a public authority or CSP, should 31. have additional powers to notify subjects of their right to lodge an application to the 30 IPT. 32. ISIC should be public - facing, transparent, accessible to media a nd willing to draw on expertise from different disciplines. 33. The Investigatory Powers Tribunal (IPT) should have an expanded jurisdiction and the capacity to make declarations of incompatibility; and its rulings should be subject 31 to appeal on points of la w. Transparency 34. Whilst the operation of covert powers is and must remain secret, public authorities, ISIC and the IPT should all be as open as possible in their work. Intrusive capabilities should be avowed. Public authorities should consider how they c an better inform Parliament and the public about why they need their powers, how they interpret those powers, the broad way in which those powers are used and why additional 32 capabilities may be required. CONCLUSION 35. RIPA, obscure since its inception, has b een patched up so many times as to make it incomprehensible to all but a tiny band of initiates. A multitude of alternative powers, some of them without statutory safeguards, confuse the picture further. This state of affairs is undemocratic, unnecessary and – in the long run – intolerable. 33 a broad canvas, 36. Parliament provided the Review with which I have done my best to cover. The recommendations in Chapter 15 aim to provide a clear, coherent and accessible scheme, adapted to the world of internet based communications and - encryption, in which: a. public authorities have limited powers, but are not shut out from places where they need access to keep the public safe; b. procedures are streamlined, notably in relation to warrants and the authorisation of local a uthority requests for communications data; c. safeguards are enhanced, notably by: i. the author isation of warrants by senior judges; ii. additional protections relating to the collection and use of communications by the security and intelligence agencies in bulk; 30 - 14.104 below. Recommendation 99, 14.103 31 Recommendations 99 and 113 - 117, 14.101 - 14.108 below. 32 Recommendations 9 and 121 - 124, 14.7 and 14.110 - 14.111 below. 33 1.2 below. 8

15 EXECUTIVE SUMMARY reater supervision of the collection of communications data, including iii. g judicial authorisation where privileged and confidential material is in issue or novel and contentious requests are made; iv. improved supervision of the use of communications data, includi ng in conjunction with other datasets and open - source intelligence; and a new, powerful, visible and accountable intelligence and surveillance v. auditor and regulator. 37. My aim has been to build on the best features of the current regime and to learn from the practice of other countries. The resulting framework aims not only to satisfy the 34 majority who broadly accept current levels of investigatory activity and supervision, but to help build trust among sceptics both in the UK and abroad. The opportunity now exists to take a system characterised by confusion , suspicion 38. class and incess ant legal challenge, and transform it into a world - framework for the regulation of strong and vital powers. I hope that opportunity will be taken. 34 below. 2.27 and 2.34 9

16 D CONTENTS ETAILED PART I: BACKGROUND 1. INTRODUCTION 15 15 Genesis of the Review f the Review Context o 15 Scope of the Review 19 Working methods 22 Terminolo gy 23 Treatment of classified material 23 2. PRIVACY 25 Introductio n 25 The evolution of privacy 25 Perspectives on privacy 26 Why is privacy important? 27 28 Privacy: a qualified right The position of the UK 29 32 Modern attitudes to privacy The Snowden effect 34 Is privacy dead? 36 3. THREATS 39 Introduction 39 The threat in perspective 39 The importance of good order 40 National security threats 41 44 Crime and public safety Conclusion 47 4. TECHNOLOGY 49 Introduction 49 Changing methods of communication 49 51 Global nature of the internet 10

17 DETAILED CONTENTS 52 Fragmentation of providers 52 Difficulties in attributing communications New sources of data 54 Geographical chang 59 es 60 Encryption The dark net 65 surveillance - tools 66 Anonymity and anti Decentralised networks 67 New capabilities 68 PART II: CURRENT POSITION 5. LEGAL CONSTRAINTS 71 71 The common law The European Convention on Human Rights 73 84 The law of the European Union International Law 92 6. 95 POWERS AND SAFEGUARD S Key concepts 95 97 Powers outside RIPA Other intrusive capabilities 100 RIPA powers 103 RIPA safeguards 113 Data Sharing 115 Oversight 119 PRACTICE 7. 124 Sources and scope 124 124 The Snowden Documents Interception 126 Communications data 133 Computer network exploitation 137 Intelligence sharing 138 Bulk Personal Datasets 139 139 The Management of Relationships with CSPs 11

18 DETAILED CONTENTS 8. 141 COMPARISONS 141 Other forms of surv eillance International Comparisons 148 Private sector activity 154 PART III: PERSPECTIVES AND VISIONS 9. LAW ENFORCEMENT 166 Scope and sources 166 167 Summary of requirements Utility of intercept and communications data 168 Capabilities: interception 172 Cap 173 abilities: communications data Minor users 183 Oversight 188 190 10 . INTELLIGENCE Scope and sources 190 192 The Agencies Summary o f requirements 193 Agency capabilities 194 11. SERVICE PROVIDERS 203 Scope and sources 203 The importance of trust 203 International enforcement 204 Views of 205 service providers 12. CIVIL SOCIETY 213 Sources and scope 213 Transparency 213 Coherence and clarity 218 Scope of investigatory powers 223 227 Increase scrutiny and safeguards 12

19 DETAILED CONTENTS 235 Improve oversight proofing - 242 Future PART IV: CHARTING THE FUTURE 13. PRINCIPLES 245 A question of trust 245 First princ iple: minimise no - go areas 247 Second principle: limited powers 248 251 Third principle: rights compliance Fourth principle: clarity and transparency 252 Fifth principle: a unified approach 253 Rec – the objective 255 ommendations 14. EXPLANATIONS 257 257 INTRODUCTION GENERAL (Recommendations 1 258 12) - - 19) 260 CAPABILITIES (Recommendations 13 INTERCEPTION AND ACQUISITION OF DATA (Recommendati ons 20 - 71) 270 USE OF INTERCEPTED MATERIAL AND DATA (Recommendations 72 - 81) 279 OVERSIGHT AND REVIEW (Recommendations 82 - 121) 280 - 124) TRANSPARENCY (Recommendations 121 284 15. RECOMMENDATIONS 285 GENERAL 285 CAPABILITIES 287 INTERCEPTION AND ACQUISITION OF DATA 288 USE OF INTERCEPTED MATERIAL AND DATA 297 OVERSIGHT AND REVIEW 299 306 TRANSPARENCY 13

20 BACKGROUND PART I: Part I of the Re port (BACKGROUND) establishes the context for the Review, explores the central concept of privacy and considers both curr ent and future threats to the UK and the challenges of changing technology.  Chapter 1 (INTRODUCTION) sets out the scope, aims and methodology of the Review. privacy for  Chapter 2 (PRIVACY) looks at the importance of individual, social and political life. It charts attitudes to privacy and surveillance as they have evolved over time and as they have recently been captured in court judgments and in survey evidence from the UK and elsewhere.  Chapter 3 (THREAT S ) looks at the importance of security for indivi dual, social and political life. It assesses the threat to the UK in terms of both national security and crime, and puts it into a long - term perspective. Chapter 4 (TECHNOLOGY) explains the basic technology  that underlie s the debate , from changing method s of communication surveillance tools and the and new capabilities to encryption, anti - dark net. 14

21 1. INTRODUCTION s of the Review Genesi completed its The Data Retention and Investigatory Powers Act 2014 2014 1.1. [DRIPA ] entary passage in just four days , receiving Royal Assent on 17 July 2014. parliam was said to be need ed in order to ensure that UK law Emergency legislation security and intelligence agencies could maintain their ability to enforcement and access the telecommunications data they need to investigate criminal activity and protect the public. greement t hat secured cross - party suppor t As part of the political a for the Bill 2014 s7) to “ appoint the , the Home Secretary was required (by DRIPA independent reviewer of terrorism legislation to review the operation and regulation of investigatory powers ”. This Report is the outcome of t hat R eview. 1.2. am required to consider, in particular: I “(a) current and future threats to the United Kingdom; (b) the capabilities needed to combat those threats; (c) safeguards to protect privacy; (d) the challenges of changing technologies; issues relating to transparency and oversight; (e) (f) the effectiveness of existing legislation (including its proportionality) and 1 the case for new or amending legislation.” 1.3. The Review was to be completed so far as reasonably practicable by 1 May 2015, r sent to the Prime Minister as soon as reasonably practicable after and a eport 2 completion. This report is up to date to 1 May 2015, and was sent to the Prime Minister on 6 is obliged to lay a copy of the May 2015. On receipt, the Prime Minister before Parliament, together with a statement as to whether any matter had Report been excluded from it on the basis that it seemed to him to be “ contrary to the public 3 ”. interest or prejudicial to national security the Review Context of iality Data retention and extraterritor The two matters said to justify the emergency passage of DRIPA 2014 1.4. were: (a) t he April 2014 ruling of the Grand Chamber of the Court of Justice of the 4 Digital Rights Ireland [CJEU] in the case, European Union [Digital Rights 5 Ireland] declaring invali d the EU Data Retention Directive , which provided 1 DRIPA 2014, s7(2). 2 DRIPA 2014, s7(3)(4). 3 DRIPA 2014, s7(5)(6). 4 Joined Cases C - 293/12 and C - 594/12 Digital Rights Ireland and Seitlinger and others , EU:C:2014:238. 5 [EU Data Retention Directive] . Directive 2006/24/EC: 15

22 CHAPTER 1: INTRODUCTION 6 UK service providers Regulations requiring to retain the legal basis for 7 and communications data for law enforcement purposes for a specified period; to put beyond doubt the extraterritorial effe the need of warrants, (b) ct relating to interception and communications authorisations and requirements service data, so that they could for example be served on providers . overseas se matters were addressed in 2014 ss 1 and 4 DRIPA The , respectively. Other l and definitional changes were made by the Act . A ccording to its Explanatory technica 2014 was “ Memorandum, the purpose of DRIPA . .. to enhance data retention not 8 - existing capabilities. powers ”, but rather to preserve pre In recognition of the very short time av 2014 contains a 1.5. ailable for debate, DRIPA which provides for its operative provisions to expire at the end of sunset clause” “ 9 Ministers and Shadow Ministers expressed the hope tha 2016. Report t the present r the data retention and will assist Parliament’s consideration of whethe 2014 should be renewed beyond that extraterritoriality powers contained in DRIPA 10 date. The broader context But a s the 1.6. terms of s7 confirm, the scope of this Review extends well beyond wide Review the provisions of DRIPA reflects a broader political 2014 . The settin g up of the c ontext, including : reduced (a) what law enforcement and intelligence bodies had identified as their coverage of electronic communications , as a consequence of:  long - term shift from telephone communications v ia UK service providers the towards internet - based communications through overseas (especially US) service providers ; and  other t echnological changes, including t he growth of secure encryption for 11 ; internet communications 6 For eas e of reference, the term “ service providers ” is used to refer to: (1) companies which offer communications services ( [CSPs] properly so called), such as BT and Vodafone, (2) companies providing internet access (commonly referred to as Internet Service Prov iders ), such as AOL, [ISPs] Virgin Media and Sky (collectively, technical readers will know these two categories as the four lower levels of the OSI 7 layer model), and (3) companies which operate “ over the top ” [OTT] of an internet - connection (commonly ca lled OTT providers or applications services providers), such as Facebook and Twitter. Some CSPs are also ISPs. Some companies offer communications services, internet access and OTT services (e.g. BT TV, over its own internet service). Reference is made to the individual category of service provider where necessary. The term CSP is used when referring to both CSPs and ISPs. 7 The Data Retention (EC Directive) Regulations SI 2009/859, which were adopted pursuant to the European Communities Act 1972 [ECA s2(2). Regulations under the ECA 1972 depend upon 1972] the existence of a valid EU instrument. 8 Explanatory Memorandum, para 32. 9 DRIPA 2014 s8. 10 Hansard, HC Debs, 15 July 2014, Col 714 (Theresa May) and Col 723 (Yvette Cooper). 11 - 4.65 below. See further , 4.41 16

23 CHAPTER 1: INTRODUCTION the of 2012, which sought to remedy gaps in that (b) Communications Data Bill coverage in a number of ways (some of which had been prefigured under the . It was considered in draft by two parliamentary ) previous Government , but never introduced to Parliament as a consequence of committees ements within the Coalition; disagre the , removed without (c) publication since 2013 of a selection of documents from the US National Security Agency [NSA] by the contractor authorisation various capabilities of the NSA Edward Snowden and purporting to describe and other agencies, including the UK’s Government Communications 12 [GCHQ] , [the Snowden Documents] ; Headquarters and (d) consequences of publication of the various the Snowden D ocuments, including:  disquiet and suspicion among sections of the public in the UK and o ther countries, prompted in particular by alleg ations of bulk collection and analysis of data on a previously unreported scale;  a new emphasis by service providers on customer privacy, reflected in a a reduction in quickening of the trend towards universal encryption and voluntary cooperation with foreign governments; security and intelligence agencies for better  pleas from law enforcement and overseas service providers , and better means of cooperation from ; and enforcement against them  unprecedented levels of activity from the UK’s supervision mechanisms , in particular the Investigatory Powers Tribunal [IPT] , Interception of Communications Commissioner’s Office and Intelligence and [IOCCO] Security Committee of Parliament [ISC] , each of which has examined a nd reported on allegations arising out of the Snowden D ocuments. 1.7. The debate is thus a double - jointed one , featuring arguments for more and for less capability, for more safeguards and for the removal of limitations that serve no useful purpose . I f it is at times bitterly contested, that is because both sides (with unquestionable sincerity) see t heir position as under threat : of electronic (a) Privacy advocates emphasise the growing volume as well as their quality, and extended techniques for t he communications, as lives are increasingly lived online . They gathering and analysis of them, campaign for reduced powers, or at any rate enhanced safeguards, to protect the individual from the spectre of a surveillance state. 12 A catalogue of the Snowden Documents placed in the public domain is maintained by the Lawfare Institute: http://www.lawfareblog.com/catalog - of - the - snowden - revelations/ . See also the Snowden Digital Surveillance Archive: https://snowdenarchive.cjfe.org/greenstone/cgi - bin/library.cgi and The spying/nsadocs . Electronic Frontier Foundation: https://www.eff.org/nsa - 17

24 CHAPTER 1: INTRODUCTION (b) rtion of electronic communications The authorities see a decline in the propo or to make use of fear the emergence of which they have the ability to access , and seek to redress the channels of communication that cannot be monitored, balance with new powers in the interests of national security and the prevention and detection of crime . trol. P rivacy advocates look at a world in Each sees a future in which they lose con roduced, aggregated and mined. T he authorities fear which ever more data is p r developments such as universal default encryption, pee to - peer networks and the - dark net. The effect of Snowden Each of the 1.8. rival camp s is well - entrenched : the Communications Data Bill was being proposed, and caricatured as a “ snoopers’ charter ”, before anyone had heard of Edward Snowden . But D ocuments have transformed the position in a the Snowden number of ways. They have (a) debate : though the UK Government retains its provided material for 13 neither confirm nor deny ” [NCND] , strict policy of “ some capabiliti es have been admitted (notably PRISM, after its ac knowledgment by the US Government , and computer network exploitation [CNE] ) and the IPT in particular has been prepared to review the lawfulness of other programmes ( such as TEMPORA) on the basis of assumed facts. (b) For privacy advocates, the Snowden D ocumen ts have caused them to believe that investigatory powers are used more widely even than they had suspected, 14 - ranging litigation. and provided a nucleus for wide (c) e opening up of the debate has however come at a cost to national security: Th some e effect of the Snowden D ocuments on the behaviour th service of providers and terrorists alike has, for the authorities, accentuated the problem of reduced coverage and rendered more acute the need for a remedy. The international dimension 1.9. There is some evidence that reaction to the Snowden D ocuments was less marked, 15 and less negative, in the UK than in some other countries. But to approach the debate as though domestic co nsiderations are all that matter is no t realistic , for at least four reasons : (a) International trav el, the global nature of the internet and the ability to tap international cables s that the use of investigatory powers by UK mean authorities inevitably impacts upon persons who are neither British citizens nor present in the UK. 13 Though see Belhadj and others v Security Service and other (Case no. IPT/13132 - 9/H) [Belhadj IPT Case] , judgment of 29 April 2015. 14 See further 5.35 - 5.54 below. 15 2.35 below. - See 2.25 18

25 CHAPTER 1: INTRODUCTION of those powers must be sufficiently strong not only (b) The safeguards on the use satisfy public opinion in the UK , but to persuade governments an d overseas to service providers (including particular ly in the USA) that they can and should cooperate with requests for information. (c) For as long as the UK accepts the jurisdiction of the European Court of Human Rights [ECtHR] and CJEU , its law must conform to the p rinciples of their jurisprudence , with its strong empha sis on the protection of private , as well as to the constr . communications aints of international law Whatever solution the UK arri ves (d) at may well be influential in other countries. Nothing should be proposed for the UK that would not be accept ed if it were adopted by other democratic nations. Scope of the Review Definition of investigatory powers 1.10. The “ investigatory powers ” that I am required to review are not defined in DRIPA 2014 , nor even in the central piece of legislation in this area: the Regulation of Investigatory It might have been legitimate to understand the phrase as Power s Act 2000 [RIPA] . encompassing the full range of such powers, including directed and intrusive , property interference and the use of covert human surveillance (tailing, bugging) [CHIS] . The concept might even be intelligence sources extended furth er, to cover surveillance cameras and DNA databases. 1.11. I have however approached the task with regard to my initial Terms of Reference, issued in July 2014, which define the objective of the as being Review “[t]o review the use of legislation governing the u se of communications data and interception ...”, with regard among other things to “ the effectiveness of current statutory oversight 16 arrangements ”. The Security Minister confirmed during the passage of the Bill that 17 ion Rev iew . I ntercept this was the intended scope of the and communications data are governed by RIPA Part I ; Part IV covers codes of practice and scrutiny by RIPA , Those are the subjects I have covered in this Review Commissioners and by the IPT. though also to statutes other t han RIPA , and with an eye to the by reference comparisons presented by other types of surveillance and spying powers , particularly when they are used for similar purposes, as for example CNE may be . Some of my recommendations, if adopted, will affect such powers. 16 https://www.gov.uk/government/uploads/system/uploads/atta chment_data/file/330749/Review_of_Co mmunications_Data_and_Interception_Powers_Terms_of_Reference.pdf . 17 Hansard HC Debs 15 July 2014 cols 804, 806. 19

26 CHAPTER 1: INTRODUCTION jectives of this Report Ob me Even so limited 2014 s7 present , DRIPA with a very broad canvas. I n seeking 1.12. s y objectives have been two to cover it, m fold: - (a) to inform the public and parliamentary debate by providing the legal, ext, and by seeking to encapsulate the views technological and operational cont of the main stakeholders; and to (b) , based on all the evidence I have heard offer my own proposals for change and read. Though I seek to place the debate in a legal context, it is not part of my role to offer a er the bulk collection of data a leg al opinion (for example, as to wheth s practised by GCHQ is proportionate). A number of such questions are currently b efore the courts, which have the benefit of structured and opposing legal submissions and (in the case of the only bodies the IPT) the facility to examine highly secret evidence, and which are that can authoritatively determine them. Decid ing the content of the law in this area is for Parliament, subject only to a ny 1.13. constraints external legal ; and there are w ide issues of principle on which the views 18 one committee) c ould never aspire to be determinative. of one individual (or even But I am invited to opine on a variety of topics, some of them quite technical in nature, and hope that by basing my conclusion s where possible on evidence, MPs and others worthy of being will at least be in a posi tion to judge whether my recommendations are followed. Not limited to terrorism This Review overlaps only slightly with my work as independent reviewer of terrorism 1.14. 19 legisl In that (part - time) capacity, I report regularly to Ministers and to ation. - terrorism, but not Parliament on the operation of laws directed specifically to counter 20 on laws relating to investigatory powers, which are within the competence of others. The subject matter of this one - off Review is therefore quite distinct from the normal work of the independent reviewer. 1.15. I would emphasise that: of bulk (a) Investigatory powers vary greatly in their impact . B road powers to from vast collection are used by GCHQ identify th reats to national security quantities of data communicat ions data requests are used highly targeted . But 18 See e.g. the issue of whether the retention by service providers of data capable of revealing web owsing history constitutes an acceptable intrusion into privacy, which the Joint Committee on the br Draft Communications Data Bill [JCDCDB] after its own thorough investigation felt compelled to leave to Parliament: Report of the JCDCDB, HL Paper 79 HC 479, (December 2012) [JCDCDB Report] , para 294. 19 I remain a Q.C. (self - employed barrister) in independent practice. Full details of the role of independent reviewer, and of the reports I have produced in the course of it, are on my website: https://terrorismlegislationreviewer.independent.gov.uk/ . 20 In particular, IOCCO. Other forms of surveillance are reported upon by the Intelligence Services . Commissioner [ISCommr] and by the Off ice of Surveillance Commissioners [OSC] 20

27 CHAPTER 1: INTRODUCTION for such relatively straightforward tasks as tracing the maker of a 999 (emergency) call, or a “ up ” to identify any mobile phon es reverse look - registered to a particular postal address . are used (and were always intended to be used) by a wide range (b) Some powers [NCA] to local authorities, authorit of public ies, from the National Crime Agency and for a host of purposes including murder investig ations, the tracing of missing persons, the investigation of organise d crime, the detection of cyber crime (including child sexual exploitation and online fraud) and the enforcement of trading standards. It would be unfortunate if my association with the review of terrorism laws were to fuel 1.16. the common misconception that investigatory powers are designed solely or even principally to fight terrorism. They have a vital part to play in that fight, as this Report . But they are properly and pro ductively used both in a broader national set out will security context - espionage, counter - proliferation) and in combating a (e.g. counter wide range of other crimes, most of them more prevalent than terrorism and some of them just as capable of destroying lives. Report Struc ture of this Report should be evident from the Contents. In summary: 1.17. The structure of this Part I introduces the (a) privacy and task, explores the central concept of discharges my statutory function of reviewing “ threats to the current and future 21 ed Kingdom Unit the challenges of changing technologies ”. ” and “ touching on the current position before (b) Part II explains legal constraints , summarising powers and how they are used by t he authorities . existing It also seeks to pro vide some alternative referen ce points by looking at other types of surveillance by public authorities , the laws of other countries and the use of communications data by private companies. (c) Part III seeks to summarise the views expressed to the R eview by the f our main Review groups which subm itted evidence to the : law enforcement, intelligence, service providers and civil society. s for change explains and sets out my recommendation (d) . Drawing on Part IV Report , it incorpor ates my conclusions on “ the capabilities previous parts of the nee ded to combat those threats ”, “ safeguards to protect privacy ”, “ issues relating to transparency and oversight the effectiveness of existing ” and “ legislation (including its proportionality) and the case for new or amending 22 legislation ”. 21 DRIPA 2014, s7(a)(d). 22 DRIPA 2014, s7(b)(c)(e)(f). 21

28 CHAPTER 1: INTRODUCTION Other reviews The initial terms of reference state that my Review will take account of : 1.18. , RUSI Review, the ISC Privacy and Security [JCDCDB] “the findings of the Inquiry and administrative and resource impacts”. 1.19. Of the three bodies there mentioned: The JCDCDB (a) reported on 1 1 December 2012 , in the JCDCB C Report : I refer its hapter s 4, 8, 9, 14 findings in C and 15 , below . (b) The ISC produced its report [ ISC Privacy and Security Report] on 12 March 23 2015. In keeping with the functions of the ISC, that report is limited to the security and intelligence agencies ; but it made some far ivities of the act - reaching recommendations, including for the drafting of a bespoke new law to cover all intelligence agency activity. The Royal United Services Institute [ RUSI ] Independent Surveillance Review (c) th announced by the Deputy Prime Minister on 4 [the RUSI Review] March 2014 , has not yet reported. A ccording to the same terms of r eference, this Report is to mark the end of the first phase of a Review that will be carried on by a Joint Committee t o be established in the eview, and all other relevant material, R I have no doubt that the RUSI next Parliament. . the second phase will be given due weight during Working methods which , twitter on my website and via I issued a formal call for evidence in July 2014, 1.20. written attracted was supplemented by a number of specific requests and , individuals, NGOs 7 6 om on a repeated basis) fr (sometimes submissions service providers ators and public authorities. Most in the latter category , individuals, regul are classified because of operational sensitivities; but the submissions that I have 24 consent to publish may be found on my website. A lmost without exception I have provoking. - found them useful, informative and thought I followed up many of the submissions orall y and have held meetings with a wide 1.21. 25 . of interlocutors in the UK I have benefited from the wide range of expertise range presented at Wilton Park meetings in October and November 2014, which provided a and unique opportunity for dialogue between s, very different perspective people with from conferences organised by the Bingham Centre for the Rule of Law and by I made productive JUSTICE. trips to Berlin, San Francisco and Silicon Valley, Washington DC and Ottawa, all in December 2014, and to B russels in J anuary 2015 . 23 , HC 1075, (March 2015). Privacy and Security: A modern and transparent legal framework 24 https://terrorismlegislationreviewer.independent.gov.uk/ . 25 In keeping with the mode of operation of the independent reviewer of terrorism legislation, and in order nfidential and not to achieve maximum frankness from those to whom I spoke, those meetings were co finding visits to the Security Service - formally minuted. They included several meetings with and fact and GCHQ. the Secret Intelligence Services [MI5], [MI6] 22

29 CHAPTER 1: INTRODUCTION view, and of the Full lists of all those who made written submissions to the Re with whom I have spoken, are at Annex organisations (and in some cases individuals) and Annex 4 to this Report. 3 of the he IS with me the entirety In addition, t extensive closed evidence that 1.22. C shared own Privacy and Security Review, and I have seen the confidential it took as part of its the reports of IOCCO and the of . Much parts of the ISC’s report as well as ISCommr me, and nothing that I asked to see, highly classified material was volunteered to however sensitive or secret, was withheld from me. I was fortunate to recruit to the 1.23. team two barristers (Tim Johnston and Jennifer Review L eod ), a solicit or (Rose Stringer) and a former Mac ( Robert Raine CBE), civil servant each of whom has given substantial time and effort to , despite other commitments, Review extend ing its reach and helping to ensure its quality . Dr Bob Nowill the , greatly : he has explained much and saved me fro m a agreed to act as technical consultant . cademics, number of errors lawyers, non - governmental Commissioners, judges, a [NGOs] from technology experts, retired civil servants and others organisations , have across the world with their help: been they have done much to generous challenge and in fluence my views . Eric King, Tom Hickman, Ben Jaffey and Jo Cavan hapters each dealing with technology, law and comment ed on one or more draft C . practice None of the above should be associated with any of the views expressed in (like a are my responsibility alone. this Report, which ny factual errors) Terminology L ist s of the acronyms and definitions used in this Report are at Annex 1 and 1.24. 2 Annex respectively. Treatment of classified material 1.25 It is my practice when reviewing the terrorism laws to pro duce a single, open report which can be shared with Parliament and public without the need for redactions. I was have followed the same approach in this report. My aim to ensure that the Prime Minister would not be called upon to use his power of exclusi on under DRIPA s7. To that end I have shared parts of my draft rep ort with the Government in advance , for the purpose of ensuring that national security - sensitive passages could be identified and, by negotiation or agreement , rendered acceptable for publi c release . 1.26 case studies at Annex 9 ), this Report contains In a few respects (e.g. the bulk collection security and intelligence agencies have not previously put into the public material that of this Report domain. But it has not been possible to deal in the pages with everything 26 that is relevant to the Review. 1.27 I have emphasised in my Recommendations the importance of transparency, of public avowal, and of backing all capabilities with accessible and foreseeable legal 27 provisions. More broadly, my conclusions have been arrived at on the basis of all 26 This will not be surprising to any reader of the ISC’s Privacy and Securit y Report: the existence of classified material relevant to its subject and to mine is indicated by the frequent use of asterisks. 27 - 124. See in particular Recommendations 3 - 5, 8 - 10 and 121 23

30 CHAPTER 1: INTRODUCTION ed and that which disclos that which can be the information I have myself received : both cannot . But it is only fair to point out that (as would no doubt be expected) there are is Review that cannot be referred to in public and that I have matters relevant to th therefore not referred to at all. 24

31 2. PRIVACY Introduction The exercise of investigatory powers impinges on a variety of human rights and 2.1. interests, including (as will be seen) freedom of exp ression, freedom of assembly and the peaceful enjoyment of property. At the root of them are concepts which have been described in international human rights instruments as “ the right to respect for ... ” and “ the righ t to protection of personal private ... life, home and communications 1 is often used, and will be used here, as an The catch - all word “ privacy” data ”. imprecise but useful shorthand for such concepts. 2.2. The UK public and courts are sometimes said to be less protective of privacy than their counterp arts elsewhere: a pr oposition that I examine at 2.26 - 2.35 below. But as has been pertinently remarked: – or which lacks “A public that is unable to understand why privacy is important the conceptual tools necessary to engage in meaningful debates about it s value is likely to be particularly susceptible to arguments that privacy should – 2 be curtailed.” This C hapter seeks to look under the surface of what we call privacy, in order better to understand the reasons why investigatory powers need to be limited and to inform the debate on the form that such limitations should take. The evolution of privacy 2.3. It has been claimed that privacy is a “ modern ” concept, a “ luxury of civilisation ”, 3 But ideas unknown (and unsought) in “ primitive or barbarous ” societies. of privacy, including the relative freedom of the home from intrusion, are set out in the Code of Hammurabi of Ancient Babylonia, the laws of Ancient Greece and Rome and of 4 References are found to privacy in a range of religious texts, inc luding Ancient China. 5 the Bible, the Koran, and Jewish law. Anthropologists have suggested that the need for privacy, while sensitive to cultural factors, is not limited to certain cultures. Rather, most societies regard some areas of human activity as being private, even if there are 1 European Union Charter of Fundamental Rights [EU Charter] , Arti cles 7 and 8, a formulation updated from that in the European Convention of Human Rights [ECHR] , Article 8, which is “ the right to respect for ... private ... life ... home and correspondence ”. On these instruments, see further 5.12 - 5.23 and 5.57 - 5.58 below. 2 , Amsterdam Law Forum (2009) (“Goold”). B. J. Goold, “Surveillance and the Political Value of Privacy” 3 , “The Rights of the Citizen: To His Reputation” , (1980) 8 Scribner’s Magazine 58, p. 65; See EL. Godkin and R. Posner, “An Economic Theory of Privacy” , (1978) AEI Journal on Government and Society, 19, p. 20. 4 st See A. Rengel, Privacy in the 21 2013, (“Rengel”), p. 29; Samuel Dash, Century, The Intruders: Unreasonable Searches and Seizures from King John to John Ashcroft , 2004 (“Dash”), pp. 8 - 10. 5 - 10. Se e Rengel, p 29, and Dash, pp. 8 25

32 CHAPTER 2: PRIVACY 6 how much is private; and humans need privacy to d ifferences concerning what or 7 mate and rear offspring develop into adults, court, . Perspectives on privacy The elements of privacy are strongly interlinked, and subject to no academic 2.4. nsensus. In the words of one scholar, privacy is “ a value so complex, so entangled co in competing and contradictory dimensions, so engorged with various and distinct 8 meanings, that I sometimes despair whether it can be usefully addressed at all ”. It owever be useful to refer to a number of formulations that are of relevance to may h - matter of this Review . the subject 9 A classic formulation of privacy is the right to be let alone , 2.5. once proclaimed to be 10 the “ most comprehensive of rights and the right most val This ued by civilized men”. 11 right has been associated with human dignity, with the notion of the “inviolate personality ” and with the need for beliefs, thoughts, emotions and sensations to be 12 protected from unwanted prying. 2.6. The same principle can be ex pressed in terms of a positive right to conceal or hide information about ourselves sphere ” or zone in which privacy should . The idea of a “ be assured can be extended by the idea that we operate in different spheres in different situations: see for exampl e the approach of the Canadian Supreme Court, which has identified three broad types of privacy interest – territorial, personal and 13 informational – in respect of which different expectations and rules may apply. . Since knowledge is power, the control 2.7. Privacy can also be understood in terms of transfer of private information to the state can be seen as a transfer of autonomy and of control. Even if the information is never actually read for example, an electronic – nt to a bulk data collection exercise but not communication which was obtained pursua – the fact that it could be read may be seen as placing control in selected for scrutiny the hands of the state. Control may also be transferred when information is given to provider, though with the distinguishing factors that consent is an online service required (nomina lly, at least) and that service providers, while they may use or sell the data within the limits of their terms and conditions, lack the coercive powers of the state. 6 See the discussion in Rengel, p. 28. 7 See Rengel, p. 28 and D. Solove, “Conceptualizing Privacy”, (2002) 90 Cal.L.Rev. 10987 (“Solove ” ) . Nagel has argued that it is our desire for privacy that separates us from other animals; T. Nagel, (1998) Philosophy & Public Affairs, Vol 27 No 1 pp. 3 “Concealment and Exposure” , 30, (“Nagel”) p. 18. - 8 Privacy”, (2001) 89 Geo. L.J. 2087. R. C. Post, “Three Concepts of 9 1891) (1890 - S. Warren & L. Brandeis, “The Right to Privacy” 4 Harv. L. Rev. 193, p. 205. , 10 Brandeis J dissenting in Olmstead v United States, 277 US 438 (1928), p. 478, later upheld by Katz v United States 389 US 347 (1967). 11 See E. Bloustein, “Privacy as an Aspect of Dignity: An Answer to Dean Prosser” , (1964) 3 9 NYU L. Rev. 962 (“Bloustein”) p. 974. 12 As enumerated by Brandeis J in Olmstead v US . 13 R v Spencer, [2014] SCC 43 (CanLII), para 35 et seq. 26

33 CHAPTER 2: PRIVACY ? Why is privacy important Intrusions into privacy have been compared, compellingly, to environmental damage: 2.8. individually their impact may be hard to detect, but their cumulative effect can be very 14 y privacy significant. It is all the more important, therefore, to appreciate precisely wh matters, and how intrusions into it can damage the ecosystem that privacy helps to support. a 2.9. A good start is provided by the recent judicial description of privacy protection as “ fulfilment and autonomy as well as to the - prerequisite to individual security, self 15 As that statement implies, the privacy maintenance of a thriving democratic society”. ecosystem has individual, social and political aspects. 2.10. First, privacy enables the expression of individuality . Without privacy, concepts such as ide ntity, dignity, autonomy, independence, imagination and creativity are 16 Privacy allows us to think and create in more difficult to realise and maintain. freedom, to choose how we love and with whom we share: it enables the “ sheer 17 ” to flourish. chaotic tropical luxurian It facilitates an inner sanctum ce of the inner life function autonomously , w that others must respect. It grants us the freedom to ithout ing observed (or countermanded) by others. Of course, if we be our every action individuality in criminal or anti choose to express our social ways, privacy can facilitate - that too. Secondly and relatedly, privacy facilitates trust, friendship and intimacy : qualities 2.11. that allow us to relate freely to each other and that form the essential basis for a 18 dive Conversely, surveillance has been shown to lead to rse and cohesive society. 19 20 though once again, anti self - censorship - and the suppression of certain behaviour, 21 social as well as pro - social behaviour may be suppressed by surveillance. 2.12. , ranging from securing of other human rights is necessary for the Thirdly, privacy the freedom of political expression to the right to a fair trial. Just as democracy is enabled by the privacy of the ballot box, so the expression of dissenting views is 22 lity to put them across anonymously: the ability of a enhanced by the abi whistleblower to reveal state misconduct and of a journalist to report it requires an 23 assurance that the journalist’s sources will not be made known to the state. There 14 See J. Angwin, Dragnet Nation: A quest for privacy, security and freedom in a world of relentless surveillanc e , 2014, (“Angwin”). 15 R v Spencer , para 15, summarising the effect of previous cases in the Supreme Court of Canada. 16 See Solove , p. 1145, and C. Fried, “Privacy” , (1968) 77 Yale LJ 475, discussing love, friendship and trust. 17 Nagel, p. 4. 18 ost, “The Social Foundations of Privacy: Community and Self in the Common Law Tort” Goold; R. P , (1989) 77 Cal. L. Rev. 957. 19 See J. Kang, “Information Privacy in Cyberspace Transactions” (1998) 50 Stan. L. Rev 1193, p. 1260. , 20 A. Oulasvirta et al, “Long - term Effect s of Ubiquitous Surveillance in the Home”, Ubicomp’ 12, 41. 21 To take a practical example, whether a person reports or owns up to scraping another vehicle in a car park might depend on whether the incident is thought to have been recorded by CCTV. 22 This phenomenon long predates the internet age: see for example William Prynne’s anti - prelatical pamphlet “ Newes from Ipswich ”, issued in 1636 under the name of Matthew White. The use of a pseudonym and false Ipswich imprint (rather like a Tor exit node: 4.67( b) below) were attempts to conceal the origin of a work that it was known the authorities would consider seditious. 23 51 below. - See further 5.49 27

34 CHAPTER 2: PRIVACY on involving the state if one party to it has the ability to can be no fairness in litigati 24 Indeed, Lord Neuberger, monitor the privileged communications of the other. President of the UK Supreme Court, recently suggested that, “ at least in many cases” the right to privacy is “ ct of freedom of expression” ; as when one wishes to do an aspe or say something only privately, it is an interference with expression when one 25 He noted that this is particularly true of anonymous speech, where an cannot. force” author’s article 8 (privacy) rights “ his or her article 10 (expression) rights, rein 26 both generally and particularly in relation to confidential speech. 2.13. Fourthly, privacy empowers the individual against the state . The state’s ability to monitor communications offers opportunities for mani pulation or control, for example by the publication of truthful yet embarrassing facts or images intended to discredit or tarnish the citizen; the ability to predict the actions of citizens and to respond to perceived threats to power; the profiling of dis senters or minority groups; and the 27 All these capacity to control the information received or dispensed by the target. 28 practices, described by George Orwell, were known in totalitarian states from intrusion on privacy is a Eastern Europe to Iraq, leading to the observation that 29 “ . Echoes of such tendencies have also been observed primary weapon of the tyrant” 30 (and commendably brought to light) in the United States of America. Privacy: a qualified right 2.14. as is, for example, the prohibition However powerful the need for privacy, it is not ( against torture) an absolute right. Just as the interests of public safety and law enforcement will sometimes have to give way to the right to privacy, so the right to privacy may need to yield to competing consideratio ns. That is acknowledged in Article 8(2) of the ECHR, which approves interference by public authorities with the right to respect for private life and correspondence in circumstances where that interference is in accordance with the law, necessary and a p roportionate method of achieving specified objectives including the interests of national security, the 31 prevention of disorder or crime and the protection of health. 24 - 48 below. See further 5.45 25 rth Estates: Lord Neuberger at the Hong Kong Foreign Correspondents’ Club, “The Third and Fou , Judges, Journalists and Open Justice” 26 August 2014. 26 Lord Neuberger at 5 RB Conference, “What’s in a name? Privacy and anonymous speech on the , 30 September 2014. Internet” 27 Frequently cited in this regard is the comment attributed to Ca rdinal Richelieu: “ Show me six lines written by the most honest man in the world, and I will find enough therein to hang him. ” 28 Nineteen Eighty - Four , 1949. 29 Bloustein, p. 974. 30 The Church Committee, a Senate Committee that sat in the mid 1970s, conclude - d that “ too many people have been spied upon by too many Government agencies and too much information has been collected. The Government has often undertaken the secret surveillance of citizens on the basis of their political efs posed no threat of violence or illegal acts on behalf of a hostile foreign beliefs, even when those beli . Reference was made to the careful surveillance of groups deemed dangerous, on the basis of power” unsavoury and vicious tactics” . Famous exam vague standards, and the use of “ ples set out by the Committee include surveillance and thereafter improper pressure being applied to the Women’s Liberation Movement and Dr. Martin Luther King (including using information obtained to encourage him to commit suicide, or to destroy his marr iage). The Committee also describes the seeking of “ political intelligence ” from wiretapping under President Nixon and others, including Watergate: Final Report of th the Select Committee to Study Governmental Operations with respect to Intelligence Activiti , 94 es nd Congress, 2 Session, Report No. 94 - 755, Book IV, pp. 5 - 13. 31 - 5.22 below. See further 5.21 28

35 CHAPTER 2: PRIVACY The state has a duty to keep those within its borders safe from criminality. That duty 2.15. i s generally acknowledged to require some ability to intrude upon private communications. Where communication channels are unwatched by the state, and still more when they are incapable of being watched, criminals can act with impunity. That common sense observation is reflected in the routine activity theory, a - criminological staple which states that the three necessary conditions for most crime – significantly – are a likely offender, a suitable target and the absence of a capable guardian. intrusion is appropriate, and if so to what extent, is a matter of fierce 2.16. Whether such debate: opinions differ, for example, as to whether it is permissible to interrogate the communications of people not for the time being under suspicion, whether communications provi ders should be obliged to retain data that they do not keep for commercial purposes, and to whom and under what conditions such data should be made available. Those who mistrust the state tend to argue that such powers should not exist at all; others acce pt the powers but emphasise the need for robust safeguards on their use. The question of trust is thus at the core of the issues to be considered in this Review - 13.6 below . : a theme to which I return at 13.1 2.17. But such debates should not be conducted simply on the level of individual versus state. Any intrusion into privacy is liable to have an impact not only on that relationship, but on the individual and social aspects of privacy, as summarised at 2.10 - 2.12 above. Those aspects, though less tangible, are just as important. If we neglect them, we risk sleepwalking into a world which though possibly safer – would – 32 be indefinably but appreciably poorer. The position of the UK Popular views There are signs that the UK public is less troubled by surveillance issues than its 2.18. counterparts in some other countries ( 2.25 2.35 below); and that the same distinction - 2.22 is apparent in the rulings of its courts ( below). - 2.24 2.19. The need to safeguard privacy against intrusion by the UK Government and its security and intelligence agencies is widely appreciated in theory. Indeed to a substantial minority of the population including many of the campaigners who have – contributed to this Review – it is an iss ue of the highest importance. But f or others, it lacks practical resonance. It is easy to see the utility of closed circuit television [CCTV] cameras, DNA databases and communications data in solving crimes, identifying terrorists and protecting children from sexual abuse. It is harder to put a concre te value on concepts such as human dignity and the inviolability of the private th sphere, particularly in a country which escaped the totalitarian excesses of the 20 33 ) , century (thanks in part to the successes of its security and intelligence agencies 32 The threat of “ sleepwalking into a surveillance society ” was thought to be a reality by the Information Commissioner, introducing his Report on the Sur veillance Society, (2006): see “Britain is ‘surveillance society’”, BBC news website, 2 November 2006: see further 12.32 below. 33 espionage system To give two well - known examples from World War II, the Double Cross counter - es of the Government Code and Cypher School, the forerunner of operated by MI5; and the success 29

36 CHAPTER 2: PRIVACY in which libertarianism remains an insignificant political force. People are and concerned or outraged by isolated uses of surveillance powers, especially by police 34 yet on a broader scale, there was a relatively muted reaction to or local authorities; 14 of secret documents purporting to reveal the aspirations the pu blication in 2013 - and inner workings of GCHQ and its partners. 2.20. But attitudes vary widely, both between individuals and over time. An alternative illance over private life may be strand of strong British opposition to state surve illustrated by examples from each of the past four centuries: Viscount Falkland, appointed Secretary of State in 1643, at the height of the (a) the liberty of opening English Civil War, could never bring himself to exercise “ le tters upon a suspicion that they might contain matter of dangerous consequence such a ”, finding it (according to one of his close associates) “ violation of the law of nature that no qualification by office could justify a single 35 person in the trespass ”. th T he 18 (b) century jurist William Blackstone characterised eavesdropping as an against the public health of the nation; a concern of the highest offence “ 36 ”. Celebrated cases of the period declared that there was no importance for the search of properties, for “ if there was, power to issue a general warrant it would destroy all the comforts of society; for papers are often the dearest 37 ”. property a man can have In the wake of an 1844 parliamentary enquiry into the interception of letters (c) an patriot Giuseppe Mazzini, the “ secret branch addressed to the Itali ” of the Post Office (which dealt with foreign letters) and the deciphering office were [t]o closed down, with the result that, according to one historian of the period, “ litical espionage in Britain stopped most intents and purposes, domestic po 38 Patriotic shortly after 1848 ... until the story picks up again in the early 1880s ”. pride in this state of affairs was expressed by Sir Thomas Erskine May, when he wrote in 1863: “Men may be without restraints upon t heir liberty: they may pass to and fro at pleasure but if their steps are tracked by spies and informers, their words noted down for crimination, their associates watched as – conspirators who shall say that they are free? Nothing is more The Defence GCHQ, in cracking the Enigma codes and so, very probably, shortening the war: C. Andrew 2010; and R.J. Aldrich, GCHQ: the Uncensored Sto ry of of the Realm: The Authorized History of MI5, , 2010. Britain’s Most Secret Intelligence Agency 34 E.g. the revelation that Bob Lambert, an undercover police officer, tasked to infiltrate an environmental protest group, fathered a child by one of the protesters, leading to a settlement of £425,000 from the Metropolitan Police in 2014; see D. Casciani, “The undercover cop, his lover, and their son”, BBC website, 24 October 2014. 35 E. Hyde, Earl of Clarendon, The History of the Rebellion , written in 1668 - 70: Oxford World ’ s Classics - edn. , 2009, pp. 186 187. Falkland was equally resistant to “ the employing of spies, or giving any countenance or entertainment to them ”. But the opening of letters continued: “ convinced by the necessity and iniquity of the time that those advantages of information were not to be declined, and were necessary to b e practised ”, Falkland “ ”: ibid. found means to shift it from himself 36 Blackstone’s Commentaries, Book 4, Chapter XIII, p. 128. 37 - Entick v Carrington 2 WILS KB 274, 807, pp. 817 818: see further at 5.4 - 5.8 below. 38 - 81. B. Porter, Plots and paranoia: a histo ry of political espionage in Britain 1790 - 1988, 1989, pp. 77 30

37 CHAPTER 2: PRIVACY lishmen than the espionage that forms part of the revolting to Eng administrative system of continental despotisms. It haunts men like an evil genius, chills their gaiety, restrains their wit, casts a shadow over freedom of this their friendships, and blights their domestic hearth. The 39 country may be measured by its immunity from this baleful agency.” (d) The dystopian society described in George Orwell’s book Nineteen Eighty - Four was one in which the inhabitants of Oceania live and work in places equipped - way “ tele screens ”, allowing them be watched at any time, and in which with two correspondence is routinely opened and read before delivery. The link between surveillance and total state control is a central theme of the novel, which after its publication in 1949 resonated with particular force in the Soviet Union and Communist Eastern Europe. Phrases such as “ Big Brother ” and “ Thought ” remain commonplaces to this day in any debate on surveillance and its Police limits. So generalisation is dangerous. Attitudes will be sh aped by experience, personal as 2.21. well as national. That is as it should be: tolerance of the need for surveillance rightly depends both on how useful and on how intrusive it is, as well as on the threat picture individual members, are prepared to and the degree of risk that society, and its tolerate. Judicial approaches 2.22. Different concepts of privacy are given prominence in different legal systems. Thus, the concept of dignity is said to underlie continental, and particularly German, privacy 40 law, whereas li berty from the state finds more prominence in United States law. 2.23. The UK – so often positioned midway between the norms of the US and continental Europe – is in this respect something of an outlier: privacy protection from state emphasis by the common law, and has recently been intrusion was given little 41 guaranteed largely under the influence of European legal norms. 2.24. [HRA 1998] , Article 8 is now applied domestically under the Human Rights Act 1998 sed in detail below (5.13 - 5.14) . However, there is still a striking difference as discus in emphasis between UK judges and the European courts as regards the degree of protection to be accorded to privacy. For example: (a) In a number of cases, unanimous rulings by the highest UK court have been 42 nimous rulings of the ECtHR upholding privacy rights. countermanded by una 39 T.E. May, Constitutional History of England since the Accession of King George III , vol. 2, 1863, p. 275. 40 51. See J. Whitman, “Two Western Cultures of Privacy”, (2003 - 2004) 113 Yale LJ 11 41 See 5.11 and 5.17 below. 42 S v United Kingdom (Application no. 30562/04; judgment of 4 December 2008) (DNA retention: 0 - 5 in the judicial House of Lords (0 - 10 if the lower courts are included) then 17 - 0 in Strasbourg); Kay v United Kingdom cation no. 37341/06; judgment of 21 September 2010) (home repossession: 0 - 7 (Appli then 7 - 0); Gillan v United Kingdom (Application no. 3158/05; judgment of 12 January 2010) (no - 5901/05; MAK v UK (Application no. 4 suspicion stop and search: 0 - 5 then 7 - 0). A further case ( 31

38 CHAPTER 2: PRIVACY was of the view that the (5.62 - 5.78 below), the CJEU Digital Rights Ireland In (b) EU Data Retention Directive, which the UK Government had strongly promoted, a wide - ranging and particularly seri ous interference with those entailed “ 43 fundamental rights in the legal order of the EU” . (c) In a recent case about the retention of electronic data, Lord Sumption correctly has in the past taken exception to the characterisation noted that the ECtHR “ by English courts with private life as being minor ”, before once of interferences again so characterising the retention of electronic data by the police on an 44 individual associated with a political protest group. It is hard to think of any other area of human rights law t hat is characterised by such marked and consistent differences of opinion between the European courts and the British judges who in most respects rank among their most loyal and conscientious hat there would be followers. To the extent that the law permits, it seems to me t wisdom in acknowledging and seeking to accommodate such differences, which owe something at least to varying perceptions of police and security forces and to the th different (but equally legitimate) conclusions that are drawn from 20 cen tury history in different parts of Europe. Modern attitudes to privacy 45 2.25. Attitudes to privacy, surveillance, and investigatory powers are frequently surveyed. But the treatment of those surveys requires some care, as results may well be 46 de range of factors, including recent newsworthy events, influenced by a wi the exact wording of the question or indeed the identity of the questioner. 2.26. Even within the UK, people vary widely in their attitude to privacy. Research by DEMOS into data sharing places people into different categories, described as: nonsharers (30% of the population), sceptics (22% of the population), pragmatists (20% of the population), value hunters (19% of the population) and enthusiastic 47 sharers (8% of the population). These groups have v ery different views on issues relating to privacy. Moreover, research has showed that people’s own personal judgment of 23 March 2010)) (duty of care to parents of children suspected to be subjects of abuse) was 1 4 then 7 - 0. - 43 ara Ireland , judgment at p 65. Digital Rights 44 R (Catt) v Commissioner of Police of the Metropolis and others [2015] UKSC 9, para 26. 45 Some of those I have con sidered are: Special Eurobarometer 359, Attitudes on Data Protection and Electronic Identity in the European Union , (2011), (“Eurobarometer”); Demos, The Data Dialogue, (2012), (“Demos”); Wellcome Trust, “Summary Report of Qualitative Research into Public Attitudes to Personal Data and Linking Personal Data”, (2013) (“Wellcome Trust”); Pew Research Center, “Public Public Perceptions” Perceptions of Privacy and Security in the Post - Snowden Era”, (2014) (“Pew, ); Ipsos 27 January MORI, “Public Attitudes to Science” 14), (“Ipsos MORI, PAS” ); TNS - BMRB Polling 23 - (20 , 2014, (“TNS - BMRB”); Dr J. F. Rogers, “Public opinion and the Intelligence Services”; (2014) (“YouGov”); Ipsos MORI for ESRC/ONS, “Dialogue on Data: Exploring the public’s views on using administrativ e data for research purposes”, (2014) (“Ipsos MORI: ESRC/ONS”); Deloitte, Data Nation 2014: Putting Customers First, (2014) (“Deloitte”); Ipsos MORI, “Public attitudes to the use and sharing of their data”, for the Royal Statistical Society, (2014) (“Ipsos MORI: RSS”); and Pew Research Center, “Americans’ privacy strategies post - Snowden” (2015), (“Pew, Privacy strategies ”). 46 It was stated in Ipsos MORI, PAS that the survey may have been influenced by recent NSA leaks and a trial on phone hacking in the UK. 47 Demos. 32

39 CHAPTER 2: PRIVACY environment, history and development has a significant effect on their desire or 48 49 ontextual. otherwise for privacy, and that attitudes to privacy are highly c In relation to privacy as against the state or public authorities : 2.27. (a) Public opinion tends to be more supportive of the use of data where there are 50 A TNS BMRB poll in 2014 showed that : tangible public benefits.  prioritise re ducing the threat posed by terrorists and most people (71%) “ serious criminals even if this erodes peoples’ right to privacy” ;  66% think that British security and intelligence agencies should be allowed to access and store the internet communicat ions of criminals or sts; terrori 64% back them in carrying out this activity by monitoring the  communications of the public at large ; and that  whereas 60% were very or fairly concerned about social media websites such as Facebook monitoring and collecting information about their on line activity, and 55% had the same concerns about search engines such as Google, only 46% and 43% had the same concerns about the 51 US and UK Governments respectively . Further research shows that people see one of the benefits of surveillance as 52 he government to protect them against crime, including terrorism. enabling t (b) Research by YouGov in 2013 showed that 49% of respondents agreed that the UK Intelligence Services should be allowed in some circumstances to hack into gn citizens “ ”, as with no questions asked calls/emails/text messages of forei against 27% who thought they should not. The equivalent figures for UK 53 Qualitative surveys have however shown citizens were 43% and 33%. 54 Big Brother concern about being watched by “ ”. (c) the government is trusted more than commercial Whilst surveys show that 55 companies, survey participants have expressed concern regarding the 48 See Nancy Marshall, “Privacy and Environment” , (1972) Human Ecology, Vol 1 No. 2, 92. 49 See Pew, Public Perceptions ; Demos, which showed a greater concern regarding “ personal information ” than “ particular concern for financial, medical and behavioural data ”; Eurobarometer, which showed national identity number information compared to photos, social networks, websites and tastes and personal opinions; and Wellcome Trust, which highlighted a number of distinguishing factors, including e of risk if it is misused/stolen, the level of security attached to the data, whether it was the degre anonymous or personally identifiable data, the value of the data, whether it was extracted by free choice or compulsion and whether the collector is governmental or private. 50 TNS - BMRB. 51 TNS - BMRB. 52 Wellcome Trust. 53 YouGov. 54 See the Wellcome Trust. 55 See 2.27(a) above, last bullet point, and Ipsos MORI: ESRC/ONS; Deloitte; Eurobarometer. Within the ; see Executive Office of the President, US government at least, there may also be some differentiation 33

40 CHAPTER 2: PRIVACY 56 57 government’s use of data, Aligned particularly in terms of profiling or leaks. with the concepts of privacy outlined above, the public ar e particularly concerned about their data being leaked, lost, shared or sold without their 58 consent. (d) Safeguards appear to be relevant to public levels of trust: where no mention of safeguards is made the balance of opinion is against data sharing within 59 vernment, but with safeguards half are in favour of such sharing. go 2.28. Public surveys have shown particularly low levels of trust in relation to phone 60 ISPs A recent survey showed only between companies and in dealing with data. 61 trust in such companies to use their data appropriately. 4% and 7% had high levels of They also show a general lack of confidence in the security of everyday channels, 62 social media being viewed as the least secure and a landline as the most secure. Some studies show differences in approach by age, although these are not consistent. 2.29. Several surveys show that younger people care less, trust organisations more, and are happier with data collection and use or online surveillance than older 63 However, the TNS BMRB poll sho wed that younger people gave a generations. 64 higher priority to privacy when weighed against security, and polls in America have 65 Again, while shown that most teenagers take steps to protect their privacy online. al class may make a difference: far from conclusive, there is some indication that soci lower social classes showed greater levels of discomfort in relation to sharing their data in the Wellcome Trust survey. The Snowden effect 2.30. The Snowden Documents detailed the alleged extent of surveillance by British and 7.7 Annex 7 US security and intelligence agencies . Summarised at 7.6 - below and in to this Report, these materials have influenced some people’s views on the balance between privacy and security. 2.31. Particularly striking in this regard was the realisation of the extent to which communications were being intercepted in bulk. It was not shocking to discover that no means of communication is immune: that has been the case for as long as mails have been opened and spies secreted behind the arras. But because such t echniques were haphazard, risky and resource - intensive, they have generally been . Bulk collection of electronic messages, as used sparingly, and on a targeted basis May 2014, in which law enforcement and Big Data: Seizing Opportunities, Preserving Values, intelligence agencies were ranked low in terms of public trust. 56 See Ipsos MORI: ESRC/ONS, Deloitte, and Eurobarometer. 57 See Ipsos MORI: ESRC/ONS, and Deloitte. 58 Ipsos MORI, PAS ; Deloitte; Demos; although it is expected and supported by the public that governmental administrative data is linked and shared between departments; See Ipsos MORI: ESRC/ONS. 59 Ipsos MORI: RSS. 60 Eurobarometer; Ipsos MORI: RSS. 61 Ipsos MORI: RSS. 62 Public Perceptions. Pew, 63 Wellcome Trust; Eurobarometer; Pew, Public Perceptions ; Deloitte. 64 Wellcome Trust. 65 (2013). , Pew Research Center, “Teens and Mobile Apps Privacy” 34

41 CHAPTER 2: PRIVACY the Snowden Documents brought home, can be achieved with far less effort and so brings the potential (if not properly regulated) for spying on a truly industrial scale. Two US surveys by the Pew Research Center highlight the influence of the leaks: 2.32. In the 2014 study, most adults did not agree that it was a good thing for (a) an eye ” on internet activity, and adults who had heard government to “ keep about government surveillance were more likely to think that internet oversight 66 by government has drawbacks. Overall, 80% of American adults agreed or ned about the government’s strongly agreed that Americans should be concer monitoring of phone calls and internet communications, with just 18% disagreeing or strongly disagreeing with that notion. According to the authors, clear trend” from support for collection of data as pa the survey confirmed the “ rt 67 of anti - terrorism efforts to relative disapproval. In the 2015 study, over a third of those who had heard of surveillance programs (b) had taken at least one step to hide or shield their information from the US use “ a great deal ” or “ somewhat ”. Government, with a quarter changing their However (in apparent contrast to the earlier findings), only 52% were somewhat ” or “ very ” concerned about US G overnment surveillance of “ not Americans’ data and electronic communications, as against 46% who were “ 68 ” or “ not at all ” concerned. very 2.33. Further research undertaken worldwide appeared to show that the Snowden Documents have “ damaged one major element of America’s global image: its 69 . an Older Americans were more likely th reputation for protecting individual liberties” younger Americans to find it acceptable to spy on citizens of other countries, though Americans in general (perhaps unsurprisingly) were more likely to approve of US ople in government surveillance of foreign nationals than of US citizens. However, pe o ther nations found NSA surveillance of foreign nationals to be more objectionable 70 of Americans. Indeed, 71% of respondents in a worldwide study, including than that 71 were strongly opposed to the US monitoring 70% of those in Five Eyes countries, ternet use (with 60% wanting tech companies to secure their communications their in 72 to prevent this). 66 Public Percepti ons . A majority of adults disagreed with the statement “ it is a good thing for society Pew, if people believe that someone is keeping an eye on the things that they do online ”, including 20% who strongly disagreed. 36% agreed with the statement, including 7% who strongly agreed. Just 23% of adults who have heard “ a lot ” about the revelations in the Snowden Documents thought online surveillance was good for society, compared with 46% of those who had heard less about the revelations. 67 Pew, Public Perceptions . 68 Pew, Privacy Strategies . 69 Pew Research Center, “Global Opposition to US Surveillance and Drones” , (2014) (“Pew, Global Opposition” ). This reflected changes in attitude of both Americans themselves and the global public. 70 Pew, Global Opposition . 71 The US, UK, Canada, Australia and New Zealand: see further 8.40 - 8.41 below. 72 , (2015) (“Amnesty”). Amnesty International, “Global opposition to USA big brother mass surveillance” 35

42 CHAPTER 2: PRIVACY 2.34. Such a change in attitudes is less apparent in the UK: (a) Studies have ranked the UK as one of the countries least concerned by ” on int ernet and government “ Along with spying mobile communications. France, the UK had the lowest proportion of citizens who were opposed to it 73 (44%) in a global study in 2015. Indeed, a number of studies showed that most people had already assumed (b) that the type of action alleged in t he Snowden Documents was undertaken, and 74 only 27% were of the view that it was too intrusive. (c) Some recent studies have shown support for the use of data to predict and 75 prevent crimes, w levels of trust in the UK though others have shown lo 76 use their data appropriately. Government to 2.35. One impact of the leaks in the Snowden Documents in the UK is that they damaged people’s belief in the safety of their data; with most believing that neither government 77 ely secure. But this has not nor private companies can now keep their data complet translated into support for the leaks: in a recent study, only 38% of those polled 78 leaks by Julian Assange and Edward Snowd en ” were justified. believed that “ Is privacy dead? 2.36. Mark Zuckerberg, the founder of Facebook, state d in 2010 that privacy is no longer a 79 80 Others have gone further still, declaring it to be dead. social norm. In the words of a recent newspaper article: “We have come to the end of privacy; our private lives, as our grandparents would have recognised th em, have been winnowed away to the realm of the shameful and the secret. ... Insidiously, through small concessions that mounted up over time, we have signed away rights and privileges that other generations fought for, undermining the very cornerstones o f our personalities in the process. While outposts of civilisation fight pyrrhic battles, unplugging themselves from the web – “ going dark ” – the rest of us have come to accept that the majority of our social, financial and even sexual interactions take p lace over the internet and that someone, somewhere, whether state, press or 81 corporation, is watching.” 73 Amnesty. 74 See TNS - BMRB. 75 PAS. Ipsos MORI, 76 Ipsos MORI: RSS; 13% h ad high trust in the British Government compared to 46% with low trust. 77 Ipsos MORI: ESRC/ONS. 78 TNS - BMRB. Interestingly, there was a gender bias highlighted by this study, with more men than women saying that the revelations would do more harm than goo d. 79 “Privacy no longer a social norm, says Facebook founder”, The Guardian, 11 Jan 2011. 80 E.g. J. Morgan, “Privacy is completely and utterly dead, and we killed it”, Forbes.com, 19 August 2014. 81 A. Preston, “The death of privacy”, The Observer 3 Augus t 2014. 36

43 CHAPTER 2: PRIVACY 82 no one I But such colourful defeatism seems largely confined to the commentariat: have heard from suggested that we have come to the end of privacy, o r that routine “ watching ” of our communications by the state happens or should be accepted. 2.37. Reports of privacy’s death have therefore been exaggerated. But it may legitimately be asked whether the way we live online has changed our attitudes to privacy a nd whether, if so, there are implications in this for the proper scope of state investigatory powers. 2.38. It is hard to resist the proposition that notions of privacy have changed in recent years. Many of us display an unprecedented willingness to share once - private information with online contacts, service providers and the general public. For example: (a) We use free email services, despite many of us being aware or suspecting that the provider makes a profit from using the content of our communications to dir ect advertising towards us. We allow our phones to act as mobile tracking devices, as reliable as any (b) professional surveillance team, again with increasing awareness that this information too is liable to be monetised and that it can if necessary be obtain ed by the state. (c) Many of us post intimate observations on Twitter and photographs on apps such as Instagram, to a potentially infinite number of recipients worldwide. (d) We accept (generally without reading them) terms and conditions which allow our data to b e used, at the discretion of the service provider, for a bewildering variety of purposes. We are becoming increasingly aware of the ease with which we can be (e) identified or profiled by anyone who chooses to combine different datasets. (f) By clicking “ Accept ”, we may even enable our data to be sold to (via a data broker) or shared with the governments of the UK or of other countries. In the words of the well - known cryptographer and writer Bruce Schneier, “ The bargain you make, again and again, with various compa nies is surveillance in exchange for 83 free service. ” 2.39. But all this does not mean that privacy can no longer be protected, or that attempts to regulate state power should simply be abandoned. Four observations may be appropriate here. consequences that can follow from the over 2.40. First, the disastrous - sharing of private information on social media are becoming more widely known, whether in the form of fraud, sexual grooming, so - called “ slut - shaming ” or online bullying. It should cyber 82 Which is itself polarised: see Pew Research Center, “Digital Life in 2025: the Future of Privacy” , (2014), which sets out the broad views of privacy experts. 83 - 8.104 below. B. Schneier, Data and Goliath , 2015, chapter 1. See, generally, 8.65 37

44 CHAPTER 2: PRIVACY cy norms which have moved so rapidly in recent years are not be assumed that priva now immutable, or that the direction of travel will not reverse. Indeed, Facebook itself Privacy Basics ” service, in December 2014 sent an update to users promoting its new “ people’s information and providing meaningful privacy controls noting that “ protecting 84 . are at the core of everything we do” 2.41. Secondly, it is clear that most people do care about their privacy, however defined, 85 and take steps to preserve it online. e, consumer If those steps are ineffectiv protection law should be doing more to ensure that only informed consent to the 86 Moreover, it is false to assume that there is one sharing of their data will suffice. standard of privacy that attaches to all electronic communications: people t reat different types of information as entailing different levels of privacy ( 2.26 above), and users of various platforms are mindful of the extent and degree to which that 87 to others . information is available 2.42. Thirdly, the trend away from privacy is counte rbalanced by the spread of encryption. Companies make a selling point out of assuring their customers that (as in the case of modern iPhones), not even the provider of the phone will be able to decrypt its 88 contents. Finally, the distinction between the a ctivities of service providers and those of the 2.43. state, though sometimes elusive, is nonetheless real. The state has a duty to protect its citizens. Pursuant to that duty, it asserts the right to intercept communications or collect data without consent, a nd to use that information for the purpose of depriving persons of their liberty. These powers are asserted, furthermore, even in relation to people in respect of whom there is no reasonable suspicion that they have committed any crime. Recent changes in privacy norms are not without relevance: they may for example 2.44. have a bearing on whether there is a reasonable expectation of privacy in a particular type of data at a particular time. They do not however amount to any sort of argument for dispensing with constraints on the government’s collection or use of data. Indeed as more of our lives are lived online, and as more and more personal information can be deduced from our electronic footprint, the arguments for strict legal controls on the power of the st ate become if anything more compelling. 84 Facebook update, 20 December 2014. 85 See Big Brother Watch/ComRes, , October 2013 (“BBW/ComRes”). Global Attitudes to privacy Online 86 - 8.88 below. In the BBW/ComRes survey, 65% of consumers believed that national See further 8.85 regulators should do mo re to force Google to comply with regulations on online privacy and data protection. 87 See A. Watts, “A Teenager’s View on Social Media” , 2 January 2015. 88 See the Privacy section on the Apple website: https://www.apple.com/privacy/government - information - . requests/ 38

45 THREATS 3. Introduction 3.1. I am specifically directed by DRIPA 2014 s7 to consider “ current and future threats to the United Kingdom ”, of the sort which the capabilities under review could be useful in addressing. The U K faces a diverse range of security threats, from a wide array of perpetrators, including terrorism, organised crime , espionage from hostile states and cyber threats. All of these contribute to a multi - faceted national security threat, to . whic h the threat from crime add s a further dimension 3.2. t is far from an exact science, not least because The calibration of response to threa the perceived severity of a threat depends on the fear that it evokes as well as on its er tangible nor immediate: for example, potential for harm. Some harm may be neith - term damage to the UK’s economic wellbeing, or a reduction in the UK’s ability long to act globally and achieve its international objectives. Such impacts are harder to observe and to quantify than violent attacks. They may never come into the public eye or receive widespread publicity. But without some notion of all these threats, it is hard to pronounce on the extent to which intrusive powers are needed. 3.3. I received a great deal of evidence from the Government, law enforcement and the security and intelligence agencies on the threats faced today and likely to be faced in the future. For the purposes of this short summary, I have grouped them under two But before turning to headings: national security threats and crime and public safety. the detail, I make two preliminary points. The threat in perspective No one doubts the gravity of the threats that are faced by the UK and its inhabitants, 3.4. 1 ty. or the capacity of those threats both to take life and to diminish its quali But it is generally a mistake (though a surprisingly common one) to describe threat levels as unprecedented ”. Two points need to be kept in mind: “ Events capable of taking life on a massive scale are a feature of every age and (a) 2 ment. every stage of develop (b) Whilst some of the threats faced at any given time will be realised, others will not. 3.5. The last point was well made by Jonathan Evans (now Lord Evans of Weardale) in a public speech as Director of MI5: ture from a security perspective “Those of us who are paid to think about the fu tend to conclude that future threats are getting more complex, unpredictable and alarming. After a long career in , I have concluded that this is rarely [MI5] 1 I am grateful to Ray McClure, uncle to Fusilier Lee Rigby, for his thoughtful submission to the Review. 2 The Black Death probably killed at least a third of t he population of Europe in the years after 1346. As to violence, Steven Pinker of Harvard University has warned against “ historical myopia ”, and claimed The Better Angels of our Nature that “ nostalgia for a peaceable past is the biggest delusion of all ”: (2011), pp. 233, 838. 39

46 APTER 3: THREATS CH redictable and in fact the case. The truth is that the future always looks unp complex because it hasn’t happened yet. We don’t feel the force of the uncertainties felt by our predecessors. ... At least some of the areas of concern that I have highlighted tonight may turn out to be dogs that don’t bark. ... On the other h and, the dog you haven’t seen may turn out to be the one that bites 3 you.” 3.6. The moral is not that threats ought to be ignored: on the contrary, any credible threat should be guarded against. The point is, rather, that claims of exceptional or unprecedented threat levels – particularly if relied upon for the purposes of curbing well - established liberties – should be approached with scepticism. The importance of good order 3.7. It was said in C hapter 2 that privacy is a prerequisite to individual security, self - fu lfilment and the maintenance of a thriving democratic society. So indeed it is: but each of those things depends more directly still upon the population feeling safe, secure and confident that the criminal law in all its aspects will be effectively enforc ed against wrongdoers. 3.8. The point may seem obvious, but by way of illustration: - A person who lives in fear of anti social behaviour, online harassment, (a) neighbourhood drug gangs or persistent nuisance calls is patently unable to experience individual securit - fulfilment. y or self (b) The trust in strangers on which civilised society depends is er oded by a perception that cyber fraud is prevalent, that rogue tradesmen prey on the old with impunity or that paedophiles flourish in the privacy of their homes. (c) The thre at of terrorist atrocities curtails normal activities, heightens suspicion, promotes prejudice and can (as the terrorist may intend) do incalculable damage to community relations. (d) A perception that the authorities are powerless to act against external thre ats to the nation, or unable effectively to prosecute certain categories of crime (including low - level crime), can result in hopelessness, a sense of injustice and a feeling that the state has failed to perform its part of the bargain on which overnment depends. consensual g 3.9. For such reasons, the law plainly states that the right to respect for private life and correspondence can be overridden (where it is necessary and proportionate to do so) in the interests of national security, public safety and the prev ention of disorder or 4 crime. 3 Lord Mayor’s Annual Defence and Security Lecture, Mansion House, (June 2012), para 6. 4 See 5.16 below. 40

47 APTER 3: THREATS CH National security threats National security is nowhere defined in statute. The Government set out in its 2010 3.10. 5 National Security Strategy, annually updated, what it assesses to be the 15 main risks. The highest priority ris ks are in summary: (a) terrorism, both Islamist and Northern Ireland - related; scale cyber crime; (b) cyber attacks by other states and large - (c) a major accident or natural hazard which requires a national response; and (d) an international military crisis between states. The 11 other risks prioritised by the Government include the exploitation by terrorists of instability, civil war or insurgency overseas, a significant increase in organised ed crime affecting the UK , a significant increase in attempts by terrorists, organis criminals and carriers of drugs and firearms to cross the UK border and disruption to the supply of oil, gas or other resources. 3.11. In a written statement introducing his latest annual report on progress with the national security strategy, the Prime Minis ter highlighted the major risks and threats that materialised in 2014: “Islamist extremism, with most lately the emergence of ISIL, is the struggle of our generation; and we are working closely with international partners to tackle this, Forces to combat the emergence of this senseless, barbaric deploying UK Armed organisation. Russia’s illegal actions in Ukraine and conflict in the Middle East have created instability and uncertainty. Tensions in East Asia have added to the risks in that region. Sophist attacks continue to cost the icated and targeted cyber UK economy several billion pounds per year; the dangerous and irresponsible - reaching leaking of sensitive information by Edward Snowden has had far consequences. The Ebola virus is wreaking immense da mage in West African 6 . nations, and posing a potentially devastating threat to others ” 3.12. The strategic response to many of those threats involves the use of covert investigatory powers. In relation to some of them (terrorism, cyber attacks, organised crime) , the monitoring of electronic communications is a central and growing part of the response. Terrorism 3.13. The terrorist threat was recently summarised in the annual report on the Government’s 7 Reference was made to: CONTEST strategy. 5 , Cm 7953, (October 2010). A Strong Britain in an Age of Uncertainty: the National Security Strategy 6 Statement HCWS159 of 18 December 2014, introducing the Annual report on the National Security Strategy and Strategic Defence and Security Review , (2014). 7 , Cm 9048, CONTEST, the United Kingdom’s strategy for countering terrorism: Annual Report for 2014 (March 2015). 41

48 APTER 3: THREATS CH the raising of the UK th substantial ” back to (a) reat level in August 2014 from “ severe - 2011), meaning that “ ” (where it had been for most of the period 2006 an attack is highly likely; the 600 or so people with extremist connections to have travelled to Syria and (b) ave combat experience and terrorist Iraq, some of whom h related training and - many of whom have already returned to the UK; (c) unprecedented quantity of terrorist and extremist propaganda ” that is the “ 8 fuelling terrorism; Arabian Peninsula and Qaida in the (d) the continued threat from al - Qaida core, al - al Shabaab; - (e) kidnap for ransom; (f) the advocating of attacks by lone operators; and (g) the continuing threat from Northern Ireland - related and far right terrorism. 678 people in Great Britain (i.e. the UK not including Northern Ireland) we re charged with, and 432 convicted of, terrorism - related offences between September 2001 and September 2014. The figures for charge and convictions in the year to September 9 2014 are 77 and 26 respectively. ed in my own annual report (normally A more detailed account of the threat is contain 3.14. published in July) on the operation of the Terrorism Acts: recent editions have given details of the major terrorism prosecutions since 2000 and of the 30 Britons killed by terrorism overseas between 2005 and 2013. Whi le noting that Islamist terrorism has afflicted a number of European countries, I expressed the view in 2013 that: “.. the threat to the United Kingdom as measured by the number of serious – plots since 2001 and over the past three years y more serious – is unfortunatel than the threat to other parts of Europe. That deaths of UK nationals through terrorism have not been more numerous owes something to luck ... and a great 10 deal to the capabilities of the intelligence agencies and police.” idence to the Review , MI5 has pointed out some of the recent factors In its latest ev 3.15. which reinforce their concerns about the terrorist threat. Terrorist related arrests are up 35% compared to 2010. The number who have travelled to Syria and undertaken st 21 seen in other terrorist trainin g since 2012 is alrea century dy higher than has been theatres, such as Pakistan/Afghanistan, East Africa and Yemen. The threat posed on 8 I n his evidence of 13 January 2015 to Parliament’s Home Affairs Select Committee (HC 933), Rob Wainwright, the Director General of Europol, described the aggressive and imaginative use of the internet by terrorists for recruitment and propaganda as an impor tant evolution, necessitating “ a closer, more productive relationship between law enforcement and the technological firms, and also the right legislation in place to allow the security authorities to monitor suspected terrorist activity online ”. 9 Home O ffice, Operation of police powers under the Terrorism Act 2000 and subsequent legislation , (March 2015). 10 The Terrorism Acts in 2013 D. Anderson, The Terrorism Acts in 2012 , (July 2013), 2.8 - 2.26, 2.61; , (July 2014), 2.18 and 2.21. 42

49 APTER 3: THREATS CH not just attack planning but radicalisation of associates, their return comprises undraising, all of which further exacerbate the threat. The number of facilit ation and f - linked individuals who are involved in or been exposed to terrorist training and UK fighting is higher than it has been at any point since the 9/11 attacks in 2001. MI5 ct of the threat as unprecedented. Some travellers were previously regard this aspe 11 unknown to MI5. The volume and accessibility of extremist propaganda has increased. UK - 3.16. based extremists are able to talk directly to ISIL fighters and their wives in web forums and on soc ial media. The key risk is that this propaganda is able to inspire individuals to undertake attacks without ever travelling to Syria or Iraq. Through these media outputs, ISIL have driven the increase in unsophisticated attack methodology seen in recent m onths in Australia, France and Canada 3.17. MI5 have successfully disrupted two attack plots by lone actors in the past nine months, both in the late stages of preparation. But MI5 have explained that identifying such individuals is increasingly challenging, ex acerbated by the current limitations in their technical capabilities, which I discuss later. 3.18. Finally, Northern Ireland’s progress towards a post - conflict society is unfortunately far from complete. A real terrorist threat persists in parts of Northern Ire land, as the following figures demonstrate: (a) In the year to February 2015 there were three security - related deaths, 71 shooting incidents and 44 bombing incidents, together with 49 casualties from paramilitary - style assaults. - , 230 persons were arrested in Northern Ireland month period (b) Over the same 12 12 under the Terrorism Acts, and 37 were charged. (c) Of the 20 dissident republican attacks during 2014, most were unsuccessful. But the Director General of MI5 has said that “ for every one of those attacks we and our colleagues in the police have stopped three or four others coming to 13 My own regular visits to Northern Ireland, where I am briefed in detail fruition .” by police and security services, give me no cause to doubt that assessment. o Northern Ireland from Northern Ireland - related terrorism remains at The threat level t “ ”. severe Espionage 3.19. Espionage did not go away at the end of the Cold War. Hostile states still seek to – gather sensitive intelligence on a wide range of subjects defence, energy, finan cial, technological, industrial and commercial often to advance their own state – programmes. When they succeed, they disadvantage the UK economically, militarily 11 Evidence from MI5, April 2015. 12 PSNI, Security Situation Statistics , 2015. 13 29. - Andrew Parker, address of 8 January 2015 to RUSI, available on www.mi5.gov.uk , paras 28 43

50 APTER 3: THREATS CH and politically. They recruit human agents and use cyber and technical operations to target UK interests. 3.20. The scale and extent of hostile foreign state targeting of the UK means that the potential for future damage of UK interests is high and growing. The spread of the The human, digital world is providing states with many more operational opportunities. physical and cyber assets used by hostile states are often coordinated to enable or complement each other. Cyber espionage allows information to be stolen remotely, ate’s cheaply and on an industrial scale at relatively little risk to the hostile st W hatever is thought intelligence officers or its agents. of Edward Snowden’s actions, they demonstrate the impact that can be inflicted by a single well - placed individual 14 with wide network access. threats Cyber A range of hostile actors make 3.21. cyber methods, including onli ne criminals , use of fraud sters, or money launderers ; terrorists threatening violent attacks or disruption of public services and websites, and hostile states conducting cyber espionage to steal information covertly. In many respects the proliferation of online technologies and our increasing reliance on the internet in our day to day lives, and to conduct business, has created a rich pool of opportunities for those seeking to harm UK interests, and has lowered the bar to entry to som e actors by providing a cheap, convenient, and deniable way of conducting their activities. I was told of repeated attacks b y hostile foreign states on UK G overnment and industry. Crime and public safety Recorded crime has fallen dramatically in recent yea 3.22. rs: the Crime Survey for England recorded a total of 7 million crimes committed against resident [CSEW] and Wales 15 adults in the year to September 2014, as against 19 million in 1995. There have been similar trends across the western world. Such figures do not, however, tell the whole story. Organised crime Organised crime was estimated by the NCA 3.23. to be worth £24 billion in 2013, and be perpetrated by 5,800 active organised crime groups in the UK comprising around 40,600 individuals. It includes traffick ing and dealing in drugs, people, weapons and counterfeit goods; sophisticated theft and robbery; fraud and other forms of financial crime. It also includes organised child sexual exploitation. Much organised crime is conducted online or is cyber enabled . - 3.24. In some ways organised crime is more complex than terrorism. It is characterised by violence or its threat and but also often depends on the assistance of corrupt, negligent or complicit professionals, notably lawyers, accountants and bankers. 14 Evidence from MI5, April 2015. 15 January 2015. Office for National Stati stics [ONS] , A stocktake of crime statistics in England and Wales, ”. a valuable measure, on a consistent basis, of trends over time The ONS describes the CSEW as “ 44

51 APTER 3: THREATS CH d crime is international in nature; and through sophisticated use of the Organise 16 internet criminals can commit crime in the UK from anywhere in the world. Fraud and cyber crime 3.25. Europol commented in late 2014: “In general cybercrime is increasing in scale and imp act; while there is a lack of reliable figures, trends suggest considerable increases in scope, sophistication, number and types of attacks, number of victims and economic damage. ... Underground forums provide cybercriminals with a nexus for the trade of goods and services and a hub for networking, creating an organised set of criminal 17 relationships from an otherwise disparate population.” Attention was drawn to the exploitation by criminals of legitimate features of the 3.26. n, virtual currencies), to the increased internet (anonymisation, encryptio sophistication of malware and to the increase of e - commerce related fraud in line with the growing number of online payments. Europol suggested that the trend towards cyber crime techniques, even on the part of tra ditional organised crime groups, “ may reflect how all serious crime will be organised in the future ”. The NCA emphasised to me that the internet has increased the geographical range of organised crime, citing a recent example of Anglo - Australian criminal collaboration. Europol’s reference to a lack of reliable figures is borne out in the UK: fraud and cyber 3.27. crime are not included in the CSEW headline estimates. As the ONS observed in its stocktake ”: January 2015 “ “ Advances in technology and the rise of th e internet have provided new opportunities for criminals to commit crime. This has raised questions as to whether the fall in conventional crimes, as described above, has simply been replaced by new types of crime that are not yet well measured by the sta tistics.” To illustrate the point, the ONS presented an estimate that 5.2% of card owners were victims of card fraud in the year to September 2014, as against 1% who suffered theft from the person and 0.2% who suffered robbery. In a survey of 2000 web use rs last year by the Get Safe Online organisation, 51% admitted to having been in some way affected by online cyber scams, such as fraud, ID theft, hacking, online abuse or 18 having their computer infected with a virus. Work is said to be ongoing to incorpo rate measures of fraud and c yber crime into the main CSEW estimates. 16 Evidence from the Home Office, April 2015. 17 Europol, The Internet Organi sed Crime Threat Assessment , (November 2014). 18 Get Safe Online survey, October 2014. 45

52 APTER 3: THREATS CH Sexual offences and abuse The overall decrease in crime recorded by the CSEW also masks a rapid increase in 3.28. is sexual offences, which rose in the year to September 2014 by 22% (partly, it - recording). thought, because of efforts to reduce under 3.29. abuse is said by the National Society for the Prevention The problem of child sexual of Cruelty to Children to be much bigger than shown in official statistics, as most such etected nor reported. A major study estimated that almost 1 in 20 crimes are neither d 11 - - 11s, had experienced “ contact sexual abuse ” by 17 year olds, and 1 in 200 under 19 other children or adults. [CEOP] , an NCA command, has 3.30. The Child Exploitation and Online Protection Centre identified key threats including the online proliferation of indecent images of children, - generation of indecent images and online sexual exploitation (or grooming), self transnational child abuse. 3.31. CEOP estimates that there were some 50,000 individuals in the UK engaged during 2012 in downloading and sharing indecent images of children, often using P2P) networks. The volume of extreme images has - to - peer ( or decentralised or peer grown exponentially. The dark net, and the live streaming of child abuse, ge nerally from the developing world and in exchange for payment, have been identified as new 20 ways that UK offenders are sexually abusing children. 3.32. Grooming is another crime greatly facilitated by the internet. Predatory paedophiles no longer need to hang a round the school gate. Social media, instant messaging and chat are all used, with a significant proportion of reports involving multiple online environments. CEOP comments: “The restrained influencing of a child over several months has been largely repl aced by rapid escalation to threats, intimidation and coercion ... a symptom 21 of the availability of thousands of potential victims online at any one time.” line offending (e.g. deceiving children into sending indecent - It can lead both to on images of them selves, or engaging in sexual chat or sexual activity over webcam) and - line offending such as meetings for sexual purposes. The director of Europol to off anonymity provided by TOR below] is used by [see 4.62(c) has publicly stated that “ undreds of thousands of children throughout Europe with very little people to abuse h 22 ”. fear of detection and prosecution 19 L. Radford et al, “Child abuse and neglect in the UK today”, National Society for the Prevention of Cruelty to Children (2011), Table 1. 20 CEOP, Threat assessment of child sexual exploitation and abuse, (June 2013). In J. Bartlett, The Dark Net , (2014), at chapter 4 there is a revealing interview with a paedophile who was drawn to increasingly extreme material by the ease and anonymity of online access. 21 Ibid. 22 R. Wainwright, “Cybercrime and the challenges for law enforcement”, address to LIBE Committee of the European Parliament, (11 November 2014). 46

53 APTER 3: THREATS CH police enforcement - Non Not all crime is dealt with by the police or the NCA. For example: 3.33. Her Majesty’s Revenue and Customs [HMRC] and the Home Offic e’s (a) Immigration Enforcement branch deal with serious organised crime as well as localised and individual enforcement matters. The cost to the UK from organised attacks on the tax regimes administered by HMRC was estimated at 23 £4.7 billion in 2011 - 12. (b) l authorities and specialist agencies deal with many other crimes and Loca dangers to public safety including the regulation of gambling, benefits fraud, 24 trading standards, gangmasters and environmental protection. essed for the foreseeable future and, so These are all areas that will need to be addr long as these specialised agencies and other authorities are required to be investigatory and enforcement bodies, they will need the powers to undertake their task effectively. Public safety 3.34. Public safety, especiall y dealing with missing and vulnerable persons, is a very significant area of police activity. It is also one that places a high demand for communications data to help in the location and identification of such people. h an average of 838 missing person reports every 3.35. In Great Britain the police dealt wit 25 Some 6% of all communications data requests during the survey day in 2012 - 13. conducted by the Association of Chief Police Officers [ACPO] in 2012 related to 26 e. investigations into missing or vulnerable peopl Conclusion 3.36. Investigatory powers, often of a rather basic nature, may assist in the detection and investigation of any crime that is prefaced or followed by electronic communication, whether it is a drugs importation arranged by telephone or a stolen i tem advertised on eBay. 3.37. More complicated, and serious, are the problems posed by internet - enabled crime. Though a historic force for good, the internet has complicated and magnified the threat in a number of ways: (fraud, sexual groomi (a) providing a new platform for some crimes ng); 23 Submission received from HMRC. 24 For example, Ofcom told me that in the three years to December 2014, among many other regulatory functions, it conducted 2,753 investigations into offences such as unlicensed broadcasting and the placing on the market or putting into service of apparatus liable to cause harmful interference to users of the spectrum. 25 Missing persons: data and analysis 2012 - 13 , NCA (November 2014). 26 Submission received from ACPO. 47

54 APTER 3: THREATS CH st propaganda, indecent images); (b) facilitating the spread of others (terrori (c) creating completely new opportunities for criminality and aggression (malware, denial of service attacks); and for worldwide communication, some allowing almost infinitely various channels (d) of them highly secure, to be used by criminals. 3.38. As the Director of Europol said to Parliament’s Home Affairs Select Committee in January 2015: “[I]t is quite clear that we have a pressing and, indeed, rising challenge to deal with highly encrypted communications online that are managed through the space of the darknet, which are effectively out of the reach of law enforcement not in every case, but in an increasing proportion of those cases. authorities – ay that the scope that the police have to monitor communications It is fair to s in the offline world is greater than it is in the online world. Given that a majority of those communications run by these networks are moving online, there is a extent it should be plugged by the right and security gap there. To what balanced legislation is for others to judge but I do think it is one of the most 27 pressing problems that police face across Europe.” 3.39. If such threats are to be effectively countered, no - go areas for law enforcem ent must be kept to a minimum. As Sir Iain Lobban, Director of GCHQ, said of online criminals in his valedictory address: 28 “We have to enter that labyrinth to find them.” I examine how that can best be achieved, and the necessary accompanying in later parts of this Report . safeguards, 27 Rob Wainwright, oral evidence of 13 January 2015 (HC 933). 28 Valedictory speech at the Cabinet War Rooms, (Oct 2014). 48

55 4. TECHNOLOGY Introduction A ny new law – 4.1. at least if it is to last as long as RIPA has done – must be couched in technology - neutral language . But that fact cannot alter the need for those who debate that law to have at leas t some understanding of the relevant technology . the debate rely on the fact and nature of technological change Different participants in 4.2. to promote their arguments. Thus: (a) Privacy advocates point out that as lives take place increasingly online, the poten tial for electronic surveillance, and its intrusiveness, are growing exponentially. (b) Law enforcement and intelligence refer to factors such as the fragmentation of providers, concealment of identity and growth of encryption to emphasise the existence of ung overned spaces, and point to a growing “ capability gap ”. It is plain that the utility and intrusiveness of new and existing investigatory powers can also be evaluated only on the basis of a sound technical understanding. C 4.3. This , hapter is compiled entirely f rom open - source material. It s purpose is to outline in layman’s terms, some of the basic technological concepts and developments that underlie the legislative debate. It lays no claim to technical authority (though it has been reviewed by technical expe rts). The lightning pace of change means that it is likely to be in some respects out of date almost immediately. Nonetheless, I hope it may be of value to those who must wrestle with the policy issues in this Report . Changing methods of communication 4. Ours is not the first age to make revolutionary claims for new technology. A fictional 4 professor spoke in 1988 of “ the three things which have revolutionised academic life jet travel, direct - dialling telephones and t he Xerox in the last twenty years ” as being “ ”, adding that with those, “ you’re plugged into the only university that really machine 1 the global campus. ” matters – But changing methods of communication since that time, and in particular the growth of the internet, have eclipsed even those de velopments in their long - term significance. From landlines to smart phones 2 4.5. As recently as 1989, letters and landlines were the main methods of communication. By 2014, fewer than three in ten 16 24 year olds used a landline during a week. 16% - of UK house holds do not have one, and the latest UK Communications Infrastructure 1 D. Lodge, Small World , 1988, pp. 43 - 44 , cited by S. Pinker, The better angels of our nature , 2011, p. 214. 2 Communications Market 4.5 - 4.10 are taken from Ofcom’s Save where otherwise stated, the facts in of December 2014. Reports of August 2011 and August 2014, and from its Infrastructure Report 49

56 CHAPTER 4: TECHNOLOGY Report suggests the increasing use of internet telephony may eventually lead to the 3 landline network (the public switched telephone network) being turned off. ital technology is progressing at extraordinary speed: 4.6. The mass uptake of dig (a) In 2014, 82% of UK homes were connected to the internet compared to 25% in 2000, and 93% of adults owned a mobile phone in 2014 compared to 50% in 2000. In 2014, for the first time, there were estimate d to be more mobile subscriptions (b) 4 than people in the world. (c) Ownership of smart phones is soaring: 61% of adults owned a smart phone in 2014 compared to 27% in 2011. A comparison across the generations is even more striking, with 88% of 16 - ning a smart phone, compared to 24 year olds ow 14% of those over 65. (d) This explosion in the smart phone market is driving the growth in the number of people accessing the internet using their mobile phone: 57% did so in 2014 compared to 28% in 2011. Proliferating methods of communication 4.7. Phone calls and texts are being joined by other communication platforms such as instant messaging, video calls and communication through social networking sites. Whilst the adult population in general spent 33% of their total daily commun ications time using email, this reduced to 19% amongst 16 - 24 year olds, who favour social networking sites over email. Instant messaging apps have overtaken traditional SMS services. In 2012, 19 billion messages were sent per day on instant messaging app s, 5 compared to 17.6 billion text messages. Since 2012 the number of instant messaging apps has grown considerably. A further trend is the growing proportion of consumers in the UK using Voice Over 4.8. Internet Protocol : making a phone call over the in ternet. The number almost [VOIP] tripled between 2009 and 2014, from 12% to 35%. The upsurge in use of VOIP services is linked to the increased ownership of smart phones and tablets, as these 6 devices have integrated VOIP apps. Household take - up of tablets alm ost doubled between 2013 and 2014, from 22% to 44%. 4.9. Also striking is the increasing pace of adoption of new technologies. Whilst it took 15 years for half the UK population to get a mobile phone, newer technologies, such as ed this figure in four years. social networking sites, reach 3 A landline is still usually needed to connect to broadband in the home to enable the internet telephony to take place. 4 Anonymous industry speaker at Wilton Park, November 2014. 5 “Chat app messaging overtakes SMS texts, Informa says”, BBC News Website, 9 April 2013. 6 In 2015, EE will launch WiFi Calling, which will enable calls to be made over the inter net without system technology, described at 4.16 below. - downloading an app. It will use IP multimedia sub 50

57 CHAPTER 4: TECHNOLOGY 4.10. Overall, there are trends towards an increasing variety of communication methods, an 7 increasing number of devices and an increasing pace of adoption of new technologies, with young adults leading the way. Global nature of the internet 4.11. The trends outlined above have resulted in a vast increase in data volumes. One exabyte of data by 2015, 76 exabytes of data will travel is 500 billion pages of text: 8 across the internet every year. However, the infrastructure of the internet means data 9 are not territorially bound. A network is a group of devices which are linked and so able to communicate with one 4.12. 10 another. The internet is often described as a “ ”, all of which are network of networks interconnected. Communications over the internet take place through the adoption of protocols which are standardised worldwide. A single communication is divided into packets (units of data), which are transmitted separately across multiple networks. They may be routed via different countries as the path of travel followed will be a mix of the quickest or cheapest paths; not necessarily the shortest path. The quickest path will depend upon bandwidth capacity and latency ( the amount of data which can be sent through an internet connection and t . The result of this method of he delay ) transmission is increased data flows across borders. For example, an email sent between two persons in the UK may be routed via another country if that is the optimum path for the CSPs involved. The route taken wi ll also depend on the location of servers. The servers of major email services like Gmail, Yahoo and Hotmail are based outside the UK. 4.13. It is estimated that somewhere between 10% and 25% of the world’s international he UK via underwater fibre optic cables and telephone and internet traffic transits t 11 Whilst the cables are not a much of the remaining traffic transits cabling in the US. recent technological development, having been in use since the 1970s, the amount of data that can be carried has steadily ri sen. Cables carrying data at a rate of 10 gigabits Data rates of 100 gigabits per second per second were the norm for most of the 1990s. have been available since 2010. By 2014 Google had already invested $300million in 60 terabit (60,000 gigabit) per s econd fibre optic cables. In 2014, it was reported that researchers in the Netherlands and the USA demonstrated data rates of 225 terabits 12 per second. 7 In J. Zittrain, The Future of the Internet and how to stop it , 2008, the author warns that the move away from “ generative technologies ” such as pe rsonal computers towards “ tethered appliances” ’ such as iPhones would extend surveillance capabilities (p. 113). MI5 expressed to me the contrary view. 8 Data and Goliath B. Schneier, , 2015, chapter 1. 9 There are some exceptions. See J. Goldsmith and T. Wu, Who controls the Internet? Illusions of a Borderless World , 2006. Recently some countries have shown a desire for data localisation: 4.42 below. 10 P. Denning, “The ARPANET after Twenty Years”, American Scientist 77 (Nov - Dec 1989), p. 531. 11 , 2014 the author suggests the figure is 25%: see p. 157. GCHQ In L . Harding, The Snowden Files suggested to me that the figure is closer to 10%. 12 S. Anthony, “225Tbps: World’s fastest network could carry all of internet’s traffic on a single fiber”, th October 2014. Extreme Tech Website, 27 51

58 CHAPTER 4: TECHNOLOGY Fragmentation of providers The infrastructure of the internet has resulted in the fragmentation of pr oviders of both 4.14. telecommunications services and communications data. This is illustrated by a a landline call and a VOIP call. Thus: comparison of the business models behind Landline calls a re made through a UK (a) ch CSP to which the owner subscribes, su as knows both endpoints of the call and collects BT or Talk Talk. The CSP billing data. (b) Most VOIP services are currently provided by OTT providers, such as Skype. These operate over an internet connection which a CSP has provided. ed overseas, with the result that it is more difficult for UK Many OTT providers are bas 4.15. law enforcement and to obtain information from security and intelligence agencies them. The services provided by OTT providers are often free , and limited subscriber 13 data are collected. In ad dition, communications data relating to a single communication may not be in a single location due to the collaboration of companies. system 4.16. The internet protocol multimedia sub - [IMS] is a framework designed to standardise methods of delivering voice o r other multimedia services over an internet switched network. It may reduce fragmentation of providers, as it packet protocol - fuses internet and mobile networks and so allows CSPs to support applications such as VOIP and instant messaging. CSPs will be able to compete with OTT providers in the provision of such applications. However, it is likely to lead to greater fragmentation of communications data as new and common identifiers take over from email and phone numbers across multiple devices. culties in attributing communications Diffi The infrastructure of the internet can make it difficult to attribute communications to 4.17. 14 cloak of anonymity ” for communications. their sender and so offers a “ 4.18. An Internet Protocol [IP] address [IP address] is the ide ntifier for a device on a network. The address may be static or dynamic and is usually written and displayed in the following format: (IPv4 – 32 bits), and 2001:db8:0:1234:0:567:8:1 – (IPv6 128 bits). IPv6 is the latest version of the Intern et Protocol. (a) is used to allocate IP addresses Dynamic Host Configuration Protocol dynamically to devices connected to a network. For example, CSPs assign an IP address to a router and all devices connected to the router use it to form a k. All the connections from the devices on the private network private IP networ appear to come from the single IP address assigned to the router by using Network Address Translatio n . CSPs have a pool of IP addresses which are allocated dynamically in sequence, so that a customer’s external IP address 13 Talk Talk’s submission pointed out that business models are constantly changing in the OTT sector. For example, WhatsApp was free but is now starting to charge in certain circumstances. Colin Crowell described OTT pr oviders as being in “ continual evolution” , JCDCDB, Oral Evidence, p. 235. 14 , Shane Harris, 2014, p. 20. @War 5 2

59 CHAPTER 4: TECHNOLOGY will change and different customers will use the same external IP address, but not at the same time. Network Address Translation (b) is a technique used by CSPs to allow a single IP ltaneously, sometimes address to be shared by multiple customers simu 15 numbered in the thousands. It became necessary due to a shortage of IPv4 adopted. addresses, though things will change as IPv6 is increasingly DRIPA 2014 mandated the retention of subscriber data for some categories of IP addresses , namely, those which are static and those which are dynamically allocated [CTSA 2015] in sequence. The Counter Terrorism and Security Act 2015 seeks to address the difficulty which arises when IP addresses are shared by a number of users 16 by requiring the retention of “ relevant internet data simultaneously, in addition to t he ” dresses in shared IP address. However those data are not sufficient to resolve IP ad a CSP below); and in any event, all cases (see 9.51 can usually only provide details of on who pays the internet subscription. This is not necessarily the person who the pers 17 was using a device at a particular time. 4.19. One problem created by the variety of devices now commonly used was highlighted submission s by to the Review. Smart phones and tablets are often shared by a number of users, such as family members. Each of these users may be accessing different applications. This pattern of usage differs from the traditional use of a mobile that in the future ed phone by one person. In light of this, one service provider s uggest investigations will need to be much more user - specific. IP matching can only help with this to a certain degree. 4.20. A further problem for the attribution of communications is that an IP address can be changed by the use of a prox y server so that a communication appears to come from somewhere it does not. A proxy server acts as an intermediary between a device and the internet, changing the IP address from that of the actual sender to that of the proxy ers for perfectly legitimate reasons, such as to maintain server. Many use proxy serv privacy online. However, some use proxy servers in order to carry out cyber attacks so that the origin of the attack remains hidden. Often such attacks involve numerous proxies. Networks [VPN] act in a similar way to proxy servers by changing the Virtual Private 4.21. IP address from that of the actual sender to one provided by the VPN. In the past, VPNs were primarily used by companies to allow their employees to access resources on the company’s net work remotely. Increasingly, VPNs are used by individuals to protect their privacy and security online. Unlike proxy servers, VPNs also provide - hop VPNs offer significantly higher secure communications through encryption. Multi degrees of privacy and an onymity online as they route traffic through two or more VPNs. 15 Home Office, “ Counter - Terrorism and Security Bill Factsheet – Part 3 – Internet Protocol (IP) address resolution” , 2014. 16 The example given i n the factsheet of such data is a port number. 17 See for a further example of the problems surrounding IP matching, “Police face new ethical dilemma in increasingly digital world”, The Guardian, 12 January 2015. 53

60 CHAPTER 4: TECHNOLOGY 4.22. Multipath TCP is an example of an emerging technology likely to have implications for hrough both Wi IP matching. Most mobile devices can access the internet t Fi and a mobile phone data connect ion, utilising one or the other at one time. Technologies such as Multipath TCP will enable the splitting of traffic between these two methods of access, increasing the number of requests that will have to be made for matching process more complex. communications data and making the IP Mobile Edge Computing is also likely to diminish the quantity of data entering the 4.23. central network. It brings content closer to the user by moving it from the central network to the edge of networks. The benefits are faste r delivery and better quality for the user, for example, less buffering. However, this is likely to mean fewer communications entering the core network and so lesser volumes of data available for collection. th access to an internet connection 4.24. Nomadic wireless technology provides devices wi within a limited area: for example, the localised WiFi Access Points offered by coffee shops in order to encourage custom. Users are transient and access to the internet he specified premises. If the device by a device can only be traced to a timeslot in t connects to the internet elsewhere an identifier called a MAC address will recur, however it is possible to change MAC addresses. 4.25. The internet provides opportunities for undetected communications: (a) Anyone can set up a n email address or social networking profile using a 18 pseudonym. 19 (b) Criminal gangs can use gaming consoles to communicate . (c) Opportunities for covert communications via the internet include the use of 4.67 - internet cafes and hidden web pages (see belo w). 4.70 (d) Encryption software, discussed in more detail below, can be used to hide the content of communications. (e) An instant messaging service called Wickr allows users to send encrypted and self - destructing messages. New sources of data 4.26. ge has also resulted in the explosion of open source information. Technological chan This describes all information that is in the public domain, such as social networking sites, websites, blogs and many specific open source data and service providers. 18 A glimpse into the future of online iden tities can be found in patents granted to Apple in 2014 for Automatic Avatar Creation technology and Avatar Reflecting User State technology. The former can create a 3D icon resembling the user, while the latter will allow users to communicate via individ ualised avatar expressions: L. Gonzalez, “Why Apple thinks 3D Avatars Will be the Future of Online Identities”, th PSFK, 10 April 2014. 19 JCDCDB Report, p. 381, citing the evidence of Peter Fahy, Chief Constable of Greater Manchester Police. 54

61 CHAPTER 4: TECHNOLOGY The year 2000 has be 4.27. en identified as the year a social networking site (Friends 20 Reunited) first appeared in the UK, with Facebook and Twitter appearing in 2004 and 2006 respectively. By Q4 2014, there were 1.39 billion monthly active Facebook users. 21 The equivalent figure f or Twitter was 288 million. Such sites provide the opportunity : the use of open for an expansion of what is called Open Source Intelligence [OSINT] 22 source information for intelligence purposes. In the US, an official report into the events leading up to 9/11 recommended the setting up of an Open Source Agency. A similar recommendation was made in an official report into weapons of mass destruction shortly later. The Open Source Center was established by the Director of 23 The Center was charged with collecting information National Intelligence in 2005. the Internet, databases, press, radio, television, video, geospatial data, available from “ 24 photos and commercial imagery. A former head of the bin Laden Unit of the Central ” Intelligence Agency in the 90% of what you need to know” United States noted that “ 25 comes from OSINT. According to a report in 2010, “ in the aftermath of 9/11, intelligence failures - particularly a deficient consideration of OSINT ... - have been 26 identified as major reasons for the ” inability to anticipate and prevent these attacks. In October 2014, James Clapper, the Director of National Intelligence, described social 27 media as “ ”. huge for intelligence purposes As explained to the JCDCDB by Colin Crowell, Head of Global Public Pol icy at Twitter, 4.28. law enforcement can simply go to the Twitter website and locate what they are looking for. Even this may no longer necessary: a social media monitoring platform called Geofeedia allows anyone to “ search, monitor and analyse real - time socia l media 28 ” content by location, from anywhere in the world with a single click. In addition, social data providers, such as GNIP, provide a one stop shop for social data. - 4.29. UK law enforcement and security and intelligence agencies of course use OSINT , 29 though the extent of that use is not publicly known. By way of example, following a review by the Her Majesty ’s Inspectorate of Constabulary of the August 2011 disorders 20 worth, An Introduction to Social Media Marketing , 2014, p.43. A. Charles 21 http://www.statista.com , 2015. See: 22 In 2012, the term “SOCMINT” was coined to cover Social Media Intelligence (see Sir D. Omand, J. Bartlett and C. Miller, “Introducing Social Media Intelligence (SOCMINT) ” , (2012) Intelligence and National Security, Vol 27, Issue 6. Others regard it as part of OSINT: see “Social Media Intelligence – Same Song, New Melody?”, Open Source Intelligence Blog, 31 October 2012. (SOCMINT) 23 Open Source Intelligence in a Networked World , Antony Olcott, (2012), pp. 86 - 87. 24 See the press release by the Office of the Director for National Intelligence: ODNI Announces 2005, of Open Source Center , November 8 see: Establishment http://fas.org/irp/news/2005/11/odni110805.html . 25 S. B. Glasser, “ Probing Galaxies of Data for Nuggets ”, The Washington Post, 25 November 2005. 26 International Relations and Security Netwo OSINT Report 3/2010 , (2010), p.6. rk, 27 In a speech at the Grand Hyatt Hotel in Washington DC, a copy of which can be found at: http://www.dni.gov/index.php/newsroom/speeches - and - interviews/202 - speeches - interviews - 2014/files/documents/Newsroom/title=%22Go . 28 See Geofeedia’s website: http://geofeedia.com/how - i t - works . 29 I am aware that Privacy International have made Freedom of Information requests to law enforcement but that these were refused. 55

62 CHAPTER 4: TECHNOLOGY 30 in an “ all - sources hub ” was created to help police to tackle disorder, English cities, 31 ch includes social media monitoring. whi The use of location data provided by mobile phones is another example of the “ new 4.30. 32 ” dimensions of data ed by technological change. It comes as a surprise to many creat smart phone owners to see how much detailed information about their movements is 33 routinely recorded and retained on default settings. The impact of this dimension was brought to life by the Germ an politician, Malte Spitz, in 2009, after he obtained his phone data from Deutsche Telekom and permitted a newspaper to combine that location data with information freely available about him online, in order to produce a 34 a six - month period. detailed map of his movements over This new source of data has become more voluminous in a world full of app update notifications: location data are created by every notification. Tweets posted from mobile phones can also reveal ces. In February 2015 research was published location data, as do Public WiFi servi which shows how information about a user’s location can be obtained simply by reading aggregate power usage on a phone. Modern mobile platforms allow 35 applications to read this information. Images taken on mo bile phones, and some cameras, also embed location data in the image file. 4.31. These new dimensions of data are ever increasing. The iPhone 5S, introduced in 2013, contains Touch ID technology allowing the user’s fingerprint to act as a pass 36 successors. code, as do its Samsung Smart TVs have a voice recognition feature which, if activated, sends voice data over the internet to a voice recognition service. A UK bank is carrying out a trial of technology which uses customers’ heartbeats to verify their ident ity for online banking. 4.32. Tags using radio frequency identification allow the objects to which they are attached or in which they are embedded to be located: they may be used by retailers to track inventory and prevent shoplifting, but also to transmit loca tion information after purchase. Cars are increasingly becoming software platforms: “ black box insurance ” allows premiums to be calculated on the basis of driving behaviour as monitored by telematics, and may also allow emergency services to be notified i n the event of a 37 crash and guided to the site by Global Positioning System [GPS] technology. 4.33. A source of data predicted to enter the mainstream by 2020 is the Internet of Things or machine to machine communications. These terms are used to descri [IOT] be the idea of having all electronic devices at home and in the workplace connected to the 30 Her Majesty’s Inspectorate of Constabulary, The rules of engagement: A review of the August 2011 (201 Disorders 1). 31 Open Source Intelligence in the Twenty - First Century: New Approaches and See C. Hobbs et al (eds), , (2014), p 24. Opportunities 32 As set out in the Submission I received from Dr Paul Bernal, p. 3. 33 To see where you have been and how long you st ayed, on an iPhone 5 or 6 click on Settings, Privacy, Location Services, System Services, Frequent Locations. 34 As can be seen at http://www.zeit.de/datenschutz/malte - spitz - data - ention . ret 35 R. Whitwam, “Battery power alone used to track Android phones”, Extreme Tech Website, 23 February 2015. 36 One of three future trends in the application of biometrics identified by witnesses to the House of Commons Science and Technology Commi ttee Inquiry into biometric data was the proliferation of mobile th Current and Future Uses of Biometric data and technologies , 6 biometrics: Report of 2014 - 2015, p. 9, published 7 March 2015. 37 “Little black box under the bonnet saved my life”, Mail Onl ine, 10 March 2015. 56

63 CHAPTER 4: TECHNOLOGY internet and capable of communication without human intervention. As explained by one journalist: stem, your “In the World of the Internet of Things, your car, your heating sy refrigerator, your fitness apps, your credit card, your television set, your window shades, your scale, your medications, your heart rate monitor, your electric - toothbrush and your washing machine to say nothing of your phone generate 38 uous stream of data that resides largely out of reach of the individual.” a contin A speaker at a Wilton Park seminar in November 2014 summarised the position as being that in 1975 there were 1 billion connected places; in 2010 there were 5 billion connected peopl e; and that in 2020 there will be 50 billion connected devices. This expansion will be enabled by the latest version of the Internet Protocol, IPv6, which provides a far greater number of IP addresses than existed under IPv4. One already common use of IOT is in energy efficiency. An internet enabled smart 4.34. - thermostat adapts to its user’s behaviour patterns by recording energy usage, home 39 Machine - temperature, humidity, ambient light and nearby movement. - to machine communications will make it increasing ly difficult to know who owns particular data. Smart meters also provide the potential for malicious disruption: this is the consumer end of the more widespread scope for supervisory control and data acquisition attacks on control systems. It has been su ggested that adopting IOT without adequate security You will afford major opportunities for surveillance: in the words of Phil Zimmerman, “ 40 pay good money . ” .. to turn your home into North Korea. The fastest growing category of IOT is wearable devices. Wi dely known examples 4.35. have included Fitbit and Google Glass, but these are just the tip of the iceberg of an industry entering fields such as law enforcement and health. The wearing of body 5 has been cameras by police is currently being trialled across the UK and 201 41 Indeed, “ Implantables, predicted to be the year of wearable technology. embeddables and even ingestables are already emerging as the next wave of 42 wearable technology. ” This is in line with one of the predictions made by technology experts as augmented reality to what the digital world will look like in 2025, namely, “ enhancements to the real world input via portable, wearable and implantable 43 devices The scope for communication by new generations of medical devices ”. (pacemakers, hearing aid s, etc.) is clear. 4.36. IOT will lead to the growth in the volume of data, as data are generated on a continuous basis from sensors in these connected devices. In this way, IOT will provide further 38 S. Halpern, “The Creepy New Wave of the Internet”, The New York Review of Books, 20 November 2014. 39 B. Schneier, Data and Goliath , 2015, chapter 1. The manufacturer, Nest, was bought by Google in 2014. 40 Crypto CPDP conference, “ wars reloaded ”, Brussels 21 - 23 January 2015, https://www.youtube.com/watch?v=CcVj5LNwDa8 at 67 min. 41 “2015 gears up to be the year of wearable tech”, The Guardian, 25 December 2014. 42 A. Thie rer, “The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation , (2015) 21 Rich. J.L. & Tech. 6. ” 43 poses Pew Research Center, Digital Life in 2025 , (March 2014). Augmented reality technology superim - world environment. a computer - generated image onto the real 57

64 CHAPTER 4: TECHNOLOGY 44 large data sets . The development of tools to aid visualisation of [Big Data] fuel for Big Data is a growth industry too. It is predicted that there will be 28 billion IOT devices 45 and the data transmission speeds made possible by the next generation of by 2020, mobile network (5G) will fuel this growth. Furt hermore, IOT is expected to increase the use of cloud computing services: indeed 4.37. it is predicted that in the next five years 90% of IOT data will be hosted via cloud services. Cloud computing is the term used to describe the delivery of computing s over the internet on demand. Users can access software via the cloud resource rather than purchase the software. Another aspect of cloud services is the storing and accessing of data. This makes cloud computing an ideal storage system for IOT as it provides th e ability to respond quickly to changes in demand and supply. Since the beginning of 2015, two telecommunications companies have launched cloud - based 46 products to handle data generated by IOT. Machine learning technologies 4.38. Growth in computer processing c apacity and data sets has led to advances in a branch 47 Deep Learning software mimics the of artificial intelligence called Deep Learning. structure of the human brain in order to train computers to see patterns. Research published at the end of 2014 desc - recognition software is now capable ribed how image of recognizing and describing scenes, rather than just identifying objects in scenes. The software was developed by training computers to see patterns in pictures and their 48 description using neural netwo rks. The Biometric s Commissioner has highlighted the fact that there have been substantial 4.39. developments in both automated facial and speaker recognition systems in the last 49 The technique involved in Deep Learning is at the heart of some of t few years. hese recent developments in biometric systems. It has been applied in the area of facial recognition to develop software called Deep Dense, which is able to determine whether 50 O an image contains a face, even if part of the face is hidden or upside down. pen Rights Group’s submission to the Review highlighted that machine learning technology has been used to teach computers to classify faces based on attributes such as facial expression or hair style. It is also behind advances in speaker recognition syst ems. The NSA Technology Transfer programme 2013/2014 lists an invention capable of real - time simultaneous identification of multiple voices. One of three future trends in 44 See 8.65 onwards for the use of Big Data by private companies. Examples of how Big Data can be good . used for the common good can be found at http://www.nesta.org.uk/publications/data - 45 This was the figure quoted by IBM from analyst firm IDC in announcing cloud services for IOT devices: - http://www.theinquirer.net/inquirer/news/2376409/ibm announces - internet - of see things - cloud - - services . 46 Blackberry announced this on its website: http://press.blackberry.com/press/2015/blackberry - unveils - - cloud based - internet - of - things - platform - .html , and AT&T’s launch was announced in early January on 2015: http://www.computerworld.com/article/2864069/att - builds - internet - - of - things - offerings - with - cloud - - data - store.html . based 47 As set out in some detail in MIT Technology Revi ew, 10 Breakthrough Technologies 2013, see http://www.technologyreview.com/featuredstory/513696/deep - learning/ IBW Watson uses Deep Learning techniques. 48 See e.g. J. Mar koff, “Researchers Announce Advance in Image Recognition Software”, NY Times, 17 November 2014. 49 Biometrics Commissioner: Annual Report 2013 - 2014 , para 336. 50 015. “”Deep Dense Face Detector” a breakthrough in face detection”, TechWorm website, 20 February 2 58

65 CHAPTER 4: TECHNOLOGY e and the application of biometrics identified by witnesses giving evidence to the Scienc Technology Committee Inquiry into biometric data was the linking of biometric data 51 with other types of Big Data into order to facilitate profiling. Data mining The collection of vast volumes of data enables the identification of patterns and 4.40. ions of future behaviour, a process called predictive analytics, data mining or predict 52 Big Data. An example of this technique is a predictive policing system called PredPol, which analyses large volumes of crime reports to identify areas with high The system has been used by Kent Police to for certain types of crime. probabilities predict when and where drugs crimes and robberies are likely to take place. PredPol is simply about when and where a crime will take place; other technology is aimed at predicting wh o will commit them. In 2011, the US Department of Homeland Security tested Future Attribute Screening Technology, which seeks to identify potential criminals by monitoring individuals’ vital signs, such as cardiovascular signals and ts. respiratory measuremen Geographical changes 4.41. One of the Snowden Documents stated that the UK had the “biggest internet access ” in Five Eyes Alliance (made up of the UK, US, Canada, New Zealand and Australia) and added “ We are in the golden age ”. However, the growing tre nd of US ISPs moving to Malaysia and India was also noted and it was suggested that “ traffic will no longer 53 transit the UK ”. This movement from west to east reflects the fact that Western Europe and North America are experiencing digital saturation, whil st countries such as India are predicted to drive future growth of the online market. The United Nations predicts that 2015 will be the year when Chinese speaking users of the internet - outnumber English speakers. ssage of laws to enforce the localisation of A further trend is the move towards the pa 4.42. data. In April 2014, Russia introduced a draft law requiring companies to locate servers handling Russian internet traffic locally. This is due to come into effect on 1 54 September 2015. Brazil introduced a bi ll containing data localisation proposals, 55 which was later withdrawn. China and Vietnam have passed data localisation laws. Brazil also announced plans in 2014 to build a fibre optic underwater cable between Europe and Brazil. This was reported to be a n attempt to reduce Brazil’s reliance on 56 US cables to carry communications to Europe. 4.43. All these trends point towards a decreasing bulk collection capability for the West. The golden age may already be passing. This decreasing capability is exacerbated for the 51 Current and Future Uses of Biometric data and technologies , (March 2015). 52 - Schonberger and K. Cukier, “At its core, big data is about predictions”, (2013) Big Data, p. 11. V. Mayer 53 See “Mastering the internet: how GCHQ set out to spy on the world wide web”, The Guardian, 21 June 2013. 54 See Hogan Lovell’s Chronicle of Data Protection Blog, Russia Data Localization Law update and webinar, 24 March 2015. 55 M. Bauer et al, “The Costs of data localisation: Friendly Fire on Economic Recovery”, ECIPE, No 3/2014. 56 See “Brazil, Europe plan undersea cable to skirt US spying”, Reuters, 24 February 2014. 59

66 CHAPTER 4: TECHNOLOGY UK by the growth of cloud computing. By 2016, the bulk of new IT spending will be on 57 cloud computing platforms and applications, and the expansion of Network Function astructure virtualisation will mean that cloud providers will be able to host network infr as virtual machines. Most cloud providers are based outside the UK and store data in data centres outside the UK. Encryption 4.44. Encryption refers to the process of converting information, such as the contents of a message, into unreadable form, so that only someone with the decryption key can read it. It is a crucial part of the transactions we make every day as banks use it to keep data secure during financial transactions. There are a number of types of encryption; for example: Encryption in transit provides security during the transmission process. (a) (b) End end encryption provides security at either end of the communication, so to - - that only the recipient, not the company running the messaging service, can decrypt the message. The two basic techniq ues of encryption are symmetric encryption and asymmetric or 4.45. - public key encryption. Symmetric encryption involves the use of one secret key to both encrypt and decrypt messages. Asymmetric encryption was developed in the 1970s, in an attempt to counter t he risks associated with the use of one key. It involves the use of two linked keys; a public key and a private key. A user who wants to send an encrypted message can get the recipient's public key from a public directory. This key is used to encrypt th e message, which is sent to the recipient. The recipient can then 58 decrypt the message with a private key. 4.46. The first widely available public - key encryption software was Pretty Good Privacy [PGP] , released in the 1990s as a response to the US government’s attempt to control 59 The proposal encryption via a proposal by the NSA, known as “ Clipper Chip ”. entailed the insertion of a chip into every new piece of electronic device, which would provide encryption for communications. However, all devices containin g a chip would be assigned an extra key which would be given to the government in escrow. If the government provided a warrant permitting access to a particular communication this extra key could be used to decrypt the data. Opposition to the proposal wa s considerable and a number of encryption packages were released in an attempt to derail it. The proposal was ultimately abandoned: but the issue has recently come to the forefront again as a result of the increasing adoption of encryption software. 4.47. This trend towards encryption pre - dates the Snowden Documents, though it is likely to 60 have been accelerated by them. In the year leading up to the release of the Snowden 57 The Digital World in 2030 The European Internet Forum, , March 2014. 58 The story of the invention of public key cryptography is told by S. Singh , The Code Book , 1999, chapters 6 and 7. 59 Ibid. , pp. 310 - 311. 60 accelerated the use of default The Director - General of MI5 told ISC stated that the Snowden Documents “ encryption by internet companies...which was coming anyway ”: Report on the Intelligence relating to [ISC Rigby Report] , November 2014, para 440. the murder of Lee Rigby 60

67 CHAPTER 4: TECHNOLOGY - parties (gatherings where hosts teach guests, who bring their Documents, crypto digital devices, how to download and use encrypted email and secure internet browsers) had begun to take place in a number of countries, with the aim of bringing 61 ” “crypto to the masses . In January 2014 the British Government launched a etwise, urging individuals and businesses to protect campaign called Cyber Stre themselves online. Privacy - 4.48. enhancing changes introduced by Apple in 2014 include encrypting data by default on iPhone devices, a move also made by Google in respect of Android devices. owed this lead by providing end to - end encryption for WhatsApp has foll - communications. Apple also provides encryption by default on its latest operating systems for laptop and desktop computers. Encryption has been a setting on Apple and Google devices for some years, bu t now the onus is on the customer to opt out. The encryption of material on the device is now user - controlled, meaning whilst previously Apple could unlock any device using a key that it controlled, it is now unable to unlock iOS 8 devices. 4.49. The level of concern about this trend amongst security and intelligence agencies is demonstrated by the accusation levelled at US service providers by the head of GCHQ 62 command and control network of terrorists ”. that they are becoming the “ This is a reference to the fact that terrorists are making increasing use of encryption technologies in order to hide their communications. In 2014, the Director of the Federal Bureau of Investigation in the United States [FBI] , suggested that the “ post - Snowden 63 th ’, pendulum has swung t and on 11 ar’ oo f January 2015 UK Prime Minister David Cameron announced that if he is leading the next government, he will introduce 64 legislation in 2016 to eliminate “ safe spaces ” for terrorists to communicate. However, there are many strands to the encryption debate. A number of Snowden 4.50. Documents refer to encryption. For example, according to a Briefing Sheet said to relate to an NSA programme called BULLRUN, “ [i]n recent years there has been an ovements in defeating network aggressive effort, led by NSA, to make major impr ” An excerpt said to be found security and privacy among many sources and methods. SIGINT Enabling ” in an NSA 2013 Budget Report describes a project called “ one as which “ actively engages US and foreign IT industries to covert ly influence and/or 65 ” . Amongst other things, the overtly leverage their commercial products designs program is designed to “ ” and insert vulnerabilities into commercial encryption systems “ influence policies, standards and specifications for commercial pub lic key technologies ”. It further states that “ design changes make the systems in question exploitable through Sigint collection ... with foreknowledge of the modification. To the 66 consumer and other adversaries, however, the systems’ security remains intac t” . The BULLRUN Briefing Sheet states that “ virtually all decryption is done by PTD 61 See http://www.cryptoparty.in/ . 62 “GCHQ chief accuses US tech giants of becoming terrorists’ networks of choice”, The Guar dian, 3 November 2014. 63 “FBI Chief Comey Hints at Phone Encryption Regulations Suggesting the Pendulum of Privacy has ‘Swung too Far’”, iDigitalTimes website, 17 October 2014. 64 “David Cameron pledges anti - terror law for internet after Paris attacks”, The Guardian, 12 January 2015. 65 The term [SIGINT] is used to refer to Signals Intelligence. 66 “Secret Documents Reveal NSA Campaign against Encryption”, NY Times, 5 September 2013. 61

68 CHAPTER 4: TECHNOLOGY 67 - ” As part of (ARTHUR) processing PTD is reported to be a group based at GCHQ. a programme called EDG EHILL, it was said that GCHQ hoped to break the encryption 68 es of 15 major internet companies and 300 VPNs by 2015. cod The response of Office of the Director of National Intelligence to publication of these 4.51. security and intelligence agencies documents was that it should not be surprising that Cryptog raphy seek ways to counteract encryption. Bruce Schneier commented: “ online trust. By deliberately undermining online security in a short - forms the basis for 69 NSA ”. sighted effort to eavesdrop the is undermining the very fabric of the internet Back doors and front doors The reference to “ design changes ” at 4.50 above appears to denote “ back doors ”, 4.52. the creator of software or which have been defined as access points that enable “ 70 consent of the user ”. hardware (to) access data without the knowledge or There may be said to be a back door if anyone other than the communicating parties and service providers has access to a communication. The term “ front door ” was described by the Director of the FBI, James Comey, as a 4.53. built transparently ” so that “ the chances of a vulnerability being unseen door which is “ 71 ” than with a back door. The Director of the NSA, Mike Rogers, stated are much lower during an address on 23 February 2015 that the term back door sounds “ kind of 72 front ested the creation of a legal framework whereby access via a “ and sugg ” shady door ” would provide access to a communication on possession of a warrant. A door is however a door, and the difference between front and back generally relates to the acknowledgment of it s existence rather than to any technical distinction. 4.54. The technology industry tends to be opposed to the idea of any kind of door because the additional code that has to be written in to create the door increases the risk of 73 improper access to the system In , and thus consumer confidence in their products. the words of two encryption experts: “[A] ‘back door’ ... increases the ‘attack surface’ of the system, providing new points of leverage that a nefarious attacker can exploit. It amounts to creating a s - in flaw. ... If companies like Apple, Google, Microsoft, and ystem with a built Cisco (just to name a few) are somehow forced to include governmentally mandated flaws in their products, these flawed systems become part of our 67 Ibid . 68 “Revealed: how US and UK spy agencies defeat internet pr ivacy and security”, The Guardian, 6 September 2013. 69 Ibid. 70 S. K. Pell, “Jonesing for a Privacy Mandate, Getting a Doctrine Fix - Doctrine to Follow”, (2013) North 2. Carolina Journal of Law and Technology, Vol. 14, Issue 2, (“Jonesing for Privacy”) p. 53 71 In a webcast by the Brookings Institution, “Going Dark: Are Technology, Privacy and Public Safety on a Collision Course”, 14 October 2014: . https://www.youtube.com/watch?v=Dkbh5fJoFhc 72 “NSA director defends plan to maintain ‘backdoors into technology companies”, The Guardian, 23 February 2015. 73 Alex Stamos, Yahoo’s Chief Security Officer was reported in the Washington Post as comparing the : “Clinton is looking for a middle ground on building of back doors to “ drilling a hole i n a windshield” encryption that experts say doesn’t exist”, the Washington Post, 25 February 2015. 62

69 CHAPTER 4: TECHNOLOGY , and the stakes become a lot higher than hacked national critical infrastructure 74 cell phone photos or our address books.” The experts to whom we spoke told us that if one government can gain access through a door, so can other governments and private actors. Sooner or later the existe nce and knowledge of how to exploit such flaws will be discovered via research, serendipity, bribery or coercion. An increasing number of companies – including for - example Microsoft, Google and Adobe offer significant rewards programmes to individual an d companies who can identify weaknesses in their software. An alternative to back doors is the use by governments of hacking capabilities and 4.55. malware, often referred to as . The idea is to exploit natural weaknesses in CNE 75 subjects’ devices rather than inc rease security vulnerabilities via back doors. “ Individualised solutions ” was an approach put forward by FBI General Counsel 76 Caproni for that percentage of criminals that use sophisticated technologies. In knowledged by the publication of the February 2015, the use of CNE in the UK was ac [Draft Equipment Interference draft code of practice on interference with equipment 77 Code] . Quantum Computing 4.56. Concern about the growing use of encryption has led to the search for ways to counter the technology. The NS A is said to be carrying out research into building a quantum 78 computer, which would be able to break current encryption. Estimates as to when the first quantum computer is likely to appear range from 5 - 20 years. In November 2014, the Government announce d the creation of a national network of Quantum Technology Hubs that will explore the properties of quantum mechanics as part of the 79 UK National Technologies Programme. However, designing quantum - resistant Electronics - cryptography is a “ difficult task ”, according to the Communications 80 Security Group based at GCHQ. Steganography In addition to encryption software, software exists which allows messages to be hidden 4.57. in images, a process called steganography. Camouflage is one such software hides files by scrambling them and attaching them to a cover file, which programme. It acts as a carrier for the secret file. A United Nations Report from 2012 describes how members of the Revolutionary People’s Liberation Party Front used Camouflage to 81 n images in JPEG and graphics interchange format files. Professor hide data withi 74 J. Vagle and M. Blaze, “Security “Front Doors” vs “Back Doors”: A Distinction Without a Difference”, Just Secu rity website, 17 October 2014. 75 Jonesing for Privacy, p. 540. 76 p. 542. Ibid., 77 See further 6.24 - 6.31 and 7.63 - 7.65 below. 78 “NSA seeks to build quantum computer that could crack most types of encryption”, Washington Post, 2 January 2014. 79 See the press release by the Engineering and Physical Sciences Research Council, on their website at: http://www.epsrc.ac.uk/newsevents/news/quantumtechhubs/ . 80 P. Campbell and others, “Soliloquy: A Cautionary Tale”, (2014), available freely on the internet. 81 (2012), p. 56. t Purposes, United Nation Office on Drugs and Crime, the Use of the Internet for Terroris 63

70 CHAPTER 4: TECHNOLOGY Alan Woodward has warned that moves to ban encryption could result in those who 82 wish to do harm using steganography instead. Will the encryptors always win? 4.58. imed at combating encryption has been questioned by The efficacy of legislation a 83 some, as there are ways to avoid detection. 4.59. There is force in the argument: but it reckons without human fallibility. Fingerprint need only wear databases are a staple of police work, despite the fact that criminals gloves to render them useless. Similarly, even when encryption cannot easily be broken or circumvented, criminals will not always operate it properly. Thus: FBI General Counsel Caproni told the US Congress at a hearing about (a) nologies in 2011 that the majority of targets “ tend to be somewhat changing tech 84 However, some argue that due ”. lazy, and a lot of times resort to what is easy to the expansion of encryption, targets are likely to end up using it. The growth ettings makes encryption easier. of encryption by default s (b) As Lord Carlile QC explained to the JCDCDB in 2012, criminals still make calls 85 on lines that are listened to and send texts that can be tracked. The 2014 investigation by the ISC into the murder of Fusilier Lee Rigby (c) revea led that one of those responsible, Michael Adebowale, used his landline - Qaida in the Arabian Peninsula. to communicate with a member of Al End - to 4.60. end encryption can provide a high level of privacy for the content of - communications. However, pattern analy sis of communications data can still identify - [OSCT] targets. As Charles Farr of the Office for Security and Counter Terrorism explained to the JCDCDB “ if you have the right kind of data, issues of anonymisation : 86 cease to be a significant problem ”. ISC Privacy and Security Report noted that The bulk interception was chiefly to GCHQ for the content of communications so much not 87 as for “ the information associated with those communications ”. 4.61. Establishing patterns via communications data becomes more diffi cult when a greater proportion of communications data are encrypted or there are less communications is decreasing because OTT data. The amount of communications data visible to CSPs 88 (SSL) providers, increasingly use Secure Sockets Layer to provide encry ption. This means that communications data such as the sender and recipient of an email are not visible to the CSP. When SLL is used the CSP will only see that the message is to be delivered to the particular OTT provider. As mentioned earlier, OTT prov iders are usually based overseas and so ease of access to this communications data by law 82 “Viewpoint: Criminals can hide data in plain sight”, BBC Website, 28 August 2012. He reiterated his https://twitter.com/profwoodward warning on 12 January 2015 on Twitter: . 83 Jimmy Wales, JCDCDB, Oral Evidence, p. 196. 84 Jonesing for Privacy, p. 542. 85 JCDCDB, Oral Evidence, p. 279. 86 Ibid. p. 11. 87 ISC Privacy and Security Report, para 80. 88 Websites which use secure sockets layer start with https. 64

71 CHAPTER 4: TECHNOLOGY security and intelligence agencies via warrant or court order is enforcement and reduced. In addition, there are an increasing number of anonymity tools which offer to hide communications data. Furthermore, there are some OTT providers which do not g. riseup.net, dukgo.com). The diagrams in Annex store communications data at all (e. 5 set out the impact of these trends on lawful access to c ontent and to this Report c ommunications data. The dark net 4.62. Three commonly used categories of websites are as follows: The open web describes those web pages that are found using standard (a) search engines such as Google. makes up the vast majority (c. 90%) of web pag The deep web es and describes (b) those sites which cannot be found using standard search engines: intranet pages, administrative databases and personal photo collections. (c) The dark net (or dark web) is a tiny part of the deep web, consisting of tens of thousands of website s: the operators of these websites use sophisticated or the Invisible Internet anonymity systems such as The Onion Router [Tor] a world Project to conceal their identities. The dark net has been described as “ of complete freedom and anonymity...where use rs say and do what they like, 89 ” This enables it to uncensored, unregulated, and outside of society’s norms. be used by whistleblowers and political activists who rely on anonymity, but also for black market sales and (in common with many non dark net site s) child - pornography. 4.63. Perhaps the best - known dark net site is Silk Road, which used anonymity software to provide a marketplace for illegal goods, such as weapons and drugs. Payment for the h operates outside the goods took place using a digital currency called Bitcoin, whic banking system and relies on encryption to ensure its integrity. Illegal drugs and other goods to a value of more than $1.2 billion were sold to some 150,000 customers between February 2011 and July 2013, using an eBay - style format in which buyers could grade sellers for their reliability and the quality of their goods. 4.64. Policing the dark net is extremely challenging but not necessarily impossible, as demonstrated by the fact that the first version of Silk Road was taken down by rities in 2013 and by the success of Operation Onymous in November 2014, an autho international operation which resulted in the shut - down of dozens of dark net sites 90 including Silk Road 2.0. 89 J. Bartlett, The D ark Net, 2014, p.3. For Tor, see 4.67 - 4.69 below. 90 web takedown”, The Guardian website, 7 “Silk Road 2.0 targeted in ‘Operation Onymous’ dark - November 2014. 65

72 CHAPTER 4: TECHNOLOGY - Anonymity and anti surveillance tools 4.65. Users of the open web who take no steps to protect their anonymity reveal information about themselves which can be used to track the online activities of a device and to ascertain the identities of its users. For example: The content of communications (e.g. emails) may be monitored b y anyone with (a) access to the relevant network infrastructure, though this may be technically challenging as well as unlawful. (b) The IP address which every device must have in order to request and receive 91 content from websites can be recorded by the website op erator. Cookies (c) (text files placed by certain websites on the devices of their users) may enable e.g. a search engine operator to remember a user’s recent search terms. That information may be passed on to third parties who can use it for targeted advert ising. 4.66. Simple ways of hiding one’s identity include the deletion of web browsing histories and the use of pseudonyms on social media sites. More sophisticated anonymity systems amentary offer stronger protection. According to a recent research note from the Parli Office of Science and Technology: “Technologies that anonymise internet users have become increasingly popular in recent years. They help citizens to protect their security and privacy and to circumvent censorship. They also facilitate organised crime, such as 92 the billion dollar drug market known as Silk Road.” centralised trust systems such as VPNs, in Those technologies can be divided into which a single entity (usually the provider of the service) can know the identity of all distributed trust systems , in which this communications partners, and users and their is not the case. The best - known distributed trust system is Tor (4.62 ) 4.67. above) , which consists of: (c (a) The Tor Network: some 6000 computers, provided by volunteers and forming a global network of nodes; an d (b) free software that enables the computers of some 2.5 million Tor users to access the Tor Network, encrypting a user’s data and relaying them through several nodes so as to hide the user’s IP address and other identifiers. 4.68. The Tor Project claims that c .98.5% of traffic on the Tor Network is from users accessing the open web. It may thus be a valuable tool for anonymous activism, dissident activity, victims of digital abuse such as cyber stalking and even covert online surveillance by law enforcemen t authorities. Tor provides special nodes called bridges 91 allocated IP addresses may be linked to an individual device, but are sometimes shared or re - as users connect and disconnect from the internet. IP resolution, facilitated by the CTSA 2015, aids the process of linking device to IP address. See 4.18 above. 92 in this section. “The dark net and online anonymity”, (March 2015). That note is extensively relied upon 66

73 CHAPTER 4: TECHNOLOGY to help users living in regimes such as China, which explicitly block the Tor network. It was reported in 2014 that Russia had offered a reward of 3.9 million roubles to anyone able to develop a wa y to identify Tor users. The Tor Project received funding in 2014 from bodies including the US Departments of State and of Defense. [THS] More controversial, and potentially sinister, are the Tor Hidden Services 4.69. websites (some 40,000 in 2013, identified b y .onion addresses), accessible only via the Tor network. Research is difficult, but it is clear that some at least of these websites host criminal markets (most famously Silk Road) and indecent images of children. Law - enforcement has enjoyed limited suc cess in de anonymising Tor users and shutting down THS sites. The Snowden Documents allege that, as of 2012 at least, Tor was 93 considered a “ major” problem for security and intelligence agencies . But the Parliamentary Office of Science and Technology ref erences doubts over whether it would be technologically feasible to legislate against the availability of THS in the . UK - 4.70. Following the release of the Snowden Documents there is evidence of a growing anti 94 surveillance market. The latest tool to be release d by a coalition of human rights and technology organisations is called DETEKT. This scans computers for traces of surveillance technology called Finfisher and Hacking Team RCS, which has been reported to have been used to target human rights activists an d journalists in countries International all over the world. A project is also said to be underway to develop an 95 Mobile Subscriber Identity [IMSI] catcher detector. Decentralised networks Concern regarding government surveillance has led to a growth in t 4.71. he number of initiatives aimed at decentralising the internet. The purpose of a project called 96 Ethereum is to “ : it seeks to do this by using the technology decentralise the web ” afe provides behind the Bitcoin currency and applying it to a variety of services. Maids a decentralised internet platform by using the spare space on users’ hard drives to 97 store data rather than the servers of large tech companies. In addition to these ged which initiatives to decentralise the internet, a number of applications have emer use mesh networking technology to communicate rather than the internet. Vodafone referred to the fact that during recent protests in Hong Kong, protesters used a mesh networking application called Firechat to communicate. By doing so users coul d bypass Chinese government censorship and potential disablement of cellular networks. 93 “Prying Eyes: Inside the NSA’s War on Internet Security”, Spiegel Online, 28 December 2014. 94 Following the release of the Snowden Documents it was widely reported that the Indian High Commission in London had reverted to old technolog y, namely, the typewriter. 95 See 4.72 - 4.74 below. 96 https://www.ethereum.org/ . 97 . http://maidsafe.net/ 67

74 CHAPTER 4: TECHNOLOGY New capabilities IMSI catchers Interception capabilities in relation to mobile phones are considerable, due to the 4.72. 98 atchers or IMSI grabbers. These increasing sophistication of devices called IMSI c devices intercept signals between a mobile phone and a mobile phone base station, by mimicking the mobile phone base station. 4.73. The capabilities of the devices vary considerably. Some collect IMSI and International Mobile S tation Equipment Identity numbers of mobile phones within the range of the device. These unique identifying data can then be used to identify the owner of the mobile phone. More sophisticated devices have the ability to intercept outgoing calls and text messages. Some can even alter the content of a text message and block calls. The most sophisticated devices can deploy malware. 4.74. , allowing collection Reports suggest that the devices have been attached to aeroplanes open market for as little as £100, and body - over a wide area. They are sold on the 99 worn versions are available. Rather 4.75. more simply, man - in - the - middle attacks using WiFi are now commonplace. Access Point names may be duped, and both data and metadata collected easily. Demonstrations of such systems in use are often given at security events to reveal 100 how vulnerable most people are around WiFi and mobile devices. Software and techniques for extracting WiFi passwords is also widely available. Geotime re had been purchased by the Metropolitan 4.76. It was reported in 2011 that Geotime softwa police. This is said to aggregate information gathered from social networking sites, GPS devices like mobile phones, financial transactions and IP network logs to build a nts. detailed picture of an individual’s moveme Location data 4.77. Advances in technology have not only increased the opportunities for SIGINT. Surveillance methods have also become more sophisticated. For example, it has been seen that location data can be tracked by intercepting mobile phone towers. However, the advent of Google Maps means such information can also be obtained by intercepting Google Map queries on phones. According to a leaked GCHQ 98 Brand names for these devices include DRTboxes and Stingrays. The existence of safeguards against the misuse of these devices by police and other public authorities was the subject of a written question The response given was that investigative activity involving in the House of Lords at the end of 2014. interference wi th property or wireless telegraphy is regulated by the Police Act 1997 and the Intelligence Services Act 1994 [ISA 1994] : Hansard HL 11 November 2014 Written Answers col 24. 99 See S.K. Pell and C. Soghoian, “Your Secret Stingray’s no Secret Anymore: The V anishing Government over Cell Phone Surveillance and its impact on National Security and Consumer Privacy”, (2014) Harvard Journal of Law and Technology, Vol 28, No 1. 100 How to hack Wifi | Evil Twin Access Point | Man in the Middle Attack | MITM | ). https://www.youtube.com/watch?v=aIyKZuxNRnk ( 68

75 CHAPTER 4: TECHNOLOGY anyone using Google Maps on a smart phone is working in document from 2008, “ 101 support of a GCHQ system ”. Software and apps that openly reveal location history and track mobile phones, such 4.78. as Google Location History, GPS Tracking, or Life 360, can be used e.g. by parents to in - track their children but may also be useful to the authorities. These may use the built GPS functions of mobile phones, as well as the geolocation enabled by the cellular network. Deep packet inspection Real - 4.79. time surveillance has been made possible by deep packet inspection technology 102 103 Before DPI, the internet was akin to a “ daydreaming postal worker ”, [DPI] . moving packets around without caring about the content. DPI technology allows the examination of all the different “ layers ” of a communication, including t he content such as in Security Operations valuable functionality for legitimate users layers. It has Centres and malware detection and prevention, but also can be used for invasion of privacy. 101 “Angry Birds and ‘leaky’ phone apps targeted by NSA and GCHQ for user data”, The Guardian, 28 January 2014. 102 DPI technology provides an example of t echnology developed for certain purposes having a ripple One of the primary purposes for which DPI technology was developed was to counter security effect. threats by allowing an ISP to examine all ‘layers’ of a communication. In of Deep C. Fuchs, “Implications Packet Inspection Internet Surveillance for Society”, (2012) Privacy & Security Research Paper Series, #1, the author describes what he calls “ surveillance creep ”, namely, “ DPI usage for one purpose...may creep to other more privacy ities - sensitive activ ”. 103 Code and other Laws of Cyberspace L. Lassig, , 1999. 69

76 PART II: CURRENT POSITION Part II of the Report (CURRENT POSITION) explains the international legal backdrop, the current powers and the way in which they are used. Chapter 5 (LEGAL CONSTRAINTS) sets out the legal framework  which governs action in this field. In the absence of a written constitution, the chief limitations on freedom to legislate are those imposed by the ECHR and (within its field of application) EU law.  Chapter 6 ( POWERS AND SAFEGUARDS) summarises the existing UK law s under which public authorities may collect and analyse people’s communications, or records of their communications . It introduces the key concepts and summarises the various powers both under RIPA and outside it, together with the principal oversight mechanisms.  explains how those powers are applied in Chapter 7 (PRACTICE) practice by intelligence, police, law enforcement and others, touching - sharing, bulk personal datasets and the recent ly - also on data avowed power of computer network exploitation .  Chapter 8 (COMPARISONS) provides three sets of benchmarks which may assist in working out how UK law on investigatory powers should look. These are: o (directed and intrusive other forms of surveillance rveillance, property interference, CHIS &c.), su laws of other countries o the , particularly in Europe and the English - speaking world, and o the use made of individuals’ communications by service . providers, retailers and other private companies 70

77 5. LEGAL CONSTRAINTS hapter explains the legal constraints governing UK legislation. The UK is his C 5.1. T unusual in lacking a written constitution with which all legislation must conform. It has however accepted a number of limitations on its freedom to legislate, including (so far as is relevant here) protections for persons within its jurisdiction against undue interference with their fundamental rights. 5.2. The principal constraints on Parliament’s freedom to legislate in relation to investigatory powers derive from European treaties: (a) The ECHR , a treaty not of the European Union [EU] but of the Council of Eur ope. The ECHR confers rights on individuals within the jurisdiction of its 47 contracting states, enforceable by individual petition before the ECtHR in Strasbourg. Most of the same rights are given effect before the courts of the by the UK re they must generally be pleaded before any HRA 1998 , whe application is made to Strasbourg. Neither the UK courts nor the ECtHR has the power to strike down primary legislation, but each may declare that it infringes ECHR obligations. The law of the EU, and in parti cular the EU Charter , which like the underlying (b) - making powers of general principle of fundamental rights, constrains the law 1 the EU and of its Member States when acting within the scope of EU law. 2 Member State: National security remains the sole responsibility of each but subject to that, any UK legislation governing interception or communications data is likely to have to comply with the EU Charter because it would constitute 3 . a derogation from the EU directives in the field For the sake of completenes s, this C hapter also briefly considers the requirements of the common law and of international law, though neither provides any significant additional constraint on Parliament’s freedom to legislate in this sphere. The common law 5.3. of the UK is founded on the doctrine of parliamentary The unwritten constitution sovereignty. The courts may declare the law in areas untouched by statute, and interpret statutes once enacted. They can and do review the actions of the execut ive nd intelligence agencies ) and hold that they were (including Ministers and security a invalid on various grounds via judicial review. But they have, as a rule, no power to 1 EU Charter, Article 51, as interpreted by the CJEU in Case C 617/10 Åkerberg Fransson , judgment of - tion) Joined Cases 26 February 2013, para 21 EU:C:2013:105, and (in the context of biometric data reten C 446 to C - 449/12 Willems , judgment of 16 April 2015 EU:C:2015:238. I gave written and oral evidence - on the scope of the EU Charter to the House of Commons European Scrutiny Committee in the early part of 2014 for its report on the appl ication of the EU Charter in the UK, HC 979, March 2014: https://terrorismlegislationreviewer.independent.gov.uk/eu - charter - of - fundamental - rights/ . 2 Treaty on the European Union [TEU] , Article 4(2). The scope of that provision (and hence of EU law) has not been definitively resolved (though see Case C - 300/11 ZZ v Secretary of State for the Home Department , EU:C:2013:363, para 38), and is disputed in current litigation. 3 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data [Data Protection Directive] and Directive 2002/58/EC concerning the processing of personal da ta and the protection of privacy in the electronic communications sector privacy Directive] . [e - 71

78 CHAPTER 5: LEGAL CONSTRAINTS 4 - declared set aside or refuse to give effect to duly enacted primary legislation. Judge - making common law is thus no impedime nt to the exercise by Parliament of its law 5 powers, though clear words are required to override a fundamental right. 5.4. Attempts to fashion a common law constraint on the bulk collection of data have th century cases concerning “ focussed on 18 warrants ”. In 1762, the Home general Secretary, the Earl of Halifax, issued a general warrant to search for Mr John Entick, who had written libellous publications concerning both the king and his Parliament. The warrant also authorised its executors to “ seize an d apprehend, and to bring, together with his books and papers, in safe custody before me to be examined 6 concerning the premises and further dealt with according to law. ” 7 The Lord Chief Justice, Lord Camden, held that: 5.5. “... we can safely say that there is no law in this country to justify the defendants in what they have done; if there was, it would destroy all the comforts of society; for papers are often the dearest property a man can have... This is the first instance of an attempt to prove a modern pra ctice of a private office to make and execute warrants to enter a man’s house, search for and take away all his books and appears, in the first instance, to be low, which is not found in our books.” 5.6. A similar view was taken in the later case of John Wilkes . In 1763 Wilkes wrote a pamphlet critical of George III. Considering that the pamphlet was seditious, a Secretary of State issued a general warrant authorising the police to search for and identify the author, the publisher and their associates. Some of those subjected to this treatment challenged the warrant in the courts, which 5.7. agreed that the Government had acted outside the bounds of its powers. In one case, Lord Chief Justice Pratt stated that: “To enter a man’s house by virtue of a nameless warran t, in order to procure 8 evidence, is worse than the Spanish Inquisition .” The same judge noted in another case: “The defendants claimed a right, under precedents, to force persons’ houses, rrant, where break open escrutores, seize their papers, &c, upon a general wa no inventory is made of the things thus taken away, and where no offenders names are specified in the warrant, and therefore a discretionary power given to messengers to search wherever their suspicions may chance to fall. If such a power is truly invested in the Secretary of State and he can delegate this 4 Save where EU law so requires, as Parliament itself provided in the ECA 1972. Three judges n suggested that parliamentary sovereignty might not be absolute i R (Jackson) v Attorney General [2005] UKHL 56. 5 Morgan Grenfell v Special Commissioner of Income Tax [2002] UKHL 21; [2003] 1 AC 563, para 45. 6 Entick v Carrington 95 E.R. 807, p. 810. 7 Ibid ., pp. 817 - 18. 8 (1763) 2 Wilson 205 95 E R 768. Huckle v Money 72

79 CHAPTER 5: LEGAL CONSTRAINTS power, it certainly may affect the person and property of every man in this 9 kingdom and is totally subversive of the liberty of the subject . ” These are celebrated cases, which have not been 5.8. overruled. But they have not formed the basis of a common law right of privacy, for two reasons. 5.9. First, they were not explicitly decided by reference to the concept of privacy. The law 10 privacy issues. of trespass applied, so the judgments focus on property rather than 5.10. Secondly, the courts have rejected attempts to rely on those cases as authority for the principle that there is a common law right to private communications. th The High Court held in 1979 that the 18 (a) century warrant cases did not provid e 11 a basis for a claim to privacy in respect of phone tapping. Indeed it rejected the idea that there was any common law right to privacy in phone calls. Vice - Chancellor Megarry concluded that it was for Parliament to legislate to protect privacy if it w anted to, and that the right to private communications does not 12 Mr Malone had therefore to go to the ECtHR in exist in the common law. order to establish that he had a right to communicate in private and that the 13 interferences with that right had not bee n in accordance with the law. 14 In a recent case before the IPT, the Tribunal was not persuaded that these (b) cases added anything to the analysis. 5.11. The perhaps surprising outcome is that the common law, shorn of the influence of the 15 ECHR, barely recognises th e right to privacy or private communications. The European Convention on Human Rights Legal framework 5.12. The Council of Europe is an international organisation established in 1949 and currently numbering 47 European states as its members. In 1950 the Parlia mentary 9 (1763) Lofft 1, 98 ER 489. Wilkes v Wood 10 Though when communications were written on paper, concepts of property and privacy were closely related; and these cases played a part in enabling American judges to derive privacy rights from, in th the right of the people to be secure in their persons, houses, papers, and effects part 4 icular, “ ” in the amendment to the US Constitution. 11 Malone v Commissioner of Police ( No. 2) [1979] 1 Ch 344, pp. 368 - 369. 12 Ibid. , pp.372 - 374. 13 cation no. 8691/79; judgment of 2 August 1984). Malone v UK , (Appli 14 , Case Liberty and others v The Secretary of State for Foreign and Commonwealth Affairs and others - [Liberty IPT Case] , Nos. IPT/13/77/CH; 13/92/CH; 13/194/C and 13/204/CH, [2015] UKIPTrib 13_77 H of 5 December 2014 and 6 February 2015. judgments 15 See Kaye v Robertson [1991] FSR 62, per Glidewell LJ with whom Bingham and Leggatt LJJ agreed: “ It is well known that in English law there is no right to privacy and accordingly no right of action for breach of a person’s privacy ” ; Wainwright and another v Home Office , [2003] UKHL 53; [2004] 2 AC 406, per Lord Bingham, para 26: “ All three judgments are flat against a judicial power to declare the existence of a high - level right to privacy and I do not think that t hey suggest that the courts should do so ”; and R (Catt) v Metropolitan Police Commissioner [2015] UKSC 9, per Lord Sumption, para 2: ” The [US] concept of a legal right of privacy whether broadly or narrowly defined fell on stony ground in England. Its re ception here has been relatively recent and almost entirely due to the incorporation into domestic law of the [ECHR]. ” 73

80 CHAPTER 5: LEGAL CONSTRAINTS Assembly of the Council of Europe (made up of MPs from contracting states) adopted the ECHR. The was a founder member of the Council of Europe. Since 1966, it has 5.13. UK acknowledged the right of individuals with a sufficient interest to petition the ECtHR for a ruling that it has violated their fundamental rights. Such rulings are binding upon 16 in international law, the UK and may be enforced through the political mechanisms 17 of the Council of Europe’s Committee of Ministers. 5.14. Since the entry into for ce of the HRA 1998 in October 2000, individuals have been entitled to enforce most of their ECHR rights in domestic courts and tribunals. Those bodies are required to “ take into account ” any relevant decision of the ECtHR, and to nner consistent with the ECHR where it is possible to do interpret UK laws in a ma 18 so. Higher courts may also declare primary legislation (or subordinate legislation made in exercise of a power conferred by primary legislation) to be incompatible with the ECHR. Consistently with the sovereignty of Parliament, legislation is not invalidated by such a declaration. However, once appeal rights have been exhausted, UK the Government has normally been prepared to repeal or to amend legislation that has been declared incompatible by th e courts. 5.15. Material provisions of the ECHR include Article 6 (right to a fair trial) and Article 10 (freedom of expression). They bear, in particular, on the treatment of lawyer client - onsidered in communications and on the protection of journalists’ sources, and are c those contexts below. But in other respects (and though the right to freedom of expression is sometimes pleaded in tandem with the right to privacy) they are generally of lesser significance than Article 8. Article 8 headed “ ”, 5.16. Right to respect for private and family life Article 8 of the ECHR is 19 sometimes rendered, in shorthand, as the “ It provides as follows: ”. right to privacy Everyone has the right to respect for his private and family life, his home and “1) correspondence; all be no interference by a public authority with the exercise of this 2) There sh right except as is in accordance with the law and is necessary in a democratic - society in the interests of national security, public safety or the economic well being of the country, fo r the prevention of disorder or crime, for the protection s and freedoms of others.” of health or morals, or for the protection of the right 16 ECHR, Article 46. 17 See Council of Europe, Supervision of the execution of judgments and decisions of the ECtHR , March 2015. 18 HRA 1998 , ss2 and 3. 19 See, e.g., Liberty v United Kingdom (Application no. 58243/00, judgment of 1 October 2008), at para 43; Kennedy v United Kingdom ( Application no. 26839/05, judgment of 18 May 2010) at para 179. The same convenient shorthand is used by the C JEU to describe the protections offered by Arti cles 7 and 8 . ); and cf. 2.1 above of the EU Charter ( see Digital Rights Ireland , paras 33 - 4 74

81 CHAPTER 5: LEGAL CONSTRAINTS engage ” Article 8 may Article 8 (like Article 10) is a qualified right: interferences that “ f they are in accordance with the law, pursue a legitimate aim be permitted, but only i 20 triple test and are necessary in a democratic society: what the ISC dubbed a “ ”. The ECtHR has traditionally been readier than the English courts to find that Article 8 5.17. 21 is engaged, or engaged i In the context of investigatory n more than a minor respect. powers, it is engaged not only when material is read, analysed and later shared with 22 but other authorities , also when it is collected, stored and filtered, even without 23 human intervention. A ny interference must satisfy, by Article 8(2), what has been interpreted as a “ triple 5.18. 24 it must be in accordance with the law , necessar y in pursuit of a legitimate test ”: aim proportionate . The legal boundary between necessity and proportionality , and is not so clear as that summary suggests: both might be said to be embraced in the 25 necessary in a democratic society However, so long as all three single phrase “ ”. elements are satisfied, the precise way in which they are distinguished is of secondary tance. The distinction between “ ” and “ impor ”, in the sense proportionality necessity summarised above, is firmly embedded not only in RIPA (see, e.g. section 5(2)) but in the practices and training materials of all public authorities who apply it, and although it might be questioned as a matter of legal theory, I do not seek to disturb it Report in this . 5.19. The first element of that test is that the interference must be “ in accordance with the ” In other words: law . 26 (a) the interference must have some basis in domestic law; the law must be sufficiently accessible: the (b) rules must be reasonably easy to 27 obtain and understand; and (c) the manner in which the law will operate or be applied must be sufficiently . foreseeable 5.20. These requirements have not always proved easy to reconcile with the secret nature of electronic su rveillance. A balance must be found between retaining the secrecy of operational tools and methods on the one hand, and, on the other, having a law that is “ sufficiently clear in its terms to give citizens an adequate indication as to the 20 ISC Privacy and Security Report, para 23. 21 As Lord Sumption recently noted in the Supreme Court: Catt v Association of Chief Polic e Officers of England Wales and Northern Ireland and others , [2015] UKSC 9, para 26. 22 Weber and Saravia v Germany , (Application no. 54930/00, judgment of 26 June 2006), para 79. 23 The Supreme Court recently described it as clear that “ the state’s systema tic collection and storage in retrievable form even of public information about an individual is an interference with private life ”: Catt , per Lord Sumption, para 6. v MPC 24 - 27. ISC Privacy and Security Report, paras 23 25 See, e.g., Leander v Sweden (Ap plication no. 9248/81, judgment of 26 March 1987) at para 58: “ the notion of necessity implies that the interference corresponds to a pressing social need and, in ” particular, that it is proportionate to the legitimate aim pursued. 26 Silver and others v Un ited Kingdom (Application no. 5947/72, judgment of 25 March 1983), para 86. 27 Sunday Times v United Kingdom (Application no. 6538/74, judgment of 26 April 1979), para 49; Silver para 87. v United Kingdom, 75

82 CHAPTER 5: LEGAL CONSTRAINTS which and the conditions on which public authorities circumstances in ” will access 28 their communications. The second element of the test involves the identification of a legitimate aim whose 5.21. above) provides a broad list of 5.16 pursuit is necessary. Article 8(2) (set out at interests that are capable of justifying interference. The courts are almost always willing to find that a legitimate aim is being pursued, for example, national security or Neces sary the prevention of crime. “ indispensable ”, but more than ” means less than “ merely “ ” or “ useful ”. To be necessary, an interference must correspond to admissible pressing social need a “ ”. 5.22. To satisfy the third element of the test, the interference must be proportionate to the aim pursued. That is determined via a balancing exercise, which may for example require “the interest of the ... state in protecting its national security ” to be balanced “the seriousness of the interference with the applicant’s right to respect for hi against s 29 The ECtHR has repeatedly noted that: private life ”. (a) States have a “ margin of appreciation ” (or, in the national court, a discretionary area of judgement). However, the court is the ultimate arbiter of necessity. (b) In order to be satisfied th at t he interference is proportionate , courts must be satisfied that the national law sets out sufficient safeguards against abuse, and that those safeguards have been followed in the particular case (if 30 appropriate). 5.23. The case law of the ECtHR concerning surve illance has largely focused on the first element: the requirement that any interference is “ in accordance with the law ”. There is a degree of overlap between the first and third elements, particularly in respect of the procedural safeguards against abuses . As a result, there is a trend in some of the 31 recent case law to consider those two elements together. 5.24. Neither before the IPT nor in the ECtHR do those wishing to complain about a violation of their Article 8 rights have to demonstrate conclusively that their communications have been interfered with. It is enough for them to satisfy the court that it is reasonably 32 Where bulk collection is likely that they were the subject of targeted surveillance. 33 concerned, an even more liberal test may apply. 28 Silver v UK, para 88; Malone v UK Krus lin v France (Application no. 11801/85, judgment of 24 , para 67; April 1990), para 33; , paras 93 - 94. For the requirement of foreseeability, in a different Weber v Germany Khan v United Kingdom context, see (Application no. 35394/97, judgment of 4 October 2000). Th e absence of any guidelines concerning the use of listening devices in private property meant that their use was not in accordance with the law. 29 Leander v Sweden, para 59. For an example of a proportionality assessment in a related context, the S and indefini te “ blanket retention ” of suspects’ fingerprints, cellular samples and DNA profiles, see Marper v UK (Application nos. 30562/04 and 30566/04, judgment of 4 December 2008), paras 118 126. - 30 - Silver v UK , para 97; , paras 59 See 62; Webe r v Germany , para 106. Leander v Sweden 31 Kvasnica v Slovakia (Application no. 72094/01, judgment of 9 June 2009), para 84; See for example and Kennedy v UK , para 155. 32 Kennedy v UK , para 123, Stefanov v Bulgaria, para 49. 33 57. - Weber v Germany , paras 78 - 79; Liberty v UK , par as 56 76

83 CHAPTER 5: LEGAL CONSTRAINTS ECH R: specific issues 5.25. The ECtHR has considered surveillance and interception of communications on a number of occasions. In the course of those judgments, it has addressed a number cularly relevant to this Review . of specific issues that are parti Distinctio n between content and ‘communications data’ , the current RIPA framework distinguishes between at 6.3 - 5.26. As set out in 6.7 below obtaining access to the content of communications (via interception), and the use of communications data. The majority of cases th at have reached the ECtHR have 34 at 7.43 But as explained concerned interception. - 7.51 below , communications data play an important role in policing and counter - UK . Investigative terrorism in the nicating with whom, and agencies are often just as interested in who has been commu where from, as what the parties actually said to one another. 5.27. The Strasbourg case law is clear that both the collection of communications data and 35 In some cases, there are hint the interception of content interfere with Article 8. s in the ECtHR jurisprudence that they may legitimately be treated differently. In Malone v UK the Applicant complained that his phone calls were not only being recorded but metered, in the sense that records were being kept regarding to whom he had spoke n and when. The ECtHR commented that: “By its very nature, metering is ... to be distinguished from interception of communications, which is undesirable and illegitimate in a democratic society 36 unless justified...” (para 84). not appear to follow such a distinction, and it at least However, more recent cases do 5.28. appears that in some circumstances the difference is of no significance. In the Liberty the IPT referred to six principles set out below (from case, ) and IPT Weber v Germany concluded that they shou ld apply to both kinds of material: - law on secret measures of surveillance, the Court has developed “In the case the following minimum safeguards that should be set out in statute law in order to avoid abuses of power (1) the nature of the offences which m ay give rise to an interception order; (2) a definition of the categories of people liable to have their telephones tapped; (3) a limit on the duration of telephone tapping; (4) the procedure to be followed for examining, using and storing the data obtaine d; (5) the precautions to be taken when communicating the data to other parties; and (6) the circumstances in which recordings may or must be erased or the 37 tapes destroyed.” 34 Malone v UK; Weber v Germany; Liberty v UK; Kennedy v UK. See for example 35 , para 84; Copland v United Kingdom (Application no. 62617/00, judgment of 03 April 2007), Malone v UK - 47. paras 39 36 Cf. Uzun v Germany (Application no. 35623/05, judg ment of 2 September 2010), in which the “ rather strict standards ” applicable to the interception of telephone conversations were held not to apply to the placing of a GPS tracking device in a car, para 66. 37 judgment of 5 December 2014, para 114. Weber v Germany para 95, cited in the Liberty IPT case , 77

84 CHAPTER 5: LEGAL CONSTRAINTS It seems therefore that the authorisation, storage and use of communications data 5.29. must each meet the Weber v Germany ed material and of intercept standard. That is consistent with the detailed picture of an individual’s life that can be obtained from 38 communications data, particularly when different sources are combined. 5.30. here the same kind of material is gathered via different means, distinctions may be W particularly Bykov v Russia , the Grand Chamber of the ECtHR held hard to draw. In that the bugging of a live conversation in a sting operation attracted the same 39 protections as interce ption of communications. Bulk collection 5.31. Bulk collection of both communications data and intercept ed material has been one of the leading sources of controversy following the disclosure of the Snowden Documents. Bulk collection is potentially problematic , from an ECHR perspective, because of the sheer number of individuals whose private lives are interfered with. As a result, and leaving aside the question of whether it is in accordance with the law, it may be more difficult to demonstrate that the inter ference is “ necessary in a democratic society” , or proportionate. 5.32. Most applicants to the ECtHR focus on the individual alleged violations of their right 40 to privacy. The court has only considered bulk collection on a small number of occasions. The leadin g authority in this area is Weber v Germany , in which the applicants complained that the German state was monitoring communications in the absence of any “ concrete suspicion ” and relying on “ catchwords ” in order to analyse founded, noting (at - e application as manifestly ill the data. The ECtHR dismissed th paras 114 - ” was not in itself a disproportionate 117) that “ strategic monitoring interference with the right to privacy. In so concluding it had regard to the narrow and closely defined justifications for such collection, the safeguards that governed the authorisation of the collection, the safeguards concerning use of that material and the data protection systems in place. In the other leading case concerning bulk collection of intercept ed Liber 5.33. ty v material, UK , the court concluded that the UK legislation in question (the Interception of [IOCA 1985] Communications Act 1985 ) was not in accordance with the law. IOCA 1985 did not provide sufficient safeguards against abuse of the power to intercept or 41 use t Because the case was decided on the “ in accordance he material in question. with the law ” basis, the court did not explicitly consider whether the interference in question was proportionate. On the other hand, as set out above, the court frequently 38 Digital Rights Ireland, para 26: “ Those data, taken as a whole, may As the CJEU recently explained in allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them .” 39 Application no. 4378/02, judgment of 10 March 2009, paras 78 - 79. 40 See for example the judgment in Kennedy v UK , which considered the lawfulness of the s8(1) framework for individualised warrants but not the more general powers under s8(4). 41 69. Liberty v UK , para 78

85 CHAPTER 5: LEGAL CONSTRAINTS iders very similar factors under the headings of “ ” and cons in accordance with the law proportionality (and may even consider them together). 5.34. In summary, the case law of the ECtHR suggests that bulk data collection and analysis, in the absence of suspicion, i s not in itself a disproportionate interference with the right to respect for private life. However, bulk collection will be assessed against a higher standard than individual interferences with the right to privacy. The justification for that interferen ce, and the safeguards in place to prevent abuse, will 42 need to be more compelling if the requirements of Article 8(2) are to be satisfied. 5.35. The IPT recently heard extensive argument concerning whether or not the current bulk interception processes under RI PA s8(4) were “ in accordance with the law ” in the Liberty IPT Case. The Claimants argued that the current distinction between internal and external communication was so unclear that the bulk collection framework was itself unlawful. They also argued that data sharing arrangements between various governments and the UK were not in accordance with the law, and that insufficient safeguards were in place. All those arguments were rejected in the judgment of 5 t prior to disclosures made in 2014, went on to rule tha December 2014, though the IPT the regime for sharing data with the US had contravened the “ in accordance with the 43 ” requirement. After further (closed) argument, the IPT is expected to determine law tion of external communications is a the Claimants’ submissions that the bulk intercep disproportionate interference with their Article 8 and Article 10 rights. The Claimants 44 have already applied to the ECtHR in relation to the arguments rejected by the IPT. Home and away 5.36. Every state of whose legal fram ework I am aware draws some kind of distinction 45 between the protections afforded to its own citizens or residents and others. The apparent distinction in RIPA between “ internal” and “ external ” communications, together with the additional safeguards under RIPA s16 for persons known to be for 46 the time being in the British Islands , below. is explained at 6.42 - 6.59 47 5.37. The ECHR case law has not directly considered the lawfulness of that dichotomy. As a general rule, Member States do not owe ECHR duties to ind ividuals outside their 48 effective control However, both the case law of the ECtHR and the UN ”. territory or “ Human Rights Committee have made clear that treaty obligations may extend 49 extraterritorially. The application of that doctrine to surveillance c onducted abroad 42 That conclusi on is consistent with the approach adopted by the CJEU in Digital Rights Ireland as set out below. 43 Liberty IPT Case, judgment of 6 February 2015. 44 10 Human Rights Organisations v United Kingdom, an application filed on 10 April 2015 [Liberty ECtHR Ap plication] . 45 See further 5.90 and 14.76 - 14.77 below. 46 British Islands means the UK, Channel Islands and Isle of Man: Interpetation Act 1978 s5. 47 In Weber v Germany , the ECtHR declined to decide the question of whether German nationals uguay who complained of “ strategic monitoring ” of international telecommunications by resident in Ur the German Federal Intelligence Service were entitled to the protection of the ECHR (the case being declared inadmissible on other grounds). 48 148. In Al Skeini v United King dom (Application no. 55721/07, judgment of 7 July 2011), paras 138 - 49 European Commission for Democracy Through Law (Venice Commission), Update of the 2007 report on the democratic oversight of the security services and report on the democratic overs ight of signals , paras 69 - 71. intelligence agencies , Study No 719/2013, April 2015, [Venice Commission Report] 79

86 CHAPTER 5: LEGAL CONSTRAINTS is uncertain, but some possibilities were recently alluded to by the Venice Commission of the Council of Europe: “The collection of intelligence on or over the high seas, or in the territory of another state, with that state’s permission, w ill not be in violation of the customary international law norm of non - intervention. However ... [c]ollection facilities in military bases, or vessels situated outside national territory, can ... jurisdiction ’ for state parties to [the ECHR]. In any event, the be within ‘ processing, analysis and communication of this material is clearly within national jurisdiction and is governed both by national law and states’ applicable 50 human rights obligations.” For practical purposes, it is likely that any framework 5.38. for the interception of external communications, however defined, will have to be ECHR - compliant. It is generally acknowledged to be impossible, when gathering communications between two individuals who are both outside the UK, to avoid collecting some co mmunications that are internal, in the sense that they are both to and from individuals inside the 51 British Islands. Jurisdictional issues arise also in relation to the extra - 5.39. territorial application of national laws requiring overseas service providers to make data available (e.g. DRIPA 2014 s4), particularly where those laws come into conflict with data protection requirements in the foreign state. As suggested by the Venice Commission, the long term resolution - 52 of this issue may require new international standards for privacy. Oversight and authorisation 5.40. The ECtHR has repeatedly affirmed that: “...in a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in 53 desirable to entrust supervisory control to a judge.” principle be 5.41. in Klass v Germany it rejected the submission that authorisation must However, provided by a judge . The ECtHR explained that review of surveillance may take place at three stages: when the surveil lance is first authorised, while it is being carried out and after it has been terminated. The initial authorisation process in Germany was made by the relevant minister or law enforcement officer (much like the current system ion of the measure was overseen by an official qualified in the UK). The implementat for judicial office. The material that was gathered did not go dire ct to the competent authorities: rather it was reviewed by that official to determine whether its use was compatible with the relev ant legislation. Review after the event was carried out by See also - Al Jedda v UK (Application no. 27021/08, Judgment of 7 July 2011) and UN Special rapporteur on the promotion and protection of human ri ghts and fundamental freedoms while countering terrorism, 4th annual report, 23 September 2014 (A/69/397). 50 Ibid., para 69. 51 See 6.53 below. 52 Venice Commission Report, para 71. 53 , Klass v Germany (Application no. 5029/71, judgment of 6 September 1978 ), para 56; Kruslin v France Kennedy v UK , para 167. para 34; 80

87 CHAPTER 5: LEGAL CONSTRAINTS wo bodies, a Parliamentary Control Commission t and the G10 Commission, both of which were independent of the authorities carrying out the surveillance and contained 54 The court reviewed all aspects of the es. members of the opposition parti authorisation and oversight regime and concluded it provided sufficient protections to democratic freedoms. 5.42. The current system of ministerial authorisation for individual warrants does not render compliant with Article 8, in the opinion of the ECtHR. In Kennedy v n the system no - UK currently provided by the IOCC , , the ECtHR explained in detail the oversight that is 55 The court did not set out a standard of oversight and then ask the ISC and the IPT. not the current framework meets that test. Rather the strength of the whether or oversight regime was one factor that it took into account when determining whether the RIPA s8(1) framework was a necessary and proportionate and interference with and the absence of judicial involvement during the authorisation the right to privacy; or implementation stage was not fatal. 5.43. Kennedy case concerned individual warrants rather than It should be noted that the bulk collection. Confidential communications Certain kinds of comm 5.44. unication deserve particular protection, and need to be approached with especial care. First, communications between lawyers and their clients are protected by legal 5.45. 56 [LPP] . professional privilege Similar or equivalent provisions exist in the laws of 57 other European countries. most The ECtHR has held that, where a search warrant is executed at a lawyer’s office, “ special procedural safeguards, such as the presence of an independent observer ” should be put in place to avoid an unwarranted breach 58 of profess ional confidence. material subject to 5.46. The same principles will apply in cases concerning in terception of LPP . The precise scope of the additional and further protections that should apply when privileged documents are being intercepted has not been fully argued in any 59 case before the ECtHR. However, it is clear that such protections are required: (a) In Kopp v Switzerland the Swiss authorities had tapped the telephones of a law firm, as part of a wider investigation into corruption. The ECtHR held that was not in accordance with the law, because Swiss law failed clearly and adequately 54 They were held to be sufficiently independent “ to give an objective ruling ”, Klass v Germany , para 56. 55 Kennedy v UK , paras 166 - 9. 56 Whether communications data (recording, for example, the fact that a lawyer spoke to a client or a potential witness) may be subject to LPP is not entirely straightforward: see JSC Bank v Ablyazov th 29. (12 [2012] EWHC 1252 Comm; C. Hollander, edn., 2015) para 17 Bank Documentary Evidence - The fact of such comm unications is presumably confidential, in any event, and likely to be of special sensitivity: IOCCO inquiry into the use of RIPA Part I Chapter 2 to identify journalistic sources, (February 2015), para 6.16. 57 R (Prudential) v Special Commissioner of Inco me Tax [2013] UKSC 13, paras 116 and 136. 58 Niemietz v Germany , para 37. See also Stefanov v Bulgaria , para 38. 59 As noted at 5.68(b) below, the CJEU, when determining that the Data Retention Directive was not lawful, also noted that it made no provision for communications that are subject to professional secrecy ( Digital , at para 58). Rights Ireland 81

88 CHAPTER 5: LEGAL CONSTRAINTS to distinguish between those communications that would attract privilege and those that would not. The court was also particularly exercised that the determination of that qu estion was delegated to an official in the Post Office’s 60 legal department: a part of the executive and not an independent judge. (b) In other cases, the court has noted with approval that the French state offered specific protections to preserve the confiden tiality of lawyer/client relations 61 Additional protections will also be when their telephones are to be tapped. to necessary, in many cases, in order to protect t he right under ECHR Article 6 62 a right to a fair trial. In the domestic sphere, the Judicial 5.47. Committee of the House of Lords (the in the predecessor body to the UK Supreme Court) considered the question of LPP context of surveillance. The case concerned the power to listen in to confidential or doctors and their clients. consultations held at a police station between lawyers The court held that it was lawful, in some circumstances and where authorised expressly by statute, to carry out surveillance of those conversations. However, the rt that the safeguards House of Lords also upheld the view of the Administrative Cou set out in RIPA, and the Code of Practice for surveillance, offered insufficient 63 protections in a case where privileged communications would be gathered. More light has recently been shed on this issue by UK 5.48. the Belhadj IPT case. The Government had already conceded that its policy concerning interception of privileged communications has been unlawful : the IPT held that the privileged communications of a claimant had been intercepted, and ordered GCHQ to destroy its copies of the 64 re Both the Draft Interception of Communications Code of levant documents. Practice of [Draft Interception Code] and the new Acquisition and February 2015 [Acquisition Code] Disclosure of Communications Data Code of March 2015 contain 65 expanded sections conc erning access to privileged communications. and their sources journalists are entitled to be 5.49. Secondly, communications between treated in confidence. The ECtHR has held that an interference with the confidentiality of journalistic sources can only be ju an overriding requirement in the public stified by “ 66 ” The threshold that must be passed is significantly higher than the ordinary interest. Weber v Germany necessity and proportionality test. In the applicant was a journalist, who argued that the interce ption of her communications was a breach of her right to maintain the confidentiality of her sources. The ECtHR held that the purpose of “ strategic monitoring ” (widespread and without reference to a particular individual) was not to gather information abo ut journalistic sources. Therefore, the procedures 60 Kopp v Switzerland (Application no. 13/1997, judgment of 25 March1998), paras 73 - 75. 61 Huvig v France Kruslin v France, para 34; (Application no. 11105/84, judgment of 24 April 1990), para 33. 62 S v Switzerland (Application no. 12629/87, judgment of 28 November 1991). See 63 McE v Prison Service of Northern Ireland and another, C and Another v Chief Constable of the Police Service of Northern Ireland and M v Same [2009] UKHL 15, [2009] 1 AC 908. See in particular the comments of Lord Neuberger, para 113. 64 Belhadj IPT Case, order of 26 February 2015; judgment of 29 April 2015. The decision was the first time the IPT has found in favour of an individual Cl aimant, in an open judgment, and held that the Agencies have acted unlawfully. 65 Draft Interception Code paras 4.2 - 4.25; Acquisition Code paras 3.72 - 3.84. 66 Goodwin v United Kingdom (Application no. 17488, judgment of 27 March 1996), para 39. 82

89 CHAPTER 5: LEGAL CONSTRAINTS that were in place to restrict the use and dissemination of material were sufficient to 67 protect journalists’ freedom of expression and the confidentiality of their sources. However, in a Dutch case the E 5.50. CtHR held that two investigative journalists had suffered a disproportionate interference with their right to privacy as a result of covert surveillance. In that case, the purpose of the surveillance was to identify a journalistic 68 source and there was ins ufficient judicial oversight to render the intervention legal. That conclusion was echoed in a subsequent case. The ECtHR stressed that special safeguards must be in place in order to protect the confidentiality of journalistic F irst and foremost among these safeguards is the guarantee of sources, stating: “ 69 - .” review by a judge or other independent and impartial decision making body 5.51. eau of Investigative Journalism has issued proceedings before the ECtHR The Bur arguing that the current protections provide d under UK law do not afford sufficient 70 protection to journalists’ sources. The matter has been communicated to the in the IPT Government. Meanwhile another challenge has been filed by a Sun 71 journalist, concerning access to his phone records. 5.52. ategory of protected communications, which has not been considered by the A third c ECtHR, is parliamentary correspondence . A claim has been issued before the IPT 72 A concerning the interception of communications to and from Parliamentarians. hearing on preliminary issues of law will take place in July 2015. 5.53. Other communications may be specifically protected. The ECtHR has also held that medical information attracts the protection of Article 8. In Z v Finland , the fact that the applicant was HIV positive was discl osed in the press reporting of her trial. The court 73 held that her right to respect for private life had been breached. Pending cases before the ECtHR 74 The case of 5.54. and Big Brother Watch v UK was lodged before the ECtHR in 2013, communicated to the UK Gove rnment. It concerns bulk data collection and data In addition, the Liberty ECtHR A ) and the application sharing. pplication (5.35 above brought by the Bureau of Investigative Journalists (5.51 above) have been communicated to the UK Government. 67 Weber v Germany , paras 150 - 152. 68 Telegraaf Media Nederland Landelijke Media BV and others v The Netherlands (Application no. 39315/06, judgment of 22 November 2012), paras 96 - 102. 69 Sanoma Uitgevers BV v The Netherland ( Application no. 38224/03, judgment of 14 September 2010), para 90. 70 (Application no. 62322/14). The current Bureau of Investigative Journalism and Alice Ross v UK [Interception Code] Interception of Communications Code of Practice sets out some safeguards at sections 3.2, 3.6 and 3.9. 71 No record of the case number is available on the IPT website yet. 72 Lucas and Moulsecoomb v the Security Service and others (IPT/14/79/CH and 14/80CH). It has recently been joined with a similar claim issued by George Galloway MP. 73 Z v Finland (Applicatio n no. 22009/93, judgment of 25 March 1997). 74 Application no. 58170/13. 83

90 CHAPTER 5: LEGAL CONSTRAINTS The law o f the European Union 5.55. The UK is a Member State of the EU, an international organisation governed by 75 treaties. Parliament has given primacy to EU law, as EU law itself demands. 76 Although the EU is not itself a signatory to the ECHR, it has its own system of rights protection which, within the scope of the Treaties, constrains the legislative freedom both of the Union and of its Member States. 77 5.56. may be annulled or declared invalid if they are inconsistent The legal acts of the EU with the EU Treaties, with t he fundamental rights which constitute “ general principles 78 of the Union’s law ” or with the EU Charter, which has the same legal value as the 79 Treaties. Furthermore, unlike under the ECHR, both the CJEU and domestic courts are obliged to “ disapply ” provis ions of national law, including Acts of Parliament, that conflict with EU legal norms. In contrast to the ECtHR’s political enforcement mechanisms, Member States which fail to rectify an infringement determined by the 80 CJEU are liable to be heavily fined. Charter of Fundamental Rights Of particular relevance to the law on investigatory powers are Articles 7 and 8 of the 5.57. EU Charter, which are based on the ECHR and read as follows: “Article 7: Respect for private and family life pect for his or her private and family life, home Everyone has the right to res and communications. Article 8: Protection of personal data. 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority. ” 75 ECA 1972, ss2 and 3. 76 It is obliged to accede to the ECHR (TEU Article 6(2)); but that prospect is not imminent: Opinion of the CJEU 2/13, 18 December 2014 EU:C:2014:2454. 77 Su ch legal acts include regulations (which are binding in their entirety and directly applicable) and directives (which need to be implemented in national law, but are binding as to the result to be achieved): TEU, Articles 288 and 289. 78 TEU, Article 6(3). 79 TEU, Article 6(1). 80 Treaty on the Functioning of the European Union, Article 260. 84

91 CHAPTER 5: LEGAL CONSTRAINTS 5.58. There is no direct equivalent in the EU Charter of Article 8(2) of the ECHR. But Article 52(1) provides that: “Subject to the principle of proportionality, limitations may be made only if t hey are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others,” objectives of general interest ” are effectively limited to those referred to in and the “ the ECHR by Article 52(3), which provides that insofar as the EU Charter Article 8(2) of the meaning and scope of those rights shall be rights correspond with ECHR rights, “ the same ”. That is to be read however together with the last sentence of Article 52(3): This prov ision shall not prevent Union law providing more extensive protection ”. The “ position is thus that the ECHR provides a floor for interpreting the EU Charter rights, but not a ceiling. Data protection law 5.59. Two pieces of EU legislation constrain the freedom to gather and process information 81 without constraint, via surveillance or any other method. 5.60. First, the Data Protection Directive sets out a framework for “ data processing ” that respects “ fundamental rights and freedoms, notably the right to privac 12 y ” (Recital 2). It lays out the standards that govern the processing of personal data, including the collection, recording, organisation, storage, adaptation, retrieval, consultation, use or dissemination of that material throughout the Union (Article 2). Personal data may specified, explicit and legitimate purposes and not further only be collected for “ (Article 6(1)(b)) and “ processed in a way incompatible with those purposes” kept in a form which permits identification of data subject for no longer than is necessary for 82 the purposes for which the data were collected... ” (Article 6(1)(e)). 5.61. Member States are obliged to ensure that appropriate technical and organisational measures are in place to protect personal data from accidental or unlawful destructio n, loss or unauthorised disclosure (Article 17(1)). 5.62. Secondly, the e - Privacy Directive is concerned with the data generated by and in association with use of electronic communications. It harmonises the standards of protection throughout Europe, in order t o ensure that personal data, which is protected by Articles 7 and 8 of the EU Charter, is given adequate security. Article 15(1) 83 provides: “Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in A rticle 5, Article 6, Article 8(1), (2), (3) and (4) and Article 9 of this Directive, when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), def ence, public security, and the 81 Though it is arguable that they do not do so in all circumstances: see, in particular, the comments on TEU Article 4(2) at 5.2(b) above. 82 Directive 95/46/EC. 83 Di rective 2002/58/EC. 85

92 CHAPTER 5: LEGAL CONSTRAINTS prevention, investigation, detection and prosecution of criminal offences ... To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the g rounds laid down in this paragraph.” Digital Rights Ireland 5.63. The CJEU has had, until recently, less opportunity than the ECtHR to pronounce upon 84 But as the court entrusted with the interpretation of the law of investigatory powers. ment which has the potential to be construed in a more the EU Charter, a docu expansive manner than the ECHR, its judgments in this area may prove in the long run to be at least as significant. 5.64. Of particular importance is the judgment of the Grand Chamber of the CJEU in Digita l , a successful challenge to the validity of the EU’s Data Retention Rights Ireland 85 Directive. 5.65. The EU Data Retention Directive, harmonising the various responses by Member States to Article 15(1) of the e - Privacy Directive, required service providers to r etain data generated for billing purposes concerning use of telephone, internet and email services for between six and 24 months. The scope of the data in question was broad and included data necessary to identify a sender and recipient, date, time and du ration, type, equipment of communication and the location of mobile phone calls. Those data were to be held, beyond the period of time when a service provider might need them, in order to assist in the investigation and prevention of serious crime. The s ervice provider was required to make data available, on request, to the police and security services. The implementing legislation in the UK required service providers 86 to keep that data for 12 months. n Directive evoked strong feelings 5.66. Largely uncontroversial in the UK, the Data Retentio in other parts of Europe, culminating in the presentation of mass petitions and a 87 number of constitutional challenges to its implementation. The CJEU acknowledged that data retained under the Directive could be valuable. 5.67. Thus: (a) the growing importance of means of electronic communication ”, and It noted “ a valuable tool for criminal described data retained under the Directive as “ additional opportunities to shed investigations ” which afforded the authorities “ light on serio ”. us crime (b) The fight against serious crime, “ in particular against organised crime and terrorism ”, was itself described as “ of the utmost importance in order to ensure 84 Though see Joined Cases 46/87 and 227/88 Hoechst AG v Commission EU:C:1989:337 (law of search) and Case C 550/07P Akzo Nobel v Commission EU:C:2010:512 (legal professional privilege). - 85 Joined Cases C - 293/12 and C - 594/12 Digital Rig hts Ireland and Seitlinger and others ECLI:EU:C:2014:238. 86 The Data Retention (EC Directive) Regulations 2009 (SI 859/2009) s5. 87 - 8.57 below. See 8.56 86

93 CHAPTER 5: LEGAL CONSTRAINTS ”, and as potentially dependent for its effectiveness on “ the use of public security 88 ”. mod ern investigation techniques This notwithstanding, the CJEU declared the Data Retention Directive to be invalid, 5.68. for failure to comply with the principle of proportionality. The utility of the Directive in to render it “ necessary” , in the absence the fight against serious crime was not enough of safeguards which the court ruled that the EU legislator should have provided. In particular: The Directive mandated the bulk retention (a) of “ all traffic data ” relating to “ all means of electronic communication ” u sed by “ practically the entire European population ”, including those in respect of whom there was no suggestion that - they had a connection, even indirect or remote, with serious crime (paras 56 58). The Directive did not allow for any exceptions relating t (b) o communications that are subject to professional secrecy (para 58). (c) The Directive did not require any “ relationship between the data whose retention is provided for and a threat to national security ”: in particular, retention was not restricted by referen ce to particular time periods, places or persons who were likely to be involved in serious crime or who could contribute to its prevention, detection or prosecution (para 59). (d) The Directive did not lay down “ any objective criterion ” by which to determine ” in respect of which the retained data could be types of “serious crime he t accessed or used: deferring to national definitions was not enough (para 60). The Directive contained no substantive or procedural conditions concerning (e) a . In particular, it did not restrict access and use access to and use of the dat of the data to what is strictly necessary for “ preventing and detecting precisely ” defined serious offences or conducting criminal prosecutions relating thereto (para 61). The Directive did not lay down (f) objective criteria to limit the number of persons authorised to access and use retained data. “ Above all ”, access by national authorities was not made dependent on a “ prior review carried out by a court or by an independent administrative body whose deci sion seeks to limit access to the data and their use to what is strictly necessary... ” (para 62). (g) The Directive required all data without distinction to be retained for at least six retention periods months, and did not ensure that must be limited to what is strictly necessary (paras 63 64). - (h) The Directive did not provide for sufficient protection and security against abuse and unlawful access, bearing in mind the “ vast quantity ” and “ sensitive nature ” of the data. Service providers were wrongly allowed to have regard to 88 49 and 51. Digital Rights Ireland , p aras 87

94 CHAPTER 5: LEGAL CONSTRAINTS economic considerations when determining the level of security which they applied and the Directive did not ensure the “ irreversible destruction ” of the data 67). - at the end of the data retention period (paras 66 The Directive did not requir e that the data be retained within the EU (i) , contrary to the requirement of Article 8(3) of the EU Charter that compliance with the data protection rules envisaged in Article 8 be controlled by an independent authority (para 68). ts Ireland Consequences of Digital Righ 5.69. The precise boundaries of the judgment will not be established for some time. Some 89 From have construed it as an attack on the whole notion of bulk data retention. another perspective, the UK Government has suggested to me that the CJEU did no t hear detailed argument on some of the requirements that it referred to in its judgment; and that it is not entirely clear whether each of the grounds summarised at 5.68 above er it is would have been sufficient to invalidate the Data Retention Directive, or wheth only their cumulative effect that did so. Dutch case 5.70. The District Court of the Hague, in judgment of March 2015, recently struck down the 90 Dutch data retention legislation. The judgment is of course not binding in the UK. n by a national court of the CJEU’s binding But as an interpretatio Digital Rights Ireland judgment, it deserves careful study. Although the Dutch law was described as “ 5.71. autonomous legislation that should be assessed on its own merits ”, it was subject to the constraints of the EU Charter, as interpreted in Digital Rights Ireland , because Member States which legislate for data retention are both implementing the e - Privacy Directive and restricting the free 91 movement of services. The same conclusion is likely in the UK context. 5.72. The District Court rendered the Dutch law inoperable, notwithstanding the State’s unchallenged submissions that “ the detection of certain types of crimes rely almost exclusively on the use of historical telecommunication data ” and that “ some of its 89 See F. Fabbrini, “Human Rights in the Digital Age. The European Court of Jus tice Ruling in the Data Retention Case and its Lessons for Privacy and Surveillance in the US”, (2014) Tilburg Law School Legal Studies Research Paper Series (15), para 24: De facto it rules out anything short of “ approved, requests b y national security and law enforcement authorities to collect - individualised, court - data generated in electronic communications for specific searches.” See also the extra - and use meta juge rapporteur (the member of the CJEU responsible for preparing t he judicial comments of the judgment), Thomas von Danwitz, in an interview with the Süddeutsche Zeitung on 17 September 2014: “Q. So would the general retention of communications data without cause no longer be admissible following the ruling? A. That is certainly the essence of the ruling, and so a provision introducing a general obligation to retain, without any grounds for suspicion, would be problematic. ” 90 NL:RBDHA:2015:2498, District Court of the Hague, 11 March 2015, Case no. C/09/480009/KG/ZA 14/1575 (unofficial trans lation by Anna Berlee for the Interdisciplinary Internet Institute). Other national 8.57 data retention laws have also been annulled since the Digital Rights Ireland judgment: see 8.56 - below. 91 The notion of a “ UK opt - out ” from the EU Charter was always a misconception. See my written evidence to the EU Scrutiny Committee in January 2014, at paras 5 - 10: http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/european - uk/written/4922.html . scrutiny - committee/the - application - of - the - eu - charter - of - fundamental - rights - in - the - 88

95 CHAPTER 5: LEGAL CONSTRAINTS extensive c riminal cases could not have been resolved without data retention ”. It may have profound implications for the detection indeed recognised that its judgment “ and prosecution of offences ” (para 3.6). Digita l Rights Ireland criteria, 5.73. As to the detail, the District Court construed the 5.68 above, as having contributed collectively to the CJEU’s summarised at conclusions. This was helpful to the State, for it enabled the District Court to find unobjectionable the fa ct that the Dutch law provided for the storage of everybody’s (a) and (c), above). The court data, and not just those of suspected criminals (5.68 a limitation such as that apparently envisaged by the CJEU would not pointed out that in view of the law’s purpose of tracing serious crime: “ Indeed, in the be conceivable case of a first offender, it is not possible to make a distinction in advance between suspect and non suspect citizens - ”. 5.74. Other features of the Dutch law however rendered it disproportionate, ha ving regard Digital Rights Ireland to , in particular: (a) its failure to provide that the data should be retained within the EU, which was described as “ an essential component for the protection of the people in the processing of personal data ” (cf 5.68 (i) above) , and (b) the fact that retained data could be used in relation to “ criminal offences not sufficiently serious to justify the interference ”, including bicycle theft a nd (it would appear) all other offences for which a suspect could be remanded in 92 5.68 above. custody: cf. (e) These matters were said to be all the more important bec ause access to the retained data did not require prior authorisation by a judicial authority or independent 93 administrative body: 5.68 (f) 5.68 above. English case 5.75. The equivalent UK case is a judicial review claim by two Members of Parliament (Tom Watson MP and David Davis MP) challenging DRIPA 2014, s1, on the grounds that it 94 Digital Rights Ireland . That case was given permission by the is inconsistent with Administr ative Court to proceed, and is currently listed for hearing in June 2015. The future 5.76. Only the courts (and ultimately, the CJEU) can pronounce authoritatively on the extent Digital Rights Ireland to which constrains current and future UK data retention rule s. If the EU adopts a replacement Data Retention Directive, which it may do in the future, that too will serve as a constraint. But even if (to make assumptions favourable to the sis of the Government) the Directive turns out to have been invalidated only on the ba application of the factors set out at 5.68 cumulative above, and even if the Dutch court 92 T he District Court noted in this regard that the Data Retention Directive was a response to the terror attacks in Madrid and London of 2004 2005. - 93 Paras 3.9 - 3.11. 94 David Davis MP and Tom Watson MP v Home Secretary . 89

96 CHAPTER 5: LEGAL CONSTRAINTS is correct that to limit the categories of person whose data is retained, as the CJEU appears to have wished, w ould be to destroy the whole concept of data retention and cannot therefore have been intended, the Digital Rights Ireland constraints will still be significant. To pass muster under EU law, the UK rules that replace DRIPA 2014 s1 egulations 2014/2042 will have to be prefaced at the very and the Data Retention R least by consideration of: limiting the use of retained data to specified categories of “ serious crime ”; (a) (b) substantive and procedural conditions for access to and use of retained data; (c) prior authorisa tion by a judicial authority or independent administrative body; variable retention periods, limited to what is strictly necessary; (d) (e) provision for the physical security of data and its irreversible destruction when the retention period ends; special treatme nt for communications subject to professional secrecy; and (f) (g) the retention of data within the EU. 5.77. The Grand Chamber of the CJEU is the apex of the judicial pyramid where EU law is concerned, and its conclusions are strictly binding. The extent to which curr ent UK is disputed in the MPs’ law gives effect to the requirements of Digital Rights Ireland case referred to at 5.75 above, which will be heard in the High Court in June 2015. In on its legal the circumstances, it would be inappropriate for me to venture an opinion compatibility. There are however powerful arguments against an over broad interpretation of the - 5.78. Digital Rights Ireland judgment. In particular: What the Grand Chamber said about prior independent authorisation (5.68(f), (a) rther than the case law of the ECtHR but without above), seems to go fu Kennedy v UK (not cited by the Grand explaining why. See, for example, Chamber) , in which the ECtHR accepted prior authorisation of individual of content was warrants by the Secretary of State even where the interception concerned. Though the CJEU was prepared to describe data retention as a “ (b) particularly serious ” infringement of fundamental rights, concrete examples of harm are not 95 While there may be some for provided and are not immediately evident. the retention of data “ is likely to generate in the minds of the persons whom concerned the feeling that their private lives are the subject of constant 95 The CJEU’s suggestion that “ it is not inconceivable that the retention of the data in question might have an effect on the use ... of the means of communication covered by that directive and, consequently, on their exercise of the freedom of expression ” ( Digital Rights Ireland , para 28) appe ars - tentative and largely theoretical, at least where law abiding people falling outside the specially protected categories are concerned. 90

97 CHAPTER 5: LEGAL CONSTRAINTS ” ( Digital Rights Ireland surveillance , para 37), the survey evidence suggests 96 r high. that this is putting it rathe There is a case for excluding the use of retained communications data in (c) 5.67 (e) relation to the most trivial of offences ( above). But if the mark for “ ous crime ” is set too high, damaging crimes will go needlessly unpunished seri and public confidence in law enforcement will be reduced. (d) To limit retention to “ particular persons likely to be involved, in one way or another, in a serious crime ”, and/or to “ pers ons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences ” ( , para 59), would not only Digital Rights Ireland ts but would carry reduce the effectiveness of data retention in identifying targe other risks, since to seek to apply such nebulous distinctions would be to court 97 allegations of prejudice, profiling and unlawful discrimination. 5.79. The wider implications of the judgment also need to be reflected upon. Though Digital Ri ghts Ireland did not concern the bulk interception of content, it is arguable that its principles (including in relation to prior independent authorisation) should apply in that 98 Indeed the CJEU stated in terms that the bulk area with at least the same force. interception of content would be more intrusive, since unlike the Data Retention Directive it would affect the “ essence ” of the fundamental right to privacy (para 39). There may be implications also for other types of surveillance in relation to whic h types of self - authorisation are practised, in particular by the security and intelligence . All this is subject to EU law being applicable: though to the extent that agencies Digital Rights Ireland adopte d or followed by the ECtHR, t hat may in the future be distinction will cease to matter. Google Spain 5.80. A further, more recent decision that may also affect any future data retention 99 - 131/12 Google v Spain . legislation is the judgment in Case C The CJEU determined, in brief, that a search engine (such as Go ogle) was a data controller for the purposes of the Data Retention Directive. As a result, it was obliged to protect the fundamental rights of the owner of that data and in particular to protect the right to be “ forgotten ” by responding to requests that c ertain data be destroyed or not made available. 96 See, e.g., TNS - BMRB (2.27 (a) above). 97 My experience as independent reviewer of terrorism legislation indicates tha t the universal exercise of intrusive powers (e.g. to require screening at an airport) is accepted by almost everybody, whereas the use of discretionary intrusive powers (stop and search; port detentions) may be perceived as r justifiably or not) to foment a sense of grievance in affected discriminatory and used (whethe communities. 98 Note however that the point is currently in dispute before the courts; and that it was ruled in the Liberty IPT case (though by reference only to ECHR case law) that the ex isting UK system for authorising interception warrants is unobjectionable: Liberty IPT Case, judgment of 5 December 2014, para 116(vi). 99 EU:C:2014:317. 91

98 CHAPTER 5: LEGAL CONSTRAINTS Following service providers and government agencies that hold 5.81. Google v Spain, communications data, are data controllers. They should be prepared to receive, and destruction. where appropriate agree, to requests for data Pending cases before the CJEU Two other cases, though not yet decided by the CJEU, should be mentioned: 5.82. (a) the case referred by the Irish High Court regarding the adequacy of the “ safe ” agreement under which data is transferred in bulk to harbour companies such as Facebook, where it is subject to less onerous data protection rules than in 100 the EU; and the pending opinion on the lawfulness of the EU (b) Canada agreement on sharing - air passenger data in bulk, referred to the CJEU by the European Parli ament 101 on 25 November 2014. 5.83. Both may shed further light on the attitude of the CJEU towards the sharing of bulk data. International Law 5.84. Principles of international law (with the exception of customary international law) cannot generally be relied upon in t he UK courts unless they have been incorporated 102 into UK domestic legislation. Treaty obligations are binding as a matter of international law; but the jurisprudence of public international law is less complete than that of the European courts, and adds l ittle to it. 5.85. Nonetheless, the reports of UN High Commissioners and Special Rapporteurs command respect, and may in the future be influential in establishing international norms. Treaty law 5.86. national Covenant on The principal relevant Treaty provision is Article 17 of the Inter [ICCPR] : Civil and Political Rights 1966 “1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. 100 362/14 Case C - Schrems v Data Protection Commissioner . 101 pnr https://edri.org/eu - canada - agreement - on - - referred - to - the - cjeu - whats - next/ . For EU law on data surveillance and sharing, see C. Murphy, - Terrorism Law (2012), chapter 6. EU Counter 102 R (SG and others) v Secretary of State for Work and Pensions [2015] UKSC 16, per Lord Reed at para 90. In an interesting dissenting opinion, Lord Kerr at paras 235 - 257 challenged this “ constitutional orthodoxy ” on the basis that “ If the government commits itself to a stan dard of human rights protection, it seems to me entirely logical that it should be held to account in the courts as to its actual compliance ”. with that standard 92

99 CHAPTER 5: LEGAL CONSTRAINTS e right to the protection of the law against such 2. Everyone has th interference or attacks.” The ICCPR was referred to in the recent report of Ben Emmerson QC: 5.91 below. UN High Commissioner for Human Rights 5.87. In December 2013, the General Assembly of the United Nations ad opted Resolution 68/167 concerning the right to privacy in the digital age. It notes that “ unlawful or arbitrary surveillance and/or interception of communications, as well as unlawful or arbitrary collection of personal data [are] highly intrusive acts [ that] violate the rights to privacy and to freedom of expression and may contradict the tenets of a democratic society .” The Resolution calls on states to act in accordance with international law and to establish effective oversight, to respect the right to privacy and to review their current mechanisms of surveillance. 5.88. The Resolution requested the UN High Commissioner for Human Rights, Ms Navanethem Pillay, to submit a report on the protection and promotion of the right to 103 shed on 30 June 2014. Drawing on the work of the privacy. That Report, was publi Human Rights Committee, the Commissioner stated, in language familiar from the European case law: “Where there is a legitimate aim and appropriate safeguards are in place, a State might be allowed to engag e in quite intrusive surveillance; however, the onus is on the Government to demonstrate that interference is both necessary and proportionate to the specific risk being addressed.” llance She went on to apply that reasoning to what she called mass or bulk survei programmes, pointing out (para 25) that: “... it will not be enough that the measures are targeted to find certain needles in a haystack; the proper measure is the impact of the measures on the her the measure is haystack, relative to the harm threatened; namely, whet necessary and proportionate.” UN Special Rapporteur The UN Special Rapporteur on the promotion and protection of fundamental rights 5.89. and human freedoms while countering terrorism, Ben Emmerson QC, wrote about the 104 ual report in September 2014. subject in his fourth ann He stated that “ the use of mass surveillance technology effectively does away with the right to privacy of communications on the Internet altogether”, and argued (at paras 12 - 14) that given the scale of the interference with privacy, the corresponding public policy benefit must be very substantial. 5.90. He also suggested (at paras 42 - 43) that laws which distinguish between internal and external communications, either by reference to physical location as in the UK or 103 The right to privacy in the digital age , (June 2014), A/HRC/37. 104 A/69/397. 93

100 CHAPTER 5: LEGAL CONSTRAINTS in the United States, are unlawful. He stated that Article 26 of the citizenship as to afford the same privacy ICCPR, prohibiting discrimination, requires all States “ protection for nationals and non - nationals and for those within and outside their jurisdiction 62). If so, the ICCPR may impose more onerous obligations than ” (para the ECHR, which protects only those within the jurisdiction of its contracting States, including areas outside their borders over which they have effective control. 5.91. Both the Human Rights Com missioner and the Special Rapporteur were extremely - ranging wary of bulk data collection, and emphasised the difficulties in justifying wide intrusions into privacy. Like the European Courts, however, neither went so far as to suggest that it was inherent ly incapable of justification, given sufficient and effective 105 safeguards. 105 Emmerson suggested that the justification would have to be “ compelling ”: ibid. , para 9. Pillay sounded a similar note, arguing that stronger and more robust procedural safeguards are required to prevent arbitrary interference with the right to privacy: The right t o privacy in the digital age , (June 2014), A/HRC/37, para 15. On the other hand, she did suggest that mandatory data retention “ appears ”: para 26. neither necessary nor proportionate 94

101 6. POWERS AND SAFEGUARDS It is illegal to intercept communications, or to obtain certain information about the use 6.1 1 of made of a telecommunications service, without the consent However, the user. exceptions to this rule. This C hapter explains the Parliament has allowed a number of current legal basis on which public authorities may collect and analyse people’s communications, or records of their communications. Chapter 7 des cribes how the provisions set out below are implemented in practice. Key concepts The basic distinction that governs the operation of the law in this area is the difference 6.2. between interception and communications data. Interception 2 6.3. lection of communications in the course of transmission. RIPA Interception is the col contents of the communication [are provides that an interception takes place when “ made] available while being transmitted to a person other than the sender or intended 3 ication ” recipient of the commun The key word “ content ” is not defined in RIPA. Rather RIPA defines communications data, as set out below. Data that are not treated as content. Interception might consist of a wiretap communications data are on a telephone line or the gatherin g of emails or text messages in the course of transmission along communications cables. It makes available to the reader the contents of that communication and also the data relating to that communication 4 (related communications data) . s: 2(7) 6.4. RIPA s provide “For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is u sed for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it.” 6.5. in the course of transmission ” when it is Therefore, perhaps surprisingly, an email is “ stored on a server. That view was affirmed by a r ecent decision of the Court of Appeal, which held that obtaining access to voicemails stored on a telephone is an 5 interception. As a result, certain techniques that provide access to the contents of stored communications, such as CNE or the hacking of cl oud storage systems , may involve the interception of communications, which may be authorised by the various 6 statutory powers set out below. 1 RIPA ss1 (1) and (2); Wireless Telegraphy Act 2006 [WTA 2006] ss48 (1 ) and (4). 2 RIPA s1(1). 3 RIPA s2. 4 See the definition of related communications data in RIPA s20. 5 R v Coulson and another [2013] EWCA Crim. 1026. 6 By way of example, CNE or hacking might be authorised under ss5 or 7 ISA 1994. 95

102 CHAPTER 6: POWERS AND SAFEGUARDS Communications data 6.6. Communications data are data about use made of a telecommunications or postal he contents of the communications themselves. Unlike intercept ed service but not t material, communications data do not necessarily have to be collected when 7 in the course of its transmission ”. correspondence is “ Communications data are generally obtained retrospectively from a service provider that retains that information (such as a mobile phone company), though when intercept ed material is collected in the course of transmission, the related communications data are also collected. RIPA divides communications data into three categories: Traffic data which identifies the person, apparatus, location or address to or (a) from which a communication is transmitted, and information about a computer file or program that has been accessed or run in the course of sending or 8 Traffic data includes such matters as the geodata receivin g a communication. (or location data) produced by mobile phones on the move, as they , communicate w ith base stations ( cell - site data) and private WiFi networks information on servers visited together with . The applicable Code of Practice s Resource Locators [url] states that website addresses or Uniform to the first slash e.g. https://www.google.co.uk are traffic data. On that basis the page , https://www.google.co.uk/#q=url+meaning address beyond the fir st slash, e.g. 9 IP addresses are traffic data when they are allocated dynamically is content. 10 or temporarily to enable a communication to be routed. Ser relating to the use of a particular telecoms service. I t vice use information (b) is usually held by a service provider and records how many times and when a person made use of that service as well as which services they have used, such 11 A simple example is an itemised phone bill. nloaded. as amounts of data dow Subscriber information is all other information that the service provider holds (c) about the person that uses the service. It covers the details that a customer provides to the service provider such as t heir address, telephone number or email address, but may include e.g. bank account data and personal information 12 up. - requested at sign 6.7. The three categories are assumed to be in descending order of intrusiveness, as may in which the law treats them differently. Thus: be seen from the (limited) respects 7 RIPA s1(1). 8 RI PA ss21(4)(a) and 21(6). 9 Acquisition Code, para 2.20: “ traffic data may identify a server or domain name (web site) but not a web page .” As pointed out by IOCCO there is a degree of ambiguity here, arising out of the absence of any definition of “ tent ” within RIPA. IOCC Submission to the Review, paras 3.2.6 and 3.2.7. con 10 Ibid . The Acquisition Code provides at 2.26 and fn 42 that dynamic IP addresses may be stored by a service provider in conjunction with subscriber information, in which case it w ould need to be treated as subscriber information, not traffic data. 11 RIPA ss21(4)(b) and 22(4). 12 RIPA s21(4)(c). 96

103 CHAPTER 6: POWERS AND SAFEGUARDS (a) Certain public authorities (including local authorities) are entitled only to request 13 service use information and subscriber information. Even bodies which are entitled to all three categories may be bound by different (b) authorisation requirements: for example, a designated police inspector may request subscriber information, whereas a request for service use data and 14 traffic data must be authorised by a superintendent. I return to the The categorisation has been criticised as obscure and unsatisfactory: 6.8. poin t at 14.12 and Recommendation 12 below. Powers outside RIPA 6.9. The current statutory framework governing investigatory powers has developed in a . However, it is convenient piecemeal fashion. The critical piece of legislation is RIPA first to introduce a number of other parallel statutes that authorise interception and the acquisition of communications data, but without (as a rule) the same degree of attention, analysis and oversight that is given to RIPA. RIPA itself makes clear that it 15 does not supplant those other frameworks. The Government expressed its intention some time ago to streamline the various statutory mechanisms via which data may be 16 obtained. Non RIPA interception - 6.10. Apart from RIPA, WTA 2 006 is the key statute allowing for the interception of 17 communications. Sections 48 and 49 grant the Secretary of State and the Commissioners of Revenue 6.11. and Customs a very broad power to authorise the interception of wireless or other communications. I nterception must be necessary for a series of statutory purposes, including prevention of crime and disorder or the interests of national security. It must also be proportionate to the objective sought. The authority to intercept may be granted to any pe rsons that the designated authority considers appropriate and for such time as the designated authority considers appropriate. The warrant must be issued by hand. The ISC reports that the Foreign Secretary has issued a single 18 f GCHQ’s activities under the WTA 2006. authorisation covering all o 6.12. The relationship between WTA 2006 and RIPA is somewhat op aque. There is no operational distinction between the two statutes. RIPA grants the power to interfere 13 The Regulation of Investigatory Powers (Communications Data) Order 2010 (SI 480/2010). 14 Ibid . Schedule 1. 15 See for example s1(5)(c) w hich provides that interception in relation to stored communications has “ lawful authority ” if undertaken under “ .” See also s80 which provides that nothing in RIPA any statutory power “ should be construed as making it unlawful to engage in any conduct that would not be unlawful apart from this Act .” 16 Home Office Review of Counter - Terrorism Powers, (CM 8004) (January 2011), p. 29. 17 In addition, the interception of prisoners’ communications takes place under a series of Prison Service Instructions (see s 7 of the 2013 Annual Report of IOCCO). RIPA s4(4) provides that conduct that takes place in a prison is authorised by RIPA if it is conduct in exercise of any power conferred by or under any rules made under the Prison Act 1952 s47, the Prisons (Scotland) Act 1989 s39 or the Prison Act (Northern Ireland) 1953 (prison rules) s13. 18 ISC Privacy and Security Report, para 177. 97

104 CHAPTER 6: POWERS AND SAFEGUARDS ry broadly as a system “ for the with telecommunications systems, which are defined ve purpose of facilitating the transmission of communications by any means involving the 19 - magnetic energy .” WTA 2006 s 48 may be used as a basis use of electrical or electro to obtain information “ whether to authorise the use of wireless telegraphy apparatus .” In pri sent by means of wireless telegraphy or not nciple, at least, both RIPA and 2006 might be used to intercept the same communications. WTA As to the exercise of those powers, WTA 2006 ss 49(2)(a) and (b) provide tha t it may 6.13. not provide a basis for conduct that would be an offence under RIPA ss1(1) or (2), if engaged in without lawful authority. GCHQ considers this to be a reference to the definition of “lawful authority ” in RIPA s1(5). Any interception under WTA 20 06 is not 20 lawful if it could also have been carried out under RIPA Part I Chapter 1 . The position is clearer regarding the use of WTA 2006 to authorise access to 6.14. communications data. WTA 2006 s49(2)(c) provides that an interception authority may not be g iven where it authorises conduct that could be authorised under RIPA 21 Part I Chapter 2. 6.15. A number of powers enable the contents of emails to be obtained when they are stored on a mobile phone or c might be described as powers to omputer. In theory, they “ in tercept ” communications located on a server. However, it makes more sense to describe them as mechanisms by which lawful access may be granted to view “ stored ”, as described in s1(5)(c) of RIPA: communications (a) search order for pri vate or commercial premises under A judge may authorise a PACE ] ss15 and 16 or the Supreme the Police and Criminal Evidence Act 1984 [ Courts Act 1981 s37. A search order will often include the right to access and remove files from the computers on site. Stored communications ma (b) y also become available as a result of a production order requiring an individual to provide a phone, computer or certain physical files. The power to make production orders is set out in a number of different statutory provisions, many of which deal with specific types of crime such as drug trafficking or terrorism. PACE Schedule 1 also sets out a general power for the police to issue a production order where they suspect an indictable offence has been committed and a series of other conditions have been met. The (c) provides an exception to the general requirement of Terrorism Act 2000 judicial authorisation. Schedule 7 to that Act grants port officers (generally the police) a broad power to require persons passing through ports or airports to provide thei r property – including a telephone or laptop – without judicial authorisation. That property may be retained for up to a week, but information 19 RIPA s2(1). 20 One alternative reading would be that the WTA 2006 itself provides the “lawful authority” for conduct outside of RIP A and that it may be relied upon to intercept material that could also have been intercepted under RIPA. 21 Similar provision is made in the WTA 2006 s49(2)(d) with regard to conduct that is capable of authorisation under RIPA Part II. 98

105 CHAPTER 6: POWERS AND SAFEGUARDS downloaded is kept for much longer periods, pursuant to management of police 22 information guidelines. - Other n RIPA powers on There are a number of other statutes that grant powers to public authorities and law 6.16. enforcement agencies to interfere with telecommunications in some sense. One of the the Telecommunications Act 19 84 [TA more important of those powers is set out in Section 94 grants the Secretary of 1984] directions of a s94. State a power to give “ ” to an individual, to the extent that they are “ general character necessary in the territory interests of national security or relations with the government of a country or outside the United Kingdom. ” The Secretary of State must consider that the content of the direction is proportionate to the objective sought. 6.17. The backdrop to s94 is the breakup of BT’s monopoly of the telecoms market. The power to give directio ns was drafted into the Act that privatised the market. It is very broad in nature and imposes no limit the kinds of direction that may be given. There is nothing in the public domain concerning the use of that power and the exercise of the s94 power is In March 2015, not subject to any oversight or external supervision. [IOCC] Interception of Communications Commissioner the agreed formally to oversee directions under the T A 1984 s94, a task which he anticipated would require “ extra 23 echnical facilities) ”. staff (and possibly t 6.18. A number of public authorities are also authorised to gather (or require the gathering data that may include communications data or communications data of) . A table itself of those public authorities has been provided to me by th e Home Office and is located to this Report at be comprehensive or up to date. is not warranted to . That list Annex 6 But it is indicative, at least, of the wide range of powers available to a significant rent bodies that number of public authorities. It covers 46 diffe may require the production of data or communications data via 65 different statutory mechanisms. By Business Innovation and way of example, the list identifies that the Department for may secure access to such data under: Skills (a) t he Busin ess Protection from Mislea ding Marketing Regulations 2008; (b) the Companies Act 1985; (c) t he Con sumer Credit Acts 1974 and 1985; (d) the Consumer Protection Act 1987; (e) onsumer Protection from Unfair Trading Regulations 2008; c (f) he Copyright Desig n and Patents Act 1974 and 1988; t (g) t he Enterprise Act 2002. 22 See D. Anderson, The Terrorism Acts in 2013 , July 2014, Annex 2 and Annex 3. 23 , (March 2015), para 10.4. IOCC Report 99

106 CHAPTER 6: POWERS AND SAFEGUARDS 6.19. I am informed that many, but not all, of those powers will be removed following the 24 bringing into force of the Consumer Rights Act 2015. The powers in (b) and some of those in (c) will remain on the statute book. Thre e important general observations arise in connection with non 6.20. RIPA investigatory - powers: There is little or nothing in the public domain that explai ns how frequently (a) (if at all) they are used . (b) It appears that at least some (perhaps many) Agencies and Depa rtments exercise these powers without any published Code of Practice in place. - RIPA powers, the position is a (c) As to the exercise of concurrent RIPA and non little clearer in respect of communications data than it is in relation to intercept . The Acquis ition Code states (at para 1.3) that public authorities ion should not use other statutory powers to obtain communications data from a postal or telecommunications operator unless that power explicitly provides that they may obtain communications data (or they are authorised to do so by a warrant or order from the Secretary of State or a person holding judicial office). DRIPA 2014 s1(6)(a) also states that a service provider must not disclose data retained under DRIPA 2014, except under RIPA Part I Chapter 2 o r as provided by regulations. 6.21. I set out my recommendations concerning consolidat ion and reform in this area at below. and Recommendations 1, 6 and 7 13.31 - 13.34 Other intrusive capabilities Surveillance, interference and CHIS The security and intelligence 6.22. and police also have available to them a agencies number of other intrusive capabilities such as intrusive and directed surveillance, interference with property, and CHIS. Those capabilities are provided for by RIPA Part II, Regulation of Investigatory Po wers (Scotland) Act 2000 [RIP(S)A] and Police Act 1997 and are the subject of regular review by the ISCommr and OSC. 6.23. Those capabilities do not form part of the principal subject - matter of this Report , - though a number of them are referred to for the purpos es of comparison at 8.4 8.34 below. CNE But deserving of mention here is CNE (hacking, in common parlance), which may be 6.24. , amongst other things, under carried out in order to access stored communications 25 ISA 1994 ss5 and 7. 24 See in particular Schedule 6. 25 See also 7.62 - 7.65 below. Accessing stored communications may be an interception, for the purposes out at 6.4 6.5 above. - of RIPA, as set 100

107 CHAPTER 6: POWERS AND SAFEGUARDS ISA 1994 s5 gives the Secretar 6.25. y of State the power to issue warrants authorising MI5, MI6 and GCHQ to interfere with property in quite general terms. The interference must be proportionate to its objective and the material obtained must be used in carrying 26 c i es’ function s. CNE was avowed for the first time by the Government, out those agen 27 in February 2015, by the publicati raft Equipment Interference Code. This on of the D makes clear that Equipment may include, but is not limited to, “ computers, servers, 28 nes and other devices .” routers, laptops, mobile pho It supplements the existing Covert Surveillance and Property Interference Code. MI6 and GCHQ may both obtain authorisation, pursuant to ISA 1994 s5, to carry out 6.26. equipment interference, such as hacking, in pursuit of their statuto ry functions, except where the property is in the British Islands and the purpose is the prevention or detection of serious crime. MI5 may also obtain s5 warrants in pursuit of its statutory aw enforcement and the functions, although where the function is to act in support of l property is in the British Islands, the warrant may only be authorised in order to secure 29 MI5 ma y further the prevention or detection of what amounts to a serious crime. undertake activity under ISA 1994 s5 in support of MI6 or GCH Q. 30 ISA 1994 s7 ( which has been referred to as the “ James Bond clause ”) 6.27. provides a power for the Foreign Secretary to authorise GCHQ or MI6 to carry out acts outside the British Islands that might otherwise be criminal offences or give rise to civil liabi lity. GCHQ had five s7 class - based authorisations in 2014, removing liability for activities including those associated with certain types of intelligence gathering and interference 31 with computers, mobile phones and other types of electronic equipment. MI6 had eight class - based authorisations, removing liability for activities such as the identification and use of CHIS, directed surveillance and interference with and receipt of property and documents, and may seek further ministerial authorisations in re spect 32 of specific operations. 6.28. The Draft Equipment Interference Code requires that an application should set out: (a) the identity or identities, where known, of those who possess or use the equipment; (b) sufficient information to identify the equipment; 26 ISA 1994 s5. The requirement that the Secretary of State consider the interference is proportionate and necessary was added by RIPA. MI6’s functions include obtaining and providing information relating to the actions and intentio ns of persons outside the British Islands and to perform other tasks relating to the actions or intentions of such persons (ISA 1994, s1(1)). MI5’s functions are to protect national security against espionage terrorism and sabotage from the actions of age nts of foreign [SSA 1989] powers and also prevention of serious crime in the UK (Security Service Act 1989 , s1). GCHQ’s functions are first to monitor or interfere with transmissions and to provide information about them and second to provide advice and a ssistance about languages and information security to the armed forces, the Government and other authorised organisations (ISA 1994, s3). 27 The Home Office have already published a Covert Surveillance and Property Interference Code of Practice urveillance and Property Interference Code] . [Covert S 28 fn 6, p. 5. 29 ISA 1994 s5(3B). 30 ISC Privacy and Security Report, para 236. 31 Ibid. , para 234. 32 , para 233. Ibid. 101

108 CHAPTER 6: POWERS AND SAFEGUARDS the natu re and extent of proposed interference; (c) (d) what the operation is expected to deliver; (e) details of collateral intrusion; (f) whether confidential or legally privileged material will be obtained; (g) details of the offence or suspect offence; ria are met; (h) how the authorisation crite (i) what measures will be put in place to ensure proportionality is maintained (e.g. filtering, disregarding personal information); (j) where it is an urgent application, the supporting justification; (k) any action which may be necessary to install, modi fy or remove software on the equipment; and 33 (l) in the case of renewal, the results obtained so far. 6.29. The Secretary of State must be satisfied, before authorising the application, that it is necessary and proportionate, take into account whether the informatio n could be obtained by other means and be satisfied that there are satisfactory arrangements in 34 force in respect of disclosure of any information obtained. Once the information is obtained, there must be internal arrangements in force 6.30. f those data. The disclosure, copying and retention of those data concerning the use o must be limited to the minimum necessary for the discharge of the Services’ functions. Those internal arrangements should be made available to the ISCommr. The material obtained, and all copies, should be destroyed as soon as they are no longer needed 35 for the discharge of the Services’ functions. 6.31. The Draft Equipment Interference Code sets out substantial additional protections for legally privileged and confidential information. If the i nterference is intended to obtain 36 such information, the application should say so expressly. If it is likely that such material will be acquired, inadvertently, the application should identify the steps which will be taken to mitigate the risk of acquiri ng it and to ensure that any information acquired does not become used in law enforcement investigations or criminal prosecutions. Where acquisition of legally privileged material is likely or the intended result of the interference, the warrant will only be issued in “ exceptional and compelling 37 .” circumstances 33 Draft Equipment Interference Code, para 4.6. 34 Ibid ., para 4.7. 35 Ibid ., para 6.10 . 36 Ibid. , para 3.5 37 - ., paras 3.5 3.7. Ibid 102

109 CHAPTER 6: POWERS AND SAFEGUARDS s 5 and 7 powers is not subject to review by the IOCC but 6.32. The exercise of ISA 1994 s rather by the ISCommr, whose latest two annual reports set out the total number of securi ty and intelligence agencies warrants obtained by the and the Ministry of Defence [MoD] (1,887 in 2013). It is not clear how many of those warrants were s5 warrants. 6.33. As to the relationship between CNE, carried out under ISA 1994 and interception or GCHQ under RIPA, the Draft Equipment I nterference Code provid es that if MI6 wishes to interfere with equipment that is overseas but the subject of the operation is known to be in the British Islands: “consideration should be given as to whether a section 8(1) interception warrant or a section 16(3) certification (in relation to one or more extant section 8(4) warrants) under the 2000 Act should be obtained.” It does not elaborate on what factors should be taken into account in the course of that .” consideration “ RIPA powers RIPA inte rception The primary statute, pursuant to which telecommunications can be intercepted or 6.34. communications data obtained, is RIPA. As set out above, RIPA sets out different mechanisms for the authorisation of interception and acquisition of communications d ata. RIPA s71 requires the Secretary of State to publish guidance concerning the use and 6.35. exercise of RIPA powers. Currently, this includes the Interception Code, the new the Retention of Communications Data Code of Practice Acquisition Code and 38 Code] , laid before Parliament in March 2015. [Retention Furthermore, the Home Office is consulting on a Draft Equipment Interference Code, which will regulate a specific area within the existing Covert Surveillance and Property Interference Code. Interception Code. is also consulting on a Draft The Home Office 6.36. The primary means by which an interception may be authorised under RIPA is via a warrant, issued under s5 and signed by a Secretary of State or Scottish Minister in person. The Secretary of State must belie ve that the warrant is necessary on grounds of national security, preventing or detecting serious crime, safeguarding the economic 39 - UK or for the purpose of giving effect to an international agreement. well being of the 6.37. The Secretary of State must also bel ieve it is necessary and proportionate to the objective sought. That dual requirement of necessity and proportionality is a direct 38 As well as a Covert Surveillance and Covert Human Intelligence sources Code of Practice, not directly relevant to this Review. 39 RIPA s5(3). 103

110 CHAPTER 6: POWERS AND SAFEGUARDS import from the Article 8 case law of the ECtHR concerning the right to respect for 40 private life. 6.38. The power to apply for a warrant to intercept communications under RIPA is limited to the following organisations: (a) MI5, MI6 and GCHQ; (b) the NCA; (c) the Metropolitan Police Service [MPS] , Police Service of Northern Ireland [Police Scotland] [PSNI] and Police Service of Scotland ; (d) nd HMRC; a the MoD. (e) Public authorities that are not authorised to obtain an interception warrant may ask the 6.39. UK Central Authority, within the Home Office, to apply for a warrant on their behalf. The UK Central Authority then follows its normal procedures, as set out under RIPA. Interception can also happen at the request of an overseas legal authority through Mutual Legal Assistance Treaty [MLAT] arrangements. But this is an extremely rare occurrence. Such a request would be examined and authorised as if it wer e a domestic request. With very few exceptions, material obtained under an interception warrant is not 6.40. 41 admissible as evidence in UK courts. The Secretary of State may also impose restrictions on the use of material provided to overseas governments. I a m informed by the Home Office that that is likely to include a request that the material is not used in evidence. If one or both parties to a communication consent to its interception, a warrant is not 6.41. needed. If only one party consents, approval is need ed in line with the arrangements Warrants are also not required for for a surveillance operation under RIPA Part II. interception in prisons and for certain permitted business purposes, such as the 42 prevention of fraud. Targeted warrants RIPA s8 distingui shes between two different kinds of warrant that may be granted. 6.42. one person Warrants issued under s8(1) are targeted, as they must describe either “ a single set of premises or “ ” where the interception is to as the interception subject” take place under ss 8(1) and (2). In practice, thematic warrants are sometimes issued under s8(1), which cover “ any organisation or any association or combination of 40 For a fuller discussion see 5.18 - 5.24 below. As set out there, the interference must also be “ in accordance with the law ”. 41 RIPA ss17 - 18; and see further at 9.16 - 9.18 below. 42 Prison Rules, National Security Framework, Function 4 and The Telecommunications (Lawful Business Practice) (Interception of Communications ) Regulations 2000 s3. 104

111 CHAPTER 6: POWERS AND SAFEGUARDS persons .” This interpretation of s8(1) was first avowed in the ISC Privacy and Security 43 Report in March 2015 . 6.43. Section 8(1) warrants may authorise the interception of communications between two people in the British Islands, the communications of known individuals who are communicating outside the British Islands or between two persons overseas. 6.44. The Interception Code sets out the elements that a s8(1) warrant application must 44 contain. They include: the background to the operation in question; (a) (b) the person or premises to which the application relates (and how the person or premises feature in the operation); a de scription of the communications to be intercepted, details of the service (c) provider(s) and an assessment of the feasibility of the interception operation where this is relevant; (d) a description of the conduct to be authorised or the conduct (including the int erception of other communications not specifically identified by the warrant as foreseen under RIPA s5(6)(a)) as it is necessary to undertake in order to carry out what is authorised or required by the warrant, and the obtaining of related communications d ata; an explanation of why the interception is considered to be necessary under the (e) provisions of RIPA s5(3); a consideration of why the conduct to be authorised by the warrant is (f) proportionate to what is sought to be achieved by that conduct; (g) a considerat ion of any unusual degree of collateral intrusion and why that intrusion is justified in the circumstances. In particular, where the communications in question might affect religious, medical or journalistic ations between a Member of confidentiality or legal privilege, or communic Parliament and another person on constituency business, this must be specified in the application; (h) where an application is urgent, supporting justification; and (i) an assurance that all material intercepted will be handled in accord ance with the safeguards required by RIPA s15. Bulk warrants 6.45. Warrants issued under s8(4), often termed “ external ” warrants, authorise interception of communications where one or both of the senders or recipients of a communication 43 ISC Privacy and Security Report, paras 42 - 5. 44 Interception Code, para 4.2. 105

112 CHAPTER 6: POWERS AND SAFEGUARDS 45 British Islands. are located outside the Large volumes of data are carried around the world via fibre - optic cables and satellites. Section 8(4) warrants may be used to authorise the interception of all communications transmitted on a specified route or 46 articular service provider. cable, or carried by a p 47 A s8(4) warrant application should specify: 6.46. (a) the background to the operation in question; (b) a description of the communications to be intercepted, details of the service providers and an assessment of the feasibility of the ope ration where this is relevant; (c) a description of the conduct to be authorised which must be restricted to the interception of external communications, or to conduct necessary in order to intercept those external communications, where appropriate; (d) the certif icate that will regulate examination of the intercepted material; (e) an explanation of why the interception is considered to be necessary for one of the RIPA s5(3) purposes; (f) a consideration of why the conduct to be authorised by the warrant is proportionate t o what is sought to be achieved by that conduct; (g) a consideration of any unusual degree of collateral intrusion, and why that intrusion is justified in the circumstances. In particular where the communication might affect religious, medical or journalistic confidentiality or 48 legal privilege, this must be specified in the application; (h) where the application is urgent, supporting justification; an assurance that intercepted material will be read, looked at or listened to only (i) meets the conditions of RIPA ss16(2) - (6); and so far as it is certified and it (j) an assurance that the material intercepted will be handled in accordance with the safeguards required by RIPA ss15 and 16. 6.47. GCHQ currently only has the capacity to intercept the data travelling through a small p ercentage of the 100,000 bearers, including undersea cables, which make up the 49 global communications core infrastructure. Section 8(4) warrants play a strategic role in setting out which of these bearers are to be intercepted. They are issued by 45 RIPA s20. 46 See Charles Farr’s witness statement of 2014 in the Liberty IPT Case : [Charles Farr Statement] https://www.privacyinternational.org/sites/privacyinternational.org/files/downloads/press - releases/witness_st_of_charles_blandford_farr.pdf , para 139. 47 Interception Code, para 5.2. 48 The Draft Interception Code does not contain this requirement but does contain fuller provisions concerning the protection of confidential communications overall. 49 ISC Privacy and Security Report, para 27. 106

113 CHAPTER 6: POWERS AND SAFEGUARDS eign Secretary to GCHQ and provide the legal basis for GCHQ’ s bulk the For interception capability. 6.48. Large volumes of material may be intercepted pursuant to a s8(4) warrant and thus become available for examination. At the same time as issuing a warrant, the Secr etary of State must issue a certificate that describes the material that may be examined within that wider body of data. The certificates reflect the Priorities for Intelligence Collection [PIC] that are approved annually by the National Security after consideration by the Joint Intelligence Committee (the part of the Council Cabinet Office responsible for directing the security and intelligence agencies ). The Secretary of State must be satisfied that it is necessary and proportionate to select and examin e the data set out in the certificate. As the ISC said of these certificates in its recent report: 6.49. “We note that the categories are expressed in very general terms. For example: Material providing intelligence on terrorism (as defined by the Terrorism A ct ‘ 2000 (as amended)), including, but not limited to, terrorist organisations, 50 - raising .’” terrorists, active sympathisers, attack planning, fund As a result, very large volumes of communications may be both intercepted and examined under a s8(4) warrant, though GCHQ’s safeguarding and compliance mechanisms, and limitations on storage capacity, limit what can be actively processed 51 or used. , and GCHQ wishes to select for examination UK If an individual is known to be in the 6.50. his external communications, the Foreign Secretary may add his name to the certificate associated with the s8(4) warrant. In reality, most individuals in the UK who are of interest to the intelligence services are subject to a s8(1) warrant that will 52 authorise the interception of both t heir internal and external communications. 6.51. In summary, the boundary between targeted and bulk warrants is comparatively clear. A targeted warrant must be directed at a person (or association of persons) or premises and it must include schedules setting out the factors to be used to identify the communications to be intercepted. A bulk warrant must be targeted against external communications and is not required to include schedules that identify the communications to be sought. However, it must be accom panied by a certificate from the Secretary of State issued in accordance with ss8(4) and 16(3). ” and “ external 6.52. T he boundary between “ internal s is less ” communication OSCT’s interpretation was, as set out in the Charles Farr Statement, straightforward. tha t: 50 ISC Privacy and Security Report, para 101. 51 For a fuller discussion of some of the process adopted by GCHQ in respect of data analysis see: IOCC Report, (March 2015) para 6.37 - 40. 52 to additional coverage of their Though individuals targeted under a s8(1) warrant may also be subject external communications under a s8(4) warrant. 107

114 CHAPTER 6: POWERS AND SAFEGUARDS Two people in the who email each other are engaging in internal (a) UK communication, even if they use an email service which is housed on a server in the United States. The fact that the communication travels via a server overseas does not make it externa l, but it may well be collected under a warrant 53 targeting external communications. A person in the UK who communicates with a search engine overseas is (b) communicating with a server overseas and engaging in an external communication. Likewise a person wh o posts a public message such as a tweet or Facebook status update, is sending an external communication unless all the 54 recipients of that message are within the British Isles. This was not clear prior to the publication of Mr Farr’s statement. Some ha ve considered those distinctions counter - intuitive: for example, many people might not consider a Google search to be a communication at all, let alone an external communication. 6.53. s are Further potential confusion follows from the fact that internal communication der external warrants. RIPA s5(6) allows the collection of information that collected un is not specified in the warrant, if it is necessary in order to collect the information that 55 is specified in the warrant. As explained in the Charles Farr Stat ement, it is inevitable that there is “ by - catch ” of internal communications because s8(4) bulk interception 56 takes place at the level of communications cables. It is generally accepted t hat the collection of such material cannot be avoided . 6.54. As the IPT no ted, in a recent judgment concerning the s8(4) framework, in practical heavy lifting” terms it is s16 of RIPA that must do the “ when it comes to the distinction 57 between internal and external communications. ect of material intercepted pursuant to sets out the extra safeguards in resp 6.55. Section 16 a s8(4) warrant. In order to be examined, material must fall within the Secretary of State’s certificate and it must not be selected according to a factor that is “ referable to an individual who is known for the tim e being to be in the British Islands” and the purpose of which is to identify his communications (s16(2)). 6.56. However, ss16(3) - (5) provide for two exceptions to that position: (a) The external communications of a person known to be in the British Islands may be s elected for examination if the Secretary of State certifies that that is necessary for the purposes of national security, the prevention or detection of serious crime or protecting the economic wellbeing of the UK: s16(3). In practice the Foreign Secretar y approves one or more lists of such targets every six months, though he can add names at any time. based individuals Most UK - who are subjects of interest to the or law security and intelligence agencies 53 Interception Code, para 5.1; Charles Farr Statement, para 128. 54 - Charles Farr Statement, paras 134 137. 55 The same provision also applies to internal warrants. “ Collateral” material may be gathered where it is technically necessary in order to carry out the s8(1) warrant. 56 Para 139. 57 Liberty IPT Case, judgment of 5 December 2014, para 101. 108

115 CHAPTER 6: POWERS AND SAFEGUARDS ssued by the relevant enforcement are however targets of s8(1) warrants i Secretary of State, which will authorise the interception of all their communications, where necessary with the assistance of GCHQ. (b) If the person to whom the warrant is addressed concludes that there has been a relevant change of cir cumstances, in essence that the individual has now entered the British Islands, the material may still be selected for a brief period allowed for the selection of of time. The short window of five days that is provide s material under RIPA s16 the opportun ity to obtain a certificate from the Secretary of State that the examination of that material is necessary (ss16(4) - (6)) or to obtain a s8(1) warrant to intercept all of their communications. 6.57. The practical consequence of this is that: (a) Some internal commun ications are unavoidably intercepted under warrants for the interception of external communications. (b) Material intercepted under external warrants is subjected to computer - based selection (for example by reference to simple selectors such as email addresses or telephone numbers, or using complex selectors based on a combination of factors) in order to find items of intelligence interest. Items may not be selected for reading by reference to an individual known to be in the British Islands , where is the identification of that person’s communications. the purpose (c) However internal communications may be read if:  they are selected to be examined by reference to another factor (although GCHQ inform me that they may not use this route in order to deliberately seek access to internal communications and that it is unlikely to occur in practice); or  the Secretary of State certifies that it is necessary to select and examine a person’s communications (pursuant to s16(3)) and those 58 mmunications. communications include some internal co (d) Where the original intention is to obtain internal communications, a s8(1) warrant will be sought. 6.58. Furthermore, there are no restrictions on the examination of communications data lected under a s8(4) relating to internal communications that are incidentally col warrant. That material may be examined, if it can be shown to be necessary and proportionate to the purposes of the examining authority. 6.59. The proportionality of the mechanisms employed pursuant to s8(4), and the sufficiency guards set out in s16, are currently the subject of a challenge before the of the safe 58 As noted by the ISC Privacy and Security Report, paras 113 - 115, GCHQ does not al ways apply for s8(1) warrants in relation to the communications of individuals in the UK, although GCHQ considers that the process for modifying s16 certificates provides equivalent safeguards. The ISC noted that the consideration of all of the elements that are necessary before a modification process does not require s8(1) warrant is sought. 109

116 CHAPTER 6: POWERS AND SAFEGUARDS in accordance with IPT. The Tribunal has already held that the s8(4) framework is “ the law ,” in the sense that it the manner in which it operates is sufficiently 59 How ever, the Tribunal is yet to rule on the proportionality of the foreseeable. ion under s8(4). methods deployed to carry out bulk intercept retained by service provider s RIPA access to communications data 6.60. C ommunications data are collected and held by service providers. They already hold data on their customers (subscriber information ) and will generate service use information and traffic data depending on their business model. That information is necessary in order to enable communications to be routed successfully and also for billing and marketing purposes. RIPA Part I Chapter 2 sets out the framework under which public authorities may seek access to the data held by the service providers. otice r up to a year on receipt of a n 6.61. Service providers may be required to retain data fo 2014 s1. The Retention Code provides from the Home Secretary, issued under DRIPA at para 3.3 that companies with larger customer bases are more likely to receive a n Other service providers are not compelled to retain data, but all servic e otice. providers are obliged to hand over data to a public authority when they receive a 60 request. Those data which might be required to be retained are set out in the 61 Schedule to the Data Retention Regulations . Companie s that have received a n otice : data including may be a sked to retain the sender or recipient of a communication (whether or not a person); (a) the time or duration of a communication; (b) the type, method, pattern or fact of a communication; (c) the telecommunications system (or any part of it) from, to o r through which, or by (d) means of which, a communication is or may be transmitted; and 62 the location of any such system. (e) 6.62. A voluntary code of practice, drawn up under the Anti - Terrorism Crime and Security Act 2001 [ATCSA 2001] , permits service providers to re tain other data not required under DRIPA 2014, such as phone cell data and the times at which emails are sent 63 and received. CTSA 2015 provided for the first time that service providers should generate and retain 6.63. data that they did not need for their own n 21 provides that business purposes. Sectio service providers may be required to retain data necessary to resolve IP addresses to an individual or device. In brief, that information enables public authorities authorised confirm which device was accessing particular to acquire communications data to 59 Liberty IPT Case, judgment of 5 December 2014. 60 RIPA s22(3A). 61 SI 2042/2014. 62 Retention Code, para 2.14. 63 - Terrorism, Crime & Security Act 2001: Voluntary Retention of Communications Data under Part 11 : Anti Code of Practice. 110

117 CHAPTER 6: POWERS AND SAFEGUARDS services at a particular point in time, though IP address resolution is still not possible in all cases. RIPA Part I Chapter 2 sets out the basis on which public authorities may seek and 6.64. obtain access to commu nications data. There are four major differences between the ion and to communications data: law as it relates to intercept The list of public authorities (a) which can obtain communications data is much longer: a total of 00 organisations as opposed to nine. about 6 (b) The list of grounds that can be used to justify access to communicati ons data longer. As well as national security, detecting crime or disorder and the is economic well being of the UK, communications data can be accessed on the - grounds of public s afety, public health, collecting taxes or preventing death or injury in an emergency. As with interception, those grounds are subjected to a 64 proportionality assessment. The content of the notice or authorisation does not need to be tightly defined (c) tricted to an individual. It only needs to describe the communications data or res 65 that are required. For example, an authorisation might describe the IP addresses of all users who have accessed a particular website or the phone ephoned a particular number. numbers of everyone who has tel (d) lies with the Secretary of State, whereas power to authorise intercept ion The [DP] authority to obtain communications data resides with a designated person at middle management level: for example a superintendent or inspector in the 66 G police, or a rade 7 in certain parts of the Civil Service. - authorisation. Generally 6.65. But that is not to say that the process is one of simple self speaking, the DPs (as prescribed by an order of the Secretary of State) work in Single Point of Contact [SPoC] . SPoCs fulfil two principal roles: conjunction with a (a) advising whether an application is appropriate, lawful and practical, and (b) providing a consistent and knowledgeable interface with the service providers. 67 Acquisition Code. The role of SPoCs is not set out i n statute, but in the 6.66. It is the responsibility of the DP, rather than the SPoC, to give approval to a request to obtain access to communications data. The DP must usually be independent of the investigation concerned and of the SPoC. L ocal authorities are in a somewhat different position. As a result of changes made 6.67. by the Protection of Freedoms Act 2012 , local authorities are required to [PFA 2012] apply to the magistrates’ court for that authorisation or requirement, which may then 64 RIPA s22(2). 65 RIPA s23(2)(b). 66 See RIPA s25(2). For a full list see Regulation of Investigatory Powers (Communications Data) Order 2010, Schedules 1 and 2. 67 0. 3.3 - Paras 3.19 111

118 CHAPTER 6: POWERS AND SAFEGUARDS 68 e forwarded to the service provider. T he application must now be made first to the b Fraud Network , a kind of external SPoC, which then forwards it - National Anti [NAFN] at 7.60 below. to the magistrates’ court . More detail is 69 The applicant applying for ac 6.68. cess to communications data must, in writing: provide the name or designation and the office, rank or position held by the (a) person making the application; include a unique reference number; (b) (c) include the operation name (if applicable) to which the applicatio n relates; (d) specify the purpose for which the data is required, by reference to a statutory purpose under s 22(2) of RIPA; (e) describe the communications data required, specifying where relevant, any (s); historic or future date(s) and where appropriate time period (f) describe whether the communications data relate to a victim, a complainant, a suspect, a next of kin, vulnerable person or other person relevant to the investigation or operation; (g) explain why the acquisition of that data is considered necessary and pr oportionate to what is sought to be achieved by acquiring it; and , the ( (h) consider any likely collateral intrusion and where appropriate describe , extent to which the privacy of any individual not under investigation may be infringed and why that intrusion is justified in the circumstances; ), consider, and where appropriate describe, any possible unintended (i) consequences of the application; and (j) identify and explain the time scale within which the data is required. rgency 6.69. Where approval is given orally in cases of u , retrospective written notification 70 should be given within one working day. 6.70. In each organisation the process of communications data acquisition and disclosure is overseen by a Senior Responsible Officer responsible for the oversight and integrity f the arrangements for acquiring and using communications data within their o 71 organisation. 68 See RIPA s23A. 69 Acquisition Code, para 3.5. 70 Ibid. , para 3.69. 71 , para 3.31. Ibid. 112

119 CHAPTER 6: POWERS AND SAFEGUARDS RIPA safeguards RIPA sets up a range of safeguards to ensure the proper collection, storage and use 6.71. afeguards do not of intercepted communications and communications data. Those s apply to the collection of information via the other routes identified above, which may be governed by their own safeguards such as the handling arrangements under the SSA 1989 and ISA 1994. 6.72. oncerning intercepted material: RIPA s15 contains a set of general safeguards c (a) The number of persons, copies and times that that information is shared is restricted to the minimum that is necessary (s15(2)). The Interception Code 72 makes clear that this applies to persons both within and outside the age ncy. As a result, data are only shared only on a “ need - to - know ” basis . Further disclosure requires either the originator’s permission or the application of explicit safeguards to the secondary recipients. s are not in the public Those safeguard 73 domain. (b) Material must be destroyed as soon as there are no longer any grounds for retaining it for an authorised purpose (s15(3)). (c) The material must be stored in a secure manner (s15(5)). 6.73. Unlike the position in relation to intercept ed material, RIPA places no res trictions on 74 the retention or use of communications data. Section 23(3) provides that a s24(4) notice to a service provider may require it to disclose data to another police force. However, further disclosure between authorities is not specifically addr essed either of Practice. within RIPA or the Codes 6.74. Therefore, the framework that largely or exclusively controls its use is the Data 75 the Secretary of State to issue [DPA 1998] Protection Act . But DPA 1998 s28 allows a certificate excluding material from the scope of the data protection principles and 76 from parts of the Act on national security grounds. I was informed by GCHQ that such certificates are sometimes issued by the Secretary of State but that they only exemp t the personal data held by it from t he obligation to comply with the first, second 77 and eighth (as well as part of the sixt h) data protection principles. 72 Interception Code, para 6.4. 73 Ibid. , para 6.5. 74 Unless that communications data is related communications data collected in association with an warrant. The Interception Code contains surprisingly little detail on the use such material. interception 75 The Criminal Procedure and Investigations Act 1974 and the Management of Police Information principles will also apply in the context of material obtained for the purposes of a criminal investigation. 76 Acquisition Code, chapter 7, addresses data use to some degree, though it is focused on the conduct of service providers, rather than the authority that has gathered the data. 77 ed to as to exempt the intelligence agencies from compliance with the fifth Those certificates are not draft and seventh principles and as a result data must not be kept for longer than is necessary, having regard subject to appropriate to the purposes for which it was obtained. Furthermore those data must be technical and organisational measures against unauthorised or unlawful processing of the data and accidental loss of the data in question. 113

120 CHAPTER 6: POWERS AND SAFEGUARDS Related communications data obtained pursuant to an interception warrant are treated 6.75. material. The s15 pri nciples, set out above, apply to ed in the same way as intercept that material. 6.76. But RIPA s16 only applies to intercepted material and not to related communications data, which may be selected and reviewed according to a factor which is referable to e being to be in the British Islands. an individual who is known for the tim Safeguards for confidential material RIPA itself offers no guidance concerning the treatment and handling of confidential 6.77. communications, such as those covered by LPP . The Interception Code offers some se questions. It states that, where it is likely that privileged guidance on tho communications will be intercepted, that should be stated on the face of the warrant application and weighed by the Secretary of State when determining whether or not to grant it. The Inter ception Code also states that caseworkers should be “ alert to any 78 intercept [ed] material which may be subject to legal privilege .” It does not state what steps should be taken if legally privileged material is identified. Similar guidance is rning the treatment of confidential personal information and journalistic given conce 79 material. The IPT declared in February 2015 t hat the UK Government’s regime for the 6.78. privileged interception, analysis, use, disclosure and destruction of legally 80 ravened ECHR Article 8 between 2010 and early 2015. communications cont That declaration was made following an admission by the Government to that effect. The new Acquisition Code and Draft Interception Code were published shortly afterwards. 6.79. The new Draft Interception Cod e expands on the protections afforded to confidential communications in the Interception Code. Where the interception is intended to intercept legally privileged communications, the Secretary of State must be satisfied exceptional and comp that there are “ elling circumstances that make the warrant 81 necessary Where such communications will be intercepted, although that is not .” the intention, the application for a warrant should identify the steps which will be taken 82 to mitigate the risk of obtaining legall Officials who examine y privileged information. intercepted communications should seek advice where there is any doubt concerning the privileged nature of the communication and any legally privileged material that is retained or disseminated must be acco mpanied by a clear warning that it is subject to 83 legal privilege. The Draft Interception Code sets out similar provisions in respect of journalistic or other confidential material but the threshold for access is not as high as 84 ivilege. that in respect of legal pr 78 Interception Code, paras 3.2 - 3.8 79 - Ibid ,. paras 3.9 3.11. 80 In the Belhadj IPT Case, the o rder in relation to which can be found at: https://www.judiciary.gov.uk/wp - - content/uploads/2015/02/belhadj - open - .pdf . order 81 Draft Interception Code para 4.8. 82 Ibid ., para 4.7 83 Ibid. , paras 4.12 - 4.14 84 4.25. - ., paras 4.19 Ibid 114

121 CHAPTER 6: POWERS AND SAFEGUARDS RIPA is silent in relation to communications data that may attract privilege. The 6.80. Acquisition Code states that communications data are not subject to professional infer an issue of sensitivity from the fact privilege but also that it may be possible to “ 85 that someone has regular contact with, for example, a lawyer or journalist .” In such special consideration” should be given to necessity and circumstances, “ 86 proportionality. In cases where an application is made for communications data in orde r to identify a journalist’s source, judicial authorisation must be obtained via the 87 In prac tice, it appears that the new Acquisition Code procedures in PACE. recognises that communications data may attract professional privilege and require special trea tment on account of its confidential nature. Data Sharing Within the UK 6.81. RIPA s15 requires that disclosure of intercept ed material is restricted to the minimum necessary for the authorised purposes set out in s15(4). arrant may only be read, looked at or listened 6.82. Material obtained pursuant to a s8(4) w to by any person if it is certified for examination by the Secretary of State (see the discussion of RIPA s16 at - 6.59 above). 6.54 6.83. The position in respect of communications data that have been acquired under RIPA is m at 6.71 above , material obtained on national security ore complex. As explained grounds may only be su bject to certain aspects of DPA 1998. In any event, it should not be retained for longer than necessary, having regard to the purposes for whi ch it lso apply to those with whom the data is shared. was obtained. That principle will a 6.84. here is no restriction equivalent to RIPA s15 on the sharing of raw communications T data within government: but it is not a common practice. I was told that C ommuni cations data, as well as interception product, will typically inform reports from the security and intelligence agencies . This analysed inte lligence i s circulated to Ministers, officials and others with the appropriate security clearance, who have a need to receive the information. Circulation of intelligence produc t is tightly controlled by the security and intelligence agencies , not just to meet the legal requirements of minimising intrusion but also to ensure that their sources and methods are given th e least exposure. Data from the UK 6.85. RIPA ss1 5(6) and (7) set out the restrictions on sharing I am informed by GCHQ that intercepted material with other states in circumstances where such exchange is requested under a mechanism such as MLAT. In essence, the Secretary of State must be satisfied that the receiving state will apply minimisation techniques “ to such extent (if any) as the Secretary of State thinks fit” (s15(7)(a)). 85 Acquisition Code, paras 3.72 - 3. 86 Ibid ., para 3.74. 87 ., para 3.78. Ibid 115

122 CHAPTER 6: POWERS AND SAFEGUARDS are considered before any that SSA 1989 s2(2) and ISA 1994 s4(2) 6.86. I am informed R IPA safeguards are engaged. In brief, information must not be shared unless that sharing is necessary for the purpose of the proper discharge of the security and intelligence agencies ’ functions. (3), 6.87. As to RIPA itself, information sharing (outside of MLAT) is governed by ss15(1) - which set out the general safeguards on information use (as described above). In brief, the Secretary of State must be satisfied that the number of persons to whom the data is disclosed and number of copies made are limited to th e minimum that is necessary and the material is destroyed as long as there are no longer any grounds for retaining it. As a result, in practical terms, the safeguards applying to the use of of State. There are no such data are entirely subject to the discretion of the Secretary further safeguards set out in the Interception Code. 6.88. RIPA itself imposes no limits on the sharing of communications data obtained from 88 service providers under RIPA Part II Chapter 1 with overseas governments. However, the Acquisi tion Code does provide some further information in respect of specific requests for information: (a) Communications data may be sought via an MLAT mechanism, whereby an overseas court or prosecuting authority formally requests material stored in the 89 UK. Thi s is considered by the UK central authority in the Home Office and, if accepted, passed to the appropriate public authority to action in line with the Code. Acquisition (b) requests for assistance to - judicia l Overseas authorities may also make non public autho . The UK authority must consider the necessity and UK rities in the proportionality of each case and may then obtain that data via its powers under RIPA. Before it acquires and transfers that data, the UK authority must consider whether the data will be a and may attach UK dequately protected outside the 90 conditions to the processing storage and destruction of the data. If the requesting state is within the EU, communications data can be disclosed (c) Commission has without consideration of further safeguards. The European also determined that certain countries (such as Canada and Switzerland) have adequate safeguards in place. In all other circumstances, the public authority 91 must consider whether the data will be adequately protected. (d) However, the Code r ecognises that “ there may be circumstances when it is necessary, for example in the interests of national security, for communications data to be disclosed to a third party country, even though that country does not 92 have adequate safeguards in place to pro tect the data. ” 88 Communications Data associated with intercepted material is governed by ss15(1) - (3). 89 Acquisition Code , paras 7.13 - 14. 90 Ibid ., paras 7.15 - 17. 91 Ibid ., paras 7.18 - 20. 92 ., para 7.21. Ibid 116

123 CHAPTER 6: POWERS AND SAFEGUARDS Data to the UK Prior to the recent Liberty IPT Case, there was limited concrete information in the 6.89. public domain concerning the safeguards that were applied to the receipt, in the UK, the Codes of Practice deal with of data from overseas governments. Neither RIPA nor security and this question at all. There are general constraints on the actions of the intelligence agencies . As MI5 argued before the IPT, it is only entitled to obtain 93 harge of its functions. ” Other information “ so far as necessary for the proper disc similar constraints arise out of ISA 1994 ss1 - , HRA 1998 s6 and the 4, DPA 1998 s4 94 . - Counter Terrorism Act 2008 s19 6.90. The ISC reported in 2013 that “ in each case where GCHQ sought information from the US, a warrant for inte rception, signed by a Minister, was already in place, in 95 accordance with the legal safeguards contained in [RIPA] In the course of the ”. security and intelligence agencies disclosed that data might, at Liberty IPT Case, the e obtained i least in theory, b Data may either be sought from n another scenario. overseas governments when : (a) an interception warrant had been granted authorising the interception of those communications but they could not be obtained under that warrant and it would 96 be necessary and p roportionate to obtain those communications; or (b) making the request does not “ amount to a deliberate circumvention of RIPA ”. For example, in circumstances where it is not technically feasible to obtain that material under RIPA, and it is necessary and pro portionate to gain access to it. A request of that kind should be personally considered by the Secretary of 97 The confirmed that this would only State . security and intelligence agencies take place “ the date in exceptional circumstances, and has not occurred as at 98 of this statement” . The IPT concluded that, prior to that disclosure, the regime that governed the receipt 6.91. of private communications from the US Government (obtained by the US Government 99 via UPSTREAM and PRISM) had not been “ in accordance with t he law” . That framework had not been sufficiently foreseeable and had not satisfied the standard 100 required by the Article 8(2) case law in the national security context. However, the IPT also held that, following the disclosures made in the course of th e hearing, the security and intelligence agencies had placed the current arrangements on a sufficiently clear footing and the requirements of Articles 8 and 10 were now satisfied. That latter conclusion is subject to challenge in the ECtHR. 93 SSA 1989 s2(2)(a). 94 - 19. Liberty IPT Case, judgment of 5 December 2014, paras 18 95 , (July 2013), para 5. Statement on GCHQ’s alleged interception under PRISM 96 Such a warrant being either: i) a s8(1) warrant; ii) a s8(4) warrant and a certificate and a s16(3) modification (for those within the British Islands); or iii) a s8(4) warrant with a certificate. 97 Liberty IPT Case, judgment of 5 December 2014, para 47. 98 Ibid ., para 48(1). 99 Liberty IPT Case, judgment of 6 February 2015, para 23. 100 5. 20 and 5.35 I address this decision and the principles governing this area of law in more detail at 5.19 - above. 117

124 CHAPTER 6: POWERS AND SAFEGUARDS The IPT also 6.92. considered the use and safeguards applying to data, once it had been received from overseas. The disclosed that security and intelligence agencies information that is covered by a warrant, but cannot be obtained by the UK ame internal rules and safeguards as the same subject to the s Government, are “ categories of content or data, when they are obtained directly by the Intelligence 101 Services as a result of interception under RIPA” . However, the IPT expressed its concern that the same principle would not a pply to 6.93. information requested on the second ground: data that it was not feasible to collect under RIPA. As the Tribunal noted, s16 would not (automatically) apply in those uced cases. In its December judgement, the IPT directed that “ there ought to be introd 102 addressing this issue. a procedure” The Tribunal’s judgment in February stated that equivalent safeguards are now in place for material that may be obtained via that 103 second route. The Tribunal also considered the nature and operation of confidentia l procedures 6.94. below the waterline governing the use of data “ ” that it considered were adequately 104 signposted “ ” by the disclosures and by other material already in the public domain. 105 d, and but the IPT disagree The Claimants argued that that practice was improper the issue is now before the ECtHR. territorial reach of RIPA - Extra 6.95. It is increasingly common that content and communications data are located outside the but not in the possession of a foreign state or its security and intelligence UK in the possession of overseas service . agencies st commonly that material is Mo provider s, presenting unique jurisdictional challenges when UK law enforcement 4 seeks to address that s DRIPA 2014 age ncies wish to gain access to those data. 106 problem by spelling out the e xtraterritorial effect of RIPA ss11, 12 and 22. 6.96. In respect of interception warrants, under RIPA s11(4), any person is obliged to take steps to give effect to a warrant served on them “ whether or not the person is in the . That person is not required to take steps which “ it is not reasonably United Kingdom” , and consideration will be given to the requirements or practicable for him to take” restrictions under the law of the country or territory in which he resides (s11(5A)). However, if a person “ knowing ly fails to comply” with these duties, they may be guilty UK of an offence (s11(7)). E nforcement , including persons outside of the , may be effected through the civil courts. r 6.97. RIPA s12 is also amended by DRIPA 2014 so that the Secretary of State can by orde impose an obligation on a person, whether or not that person is within the , who is UK providing public postal services or public telecommunications services to secure that 101 Liberty IPT Case, judgment of 5 December 2014, para 47. 102 Ibid. , para 53. 103 Liberty IPT Case, judgment of 6 February 2015, paras 24 - 32. 104 Liberty IPT Case, judgment of 5 December 2014, para 50(i). 105 Ibid ., para 49(i). 106 ns of RIPA already The Government’s position, which not everyone accepts, is that the relevant sectio had extraterritorial effect. 118

125 CHAPTER 6: POWERS AND SAFEGUARDS ed requirements to provide assistance in relation to interception warrants are compli with. For communications data, RIPA ss22(5A) (5B) state that an authorisation or a 6.98. - requirement in accordance with a notice may relate to conduct outside the UK and may be given to a person outside the UK. Under s22(6), it shall be the duty of the ice provider “ whether or not the operator is in the United Kingdom” serv to comply with the requirements of any notice given to him under s4, so long as “ reasonably (s22(7)), although unlike interception there is no requirement to consider practicable” the rest rictions of the law of the territory in which that person operates. The duty can be imposed, including on those outside the UK , by civil proceedings for an injunction or for specific performance of a statutory duty (s22(8)). In practical terms, the UK ide to prov Go vernment has assert ed its right to order overseas service providers otice is served on them. communications data when a n Whether or not the UK Government could enforce these obligations in relation to 6.99. service providers has not yet been tested and there remain some overseas service providers who do not consider they are bound by RIPA. As a matter of practice, such cooperation as is forthcoming from overseas CSPs comes from informal requests for assistance. Oversight The IOCC The 6.100. office of IOCC is constituted under RIPA to keep under review the exercise and unctions performance by the Secretary of State and other public authorities of their f 107 The IOCC must hold, or have held, high judicial office. The under RIPA Part I . current Commissioner is Sir Anthony May, a former judge of the Court of Appeal. He reports to the Prime Minister, who lays that report before Parliament, every six 108 months. The IOCC holds the public authorities that exercise RIPA powers to account, and 6.101. e (and public confidence) by means of scrutiny. H e selects seeks to improve complianc 109 , and assesses their necessity and proportionality. and reviews a sample of warrants He also reviews errors public authori ties , identifies further that have been identified by He cannot and assesses any mitigating steps that have been put in place. errors disclose the details of any individual warrant or communications data acquisition but a part of his role is to examine how RIPA powers are being used, whether they are b eing monthly reports to the draw the fact to publi c attention in his six abused and if so to - Prime Ministe r (which are laid before Parliament). 107 RIPA s57. Other commissioners include the ISCommr, who has an equivalent role, and the Surveillance Commissioner: see 6.22 above. 108 RIPA s58(4). 109 For a discussion of the IOCC’s query based sampling me thod see IOCC Report , (March 2015), paras 6.54 6.59. - 119

126 CHAPTER 6: POWERS AND SAFEGUARDS 6.102. IOCCO has in recent years under successive Commissioners and the Head of IOCCO, Joanna Cavan, built up formidable expertise in the nuts a nd bolts of interception, to add to its longer experience of communications data. By way of illustration: IOCCO employs nine experienced and technically skilled inspectors, many with (a) vation a police or intelligence background, who were given access without reser not only to all the material they requested but to the Agencies’ own systems and that assists each to the processes of the warrant granting department [WGD] relevant Secretary of State. Similar access is also granted to each public authority that i s entitled to acquire communications data under RIPA Part I Chapter 2. The Commissioner’s latest report sets out the manner in which IOCCO (b) inspected every aspect of the interception process, from compliance with the Interception Code and the previous nications Data Code to the actual Commu application of individual selection criteria, the retention, storage and destruction of intercepted material, security and administrative safeguards and audit checks 110 carried out by the Agencies. (c) These inspections are by n o means whitewashing exercises. Three significant caveats were set out in the published report concerning the period up to the end 111 of 2014 and subsequently investigated; more than 400 recommendations were made to public authorities; the necessity and pro portionality of some interceptions was challenged and a total of 69 recommendations were made to the nine interception agencies in relation to pre - authorisation or authentication processes, the enhancement of retrospective audits and a more explicit role f or 112 the Commissioner in the audit process. 6.103. There are constraints (not least in RIPA itself) on the transparency that is possible in this area. It is also unfortunate that the IOCC’s reports do not receive more widespread publicity, whether because of thei r technical nature or the sense that the Commissioner and his staff are more interested in doing an excellent job than in 113 gaining publicity for it. But having spoken in depth to IOCCO, and reviewed a ent countries, I would comment number of reports of similar review bodies from differ that they are a model of their kind. 6.104. As set out above, in March 2015, the IOCC agreed formally to oversee directions under T A 1984 s94, a task which he anticipated would require “ extra staff (and possibly 114 technical faciliti ”. The ISCommr oversees the exercise by the Agencies of their es) ISA 1994 and SSA 1989 powers, as set out above. However, there is no entity appointed to oversee access to communications data under any of the myriad routes 110 IOCC Report , (March 2015), chapter 6. 111 Ibid., para 6.35. 112 Ibid., paras 1.9, 6.39 - 6.40, 6.69 - 6.70. 113 Though IOCCO has a twitter feed (@iocco_oversight), on which it has shown itself willing to engage informally with critics and sceptics; and an impressive list of public engagements is given in its March 2015 report at para 3.4. 114 , (March 2015), para 10.4. IOCC Report 120

127 CHAPTER 6: POWERS AND SAFEGUARDS Annex 6 ort , and IOCCO cannot and does not review that process. to this Rep set out in As a result, there is far less transparen cy concerning those processes. The Investigatory Powers Tribunal The IPT hears complaints about conduct in connection with the interception of 6.105. communications and gathering of communications data (by all authorities, not just the 115 security and intelligence agencies It also has jurisdiction to determine complaints ). under HRA 1998 s7 in respect of the actions of the security and intelligence 116 . agencies is established under RIPA , but its role and remit goes beyond it. The IPT years after its establishment in October 20 6.106. For some 00, and despite its distinguished membership, the IPT was a little . Its rules prohibited the holding of public known body - hearings, and p ublic judgments were rare. Its profile as a robust scrutiny mechanism , 673 complaints determined by the end of was not assisted by the fact that out of the 1 – five of them involving members of the same family, and 2013, only 10 were upheld 117 ainst the security and intelligence agencies . This is none of them ag not a criticism of the IPT, whose members are drawn from the upper reaches of the judiciary and legal profession . But coupled with the opaque procedures provided for in the IPT’s rules, it did not pr omote public confidence in, or even knowledge of, the institution. 6.107. The IPT’s journey out of the shadows began in January 2003, when it authorised its first open hearing (in a complaint concerning a possible RIPA Article 8(1) warrant), 118 notwithstanding the r ule that its proceedings had to be conducted in private. Other rules (concerning restrictions on disclosure and evidence, secrecy of proceedings and - the non provision of reasons to unsuccessful complainants) continued to be contested as contrary to the p rinciple of equality of arms, guaranteed by Article 6 of the ECHR. ECtHR concluded that the procedures Kennedy judgment of May 2010, the But in its of the IPT did not violate Article 6. It emphasised, in doing so: by those complaining about “the breadth of access to the IPT enjoyed interception within the United Kingdom and the absence of any evidential 119 burden to be overcome in order to lodge an application with the IPT.” The European Court thereby accepted that once general legal issues have been ned in public, any consideration of the specific facts of the case will take place determi 120 in private and without the participation of the complainant. rior to the Snowden revelations, the IPT had in 6.108. Even p rul ed British Irish Rights Watch in an open judgment that the provisions for intercepting and accessing material 115 RIPA s65(5). 116 RIPA s65(2)(a). 117 Interception of Communications Commiss ioner Annual Report 2013; subsequent figures on IPT website. According to the IPT’s website, around half of the complaints received in recent years have been adjudged “ frivolous or vexatious ” under RIPA s67(4): http://www.ipt - uk.com/section.aspx?pageid=5 . 118 IPT/01/62 and IPT/01/77 Kennedy , ruling of 23 January 2003. The hearing, on issues of legal principle, was held in July 2004: IPT/01/62, ruling of 9 December 2004. 119 Application no. 26839/05 Kennedy v United Kingdom , Judgment of 18 May 2010, para 190. 120 , para 98. Ibid. 121

128 CHAPTER 6: POWERS AND SAFEGUARDS covered by a RIPA s8(4) warrant were sufficiently accessible and foreseeable to be in 121 accordance with the law. After 2013, a number of NGOs and individual brought claims to the IPT seeking 6.109. onsideration of the legality of elements of the investigatory powers regime. detailed c There were several open hearings in 2014, one of which lasted five days, at which what the Tribunal itself had described as “ the clarifying and collaborative value of adversarial oral argument ” was on public display. Sustained pressure from NGOs, concerned individuals and their advocates has led both to significant disclosures from security and intelligence agencies and to the uncovering of unlawfulness. In particular, and in rec ent weeks: (a) The IPT ruled for the first time against the security and intelligence agencies on 6 February 2015, stating that prior to disclosures made during 2014, the regime governing the treatment in the UK of data obtained by the US pursuant to the Prism programme was not in accordance with the law, as required by Articles 8 and 10 122 of the ECHR. A Code of Practice governing CNE was released on the same day, against the (b) Privacy International challenge to the use of CNE. background of the The agencies conce (c) ded on 18 February that their policies and procedures relating to legal professional privilege had not accorded with human rights standards. 6.110. The IPT so confirmed in its Belhadj judgment of 29 Apri l 2015, in the first judgment to find in favour of an indivi dual against the security and intelligence agencies. 6.111. The IPT’s procedure is different from an ordinary court procedure in a number of ways: Proceedings may on occasion be held in closed session without reporters and (a) without the person who is raising the co mplaint attending the hearing. Alternatively, part of the hearing may be held in open and other parts in 123 closed. (b) ’s decisions are normally only that it has made a determination in favour The IPT of, or against, the person complaining. The reasons for or explanation of the 124 decision are not normally given. 125 There is no right of appeal agai nst the IPT ’s decisions. (c) (d) The IPT is not a “ senior court ” that has the power to declare an Act of Parliament incompatibl e with the ECHR, pursuant to HRA 1998 s4 . 121 IPT/01/77, 9 December 2004. 122 [2015] UKIPTrib 13 77 - H. 123 In practice, many complaints to the IPT do not result in a hearing but are disposed of on the papers. 124 The Tribunal has expressed doubts as to its capacity to grant relief (in the absence of undertakings) where there has been no determination in favour of a Claimant: Belhadj IPT Case, judgment of 29 April 2015, para 24(viii). 125 68. - RIPA ss65 122

129 CHAPTER 6: POWERS AND SAFEGUARDS has the power to appoint a counsel to the Tribunal, who may hear the (e) The IPT closed evidence and argue the case on behalf of the ‘privacy’ interests in issue. That stands in contrast to the special advocate regime in place for the Special 126 Immigration Appeals Cour t. The Intelligence and Security Committee 6.112. The ISC is, as the name suggests, the parliamentary body tasked with providing security and intelligence agencies oversight of the use of investigatory powers by the ). It though not by other public authorities ( is a cross - party Committee, and its members 127 are drawn from both the House of Commons and the House of Lords. 128 This . 6.113. It was recently reformed by the Justice and Security Act 2013 [JSA 2013] made the ISC a full committee of Parliament for the first time, granted the ISC the freedom to choose its own chair, gave it greater powers and increased its remit. It now oversees the operational activity and wider intelligence and security activities of the Government. However, it is not responsible for reviewing o ngoing and current operations being conducted by the agencies. The ISC’s reports are submitted in the first place to the Prime Minister, who may redact any matters he considers should not be published. 126 On the role of the counsel to the tribunal, see the Liberty IPT Case, judgment of 5 December 2014, paras 8 - 10. 127 JSA 2013 s1(2). 128 e dule 1. Sections 1 - 4 and Sch 123

130 7. PRACTICE Sources and scope T his C hapter descri bes h ow the powers outlined in C hapter 6 are used. 7.1. In relation to intercept ion , it is based on written evidence provided by service providers 7.2. and from each of the nine public authorities that are empowered to intercept communications. It is also based on ora l evidence I received in the course of visits to each of the security and intelligence agencies , the NCA, MPS and the PSNI . I have also seen the highly classified material made available to the ISC for its parallel 1 the confidential reporting to the Prime Minister by enquiry into privacy and security, the IOCC and the ISCommr and closed material given by the Government to the IPT 2 in the Liberty IPT Case. 7.3. A s to communications data, this C hapter is based in addition on written evidence from the police lead on communications data in England and Wales, Police Scotland, the Department of Work and Pensions [DWP] , the Local Government Association [LGA] and a number of other bodies that are empowered to obtain communications data. I received evidence from Royal M ail, whose powers to obtain such data has now been removed and from the Magistrates’ Association. The Communications Data Strategy CSPs, held a special extended UK Group, a joint group of law enforcement and meeting for me at which I heard the views of CS Ps and law enforcement representatives. I also visited NAFN in Tameside, and spoke to Gloucestershire and Nottinghamshire Police. The evidence I received from the public authorities that use intercept ion 7.4. and communications data is mostly classified, sin ce it sets out their operational needs and methods, and cannot be published. But I have seen and been able to discuss with security and intelligence agencies and other bodies some of their most sensitive capabilities and believe that I have a fair underst anding of how they use the powers available to them. 7.5. Other types of investigatory powers (e.g. directed and covert surveillance and use of CHIS) fall outside the scope of this Review . But they are not so easy to separate out 3 by a recent GCHQ publication, information from a in practice: as demonstrated variety of sources must often be pieced together to achieve a comprehensive picture. The Snowden Documents Leaks of the Snowden Documents began to emerge in 2013 and continue to this day. 7.6. Many of the publi shed documents and slides refer specifically to GCHQ. The 1 The results of which are set out in the ISC Privacy and Security Report. 2 Though for t he past two years, there have been no confidenti al parts to the reports by the IOCC. 3 “How does an analyst catch a terrorist?”, an admirable (though inevitably limited) example of Agency transparency, which can be found on the GCHQ website: . http://www.gchq.gov.uk/what_we_do/how_does_an_analyst_catch_a_terrorist/Pages/index.aspx 124

131 CHAPTER 7: PRACTICE highly classified UK intelligence Government has stated that at least 58,000 “ 4 ” were among the documents stolen. documents The principal allegations broadly concern: 7.7. Bulk collection of internet and international communications data; (a) advanced searching of intercepted data; (b) Analytic tools enabling Cooperative relationships between governments and service providers; (c) (d) Methods for CNE; and Intelligence sharing. (e) . Some of these allegations are briefly s Annex 7 to this Report ummarised in 7.8. It is important to note that: The British government has adopted an NCND approach to the allegations (a) contained in the Snowden Documents (other than the PRISM programme, the 5 existence of which has been acknowledged by th e US government). Only a tiny (and not necessarily representative) proportion of the Snowden (b) Documents has been placed in the public domain. The completeness and veracity of what has been revealed is therefore uncertain. Nothing in this 7.9. should be taken as confirmation by me that the Snowden Report Documents (or any of them) give a fair or representative view of the activities of GCHQ. Nor should I be taken to condone the activities of Edward Snowden. 7.10. But I have considered it important to refer to the al legations, because: (a) it would be entirely artificial, and corrode public confidence in this Review , to proceed as if the disclosures had never been made or could be politely ignored; and because (b) whether or not a true and fair picture is given by the limite d selection of published documents and slides, it is clearly prudent to construct a regulatory system on the basis that programmes of the type described in these documents either exist or might in the future do so. 4 Deputy National Security Adviser Oliver Robbins, cited in “David Miranda row: Seized files endanger ‘agents’”, BBC web site, 30 August 2013. 5 As can be seen from the Charles Farr Statement, para 41. 125

132 CHAPTER 7: PRACTICE Interception The uses of interception I nterception powers are summarised at 6.3 - 6.5, 6.10 - 6.15 and 6.34 - 6.59 7.11. above. Information on the use of interception powers is published each year in reports by the ent, the Director General of OSCT set out the IOCC. In the Charles Farr Statem - Government’s view of the importance of intelligence obtained through interception: “Intelligence [from interception] has led directly to the prevention of terrorist attacks and serious crime, the success of operations aimed at countering the proliferation of weapons o f mass destruction and the saving of lives. Overall, RIPA interception is a critical tool in investigations into the full range of threats to national security.” 7.12. Many of the organisations empowered to use interception stressed to me its success of their work. For example: importance to the (a) MI5 said that interception was “ a critical part of [their] toolkit ” used in a “ sizeable proportion ” of its recent investigations. “ In the majority of the operations in which it is used, interception of electronic commu nications provides unique intelligence which would be extremely hard, if not impossible to replicate 6 ”. In 2013 this was estimated to be 15 through use of other sources - 20% of the 7 total intelligence picture in counter - terrorism investigations. is a key tool in the disruption of the “ (b) The NCA to ld me that intercepted material most significant High Priority and Priority serious and organised criminals and their groups in the UK For some areas of NCA activity ... there are no . ... 8 ing ... interception In 2013 - 14, interception played practical alternatives to us ”. a critical role in investigations that resulted in: Over 2 ,  200 arrests;  Over 750kg of heroin and 2 , 000kg of cocaine seized;  Over 140 firearms seized; and 9 Over £20 seized. ,000,000  (c) t intercept ed material may be useful in other Police impressed upon me tha types of cases, ranging from corruption investigations to domestic murder. 6 Evidence to the Review dated 1 October 2014. 7 Home Office evidence to the Review October 2014. 8 Evidence to the Review dated 2 October 2014. 9 14 repeated in Home Office evidence to the Review October 2014. - NCA performance data 2 013 126

133 CHAPTER 7: PRACTICE (controversially, in in the intercept ed material , This is notwithstanding the fact that UK 10 dence in criminal proceedings. the eyes of some) is not admissible as evi None of this is surprising: but it should not be assumed that intercept ion is of universal 7.13. utility. The chief terrorism investigator in the French judicial system said, of the Kouachi brothers who perpetrated the 2015 Charl The phone ie Hebdo shootings: “ 11 ” Senior officers at tapping yielded nothing. ... No one talks on the phone anymore. PSNI Scotland Yard and the confirmed to me that there are hardened terrorists and organised criminals so security - aware that listening to their communications brings little reward. Interception of known individuals 12 , 795 in 2014) are made under RIPA 7.14. The vast majority of RIPA warrants issued (2 s . These are sometimes wrongly thought to deal only with internal 8(1) communications i.e. those wh ose sender and recipient are in the “ British Islands ”. In fact a s8(1) warrant may apply to all the communications of those named in the warrant. The use in principle of this form of interception, when targeted at individuals sufficient to make out a case for a personalised about whom there are grounds warrant, did not attract significant criticism from civil society groups or others who 13 spoke to me. 7.15. The question of “ thematic warrants” , avowed by the ISC in February 2015 in the ISC Privacy and Security Report, was not addressed by those submissions, although I am aware that some may have concerns about such an interpretation of RIPA. the very 8(1) warrants in place at the end of 2014, of which “ 585 s 7.16. There were 1 , 14 significant majority However: fic individual. ” related to a speci Where there is recognisable group of persons whose communications are to (a) even if not every be targeted, it is permitted to include them all in one warrant . These “ s” member of the group can be identified in advance thematic warrant were viewed warily by the ISC, which wished them to be used sparingly and to 15 be issued for a shorter duration than other warrants. (b) It is also possible that a single target might be subject to more than one ion warrant. intercept Accordingly, the number of warrants in place does not correspond to the number of individuals or investigations concerned. 10 Intercept as Evidence , (Cm 8989), (December 2014). A report by a Committee of Privy Counsellors led by Sir John Chilcott is the latest to recommend that arguments for change are not ye t compelling. That - report lists a further seven since 1993 which have reached the same conclusion. See also 9.16 9.18. 11 Marc Trévidic, quoted in “Gaps in France’s surveillance are clear; solutions aren’t”, New York Times website, 17 February 2015. 12 Statistics on interception warrants are taken from IOCC Report , (March 2015). 13 There was however criticism of the fact that warrants are issued by the Secretary of State rather than an independent figure, and of the potentially wide definition of “ natio nal security ”. 14 ISC Privacy and Security Report, para 42. 15 - 74. IS C Privacy and Security Report, C onclusion D. Cf. IOCC Report , (March 2015), 6.71 127

134 CHAPTER 7: PRACTICE Of the warrants issued in 2014: 7.17. 68% were issued on serious crime grounds, (a) (b) 31% were issued on national security grounds (which many of which would include terrorist investigations), and (c) 1% were issu ed on a combination of grounds. 7.18. Some recent examples of the use of interception in the criminal sphere were published 16 in December 2014, as part of the review of intercept ed material as evidence. They relate to the importation of Class A drugs, the supply and distribution of firearms, conflict between organised crime groups, money - laundering and fraud. They are . reproduced at Annex 8 to this Report The Secretary of State for Defence gives the authority for interception by MoD under 7.19. s8(1) warrant s . This is a limited activity. The MoD conducts interception in the UK, targeted at its own communication, to enable equipment development and training for use in military operations. Material intercepted as part of a training activity is treated in accordance with RIPA s15 and deleted when it is no longer necessary or propo rtionate to retain it. Interception in the UK authorised by the Secretary of State for Defence may very rarely be needed to meet current military intelligence requirements. Bulk interception 7.20. Bulk interception by GCHQ is used to support Government activiti es in the fields of terrorism. - foreign affairs, defence, including cyber defence, serious crime and counter 17 The legal It contributes to about 55% of the intelligence reports GCHQ produces. safegua framework in which GCHQ operates and the re summarised applicable rds a hapter 6: for a fuller treatment, the reader is referred to the very recent reports of in C 18 19 and IOCCO. the ISC A bulk warrant under RIPA s8(4) is targeted at a telecommunications system and 7.21. therefore, in effect, targets communications bear ers rather than specific, individual communications. There were 20 s8(4) warrants in place at the end of 2014. Interception under the WTA 2006 targets standalone communication systems such as those that may support military systems an d private radio comm unications. 16 Intercept as Evidence . 17 Evidence from GCHQ, April 2015. 18 ISC Privacy and Security Report, chapters 4 and 5. 19 IOCC Report IOCC Report (March 2015), chapter 6. There is also fuller detail in the , (April 2014), sections 3 and 6. 128

135 CHAPTER 7: PRACTICE The uses of bulk collection 7.22. The major use of communications collected in bulk is to detect or improve knowledge of threats to national security, which can then be subject to targeted examination. As the ISC put it: n capability is used primarily to find patterns in, or “GCHQ’s bulk interceptio characteristics of, online communications which indicate involvement in threats to national security. The people involved in those communications are sometimes already known, in which case valuable ex tra intelligence may be obtained (e.g. a new person in a terrorist network, a new location to be monitored, or a new selector to be targeted). In other cases, it exposes previously unknown individuals or plots that threaten our security which would 20 herwise be detected.” not ot target discovery ” described in the last sentence was particularly The importance of the “ stressed to me by GCHQ. 7.23. This does not mean that suspicion plays no part in the selection of communication channels for interception, or in the d esign of the searches that are conducted on the collected material. Indeed the contrary is true: (a) For reasons of resource constraint as well as proportionality, GCHQ considers carefully what communications channels it seeks to intercept and makes the case to the Foreign Secretary as part of the preparation for a bulk warrant . issued under RIPA s 8(4) (b) The selection of targets whose communications are examined by agency analysts is controlled through an internal process which creates a permanent auditable rec ord. (c) The analyst must show the target to be relevant to the requirements set out in 21 the certificate which accompanies a s8(4) warrant, in effect one or more of the Government’s PIC, and to meet a statutory intelligence gathering purpose, e.g. the intere sts of national security. (d) The analyst must also demonstrate proportionality, typically by assessing the relevance of the communications to the intelligence requirement identified. Possible collateral intrusion is considered, for example the likelihood that a domestic fixed telephone line will have more users than the immediate target’s email account. 20 ISC Privacy and Security Report, para 90. See, further, 14. 43 below. 21 The ISC has recommended that the certificate be published, ISC Privacy and Se curity Report, C onclusion N. See 14.75 and Recommendation 43(b) below. 129

136 CHAPTER 7: PRACTICE The ISC noted in March 2015: 7.24. “We were surprised to discover that the primary value to GCHQ of bulk cations, but in the interception was not in the actual content of communi 22 information associated with those communications.” By “ the information associated with those communications ”, the ISC was referring to related communications data both “ - ” as defined in RIPA, and also to other content derived information , relating for example to the characteristics of a communication, which is treated as content for the purposes of the law. This might for example be another email address used by a subject of interest. 7.25. GCHQ explained that its bulk access capabilities are the critical enabler for the cyber defence of the UK, providing the vast majority of all reporting on cyber threats and the basis for counter - activity. In a recent two week period bulk access provided visibility - ns. Bulk access is also the only means to GCHQ of 96 distinct cyber attack campaig by which GCHQ can obtain the information it needs to develop effective responses to 23 these attacks. 7.26. GCHQ provided case studies to the ISC in order to demonstrate the effectiveness of its bulk interception capabilitie s. I have been provided with the same case studies and with other detailed examples, on which I have had the opportunity to interrogate GCHQ analysts at length and by reference to detailed intelligence reports based on the analysis of bulk data. They lea ve me in not the slightest doubt that bulk interception, as it is currently practised, has a valuable role to play in protecting national security. It does not of course follow that it is necessarily proportionate, which is for the courts to decide. I re to this topic at 14.39 - 14.55 below. turn 7.27. There are limits to what the public will (or should) take on trust. It is unfortunate, therefore, that the examples which the ISC gave to demonstrate the effectiveness of o be redacted from the open version of its GCHQ’s bulk interception capabilities had t 24 The six outline examples at Annex 9 to this Report report. go a little way towards remedying that defect. They illustrate the utility of bulk data capabilities more y unknown perpetrators of suspicious generally, particularly to identify previousl activity . Interception capability and capacity 7.28. The Government has established a “ national authority ” for interception: the National Technical Assistance Centre [ NTAC ], which since 2006 is part of GCHQ. This was set up in 1999 by the Home Office, in the first place to assist law enforcement in the face of rapid technological change. It now supports all of the intercep ting agencies, other than the Mo D. About half of its funding still comes from the Home Office, and its work includes developing interception capabilities and infrastructure which are 22 ISC Privacy and Security Report, para 80. 23 Evidence from GCHQ, April 2015. 24 Ibid. , paras 82 - 89. 130

137 CHAPTER 7: PRACTICE made available to the intercepting agencies. It interfaces directly with service providers. GCHQ is responsible for developing NTAC’s bulk interception and CNE capabilities. 7.29. 7.30. Implementing a s8(1) warrant generally relies on the cooperation of service providers, acting typically in response to a direction from the Government under RIPA s12. A copy of the intercepted communication is passed by the companies to the intercepting agencies who examine it using their own staff and facilities. External communications may be obtained under a s8(4) warrant either directly by GCHQ, using its own capabilities, or through a service provider. Part of NTAC's role is to ensure that the s of intercepting agencies can be addressed using the best available techniques, need avoiding duplication of effort amongst the intercepting agencies whilst able to protect sensitive techniques that might be compromised by over - use. In contrast to the position 7.31. where communications data is concerned, there has been little discussion in recent years of the impact of technological developments on the feasibility of interception once it has been approved under warrant. Partly this reflects the sensitivity of the t echniques used and the concern not to expose any weaknesses in them. Partly it reflects the continuing ability of the intercepting agencies, working with the service providers, to maintain access to communications channels. Nevertheless, the intercepting agencies acknowledge that the growth in the use of powerful encryption techniques, and their widespread availability from service providers or to individual users, undermines the historically high levels of probability that targets of interception identif ied in a warrant or Secretary of State’s certificate will be able to be fully examined. A further powerful inhibitor on the ability to secure intercept ed material is the increasing tendency to communicate using internet - based OTT applications, which are o perated from overseas by companies which store data 11.25 below. - 6.99 above and 11.10 outside the UK. This is discussed at 6.95 - Secretaries of State and WGDs There are 18 Secretaries of State, all of whom may in theory issue warrants. In 7.32. practice, other than in urgent cases when the usual Minister is unavailable, the Home Secretary deals with all warrants in Great Britain for MI5, the NCA, and HMRC MPS and any national security warrants from Police Scotland; the Secretary of State for ls with applications in Northern Ireland and the Foreign Secretary Northern Ireland dea deals with GCHQ and MI6 warrants. The Secretary of State for Defence d eals with the small number of Mo D warrants. These Secretaries of State also cover for each other’s absence. The Cabi net Secretary for Justice in the Scottish Government deals with Police Scotland’s applications to intercept in serious crime cases. 7.33. The Home Secretary has said that warrantry decisions occupy “ more of my time...than 25 ”. anything else She dealt wit h the great majority of over 2 , 700 RIPA warrants that were handled by the Home Office in 2014 personally authorising 2,345 interception , and property warrants and renewals during that year. 25 Mansion House speech, 24 June 2014. 131

138 CHAPTER 7: PRACTICE Before they consider a warrant, Secretaries of State receive advice from civil servants 7.34. eper in the WGDs. The WGDs have what IOCCO has called a “ guardian and gateke 26 role ”. The majority of warrants are considered by the Home Office, in which the National Security Unit headed by a senior civil servant with 14 staff, provides round - the clock support to the Home Secretary, and any other Secretary of State who is - co nsidering a warrant in her absence. The equivalent unit in the FCO the Intelligence Policy Department, is also headed by a senior civil servant and has two staff who support the warrant process and four more who may be involved from time to time. The Nor thern Ireland Office and Scottish Government have similar staff. Though - subordinate to the approving Ministers, these are all independent of the warrant seeking agency. They ensure that legal and policy advice on the warrant is taken where needed and tha t the warranty process is properly managed, including arranging, where justified, for the urgency procedures to be followed. Handling of intercept material ed There are restrictions on the dissemination of intercept ed material. These are set out 7.35. in RIPA, s s15, 16 and 19, the Interception Code and in detailed arrangements drawn up for each intercepting agency and approved by the Secretary of State. Where possible only a summary and not the detail of intercepted communication should be disseminated. Interce pted material will often inform an intelligence report; but the raw material will be shared with as few people as possible. 7.36. Because intercepted material cannot be used in evidence, there is generally no need for it to be retained by the intercepting agency once its immediate use in providing a intelligence is fulfilled. It is therefore destroyed at the end of the retention period , 27 There are number of grounds, largely concerned with process overseen by IOCCO. oversight and audit , rial can be retained for longer than the on which intercepted mate 28 standard period. 26 IOCC Report , (March 2015), para 6.4 8. 27 IOCC Report , (March 2015), paras 6.60 - 6.65. 28 These include: o if the intercepted material continues to be, or is likely to become, necessary for any of the purposes set – namely, in the interests of national security, for the pur out in RIPA s5(3) pose of preventing or detecting serious crime, for the purpose of safeguarding the economic wellbeing of the UK; o if the intercepted material is necessary for facilitating the carrying out of the functions of the Secretary of State under RIPA Part I Chapte r 1; o if the intercepted material is necessary for facilitating the carrying out of any functions of the IOCC or the IPT; o if the intercepted material is necessary to ensure that a person conducting a criminal prosecution has the information he needs to de termine what is required of him by his duty to secure the fairness of the prosecution; o if the intercepted material is necessary for the performance of any duty imposed by the Public Record Acts. 132

139 CHAPTER 7: PRACTICE Communications data The law relating to communications data is summarised at 6.6 - 6.8, 6.18 - 6.21 and 7.37. 6.99 above . This section explains how in practice it is obtained, treated and - 6.95 used. ion and Acquisition of communications data Retent 7.38. Communications data are produced and collected by service providers. Under data protection legislation, any personal data relating to their customers should be deleted as soon as it is no longer needed for their 2014 business purposes. However, DRIPA s1(1) grants the Secretary of State the p ower to issue a data retention n otice to a service provider, requiring them to retain communications data, even if it is not (or was never) needed by the service provider. Be ch a n otice is given, the Secretary fore su 29 of State must take reasonable steps to consult with the service provider. 7.39. When an investigating body wishes to secure access to those communications data, it will either authorise a person within the public aut hority to access the material or 30 n uthorisation provides for an individual within An a issue a otice to a service provider. a public authority to obtain communications data. They are granted where a service provider is not capable of obtaining or disclosi ng communications data, where there is a pre - existing agreement in place with the service provider for disclosure or where 31 uthorisation An a it is not yet clear which service provider (if any) holds the data. is usually granted to a SPoC: they are most co mmonly used to access data via an 32 automated system. 7.40. A n otice is served on a service provider asking it to disclose specified communications 33 data. Notices are typically served in cases where a service provider has not already been served with a data rete ntion n otice and there is no existing data acquisition framework. That is most likely to be the case with smaller service providers in the UK often test s and with the overseas service providers. Overseas service provider whether they wish to comply with otice by reference to their company practices n a turn to the s e issue s at and the laws of the jurisdiction in which the data is kept. I re - 14.59 and 14.78 - 14.86 below. 14.58 34 Authorisations and notices are valid for a month, but may be renewed. 7.41. They should 35 be cancelled as soon as they are no longer needed. Authorising access to communications data 7.42. The mechanisms by which access to retained communications data may be authorised were set out at 6.64 - 6.70 above . For all but local authorities this is an 29 Retention Code, para 3.9. 30 Acquisition Code, para 3.2. 31 Ibid., para 3.35. 32 Ibid. , para 3.35. These are known in the Code as “ Secure auditable communications data acquisition systems ”. 33 Ibid. , para 3.43. 34 Ibid. , paras 3.51 - 57. 35 - 64. Ibid., paras 3.58 133

140 CHAPTER 7: PRACTICE 36 rnal process with the input of a and final sign - off by a DP. SPoC Following the inte judgment the requirement that the DP be independent of the Digital Rights Ireland investigation has been emphasised. It can be waived in cases, which must be explained to th e IOCC, where the authority has only a small criminal investigation department or where there are ongoing operations or investigations immediately 37 impacting on national security and an independent DP cannot be called upon. The use and impact of communic ations data 7.43. Communications data have become a basic tool in the investigator’s armoury. There were 517,236 RIPA notices and authorisations, excluding urgent oral authorisations, in 2014, of which some 89% were issued by law enforcement and 10% by the 38 Agen But there are no statistics which set out the number of investigations in cies. 39 which it is used, or the number of people whose data were examined. Communications data and intelligence MI5 explained to me that communications data allows it to be able t o build a picture 7.44. of a subject of interest’s activities, and is extremely important in providing leads. It - terrorist operation MI5 has run in the past has had a significant role in every counter 40 One of the advan decade. tages they identified was that a lysis of communications na data is a relatively speedy technique that allows targets to be identified for further work but may also help to determine that someone is of no further intelligence interest. For example, it may show that someone’s contacts with a suspect are entirely innocent. 7.45. GCHQ makes extensive use of communications data to develop its intelligence picture, though much of its data is obtained as a by - product of its bulk interception of content: see above. 7.22 7.46. which the Agencies make use of communications The ISC summarised the manner in data thus: “CD [communications data] is central to most Agency investigations. It is used to develop intelligence leads, to help focus on individuals who may pose a n is properly targeted ... and to threat to the UK, to ensure that interceptio illuminate networks and associations relatively quickly. It can be particularly useful in the early stages, when the Agencies have to be able to determine whether those associating with the target are connected to the plo t (and therefore require further investigation) or are innocent bystanders. GCHQ have established that they can analyse CD to find patterns in it that reflect particular online behaviours that are associated with activities such as attack planning, 41 establish links.” and to 36 , section 3. Ibid. 37 Ibid., para 3.13. 38 IOCC R eport , March 2015, Annex B. 39 Ibid., paras 7.29 - 31 set out the difficulties in establishing this information . 40 Evidence to the Review dated 1 October 2014. 41 ISC Privacy and Security Report, para 130. 134

141 CHAPTER 7: PRACTICE Communications data and crime fighting Communications data is used in the investigation of 90% of all serious crime, helping 7.47. to establish who was (and was not) involved, with whom they acted and when and 42 ories of crime, such as online crime, could not be where they did so. Some categ - investigated without it. In these cases they also provide an opportunity for law enforcement to be proactive, looking for suspects, rather than waiting until a crime e. That can contribute to the avoidance of has been committed and a complaint mad harm rather than the crime solely being investigated afterwards. I am informed that communications data also play an increasing role across the range of criminal and icture of the utility of communications missing persons investigations. A detailed p - 9.32 below. enforcement is at 9.21 data in law One particularly controversial aspect of communications data use is the compulsory 7.48. retention by service providers of data, now enshrined in DRIPA 2014. Retained data ovides information about conduct in the past, often before a suspect is identified. It pr is frequently relied on to piece together conspiracies and associations between groups of criminals. retained 10 to this Report are a number of examples of the use of Annex 7.49. At 43 communications data in the UK that were published by the European Commission. The full document contains other examples of the use of retained communications data in other EU countries. 7.50. used, the police To understand and explain fully how communications data was carried out a detailed survey over two weeks in 2012 of the requests for 44 communications data made by 62 law enforcement agencies nationally. There is no reason think that this is an untypical period or that the results would today be si gnificantly different. The major outcomes of that survey were: Almost Communications data were requested for a very wide range of crimes. (a) a quarter of requests related to drug offences, but no other crime took up more than 11% of the total. A graphic re presentation of the crime types involved is Annex 11 at to this Report . 28 % of data requests concerned people who were not suspects: 18% were victims. (b) Almost a quarter of requests related to threat to life, an immediate risk or urgent operational necessit Annex 12 y in relation to serious crime or national security: to this Report. (c) 28% of all requests were for data over three months old. Older data was relied on particularly frequently in serious cases. 37% of data requests relating to sexual offences, 27 % relating to terrorism, 11% relating to drugs, 5% relating 42 Evidence of the NCA to the Review. See also the range of uses of communications data highlighted in IOCC Report , March 2015, at 7.65 and 7.67. 43 DG Home European Commission, Evidence for necessity of data retention in the EU (March 2013), found at : http://ec.europa.eu/dgs/home - affairs/pdf/policies/police_cooperation/evidence_en.pdf . 44 Evidence to the Review from the National Policing Lead for Communications Data, September 2014. 135

142 CHAPTER 7: PRACTICE to homicide/attempted murder and 9% relating to firearms and explosives were older than six months. Operation Notarise, a high - 7.51. profile operation coordinated by the NCA offers a good example of the uses to which retained data can be put. It resulted in the arrest of over 600 suspected paedophiles who had been viewing indecent images of children. 3 982 , requests for communications data were made as part of this operation, of which 3 , 646 (92%) were a ble to be resolved to identify a suspect. 336 of those requests were for data more than 12 months old which had not been retained. Difficulties in obtaining data 7.52. Historically there has been a high availability of the communications data that investigators required. Typically the subscriber to a telephone number and the call log that went with it were the information needed; these were also the basis for the service provider to charge their customer. 7.53. The growth of internet - based services over the past twen ty years has transformed that situation. Proliferating methods of communication, the fragmentation of providers, difficulties in attributing communications, changing business models and increasing use of overseas providers have all tended to make data more service 45 difficult to access. 7.54. The consequence is that to obtain the communications data needed for an investigation, even of one individual, a public authority may need to approach several s ing body is therefore of . The expertise of the SPoC in the investigat service provider great significance in making an effective approach to a service provider. SPoCs know the right mix of service providers to approach and whether they are likely to have collected the data necessary to progress the investigation. 7.55. But however skilful their SPoCs, law enforcement bodies frequently complain of reduced access to communications data. This has led to pressure from law enforcement for legislation requiring service providers to retain more data (as in the ions Data Bill of 2012), and also for action to facilitate the recovery draft Communicat of data from overseas providers (as in DRIPA 2014 s4, and pursuant to the initiatives that Sir Nigel Sheinwald was appointed to explore) 14 .23 - . I return to this subject at 14.28 and 14 .58 - 14.59 below. Use of communications data by local authorities 7.56. As set out at 6.67 above, local a uthorities are in a unique position when it comes to obtaining access to communications data. The term “ ” does not local authority distinguish between the di fferent types of local authority (County, District, Unitary), which have very different enforcement functions. By way of illustration: (a) Trading standards functions rest with a local weights and measures authority, which will generally be the local County C ouncil or unitary authority. 45 - 4.16 above. See 4.5 136

143 CHAPTER 7: PRACTICE (b) Environmental health functions (e.g. food hygiene, retail health and safety, - tipping) rest with District Council. noise nuisance, fly Communications data is more likely to be useful in the enforcement of trading standards than it is in the context of environmental health. 7.57. A further complicating factor is the tendency since 2010 to centralise enforcement functions amongst authorities. In some cases, national specialist teams have been set up in local authorities: for example th e National e - crime Team (based in North Yorkshire County Council trading standards department) and the National Illegal Money Lending Team for England (based within Birmingham City Council). There are nt in relation to such matters also regional Scambusters teams to deal with enforceme as doorstep crime and fraud. 7.58. As a result, it is necessary to approach any apparent trends in local government activity with caution. 7.59. Local authorities are only permitted to receive su bscriber and service use data, whose prin cipal use is in identifying a suspect from their telephone calls. Some examples of the use of communications data by local authorities are at Annex 13 to this Report. 7.60. NAFN is used by local authorities to provide a shared SPoC service from two centres in T ameside and Brighton. It was funded from 1997 by the DWP to strengthen the fight against housing benefit fraud. It continues to provide data and intelligence sharing and an investigatory educational service, encouraging the appropriate use of communicati ons data to support investigations. Since 2008 it has provided a SPoC service under RIPA. NAFN is now funded by its members, 90% of which are local authorities, but it is open to all organisations which manage public assets. It continues to act as the a uthorising officer for obtaining communications data under the Social Security Fraud Act 2001 and other social security powers. It has been compulsory since 1 December 2014 for local authorities to use NAFN to obtain communications 46 data under RIPA. 7.61. I d iscuss the present and future use of communications data by local authorities at 9.96 - 9.100 below . Computer network exploitation 7.62. As set out at 6.24 - 6.31 above, CNE was first avowed in the UK by the publication in February 2015 of the Draft Equipment Inter ference Code. 7.63. While no specific use is avowed in the Draft Equipment Interference Code, it is applied (by its para 1.6) to the following activities, any of which could (without authorisation under the ISA 1994) infringe the Computer Misuse Act 1990: (a) obtain ing information from equipment in pursuit of intelligence requirements; 46 Acquisition Code, para 3.86. 137

144 CHAPTER 7: PRACTICE (b) obtaining information concerning the ownership, nature and use of equipment in pursuit of intelligence requirements; (c) nt, locating and examining, removing, modifying or substituting equipme hardware or software which is capable of yielding information of the type described in a) and b); and (d) enabling and facilitating surveillance activity by means of the equipment. 7.64. Some insight into the use of CNE was given by the Government in February 20 15, in its open response to a case lodged at the IPT by Privacy International: “CNE operations vary in complexity. At the lower end of the scale, an individual may use someone’s login credentials to gain access to information. More complex operations may involve exploiting vulnerabilities in software in order to gain control of devices or networks to remotely extract information, monitor the user of the device or take control of the device or network. These types of y by hackers or criminals. In limited and operations can be carried out illegall carefully controlled circumstances, and for legitimate purposes, these types of operations may also be carried out lawfully by certain public authorities.” Privacy International (no doubt inspired by allegations i n the Snowden Documents: 7.65. to this Report Annex 7 ) had alleged see further at in the same case that: “GCHQ has developed technology to infect individual devices, and in conjunction with the [NSA], has the capability to deploy that technology to potentially m illions of computers by using malicious software (“ malware ”)”, and described the use of such techniques as “ potentially far more intrusive than any 47 other current surveillance technique, including the interception of communications ”. Intelligence sharing 7.66. T he international nature of the threats facing the UK mean that sharing intelligence including but not limited to its Five Eyes partners – is a fundamental part with allies – 48 ’ work. The obtaining and disclosure of of the security and intelligence agencies security and intelligence agencies is governed by: information by the 49 which require the agencies to ensure that A 1989 and ISA 1994, (a) SS information is obtained and shared only in pursuit of their functions; and (b) HRA 1998, which requires them to operate in conformity with ECHR rights including in particular Article 8. 47 Privacy International v Secretary of State for Foreign and Commonwealth Affairs and GCHQ and others , Case No. IPT/14/85/CH Statement of Grounds, paras 3 and 4. [PI IPT Case] 48 ISC Privacy and Security Repo rt, para 242. 49 Each agency relies upon a different statutory basis: SSA 1989 s2(2)(a) (for MI5), ISA 1994 s2(2)(a) (MI6), and ISA 1994 s4(2)(a) (GCHQ). 138

145 CHAPTER 7: PRACTICE There is however no statute or Code of Practice governing how exchanges should be authorised or take place. Th the routine sharing of e Government’s position is that ed he more occasional sharing of raw, unanalysed intercept intelligence reports and t detailed internal guidance ... and by a culture of material are governed, instead, by “ 50 compliance ”. 7.67. The applicable arrangements were described in outline by the ISC in its recent 51 To summa rise: report. (a) No warrant is required to seek intelligence reports from overseas partners, though there are internal processes for verifying that the intelligence has been obtained in a manner compatible with the security and intelligence agencies ’ obligat ions unde r UK law . (b) GCHQ has in practice always had an interception warrant in place for any raw intercept that it has sought from its overseas partners, and ed material additionally (but voluntarily) appl ies the RIPA safeguards to all its data 52 irrespective of how a nd under what authorisation regime it has been acquired. 7.68. The Government’s rationale for intelligence sharing was set out in the Cha rles Farr 53 see 10.30) . statement to the IPT ( Bulk Personal Datasets k personal datasets was of bul 7.69. The use by the security and intelligence agencies 54 publicly avowed only on 12 March 2015 report. I had when the ISC published its already been extensively briefed on their use at all three agencies, and was also of bulk aware that the ISCommr has, for several years, been reviewing the use personal datasets as part of his duties. 7.70. I do not repeat the information contained in those reports, which is in every respect consistent with the information and demonstrations I was given. The Management of Relationships with s CSP 7.71. Much of the Go vernment, intelligence and police relationship with CSP s providers is conducted by NTAC. The Home Office has the lead responsibility for investigatory powers, sponsors the relevant legislation and guidance and is responsible for the payments to companies. The overall framework of legislation for the companies is however the responsibility of the Department of Culture, Media and Sport. There is an Interception and Communications Data Board chaired by the Home Office that - coordinates work within the Govern ment and warrant requesting agencies on technical and p olicy issues. CSPs are not represent ed . 50 Charles Farr Statement, para 51. 51 ISC Privacy and Security Report, paras 247 - 254. 52 GCHQ evi dence to ISC, July 2014. 53 Charles Farr Statement, paras 15 - 30. 54 - 163. ISC Privacy and Security Report, paras 151 139

146 CHAPTER 7: PRACTICE 7.72. A Technical Advisory Board, set up pursuant to RIPA s13, brings together industry experts in a personal capacity, Government and agency representatives to advis e the Home Secretary on the reasonableness of requirements imposed on companies to provide an interception capability. The Board does not have any regular meetings. 7.73. A Communications Data Steering Group, jointly chaired by industry and police representativ es, provides a forum for the discussion am ongst CSP representatives and some of the users of communications data. The group’s role is entirely advisory. There has been no similar group that examines interception issues from a multilateral 7.74. perspective, tho ugh a Lawful Interception Strategy Group is being established at which Government, Agency and industry representatives will meet from May onwards. None of these bodies has any representative of civil society groups. Furthermore, 7.75. most of the evidence I r eceived from CSP s observed there was an insufficient habit of communication and consultation between the Government and the companies on the policy for and practical impact of interference with communications for intelligence and investigation. The Costs o f Interception and Communications Data Use Under RIPA s14, the Government must make a fair contribution towards the costs 7.76. incurred by a service provider in implementing an interception capability, whether this is a standing capability required under s12 or ve effect to a warrant, under just to gi s 11. In practice this has been up to 80% of the capital cost of new interception capabilities and 100% of the ongoing operational costs. Where a service provider expands its network, it is expected to meet itself any increased capital costs of interception that arise. The companies’ capital costs are paid by the Home Office, the operational costs are 7.77. met by the intercepting agencies based on the projected costs for the year ahead and apportioned to each agency bas ed on relative usage. I was shown the costs of interception and asked not to publish them, in line with the Government’s usual 55 . practice so that inferences cannot be drawn about the nature of these capabilities 7.78. The same reticence does not apply to publis hing the costs of communications data used by public authorities. Grant payments to service providers to retain data were - 14. Following the enactment of DRIPA 2014, grant payments £13.5 million in 2013 are now made under the Data Retention Regulations 20 14/2042 . Public authorities also pay a charge for accessing communications data; these totalled £12.3 million in 2013 - 14. 55 Evidence from the Home Office, April 2015. 140

147 8. COMPARISONS 8.1. his C hapter offers some wider points of reference, to assist in evaluating the T acceptability of intrusions into privacy and the manner in which they are authorised and reviewed. 8.2. The three comparisons I have chosen are: (a) in particular, other forms of surveillance : the use by public authorities of intrusive and directed surveillance and the use of CHIS; (b) international compari sons for the regulation of investigatory powers; and (c) the use of content and communications data by private companies , in particular service providers. 8.3. None of these comparisons is exact, and there is insufficient space to develop any of them comprehensivel y here. But each of them provides a measure of perspective and can operate as a sense check when assessing the adequacy of the current law on investigatory powers, and when contempla ting alternatives to it. This C hapter out each subject, and suggests some ways in provides some basic information ab which the comparisons may be instructive. Other forms of surveillance security and 8.4. The main covert intrusive techniques used by the UK police and , other than interception of communications intelligence agencies and the examination of communications data, are directed and intrusive surveillance, property interference and use of CHIS. 8.5. Statistics on the use of the different intrusive techniques by law enforcement agencies are published by the OSC and are set out be low. 8.6. The Intelligence Service Commissioner does not publish a breakdown for the use of such techniques by the Agencies and M o D. He gives the total of such warrants and authorisations – 1887 in 2013 – but said in his latest report that it was his view th at 1 disclosing details beyond this could be detrimental to national security. 8.7. Opinions differ as to the relative intrusiveness of these powers: for example, we were told by the LGA that the OSC and IOCCO take different views concerning which powers should be used only as a last resort. Directed Surveillance 8.8. Directed surveillance is observing someone covertly in a public place to gain private information about them in order to support an investigation. It is a power widely available to public authorities (c omparable to those with access to communications data), is governed by RIPA Part II and RIP(S)A and is authorised within the public 1 Report of the ISCommr for 2013, p. 35. 141

148 CE CHAPTER 8: COMPARISONS – OTHER FORMS OF SURVEILLAN 2 It is available for a broad range of purposes, reflecting the range of public authority. the technique. authorities that are able to use 8.9. Directed surveillance, though covert like intrusive surveillance , differs from it in that it operates in a public place. I t is also triggered by suspicion, and (as the name suggests) is practised in support of a specific investigation or o peration. In 2013 - 14, directed surveillance was authorised 14,076 times by law - enforcement 8.10. 3 bodies and other public authorities. The Chief Surveillance Commissioner has noted a sharp decrease in the use of the technique by local authorities following the introduction of the requirement to obtain magistrates’ approval. He did not necessarily 4 attribute this to overuse in the past. Intrusive surveillance Intrusive surveillance is covert surveillance carried out within a building or private 8.11. vehicle. It is by att aching or embedding a device to record the performed classically activities of the individual or individuals under surveillance. It involves a high degree of interference with the right to respect for private life. Indeed, it might be as more intrusive than interception of communications, on the basis that characterised using individuals have a greater expectation of privacy within their home than when 5 such as mobile phones or email. electronic communications 8.12. Intrusive surveillance is available to similar bodies and for similar purposes to lawful intercept ion . It is governed by RIPA Part II and RIP(S)A ss5 - 20. The Secretary of State has the power to authorise the intelligence services, an official of the Mo D or a 6 member of the armed forces to car ry out intrusive surveillance. The NCA, HMRC, ct police and Competition and Markets Authority [CMA] may be authorised to condu 7 A similar intrusive surveillance by a C hi ef C onstable or senior authorising officer. framework operates in Scotland, where pol ice forces may be authorised to conduct 8 C Except in urgent cases, a intrusive surveillance by the Chief onstable of that force. police, HRMC, NCA or CMA authorisation does not take effect until approved by a 9 10 Surveillance Commissioner. That Commissioner must have held judicial office. The precedent of Commissioner authorisation for a highly intrusive power is one which I consider in the co ntext of my recommendations in C hapter 15 , below. 8.13. The police and other criminal investigatory bodies were authoris ed to carry out 11 intrusive surveillance on 392 occasions in 2013 14 . - 2 See RIPA ss28 and 30; RIP(S)A ss6 and 8. 3 OSC Annual report of the Chief Surveillance Commissioner to the Prime Minister and the Scottish Ministers 2013 , paras 4.8 - 14 - 4.9. 4 Ibid , para 5.18. 5 Charles Farr Statement, para 29. 6 RIPA s41. 7 RIPA s32(6). A designated deputy may also grant an autho risation, s34(6). 8 RIP(S)A s10. 9 RIPA ss35(1) and 36(1); RIPA(S)A s3. An exception is made for cases that are urgent. 10 RIPA s63(2). 11 OSC , Annual report of the Chief Surveillance Commissioner to the Prime Minister and the Scottish para 4.6. Ministers 2013 - 14 , 142

149 – CE CHAPTER 8: COMPARISONS OTHER FORMS OF SURVEILLAN Property Interference 8.14. Intrusive surveillance will often depend on an entry being made into private property to place the device. As a result, the intelligence services or police may also require a property interference warrant, if they want to hack into a computer by physically 12 modifying it . security and intelligence agencies may be authorised to carry out property The 8.15. interference by a warrant issued by the Secretary of State under ISA 1994. As with intrusive surveillance, an authorising officer within the police may grant an 13 property interference. All such authorisations must be authorisation to carry out 14 nce Commissioner who subjects them to scrutiny. notified to a Surveilla Certa in authorisations must be approved, rather than merely scrutinised after the event by the Commissioner: any authorisation to interfere with a dwelling house or office or that 15 might provide access to confidential material. This offers another example of ommissioner authorisation for a highly intrus C ive power, to which I return at 14.52 below. 8.16. Like intrusive surveillance, directed surveillance and CHIS, property interference is a covert technique that carries the risk of collateral intrusion. That collater al intrusion must be considered in advance before determining whether the interference with the , 689 authorisations to right to respect for private life is necessary and proportionate. 2 16 3 - 14. interfere with property were granted under the Police Act 1997 in 201 Some operations require property interference warrants in conjunction with other types of warrant, e.g. for intrusive surveillance or interception. Covert Human Intelligence Sources (CHIS) 8.17. informants. A long list of CHIS involves the use of agents, undercover officers or public authorities are authorised to make use of CHIS, as set out in RIPA Schedule 2. A statutory instrument sets out which individuals within those bodies may authorise 17 CHIS. Within an ordinary police force, any superintende nt may authorise CHIS. Local authorities may only obtain authorisations to carry out CHIS from a magistrate, 18 owing changes introduced by PFA 2012. foll 8.18. Some argue that the infiltration of social networks by agents and informants is at least as intrusive a s the interception of communications: yet whereas the latter requires the personal authority of the Secretary of State, the former (incongruously, it was said) 12 See 7.62 - 7.65 above. 13 Police Act 1997 s93. 14 Ibid. , s96. 15 Ibid ., s97. As with intrusive surveillance, there is an exception for urgent cases. 16 OSC Annual report of the Chief Surveillance Commissioner to the Prime Minister and the Scot tish Ministers 2013 14, Appendix A. - 17 The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) Order 2010SI 2010/521, as amended by the Regulation of Investigatory Powers (Covert Human Intelligence Sources: Rele vant Sources) Order 2013. 18 PFA 2012 s38. 143

150 CHAPTER 8: COMPARISONS OTHER FORMS OF SURVEILLAN CE – used to require authorisation only by a superintendent and even now may be internally 19 authorised by the police force concerned. Following public concerns about the long term infiltration of an environmental protest 8.19. - group by officers, one of whom engaged in an intimate sexual relationship with an activist, a distinction has now been drawn between usi ng undercover officers as sources and other forms of CHIS. Additional restrictions apply to the use of undercover officers. Thus: The use of undercover officers authorised by RIPA is now restricted to the (a) match the responsibilities police, NCA, Home Office and HMRC, and limited to of those bodies. The use of undercover officers must be approved by an Assistant Chief (b) Constable, even if (as is sometimes the case) the undercover deployment is intended to last only for a matter of hours). - (c) term undercover operations (over a year) must be authorised by C hief Long 20 onstable and then only with the approval of a Surveillance Commissioner. C 4 , 430 CHIS were authorised in 2013 - 14 by law - enforcement bodies and other public 8.20. 21 authorities. The view was also expressed to 8.21. me that there is no justification for the distinction that now exists between the authorisation of police and non - police informers, the intrusive effect of each operation being much the same. According to that view, the change to rmers in 2013 was a knee the rules for police info jerk reaction which addressed the - problem that had been in the headlines but did not look at the issues in a broader perspective. Surveillance cameras Surveillance cameras are widely used by public authorities for crime prevention and 8.22. public safety. They include CCTV cameras in public places, automatic number plate (ANPR) devices on roads and the body - worn video being introduced to recognition police work. They are used more widely still by private individuals and businesses: the UK , police estimated in 2011 that of the 1.85 million surveillance cameras in the 22 1.7 million were privately owned. 8.23. The use of surveillance cameras does not ordinarily require authorisation under RIPA: they are not used to carry out directed or intrus ive surveillance because their use is 23 overt, rather than covert. Their use is regulated by DPA 1998 and PFA 2012. Two 19 Such arguments were emphasised in the submission of Birnberg Peirce & Partners on behalf of eight women who had been in intimate relationships with police officers. 20 The Regulation of Investigatory Powers (C overt Human Intelligence Sources: Relevant Sources) Order 2013. 21 Report of the ISCommr for 2014, para 4.11. 22 JCDCDB Report, p. 7. 23 2.28. - Covert Surveillance and Property Interference Code, para 2.27 144

151 – CE CHAPTER 8: COMPARISONS OTHER FORMS OF SURVEILLAN 24 also established PFA 2012 en issued in relation to CCTV. codes of practice have be at iance with th a Surveillance Camera Commissioner to oversee compl Code and to review it from time to time. Where security companies operate cameras, whether on behalf of the public or private sector, the operators require a licence from the Security 25 Industry Authority. Visitors from abroad are often str uck by the quantity of CCTV cameras on British 8.24. . Most of th e activities are recorded are, of course, entirely innocent ose whos streets. the cameras are not generally speaking a focus for resentment. CCTV evidence Yet 26 of criminal trial (e.g. for town centre assaults). is routinely presented in certain types 8.25. drones that may carry Police forces also make increasing use of helicopters and cameras: RIPA and its code s of practice apply to any directed surveillance (a) whether it is , carried out with the assistance o f a surveillance device or other equipment , including aerial surveillance by helicopter or by use of remotely pilo ted aircraft systems (drones). (b) Beyond directed surveillance, the use of airborne devices for surveillance is governed by regulations set by th e Civil Aviation Authority, and is also subject to requirements on regulation o f surveillance cameras under PFA 2012, along with DPA 1998 and the RIPA framework. Use of bulk personal data 8.26. The ISC Privacy and Security Report revealed for the first time tha t the security and intelligence agencies make use of bulk personal data sets derived from information 27 held by other public and private sector bodies. The de alings of individuals with overnm - non G governmental bodies are typically recorded in electr onic ent and (which include passport application data ) may be easily databases. Those databases searched in order to obtain information about a particular individual or groups of individuals. Following this disclosure, the ISC recommended that the exercise of th is power be formally overseen by the ISCommr and that recommendation was promptly 28 accepted by the Prime Minister. 8.27. There are a number of legal “ gateways ” under which data can be passed from the 29 ent. organisation which has collected it to another part of governm This may be done 24 “In the Picture: A data protection code of practi ce for surveillance cameras and personal information” was issued by the Information Commissioner’s Office [ICO] under DPA 1998. It sets out how individuals’ e privacy should be protected by the operators of surveillance cameras. The Surveillance Camera Cod of Practice is issued under PFA 2012. It sets out Guiding Principles to govern the use of CCTV. 25 Private Security Industry Act 2001. 26 The presence of cameras is so commonplace that I have known a jury to ask, in such a case, why no CCTV material was put in evidence. 27 ISC Privacy and Security Report, Chapter 7. 28 Written ministerial statement by the Prime Minister, Reports relating to the Security, Intelligence and Law Enforcement Agencies, and statutory direction to the Intelligence Services Commi ssioner , ( 12 March 2015) . 29 See, e.g., exemptions from the data protection principles set out in DPA 1998 Part IV, ISA 1994 s2 s2. and SSA 1989 145

152 – OTHER FORMS OF SURVEILLAN CE CHAPTER 8: COMPARISONS for example in the interests of national security or in certain cases for the prevention and detection of crime. When material within those databases is aggregated, it becomes a powerful tool in 8.28. the hands of e agencies or investigators searching for suspect security and intelligenc ’s Connect database, describe d as a behaviour. One such system is HMRC “ high - tech analysis system , when combined with a “ wide range of data ” which allows 30 , the identification of “ sources” h of a button” . evasion at the touc 8.29. Big Data sets are also the basis for “ rules based targeting ”. This technique involves the “ washing relevant data against intelligence - led rules so as to identify ” of ing on routes of passengers with a profile similar to those of known terrorists travell concern. I have expressed the view elsewhere that this technique is an entirely useful and rational one for identifying travellers whom it may be appropriate to question, and 31 if necessary to search, under the Terrorism Act 2000 Schedule 7 . Enforced decryption 8.30. Where a device has been lawfully seized for examination and contains encrypted materials, the relevant authority can demand that the decryption key is handed over 32 This power, activated only in 2007, is highly to enable all content to be examined. intrusive but not covert. Any public authority that obtains unreadable material in the course of an investigation may seek the keys if it is necessary and proportionate to do so, but must first seek the concurrence of NTAC. Authority is g iven by a circuit 33 judge for law enforcement agencies and by the Secretary of State for the agencies, 34 and the practice is overseen by the relevant Commissioners. 8.31. Enforced decryption represents a possible way around the secure encryption of modern devices such as smart phones. However, as was pointed out to me, somebody whose device contains evidence which would be liable to convict him for serious criminality if it could be read might prefer to accept a relatively low prison ver the encryption key. Enforced decryption was sentence for refusal to hand o - 14, with two convictions in the same period for failure to required 76 times in 2013 35 I have previously drawn attention to the anomalous fact that the Code of comply. Practice governing police port operatio ns under the Terrorism Act Schedule 7 purports to permit them to demand the encryption key without reference to similar procedures 36 or safeguards. 30 - https://www.gov.uk/government/policies/reducing - tax - evasion - and - avoidance/supporting - pages/preventing tax - evasion . 31 The Terrorism Acts in 2013 , (July 2014), Annex 2, para 19. D. Anderson, 32 RIPA s49. 33 See RIPA Schedule 2. 34 See RIPA s59(2), which grants the ISCommr the power to oversee the exercise by the intelligence services of all their powers in RIPA Part III, and RIPA s57(2)(c) which grants IOCC the power to oversee the exercise of RIPA Part II powers. 35 OSC Annual Report, September 2014, 4.13. 36 , July 2014, Annex 2 para 33. The Terrorism Acts in 2013 D. Anderson, 146

153 – OTHER FORMS OF SURVEILLAN CE CHAPTER 8: COMPARISONS Other intrusive powers The JCDCDB in 2012 also drew attention, when considering other intrusive 8.32. capabiliti es, to a number of mechanisms by which public authorities may obtain access to data on the basis of individual suspicion. Suspicious activity reports, arising out of financial and commercial transactions, are automatically reported to the NCA. 37 fingerprints and DNA databases The nation also contain many millions of entries. al 8.33. Securing access to this kind of data is relatively remote from the types of intrusion with which this Report is concerned. However, some parallels arise. For example, 38 S and M arper the has obvious implications judgment of the ECtHR on DNA retention ed material and communications data. for the retention of intercept Otherwise, as set out at 8.34. 4 .27 - 4.29 , use may be made of OSINT, as to which there is some (although minimal) i nformation in the public domain. Some techniques used by below. the private sector to gather information are set out in at 8.65 - 8.83 Measuring Intrusion 8.35. Opinions differ as to the relative intrusiveness of these various techniques. Relevant they operate in a public, private or electronic space (which factors include whether may affect an individual’s expectations of privacy), whether they involve deception (CHIS); and their capacity to operate in bulk (CCTV) or only on suspicion (intrusive ). and directed surveillance 8.36. The levels of authority required before these powers may be exercised imply a broad parity between: (a) interception of communications, intrusive surveillance and property interference; and (b) requests for communications data, directed surveillance and CHIS. Recent legal changes prompted by prominent news stories have reflected shifts in the public perception of how intrusive these powers are. Most notably, the level of authorisation required for police CHIS and for local authority requests for communications data have been increased. 8.37. A more formal structure (or “ ladder of escalation ”) for evaluating the relative intrusiveness of surveillance methods has been proposed by Professor Ross Bellaby, 39 acknowledging the influence of Sir Michael Quinlan, Sir David Oma nd and others. Another “ matrix” of surveillance technologies has been developed by SURVEILLE, a 40 project funded by the European Commission. 37 JCDCDB Report, p 7. 38 S and Marper v UK (Application nos. 30562/04 and 30566/04, judgment of 4 December 2008). 39 R. Bellaby, The Ethics of Intelligence , 2014. 40 SURVEILLE, Paper Assessing Surveillance in the Context of Preventing a Terrorist Act, (May 2015) [SURVEILLE Report] . See further 14.44(a) below. 147

154 – INTERNATIONAL CHAPTER 8: COMPARISONS International Comparisons Comparing the UK’s legal regime with those of other countries is fraught with danger, 8.38. fo r a number of reasons: The UK is far from unique in the complex and fragmented nature of the law (a) governing investigatory powers. I had the impression that in many countries, the number of people professing fully to understand the relevant law, even academics and the legal profession, was remarkably small. among (b) By focussing only on what is written on the page, the observer risks failing to appreciate other aspects of how things operate in practice. Intelligence agencies everywhere in the world operate lar gely in secrecy, for obvious reasons. It cannot be excluded that practices take place which are completely unknown to commentators or which have no legal sanction whatsoever (as was the case with phone tapping in the UK prior to IOCA 1985). 8.39. But a comparat ive picture, however imperfect, is desirable. I have attempted to make some comparative observations in respect of lawful interception, access to communications data and communications data retention (amongst other topics). However, this C hapter does not offer anything comprehensive or authoritative. In the course of preparing it, I have drawn on published comparative surveys, on my own visits to the US, Canada and Germany and on assistance kindly given by national 1 experts to address some issues of parti cular interest. Five Eyes partners 8.40. UK security and intelligence agencies , together with their counterparts in Australia, – a Canada, New Zealand and the USA, form part of the Five Eyes partnership on grouping which had its origins in the 1946 UKUSA informati sharing agreement, - 2 declassified in 2010. 8.41. Each of the Five Eyes is a common law jurisdiction that shares at least some elements legal heritage with the of its . As a result, the laws of the other Five Eyes members UK provide a particularly useful comp arator. I have briefly summarised the law of interception and access to communications data in each of the Five Eyes states in Annex 15 to this Report. Content and communications data 8.42. The precise boundaries between communications data and content are not defined in the same manner around the world. However, there appears to be a broad consensus that the content of a communication falls into a different category from data relating to As set out in Annex 15 communications. to this Report, a number of the o ther Five 1 In particular David Medine (PCLOB) and Alan Butler (EPIC) from the US, Prof. Craig Forcese from Canada and Prof. George Williams and Kieran Hardy from Australia. 2 . http://www.nationalarchives.gov.uk/ukusa/ See 148

155 – INTERNATIONAL CHAPTER 8: COMPARISONS Eyes partners have recently moved to clarify their definition of communications or call 3 associated data. Authorisation 8.43. Many states provide different authorisation pathways for law enforcement on the one hand and on the ot her. In some, though not all, security and intelligence agenc ies es those differing frameworks are set ou t in separate statutory regimes . stat 8.44. riminal law enforcement bodies in the United States, In contrast to the UK position, c n judicial authorisation before they Canada, Australia and New Zealand must all obtai 4 ion . carry out intercept 8.45. to communications data/ metadata is more The position in terms of police access complex. In Canada and Australia, some form of judicial authorisation is required before the police may access met adata. In the United States, federal law enforc ement agencies such as the FBI may access metadata without judicial authorisation , but 5 State police forces ordinarily require a subpoena or a court order in order to do so. security and intellige nce agencies of the Five Eyes partners, the US 8.46. As to the intelligence agencies may apply to a specialised federal court, the Foreign Intelligence [FISC], Surveillance Court in order to receive authorisation to collect intelligence material. However, Executive Order 12333 [EO 12333] also provides the power to 6 intercept communications without judicial oversight. The Canadian Security and Intelligence Service [CSIS] require both Ministerial and judicial authorisation (from a special bank of Federal Court Judges) befo re they may carry out interception. [CSE] , which obtains However, the Communications Security Establishment foreign intelligence outside Canada, may carry out overseas interception without prior judicial 7 approval. The structure in New Zealand is very si milar to that in Canada. The New Zealand Security and Intelligence Service [NZSIS] must obtain the approval of a minister and a retired High Court judge, if it wishes to carry out interception inside 8 New Zealand. Foreign intelligence warrants may be auth orised by the minister alone. The Australian Security Intelligence Organisation may be authorised to carry [ASIO] 9 out interceptions by the Attorney General. 3 New Zealand: Telecommunications (Interception Capability and Security) Act 20 13 [TICSA 2013] established a new statutory definition of “ call associated data ”. Australia: a new mandatory data retention regime specifies categories of information that must be kept by service providers for a period of two years. Canada: The Protectin g Canadians from Online Crime Act 2014 [PCFOC 2014] , defined “ ” and “ transmission data” (Canadian Criminal Code para 487.011). USA: “ Intercept” has tracking data been defined since the 1968 under the Wiretap Act [WA 1968]: the “ aural or other acquisition o f the contents of any wire, electronic or oral communication through the use of any electronic, mechanical or other device ”. 4 - See paragraphs 80 - 84, 34 - 38, 8 13 and 68 - 72 in Annex 15 to this Report. 5 See paragraphs 85 - 86, 38, 17 - 24 and 73 - 75 of Annex 15 to this Report. 6 See para 102 of Annex 15 to this Report. 7 See para 54 of Annex 15 to this Report. 8 A similar mechanism applies to the Government Communications Security Bureau [GCSB] . See paragraphs 64 - 67 of Annex 15 to this Report. 9 to this Report. See paragra phs 3 - 7 of Annex 15 149

156 – CHAPTER 8: COMPARISONS INTERNATIONAL As is clear from the above, the is unique in the Five Eyes in making no use of UK 8.47. prior authorisation of intercept ion judges for the warrants. But there is no single standard applied by the other members. 8.48. In Europe, judicial authorisation is not universal: In Germany, the position of the security services remains essentially as it was (a) Klass v Germany. After an initial control the ECtHR in the case of described by an official qualified for judicial office ”, intercept ion warrants are approved by by “ - 10 Commission, a committee of present and former members of the G parliament which meets monthly. Th e ECtHR, whilst noting that “ it is in principle desirable to entrust supervisory control to a judge ”, rejected the submission that 10 form of political control ”. this was an unacceptable “ Law enforcement agencies require a court order before they are entitl ed to carry out interception. lux. As outlined at 5.50 - 5.74 above , the (b) The situation in the Netherlands is in f Dutch Data Retention Law was declared unlawful by the District Court of the rch 2015. A previously Hague in Ma propos e d draft bill, which would require - police and public prosecutors to obtain judicial authorisation before securing access to communications data retained by CSPs , may be relied upon by the 11 Government to remedy the position. Dutch The Dutch Security Services currently have the power to intercept communications without judicial authorisation, on the authority of either the Minister of Interior or the Minister of 12 Defence. (c) In France, a new Intelligence Bill, introduced in March 2015 will if passed put the powers of the security service s to carry out interception and gain access to 13 cise of security Currently the exer communications data on a statutory footing. is subject to review by a 3 - person interception service powers in that area service warrants to be committee. The new Bill will allow for intelligence authorised by a Minister but scrutinised by an inde pendent oversight committee of nine people including judges, MPs and IT specialists. That body would have to the Conseil d ’État if it considered t hey were the power to refer authorisations 14 irregular. 8.49. A 2011 European Commission evaluation of the Data Retention Directive (Directive 2006/24/EC) set out the various routes by which access to communications data might 15 be secured in different countries: 16 Purely judicial (magistrate or ju dge): Denmark, Greece, Spain, Netherlands ; (a) 10 Paras 20 and 54 - 56. 11 See however the open advice of the Dutch Data Protection Authority, available online in Dutch https://cbpweb.nl/nl/publicaties/ wetgevingsadviezen . 12 State Security Act ( Wet op de inlichtingen – en veiligheidsdiensten) 2002, Article 25. 13 Draft Police and Security: Information Bill, published on 19 March 2015. 14 Ibid., para 2. 15 Com(2011) 255 final, 18 April 2011, pp. 9 - 10. 16 The position in Finland is that no authorisation is required for subscriber information but judicial authorisation is required for traffic data. 150

157 CHAPTER 8: COMPARISONS INTERNATIONAL – Judicial or prosecutor: Belgium, Cyprus, Netherlands; (b) Public prosecutor alone: Italy, Hungary; (c) (d) Public prosecutor or police: Latvia, Slovakia; (e) Police authorisation: Ireland; Poland; Interior: France. Senior official in Ministry of (f) Oversight Various published documents purport to compare the oversight regimes of different 8.50. states: (a) Report produced by the University of Durham and the Parliament of Norway A 17 . in 2005, with summary table comparing the position in eight cou ntries Annex B to the UK Parliament’s Home Affairs Select Committee's Counter - (b) Terrorism Report, which sets out the comparative oversight frameworks in the 18 . and the U UK S A document from the New Zealand Parliament, comparing the oversight (c) 19 regimes in the UK , New Zealand, Australia and Norway. Annex 1 to a 2013 report of the European Parliament on mass surveillance, (d) comparing the legal position in the UK, France, Germany, Sweden and the 20 Netherlands. at they have all establ ished 8.51. A brief review of the Five Eyes partners demonstrates th oversight at least some element of as well as scrutiny by a by the legislature, General. - Commissioner or Inspector 8.52. s General have a broad mandate with Both the Australian and New Zealand Inspector g investigatory function a stron . The Canadian Security Intelligence Review Committee [ 8.53. ] combines both SIRC p arliamentary and external review within one entity. The member s of the Committee are p arliamentarians , but much of the practical day - to - day operational work is carried out by th e employees of SIRC. The appointed members only meet on a small number of days per year. CSE is overseen by a special Commissioner, a retired judge, who reports on the interceptions granted by the Minister on an annual basis. 8.54. As well as a permanent sele ct committee on intelligence in both Houses of Congress, the United States has a of oversight mechanisms. The Privacy and Civil variety 17 H. Born and I. Leigh, Making Intelligence Accountable, (2005) accessible at: http://www.dcaf.ch/Publications/Making Intelligence - Accountable . - 18 th 17 Report of Session 2013 - 14, HC231 (May 2014). 19 New Zealand Parliament, “External oversight of intelligence agencies”, May 2013. 20 General for Internal Policies, “National programmes for mass European Parliament Directorate - surveillance of personal data in EU Member States and their compatibility with EU law”, 2013. 151

158 CHAPTER 8: COMPARISONS – INTERNATIONAL Liberties Oversight Board provides advice and oversight to the US Government on rate President’s Intelligence Oversight Board questions of terror prevention. A sepa reports directly to the President on potential violations of the law. Many of the Agencies themselves also contain an Office of Inspector General, with a remit to 21 review compliance internally. Data Retention 8.55. The European picture concerning data retention is diverse and complex. Prior to the decision in Digital Rights Ireland , the EU Data Retention Directive required Member States to pass laws requiring the retention of certain metadata for between 6 and 24 mo nths. European data 8.56. An opinion by the European Parliament’s Legal Service concerning 22 - Digital Rights Ireland appeared in January 2015 . retention post It listed the Member Digital Rights Ire land States whose courts had annulled data retention laws prior to the judgment (Bulgaria, Romania, Germany, Cyprus, Czech Republic), as well as the first three to have done so since (Austria, Slovenia, Romania), and concluded that Member States which wish to retain data retention laws must ensure that they comply with E U law. 8.57. A very full summary of EU data retention laws in the EU Member States was published 23 by the Open Rights Group in April 2015. As to the Five Eyes partners, both Canada and Australia have recently passed 8.58. 24 ders to retain some data. legislation to require telecommunications provi Telecommunications providers in New Zealand are already required to be capable of obtaining call associated data and to provide it to police and security services when served with a warrant. An important distinction between US a nd UK law (as it currently stands) is that there 8.59. t for CSP s in the United States to store data beyond their own is no requiremen business needs. On the other hand, US CSP s are not obliged, as are their European counterparts e it is no longer necessary for business , to delete or anonymise data onc purposes. I was informed during my trip to the US that it was highly unlikely that Congress would consider legislation requiring service providers to retain or create data that they did not themselves need for busi ness purposes (s uch as billing). However, CSPs are required to retain data that they already produce and create such as name, address, telephone number of the caller, telephone number called, date, 25 time and length of a call. 21 th 17 Report of Session 2013 - 14, HC231 (May 2014), p. 92. 22 Legal Opinion to LIBE, which can be accessed at: https://s3.amazonaws.com/access.3cdn.net/27bd1765fade54d896_l2m6i61fe.pdf . 23 Open Rights Group, “Data Retention in the EU following the CJEU ruling”, (April 2015). 24 Australia: Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. Canada: PCFOC 2014. 25 Under 47 C.F.R. § 42.6. 152

159 – INTERNATIONAL CHAPTER 8: COMPARISONS Bulk Collection A comparativ e picture of bulk data collection and data analysis is very difficult to 8.60. provide. Many states do not officially avow their bulk data programmes (if they exist) and have continued this practice in the light of the disclosures in the Snowden 26 Documents. Fur thermore, legislation does not ordinarily describe bulk collection powers in terms. 8.61. By way of example, RIPA s8(4) is not described as a mechanism for bulk collection, though in practice that is one of the uses to which it is put. Nonetheless, it is clear that an Australian foreign communications warrant, issued under the Telecommunications (Interception and Access) Act 1979 [TIA 1979] ss11A, 11B or 11C, will allow for bulk collection. Likewise the GCSB in New Zealand may obtain an access authorisation wa rrant that enables it to access specified information 27 infrastructures (with no greater degree of specificity required). It is also clear that the Canadian CSIS and CSE carry out large scale data analysis. For its part, the US Government has officially a vowed its PRISM programme, which involved the collection of large volumes of data by the NSA. 8.62. As to the various European states, the new French Intelligence Bill would grant the Prime Minister the power to require CSPs to monitor communications data passi ng through their networks on a purely anonymous basis. If the data patterns are 28 - anonymise ” that data. suspicious, the CSP may be required to “ de It also provides 29 for the bulk interception of communications “ sent or received abroad .” Report of April 2015 on Venice Commissi explains that both Germany and 8.63. The 30 Sweden make statutory provision for bulk interception. The Snowden Documents suggested that the German external intelligence service (BND) passed very large 31 The Dutc h Government is currently debating a volumes of metadata to the NSA. revision to its Intelligence and Security Act 2002. It is unclear whether the final form of that revision will allow for bulk interception of external communications and on what basis. 8.64. Bulk collection is, at least pres ently, a reality of the surveillance landscape, at least when carried out for the purposes of foreign intelligence, and conduct ed outside the state concerned. 26 dards for surveillance reform”: See however I. Brown and others, “Towards multilateral stan - content/uploads/2015/01/Brown_et_al_Towards_Multilateral_2015.pdf https://cihr.eu/wp . 27 GCSB Act s15A (1). 28 Intelligence Bill 2015 L. 951 - 4. 29 Ibid., L. 854 - 1. 30 Venice Commission Report, p. 27, fn 81. 31 Der Spiegel, 5 August 2013. A German Parliamentary Committee has been set up to investigate the ons concerned with spying matters arising from the Snowden Documents, though its focus is on questi carried out by other states in Germany. See “German BND spy agency helped Germany target France”, BBC website 30 April 2015. 15 3

160 CHAPTER 8: COMPARISONS PRIVATE SECTOR ACTIVITY – Private sector activity How private companies operate It is barely possible to engage in everyda y social and economic activity without 8.65. consenting to the handover of private information to private companies and at that point losing some control over how it is used. Service providers, (particularly online social networks), retailers and others hold vas t 8.66. amounts of commercially valuable data about individuals, which can be monetised in a host of ways, such as credit reference checks and targeted advertising on the 1 internet. he 8.67. Services which are free to customers on the internet are generally paid for by t ability of companies to exploit the data that the customer’s interaction with them creates: everything from buying habits to location and movement and social preferences. For example: Google combines data from a range of sources to display advertising most likely (a) to generate advertising revenue. Google’s online terms of service state “ Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising , and spam and malware detection. This analysis occurs as 2 ” the content is sent, received, and when it is stored. Sources can include a user’s IP address, Google and Youtube profiles, Google search engine results, o businesses which advertise with Google map requests and apps belonging t 3 ” Google. Google offer their “ a number of products to help manage partners Adsense, Adwords, Google Analytics their advertising and websites, including “ 4 - branded services ”. and a range of DoubleClick (b) According to Facebook ’s 2015 Data Policy it “ shares ” information about users 5 within the family of companies that are part of Facebook” . “ This may be done 6 facilitate, support and integrate their activities. There are currently ten to “ ” companies listed in the family, includ ing Whatsapp, Instagram and Atlas (an advertising platform, aimed at helping companies track the effectiveness of online ads). Facebook’s Audience Network programme provides app developers with aggregated data to target their ads. “ ” are Facebook Services also covered by this Data Policy and include Services such as “ Audience ”. This service is designed to provide businesses with information about Insights 7 ” the “ of their geography, demographics and purchasing behaviour and more target audiences. In March 2015, Facebook launched Topic Data in the UK 1 “How Wireless Carriers are Monetizing Your Movements”, MIT Technology Review Website, 12 April 2013. 2 See http://www.google.com/intl/en/policies/terms/ . 3 A list of partners is not provided, see http://www.googl e.com/policies/privacy/example/our - partners.html . 4 See . https://www.google.com/intl/en/policies/technologies/ads/ 5 See https://www.facebook.com/about/privacy/update . 6 See https://www.facebook.com/help/111814505650678 . 7 insights . See https: //www.facebook.com/business/news/audience - 154

161 CHAPTER 8: COMPARISONS – PRIVATE SECTOR ACTIVITY and US. This provides select access to advertisers about the topics being discussed by Facebook users. Data brokers 8.68. Data brokers are companies which collect consumers’ personal information and resell or share that information with others. They collect this information from commercial, government and publicly available sources, often analysing it to make certain inferences about customers before selling it to clients. Examples of data brokers 8 x and Acxiom. include Datalogi 8.69. The lack of transparency relating to this type of company led to a study of nine data brokers by the Federal Trade Commission in the US in 2014. The study found: “Data brokers acquire a vast array of detailed and specific information ab out consumers, analyze it to make inferences about consumers, some of which may be considered sensitive; and share the information with clients in a range of industries. All of this activity takes place behind the scenes, without 9 consumers’ knowledge.” 8.70. pecific findings included that seven out of the nine data brokers shared data with S 10 other data brokers providing “ a detailed composite of the consumer’s life. ” The database of one of the data brokers investigated covered one trillion dollars in ransactions. consumer t 8.71. In April 2015, the ICO launched an investigation into UK firms sharing pension, 11 medical and financial data. Data protection 8.72. The rules and guidance set out in DPA 1998 and consumer protection law are intended to protect individuals from unf air use of such data. However, the House of Commons Science and Technology Committee recently expressed doubt about the 12 ability of current legislation to deal with data passing over digital platforms. A draft to EU Regulation and Directive, introduced in 2 012 with the aim of providing rules “ 13 ”, are still being negotiated by Member States. catch up with the digital age 8 Data Brokers: A Call for Transparency and Accountability (May 2014). 9 Ibid ., p. vii. 10 Ibid., p.11. 11 - See the announcement on the ICO website: https://ico.org.uk/about - the ico/news - and - events/news - and - blogs/2015/04/ico - to - make - enquiries - about - sale - of - pension - data/ . 12 (November Responsible Use of Data , HC 2 45 2014), p. 3. 13 See the European Commission Factsheet, “Data Protection Day 2015: Concluding the EU Data Protection Reform essential for the Digital Single Market”, 28 January 2015. The CMA is currently f issues relating to the commercial use of consumer data, carrying out an inquiry into a number o including consumer understanding about the collection of data and how consumer data are aggregated, bought and sold. 155

162 – PRIVATE SECTOR ACTIVITY CHAPTER 8: COMPARISONS The impact and extent of commercial use of consumer data Commercial use of consumer data can have serious impacts on the personal lives of 8.73. 14 individuals: A woman’s sexuality was exposed to her colleagues, against her wishes, (a) 15 because of the advertisements that popped up on her screen. (b) A department store sent coupons for baby items to customers whose pr egnancy prediction score ”. The father purchasing history gave them a high “ of one teenage recipient made a complaint to the department store before 16 discovering the accuracy of the prediction. (c) A credit card company lowered a customer’s credit rating because he shopped 17 at places where other customers had a poor repayment history. Moreover, such use of dat 8.74. is increasingly complex: a (a) A Canadian firm tracks up to 10 million mobile devices every day in Toronto and builds lifestyle categories based on people’s movements. (b) Shoppertrak uses in - store WiFi sensors to track customers’ phones so it knows if they return to the store. (c) At least 160 third party websites watch the users of OKCupid, a dating site, noting the websites they visit later. Various identification technologies are in development. As well as the familiar (d) (and fast improving) facial recognition systems, these include voiceprint recognition systems, iris scanners that work at distance, gait recognition systems and systems for identifying people by typing style, writing style and 18 – apparently – even body odour. The significance of such developments is expressed in the following prediction: 8.75. “Store clerks will know your name, address, and income level as soon as you walk through the door. Billboards will know who you are, and record ho w you respond to them. Grocery store shelves will know what you usually buy, and exactly how to entice you to buy more of it. Your car will know who is in it, who 19 is driving, and what traffic laws that driver is following or ignoring.” 14 The examples in this section are taken from M. Venkataramanan, My Identity for Sale, unless otherwise stated. 15 J. Angwin, Dragnet Nation: A quest for privacy, security and freedom in a world of relentless , 2014, p. 167. surveillance 16 “How Companies learn your secrets”, The New York Times Magazine, 16 February 2012. 17 A. Croll,” Big Data is our Generation’s civil rights issue, and we don’t know it” , Solve for Interesting website, 31 July 2012. 18 B. Schneier, Data and Goliath , 2015, chapter 2. 19 Ibid . 156

163 – CHAPTER 8: COMPARISONS PRIVATE SECTOR ACTIVITY hat while at present “ The author adds t many of our surveillance systems are still visible to us ” more of those systems are likely to become hidden in the future. Sensing the force of such points, modern dystopian li terature (in contrast to Nineteen 8.76. - Four ) tends to fo cus at least as much on the evils of the (private sector) Eighty “ surveillance society ” as on those of the (more extensively regulated) “ surveillance 20 ”. state Tracking methods As is clear from the above, a significant tool in a private company’s armoury is the 8.77. t racking of communications online. Digital advertising provides a significant method of tracking, as well as presenting a quantifiable return on investment. It takes place via an increasing number of methods. Cookies 8.78. Cookies are small text files placed on a computer’s hard drive when a browser visits a website. They work in conjunction with pixel tags to notify a website that a visit has previously taken place. They include: (a) First party cookies , sent by the website a browser is visiting. , sent by a website other than the website the browser is kies coo (b) Third party visiting. For example an advertisement appearing on the website can send a , third party cookie, thus allowing the network managing the third party cookie to track information about a user’s bro wsing habits and engage in targeted advertising. (c) Zombie cookies or super cookies , which reappear after they have been deleted by a user. (d) Cookie - syncing , which is the practice of third party websites linking IDs allocated to a user. This can improve tr acking, particularly when used in 21 conjunction with zombie cookies. 8.79. The rapid growth in ownership of mobile devices has meant that companies have had to find alternative methods to carry out tracking: cookies are not shared between apps and so have limited value on mobile devices. A number of methods have been adopted to overcome this problem: (a) Single Sign On permits a user to enter one name and password in order to gain access to multiple applications. For example, a Facebook ID can be used to log 20 and cf. James Graham’s play See e.g. Dave Eggers’ 2014 novel The Circle Pri vacy , which sold out the Donmar Warehouse in London in 2014. 21 G. Acar et al, “The Web Never Forgets: Persistent Tracking Mechanisms in the Wild”, (2014) Proceedings in the CCS, p. 681. 157

164 – PRIVATE SECTOR ACTIVITY CHAPTER 8: COMPARISONS third party websites, allowing Facebook to collect information about users’ into 22 visits to these third sites. (b) Header enrichment refers to the process of injecting a number into a HTTP header each time a user visits a website. (c) Fingerprinting techniques collec t different pieces of information relating to a device or browser to enable identification. Deep - linking 23 Approximately 90% of the time spent using mobile devices is spent in apps. Apps 8.80. do not follow the structure of the web and so the usual tracking m ethods are not - available. Deep linking allows app developers to link to pages in apps and so replicate the structure of the web and enable tracking. - ins Social plug 8.81. Social plug - ins facilitate the sharing of third party content within online social network s. Examples include Facebook’s “ like ” button, Google+’s “ +1 ” and Twitter’s “ ” button. When a person visits a third party webpage in which a plug - in is tweet embedded the domain of the plug - in provider may receive certain information automatically. This i s examined in more detail at 8.100 below. Adware Adware is used to describe software which is embedded with advertisements. It is 8.82. commonly used to allow users to have access to software without having to pay for it. However, adware software may also trac k web browsing habits in order to facilitate targeted advertising by third parties. This practice is a form of spyware. Location Tracking 24 “ 8.83. ”, (when an application collects location data even when Passive location tracking it is not in use), is increasingl y common: t he Angry Birds app provides it . A further trend is the growing use of location tracking to enable targeted advertising. In 2014, - Facebook launched Local Awareness ads. Advertisers can target their 25 sers who are near their bu siness. advertisements to u Protections There have been three core strategies used to combat private companies’ collection 8.84. and use of data and to ensure privacy online : individual notice and consent, opting 22 See Facebook’s Data Policy: - info - on - https://www.facebook.com/about/privacy/your other#instantpersonal . 23 “Getting to Know you”, The Economist, 13 September 2014. 24 “Location - tracking: 6 Social App settings to check”, Informa tion Week, 26 August 2014. 25 . awareness See https://www.facebook.com/business/a/local - 158

165 CHAPTER 8: COMPARISONS – PRIVATE SECTOR ACTIVITY wever, these have arguably now out and anonymisation. Ho ch of their lost mu 26 effectiveness. Consent 8.85. The significanc e of online c onsent can easily be over - stated . The issue in the context of social media platforms was examined by the Science and House of Commons Technology Committee. Witnesses observed that signing forms “ is often not an act 27 28 that of informed consent “ people need to know what they are signing up to ”, ”, and 29 Witnesses were particularly critical of the complexity that “ everyone clicks ‘Yes’ ”. 30 of terms and conditions, describing them as “ more complex than Shakespeare ”. a mechanism for showing users have provided The Committee concluded that “As informed consent, so that organisations can process incredibly personal data, terms 31 and conditions contracts are not fit for purpose”. 8.86. In 2014, the Article 29 Working Party suggested that Google amend its priv acy po licy so as to avoid “ indistinct language ” and obtain consent “ in a clear and distinct 32 manner”. A study of Facebook’s 2015 Data Policy concluded that it was unclear “ to what extent user data is shared with other entities such as ‘Facebook Companies’ , ’ and ‘Customers’, nor what the exact identity is of these ‘Third Party Partners 33 entities”. 8.87. There have been some changes: following an ICO investigation and negotiation with Google, which concluded that Google’s privacy policy did not give enough infor mation to customers on how and why their data was collected, the ICO said: “This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they e data across services. It is vital that there is clear and seek to combine and us effective information available to enable users to understand the implications 34 of their data being combined.” Google amended its Privacy Policy in December 2014 and February 2015. 8.88. Yet concerns remain: in 2014 Facebook altered information posted on users’ home pages, and found it could make people feel more positive or negative through a 26 - Schonberger and K. Cukier, Big Data: A Revolution that will transform how we l ive, work and V. Mayer think , 2013. 27 Responsible Use of Data , HC 245 (November 2014) , para 40. 28 Ibid . para 41. 29 Ibid . para 44. 30 Ibid. para 45. Researchers at the University of Nottingham found that Google’s 2013 terms and conditions were more difficult to understand than both Beo wulf and War and Peace. Researchers - used a browser plug in called Literatin to carry out the comparison. See “Google’s terms and conditions are less readable than Beowulf”, The Conversation website, 17 October 2013. 31 Ibid. p.3. 32 cle 29 Data Protection Working Party to Google on Google Privacy Policy and List Letter from the Arti of Possible Compliance Methods, 23 September 2014. 33 B. Van Alsenoy and others, “From social media service to advertising network: A critical analysis of Facebook’s Revised Policies and Terms”, Draft 31/3/15, p.14. 34 - See the press release on the ICO website: https://ico.org.uk/about - the - - and - events/news - and ico/news . investigation/ blogs/2015/01/google - to - change - privacy - policy - after - ico - 159

166 – PRIVATE SECTOR ACTIVITY CHAPTER 8: COMPARISONS emotional contagion ”. The study said altering the news feeds was process of “ “ consistent with Facebook’s data use policy, to which all users agree prior to creating 35 a Facebook account, constituting informed consent for this research”. This generated significant media debate. Opting out 8.89. Opting out of tracking can be a complicated process. For example: (a) to opt out of Facebook’s Custom Audience programme a user needs In order to opt out on each of the websites of the data brokers. If Facebook partners with a new data broker, the same process must be followed. Apple’s Safari Browser is set to block third party cook (b) ies: yet Google was still able to send a third party cookie which operated to allow the DoubleClick cookie 36 to be sent to the user’s browser for part of 2011 and 2012. 37 (c) Some users have found it very difficult to opt out of header enrichment. Running adwar e/spyware removal tools may only be partially effective. (d) More fundamentally, our reliance on the internet, and the near 8.90. - universal use of intrusive techniques, make it a consent to them. As it was lmost impossible to withhold recently put: “It’s not rea sonable to tell people that if they don’t like the data collection, they shouldn’t email, shop online, use Facebook or have a cell phone. I can’t imagine students getting through school anymore without Internet search or afterwards. These are the tools of modern Wikipedia, much less finding a job 38 life.” st So one can opt out of data collection, but only by opting out of 21 century society. Anonymisation 8.91. Private companies are permitted to provide data to third parties without consent as oes not contain personal data, that is, information which allows an long as the data d individual to be identified. They seek to comply by providing anonymised data sets. There are increasing concerns however about the effectiveness of anonymisation techniques. A study of a number of these techniques in 2014 concluded that each 39 meet with certainty the criteria of effective anonymisation ” . failed to “ 8.92. In addition, there are concerns that Big Data techniques renders anonymisation ineffective as a privacy tool: “ Given enou gh data, perfect anonymisation is impossible 35 “Facebook reveals news feed experiment to control emotions”, The Guardian website, 30 June 2014. 36 Vidal - Hall v Google 3. [2015] EWCA Civ 311, para 37 “Somebody’s Already Using Verizon’s ID to Track Users” , ProPublica website, 30 October 2014. 38 B. Schneier, Data and Goliath, 2015, chapter 4. 39 Article 29 Data Protection Working Party, Opinion 5/2014 on Anonymisation Techniques (April 2014). e ICO published a Code of Practice on Anonymisation in 2012 which provides advice on good Th practice. 160

167 CHAPTER 8: COMPARISONS – PRIVATE SECTOR ACTIVITY 40 no matter how hard one tries . In 2008, Netflix released 100 million rental records ” after removing personal identifiers, as part of an attempt to improve its film to de recommendation system. Researchers were able anonymise users by - comparing rankings and time stamps with public rankings and time stamps in the 41 Internet Movie Database. The general picture 8.93. In the words of two commentators: “The problem is that our ability to reveal patterns and new knowledge fr om previously unexamined troves of data is moving faster than our current legal and ethical guidelines can manage. We can now do things that were impossible a few years ago, and we’ve driven off the existing ethical and legal maps. If we fail to preserve the values we care about in our new digital society, then our big data capabilities risk abandoning these values for the sake of 42 innovation and expediency.” They argue elsewhere that “ privacy protections focused on personally identifying information ar e not enough when secondary uses of big data can reverse engineer 43 past, present and even future breaches of privacy, confidentiality and identity .” 8.94. The issue was addressed in John Podesta’s review of the implications of Big Data for 44 4 : President Obama in 201 “It will be especially important to re - examine the traditional notice and consent framework that focuses on obtaining user permission prior to collecting data. While notice and consent remains fundamental in many contexts, it is now ne whether a greater focus on how data is used and reused necessary to exami would be a more productive basis for managing privacy rights in a big data environment. It may be that creating mechanisms for individuals to participate in the use and distribution of his or her i nformation after it is collected is actually a better and more empowering way to allow people to access the benefits that derive from their information. Privacy protections must also evolve in a way ata use.” that accommodates the social good that can come of big d 8.95. The ICO published a paper in 2014 exploring the implications of Big Data for personal 45 privacy. It advised organisations to carry out robust risk assessments regarding the chance of re - identification, in light of the range of data sets availabl e and the power of Big Data analytics. 8.96. Undoubtedly the knowledge about individuals that is available to companies and that is traded amongst them is considerable and largely invisible to the individuals 40 - V. Mayer Big Data: A Revolution that will transform how we live, work and Schonberger and K. Cukier, think , 2013. 41 B. Schneier, , 201 5, chapter 3. Data and Goliath 42 J. King and N. Richards, “What’s Up with Big Data?”, Forbes, 28 March 2014. 43 N. Richards and J. King, “Big Data Ethics”, Wake Forest Law Review, 2014, p.393. 44 Executive Office of the President, Big data: Seizing Opportunities , Preserving Values , (May 2014). 45 , (July 2014). Big Data and data protection 161

168 – PRIVATE SECTOR ACTIVITY CHAPTER 8: COMPARISONS onsent given to data - themselves. There are justified concerns that the c sharing is poorly informed; that the choice given to the customer is limited or unreal; that our desire to use the services freely offered, or to obtain the benefits gained in exchange for our information, is exploited in ways that we cannot necessarily envisage; and that anonymised data, when analysed, can reveal the identity of individuals with a very high degree of certainty. logs and location data Commercial use of web The debate surrounding the collection of comm 8.97. tres around w eb unications data cen logs/urls and location data. It is useful to compare how these categories of data are treated by private companies. IP address/location data Privacy policies often state that the use of websites may convey information about 8.98. can be seen in Google’s privacy policy, which makes clear that Google location. This may use IP addresses, mobile devices, search queries and information from other 46 Facebook’s Data Policy, which uses “ websites to determine location; device locations, including specifi c geographic locations, such as through GPS, Bluetooth or 47 and IP addresses; and Amazon, which automatically collects and analyses WiFi” 48 IP addresses. may receive “ log d ata ” When use is made of Twitter services, Twitter ess and location. Twitter will either remove or delete which includes the user’s IP addr 49 the full IP address after 18 months. W logs /urls eb 50 8.99. and Facebook Google records page requests made, including the requested url; makes clear that it collects information “ when you visit third party s ites and apps that use our services ( like when they offer our Like button or Facebook Log In or use our measurement and advertising services). This includes information about the 52 51 Using Amazon collects and analyses the full url. websites and apps you visit ”. Twitter services may mean details of web pages are received by Twitter. 46 See its Privacy & Terms website: https://www.google.com/policies/technologies/ads/ . 47 See: https://www.facebook.com/full_data_use_policy . 48 According to its website, see: http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=502584#GUID - 76787A77 - 872C - - 4019 8BD7 - 03C8AC3812EB__SECTION_22160257376047E78334D565CD73852D . 49 See Twitter’s Privacy Policy: https://twitter.com/privacy?lang=en 50 See https://www.google.com/intl/en/policies/privacy/key - terms/#toc - terms - server - logs . 51 See https://www.facebook.com/policy.php . 52 As explained at: http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=502584#GUID - 03C8AC3812EB__SECTION_22160257376047E78334D565CD73852D . 76787A77 - 872C - 4019 - 8BD7 - 162

169 – PRIVATE SECTOR ACTIVITY CHAPTER 8: COMPARISONS - Visits to websites with social plug ins The use of plug - ins (8.81 above) automatically s ends information to companies such 8.100. 53 as Facebook, Google and Twitter Research publishe d in March 2015 claimed . 54 that: (a) Facebook sets a cookie on certain non - Facebook pages enabling tracking by social plug - ins even if a user never visits a Facebook page. Information transmitted as a result of cookies can include an IP address, according to 55 F acebook’s Data Policy. hen a logged (b) - in Facebook user visits a site with a Facebook social plug W Facebook receives the url of the web page being visited. (c) When a user logs out of Facebook, Facebook keeps uniquely identifying cookies in the brows er which are used to track these users across the web using social plug ins. - (d) When a Facebook user deactivates an account, Facebook does not remove certain cookies which are used to track these deactivated users across the web using social plug - ins. Public use of commercial data he information given to private sector companies is relevant not only as a T 8.101. comparator, but as a direct contributor – – to law enforcement. or potential contributor As the Director of Europol has claimed: “We know much less than the private sector. All recent cyber crime operations you’ve heard about on the news were launched on the basis of information 56 provided by the private sector.” Two examples are as follows: 8.102. broker to It was reported in 2005 that the FBI was purchasing data from a data (a) help keep track of suspected terrorists. This led to concerns that limitations placed on government to carry out surveillance were being avoided by the use 57 of private companies. It is claimed that the Snowden Documents show that the NSA used G oogle’s (b) Doubleclick service to identify Tor users. GCHQ and the NSA were said to use 53 Pressing the button is not needed: visiting the web page is suffici ent in all three cases. 54 - G. Acar, B. Van Alsenoy, F. Piessons, C. Diaz, B. Preneel, “Facebook Tracking through Social Plug ins”, March 2015, https://securehomes.esat .kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf . Facebook states that this report and/or earlier drafts contain factual inaccuracies: “Facebook hits back at data usage privacy criticisms”, BBC News, 1 April 2015. 55 See https://www.facebook.com/help/cookies/ . 56 R. Wainwright, “Cybercrime and the challenges for law enforcement”, speech to LIBE Committee, European Parliament, 11 November 2014. 57 “FBI, Pentagon pay for access to trove of public recor ds”, Government Executive website, 11 November 2005. 163

170 – PRIVATE SECTOR ACTIVITY CHAPTER 8: COMPARISONS enable remote exploitation ”. It was also said that NSA this information to “ 58 gathered location data from apps to track devices. These examples have led to the claim tha t “ government surveillance piggybacks on corporate 59 .” capabilities This all emphasises the need for independent 8.103. the use of bulk datasets, supervision of as has taken place for several years (though such supervision has only recently been 60 avowed). Relevan ce of private sector activity 8.104. The conduct of private companies cannot excuse the state from protecting the rights of its citizens, however excessive that conduct may seem to some. As an industry voice reminded me: “ The state can arrest you or lock you up ... the worst Google can 61 do is show you an ad”. Safeguards on the exercise of intrusive powers are, for that Private companies have not reason, more important where the state is concerned. 62 to seek constraints on the authority of states to exer cise their powers. been slow 8.105. But in relation to capabilities, a different logic applies. Companies aim to make profits (and may do so by enhancing the convenience of their customers). The state exists for the more fundamental purpose of protecting its citizens fr om threats to their lives and security. Its need for intrusive powers could thus be characterised as more pressing. Furthermore, in the UK at least, substantially more people express concern about the monitoring of their online activity by social media we bsites and search engines than about the activities of either the US or the UK Government: 2.27(a) above. 8.106. Thus : (a) I t may legitimately be asked, if activity of a particular kind is widespread in the private sector, why it should not also be permitted (subject to proper supervision) to public authorities. (b) The extent to which we think it normal to share personal information with private sector providers will in any event tend to condition the terms in which we think about what it is acceptable to allow the state to do on our behalf. 58 “NSA uses Google Cookies to pinpoint targets for hacking”, The Washington Post, 10 December 2013. The issue of whether it is fair to conflate private companies’ activities with government surveillan ce is discussed in the article. One contributor noted “ There’s increasingly a sense that giving consumers control over the information they share with companies is all the more important because you’re giving them control over the information they share w ” ith government. 59 Data and Goliath, 2015, chapter 6. 60 7.69 and 8.26 - 8.29 above; Recommendations 81(b) and 91(d) below. 61 The requirement of consent for private sector intrusion is another distinguishing factor, though its practical value may be doub ted: 8.84 - 8.96 above. 62 The campaign for Global Government Surveillance Reform, supported by a number of large private companies including Google and Facebook, promotes as its first principle: “ Limit governments’ .” authority to collect users’ information 164

171 PART III: PERSPECTIVES AND VISIONS Part III of draws on the the Report (PERSPECTIVES AND VISIONS) submissions and evidence received by the Review in order to summarise the wishes of interested parties.  Chapter 9 (LAW ENFORCEMENT) summarises the requirements of the NCA , police, local authorities and oth er law enforcement bodies. It addresses the utility of interception and communications data for their work and their views on capabilities and safeguards.  Chapter 10 (INTELLIGENCE) summarises the submissions made to the Review by the security and intel li gence agencies: MI6 It explains their views on technological MI5 , . and GCHQ change and encryption, what they say they need to maintain existing access, and their priorities in relation to capabilities and authorisation of warrants.  Chapter 11 (SERVICE P ROVIDERS) summarises the submissions made to the Review by communications service providers, both in the US (regarding cooperation with the UK Government and extraterritorial effect) and in the UK (where there was a strong emphasis on the strengthening of controls . and oversight) Chapter 12 (CIVIL SOCIETY)  summarises the case made to the Review by civil society groups and individuals, some of whom challenged the need for current capabilities and most of whom emphasised what they saw as the need for transpa rency, coherence, clarity and improved scrutiny and safeguards. 165

172 9. LAW ENFORCEMENT Scope and sources This C hapter seeks to summarise the views expressed to me by u sers of intercept ed 9.1. and communications data (other than the security and intelligence agenc ies material , which are covered separately in Chapter 10) . security and intelligence agencies , 9.2. the 600 or so public authorities Leaving aside the communications data comprise: with the power to request (a) the NCA, police forces and other law enforcement agencies, wh ich make the 1 great majority of requests for communications data; (b) some 430 local authorities, which have their own responsibilities for enforcing e.g. trading standards; and other public authorities, ranging from bodies with enforcement powers (e.g. (c) y Commission, Gambling Commission, Ofcom, Financial Conduct Charit Authority, Medicines and Healthcare Products Regulatory Agency, Health and Safety Executive) to the Maritime Coastguard Agency, an occasional user of communications data in the context of saving l ives at sea. 9.3. I refer to these bodies collectively as “ law enforcement ”, though some of them make use of their powers for other purposes. The bodies at (b) and (c) 9.2 above are referred to as “ the minor users ”, since they are currently responsible between them for only a little over 1% of all communications data requests. the security and intelligence 9.4. Of those public authorities, once again leaving aside agencies , five (the NCA, MPS, PSNI, Police Scotland and HMRC) also have the intercept r RIPA Part I Chapter 1 . 2 , 795 intercept ion power to communications unde warrants (and a far greater number of modifications) were approved in 2014, including on application by the security and intelligence agencies : 68% concerned serious crime 2 and 31% were on grounds of national security. 9.5. I received written submissions from each of the intercepting authorities (sometimes, as in the case of the MPS, NCA and Police Scotland, more than once) and from ACPO, the LGA and a number of public authorities with communications data powers. Most of those submissions are confidential, but where I have permission to publish 3 4 I also vi them I have done so /or spoke to many other organisations; sited and and th e Communications Data Strategy Group (which blends UK CSPs and law 1 In 2014, they were responsible for 88.9% of authorisations and notices under RIPA Part I Chapter II, as against 9.8% for the intelligence agencies, 0.4% for local authorities and 0.9% for other public IOCC Report , (March 2015), Figure 7. authorities: 2 ” warrants. Ibid. , Figure 2. The national security warrants however include the 20 s8(4) “ bulk 3 Ofcom (permission granted 2 April) and the ACPO (permission granted 24 April) 4 The Home Office, the NCA, the Metropolitan Police Commissioner, the MP S Assistant Commissioner for Specialist Crime and Operations, the Chief Constable of the PSNI, the National Policing Lead for Communications Data, the MPS Communications Intelligence Unit [CIU] , MPS SO15 Communications Terrorism), Data Communications Group Futures, Data Team (on behalf of police Nation al Counter - Gloucestershire Constabulary, Nottinghamshire Police, the LGA and NAFN. 166

173 CHAPTER 9: LAW ENFORCEMENT Data Communications Group enforcement) and the police executive committee held ely on their priorities. special meetings which enabled me to quiz them extensiv There has been no attempt to formulate uniform views within the law enforcement 9.6. community, or to put such views across to me. Rather, I set out here ideas from a art IV, below). variety of sources, some of which I draw on in my recommendations (P Summary of requirements 9.7. In essence, and subject to the widely understood requirements of necessity and proportionality, law enforcement bodies want the ability to access the communications tions) of anybody within the UK data (or, in serious cases, intercept the communica who may be involved in crime or a threat to public safety, whether as suspect, victim, or witness. When dealing with vulnerable and missing persons, they require the same ability in order to save life and protect people fro m significant harm. Digital polic ing 5 9.8. is applied by the police to the digital world, where The principle of policing by consent it refers to the use of techniques that command general acceptance. I was told that stence of physical no - go zones in towns and just as the public would not accept the exi cities, so they expect the police to have the capacity, in appropriate cases and when duly authorised, to trace any kind of communication. Capabilities 9.9. Law enforcement strongly supports a continuation of data ret ention by CSPs, as now provided for under DRIPA 2014, accepting 12 months routine retention as a proportionate level. 9.10. It is also considered important to have a fully effective means of IP address resolution. CTSA 2015 is regarded as a useful stepping - e in that regard. But it does not fully ston 6 enable IP address resolution, in particular dynamic IP resolution, which requires more data to be retained by service providers , depending on their individual technical mo del . If that resolution could b e achieved by service providers retaining this additional data, incl service providers the destination IP address, law uding for many enforcement would support such a requirement. 9.11. The Communications Data Bill contained provision for the retention of third - party data and for a request filter . Law enforcement still endorse the operational requirements which those provisions were meant to address, but want to engage further with industry on the best ways of meeting them. they think should be that 9.12. The NCA indicated to me a number of other powers considered, including (on a US model) powers to access data flow analysis and to 5 This is a reference to the time - honoured principle, attributed to Sir Robert Peel and contained in the General Instructions issued to new police officers since 1829, that the power of the police “ is dependent on public approval of their existence, actions and behaviour and on their ability to secure and maintain public respect ”. 6 See 4.18 above. 167

174 CHAPTER 9: LAW ENFORCEMENT - obtain the pre emptive seizure of intangible property such as IP addresses and domain names; and a clear enumeration of powers relating to non - notifi cation of subjects and the possible future use by law enforcement of CNE. Some users no 9.13. DWP , and teams within certain local t currently entitled to it ( authorities) would like to see the extension of their powers to cover traffic data where that would enabl e them more effectively to tackle the crimes for which they have investigative responsibility. This was not, however, the position of the LGA when we spoke to its representatives. Authorisation and review 9.14. There is unanimous support for the SPoC arrangements and (among loc al authorities) for the centralisation of those arrangements into NAFN, which some thought could be further extended. There was markedly less enthusiasm for the recently - introdu ced requirement of authorisation by magistrate for communication s data request s, which has also been criticised by IOCCO and the OSC. 9.15. IOCCO is widely praised for its increasingly effective monitoring and for its constructive approach. I received no comments from law enforcement about the systems for parliamentary control or judicia l oversight. Utility of intercept and communications data No intercept as evidence 9.16. The product of UK lawful intercept is only available as an intelligence tool: with limited exceptions, it is not admissible as evidence. Though foreign interlocutors often find it hard to credit, this limitation has survived repeated scrutiny. Part of the reason for this is the extensive disclosure requirement in criminal proceedings: were it sought to rely on the product of intercept conducted over a period of several mon ths, the defence could legitimately request a transcript of the entire intercept product with a view to searching it for exculpatory material. As the latest review put it, unless budgets were increased: t a very large amount of “the increased resource burden would mean either tha other agency activity was dropped to fund intercept as evidence or that 7 – or both.” interception would be available for many fewer investigations 9.17. That extensive review, overseen by a cross - party group of Privy Counsellors under Sir John Chi lcott, led to the Government confirming that there should be no change (at least for now) to the current position. The Security Minister stated that “ [t]he costs of translation, transcription and retention in order to disclose material to the defence woul d be substantial, diverting considerable resources away from investigative work ”, that “ the benefits – measured in additional convictions – would be highly uncertain ” and that “ the costs and risks of introducing intercept as evidence are disproportionate 7 989, (December 2014) . Intercept as Evidence Cm 8 168

175 CHAPTER 9: LAW ENFORCEMENT 8 o the assessed benefits That statement echoed the conclusions of seven previous t ”. reviews since 1993, and is accepted by law enforcement. 9.18. This important limitation (which it is not within my remit to revisit) places a premium tent by othe r means: e.g. by interrogating devices and by applications on obtaining con to a court for stored communications. The content of communications taken from a computer or phone may be and commonly is deployed in evidence, as indeed foreign Crown Prose [CPS] point out that the bar on the intercept may be. The cution Service use of intercepted material places further emphasis on the use of communications 9 data to secure convictions. Utility of interception 9.19. The relative impact of interception is probably in decline, as communi cations data become more abundant, criminals become more security - aware and communications - migrate to internet based apps, managed by providers in other countries in which Interception is there fore interception by UK authorities may not be a realistic option. subject of authorisation at 9.90 used only in the most serious cases. I return to the below. 9.20. But interception can still be of vital importance for intelligence, for disruption , and for to this the detection and investigation of crime. Some examples are give Annex 8 n at Report . Interception warrants are issued to assist in dealing with serious crime at an average rate of about five a day. The lead in developing and maintaining interception deal in C hapter 10 capability is with NTAC, part of GCHQ, wi th whose concerns I below. Utility of communications data The great majority of communications data use is for the prevention or detection of 9.21. 10 crime, or the prevention of disorder. Other than national security, the next most used statutory purpose is the e mergency prevention of death or injury, for example in the case of a kidnap or missing person. 9.22. The significance of messaging and social media in terrorism prosecutions is immense. The reviewed a snapshot of recent prosecutions for terrorist offences and CPS concluded that in 26 recent cases, of which 17 have concluded with a conviction, 23 could not have been pursued without communications data and in 11 cases the 11 conviction depended on that data. Securing reliable access to communications data was also 9.23. described to me as a necessary part of the fight against online crime (including child sexual exploitation and fraud) and a staple of investigations into serious and organised crime. I was told t hat was “ an essential tool in investiga communications data ting even the minor volume 8 Intercept as Evidence: Written Statement (James Brokenshire MP, 17 December 2014, HCWS124). 9 Evidence to the Review, April 2015. 10 78.5%, as against 15% for national security, 6% for the emergency prevention of death or injury and 0.5% for others (including tax, public health and investigating miscarriages of justice) IOCC Report (April 2014), Figure 8. 11 Evidence to the Review dated 1 October 2014. 169

176 CHAPTER 9: LAW ENFORCEMENT 12 ”. Police crimes that are key indicators of police performance and public confidence Scotland pointed out that it “ directly affected the outcome ... establishing the ll “ threat to life ” incidents whereabouts of individuals and saving lives ” in over half of a 13 in Scotland in the latest three - month period. 9.24. Both in the context of this Review and in my capacity as Independent Reviewer of Terrorism Legislation, I have acquired some familiarity with the resourcefulness and knowhow tha t are deployed in these contexts. Communications data are frequently used in the course of fast - moving operations, in which access will often be needed to Some of this work is highly resource - data in something close to real time. intensive, and depends o n very quick decision - making by highly skilled experts: (a) An example, which I observed on a visit to the MPS’ SPoC was an unfolding kidnap investigation in which requests for communications data were being rpetrators’ movements and made every few minutes in an effort to detect the pe contacts; wing I was taken in detail through a five - week investigation, led by the CIU, follo (b) risk - child had gone missing. It progressed from being a high a report that a missing person investigation to kidnap, murder and ultimate ly a manhunt and arrest. Five SPoCs were dedicated to the investigation, day and night, throughout the five weeks. More than 30 UK service providers and several foreign law enforcement agencies were engaged, and more than 900 RIPA ions data were generated in an investigation where requests for communicat quick reactions and flexible procedures were at a premium. The CPS has illustrated for me, by reference to 30 terrorism prosecutions, the (c) secution of central role that digital policing has in the investigation and pro terrorism offences. The ability to extract evidence from social media and - aware individual is exemplified by the recent messaging relating to a security conviction of Imran Khawaja, a British fighter and propagandist for ISIL in 14 Syria. The N CA illustrated the importance of retained communications data to (d) establishing who was involved in a conspiracy, helping to ensure that leading members are identified and convicted. Attique Sami was sentenced to 19 years in March 2015 for conspiracy to sup ply and import Class A drugs, some 238kg of heroin with a street value of £38m. Crucial to his conviction was the use of retained communications data to identify that he had organised a meeting of the co - conspirators because, although the meeting was unde r surveillance, his presence there had not been identified. 12 Submission of PSNI to the Review, November 2014. 13 Evidence of DCC Iain Livingstone, April 2015. 14 Sentencing remarks of Mr Justice Jeremy Baker in R v Khawaja, Bhatti and Ali at Woolwich Crown Court, 6 February 2015, accessible at https://www.judiciary.gov.uk/wp - remarks1.pdf content/uploads/2015/02/khawaja - sentencing - . Further detailed evidence prepared for me by the CPS was cleared for use too late for inclusion in this Report. 170

177 CHAPTER 9: LAW ENFORCEMENT Though the use of communications data is particularly prominent in online crime such 9.25. as fraud and child sexual exploitation, I have been shown examples of it also in e.g. kidnap for ransom, blackmail), trafficking (whether of relation to crimes in action ( people, drugs or weapons), crimes of violence (when communications data can corroborate new information, often some time after the event), harassment and malicious communications. As the National Policing Lead for communications data put it to me: “ Cybercrime is not solely the responsibility of specialist units, but is a 15 growing general policing challenge. ” 9.26. C ommunications data may also be needed in order to meet public expectations that the polic level crimes. Thus, where someone e will be able to solve even relatively low - has their mountain bike stolen and sees it advertised for sale on an online marketplace such as Gumtree, investigators may need to apply, as a minimum, for subscriber informatio n to pursue the case. 9.27. Where ordinary policing is concerned, and still more so in the case of many minor users, it is generally accepted that much remains to be done in ensuring that existing capabilities are used to the full. Gaps in the existing law, and the authorisation procedures required in particular of local authorities, are also said to stand in the way of a more effective response to the threat. It was noted that although the IOCC expressed the tentative view in 2014 that more than 500,000 author isations and 16 notices “ has the feel of being too many ”, his subsequent rigorous inquiry into whether there was significant institutional overuse of the powers concluded that there 17 was not. 9.28. Of central importance, I was told, was the ability to use communi cations data (subject to necessity and proportionality) for: (a) linking an individual to an account or action (e.g. visiting a website, sending an email) through IP resolution; establishing a person’s whereabouts, traditionally via cell site or GPRS data; (b) tablishing how suspects or victims are communicating (i.e, via which es (c) applications or services); observing online criminality (e.g. which websites are being visited for the (d) purposes of terrorism, child sexual exploitation or purchases of firearms or drugs); and illegal (e) exploiting data (e.g. to identify where, when and with whom or what someone was communicating, how malware or a denial of service attack was delivered, and to corroborate other evidence). 15 Submission of Richard Berry, National Pol icing Lead for Communications Data, to the Review, 29 September 2014. 16 IOCC Report , (April 2014), para 4.28. 17 IOCC Report , (March 2015), para 7.94. He did however find some examples of the powers being used improperly or unnecessarily. 171

178 CHAPTER 9: LAW ENFORCEMENT 9.29. These requirements have not changed substantially sinc e 2012, when the Communications Data Bill was proposed. But I was told that law enforcement has an improved understanding of how difficult it can be to achieve them, and of the technical issues involved. It has recognised, in particular, that in order to maintain efficacy in a digital world, the approach in any new law has so far as possible to be flexible and pragmatic rather than prescriptive. 9.30. Law enforcement argues that communications data provision is much less intrusive than: other surveillance metho ds (such as interception, directed surveillance (a) intrusive surveillance and the use of CHIS); and (b) evidential powers under PACE of search, seizure and interrogation. All of these might only result in obtaining the same level of understanding about a suspect and those involved in a crime. Use of communications data can build a case for using a more intrusive measure, or deliver the information that makes other measures unnecessary. It can, and does, exonerate innocent people without them needing to know tha t they were ever under suspicion. Its marginal cost is low; it can be started, changed and stopped easily; it involves a low risk of compromising an investigation by being discovered by the suspects; and it is able to be used much more widely than other f orms of surveillance. digital witness ” sums up the approach of law enforcement to the use of 9.31. The phrase “ their powers. Just as it is expected practice for the police to seek the human witnesses to any ev ent that they are investigating, so they argue that they would be failing in were they not to seek the digital evidence that relates to a crime or other their duty For example, in a recent case of serial stranger rape presented on the allegation. BBC Crimewatch programme, the crimes took place in locations where there was no CCTV and away from residential areas. A key line of enquiry was to consider CD and digital options (including traffic data) to locate the victim, potential witnesses and ble suspects. possi 9.32. Communications data has long been an essential part of many prosecutions: there can have been few organised crime cases in which phone logs were not adduced in order to establish a pattern of communications between conspirators. Nor, even, i s the ability to trace the location from which a call was made entirely novel: fixed lines have always been in known locations. The NCA and police see their current powers as, in large part, a translation of that well established resource into the current age. - Indeed they fear its dilution, as explained below. Capabilities: intercept ion 9.33. The capability to intercept communications is uncontroversial . But the point was made to me by SO15, and to a lesser extent by the NCA, that current warrantry requirement s were very inflexible: “ so many pieces of paper on the same target : different routes, ”. There was support for different authorisation levels, not much flexibility of timescale on the greater use of dual warrants, or thematic warrants, or warrants more focussed 172

179 CHAPTER 9: LAW ENFORCEMENT level of crime being investigated than on the specific technique that it was proposed to use at any given time. Capabilities: communications data Perception of the problem Law enforcement view themselves as engaged in a difficult struggle with seri ous and 9.34. organised criminals and terrorists, a struggle in which their opponents hold many of the advantages. Increasing numbers of their targets are employing techniques such 18 as Tor, PGP and VPN to ensure their anonymity: they can be hard to discover, an d communications data can be an important part of the answer. 9.35. The National Policing Lead singled out IMS (see 4.16 above) as a particularly significant challenge to future capabilities. He also told me that it was becoming more difficult to attribute a de vice to a person, to discover the true user of an identifier, to identify the location of a device at the time of use or when trying to locate a victim, to identify which service has recorded some of the data, to separate CD and intercept 19 nalyse without bulk machine - based techniques. material and to a 9.36. As a senior counter - terrorism officer put it to me: “ We have had 15 years of digital coverage being the main thing – a golden period. But the way people run their lives is not so accessible to us now. ” Human surveillance and use of CHIS were not seen as effective substitutes. As the National Policing Lead emphasised, the alternatives to the use of communications data tend to be more intrusive and to carry both a higher associated cost (in equipment and workf orce deployment) and a higher risk to those deployed. fated attempt - 9.37. No one sought to quantify for me the shortfall in information, after an ill 20 to do so in 2012. I was told that law enforcement only records what it can use and access, not what it cannot. But in summary, it has access to a decreasing proportion of an increasing quantity of digital information. Some specific business, technical and legal ris ks were identified, including: 9.38. (a) the reduction in the routine retention of communications data by serv ice providers for business purposes (because, for example, inclusive tariffs make it unnecessary to keep details of every call made); (b) the growth in OTT services , typically provided from outside the UK and through service providers who may be less willing o r able to cooperate; (c) resolving IP addresses (i.e. attributing an action on the internet, difficulties in including sending an email, to a particular device); and 18 4.46 and 4.65 - 4.68 above. 19 Submission to the Review of Richard Berry, National Policing Lead for Communications Data, 29 September 2014. 20 36. - JCDCDB Report, paras 34 173

180 CHAPTER 9: LAW ENFORCEMENT the Digital Rights Ireland (d) judgment, which appears to place limits on the powers of EU Member States to practise data retention, and even to revive the debate over whether a data preservation model (as used in Germany, and under which data are retained only on limited categories of person) should be used instead. Legislative solution 9.39. The policy de bate is thus a particularly difficult and delicate one. Existing powers are perceived as being under technological and legal threat, just as the law enforcement case for adding to them (running, they would say, to stay still) is growing in force. But it is fair to say that whilst both police and NCA see the need for change, neither has expressed to me a clear view on the form that any new powers should take. They say d that it is their role to outline operational requirements against which Parliament shoul consider what powers are needed. 9.40. Limited consultation leading up to the Communications Data Bill 2012, and a further two years since early 2013 in which political disagreements made it impossible to take things farther, leave an uncertain position which I attempt to describe but which can only be resolved by further intensive consultations between Government, law enforcement and service providers. 9.41. The debate concerning communications data capabilities may be organised under five overlapping heads: data re tention, IP resolution, web logs/destination IP I summarise the position of law addresses, third party data and the search filter . enforcement on each of these, before addressing some further capability matters that the NCA raised with me during the cours e of the Review . Both police and the NCA were keen to emphasise that they want to work with industry 9.42. to identify solutions that would meet their investigatory requirements in a way that de data retention could inform legislation. Those requirements are very likely to inclu and IP resolution, but in other respects may or may not fall under the same headings as the 2012 Bill. As the MPS put it to me: technology - centric’ approach may assist in ensuring flexibility and “a less ‘ 21 agility in meeting our future ca pability requirements.” Data retention 9.43. Successive UK Governments have supported the compulsory retention of 22 The principle that communications data communications data by service providers. generated by service providers should be required to be retained by UK service , ( and previously by providers for a certain period, as provided for in DRIPA 2014 s1 ) the EU Data Retention Directive of 2006 , passed through Parliament with few 21 Evidence to the Review, April 2015. 22 ward the original proposal for the mandatory The UK was one of four Member States that put for retention of data in 2004, and used its Presidency of the EU to prioritise the draft EU Data Retention Directive in the months after the London bombings of July 2005: JCDCDB Report, para 4. 174

181 CHAPTER 9: LAW ENFORCEMENT 23 lties in July 2014, deration. though with a sunset clause t o require further consi difficu has the strong support of law enforcement. It 9.44. In 9.21 - 9.32 above, I explained why the police and CPS consider communications data in general to be essential for the fight against crime . T he specif ic role of retained data in investigations into sexual offences, terrorism, drugs, homicide, firearms and explosives Annex 10 to this Report . is explained at The police and CPS make three other points in this regard: 9.45. (a) Conspirators become more guarded in their use of communications as the moment of a cri me approaches. Older data may therefore be the best evidence against them. (b) It may be relatively easy to arrest the minor players in a drugs importation or smuggling ring. But by going through their historic communications data, it may become possible to trace the bigger players who have taken care to remain in the background. (c) A time lapse between the incident and the identification of a suspect will mean that old data is needed. K. In Data retention is also seen as an imperative by law enforcement outside the U 9.46. a presentation to the European Parliament Committee on Civil Liberties, Justice and Home Aff the Director of Europol, said that “ without data retention law airs last year, ”, adding: the police will not be able to catch criminals harming our society Ask yourself what the end of data retention would mean in concrete terms? It “ would mean that communication data that could have solved a murder or 24 exonerate a suspect is simply deleted and no longer available.” 9.47. DG Home at the European Commission has draw n attention to the negative consequences for law enforcement in countries such as Germany and the Czech 25 As the Commission noted in 2014: Republic where data retention has ended. “Member States have generally reported that retained data is very valuable, and in some cases indispensable, for preventing and combating crime, for protecting victims and for the acquittal of the innocent in criminal cases. ... Data retention enables the construction of trails of evidence leading up to an to discern or corroborate other forms of evidence on the offence. It also helps activities of and links between suspects and victims. In the absence of forensic 23 The maximum per iod is set at 12 months under DRIPA 2014 s1(5). 24 R. Wainwright, Presentation to European Parliament Committee on Civil Liberties, Justice and Home Affairs, 11 November 2014. 25 DG Home European Commission, Evidence for necessity of data retention in the EU , (March 2013) which can be accessed at: affairs/pdf/policies/police_cooperation/evidence_en.pdf . http://ec.europa.eu/dgs/home - 175

182 CHAPTER 9: LAW ENFORCEMENT or eye witness evidence, data retention is often the only way to start a criminal investigation. Generally, data re tention appears to play a central role in criminal investigation even if it is not always possible to isolate and quantify the impact 26 of a particular form of evidence in a given case.” Even the CJEU, which invalidated the EU Data Retention Directive in Ap ril 2014, a valuable tool for criminal described data retained under the Directive as “ investigations ”. The court which rendered the Dutch data retention law inoperable in the detection of certain types of crimes rely almost exclusi vely March 2015 added that “ 27 on the use of historical telecommunications data ”. IP resolution In CTSA 2015 Part 3, Parliament extended the scope of compulsory data retention by 9.48. service providers to include the data that are needed to link an IP address with the sing that address at a particular time. The issue was explained as device that was u follows in the Explanatory Notes to the Bill: “[IP] address resolution is the ability to identify who in the real world was using an IP address at a given point in time. An IP address is automatically allocated by a network provider to a customer’s internet connection, so that communications can be routed backwards and forwards to the customer. [CSPs] may share IP addresses between multiple users. The providers generally have no business 28 purpose for keeping a log of who used each address at a specific point in time.” 9.49. There was unanimous support from law enforcement for this change. The data that must now be retained are communications data that relate to an internet access Fi) or an internet service (e.g. home broadband, mobile internet or public W i communications service (e.g. internet telephony, internet email, instant messaging), and that: “may be used to identify, or assist in identifying, which [IP] address, or other identifier, bel ongs to the sender or recipient of a communication (whether or 29 not a person)”. There is however an exception, which was explained as follows in the Explanatory Notes: “ Subsection (3)(c) specifically prevents a telecommunications operator providing an int ernet access service from retaining under this legislation data 26 European Commission , “Frequently asked questions: the Data Retention Directive”, (April 2014). 27 See 5.62 and 5.67, above. 28 Counter - Terrorism and Security Bill, Explanatory Notes, November 2014, para 121. 29 CTSA 2015 s21(3)(b). In the words of the Explanatory Notes of 8 January 2015: “ Such data could include data required to identify the sender or recipient of a communication (which could be a person or a device), the time or duration of a communication, the type, method or pattern of a communication (e.g. the protoc ol used to send an email), the telecommunications system used or the location of such a telecommunications system that the person was communicating from. An IP address can often be shared by hundreds of people at once – in order to resolve an IP address t o an individual other data (“other identifier” in this clause) would be required. Data necessary for the resolution of IP addresses could include port numbers or MAC (media access control) addresses .” 176

183 CHAPTER 9: LAW ENFORCEMENT that explicitly identifies the internet communications service or websites a user of the service has accessed. This type of data is sometimes referred to as web logs.” n its description) remains controversial, as discussed below. That exception (and eve 9.50. The utility of the new requirement may be demonstrated by the scenario in which the police get hold of a server that was used to host criminal activity. They can retrieve the IP addresses that contacted it; but without the ability to resolve IP addresses which may have been used over time by more than one device, will not know the specific computer or phone that was using each address at the time when contact was made. 9.51. lcome CTSA 2015 Part 3, believe that it will have some Law enforcement bodies we independent utility in resolving IP addresses, and want an equivalent provision to be introduced after the end of 2016. They also emphasise however that it is no more - stone. Some CSPs than a stepping , particularly, those using dynamic IP addresses such as mobile phone operators, require destination IP as well as sender IP to match up who is involved in an action. There is a strong belief that the exclusion in CTSA 2015 s21(3)(c) may need to be revisi ted if reliable IP resolution is to be achieved. But as explained below, this does not necessarily mean that law enforcement bodies want any more than is needed to maintain their operational capabilities. Web logs / destination IP 9.52. The Home Office explain ed to the JCDCDB that it wanted law enforcement to be able to access “ two specific types of data: subscriber data relating to IP addresses and 30 ”. The retention of the former has been provided for by CTSA 2015 s21(3): web logs but for the time being at lea mpulsory retention of web st, the same Act excludes the co logs (see 9.49 above). and What is meant by web log in this context has caused some uncertainty, 9.53. m I have spoken criticise the term, and those who use it, independent experts to who on the basis of i mprecision (as well as the inapplicability of the term to non web based - ut the Home Office has provided me with this definition: services). B “ Weblogs are a record of the interaction that a user of the internet has with other computers connected to the int ernet. This will include websites visited up to the first ‘/’ of its [url] , but not a detailed record of all web pages that a user has accessed. This record will contain times of contacts and the addresses of 31 ntact occurred .” the other computers or services with which co 9.54. Under this definition a web log would reveal that a user has visited e.g. 32 www.google .com or www.bbc .co.uk , but not the specific page. It could also of 30 JCDCDB Report, para 73. 31 Evidence to the Review, March 2015. 32 Even so, this is not straightforward. CSPs’ networks are all built and configured differently and there are many datasets which could be used directly or indirectly to identify the services or sites accessed by a customer. The Home Office has indicated that such data could include but is not limited to:  url addresses : Under the current accepted distinction between content and CD, www.bbc.co.uk would www.bbc.co.uk/sport would be content; and this is set out in the be communications data while 177

184 CHAPTER 9: LAW ENFORCEMENT ography course reveal, as critics of the proposal point out, that a user has visited a porn site, or a site for sufferers of a particular medical condition , though the Home Office ng history, see further tell me that it is in practice very difficult to piece together a browsi - below. 1 4 14.38 .23 lth countries in which service I am not aware of other European or Commonwea 9.55. providers are compelled to retain their customers’ web logs for inspection by law enforcement. I was told by law enforcement both in Canada and in the US that there would be constitutional difficulties in such a proposal. T he new Australian data retention law is drafted in such a way as to ensure that “ service providers cannot be 33 ”. required to keep information about a subscriber’s web browsing history 9.56. The Communications Data Bill proposed the compulsory retention of web log s, but foundered on disagreements within the coalition Government on whether such a provision would intrude too far into privacy, particularly in view of the possible risk that 34 ”. web log data “ may be hacked into or may fall inadvertently into the wrong hands The JCDCDB expressed no view on the policy issue, concluding that it was for Parliament to decide where to strike the balance, and urging the Home Office also to consider: “whether it would be technically and operationally feasible, and cost effective , to require CSPs to keep web logs only on certain types of web services where 35 those services enable communications between individuals ”. In the meantime, and pending reconsideration of the law which is set to expire at the 9.57. 36 end of 2016, the retention of w eb logs has been expressly prohibited by CTSA 2015. 9.58. The law enforcement bodies which spoke to me required the ability to resolve IP some addresses, but were unwilling to be prescriptive about how this could best be achieved. It was recognised that some servi ce providers may require destination IP – for example sport.bbc.co.uk Acquisition Code. However there are arbitrary elements to that definition (no ‘www.’) takes you to the same place as . www.bbc.co.uk/sport  have an IP address. In terms of a technical Destination IP address : All devices connected to the internet hierarchy, these sit below the url address, allowing the url to function, and are also used for more than just web surfing. A log of IP addresses can tell you what websites and individual has viewed but some s ervices (e.g. Google) are hosted on multiple IP addresses while some IP addresses may host more than one website. A log of IP addresses can also tell what communication apps/services an individual has accessed e.g. Whatsapp or Facebook Messenger. Apps an d services do not generally have url addresses. A DNS (domain name system) translates a domain within a url addresses (typed by  DNS server logs: average web browsers) into the IP addresses used by a computer to make the connection. to The se are machine  http ‘GET’ messages: - machine messages that facilitate the transfer of information - when viewing web pages  IP service use data (summarised service use/category information, frequently derived from network management systems) CSPs can profile customers’ web hist ory using network management systems, for example by comparing a customer’s browsing history against pre - set parameters to define the types of services they have been accessing. 33 Telecommunications (Intercept and Access) Amendment (Data Retention) Act 2 015, s187A(4)(b), excludes from the retention obligation information obtained by the service provider as a result of providing the service “ that states an address to which a communication was sent on the internet, from a telecommunications device, using an internet access service provided by the service provider ”. 34 JCDCDB Report, para 86. 35 Ibid. , para 88. 36 s21(3)(c). CTSA 2015 178

185 CHAPTER 9: LAW ENFORCEMENT addresses for the purposes of resolution, but the view was expressed that destination IP addresses are less intrusive than s and that service providers which do not web log e purpose of resolution should not be require even destination IP addresses for th obliged to keep them. Others emphasised t he point that the compulsory retention of web browsing history 9.59. could have advantages for law enforcement. As well as assisting in the resolution of IP addresses, it could: (a) y communications sites that have been used by a particular device, identif thus enabling further enquiries to be carried out to establish details of their communications through those sites; and (b) more broadly still, identify sites visited which might be suggestive or corroborative of criminality : for example, sites associated with terrorism, 37 paedophilia or the sale of counterfeit goods. 9.60. But it is widely accepted within the law enforcement community that: (a) web log s would be potentially int rusive; the compulsory retention of (b) the political environment (not to mention the legal environment: Digital Rights Ireland ) may not be conducive to the imposition of such an extensive obligation; and that (c) there would be expense and complexity involved in making these changes (not le ast in terms of training staff within law enforcement), that would only be justified if any new power were to be extensively used. 9.61. In short, it was not submitted to me, as it was in 2012 to the JCDCDB, that “ access to 38 weblogs is essential for a wide rang IP resolution is seen as e of investigations ”. vital, both from IP addresses t clear from my t was o individuals and vice versa; and i conversations with the most senior officers that law enforcement does want a record interaction with the internet to which i t can obtain access. to exist of an individual’s Ultimately it would argue for the retention of web logs, subject to safeguards to be ined by Parliament, if this was identifi determ operational ed as the best way to meet its needs. But it would expect all avenues to be explored before reaching a final view on the best solution. Third - party data retention 9.62. The draft Communications Data Bill in 2012 provided for UK CSPs to be required to - party data, i.e. communications b eing sent over the network retain and disclose third of a UK CSP, where the third party would not comply with the requirement to disclose the data. This was in the expectation that some overseas service providers would not cooperate with requests from UK authorities and that there fore a back - up capability 37 The MPS also told me, in April 2015, that web logs “ may assist in discovering on line bookings for travel (assist survei llance), interest in property purchase (asset recovery) or financial dealings (evidence of principal offence or criminal asset recovery )”: a very broad range of sites indeed. 38 JCDCDB Report, para 85. 179

186 CHAPTER 9: LAW ENFORCEMENT the Home was needed. The Home Office gave an oral commitment to UK CSPs that “ Secretary will invoke the third party provisions only after the original data holder has 39 been approached and all other avenues have been exhausted ”. U K CSPs were described by the JCDCDB as “ rightly very nervous about these 9.63. 40 ”, and remain sceptical . The Government made a commitment that UK provisions CSPs would not be required to store or decrypt any encrypted communications. But the routine encryption of communications has increased significantly since 2012: though it is still not universal, sophisticated encryption is used by a growing number of drug traffickers, fraudsters and child sex offenders. Given doubts as to whether 41 ta could be retrieved from encrypted services, valuable communications da the utility - - Snowden world, particularly in of this proposal needs to be re assessed for a post 42 view of its high anticipated cost. 9.64. Law enforcement bodies generally support the views of the UK CSPs in looking primarily for fuller cooperation from overseas service providers as a solution to the problem of combating criminals who use their services, whilst understanding that this will not always be possible and that the Government needs to stay alert to other sibilities. Law enforcement is also conscious that the proposal of third party data pos retention was a particularly expensive one, and that its utility will be peculiarly susceptible to technological developments. It may therefore be that this aspect of the Communications Data Bill is no longer judged to be the priority that it once was, even within the law enforcement community. I would note, finally, that once again the compulsory retention of such data is excluded in the new Australian data retention 43 law . Request Filter ”, which would in effect allow a request filter The 2012 Bill made provision for a “ 9.65. complex search of all companies’ retained data to be made following a single request. This, it was said, would speed up investigations, minimise collate ral intrusion and reduce error. It would also have made a devolved system in which the service providers each retain their own subscribers’ data into something closer to the central 44 database that was originally envisaged in 2008, though the security adva ntages of locating the data in different places would still have been maintained. 9.66. A typical scenario for the use of a request filter would be where an investigator needed to establish a connection between people and events, which currently would involve king service providers separately for the data on many individuals to establish who as 39 Ibid. , para 109. 40 . Ibid 41 Ibid. , para 93. 42 Total anticipated economic costs of the Communications Data Bill over the 10 years from 2011/12 were estimated by the Government as £1.8 billion: the JCDCDB Report agreed with Microsoft that this cost was likely to “ have multiplied grotesquely ” (para 258). 43 Service providers are not required to keep “information or documents about communications that pass ‘over the top’ of the underlying service they provide, and that are being carried by means of other services operated by other service providers”: note to Telecommunications (Intercept and Access) Amendment (Data Retention) Act 2015, s187A(4)(c). 44 The then Government planned to require communications data to be stored for a year in a single - built database: see JCDCDB Report, para 5. purpose 180

187 CHAPTER 9: LAW ENFORCEMENT was involved in common. With an effective request filter, it would be necessary only to formulate a single, less intrusive search criterion (e.g., “ Find the devices that w ere 45 ”). in cell site area 1 on one date and in cell site area 2 on a different date Only the data of those meeting the complex search criteria would be provided to the investigator. CD Bill in general 9.67. In relation to the unenacted parts of the Communicatio ns Data Bill more generally, I am conscious that: There has (because of the political impasse) been very little consultation (a) between Government, law enforcement and service providers for more than 46 two years. text of the revised draft Bill (b) articular, the CSPs have not been shown the In p that was prepared in early 2013; the NCA does not believe it has seen the final draft text; and I was myself refused permission to share it (or even a summary of it) with them. (c) Technology has moved on since late 2012, as (si nce Digital Rights Ireland ) has the legal position. (d) Law enforcement itself wishes to reserve its detailed position on these proposals pending further discussions with a Government that has a political mandate to take it forward. Other capabilities The NCA identified to me a number of other capabilities for consideration. They did 9.68. so in response to my own questioning, initially of front - line investigators. These ideas Review - were formulated only late in the course of the , and it was not possible to road st them with other i te might usefully be considered, in any nterlocutors. Nonetheless, it reformulation of the law, whether it would be advantageous to provide for them. 9.69. Data flow analysis (via network protocols such as the Cisco Systems product, Netflow) is conducted by CSPs in order to ensure that their routers are operating properly and efficiently by the analysis, or sample analysis, of packets passing through them. That process analyses the attributes of each packet, including for example the source and destination IP addresses, and records may be retained by CSPs for a few days. They could be useful to law enforcement in a number of respects: for example in identifying the source or route of a denial of service attack, or malware. 9.70. Under US legislation governing “ pen register ” and “ trap and trace ”, a company may be asked to hand over information about a user’s communications (dialling, routing, 45 I was g iven the example of a “ three - scene murder ” (murder site, body deposition site and location of the burnt - out car used in the murder), in which the question could have been “ Which device was at all three sites between given dates and times ?”. 46 lso criticised the consultation process prior to 2012: JCDCDB Report, para 56. The JCDCDB a 181

188 CHAPTER 9: LAW ENFORCEMENT addressing and signalling information) in real time. The NCA believe that a similar power could he UK . be useful in t US law provides, secondly, for the pre - emptive seizure of intangible property 9.71. , by court order, so that control of it can be handed to law enforcement to use as if it is the of owner. Seizure of an IP address or domain name being used for the purposes crime (spreading malware, redirecting stolen data or hosting criminal forums) enables 47 it to be redirected to a sinkhole or to a web page used for public information and crime prevention or mitigation. 9.72. The only power which might permit such action under , the Serious Crime UK law Prevention Order, is seen as a severe and cumbersome order, time - consuming to obtain, which would inflict undesirable stigma on any service provider to whom it was 48 directed. which the lack of an I have been briefed on an international operation in easily - available seizure order handicapped the NCA’s efforts in relation to a botnet 49 The point was also made to me that since the MLAT procedure used for bank fraud. cannot be used to request another country to take action that is no t available in the UK, the NCA lacks the ability to request a sinkhole from the US. 9.73. A third concern relates to user notification . An increasing number of US service providers have a policy of notifying users before they disclose any information to law enf orcement, unless they are legally prevented from doing so, in order to allow the user to file an objection if so advised. The NCA has no objection in notification taking place, save in cases where it will hinder or undermine an investigation. In such cas es, however, I am told that the NCA has withdrawn requests rather than facing the consequence of notification. The NCA and the police consider that it would be prudent on to have specific legislative provision in place so that an order prohibiting notificati could be obtained if appropriate. divergent and rapidly - changing policies 9.74. Fourthly, the NCA draws attention to the operated by overseas service providers in relation to the provision of communications ever - changing technic al, jurisdictional and policy mish - data: what it describes as an “ mash ”. This causes much time to be devoted to tailoring a request correctly, and risks resulting in the excessive acquisition of data, which is an “ ” under the Code of error 50 Practice. The NCA proposes that there should be an obligation on service providers operating in the UK to provide regularly - updated information on what data they will routinely provide to UK law enforcement, even if their position is that this is carried out on a voluntary basis. It is also suggeste d that UK legislation needs to allow more flexibility in how it refers to categories of data, including for example an allowance for basic data package the “ ” that service providers retain on their users. 9.75. CNE . It considers that targeted CNE Finally, the NCA raised with me the practice of could give the whole communications picture of a subject at the early stage of an 47 Sinkholing is the redirection of traffic from its intended destination to one specified by the sinkhole owners (in this case, law enforcement). 48 Serious Crime Act 2007, s s1 and 41, Schedules 1 and 2. I am told that the only successful application to date, against a major drug trafficker, took three months to obtain. 49 A botnet is a large number of compromised computers that is used e.g. to generate spam, relay viruses or cause a network to fail. 50 Acquisition Code, para 6.17. 182

189 CHAPTER 9: LAW ENFORCEMENT investigation, allowing a more targeted approach to those involved in the most serious criminality, and ensuring that those who adopt advance d encryption technologies remain within the reach of the law. For their part, the police consider that, in an increasingly cyber - enabled environment, the need for them to use CNE is inevitable. A debate is clearly needed as to how law enforcement can best 9.76. utilise CNE and what safeguards should apply. Minor users 9.77. Local authorities are treated as the poor relations of law enforcement. They have to operate with a more elaborate authorisation procedure (after some well - publicised instances of the self - author ised use of surveillance powers in circumstances that 51 seemed disproportionate). Yet they manage large areas of responsibility, including - tenancy fraud, benefit fraud and e crime in the trading standards context, with diminished resources and fewer powers than most other public authorities. 9.78. Three issues arise in relation to the local authorities and the other minor users of RIPA communications data powers ( above): as defined at 9.3 (a) Who should have the powers? (b) What powers should they have? PA powers? RI (c) What about non - Who should have the powers? Not every public authority with powers to request communications data uses those 9.79. powers. Indeed IOCCO reports that: (a) 40% of the public authorities that have powers to acquire communications data powers. These are largely district councils which will have never used their - hat are have had access to non RIPA powers for their benefit fraud functions t now transferring to DWP; and that 52 of the 13 public authorities which had their powers removed in February 2015 , (b) only fou r had never used them and the remaining nine had collectively 53 approved 103 applications for communications data in 2014. 9.80. The minor users from which I have heard all wish to maintain their powers. In common f communications data allows them to with the police, they find that only the use o identify subjects in some cases: 51 Directed surveillance, in particular, appears to have been used in relation to dog fouling, school catchment areas and the misuse of a disabled parking badge: “Spy law ‘used in dog fouling war” , BBC News website, 27 April 2008. Both the Conservative and Liberal Democrat manifestos in 2010 contained commitments to curb councils’ powers. 52 SI 2015/228. 53 IOCC Report , (March 2015), para 7.10. 183

190 CHAPTER 9: LAW ENFORCEMENT (a) A mobile phone number may be all that is known of someone engaged in fly tipping. (b) Betting fraud is often conducted online and can only be tackled through an investigation online. (c) ying a criminal gang planning to rob the mail is as dependent on Identif communications data as any other investigation into a conspiracy. What powers should they have? 9.81. Traffic data are not available to local authorities or to eight other users of 54 data. case It was suggested to us that there is a communications for according local authorities the power to request traffic data, now that a strong control regime is in place through NAFN. The same might be considered for the other eight users, were they also to use NAFN or a similar centralised, expert SPoC service. 9.82. The makings of such a case are certainly there, at least in the case of some minor users. Without traffic data, it is not possible for local authority investigators to get information about incoming ph one calls, the location of phone calls and some internet use. DWP emphasised the value that traffic data would have to benefit fraud investigators, which is increasingly internet - based, not least because of Government 55 Trading standards officers drew - enabled. policy to make benefits payments digi tally particular attention to the use of social networking sites, especially Facebook, being used for the sale of counterfeit goods on both large and small scale and the need for traffic data to trace the illegal action to the perpetrator. uthority Examples of the benefits which it is said traffic data would bring to local a 9.83. investigations are at 16 to this Report . In particular it would assist in being able Annex so vulnerable (primarily due to age to secure convictions in respect of victims who are and mental health issues) that they are not able to stand up to the rigours of the criminal justice system; and it could assist in identifying other victims, the fact of a conspiracy, the identities of conspirators and the links between suspects. 9.84. DWP indicated that it wanted power to request traffic data. Although some local authority investigators were of the same view, the LGA d eclined to make the same indication to the Review . Non - RIPA powers 9.85. RIPA is not the only sta tute under which public authorities may obtain communications data, (see 6.16 - In the recently approved Retention Code, the Government 6.18). repeated its policy that communications data should not be obtained under general information gathering powers and added that retained data should only be obtained 54 These are: Health and Safety Executive, Medicines & Healthcare Products Regulatory Agency, DWP – Child Maintenance Group, Health & Social Care Business Services Organisation - Central Services Agency (Northern Ireland), Office of Fair Trading / CMA, NHS Protect, NHS Scotland Counter Fraud Services, and D epartment of Enterprise, Trade and Investment (Northern Ireland). 55 Evidence to the Home Office, February 2013. 184

191 CHAPTER 9: LAW ENFORCEMENT 56 under RIPA. However authorities with their own powers to obtain communications data generally want to continue to use them. Ofcom told me for example that it is able to obtain data under the Communicatio ns 9.86. Act 2003, and does so frequently as part of the regulatory function. It conducted over 2 , 700 investigations over the past three years, often obtaining communications data to ensure that companies were behaving properly. As it said: The information is “ obtained and used to protect consumers’ interests. To the extent it involves data about individual consumers, their identities and conduct 57 are incidental to, rather than under, investigation .” 9.87. Ofcom issued only 121 authorisations and notices for communi cations data under RIPA in the same period, mainly when investigating criminal offences under the WTA 2006. 9.88. The powers available to authorities under their own legislation are not overseen by ithin the requesting IOCCO and are typically able to be authorised at a lower level w organisation. For example, executive officers in the DWP authorised to do so can obtain subscriber and service use information without further approval. 9.89. Moving to a RIPA - type approval system would have consequences for organisations now using their own powers, which will need to be thought through. There would be additional costs. The DWP in 2013 estimated their additional costs to be in the region 58 of £1 million over three years. There is a risk of anomaly in imposing the RIPA arr angement for the relatively low level of intrusion involved in a subscriber look - up, if more intrusive powers affecting individuals or businesses are not subject to external oversight. For example, Ofcom has interception powers under the WTA 2006, which 59 i t uses on a day - to - day basis to identify sources of interference to the spectrum . Authorisation of interception ion warrants were in general more concerned with 9.90. Those entitled to apply for intercept the speediness and flexibility of the procedure than wi th the question of who the authorising individual should be. 9.91. Police Scotland expressed their satisfaction with the current arrangements. But others within law enforcement expressed their criticisms : (a) A very senior police officer expressed the view that jud icial authorisation would be strongly preferable to the current system of political authorisation, because of the need to have visibly robust safeguards and in order to counter any future suggestion that a warrant might have been issued for political reaso ns. 56 para 8.1. Retained data may also be obtained under a judicial authorisation. Retention Code, 57 Evidence to the Review, March 2015. 58 Evid ence to the Home Office, February 2013. 59 Evidence to the Review, March 2015. 185

192 CHAPTER 9: LAW ENFORCEMENT The NCA made the practical point that obtaining dates for signings by the Home (b) be difficult, particularly where renewals are sometimes Secretary could 60 concerned. The NCA did add, however, that the current system has the desirable result of the Home Se cretary “ ”. It also seeing the detail of how serious crime looks on the street pointed out the need for absolute security in the arrangements for the consideration of warrants. The NCA made a strong pitch for extending serious crime warrants to six months 9.92. (in keeping with national security warrants), pointing out that a renewal application may need to be prepared before it is clear what is going on (and that the application may 61 thus be of lower quality). A similar point was made by IOCCO in 2014, and echo ed by others. Authorisation of communications data requests SPoCs As to the authorisation of communications data requests, the police took a good deal 9.93. the envy of many friendly of pride in the SPoC system, which was said to be “ countries SPoCs to whom I spoke both in London and in Gloucestershire provided ”. independent input into the process in a motivated and conscientious manner, amply bearing out the IOCC’s recent comment that “ the SPoC process is a stringent 62 safeguard SPoCs’ knowledge of communicat ions data, their relationships with ”. service providers and their role and impact within the investigating body are crucial to obtaining the best effect from the use of the technique, and also for ensuring that it is used with least collateral intrusion. On ly SPoCs are allowed to approach service providers for communications data using RIPA powers. Within law enforcement generally, it was felt tha should have strong 9.94. s t SPoC relationships with the investigators an d this was more likely to happen where they e part of the same organisation, working to the same goal ( wer albeit with distinct and independent responsibilities ) . Their effectiveness as a “ guardian and gatekeeper ” could however diminish were they to become simpl y part the investigation team. NAFN 9.95. I did not detect any dissatisfaction on the part of local authorities with the role of NAFN, which (confirming the impression derived from my own visit) was praised for its proactive advice, invaluable expertise, willingness to give feedback and efficient elect ronic communications. Its charging system, based on a fee per organisation and a usage element, was perceived as fair. There was widespread acceptance of the view that some minor users, whose technical skills are intermittently used and not 60 Other commitments can mean that changes are made to dates that impact on whether it is possible to - month mark, meaning that a renewal is brough t forward to comply with renew the warrant at the three legislation. 61 IOCC Report , (April 2014), para 3.44. 62 20% of IOCC Report , (March 2015), para 7.46. The IOCC added at 7.47 that “ approximately ent .” applications are returned to the applicants by the SPoC for development or improvem 186

193 CHAPTER 9: LAW ENFORCEMENT date, would benefit from having their requests routed through NAFN in always up to the same way as the local authorities do. DPs 63 9.96. I received representations from the LGA regarding the status of the DP. There were difficulties in determining who was entitled to act as a DP, particularly in view of what was seen as contradictory guidance from IOCCO and the OSC, and in the context of increasingly suggested to me that, rather than flat management structures. The LGA quirement should be designed specifying the level of role required to be a DP, the re in terms of competency or function, with councils given the freedom to delegate the ately . This is because they do not all have the numbers of staff at senior role appropri levels with ability to maintain the knowledge that is needed sufficiently to scrutinise what are only occasional applications. 9.97. Alternatively, the LGA said there may be scope to externalise or join up the DP role across councils, by appointing regional DPs, which would bring benefits in terms of training and - enforcement personnel to consistency. I did not detect amongst law whom I spoke any principled objection to authorisation for communications data access coming from outside their investigating bodies. Their main concern was that authorisation should be t as unbureaucrati c as possible . imely and the process Court approval 9.98. Much less appreciated i s the requirement, which is imposed only on local authorities , to have requests for communications data judicially approved by a magistrate or (in 64 Scotland) a sheri ff. The LGA has not asked for its removal, though it admits to concerns about its efficiency. 9.99. Otherwise, with the exception of the Magistrates’ Association, which considered that judicial approval “ ensures greater consistency of decision making ” and “ p rovides - 65 greater confidence in the legitimacy and fairness of the process few people thought ”, that the system added value. In particular: (a) It is described , with some reason, as extremely cumbersome: F iles must go:  from the requ esting local authority to NA FN;  from NAFN back to the local authority for DP approval ;  the preparation of a court then from the local authority back to NAFN for pack;  from NAFN back to local authority for them to obtain cour t approval; 63 Evidence to the Review dated 9 March 2015. 64 See 7.56 - 7.61. 65 Submission of 12 March 2015 to the Review. 187

194 CHAPTER 9: LAW ENFORCEMENT  to the local Magistrates’ or Sheriffs’ Court and back again ;  from the local authority to NAFN once again ; and  from NAFN to the service provider . hilst local authorities and NAFN communicate To make matters worse, w electronically, anything involving the court needs to be produced and transmitted on paper . (b) It was said typically to take one to two weeks to get an appointment at the magistrates’ court, and I was told of a six week delay in one case. (c) A local authority employee may then have to spend a morning travelling to the Magistrates’ Court, waiting for the case to come on, having the application approved and then r told that yet further expense is eturning to the office. I was incurred in Scotland, where a £90 court fee is payable and the case must be presented to the Sheriff by a lawyer. (d) The expenditure of time and resources is said to be disproportionate to the very basic nature of most requests, particularly given that the magistrates hearing the case have no specialist knowledge and that nearly all requests are granted. t magistrates had refused only six applications NAFN told me in March 2015 tha since November 2012, amounting to 19 data requests, out of some 6000 66 requests considered by them. At the same time the number of applications from local authorities has reduced 9.100. significantly. In a typical m in 2014 there were fewer than 150 requests , as onth against 200 - 400 in the months prior to November 2012 : see Annex 14 to this Report . I am informed that this sudden fall in numbers, which shows no sign of being reversed, reflects of the burden on local a uthority investigators (particularly in time) imposed by the need to approach magistrates. That would be no bad thing if local authorities were able to do just as well with OSINT , or by consulting the Home Office’s “ consented ” database of phone numbers. But I do not consider this to be the principal cause. Having spoken to a number of local authority trading standards experts, my impression is that communications data is not uniformly used as much as it could rent in obtaining the permission of a usefully be, and that the cost and delay inhe magistrate functions as a deterrent to applications that could properly and fruitfully be made. Oversight IOCCO was universally respected as a rigorous oversight body which was also 9.101. beneficial in improving practices. Thus: (a) The MPS CIU saw IOCCO as constructively critical in its approach , and would from time to time take the opportunity to ask the Commissioner’s opinion about 66 Evidence to the Review from NAFN, 31 March 2015. 188

195 CHAPTER 9: LAW ENFORCEMENT a proposed course of action. The staff were described as knowledgeable and increasingly techni cally capable, and IOCCO’s recommendations as sensible. (b) Gloucestershire Police reported to us that in the previous year they had had three visits from IOCCO of five, five and four days respectively. (c) The NCA spoke highly of IOCCO, as did the LGA. 9.102. A number o f voices however drew my attention to problems caused by the supervision of two Commissioners’ offices: IOCCO for RIPA Part I and the OSC for RIPA Part II. In particular: , the LGA and IOCCO all made the point that the distinct (a) T he NCA responsibilities of the two offices meant that they lacked what was described total oversight of the proportionality of the intrusion ”. It may be hard, in as “ other words, to judge whether a RIPA Part I request is proportionate (in the ernative), without detailed background sense of being the less restrictive alt knowledge of the directed and intrusive surveillance, CHIS etc. which may have been devoted to the same operation and which falls under the jurisdiction of a different Commissioner. (b) I was also told, again by both the NCA and the LGA, that there are differences of approach between the different Commissioners’ offices. In particular, different approaches are said to have been taken to the relative intrusiveness of different methods of surveillance, and to the identifica tion of appropriate DPs in organisations such as local authorities in which there are no clear - cut ranks as in the police. It was not always clear whether such discrepancies were the policies of the two offices attributable to individual inspectors or to more generally. 189

196 INTELLIGENCE 10. Scope and sources 10.1. This C hapter seeks to summarise what the security and intelligence agencies (MI5, MI6 and GCHQ: referred to in this C hapter as the Agencies) - have submitted to me shorter than the previous C about the future shape of the law. It is hapter because: (a) The Agencies, though certainly among the most important users of the relevant powers, comprise only three of the approximately 600 bodies entitled to use them. (b) Issues relating to the Agencies’ use of their powers were very recently explored, to the extent deemed compatible with the requirements of national security, in 1 a full and careful report of the ISC. (c) For the most part, the Agencies are concerned to preserve their current powers rather than to acquire new on es. Contact with the Agencies My work since 2011 as Independent Reviewer of Terrorism Legislation has been 10.2. chiefly concerned with the activities of Ministers, civil servants, police and prosecutors, and with the experience of those affected by the terroris m laws. Though I visit and speak regularly to all three Agencies (in particular MI5) in the context of that work, I have not in the past been exposed to the detail of their operations in the same way as the Commissioners or indeed the ISC. But in the pas t six months, I have acquired a is degree of knowledge of the workings of the Agencies, and of their cultures, which highly unusual for any outsider. 10.3. This Review confronted the Agencies with severe risks as well as opportunities. Nevertheless, they have engaged with me in a manner which I have found to be both open and constructive. Everything they said to the ISC, orally or in writing, was disclosed to me without question or reservation. The details of extremely sensitive capabilities have been volunteered to me, without any visible reticence. I addressed a large number of questions to the Agencies, including questions to GCHQ arising out of the Snowden Documents, and received full written answers which I was able to probe orally. I have benefited from a numb er of thoughtful written submissions on general and specific issues, from an intensive three day visit to GCHQ in Cheltenham, - from a number of conversations with Agency officials in posts abroad, from interviews with the chiefs of MI5, MI6 and GCHQ and fro m a series of sometimes lengthy meetings and demonstrations in London with each Agency. 10.4. There is, as one would expect, a range of views within each Agency as to the degree of public transparency that is appropriate. Organisations whose existence was an of ficial secret just a generation ago are still learning to come to terms with a world which demands scrutiny, assurances and accountability at every turn. To an outsider, 1 6 (communications ISC Privacy and Security Report: see in particular chapters 3 - 5 (interception) and data). 190

197 CHAPTER 10: INTELLIGENCE extreme caution in relation to the release of information into the public domain can seem frustrating, and indeed contrary to the Agencies’ own interests. Procedures which have never seen the light of day sometimes turn out to need improvement when 2 they are exposed to it. Yet for what it is worth, my impression is of lean organisations b y public sector 10.5. standards, proud of their vital work, able to admit to mistakes, prizing agility and resourcefulness but accepting the need to be held to high ethical and legal standards. facing in termediaries They seek to promote public confidence via trusted public - (whether the Commissioners, the ISC or myself). But there is a growing realisation that trust by proxy is not enough on its own, and that without prejudice to the necessarily secret nature of most of their work, institutional safeguards and d irect public engagement are also needed. The ISC Privacy and Security Report 10.6. Having read the written evidence submitted to the ISC, together with transcripts of the closed oral evidence to it (which was the subject of more penetrating questioning from ISC members than was evident at the televised open hearing at which the three Agency chiefs gave evidence in November 2013) I have no reason to doubt the accuracy of the ISC Privacy and Security Report as a statement of the Agencies’ cable, of their views. practice and, where appli 10.7. There are a number of respects in which I could have wished for a fuller public 3 statement of the factual position, as it appears that the ISC itself may have done. But ISC has recently felt I am not generally in a position to publish material which the 4 obliged to redact. That said, there are respects in which I have now been able to include material that 10.8. the ISC was not: (a) to Annex 9 Some brief examples of the utility of bulk intercept ion are given at this Report : the to a public audience of such a potentially intrusive justification power deserves and arguably needs more, but the examples give at least a flavour of the classified instances on which I have been briefed. 2 A recent example is the Agencies’ procedures for dealing with legally privileged material, disclosed in the Belhadj IPT Case and conceded by the Agencies to be inadequate. 3 The report broke new ground by avowing the use of bulk personal datasets, albeit with little detail - 163). However no open examples are given of the utility of bulk collection (paras 82 (paras 151 - 89), of interference with wireless telegraphy (para 173) or of CNE (para 178); and the treatment of what is escribed as “ another major processing system by which GCHQ may collect communications ” (paras d 65 - 73) is enigmatic. The ISC expressed regret that examples of the effectiveness of bulk interception capabilities could not be published (para 81). It also sta ted that the Certificate which accompanies the s8(4) warrants should be published (para 101), despite not having been able to do so itself, and that “ all the Agencies’ intrusive capabilities ” should be avowed (para 285). 4 Particularly in view of the fac t that the Prime Minister is authorised to exclude from this report any contrary to the public interest or prejudicial to national security matter that appears to him to be “ ”: DRIPA 2014 s7(7). 191

198 CHAPTER 10: INTELLIGENCE hapter, some submis sions that C I have also been able to summarise, in this (b) were made to me by individual Agencies about the legal framework in which they operate, and how it might usefully be changed. The Agencies 5 10.9. which spell out both their MI5, MI6 and GCHQ are constituted by Acts of Parliament 6 functions and, in con junction with other relevant statutes, the permitted scope of their activities. Their informative and accessible websites give an idea of their activities, and contain links to the public speeches that are given from time to time by each of their chiefs. In essence, and so far as relevant to this Review : (a) MI5 finds, investigates and disrupts people who pose threats to the UK, many but not all of whom are in the UK. It seeks the support of the other two Agencies, whose principal focus is abroad. (b) MI6 collec ts intelligence and undertakes covert activity globally, mainly using a combination of human and technical sources, in relation to the full range of threats and in support of the UK’s foreign, defence and security policies. (c) GCHQ collects intelligence glob ally on a large scale about the full range of threats to UK interests, to inform foreign, defence and security policies. It works on the front line of UK intelligence activity and informs work against the threats faced in the UK, which are dealt with by M I5 and the law enforcement agencies. The Agencies may of course disrupt, deceive or seek to “ turn ” people, and may in some cases be authorised to commit acts (e.g. criminal damage) that would p and search, arrest, otherwise be unlawful. But they have no police powers (e.g. sto detention), and are subject in all their activities to the constraints of UK law. 7 10.10. Full - The Agencies’ last financial statement put their combined budget at £2.1 billion. 12,190 in 2013 - 14, time equivalent staff numbers for the Agencies as a whole were with GCHQ the single biggest employer. 10.11. Secrecy is central to the work of all three Agencies. Whereas law enforcement bodies operate covertly only when they need to and exude a certain sense of regret that it – is ever necessary – the Ag encies only exist because of the need to operate in secret. 8 If something can be done openly, the Agencies are not needed to do it. This does not mean that they are ungoverned or unaccountable, nor that the need for their activities to be necessary and p roportionate is in any way reduced. It does however 5 SSA 1989 (MI5) and ISA 1994 (MI6 and GCHQ). 6 Notably HR A 1998 and RIPA. 7 Security and Intelligence Agencies financial statement 2013 to 2014 (June 2014). By way of contrast, the US National Intelligence Program budget for fiscal year 2014 was in excess of $50 billion. The budget of the NSA (which claimed in 2012 to employ more than 30,000 people across the world) is classified, as is that of GCHQ. 8 Of course, the Agencies do some things openly, for example communication security advice at GCHQ and protective security advice at MI5. 192

199 CHAPTER 10: INTELLIGENCE create a tension with the legal requirement that the law governing their activities must 9 be accessible and foreseeable. But the differences between intelligence and law enforcement should not be ove - 10.12. r emphasised. Since 1996, it has been an express function of MI5 to act in support of 10 In the wake of the activities of police forces and other law enforcement agencies. Terrorism the 2005 London bombings, this was facilitated by the formation of Counter - Units across the country where police and MI5 combine their resources in a common cause. Their capacities are to some extent interchangeable, and directed at the same targets. The efficient working together of intelligence and law enforcement is a disti nctive feature of the UK security landscape, and one that is noted and envied abroad. Summary of requirements 10.13. The Agencies saw their main challenge, as the National Security Adviser reported in 11 2014, to maintain their capabilities in the face of an evolv ing threat picture and rapid technological change. 10.14. as follows: They expressed their priorities to the Review Capabilities (a) To maintain their abilities to access the content of communications, and communications data. To collect communications in bulk where (b) they cannot refine targeting at the time of collection to individuals’ communications; and to use bulk collection where discover new threats and targets necessary to . (c) To maintain a flexible and agile global reach, commensurate with the Government’s foreig n, security and defence policies. (d) To be able to exchange information amongst themselves and maintain their position as part of an international community in the exchange of intelligence. Legislation and oversight (e) To be able to operate in secret, subject to Parliamentary and judicial oversight and ministerial control. (f) To be subject to authorisation arrangements that protect the secrecy of their - making. sources and methods, and which provide timely decision 9 As set out in deta il at 5.18 - 5.24. 10 SSA 1989, s1(4), added by SI 1996/2454. 11 Security and Intelligence Agencies Financial Statement, June 2014. 193

200 CHAPTER 10: INTELLIGENCE rous to maintain public consent (g) To be subject to oversight that is sufficiently rigo and confidence, without distracting more than is necessary from the perfor mance of their core functions. Individual agencies also make some specific sug (h) gestions in respect of warrantry . 10.15. These priorities are developed in the remainder of this Chapter. Agency capabilities 10.16. d with The Agencies depend increasingly on cooperation with each other an tners. Against that background international par : (a) They seek to acquire communications, by cooperation with service providers or covertly , in order to find information which can lead them to an otherwi se unknown or obscured target. (b) They develop software that enables them to analyse very large amounts of acquired data, to identify linkages and find new targets of intelligence interest (“ targ et discovery ”). traditional methods of and its impact on (c) They attempt to overcome encryption interception by attacking it with powerful computers, by hacking individuals' electronic devices, by modifying software and by guile, innovation and creativity. (d) attack in order to protect They seek to understand the nature and scale of cyber Government services online, the UK’s Critical National Infrastructu re, businesses and individuals. (e) They seek to operate without being disc overed. (f) They seek to influence their targets' behaviour, by making themselves seem omnipotent or - at other times - weak. In all this, the Agencies are no different to their counterparts in other democratic countries. But t strive, of course , hey to be among the best. Technological change a nd encryption 10.17. All countries face the same challenges from the development of technology and the communications market, as set out in Chapter 4. T he Director of Europol said recently that encryption has become: " .. the biggest problem for the police and the security service authorities in dealing with the threats from terrorism ... It's changed the very nature of terrorist work from one that has been traditionally reliant on having - counter 194

201 CHAPTER 10: INTELLIGENCE doesn't good monitoring capability of communications to one that essentially 12 provide that any more." 10.18. Even the US authorities are unable to access domestically all that they need. The Director of the FBI has referred to this as “ Going Dark ”, a c hallenge which relates not just to the powers available to US intelligen ce and law enforcement but to how 13 technology is developing , and companies’ practices. 10.19. The Agencies forcefully point out that if they cannot maintain their capabilities, threats - entified. will go undetected and opportunities to disrupt the ill intentioned will not be id They struggle with the growth of encryption and the diversification of the communications market. It would be wrong to assume that the Agencies have a constant technological edge over their targets, whether through crypto analytical - power, back - door access or partnership with other agencies. Each side has advantages, and neither can be sure of the upper hand: rather, in the words of the Chief of MI6, they are engaged in “ technology arms race ” in which resourcefulness a 14 remium. and creativity are at a p 10.20. The Agencies do not look to legislation to give themselves a permanent trump card: neither they nor anyone else has made a case to me for encryption to be placed under key effective Government control, as in practice it was before the advent of public encryption in the 1990s. There has been no attempt to reviv e the argument that led to the Clipper C hip proposal from the NSA in the 1990s, when public key cryptography 15 But the Agencies do look for cooperation, enforce d first became widely available. by law if needed, from companies abroad as well as in the UK, which are able to provide readable interception product. 10.21. The Agencies seek to address impeded access to communications through their own cryptographic work. They will also need to develop ne w methods of accessing data, for example through increased use of CNE. They therefore want the capabilities and an appropriate legal framework within which this work can be carried out. Bulk Collection 10.22. The Agencies collect the content and related communic ations data of external communications in bulk. This has been highly controversial, particularly since the Snowden allegations about GCHQ because it inevitably involves their acquiring material on persons who are not and will never be subjects of interest to them. The fold. argument for this is two - (a) First, when acquiring intelligence on activities overseas, the Agencies have less ability to identify targets than is the case for security and law enforcement activities in the UK. They argue that they need t o collect large quantities of communications in order to find the ones that are of interest. This has 12 “Europol chief warns on computer encryption”, BBC website, 29 March 2015. 13 Speech at Brookings Institution, Washington, D.C. 16 October 2014. 14 The Chief’s speech to English Heritage, March 2015, MI6 website. 15 See 4.46 above. Under that proposal, a cryptographic key to any device fitted with a Clipper Chip when duly authorised could have would have been provided in escrow to the US Government, which listened to any communication. Whether for technical or political reasons, the idea never took off. 195

202 CHAPTER 10: INTELLIGENCE resonance with the argument made by law enforcement in relation to the retention of domestic communications data. The Agencies may begin with a – perhaps a phone number, a suspect location - and from it they can small cl ue 16 build up the links that will provide the intelligence needed. But they can only do this if they have the communications material available to search for the links. Secondly, the Agen cies’ ability to understand what communications bearers will (b) be used by subjects of interest overseas is limited and their ability to access those channels is not guaranteed. Subjects of interest are very likely to use many different means of communicatio ns and may change them frequently, some doing so to frustrate their being surveilled. So where a communications channel can be accessed and it is likely to carry communications of interest, the Agencies will make the case to the Foreign Secretary for a wa rrant to intercept that channel in bulk. This does not however provide the capability to access anything like the totality of internet traffic. 10.23. The Agencies reject the argument that this bulk collection amounts to mass 17 18 the IPT, the findings of IOCC, and most surveillance. This is supported by the recently the ISC: “Our Inquiry has shown that the Agencies do not have the legal authority, the resources, the technical capability, or the desire to intercept every communication of British citizens, or of th e Internet as a whole: GCHQ are not 19 reading the emails of everyone in the UK.” Looking to the future, the Agencies also anticipate that domestic security work will 10.24. increasingly rely on the use of bulk data, including the examination of communications data within the UK. The spread of encryption and the multiplicity of identities used online by individuals mean that the kind of target search and discovery familiar from in the domestic sphere overseas operations will be needed y make the point that . The the internet knows no geographic boundaries and a suspect may be hidden within it as easily in Britain as anywhere else. In many respects the use of communications collected in bulk is another aspect to the 10.25. enly discussed for the first time Agencies’ use of other bulk data, which has been op 20 Bulk data are avai lable to the Agencies in the ISC Privacy and Security Report. under SSA 1989 and ISA 1994 , and exemptions in DPA 1998. As the Chief of MI6 recently put it: “ Using data appropriately and proportionately offers us a priceless opportunity to be even more deliberate and targeted in what we do, and so to be better at 21 protecting ... this country.” 16 GCHQ explained this in “How does an analyst catch a terrorist?”: 7.5 above. 17 IOCC, Report for 2013 , 6.5.38. 18 Lib erty IPT Case, judgment of 5 December 2014. 19 ISC Privacy and Security Report, Key Findings. 20 ISC Privacy and Security Report, chapter 7. 21 The Chief’s speech to English Heritage, March 2015, MI6 website. 196

203 CHAPTER 10: INTELLIGENCE elligence picture Together with other information, bulk data allows a more complete int . Without it, i t may not be possible to discover new threats and follow a to be drawn lead to a point of closely targeted intervention. During my Review , the US National Academies 10.26. Report on Bulk Collection of Data was published in response to President Obama’s request to address whe ther software could be created to allow the US intelligence community more easily to conduct targeted information acquisition of signals intelligence, rather than bulk collection. The Academies said: “No software - based technique can fully replace the bulk collection of signals intelligence, but methods can be developed to more effectively conduct targeted collection and to control the usage of collected data... Automated systems for isolating collected data, restricting queries that can be made against tho se data, and auditing usage of the data can help to enforce privacy 22 protections and allay some civil liberty concerns...” GCHQ told me, when drawing this to my attention, that they already practise the 23 additional approaches suggested by the Academies. Acce ss to communications data 10.27. The Agencies are currently able to obtain communications data, including through their bulk interception powers, and they look forward to the future legal framework maintaining their ability to do so. They fac e the same problems as law enforcement in obtaining the commu nications data that they need concerning their targets, particularly from overseas companies but also where data are not currently retained. But as the ISC noted (with surprise) in its recent report: 10.28. “the primary value to GCHQ of bulk interception was not in reading the actual content of communications, but in the information associated with those 24 communications”. GCHQ has therefore suggested that there should be a new power to intercept only this information rath er than, as at pre sent, all content as well. It point s out that such an approach would intrude less into privacy. It also left me in no doubt, however, that the ability to intercept technical elements of communications, such as cookies and web log s (s ometimes described as “ content derived metadata ”), which fall outside the definition of communications data in RIPA and so must be treated as content (despite being less sensitive than content as ordinarily understood) was essential to their target 25 discove ry work. 22 National Academies Report, Bulk Collection o f Signals Intelligence: technical options , (January 2015). 23 Letter from Robert Hannigan, 20 January 2015. 24 ISC Privacy and Security Report, para 80. 25 Evidence to the Review, April 2015. 197

204 CHAPTER 10: INTELLIGENCE International relationships 10.29. The Agencies point out the importance to British foreign, defence and security policies of their ability to support a very wide range of intelligence requirements. UK intelligence indeed has a remarkable global reac h. But to retain this reach, the Agencies argue they must maintain a breadth of capability including advanced technical know how that enables them to be partners of choice to other intelligence - agencies whenever British interests arise. Because those int erests change quickly, indeed faster than new intelligence capabilities can be developed, the Agencies must themselves retain a breadth of capability sufficient to react straightaway when demands change. This argument bears particularly on GCHQ, its relat ionship with the NSA, and its ability to intercept communications globally. 10.30. There is an international trade in intelligence. In the Charles Farr Statement, the Government’s argument for intelligence sharing is set out: “It is highly unlikely that any gove rnment will be able to obtain all the intelligence it needs through its own activities. It is therefore vital for the UK government to be able to obtain intelligence from foreign governments both to improve its understanding of the threats that the UK fac es, and to gain the knowledge needed to counter those threats. Indeed, the intelligence that a foreign government shares with the intelligence services (on a strictly confidential basis) represents a significant proportion of the intelligence services' to tal store of intelligence on serious and organised criminals, terrorists and others who may seek to harm UK national security. The store of intelligence forms a resource for the government in seeking to take preventative action to counter e lives.” threats, and sav 10.31. 7 .66 above , the strongest partnership is the Five Eyes community As discussed at involving the UK, USA, Canada, Australia and New Zealand. But there is bilateral EU sharing with many countries, not all of them in the established communities of the or the Nor . Some of these relationships are th Atlantic Treaty Organisation (NATO) broadly based where there is an enduring mutual interest. Others come together for a particular purpose such as a joint intervention. 10.32. These international relationships are a vital contributor to their ability to pro vide the overnment seeks. They therefore wish to preserve them within intelligence that the G a legal framework that respects the confidentiality other governments require, whilst ce in their action. This is another area where the recent maintaining domestic confiden report by the ISC has called for future legislation to control the arrangements more 26 explicitly, defining the powers and constraints governing such exchanges. Techniques and warrants 10.33. MI5 and GCHQ have the leading interest in formulating the needs of the Agencies for investigatory powers affecting communications. 26 C Privacy and Security Report, C onclusion TT. IS 198

205 CHAPTER 10: INTELLIGENCE MI5 described itself as seeking to hold its ground: 10.34. not to expand its territory but sweeping new powers’ or, when taken in the “We are certainly not seeking ‘ round, an increase in levels of intrusion. But what we do require are powers, approved by Parliament, which allow us to keep pace with the changes in behaviour of our [subjects of interest] and in technology, in order to achieve dly similar levels of assurance against the national security threat we broa 27 face.” 10.35. MI5 considers that, due to the proliferation of communications platforms and techniques available to those it is investigating, it needs to use a wider range of techniques more frequently to obtain comparable insight. Equipment interference, for inter example, which may require both a property and an ception warrant, epitomises that need . Access to bulk personal data sets is also becoming more important to its k. investigative wor 10.36. MI5 has therefore suggested that there would be benefit in enabling the Secretary of single warrant all the intrusive techniques she is currently State to authorise under a permitted to authorise. Their powers would not extend beyond those which they h ave currently, and all the interference authorised would need to be justified as necessary and proportionate for the existing purposes. A single warrant wo uld give the Secretary of State and the Commissioners better oversight of the whole of an operation and the intrusion involved , and enable decisions on the proportionality of the interference to be taken in a more informed way. It would also make more efficient use of the Secretary of State's time, and reduce repetition in the number of applications. 5 suggests that the safeguards and handling arrangements for the product of such 10.37. MI warranted operations should also be made consistent. (warrants against clearly 10.38. use of thematic warrants MI5 has also proposed that its defined groupings of individuals who are all carrying out the same activity of concern) be made subject to more explicit safeguards and that current internal policies and safeguards already in place for such thematic warrants be formalised as part of the law or in a Code of Practice. T st , furthermore, that their use of bulk personal hey sugge data sets should be formalised in the same way by introducing more formal published safeguards in addition to the internal processes that already govern them. 10.39. MI5 has concerns that the current provisions for schedules to s8(1) warrants do not reflect the dynamic nature of internet communications and add to the difficulty of being specific as to which techniques and authorisat So, for ions might be required. it example, s that a warrant might give aut hority to intercept a named envisage individual’ s mobile phone communications, but would no longer need to have a schedule which set out th therefore require e phone number concerned, and would not modification if the phone number were changed by the targeted indivi dual. 27 ce to the Review, 17 February 2015. Eviden 199

206 CHAPTER 10: INTELLIGENCE GCHQ provided a set of features with sup considered 10.40. porting justification which it essential in future legislation, incorporating: (a) tinued ability to acquire bulk data from a variety of sources, including The con echniques, such as CNE, and through the exploitation through the use of new t of commercially available Big Data, to deliver the intelligence requirements of the future. Analysis of bulk data usually communications data or content - - - derived metadata (see 10.28 above) is essenti al to the discovery of unknown or only very partially understood threats to the UK. As communica tions technologies evolve, GCHQ's techniques will need to respond and develop accordingly. (b) and using The ability to combine such data acquired from a variety of sources single legislative a variety of techniques into a single intelligence picture. A framework covering all of this activity would be preferable to the current mix of arrangements in terms of enabling greater transparency and ensuring consistency, a s far as is possible, of authorisation regimes, safeguards and oversight. (c) T he ability to intercept communications data and content - derived metadata other than as a by product of content interception. This is not provided for in - all circumstances in the cu rr ent legislation. On average, communications data and content - derived metadata is less intrusive than content, and there are notably but by no means exclusively in the - various scenarios and applications context of GCHQ's cyber defence role - where it i s not always necessary to examine content in order to derive intelligence insight. In such circumstances, it would therefore be more proportionate, and clearly pr eferable, only to acquire or in some cases the content the communications data derived metada ta, and - not the whole content. (d) A two - stage authorisation process for bulk data (acquisition and access) , with the weight of the authorisation burden falling at the point of acquisition, and access to specific data subject to rigorous retrospective review. GCHQ - acknowledges the need for, and values, a robust and accountable end to - end process to govern their exploitation of intelligence material. In the case of bulk untargeted data, they accept that intrusi at the on occurs at two stages: first uisition; and then at the point at which material is actually seen or point of acq listened to by a human being. The overall framework for authorisation, accountability and oversight must be compatible with an approach to this second stage that achieves target discove ry through the agile testing of hypotheses against the full range of available intelligence data, rather than the simple searching for already known target identifiers such as an email address or telephone number. GCHQ argue s strongly that this can best b e achieved by a rigorous audit process after the event. (e) An explicit basis for sharing data with other Agencies and with foreign partners. The ability to share data with both domestic and foreign partners is to acquire all the intelligence it vital: no single organisation, or state, is able 200

207 CHAPTER 10: INTELLIGENCE needs to safeguard its national interests. It is important, therefore to ensure that there is a clear and transparent legal basis for such sharing, and the safeguards that apply. GCHQ co uld see benefit in putting s crime procedures on a par with those for 10.41. seriou l security, in particular by having warrants nationa last for six months rather than three. It was a point generally made that when warrants last for only three months, it is often enewal application without a full understanding of the necessary to start preparing a r impact of the original warrant. GCHQ also expressed a clear intention to be more transparent, wherever possible, 10.42. about its capabilities and operations. Authorisation 10.43. intercept ion are approved by the Secretary of State. Both At present, warrants for - the Home Secretary and the Foreign Secretary are up - date with the requirements to placed on the Agencies and the Government’s policy and operational needs. They are to a large extent also responsible for t hem. So there is an easy fit between the Agencies’ work and the responsible ministers’ portfolios. The Home Secretary bears much the biggest burden among Secretaries of State who approve warrants and she has regarded this as in keeping with her democrati actions of c accountability for the 28 position has been endorsed by the recent report of the ISC. the Agencies, a 10.44. The Agencies have made no suggestions to me that the current arrangements for approval by the Secretary of State should be changed. They recog nise that there is however pressure to do so from a number of other quar ters. Were that to happen, their chief concerns would be to ensure : (a) the timeliness of a revised approval process; and sufficien both security (b) arrangements to maintain t backgroun d for the work , and to be carried out effectively. Although much of MI5’s work may lead to prosecutions in UK courts or to other activity wholly and properly independent of the government, that is not true of most foreign intelligence work. The actions of the Agencies overseas and of the rest of government are pr oper ly and intimately connected. The FCO was keen to emphasise that preserving national security, to which purpose most of the Agencies’ work is directed xecutive branch of gove , is a function of the e rnment, and was concerned that the political and diplomatic context of any action ould continue to be they take sh in that context . considered 10.45. The Agencies are also concerned to maintain their agility, and operational secrecy, in obtaining data from service providers. The recently published communications Acquisition Code recognises that there may be circumstances where “ ongoing operations or investigations immediately impacting on national security ” mean that 28 onclusion GG. C Privacy and Security Report, C IS 201

208 CHAPTER 10: INTELLIGENCE authority to obtain communications data canno t be given independently of the IOCC and may the investigation team. Where this is the case, it is to be reported to 29 be covered in his report. The implication is that these circumstances should be the exception not the rule. The ISC has questioned the validity of any exception for the recognise the need to address the requirement for Agencies. The Agencies independent authority, even though it may require changes to their current working 30 practices. 29 Acquisition Code, 3.13 - 3.15. 30 C Privacy and Security Report, C onclusion HH. IS 202

209 SERVICE PROVIDERS 11. Scope and sources 11.1. This C hapter summarises the submissions made to me by service providers, both domestic and international. 11.2. I received open written submissions from the Internet Services Providers’ Association, BT and Vodafone, together with a short joint submission from Facebook, Googl e, Microsoft, Twitter and Yahoo, each of which I met subsequently (as I did Apple) in London and/or in the US. Confidential submissions were received from BT (again), , Telefonica and Virgin Media. Many CSPs are represented in the TalkTalk, EE, Three Comm unications Data Strategy Group, two of whose meetings I was invited to attend, and I exchanged views with others at Wilton Park conferences in October and 1 November. Service providers do not of course have a single view on the issues with which this 11.3. Review is concerned. They offer different services in competition with each other and have different business models. Yet there are a number of common strands to their thinking, and on some matters they have made efforts to come to a joint view. The importan ce of trust 11.4. All service providers set considerable store by the levels of trust that their customers place in them. For example, the US companies put to me that : “... we must earn and maintain user trust, and users expect that their personal communications be treated with the same respect online, as they would be 2 offline.” the one word we consider to be the bedrock of our Vodafone, likewise, told me that “... 3 business is trust .” Service providers consider that trust is best promoted by protecting their custo mers’ privacy (rather than, for example, going out of their way to assist law enforcement by revealing the details of communications which they have provided). above, I set out some recent survey figures for user trust, which 11.5. However, at 2.28 demonstrate m uch lower figures than providers want. Indeed, they feel that they have been damaged directly or indirectly by the revelations in the Snowden Documents , and the accompanying perception that they cannot be trusted to protect their customers’ data. This, a nd a wish to make up lost ground, heavily influence their approach to questions of surveillance by governments. The accelerated rate at which some service providers have moved towards services encrypted by default is the clearest example of this over the past two years. Moreover, they are sensitive to the views and criticisms of civil society groups and seek to be better regarded by them in order, at least in part, to help build up levels of customer trust. 1 Unattributed quotations in this Chapter are taken from various of these meetings. 2 Joint evidence to the Review from Facebook, Google, Microsoft, Twitter and Yahoo, October 2014. 3 Evidence to the Review, October 2014. 203

210 CHAPTER 11: SERVICE PROVIDERS sing trust, providers approach the 11.6. Of course, and in line with the goal of increa requirements from states for interception and communication data provision with a clear focus on their business needs , which are in turn influenced by current succinctly: technological and market developments. Vodafone described it “If our customers begin to believe that their personal communications are no longer private, they will either use our services less or switch to others they 4 believe are more protective of their privacy.” 11.7. This approach informs service providers ’ views on the topic. They stress the importance that they comply (and are seen to comply) not only with national law, but with internationally recognised principles of human rights. As BT explained: "We consider that it is appropriate to maintain a regi me that permits access to content and communications data, provided that the circumstances are suitably circumscribed, and provided that all necessary checks and balances are in place to ensure the lawful and proportionate operation of that regime, 5 larly from a human rights perspective.” particu 11.8. However, for service providers operating internationally, complying with the law is a complex demand. They do not see it as their role to resolve the conflicts of jurisdiction that arise when, as is frequent when a law enforcement agency seeks communications data or intercept on a customer, the provider is based in one country, their customer who may or not be under suspicion is another, and the data needed is in a third. But the reality is that providers are at th e centre of resolving those conflicts on a daily basis. All service providers stress that they are prepared to share data with the authorities in 11.9. order to save life and prevent crime. But governments in the UK and elsewhere can t surveillance of communications on the basis of a cosy, no longer expect to conduc voluntary relationship with a limited number of providers. Service providers are increasingly uncomfortable with voluntary arrangements, and may well show a customers’ privacy rather than cooperate preference, absent compulsion, to protect with governments. This gives them a surer base for action. Some service providers will tip off a customer that they are under surveillance unless persuaded not to do so, 6 typically by a court order. l enforcement Internationa 11.10. Before turning to specific views of service providers based in different jurisdictions, it is worth highlighting the most significant issue between service providers on the one hand and the intercepting agencies and users of communications d ata on the other: 4 Evidence to the Review, October 2014. 5 Evidence to the Review, October 2014. 6 For example, Twitter’s po licy is “ to notify users of requests for their account information ... prior to disclosure unless we are prohibited from doing so ”: see Twitter’s “Guidelines for Law Enforcement”: enforcement#10 . https://support.twitter.com/articles/41949 - guidelines - for - law - 204

211 CHAPTER 11: SERVICE PROVIDERS international enforcement. The issue has its origins in the shift from traditional - based communications. telephony to internet A 11.11. - UK based user will have a contract with a company, such as BT, Sky or typical ephone line, mobile phone connection or broadband Vodafone, which provides a tel in the UK and may be required connection. These companies own fixed infrastructure to cooperate with the Government in ways that facilitate interception (see Chapter 6) and the provision of communications data. When RIPA became law 15 years ago, these companies still provided the vast majority of UK communications that would be security and intelligence agencies or law enforcement. of interest to the 7 11.12. That model is changing rapidly and significantly. an be very difficult to obtain data It c s which are based overseas and do from service providers OTT provider , in particular not store their data in the UK . That is so especially if they are protective of their customers’ privacy , or consider themselves inhibi ted from assisting by their domestic law. The problem has been exacerbated by the common use of strong encryption, which means that the content of communications cannot be read even if the message is intercepted whilst it passes over infrastructure in the UK. Views of service providers 11.13. It is convenient to look at the views of service providers in two groups: those based overseas and those with UK infrastructure. Although there is overlap in their views, they have each reached a broad and no complete agreement within the two groupings, consensus and discussed it with me collectively. 11.14. A rather specific, yet important, area of complete unanimity worth highlighting was SPoC arrangement support for the above), which was said to act both as a (7.39 “ quality filt er ” and as reassurance that there had been “ a lot of checks and balances ”. All companies wanted it to be retained and developed. US companies described it to a model for everyone ” and compared it favourably to the US system, in which me as “ they could be contacted by any of “ 10,000 FBI agents, who don’t necessarily know what they are asking for ”. Overseas service providers 11.15. Shortly after his appointment, Robert Hannigan, who became director of GCHQ in November 2014, wrote publicly about the problem of obt aining interception product and communications data from companies overseas (principally, in practice, the US), 8 and pressed for greater cooperation. Yet the companies for their part regard this as overnments to address . The US essentially a problem for g companies said to me: 7 See, further, 4.7 - 4.10 and 4.14 - 4.16 above. 8 “The web is a terrorist’s command - and - control network of choice”, the Financial Times website, 3 2014. November 205

212 CHAPTER 11: SERVICE PROVIDERS “ Governments should not unilaterally try to compel disclosure of email or other private content across international borders, particularly when that data 9 belongs to citizens of another country . ” to any system in which they could be required to They were united in their opposition material: even if this had been hand even the US Government a key to encrypted it was thought that it feasible politically Clipper Chip would, like the abandoned proposals which sought maintain access for in tercepting agencies in the 1990s, simply 10 encourage new strategies for secure encryption. 11.16. Some fore ign companies have made clear their unwillingness to facilitate cooperation with intelligence or law enforcement : ghters in Syria, advertises itself (a) Telegram, which is used by many foreign fi heavily as privacy secure, and promotes “ crypto - contests ” to test the security - 11 of its encryption. Its co - founder Pavel Durov, a Russian citizen, is quoted as saying: " The no. 1 reason for me to support and help launch T elegram was to build a means of communication that can’t be accessed by the Russian security 12 agencies .” Apple has put its encryption beyond its own reach. (b) It says of its messaging service: “ Apple has no way to decrypt iMessage and FaceTime data when it ’s in transit between devices. So unlike other companies’ messaging services, Apple doesn’t scan your communications, and we wouldn’t be able to comply 13 .” with a wiretap order even if we wanted to Others, while understanding the importance of national sec urity, feel discomfort about - bilateral negotiations with the UK Government because they are sensitive, post Snowden, to allegations that they are voluntary participants in privacy intrusion. As one company put it to me: “ We can’t get into conversations th at leave our customers ”. on the outside ...our priority is our brand, not UK intelligence 11.17. The Government has asserted the extraterritorial effect of UK law, and made it explicit in DRIPA 2014. In theory, therefore, the Government could seek to compel co operation by overseas service providers in the same way as it compels companies based in the UK, although this has not yet been tested in a UK or foreign court. In a narrow sense, this might be said to meet the desire of the US companies for legal . But overseas service providers are generally unhappy with the assertion of clarity extraterritoriality in DRIPA 2014, which they did not necessarily accept (despite the view of the UK Government) to have been implicit in the previous law and had not encountere d in the laws of other countries. While legal compulsion was in principle preferable to voluntary compliance, it was thought that the unilateral assertion of extra - t erritorial effect would be met by blocking statutes, was not “ scalable to a global 9 Joint comments from Facebook, Google, Microsoft, Twitter and Yahoo, October 2014. 10 See 4.45 above. 11 See https://telegram.org . 12 “Why telegram has become the hottest messaging app in the world, The Ver ge website, 25 February 2014. 13 . Its See the privacy section on Apple’s website: https://www.apple.com/uk/privacy/privacy - built - in/ comments do not however apply to encrypted data on the iCloud. 206

213 CHAPTER 11: SERVICE PROVIDERS h a disturbing precedent ” for other, more authoritarian approac ” and was viewed as “ countries. 11.18. In practice, engagement with overseas companies has to date been entirely on a voluntary basis, although it is necessary for the UK agencies to acquire the appropriate l egal instrument, an interception warrant or communications data or authorisation notice, before they seek the cooperation. The degree of cooperation diminished - Snowden and varies between companies and between data types. generally post Thus: ion (a) Where interc ept is concerned, many US companies consider themselves to be constrained by federal law limiting voluntary disclosure to cases in which a provider reasonably believes that immediate disclosure is required by an 14 imminent danger of d eath or serious physical injury ”. emergency involving “ While this might allow service provider s to assist e.g. in cases of kidnap or bomb threat, many serious investigations (including terrorist investigations) do not satisfy these criteria. (b) The sharing of communications dat a is less legally const rained, with the result that service provider s can accede to simple requests to verify subscriber identity, though this is not universal. (c) There are also issues at the margins where companies can make their own - interpretation of the dividing line between content and non content. There have been recent and limited signs of improving cooperation, driven in part by the spread of ISIL and its dependence on social media. But it is also relevant to note alley and elsewhere are small and relatively new that many OTT providers in Silicon V companies, often with a strong libertarian ethos and without the legal or regulatory expertise to deal on an informed basis with requests from foreign governments. A number of major US companies, accustomed to the FISC procedure in the US, 11.19. disliked the notion of authorisation by the Secretary of State and indicated to me that they would be more comfortable about complying with a warrant if it were judicially authorised, providing “ another pair of eyes that i s separate from the investigative apparatus ”. While it was appreciated that other sorts of independence could be built into the system, “ the UK is in a minority with political authorisation, and perceptions do ”. It was also felt that “ improving RI PA matter set a good guide for ” in this way would “ other jurisdictions ”. One major company went so far as to suggest that if the UK introduced judicial authorisation, more cooperation would be forthcoming, though I was not left with the impression that this was a universal view. 11.20. The overseas service providers with whom I discussed the matter apply their own judgement to a request put to them from the UK before they comply with it. Some companies have published transparency reports, which show their assessment o f how 15 many requests from the British authorities they have met. The figures for rejection of 14 18 US Code §2702. 15 ; E.g. Google, http://www.google.com/transparencyreport/ Yahoo, https://transparency.yahoo.com ; https://transparency.twitter.com . Twitter: 207

214 CHAPTER 11: SERVICE PROVIDERS British requests are difficult to interpret. Some may be rejected because the data does not exist, though the UK authorities will also suppress demand where the y feel that it will not be met. Companies will reject requests which they feel are illegal in their host jurisdiction, or which they believe it would be unethical to meet, for example where the interests of a third country might be adversely impacted. I was shown evidence from a British agency that at one point in 2014 about 75% of the desired intelligence coverage for a particular operation could not be obtained from service providers. 11.21. of the Reform In their discussions with me, the US companies advocated the adoption 16 Government Surveillance Principles, which they have been creating as part of the Global Network Initiative, a multi - stakeholder group of companies, civil society organisations investors and academics “working to protect and advance freedom of 17 expression and privacy in the i ”. nformation communications and technology sector The companies argue that the challenges articulated by the British government are 11.22. global problems and require a global solution. The Reform Government Surveillance Princi ples are not directed specifically at the UK. Nevertheless aspects of current British law and practice (most obviously, bulk collection) would not meet the principles. 11.23. The US companies emphasised to me that the UK is influential and should lead internati onally in this sphere. But its influence should be exerted at the inter - governmental level, not by unilateral acts such as the assertion of extraterritorial effect or requiring the local storage of data (data localisation), which would carry security risk s, impose huge costs in terms of compliance, network architecture and engineering and render the internet slower and less efficient. The jurisdictional position is indeed complicated. Although many of the companies 11.24. concerned point to inhibitions in US la w, which prevent automatic cooperation with British government requests, some keep data relevant to UK customers in third countries: for example Yahoo and Microsoft do so in Ireland. The companies point out their operations are human rights - the pressure that they are under to ensure that compliant, for example through the United Nations Human Rights Council’s adoption, 18 with UK and US support, of the Ruggie principles. They expressed concerns that unqualified cooperation with the British government would lead to expectations of similar cooperation with authoritarian governments, which would not be in their customers’, their own corporate or democratic governments’ interests. 11.25. Improvements to the MLAT process to obtain intercept and communications data are s trongly advocated by the US companies, who would prefer to see the problem resolved by negotiations between governments: “ We are under no illusions that it is perfect . But it would be premature to rule it out as part of the solution. ” They claimed 16 https://www.reformgovernmentsurveillance.com/ , and cover (1) limiting These can be found at ct users’ information (including a statement that governments “ should governments’ authority to colle ”); (2) oversight and accountability; (3) not undertake bulk collection of internet communications by not transparency about government demands; (4) respecting the free flow of information (e.g. requiring infrastructure to be located locally); and (5) avoiding conflicts among governments (e.g. by MLAT processes). 17 Global Network Initiative submission. 18 Rights”, See the UN Office of the High Commissioner, “Guiding Principles on Business and Human 2011, HR/PUB/11/04. 208

215 CHAPTER 11: SERVICE PROVIDERS k favourably on requests for data preservation, so as to ensure that at the to loo conclusion of the MLAT process the data would still be there. 11.26. But there is little dispute that the MLAT route is currently ineffective. Principally this is because it is too slo w to meet the needs of an investigation, particularly in relation to a dynamic conspiracy. For example a request to the United States might typically take nine months to produce what is sought. The MLAT route also does not address intelligence needs. Pr ogress has however been made in discussions with the Irish government in the context of the EU protocols for legal assistance to enable speedy turnaround of warranted interception requests in serious crime cases. There are also plans to introduce electron ic document exchange with the United States, which will remove some of the delays inherent in relying on the transfer of hard copies. 11.27. To address this problem of overseas enforcement , at the same time as my Review was established, the government appointed Sir Nigel Sheinwald to be the Prime Minister’s - enforcement and intelligence data sharing. Sir Nigel’s special envoy on law overarching objective, through discussions with governments, other key international service providers, was to improve access to and sharing of law partners and enforcement and intelligence data in different jurisdictions. Sir Nigel was seeking to identify ways to take forward the British government’s relationship with telecommunications companies and explore how new formal arrangemen ts could 19 I have been kept improve data access and sharing in both the short and longer term. informed of his progress. 11.28. A number of options are under consideration which might improve the level of overnment. Some based companies and the British G - cooperation between US depend on the US Government interceding with US companies on behalf of the British Government. These will require the appropriate political will in Washington as well as e solution in the British Government to respond to concerns. There is no immediat sight. UK service p roviders Most of the areas of concern expressed by NGOs 11.29. hapter 12, , discussed further in C found some echo in the views on future arrangements volunteered by UK companies. 19 Specifically, Sir Nigel Sheinwald’s task, as set out in a Cabinet Office Press Release, 19 September 2014, was to:  identify ways to take forward the British Government’s relationships with the telecommunications companies a nd ensure that the British Government’s work in this area is coherent with its broader relationships with the telecommunications companies, and vice versa;  explore how new formal US/UK arrangements could improve data access for the UK agencies;  work with t he US government and telecommunications companies on a range of options for strengthening arrangements and ensuring reliable access, e.g. through MLAT systems, other legal or political frameworks or remedies, better arrangements for direct requests from th e UK agencies to the companies which hold the data, or other means;  consider wider international arrangements in this area; and  ensure that any new arrangements observe the requirement that data are requested and provided only where necessary and proportio nate for the purposes of national security and the prevention or detection of serious crime. 209

216 CHAPTER 11: SERVICE PROVIDERS nment Surveillance Principles. Some of these are also mirrored in the Reform Gover In particular, some service providers emphasised the need for: (a) judicial oversight of interception; (b) greater controls on bulk collection; (c) further controls on the intrusive aspects of communications data access such as locatio n tracking; increased transparency (particularly from the government); (d) strengthened accountability; and (e) (f) government to take the lead on resolving jurisdictional conflicts. 11.30. UK companies were nevertheless generally sceptical of the prospects of a new singl e international regime, as advocated in the Reform Government Surveillance Principles, and would be concerned if it increased compliance costs or other reforms had an impact on their competitive position. in oversight and approval practice, 11.31. Whilst there was no unanimity on desirable changes there was an expectation that change would be required to satisfy increasing demands for privacy. The UK companies were generally united on a number of other points, which I discuss 11.32. below. (a) The current arrangements fo r cost recovery by companies undertaking interception or providing data were widely applauded and, whilst there was some wish for them to be improved from the companies’ perspective, their existence be preserved. was seen as a strength of the UK arrangements that should (b) The cost recovery arrangements do not however entirely offset a widespread concern by UK - based companies that investigatory powers arrangements could adversely impact on their competitiveness. I was told that government surveillance require a significant technical impact. Companies ments do have were concerned to preserve what they would regard as a level playing field in the market: in other words, that the burden of complying with investigators’ needs should not fall disproportionately on UK - based providers, or certain UK - based providers. This was one of the major concerns with the 2012 Communications Data Bill. I was repeatedly told that it was not the job of UK companies to resolve the challenge of encryption of communications carried o n their infrastructure, even if they could. They were therefore generally opposed to having to store third - party data in their systems, in the way that had been proposed in the 2012 tever Bill. The thrust of their concerns was that the Government should by wha means press the OTT providers to play their full part in meeting the surveillance requirement. 210

217 CHAPTER 11: SERVICE PROVIDERS (c) Companies were all concerned about the implications of being compelled to cooperate in interception and data matters. Although they would welcome an avenu e to seek clarity, particularly about the meaning of the law and general requirements placed on them, they did not wish to have a discretion to question the merits of a particular interception or data request. It was for Government to t was lawful, necessary and proportionate, such that they ensure that a reques could then comply with it without fear of redress unless they themselves made an error. 11.33. All thought the Government - industry relationship needed improvement. Some companies were nevertheless suspici ous that competitors enjoyed privileged relationships with Government, though no company felt that it had one. 11.34. - industry In this respect, whilst the existing mechanisms of the Government relationship, such as the Communications Data Strategy Group, were we lcome, they 20 There was an appetite for more strategic did not extend to matters of interception. discussion with industry at an earlier stage. The perceived inadequate consultation 21 over the 2012 Bill still rankled, as did the handling of DRIPA 2014. Th ere remained concerns that the technical features of the 2012 proposals, the request filter and DPI, were not likely to be effective, though this may be an example of inadequate engagement rather than a fully informed disagreement on technology. They note d that the sunset clause in DRIPA 2014 s8(3) will operate from the end of 2016, and that consultation with them thus needs to begin quickly. 11.35. There was further concern that the law was complex, that it had not kept up with technological and market change, a nd that it was dispersed over different statutes. Some concerns were highly technical, such as the impact of the definition of interception in relation to requests to remove offensive material or apply virus protection tools. In part the response to thes e difficulties was a desire to have a route to clarify the law, perhaps through easier access to the courts. But there was an appetite to see the law made clearer and consolidated, for example as be tween the scope of RIPA and TA 1984. In addition, they f elt that data retention and data protection rules could find themselves in conflict. UK companies generally thought the distinction between communications data and 11.36. content was still valid, but needed development. Web log s, cloud services and social were particularly difficult areas to reconcile with the current definitions. media Companies felt that some communications data was highly intrusive and this was not fully recognised by current legislation. There was no longer any simple physical separation of internal and external communications. 11.37. Companies had a number of tactical suggestions as to how interception and data arrangements could be improved within the current legal framework, and believed that greater cooperation would engender ideas for more eff ective use of available powers and capabilities and enable future challenges better to be anticipated and dealt with. 20 Although new arrangements are to be introduced from May 2015, see 7.74. 21 That perception was shared by the JCDCDB, which was critical of the lack of consultat ion: JCDCDB Report, chapter 4. 211

218 CHAPTER 11: SERVICE PROVIDERS A number of specific suggestions emerged from the special meeting of the 11.38. Communications Data Steering Group, where the companies and law enforcement and worked together. These were: (a) Data that does not originate or terminate on the CSPs' network should be considered “ third party data ”, not for the CSP to store and disclose. Consideration should be given to limiting disclosure of retained (b) ommunications data in civil cases where that goes beyond the purposes for c which the data had been retained. Legislation should require continued consultation between law enforcement (c) and CSPs, so as to ensure that law enforcement can obtain the necessary in formation by the most effective means, without dictating the precise methods to be used by CSPs to produce it. (d) Communications data should b e redefined to include user data on the one hand and us on between e data on the other, to create a simple and transparent divisi the person who is accessing the internet or making a communication and the usage data which is inherently more private and would detail and individuals’ activities. , (e) Content should be defined so as to ensure there is no ambiguity over their the cloud. obli gations to produce material, particularly when stored in 212

219 12. CIVIL SOCIETY Sources and scope In the course of this Review , I met and received submissions from NGOs , academics, 12.1. he UK and also in campaigning organisations, activists, trade bodies and others, in t and referred to for convenience Annex 3 and Annex 4 to this Report the US (listed at as civil society) who shared with me their views regarding the investigatory powers regime. In a good many cases, those submissions were the start of a dialogue which I have found illuminating. 12.2. Space does not permit a comprehensive account of those submissions, some of which are extremely valuable sur veys in their own right. This C hapter aims only to at were made by civil society summarise the criticisms, and associated proposals, th Review . The reader who wishes to know more is encouraged to read the to the original submissions, which are published (with the authors’ consent) on my website. 12.3. An important (though perhaps obvious) point to make at the out set is that these submissions are not necessarily representative of the views of the public as a whole. Most of those who have been moved to write are well informed. Many of them have - a passionate belief in the importance of privacy, or of limiting the a ctions of the state. Some are frankly suspicious of the motivations of the agencies and police, and believe that the exercise of intrusive powers, particularly in the a bsence of suspicion, is liable to do more harm than good. But not everybody shares tho se views, as demons trated - above. Some will always argue for security to be by the surveys cited at 2.25 5 2. 3 prioritised over privacy; and a great number (including some who could claim to be well informed) are not particularly struck by imbalance or inju stice in the current - 1 arrangements. Those positions are only lightly represented in the submissions I have received from civil society. 12.4. A wise legislator will proceed however on the basis that the legal framework governing investigatory powers must be suf ficiently robust to satisfy not only those who are easily satisfied, but also those who are suspicious of government or who feel deeply 2 In that context, the views expressed below are of any intrusions into their privacy. particular interest and relevance . Transparency 12.5. At a general level, concerns with the RIPA regime are far from new. However, they have taken on a new and renewed intensity following the leaks in the Snowden Documents. The allegations in those papers took many by surprise, as have quent disclosures by the Government regarding the extent of the investigatory subse used by public authorities . A number of submissions made the point that the powers alleged conduct should have been clear on the face of the law, or should have been highlighted by the various oversight regimes set up under RIPA and related 1 That is also, generally speaking, the position of those who are appointed to regulate the exercise of investigatory powers and who, because of their privileged access to secrets, are best equipped to understand how they ar e used: IOCCO, the ISC and the IPT. 2 That is so, particularly, given the international dimension: see 1.9 above. 213

220 CHAPTER 12: CIVIL SOCIETY investigatory powers legislation. The fact that significant public information is only available due to these leaks, of which a significant majority remain NCND, is seen as unsatisfactory. T his reflects a fundamental imbalance. Those involved in investigatory powers have 12.6. (naturally) far more information regarding the use of those powers than those in civil society. Yet, as explained by Dr. Paul Bernal: “ [i]t is not enough for the authoritie s . For just to say ‘trust us’: the public needs to know that they can trust the authorities” many, that trust has eroded, and greater transparency is needed to get it back. Indeed, foll , which held owing the judgment of 6 February 2015 in the Liberty IPT case rtain procedures public that the failure to make ce rendered the data - sharing regime unlawful, . This many saw the need to make more information available to the public need for further transparency is a fundamental concern of many of those with whom I 3 discussed these issues. The transparency of laws and the public trust in them is not helped (it was suggested) 12.7. rushing ” of statutes such as DRIPA 2014 through Parliament, or by piecemeal by the “ additions and amendments to those laws, including most re cently CTSA 2015. This restricts proper and detailed scrutiny of the measures proposed. The need for clear legal powers 12.8. It has become increasingly apparent during the course of this Review that a range of security and intelligence techniques and methods is utilised (in particular by the agencies ). Some of these intrusive practices do not find clear and explicit basis in legislation, other than general po wers in 1989 and ISA 1994. They include: SSA (a) the use of CNE, onl y recently acknowledged by the Gover nment through the publication of the Draft Equipment Interference Code; (b) the suggestion in the Snowden Documents that the security and intelligence agencies are seeking to break encryption standards; (c) the use, such as there is, of OSINT; and (d) the use, such as there is, of other surveillance instruments available to the public, such as IMSI catchers. 12.9. A number of those with whom I met, particularly those with a detailed knowledge of the technology involved, expressed serious concern regarding the fact that su ch powers were apparently used but were not clearly articulated on the face of the 4 In their view, the use of techniques and methods without, at the least, legislation. published guidance, still less explicit Parliamentary approval or public awareness and support, was not only a large issue for society, but ran contrary to the rule of law (and 3 Access’ submission to the Review contains detailed consideration of the issue. However, Robin Simcox’s submission urges recognition of the importance of secrecy in the face of national security threats. 4 Privacy International explained in some detail its concerns in this regard. 214

221 CHAPTER 12: CIVIL SOCIETY 5 possibly the requirements of Article 8). Moreover, the lack of clear statutory authority for such powers insulates them from public - facing oversight. 12.10. These issue s arise in particularly acute form in relation to bulk collection, for which the power is (in the views of many) far from apparent on the face of RIPA. Though bulk collection, it is claimed, dwarfs the regimes for targeted interception and acquisition of communications data, its use was largely unknown until recent revelations. This lack of clarity engages questions of whether or not such collection y IPT Case, judgment is “ in accordance with the law” : the IPT held that it is (in the Libert December 2 014 ). A long with the claimants in Big Brother Watch and others v of 5 6 , the Liberty the claimants in UK ECtHR Application have raised the point before the ECtHR. 12.11. In the light of this, I spoke to many activists who emphasised that if broad powers such collection are to be authorised (a question which is considered below), these as bulk must be set out in legislation after proper and public debate. As stated by Liberty, a while it is not expected that all the detail of investigatory methods will be published, “ clear understanding of the absolute limits of what is permitted by legislation is essential when the exercise of powers will be done largely in secret” . Thus many - suggestions have urged the publication of further guidance, worked through practical example s, or legal advice interpreting the law or authorising the powers involved. This, it is suggested, is likely to engender greater trust in the actions of the authorities, which would be operating on powers explicitly set out in legislation and whose action s could thereby be reviewed. The need for evidence 12.12. Linked to this issue is a central concern of many civil society groups: that they have minimal, if any, evidence of the need for (rather than desirability of) the powers exercised by public authorities. They are of the view that, following the approach of the ECtHR set out in Chapter 5 above , interferences with rights may no t be justified a justification is provided for that surveillance which is proportionate to the unless intrusion involved. Moreover, it is important democratically to have public understanding of the need for surveillance, as highlighted by DEMOS. Rights Watch (UK) made the point that “ [t]his is particularly important among communities who are considered suspect due to the involvement of some of their members with terrorist activity” . 12.13. Many challenge the premise of the need for further powers, or even all existing powers. In particular, they note that: 5 In relation to CNE, the legality of the use of these powers is currently under challenge in the PI IPT C ase. 6 Application no. 58170/13. 215

222 CHAPTER 12: CIVIL SOCIETY Detailed review mechanisms in the United States have concluded that US (a) 7 not essential to preventing attacks or had “ no discernible ere “ ” programmes w 8 impact” . This is said to be particularly acute in relation to data retention, on which in (b) , and without which law dithered” Access’ words, US authorities have “ erate e.g. in Germany. enforcement st ill seems to op The key issue for authorities should not be gaining more information, but rather (c) ensuring that information which the authorities do possess is put to good use 9 (an area which could arguably be improved). 12.14. ustification, it is said that people are being asked to put In the absence of adequate j their faith in a system which they are told is necessary, but with no concrete examples of why that is the case. Examples are which should demonstrate that the demande d, methods successfully empl oyed would not have been successful under a different and less intrusive regime. Tools for understanding Related to this issue is the need for transparency in the operation of the system. 12.15. Particular concerns in relation to this include the following: eporting mechanisms (including Commissioners, the ISC and indeed this (a) R Review) must first place their reports before the Prime Minister, who can redact certain sensitive information. (b) RIPA s19 provides for an offence of unauthorised disclosure of the existen ce and contents of warrants for interception, which restricts notification in individual cases and hampers the provision of statistics. Acquisition Code at 8.3 are too restrictive, ions for notification in the The provis (c) requiring “ wilful or reckless failur simply to inform a party of the “ existence of e” 10 . the Tribunal and its role” (d) Statistics are insufficient and incomparable between bodies, leading to an 11 incomplete and distorted picture. (e) NCND restricts the information available to the public. 12.16. A number of submissions sought to deal with these points, and I was urged to address each of them. In particular, in relation to statistics, the need for mandatory and clearly regulated publication of statistics by each public authority on the use of such powers, 12 pa rticularly as regards interception and access to data, was highlighted. While the 7 Liberty and Security The President’s Review Group on Intelligence and Communications Technologies, , (December 2013), p 104. in a Changing World 8 New America Foundation, rists? (January 2014). Do NSA’s bulk surveillance programs stop terro 9 See the submissions of Big Brother Watch and Liberty. 10 A point highlighted by IOCCO in its submission to the Review. 11 Again, a matter which IOCCO also raised as a concern in its submission. 12 See for example the submissi on by the Global Network Initiative. 216

223 CHAPTER 12: CIVIL SOCIETY increased provision of transparency reports by service providers was noted, further submissions highlighted the need for a more permissive regime to allow service 13 providers or the need for regulated standards for and increased mandatory to report, reporting. As well as such mandatory provision, increased detail in the statistics 14 particularly in relation to: released was also urged, (a) increased reporting of and detail as to the purpose for which data is requested (for both interception and communications data), set out in clear and specific 15 categories; (b) the specific use to which data is put; (c) the amount of data collected pursuant to each warrant or authorisation as well as the number of individuals affected; (d) greater depth as to what kind of person is targeted and why; and information on rejections of applications. (e) 12.17. More broadly, many are of the view that the public authorities could make significantly 16 ble regarding the way that they operate. While some argued more information availa for a detailed unclassified description of the scale and scope of activities undertaken, others sought more specific information, including sample selectors, target acquisition rules, exemplary w arrants, procedures for data minimisation and the length of time for which data is stored. Alternatively, security and intelligence agencies could publish concrete policies or at least summarise the legal advice or assumptions on which they are operating. This would allow review and, if necessary, challenge of the legality of the system. Finally, some of the submissions highlighted the need for mechanisms to allow more 12.18. individuals to gain sufficient information to be able to challenge actions undertaken 17 against them. This includes notification of those wrongly targeted by surveillance, as it was noted that in a number of jurisdictions such a duty exists and operates 18 successfully, as well as the lifting on the ban on the use of intercept material at tri al. Again it was urged that this would create greater opportunity for further scrutiny of any wrongful acts. 13 As set out in the submissions from Access, Peter Gill and the Global Network Initiative. 14 By, in particular, Big Brother Watch. 15 Steps have already been made by IOCCO in this regard, which published statistics for IOCC Report communications data in the (April 2014) , and both communications data and intercepted material in 2014 in the IOCC Report , (March 2015). This represents an improvement, although the e statistics were at a high level of generality (it was statistics are limited: for interception in particular th indicated that 31% of warrants related to national security, 68% to serious crime, and 1% to a combination). 16 See for example the submissions of the Global Network Initiative and DEMOS. 17 As urged by, for example, Human Rights Watch, the Global Network Initiative and Liberty. 18 According to the submission I received from the Bingham Centre for the Rule of Law, this includes Belgium, Bulgaria, Canada, Germany, Ireland, the Netherlands, New Zealand, Sweden and the United States. However, I note that in the Report of Ben Emmerson QC, the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, ave provisions for such ex post notification, at para 50. ” h A/69/397, it is noted that “ very few States 217

224 CHAPTER 12: CIVIL SOCIETY Coherence and clarity Investigatory powers and practices often involve secret, or covert, actions. The 12.19. importance of coherence and clarity, a d esirable feature in any area of the law, is heightened in this context. Unfortunately, however, RIPA itself is complex, fragmented and opaque. It is 12.20. extraordinarily difficult both to understand and to apply. To summarise the concerns in this regard: As set out in Liberty’s submission, “ a striking feature of RIPA is that it treats the (a) 19 . various forms of surveillance in a patchy and inconsistent manner” (b) Many of the concepts are outdated, including in particular the apparent distinctions l and other communications, and content and between externa communications data. (c) The terminology lacks clarity, in that:  Important concepts such as “ content ” are not defined. subscriber data”  Further terms, such as for example “ communications” and “ now appear anachronist ic and counter - intuitive. ules in the legislation and accompanying Codes of Practice are insufficiently (d) R detailed. Single and simple framework RIPA itself contains inconsistencies which have been pointed out to me: 12.21. with slightly different methodologies (a) Surveillance with a similar purpose but may fall under different regimes, such as for example;  a conversation recorded by a hidden microphone in a person’s home, a hidden microphone in a person’s phone itself, and intercept of the 20 and conversation;  putt ing a “ tail ” on someone and determining the movements of a person and 21 with whom they have met via the use of geo location data. - (b) Different safeguards and authorising mechanisms apply to each, leading to t by those acting for a number possibly counterintuitive results. It was pointed ou of women who had relationships with undercover police officers that the intrusion in their daily lives only had (at the time) to be authorised by a middle - 19 The differences and complications inherent in the scheme as a whole are considered in detail in JUSTICE, (October 2011). Freedom from Suspicion: Surveillance Reform for a Digital Age, 20 Author ised, respectively, under RIPA Part II, either the Police Act 1997 Part III or ISA 1994 s5, or RIPA Part I Chapter 1. 21 Authorised, respectively, under RIPA Part I Chapter 2 and RIPA Part II. 218

225 CHAPTER 12: CIVIL SOCIETY ranking officer, whereas to listen in to one phone call would have req uired a 22 warrant from the Secretary of State. (c) Moreover, there is overlap between different regimes, undermining the safeguards attaching to some. For example, internal communications are intercepted under s8(4) warrants, as are significant volumes of com munications data (discussed in more detail in Chapter 6 above ). for investigatory powers magnifies these 12.22. The proliferation of other statutes providing concerns. In particular: (a) How and when other regimes should trump the regime set out in RIPA or vice ve rsa is far from clear. As the scrutiny applied under different regimes may be of differing levels, this raises concerns that a regime with lesser scrutiny may be chosen to perform the same (or a very similar) function. (b) The extent of the array of different powers is unknown and often ungoverned by supervisory mechanisms. (c) For many of these statutory powers, minimal safeguards appear on the face of the legislation (e.g. TA s94). The extent of the intrusion does not match up to the degree of scrutiny applied (d) to the decision. It is argued that similar protection should be given under RIPA to that given to the search of a house, as the nature and extent of the information involved is similar. Ltd, (e) As pointed out in the submission I received from Roke Manor Research varying capabilities and investigatory techniques are beginning to converge with the advent of technology. In light of the above, there was overwhelming support in the submissions I received 12.23. . The Bingham Centre for the from civil society for simplifying the statutory framework Rule of Law, which in its submission deals extensively with this point, urges: “A single, comprehensive statutory framework should govern the use of intrusive surveillance powers by public bodies. In particular, no public bo dy should have the power to access communications data save by way of this framework”. For many, this view extends to all surveillance powers, including those currently set out in or covered by in the Police Act 1997, ISA 1994, SSA 1989, and the different intrusive techniques in RIPA Part II. While conceptions of how such a scheme would operate vary, some have suggested a scheme analogous to that of PACE: a broad statutory framework containing the key elements of what is considered lawful, under 23 ailed Codes of Practice, more easily updated, can be set out. which det Professor Peter Sommer in his submission focused on the intrusion that each power would cause, suggesting that the greater the intrusion the greater the scrutiny and 22 See 8.18 - 8.19 above. 23 Peter Sommer. As explained in detail by Professor 219

226 CHAPTER 12: CIVIL SOCIETY e applied. Other suggestions for codifying surveillance safeguards would need to b according to simple distinctions focused on the type of surveillance, such as separate regimes for covert and overt surveillance, or for directed and intrusive powers. need for an overarching and simple regime at least However, most focused upon the in relation to interception and acquisition of communications data, which forms the focus of the remainder of this section. Remove outdated concepts 12.24. wing and increasingly When RIPA was designed, the internet was a rapidly gro important means of communication. However, it has been consistently highlighted to me that RIPA has been overtaken by developments in technology, such that in the view of many it is no longer fit for purpose. In particular, the volu me and quality of information contained in and in relation to communications has increased exponentially. The distinctions laid out in the regime are increasingly defunct, erefore, particularly in light of powerful tools for composite analysis. Unsurprisingly, th many in civil society advocate their removal. 12.25. The first key distinction which many have suggested removing is that between internal and external communications, w hich is discussed in Chapter 6 . While the precise interactions of the different subs ections of s8 is opaque, s8(4) warrants (which I term bulk” “ external warrants in Chapter 6), can only be granted for the interception of “ communications ”, defined in s20 as a communication “ sent or received outside the British Islands” , and accompanying c onduct necessary to undertake to seek such interception, under s5(6). This is a very wide power, by comparison to the power to intercept the communications of a single person or connected to a single premises (which I term “ ). Many or most of the submissions warrants in Chapter 6 targeted” received referred to those two powers as the power to issue “ internal” external ” and “ warrants. In practice, as set out in Chapter 6, s8(1) warrants may target both internal s frequently intercept internal and external communications and s8(4) warrant communications (though they may not target them). The distinction between the two categories of warrant is said to be either pointless or misleading, for the following key reasons: (a) As a starting point, what is classified as an “ external communication” is unclear, as set out in detail in the submission of Graham Smith. Many are of the view that the definition put forward by the Home Office in the Charles Farr Statement 24 is inconsistent and overbroad. (b) The distinction is out dated in the context of internet communications that are routed (and intercepted) globally. (c) It is particularly irrelevant in a situation when it is impossible, in practice, to intercept external communications without intercepting internal ones as well (R IPA ss8(5)(b) and 5(6)(a)). Many of the submissions felt that s16 did not do enough to maintain that distinction. 24 See for example the submissions of Big Brother Watch and the All Party Parliamentary Group on Drones. 220

227 CHAPTER 12: CIVIL SOCIETY (d) It is arbitrary, since it is often impossible to tell at the moment of interception whether a communication is “ external ” or not. (e) Some are further concerned that the distinction is discriminatory (both in 25 relation to those abroad and to minority groups the UK). within (f) The operation of s16 is far from clear. There is concern from some that the protection it offers may be more apparent than real; as it appears to provide for considerable searching and examination of data on those within the UK, as long as the selection is not on the basis of a factor referable to an individual known to be in the UK. Thus, many of the submissions I received were of the view that the distinction should 12.26. be abolished. In particular, it was said that this would: i) prevent any discrimination or unnecessary difference in treatment based on nationality or geography; ii) remove the arbitrariness and illogicality of the distinction in a world of globally routed communications; and iii) clarify what exactly is undertaken pursuant to different warrants. In answer to the point that some distinction based on either citizenship or ance regimes globally, actors suggest that geography appears ubiquitous in surveill this should not stop the UK becoming a leader in this field by expunging the distinction. At the very least, most would urge a publicly developed and tech nologically sound distinction. 12.27. Many submissions also high lighted the need to expunge the distinction between the content of communications and communications data, a distinction which is said to be 26 That distinction was premised on an assumption that content is more artificial. personal, more valuable, and more private than communications data. But that is now 27 challenged: (a) The volume of communications data has increased exponentially, and there are increasingly sophisticated means of data analysis which can provide significant information through combining and matching data. (b) This is matched by the increased utility, richness and inherent privacy of information contained in communications data. As explained by Open Rights Group, there is a qualitative difference in the type of communications data that is avail able now to that which was available 15 years ago. (c) It may also be the case that in the context of internet communications the distinction is less clear in terms of determining what is content and what is 28 communications data. 25 A concern highlighted by Rights Watch (UK) and the Equality and Human Rights Commission. 26 As set out, for example, in submission s by the Guardian Media Group, the Equality and Human Rights Commission and Liberty. 27 This view is one gaining in prominence: in the recent SURVEILLE Report, it was noted that “ the distinction between “content data” and metadata ...is rapidly fading away in modern network environment” , p. 4. 28 As raised by, amongst others, IOCCO. 221

228 CHAPTER 12: CIVIL SOCIETY Many submissions were of the view that this distinction should be abolished. At the 12.28. very least, even if there is some relevance to such a distinction, the justification for two entirely separate regimes is not apparent. As with the internal/external distinction, the commonality of such a distinction in other regimes was not seen as a reason to preserve it in the face of illogicality. Simplify and define important concepts There are a number of elements of the regime which many regard as opaque, and 12.29. and e xplained. These include, e.g. : which could be clarified, defined the extent to which s16 permits the selection of and access to internal (a) communications, which currently is far from clear, and some argue in essence 29 third type of warrant ”; provides a “ (b) what is an “ external” communicati on; (c) what is included within “ content” ; (d) the factors to be considered in determining whether interception is “ necessary and proportionate” ; (e) the system to be put in place where the requisite Secretary of State is not available to sign a warrant for intercep tion; ; thematic warrants” (f) the operation and scope of the newly avowed “ (g) the different categories of communications data, including perhaps a specific 30 definition of geo - location data; and (h) the operation and extent of the extra - territoriality provisions intr oduced by DRIPA 2014. 12.30. These clarifications must be, it is argued, sufficiently detailed to allow civil society and others to see on the face of the statute, Code of Practice or published guidance what is permissible and what is not. Submissions pointed to the use of RIPA to gather the communications data of the Tom Newton Dunn, the political editor of the Sun newspaper, as an example of insufficient detail leading to practices which do not have broad support and which were not generally understood to be wi thin the scope of the 31 32 This is a matter which is to be considered by the IPT. legislation. 12.31. Moreover, if investigatory powers remain authorised by a range of statutes, the nce, operation and clarification of the different elements, and which is to take precede 29 See Caspar Bowden’s submission to the Review. Similar concerns were raised by Open Rights Group, Liberty, Graham Smith and Peter Gill. 30 See Big Brother Watch’s submiss ion. 31 Reported, for example in “Plebgate: Met obtained phone records of Sun political editor without consent ”, the Guardian, 2 September 2014. 32 See “Sun makes official complaint over police use of Ripa against journalists, the Guardian website, 6 Octo ber 2014. 222

229 CHAPTER 12: CIVIL SOCIETY will need to be made clear. The current provisions of s80 (the general saving for lawful 33 conduct) are, it is argued, opaque and complex. Scope of investigatory powers Underlying the overwhelming majority of criticisms and submissions received from 12.32. those in civil society was a fundamental concern regarding the scope and breadth of investigatory powers, although such a concern was not necessarily explicitly stated. areas While these concerns extended across the range of investigatory powers, two e of particular note : bulk collection of intercepted material and data retention. wer There were a number of broad reasons for this. Many submissions were of the view 12.33. that such bulk collection/retention could not (or, at the least, as currently practised in the UK does not) meet the requirements of the law, and in particular the requirements 34 of EU law (articulated in Others took a wider and the ECHR. Digital Rights Ireland) approach, highlighting alongside legal concerns the need for the protection of priv acy 35 as a social imperative, and broader idea s regarding the type of society in which such collection/retention is permissible. The idea of “ sleepwalking into a surveillance society ”, a concern first raised by the Information Commissioner in 2006, permeat es some of these submissions. As stated by Open Rights Group: “... communications methods in general have expanded and the digital world makes surveillance even easier. The expansion of this approach means we have slipped into a mass surveillance model wi thout a democratic debate regarding the consequences.” 12.34. Unsurprisingly, given these concerns, the vast majority of those with whom I met from 36 civil society emphasised the need for restrictions on those powers. Bulk collection 12.35. The idea of bulk collection of communications at the level of cables, with limited safeguards applied to such collection (rather than later access), is vehemently opposed by some of those who made submissions to me. Their reasons include the following: (a) RIPA is, it is argued, is built on the idea of targeted , rather than bulk , warrantry (and therefore targeted surveillance and targeted collection). Bulk collection 33 In relation to interception, see further RIPA s1(5)(c), which provides that interception in relation to stored lawful authority” communications has “ if undertaken under “ any statutory power” . In relation to communications data, para 1.3 of the Acquisition Code states that public authorities should only use other powers if such powers explicitly provide for obtaining communications data. Section 21(1) appears to encompass within Chapter 2 any conduct for obtaining data (that falls outside of interception). DRIPA 2014 s1(6)(a) states that a service provider retaining communications data under DRIPA 2014 must not disclose it except under RIPA Part I Chapter 2, or as provided by regulations. See further Richard Greenhill’s submission to the Re view. 34 Including not only rights protected under Article 8, but also including rights to a fair trial, freedom of expression and freedom of association. These concerns are highlighted in the submission received from Dr. Paul Bernal. 35 As articulated c omprehensively in the submission received from Dr. Paul Bernal, as well as in the submission of Charles Raab to the ISC. 36 Robin Simcox’s submission was to the opposite effect. 223

230 CHAPTER 12: CIVIL SOCIETY 37 qualitative change with which the represents therefore a “ ” in surveillance, equipped to deal. - legal regime is ill (b) Furthe r, the lawfulness of bulk collection under the ECHR and EU law does not, it is argued, follow from the judgment in , which focused on the Kennedy v UK “ ” 8(1) regime. The IPT has broadly upheld the legality of the s8(4) targeted on i n the Liberty IPT Case (j regime and bulk collecti of 5 December udgment 2014) , but many of those who made submissions to me are of the view that this will not prove the final word on the matter. It appears that the ECtHR will be by Big Brother Watch called on to determine the issue in the application and in the Liberty ECtHR Application. It was suggested to me, in advance of the IPT’s , that: judgment or with an eye to proceedings in Strasbourg bulk collection is not “ in accordance with the law”, in particular because  38 ulk collection are not apparent from the face of the statute; powers for b it is not proportionate, and indeed that it is simply impossible to have a  39 meaningful assessment of proportionality at that level; and that  it does not provide adequately for certain material , such as material covered by LPP and material relating to journalists, which are considered below. The idea that collection is of itself an intrusion into privacy which requires (c) careful justification (and, in law, a proportionality analysis) was consiste ntly highlighted. Indeed, it was emphasised that whether or not a communication 40 , the fact that it is collected is of itself an intrusion. is It was also stated read does not read or process the data, if there is technological that even if a person 41 proce ssing of that data this is a further intrusion to mere collection. (d) There are concerns regarding the risk posed by holding so much data: it could be abused or accessed (unauthorised) by people outside the system. (e) Fundamentally, there is a concern that su ch collection grants far more power to those conducting surveillance than is warranted, which undermines the basic balance between the citizen and the state. This has been done without public debate and proper scrutiny. 12.36. Some expressed the view that the a lleged actions detailed in the Snowden Documents would, if true, be either unlawful or improper and should be prohibited (expressly, if necessary). Insofar as such actions are authorised by the current 37 See the submission of Dr. Paul Bernal. 38 As set out by the Equalities a nd Human Rights Commission. 39 See Global Network Initiative’s submission 40 As set out in the submissions of Dr Paul Bernal and Professor Peter Sommer. This view is supported by the recent SURVEILLE Report, pp. 12 - 13. 41 As set out in submissions from Open Rights Group and the Bingham Centre for the Rule of Law. An example given of this point by Open Rights Group is the scanning of a person in a body scanner, rather remains an than a personal examination by passport. One is technological, rather than human, but intrusion into privacy. 224

231 CHAPTER 12: CIVIL SOCIETY of such powers was urged, in a regime, and in particular RIPA s8(4), the curtailment number of ways. 12.37. Some were of the view that only where a single person or premises can be identified would interception be appropriate. Another suggestion was that there should be a ceiling on the number of warrants that ca n be granted. Others have emphasised that 42 s8(4) warrants must be detailed and specific (at least by purpose or geography), such that there could not be a very small number covering a large proportion of internet traffic. Some have argued for the need fo r warrants set out by programme, such that individual warrants would cover particular operations run by intelligence or - crime fighting agencies, under which a range of targets would be covered. A further uch as “ reasonable suspicion” suggestion is to introduce a limiting requirement s into the requirements for granting interception or collection of data. 12.38. A more common suggestion was for a shift in the legal framework (or, at the least, its ulk or mass interpretation), such that only targeted interception, rather than b 43 interception, is permitted. In such a framework, a high threshold and robust safeguards attach to the first stage (the interception of data), rather than safeguarding only the access to or use of the information collected. This might entail the removal of the distinction between internal and external communications, discussed above. The same, it is argued, should be true for collection of and access to communications 12.39. targeted data, such that obtaining such data is only possible in “ ons. Moreover, ” situati in relation to obtaining communications data, some argue that th e purposes set out in 44 “ are far too br oad, and should be restricted, e.g. to s22(2) serious crime” . RIPA A should have similar, although less common, suggestion is that fewer public autho rities 45 access to communications data, to ensure control over the scope of the powers. However, others suggest that so long as the author isation process and threshold are sufficiently robust, the specific body involved is less important. One 12.40. broad suggestion in relation to both interception and obtaining communications data was the adoption of a test that focused in particular on the nature and degree of intrusion , rather than the specific type of data, technology or authorising body 46 . involved This, it is suggested, would lead to a more nuanced proportionality assessment which would take better account of the interests and rights of the - proofing the system such that it would not be individual at stake, as well as future dependent upon types or definitions of technology or access. 12.41. For some, this would involve abolishing the distinction between content and com munications data (discussed at 12. 20 (b) and (c) above), such that there was a sliding scale of intrusion based on current categories: subscriber data, service use data, traffic data and content. There could be different levels of authorisation attaching to each, such that the lowest level (subscriber) could be self authorised, and - 42 See for example the submissions of the Guardian Media Group and Graham Smith. 43 See the submissions of Big Brother Watch, Open Rights Group and the Equality and Human Rights Commission. 44 See the definition in RI PA s81(2) and (3); and RIPA s5(3). 45 See for example the submission of the Bingham Centre on the Rule of Law. 46 See for example the submission of the Equalities and Human Rights Commission. 225

232 CHAPTER 12: CIVIL SOCIETY the highest level (content) judicially authorised. Alte rnatively, in line with suggestions of judicial authorisation set out in more detail below, different levels of judge could be called upon to authorise more intrusive data types. Others did not see “ intrusiveness ” f data in question, but rather to a broader as necessarily being linked to the type o question of whether it would be intrusive to the target (which would take account of not only the data type but importantly also the degree of privacy attaching to the subject matter, and the steps taken to prote ct such privacy). There were also calls to tighten up a number of the concepts within the authorisation 12.42. regime to ensure intrusion only where necessary. In this vein, the need for a proper national security” definition of “ as a legitimate purpose for in terception or obtaining 47 This, it was submitted, should be determined in public data was emphasised. debate, and set out in clear guidance, rather than being purely for the executive to determine. Further, a few submissions emphasised that there must be clear guidance on what cannot be accessed or targeted, and is thus excluded from investigation altogether, such as for example lawful peaceful political activities. Data retention h to bulk 12.43. Similar concerns attach to the regime for data retention in the UK as attac collection, in particular in relation to the proportionality of the system. However, they are exacerbated by a commonly held view that the retention regime under DRIPA 2014 is unlawful, as it fails to take account of and/or undermines the CJEU’s judgment 48 in Digital Rights Ireland Liberty’s view that “ mass communications data retention is . undemocratic and unlawful” is shared by other academics and NGOs. In particular, it 49 is said to be disproportionate, and entail insufficient limitations on i ts scale or 50 51 scope. That issue will soon come before the High Court. 12.44. Other options are suggested. A number of submissions urged a regime of targeted 52 of metadata or communications data. Under such a retention, or “ preservation” scheme, a dynamic list ed of suspects would have their data retained for certain specifi periods of time (e.g. convicted offenders released on licence for offences for which recidivism is common). While there is a concern that this could stigmatise certain profiling, those that espouse this view argue it is more groups, or encourage proportionate than universal retention, as it focuses on a real and known threat. There are even narrower suggestions, which do not fall foul of such considerations, including a retention order for specific individuals named in the order based on a specific 53 In response to the suggestion that this would only deal investigation or proceedings. with known threats, there is a further suggestion of a “ centre of analysis ” which would be able to investiga te links and generate new targets. Arising across some of these more targeted suggestions is a view that this targeting should be authorised by judges on a case - by - case basis, targeted at those “ reasonably believed” to be engaged in 47 See the Open Rights Group submission. 48 This was set out i n the submissions of the Law Society and Access. 49 See the Equalities and Human Rights Commission. 50 See the Center for Democracy & Technology. 51 R (David Davis MP and Tom Watson MP) v Secretary of State for the Home Department CO/3794/2014, not yet heard. 52 See Professor Peter Sommer, Caspar Bowden, Center for Democracy & Technology. 53 See the Center for Democracy & Technology. 226

233 CHAPTER 12: CIVIL SOCIETY nd with notification of the target where preservation has been criminal activities, a wrongly undertaken. Hacking, CNE and encryption standards 12.45. As set out above, there are concerns in civil society regarding (in particular) the in the Snowden Documents that recently acknowledged use of CNE, the allegation public authorities are seeking to break encryption standards, and the alleged use of a 54 range of methods for surveillance not set out explicitly in law. As well as the concern I have already mentioned, regarding the basis for such powers in law, there are significant concerns regarding the use of these methods at all. In particular in relation to encryption, some are of the view that these methods are dangerous for the safety er, CNE presents a dizzying and security of the users of the internet. Moreov array of possibilities to the , and while some methods of CNE security and intelligence agencies may be appropriate, many are of the view that there are others which are so intrusive that they would require exceptional safeguards for their use to be legal. The use of CNE by the security and intelligence agencies is one of a number of issues in the PI IPT Case. Increase scrutiny and safeguards Increase scrutiny 12.46. As set out in Chapter 6, in the vast majority of cases the scrutin y that takes place prior to authorisation being granted is undertaken either internally by the body concerned or by the Secretary of State. This has been the subject of considerable criticism. Most in civil society are of the view that this is simply ins ufficient to guarantee protection for fundamental rights and civil liberties. 12.47. For interception, which is authorised by the Secretary of State or Scottish Minister: (a) The primary concern is that the Secretary of State’s position means that it is difficult, a s the head of the relevant institution, to take a robust and independent judgment as to the proportionality of each request. This is not an attack on the capability or independence of any particular Secretary of State, but rather upon the institutional na ture of the position. It is magnified by a position where refusal 55 and oversight is not , of warrants is rare considered robust (as described below). (b) It is difficult to reconcile with the doctrine of the separation of powers (whereby the executive, parlia ment and judiciary remain separate), and has been argued as being constitutionally inappropriate as it grants the executive too much power. 54 Highlighted in particular by Access and Privacy International. 55 Report of the See the Report of the IOCC for 2003, para 8, of the IOCC for 2009, para 2.3 and Report , para 2.4. IOCC for 2010 227

234 CHAPTER 12: CIVIL SOCIETY It places a heavy burden on a small number of politicians. Of particular concern (c) that can be granted to each warrant in those is the time and level of scrutiny circumstances. There is limited explicit provision for when the relevant Secretary of State is (d) unavailable. In relation to the argument that the Secretary of State brings democratic (e) it is contended that democratic legitimacy is limited, legitimacy to the process, both in practice and in principle: there are limits to the efficacy of democratic accountability in any event, and certainly in an area in which public mood can be greatly swayed by particular incident s and in which minorities may be likely to be targeted. Related issues arise as far as communications data is concerned, and in particular 12.48. those raised as points a) and b) above. The lack of institutional independence is clear: 56 ch data, pursuant to RIPA s22 , for the acquisition of su each body able to request such data has a DP who can request service providers to provide it. There is judicial approval only of authorisations granted or notices issued by local authorities (s23A). In these circumstances, while the Codes of Practice set out the responsibilities of those involved, without external input there is a concern that the robustness of the mechanisms is dependent at least in part on the personalities or corporate culture of those involved. Moreove r, within certain public authorities trust may have been eroded by their use of powers without safeguards (such as alleged police use of RIPA Part I Chapter 2 to determine journalistic sources). making 12.49. In light of the above, some have advocated for a centralise d expert decision - body responsible for the authorisation of surveillance. This could, it is suggested, entail different levels of decision - maker so that individual decisions regarding low - level intrusion could be dealt with separately to broader an d more intrusive powers. 12.50. However, by far the most common suggestion emphasised in this regard was the increased use of judicial authorisation for authorising surveillance (both before 57 Submissions interception and prior to obtaining or disclosing communications data). highlighted that this has been an approach preferred by a number of oversight bodies, 58 and the Joint Committee on including the House of Lord Constitution Committee, 59 Human Rights. It was said to be preferable for a number of reasons: It w ould be more likely to satisfy the standards of human rights law set out in (a) particular in Digital Rights Ireland (of prior review by a court, at para 62) and also the judgments of the ECHR, detailed in Chapter 5. 56 And often other regimes, set out in Chapter 6. 57 Such submissions were received, for example, from Big Brother Watch, Professor Peter Sommer, Open Rights Group, the Equality an d Human Rights Commission, Liberty and the Bingham Centre for the Rule of Law. An unusual example of a submission where this was not advocated is the thoughtful submission I received from students at UCL. 58 Surveillance: Citizens and the State, (2009), HL Paper 18 - 1, para 163. 59 Terrorism and Human Rights: 28 Days, Intercept and post Charge Questioning, Counter - HL 157/HC 394 (July 2007), para 161. 228

235 CHAPTER 12: CIVIL SOCIETY It would bring more independence and thus - making (b) trust to the decision procedure. (c) It would be entirely workable. 60 and that operates in relation 12.51. It is a model that has been successful in other countries, to other investigatory powers in the UK . For many, it is clearly the appropriate level of scr utiny required to authorise the type of intrusion in question: as English law has long recognised the need for a judicial warrant for the search of a person’s home, the equivalent should be required to access the information available regarding a person sed on their communications (which may be very intrusive and informative). ba 12.52. Modifications of this broad suggestion included the suggestion of judicial scrutiny 61 alongside ministerial scrutiny, or judicial authorisation for certain activities or certain 62 a, or the use of a model of a Commissioner. dat In response to considerations of authorities urgency raised by public , suggestions noted that there could be provisions ex parte out - of - for hours requests that could be dealt with extremely quickly, as well as the possibility of a short (24 or 48) hour period in which urgent authorisations were permitted internally and then had to be reviewed and authorised by a judge at a later 63 stage. 12.53. As set out further below, the need for such authorisation is particularly emphasised in relation to the content and communications data regarding or revealing journalistic 64 or that which is covered by LPP. sources 12.54. However, there is a general view that judicial authorisation by magistrates of local authority applications pursua nt to ss23A and 23B has not been an effective means of 65 securing more robust scrutiny. Thus, in line with these criticisms, most of the submissions on this point did not suggest granting further decision - making powers to magistrates but rather to transfer such powers to the High Court or a similar level. 66 Indeed, judicial authorisation is not, as others have pointed out, a “ panacea It does ”. downstream the - not (necessarily) provide for oversight “ - event scrutiny. ”, i.e. after sed to me, it may provide further independence, However, as has been emphasi greater scrutiny and increased public trust. 60 According to the submission I received from Liberty, who pointed to the United States of America, Austr alia, Canada and New Zealand as examples: see further 8.40 above and Annex 15 to this Report. See also the UN Office on Drugs on Crime, Current practices in electronic surveillance in the investigation of serious and organised crime , (2009), p. 17. 61 Se e Dr Andrew Defty and Professor Hugh Bochel. This would be a system similar to that existing in Annex 15 Canada, as set out further in to this Report. 62 As set out in the submission of the Bingham Centre for the Rule of Law. 63 See the submission of the Guardian Media Group. 64 As indeed was recognised in IOCCO’s 2015 inquiry into the use of Chapter 2 of Part 1 of RIPA to identify journalistic sources , (February 2015). 65 See the 2013 Annual Report of the Chief Surveillance Commissioner , para 3.10; IOC CO’s submission to this Review, 3.11.12 - 15. 66 See IOCCO’s submission to this Review, section 3, and IOCC Report , (March 2015), paras 6.54 - 6.59 - 7.39. and 7.36 229

236 CHAPTER 12: CIVIL SOCIETY Increase safeguards on access to and use of data Safeguards are not only necessary when collecting, acquiring or accessing data. 12.55. be robust, at later stages, and in particular as They must also be available, and regards the use of such data, especially as this will be a further intrusion under Article 8 of the ECHR. However, a number of submissions emphasised to me that the protections currently set out in RIPA ss 15, 16, 22 and 23 and the Codes of Practice are insufficient for this purpose. Possible ways to improve the current position were set out. First , it was argued that safeguards should extend more widely, including to material 12.56. accessed under DRIPA 2014, to communications data under RIPA Part I Chapter 2 (as to which there are limited safeguards), and to interception or obtaining of data outside the RIPA regime. 12.57. Secondly, safeguards must be more explicit and more stringent. Thus submissions urged: 67 clear a uthorised methods for searching data, (a) perhaps including published terms; (b) special authorisation for search terms that are particularly intrusive; used (c) narrowing the constraints on the use of such data, such that it can only be in line with the purposes f or which it is collected , or require later authorisation; granular and explicit purposes for which it may be used (rather than broad terms (d) such as “ ); national security” (e) only permitting the authority that accessed the data to then use it, or requiring furt her authorisation for it to be transferred; (f) the review of data at regular intervals for destruction; and (g) robust and clearly defined rules for the destruction of intercepted material, including time limits. 12.58. Two particular ways of ensuring this have been h ighlighted. Strict rules on data minimisation (i.e. the holding of the “ minimum ” amount of data necessary) could be implemented, similar to the controls imposed by the FISC in the United States relating to this Report to information concerning United States persons Annex 15 (see ). Alternatively, the possible utility of ordinary data protection principles being applied across the board was also emphasised. 12.59. The concerns regarding safeguards on the use of information apply broadly across investigatory pow ers, and are not confined to access to data. Thus, it is urged that, for example, there should be “ Chinese walls ” between those developing cryptographic 67 See for an example of this, Report of the CTIVD in the Netherlands on the processing of , (February 2014), p. 15 et seq. communications data tele 230

237 CHAPTER 12: CIVIL SOCIETY standards and those empowered with the mandate to uncover threats to national security. Provide for sp ecial protection A “ one - size - fits - all ” approach to intrusion into personal affairs is, it is argued, both 12.60. unsatisfactory and potentially unlawful. I received a number of submissions on the subjects of sensitive information, particularly in relation to da ta that could reveal the 68 data protected by LPP; or information that is source of journalistic information; deeply personal and private, such as medical records. In light of the important ticular by the ECHR (s ee 5.44 safeguards required in par 5.53 above ) , a number of - those with whom I spoke were of the view that insufficient guidance is found on these important topics either in RIPA itself or in the Codes of Practice (in contrast to the heightened scrutiny clearly set out on the face of other legislation, including PACE - ss9 and the Police Act 1997 ss97 14 100 ). This is a topic on which there have been - updates during the course of the Review, which may meet some of these criticisms. 12.61. Taking journalistic material first, the starting point is that set out by Liberty: “ [a] free press and the right to free speech is dependent on respect for private . By allowing public authorities to discover the source of journalistic correspondence” material (without clear safeguards), this important principle is said to be un dermined. This was of pivotal importance to some of the submissions I received, including from Gavin Millar QC, the Newspaper Society, the Media Lawyers’ Association, the National Union of Journalists and the Society of Editors. These submissions highlig hted the following important considerations: (a) Article 10 of the ECHR and judgments of the ECtHR, set out in Chapter 5, require scrutiny of decisions to access material in relation to journalist’s sources. Communications data is particularly relevant, as the content of the (b) communication is often publicly available. As other regimes protect this area, RIPA may “ those safeguards. (c) undermine” Changes were urged to the current scheme, in particular to “ 12.62. safeguard the media’s role as a public watchdog, which form s one of the cornerstones of a democratic 69 In particular, submissions highlighted the possible need for: i) judicial society ”. 70 71 ii) further requirements in the Codes of Practice; scrutiny; or iii) some manner of 72 shield law” to protect sources. “ 12.63. The u se of RIPA to collect material on sources was widely publicised in relation to the 73 “ ” and Chris Huhne affairs. plebgate Popular opinion surveys demonstrated support 68 See the submission from the Newspaper Society. 69 Media Lawyers’ Association, Newspaper Society. 70 See the submission of the Media Lawyers’ Association. 71 Ibid . 72 Submission of Gavin Millar QC. 73 For a detailed discussion of these points see IOCCO inquiry into the use of RIPA Part I Chapter 2 to identify journalistic sources, (February 2015),. 231

238 CHAPTER 12: CIVIL SOCIETY 74 This led IOCCO to consider this for restrictions on police access to phone records. - 2015, and to recommend judicial authorisation for the police area in late 2014 accessing communications data for the purposes of “ ” a source, but determining finding that otherwise ordinary procedures can be used (with bolstered guidance in 75 the Code of Practice ). As emphasised by Jan Clements to me, any consideration of this issue requires care and safeguards not only in relation to the identification of a source, but also in relation to the fact that a source has been in touch, and in relation to the location , timing and frequency of communications. Some of these criticisms may have been addressed by the (very) recent changes to 12.64. the framework for such data. The Serious Crime Act 2015 s83 inserted into RIPA s71 a requirement for a code of practice which “ shall include provision designed to protect ”. The Draft Interception the public interest in the confidentiality of journalistic sources 76 to be given to such material. Code requires “ The new particular consideration” th privacy may be higher in such situations, Acquisition Code notes that interference wi over applications for such data, particular care” requires a record to be kept, requires “ and requires law enforcement to use PACE provisions to seek a production order 77 when they wish to identify a journalist’s source. The importance of LPP was highlighted by the Bar Council, which noted that it forms 12.65. cornerstone of a society governed by the rule of law” S ome submissions focused . the hose of t he Bar Council and the Faculty of almost exclusively on this issue (including t Advocates). These submissions have been partially validated by the admission by the government in the Belhadj IPT Case that its procedures for dealing with LPP 78 The question th material were in violation of the standards required by Article 8. en becomes what is in fact lawful. One particular issue concerns whether or not communications data may attract privilege. While this was not the focus of the submissio Acquisition Code makes clear the Government’s view ns I received, the new ot, at para 3.72. As explained at para s 5.45 - that it cann the contrary is 5.46 above, certainly arguable where the communications data discloses not just the existence of the lawyer - client relationship but also the substance of the advice sought and given (for example the identity of an expert witness who has been cc’d into an email). In the context of interception, and in particular in cases against the Government it is emphasised that there must be robust barriers between those collecting data and those involved wit h the cases in question. It is broadly accepted that extra safeguards would not apply to cases in which LPP is used to further a criminal purpose. 12.66. Again, as with journalistic sources, there have been recent amendments to the Code l further safeguards. In the new Acquisition Code, while there of Practice which entai is no specific requirement for applications (as there is in relation to journalistic 74 Polling was conduct by Ipsos MORI for the Evening Standard in October 2014. See “Public backs curbs on police seeing phone records of journalists”, London Evening Standard, 21 October 2014. 75 IOCCO inquiry into the use of RIPA Part I Chapter 2 to identify journalistic sources, (February 2015), para 8.9. 76 Draft Interception Code, para 4.19. 77 Paras 3.73 - 3.84. 78 See the Order of the Court handed down on 26 February 2015 232

239 CHAPTER 12: CIVIL SOCIETY special consideration” sources), “ must be given to necessity and proportionality, and 79 80 . The Draft Interception Code is more detailed. a record must be kept 12.67. Suggestions were posed in relation to both LPP and journalistic sources, including: (a) Adopting a similar scheme to that set out in PACE, such that police must have edule 1 approved before they can an application to a circuit judge under Sch access personal records, journalistic material, and items subject to LPP. Similarly, under the Police Act 1997, a Commissioner appointed pursuant to s91 (rather than the ordinary authorising officer) must authorise propert y interference where it is likely to result in the acquisition of knowledge of LPP matters, confidential personal information or confidential journalistic information. In the case of communications data which may lead to the identification of journalistic sources, as set out above, this has already been implemented. (b) A bar on targeting information of this nature (although not necessarily a bar on use), or a bar on targeting without a warrant issued by an oversight body. (c) Mandatory reporting to an oversight body where confidential or journalistic source material is identified, or indeed where there is a reasonable belief that the intrusion may give rise to data of this nature, which then could be assessed pursuant to a stringent proportionality test and the requirements of Articles 8 and 10 (set out in detail in Chapter 5 ). Provide for robust sanctions A few suggestions I received highlighted what is perceived to be minimal 12.68. accountability for what can appear to be very serious breaches of the law. Serious intrusion into privacy has been undertaken (perhaps the “ of most visceral illustration” the alleged OPTIC NERVE program: see which, according to Liberty, is to Annex 7 this Report ). Yet in relation to much of the allegations in the Snowden leaks and the f indings of unlawfulness in the IPT, no public sanctions appear to have been imposed. This is in part due to the minimal sanctions in the statutory regime: (a) According to RIPA s72(2), failure to comply with the Codes of Practice by any person “ shall not of itself render him liable to any criminal or civil proceedings” . (b) While s22 states that it is “ lawful ” to obtain and disclose communications data if it is done under RIPA Part I Chapter 2, or to do that which is incidental to that conduct (s22(3)), there i s no clear sanction for a breach of the communications data provisions. (c) This confusion is exacerbated by RIPA s80, which provides that conduct which is not otherwise unlawful under RIPA or would not be unlawful apart from RIPA is lawful. 79 Paras 3.73 - 3.75. 80 4.18. - Draft Interception Code, paras 4.4 233

240 CHAPTER 12: CIVIL SOCIETY Further concer (d) ns are raised regarding the limits of sanctions imposed on 81 service providers by DRIPA 2014, which do not impose a specific offence for unlawful disclosure of data collected under that statute. Yet robust and clear accountability and sanctions for breach es of standards is 12.69. 82 necessary, it is argued, to ensure compliance. One way of achieving this might be 83 the admissibility of intercept evidence into court. 12.70. , many civil society actors were of the view that there should be enhanced Moreover protection for whistleblowers, including a clearer route to oversight mechanisms and fewer sanctions. Data sharing and seeking data from abroad 12.71. sharing with other s tates The failure to regulate for and provide safeguards as to data 84 85 has not only been criticised, but in certain circumstances has been found unlawful. While in the Liberty IPT Case it was broadly found that current practices in relation to the receipt of information from abroad, are now lawful, mirroring the conclusions of 86 th is is a matter which is further raised in Big Brother the ISC in relation to PRISM, Watch’s application and in the Liberty ECtHR Application . No similar decision has been undertaken in relation to the receipt of communications data from overseas. Even if current standards can be said to satisfy Article 8, many in civil society are of the view that the safeguards applying should be set out in law and significantly more robust. In particular, as most states apply differential safeguards based on citizenship tened safeguards being required closer to home , the ) and/or geography (with heigh weaker standard will become the norm if extensive and unregulated data sharing is undertaken. It was emphasised that it should be unlawful to obtain data on UK citizens would be unlawful to obtain within the UK, and that from foreign governments that it sanctions should attach to these obligations. There is also a need for clear standards use and access to data from foreign sources. on the Likewise, there were concerns not only in relation to the recei pt of data from other 12.72. 87 states but also the sharing of data by UK authorities. The UKUSA Agreement sets out the basis for data sharing in only the most general terms. As explained in Chapter determining whether 6, the Secretary of State exercises a very broad discretion when data should be shared with a foreign State. It was argued that this sphere was insufficiently regulated, particularly in relation to data sharing amongst the Five Eyes. There is nothing in the public domain concerning the guarantees secured by the UK Government concerning the storage, retention, destruction and use of those data. 81 Data Retention Regulations 2014/2042, see in particular regulations 12(2), 13(2)(b) and 15(9). 82 ’s submission dealt with the lack of sanctions for a range of issues. Richard Greenhill 83 As urged in particular by the Guardian Media Group and the Bingham Centre for the Rule of Law. 84 As it was, heavily, in the submissions received from in particular Access, as well as the All Party Parliamentary Group on Drones. 85 In the Liberty IPT Case, described in more detail in Chapter 86 Liberty IPT case, judgment of 5 December 2014; ISC, Statement on GCHQ’s alleged interception under PRISM, (July 2013). 87 t out in the submission from the All Party Parliamentary Group on Drones. As helpfully se 234

241 CHAPTER 12: CIVIL SOCIETY Clear guidance should, it was urged, be provided for these processes, as well as accompanying oversight mechanisms. A related topic is the extraterritoriali 12.73. ty provisions in DRIPA 2014, considered in a 88 These focused on the legal complexities of number of submissions I received. requiring companies in other states to comply with notices and warrants issued in the UK, as well as on practical concerns regarding the enforceability of such practices. Review , these issues have become more prominent. During the course of this 12.74. In relation to the above criticisms, and recognising the need for information from se submissions was often on service providers outside the country, the focus of the 89 This, it is suggested, would be clearer, avoid extra - the development of MLATs. territoriality concerns, and be more likely to satisfy the conditions of the law. Insofar as there are criticisms that MLATs are slow or ineffectu al, those with whom I spoke considered that the focus should be rather on improving and securing access through them rather than finding ways around them. Some placed their faith in an international agreement or on international law to ensure 12.75. 90 in data sharing. cooperation However others recognised that while a UN Convention or an additional international treaty would be of assistance in regulating international data sharing, it was both an unlikely event and perhaps unlikely to operate effectively face of alliances and hostilities between states. in the Improve oversight 12.76. The oversight mechanisms for investigatory powers received significant criticism in a high proportion of the submissions I received. Suggestions were made both to 91 individual oversight m which was echanisms and to the oversight regime as a whole, described by Human Rights Watch as “ neither transparent nor comprehensive” . 12.77. Broadly, the submissions I received demonstrated limited trust in the oversight mechanisms. Several pointed to the at titude to oversight apparent from the Snowden Documents: in particular that legal advisers had made a note to tell the NSA “ [w]e 92 ”; have a light oversight regime compared to the US that the regulatory regime was 93 a “ selling point and that the legality o f OPTIC NERVE “ would be considered once ”; 94 ”. Many thought that the revelations in the last few years, it had been developed including but not limited to those contained in the Snowden Documents, should have 95 sms. been highlighted much earlier by oversight mechani 88 Including those from Graham Smith, the Center for Democracy & Technology, Liberty, and the Global Network Initiative. 89 Including Graham Smith, Center for Democracy & Technolog y and Global Network Initiative. 90 As set out in M. H. Halperin et al, “Multilateral Standards for Electronic Surveillance for Intelligence Gathering”, (January 2015), Oxford Internet Institute Discussion paper. 91 Some submissions, such as those by Dr Andrew Defty and Professor Hugh Bochel, focused almost entirely on oversight. 92 “The legal loopholes that allow GCHQ to spy on the world” , The Guardian website, 21 June 2013. 93 ” , The Guardian website, 1 August 2013. “NSA pays £100m in secret funding for GCHQ 94 “Optic Nerve: millions of Yahoo webcam images intercepted by GCHQ”, The Guardian website, 28 February 2014. 95 undertaken by GCHQ should have been set out in the As set out by Peter Gill, the “ mass trawling” reports of IOCCO. 235

242 CHAPTER 12: CIVIL SOCIETY While I set out these criticisms below, it is fair to recognise that the oversight bodies 12.78. hapter , have engaged ate C themselves, whose views are not included in a separ ns, constructively with me over the course of the Review. I have taken those positio and helpful discussions, into account in considering the force of the criticisms below. the oversight mechanisms have achieved more public prominence in Furthermore, e the l ast year, and in particular after the main deadline for written submissions to th of oversight may have receded in the light of recent Review. Some of the criticisms detailed reports of the IOCC and ISC, and two IPT judgments finding against the security and intelligence agencies . Overarching considerations A number of submissions to this Review emphasised the confusing array of individual 12.79. oversight mechanisms, with little clarity as to the demarcation between them. Simplifying this oversight and ensuring that insofar as different bodies were involved 96 was thus a key feature of a number of suggestions. they worked as a cohesive unit Many highlighted the need for better coordination amongst all oversight bodies, and particularly the ISC and the IPT, including the need to ensure access to confidential annexes to the reports of other bodies. Moreover, a clear framework of responsibility, by function or body, and a hierarchy of responsibility, would, it was suggested, increase efficacy. Further, oversight bodies must have access to other systems: it should be possible for the oversigh t body to easily pass on complaints to prosecutors or Parliament. - time, independent Others have gone further to suggest the need for a single, full 12.80. super - regulator ”) with responsibility for all the different elements of expert body (a “ 97 oversight. ll surveillance powers to be brought together, this body would Were a therefore be responsible for all surveillance (including that which falls outside the focus of this Review). Such an oversight body, in some submissions termed an Inspector General ”, in other “ Surveillance Commissioner ”, would need to s a general “ be well resourced. 12.81. This was thought to have the significant benefit of simplifying oversight and assisting with the considerat there was concern particularly from the ion of proportionality. But ISComm r about diluting the personal responsibility of the current Commissioners, and it was suggested that running a super - regulator could be too big a job for a retired - judge who wished to work only part time. 12.82. e bodies, many emphasised the In any event, in considering how to develop cohesiv ther be done by providing need for oversight by technical specialists. This could ei - resourced assistance from technical and legal experts, or the increased use of well technical experts as part of the oversight mechanisms the mselves (rather than in simply supporting roles). A broader suggestion would encompass the use of “ panels ” with officials from both a national security background and those who have expertise ve. DEMOS suggested in the protection of civil liberties from an external perspecti 96 See the submissio n of Peter Gill. 97 As set out in the submissions I received from the Equality and Human Rights Commission, the Bingham Centre for the Rule of Law, and students at UCL. 236

243 CHAPTER 12: CIVIL SOCIETY surveillance that the oversight (or warranting) process would benefit from the use of “ juries ”. As the jury is a trusted institution, it was thought possible that it could secure r oversight bodies and an expert further public trust (particularly if supported by othe technical secretariat). 12.83. rather than reactive Broadly, submissions emphasised the need for a proactive regulator/oversight body, with sufficient resources, sufficient investigatory expertise authorities to account. and sufficient powers to be abl e to actively hold public facing profile to secure public trust - Moreover, the oversight body must have a public and ensure that public complaints can be cons idered. Gaps in oversight 98 12.84. mechanisms were highlighted to me, A number of gaps in the scrutiny and oversight including: (a) the use of the wide range of powers to acquire stored communications data other than by way of RIPA Part I Chapter 2 (for example the use of PACE s9 orders); the use of T A (b) n asked by the Prime s94, which the IOCC has recently bee 99 Minister to oversee; (c) the implementation of DRIPA 2014 s1 and means of redress for a service provider who believes that a notice has become disproportionate (and their request for cancellation has been refused); (d) communications where a statutory power or production interception of stored order is used; (e) procedures and requirements for data sharing (which is currently only partly 100 considered by the ISC and the Information Commissioner); and (f) errors on the disclosure side, and particularly wrongful disclosures or failure to disclose by service providers. 12.85. Finally, the statutorily required Northern Ireland Commissioner (RIPA s61) does not 101 Thus, it is submitted that these gaps must be closed (potentially by the use exist. of a single regula tor, as set out above). A related concern is the concern that, at times, the different scrutiny mechanisms may overlap. While “ more ” scrutiny might less be seen as better than “ ”, this leads to several problems, including inconsistency of results and conf usion as to the correct outcome. Again, it is argued that this could be achieved by the use of a single regulator. 98 In particular by IOCCO’s submission to the Review. 99 IOCC Report , March 2015, sec tion 10. 100 As highlighted by Peter Gill. 101 As highlighted by Paul Connolly. 237

244 CHAPTER 12: CIVIL SOCIETY Commissioners The system of Commissioners came in for considerable criticism from civil society. 12.86. Concerns ranged from those regarding th e Commissioner system and structure, to those specifically based on the operation of the Commissioners within that structure: (a) The wide range of Commissioners was argued to be inaccessible and 102 confusing, notwithstanding initiatives such as the Surveillance Road Map, meaning that oversight depends on very fine distinctions. (b) The fractured nature of the Commissioners’ work means that they are argued to be ill placed to assess the proportionality of measures undertaken. - As judges, suited well to adversarial disputes, their suitability for an inquisitorial (c) role has been questioned, and the potential need for technological expertise highlighted. (d) Commissioners are appointed by the Prime Minister, but to ensure freedom from executive influence would be better ap pointed by Parliament directly. (e) There is a lack of public knowledge of and interaction with the Commissioners, facing efforts by which is at least partly based on the lack of public - ngly Commissioners (although it is recognised that this criticism may increasi not apply to IOCCO, and developments in this regard were encouraged). The extent of scrutiny is inadequate, in particular: (f) the percentage of warrants considered is argued to be insufficient (although  it is recognised that IOCCO has increased the war rants it inspects), with many suggesting that Commissioners should look at far more (perhaps even all warrants);  the reports written by the Commissioners are insufficiently probing, being described as “ formulaic and superficial” until 2013, and, in relatio n to the more detailed reports appearing thereafter (which are not universal), cheerleading with caveats” “ thereafter; such that many urged the need to continue less “ reports in future, ensuring that the detail allows for bland” public scrutiny;  in functio ning as audit mechanisms (as they were intended by Parliament), the Commissioners are not well placed to bring to light serious and systematic intrusions into privacy, and there is a view amongst civil society that the Commissioners should have highlighted practices which are now public, and which have since been examined by the IPT. 102 Produced by the ICO, IOCCO, the ISCommr, the IPT, the OSC, the Office of the Biometrics Commissioner, and the Surveillance Camera Commissioner, (August 2014). 238

245 CHAPTER 12: CIVIL SOCIETY Commissioners have only recently begun to deal with inquiries and reports into (g) alleged abuses, which form a vital part of effective oversight. ISCommr, are inadequately resourced, and (h) Commissioners, particularly the time operation, and greater - should be bolstered with better resourcing, full powers to call for evidence and question national security bodies. 12.87. A common suggestion regarding the above was that the functions of diff erent Commissioners should be merged, or at the very least their interaction should be clarified. In particular, in relation to the latter point, Commissioners should be divided rception, either by the acts/functions of the public authorities in question (i.e. inte in acquisition of communications data, targeted surveillance, etc) or by the bodies horities), to avoid confusion. question (e.g. agencies, police, other public aut Investigatory Powers Tribunal During the course of the Review , the IPT had before 12.88. it a number of major cases, arising out of the Snowden documents and operations in Libya. It rul ed for the first security and intelligence agencies time that the had acted unlawfully (albeit only in the pears to have been the catalyst for past, and in a relatively technical respect), and ap significant disclosures and concessions by the Agencies. A respected commentator 103 . wrote recently of While the voices “the reputation [it] is slowly building for itself” ms of the IPT remain, again regarding calling for its abolition appear muted, criticis 104 both the institutional mechanisms and its operation. Some complained to me that: 105 in comparison to other (a) The percentage of complaints upheld is very low similar bodies. (b) It has insufficient technological expertise. t is insufficiently transparent: I (c)  Most decisions are uninformative, and reached without a hearing; 106 Similarly, ordinarily no reasons are given for the refusal of cases;   Without consent the Tribunal cannot even disclose the fact of a closed hearing (see rul es 9(4) and 6(2) - (3));  It cannot compel oral evidence at a hearing;  It must ensure that information is not disclosed if this would be contrary to inter alia , the public interest, the economic well - being of the UK or the 103 J. Rozenberg , “Legal privilege and the conflicting interests of GCHQ and the IPT ” , the Guardian website, 16 March 2015. 104 Further detail of some of these criticisms is provided by Open Rights Group and Liberty. 105 From the IPT website, Operation – Cases Upheld , http://www.ipt - uk.com/section.aspx?pageid=9 . 106 - See the IPT website, Operation - Determinations and non - determinations, http://www.ipt m/section.aspx?pageid=11 . uk.co 239

246 CHAPTER 12: CIVIL SOCIETY ns of the intelligence services (rule 6(1)), continued discharge of the functio 107 of evidence are now permitted; although “ and gists” 108 It operates based on the principle of NCND, a “ departure from procedural  109 ”. norms There is no appea l from the IPT (RIPA s67(8)); nor does it appear that the IPT (d) can make declarations of incompatibility under HRA 1998. 12.89. A range of suggestions seek to address the criticisms made of the IPT itself, and include: The gra nt of greater powers to the IPT : (a) to allow it to issue a “ declaration of incompatibility ” (as f ar as this is not  provided for currently); disclosure;  relating to to extend the use of oral hearings;   make open hearings the default and disclose the fact that closed hearings to have taken place; to epresentation for the use special advocates so as to ensure a degree of r  interests of those excluded from closed hearings; and to secure further and more robust powers for ordering disclosure, including  sanctions where information is not provided. Increasing the capability of the IPT, including the introd uction of expert (b) technological expertise. Expanding the scope of the IPT’s jurisdiction to allow it to consider errors made (c) by service providers as well as public authorities. The ability for further scrutiny of the IPT’s work, including in particular the (d) introduction of judicial review and/or appeal of IPT decisions. (e) Measures to increase access to the IPT, including: giving more bodies the ability to refer issues to the IPT, including service  s; providers and other oversight mechanisms such as Commissioner 107 The Belhadj IPT Case, interim judgment of 18 November 2014. 108 See the discussions in IPT/03/03/CH, Kennedy v Security Services IPT/01/62 and 77 (in particular paras 46 - 54), and the Belhadj IPT Case. 109 the Home Department v Mohamed and others, Secretary of State for [2014] EWCA Civ 559, [2014] 1 WLR 4240. 240

247 CHAPTER 12: CIVIL SOCIETY providing for notification of those wrongfully subjected to investigatory  powers (unless an operational need requires otherwise); and  granting legal aid to claimants and the ability to award costs to ensure that those with limited means are able to ac cess justice. Measures to ensure greater transparency, which include: (f)  increased fact - finding power, including lessened reliance on the NCND principle where public interest demands otherwise;  the increased giving of reasons for refusing cases; and  the pr oduction of greater public information regarding the operation of the tribunal. Intelligence and Security Committee 12.90. The ISC was reformed by the JSA 2013. However, concerns remain that the ISC is insufficiently robust and independent of governmental press ure. In particular: 110 (a) Its members still require nomination by the Prime Minister. (b) It may not consider matters that the Prime Minister views as either not in the 111 significant national interest or part of an ongoing operation. It must exclude matters that the Prime Minister considers would be prejudicial (c) 112 to the continued operations of the intelligence services. Information can be withheld from it by the Secretary of State if such information (d) is “ ” (i.e. leading to identification of or providing d etails of sources, sensitive assistance or operational methods available to intelligence or security bodies) 113 or should not be disclosed in the interests of national security. 12.91. Submissions focused on bolstering the powers given to the ISC, such that it could compel the production of information, hold more (and more robust) public evidence 114 security and intelligence and perhaps look more broadly at the acts of the sessions, agencies . This would require more funding and more staff. Other suggestions included providi ng the ISC with independent experts able to undertake detailed forensic investigations and an independent secretariat with both legal and technical advisors. 110 Section 1(4)(a). 111 Section 2(3)(a). 112 Section 3(4). 113 Schedule 1, para 4(2) - (5). 114 by Dr Paul Bernal. Recent hearings were described as “political theatre” 241

248 CHAPTER 12: CIVIL SOCIETY 12.92. Some submissions focused on the independence (and further the perceived independence) and institu tional security of the ISC, which it was thought could be improved by: (a) ensuring that key members of the committee have not had dealings with or political responsibility for the intelligence services; the chair of the ISC being a member of the Opposition; (b) (c) a transparent selection process not limited to nominations by the Prime Minister, perhaps by way of appointment by Parliament or Select Committee; reporting directly to Parliament rather than placing reports first before the Prime (d) Minister; and making its own decisions on reporting and publication, removing the automatic (e) veto by the Prime Ministers. In sum, this may entail the ISC becoming a full 115 Parliamentary Select Committee. 12.93. It is fair to point out that the deadline for written submissions to the Review came before the publication of two weighty reports, which may have gone some way 116 towards rescuing the reputation of the ISC. However the ISC as an institution did not receive significant support from those making submissions to us. Some were even of the view that it should be abolished and its functions transferred to other Parliamentary Committees such as the Joint Committee on Human Rights and the Home Affairs Committee. Future proofing - 12.94. The difficulty of predicting the direction and nature of te chnological development underlies many of the criticisms of the current regime. A framework designed in 2000 does not, it is argued, stand up to analysis in 2015. It is difficult to describe accurately that time: but by way of example the vast technological changes that have occurred in we transmit vast quantities of data about the most mundane elements of our daily lives across multiple borders in seconds; computers and handsets can be remotely accessed and controlled without a suspect even being aware o f it; and at any point in time when we are carrying a mobile phone our location can be pinpointed with 117 significant accuracy. 12.95. The advantages of future - proofing (and its regular companion phrase, technological neutrality) have been emphasised to me countl ess times. At its root is a concern not only that the law will become unusable, but that public authorities (and in particular the Agencies) will develop capabilities that appear justifiable on an existing legal framework but as to which safeguards are of minimal impact. 115 For de tailed discussion of the role of and potential improvements to the ISC, see the submissions of Big Brother Watch, ORG, the Bingham Centre for the Rule of Law and Dr Andrew Defty and Professor Hugh Bochel. 116 The ISC Rigby Report and the ISC Privacy and Se curity Report. 117 See further Chapter 4, above. 242

249 CHAPTER 12: CIVIL SOCIETY Future - 12.96. proofing is far from easy, although suggestions include: (a) a statutory requirement to review the law at regular intervals; (b) sunset clauses in legislation (in which the legislation expires following a certain period, as in the case o f DRIPA 2014); (c) a requirement to publish up - to - date and detailed Codes of Practice at regular intervals; and (d) the grant of specific powers and the outlawing of other powers such that for any rised. further powers to be exercised they have to be specifically autho Some placed their faith in the parliamentary system to ensure future - 12.97. proofing. One suggestion was to develop standing committees to review (all) Acts of Parliament to ensure that they are technologically relevant and robust, or likewise to review a ll security measures to ensure compliance with human rights law. Similarly, the Information Commissioner has himself noted that when passing legislation which impinges on privacy norms that there should be published a privacy impact 118 ioners should be permitted to publish a report. assessment, or Commiss He also recommended the report back to Parliament on how authorised measures have been deployed including evidence of the extent to which the expected benefits and risks have been realised. 118 , (2010). Information Commissioner’s Report to Parliament on the State of Surveillance 243

250 NG THE FUTURE PART IV: CHARTI Part IV of the Report (CHARTING THE FUTURE) contain s my proposals for change.  sets out the five principles on which Chapter 13 (PRINCIPLES) my recommendations are founded: Minimise no - go a reas o o Limited powers o Rights compliance o Clarity Unified approach. o  Chapter 14 (EXPLANATIONS) is a commentary on the principal recommendations set out in Chapter 15, concerning in particular: o A clear and unified law Definition of content and communications d ata o o Data retention o The 2012 Communications Data Bill o Collection in bulk o Types of warrant Extraterritoriality o Judicial a uthorisation o o Use of intercepted material and data Oversight: ISIC, the IPT and the ISC o o Transparency t my 124 specific sets ou  Chapter 15 (RECOMMENDATIONS) recommendations for reform. 244

251 13. PRINCIPLES 1 A question of trust 13.1. I have described the public debate on investigatory powers as double - jointed, because it features arguments for more and fewer capabilities, more and fewer characterised by exaggerated rhetoric safeguards. The debate is also polarised: often and by a lack of trust between participants. In the words of one observer: “On one side there are civil liberties groups demanding increased privacy and transparency; on the other there are securocrats and law - enforce ment spokesmen, under pressure to keep us safe and facing a bewildering array of security threats, insisting they need to monitor more of our online behaviour ... The debate is lurching between these nightmarish poles: we can choose a dystopia where our e very move is secretly monitored, recorded and analysed, 2 or a world where criminals are able to do what they like.” Both sides are motivated by fear: not least, their common fear that technological change will throw into jeopardy what they hold to be most important. The silent majority sits between those poles, in a state of some confusion. The 13.2. technology is hard to grasp, and the law fragmented and opaque. Intelligence is said to have been harvested and shared in ways that neither Parliament nor public p redicted, and that some have found disturbing and even unlawful. Yet this was brought to light not by the commissions, committees and courts of London, but by the unlawful activities of Edward Snowden. Informed discussion is hampered by the fact that bot h the benefits of the controversial techniques and the damage attributed to their disclosure are deemed too secret to be specified. Politics enters the picture, and for informed debate in the media are substituted the opposing caricatures of “ unprecedente d threats to our security ” and “ snoopers’ charter ”. 13.3. If one thing is certain, it is that the road to a better system must be paved with trust : (a) Public consent to intrusive laws depends on people trusting the authorities, both 3 to keep them safe and not to sp y needlessly on them. (b) This in turn requires knowledge at least in outline of what powers are liable to 4 a be used , nd visible authorisation and oversight mechanisms in which the wider public, as well as those already initiated into the secret world , can ha ve 5 confidence. 1 I chose the title of this Report before learning that it had been used for Onora O’Neill’s BBC Reith Lectures of 2 002. I have since read them, and gained some valuable insights. 2 Orwell vs Terrorists , 2015. J. Bartlett, 3 3.7, 10.14(g), 12.6 and 12.11 above. 4 7.27 and 12.16 - 12.17 above. 5 12.50, 12.82 and 12.83 above. 245

252 CHAPTER 13: PRINCIPLES Trust between strangers and within communities itself depends on assurance (c) 6 that the state will afford proper protection both to security and privacy . (d) Law enforcement and intelli gence need clear boundaries, together with confidence that the and that t heir y will not be censured for acting within them 7 secrets will be protected. (e) Service providers (particularly the overseas providers whose cooperation is so necessary) crave the trust of their customers, and can earn it only by assuring them tha t their data will only be released in accordance with a visible legal 8 framework and on ethical and i . ndependently controlled grounds Foreign governments (like the UK Government) need to know that data they (f) 9 choose to share is subject to proper safeguards. (g) People across the globe crave secure means of communication, and need to know that the UK can be trusted to comply in full with internationally recognised 10 . standards 13.4. Trust in powerful institutions depends not only on those institutions behaving themselve s (though that is an essential prerequisite), but on there being mechanisms to verify that they have done so. Such mechanisms are particularly challenging to achieve in the national security field, where potential conflicts between state power and civil l iberties are acute, suspicion rife and yet information tightly rationed. 13.5. 30 years ago, it might have been enough to appoint as independent reviewer (or Commissioner): “a person whose reputation would lend authority to his conclusions, because nformation that led him to his conclusions would not be some of the i 11 published”. Respected independent regulators continue to play a vital and distinguished role. But in an age where trust depends on verification rather than reputation, trust by proxy is not enough . Hence the importance of clear law, fair procedures, rights compliance words, but the necessary foundation for and transparency: not just fashionable buzz - the trust between government and governed upon which the existence of coercive depends in a modern democracy. and intrusive powers With the need to promote trust in mind, I have formulated my recommendations on 13.6. , minimise no - go areas , limited powers rights the basis of the following principles: 6 3.8(b) (security) and 2.11 (p rivacy) above. 7 9.91(a), 9.101 and 10.14 above. 8 11.4 - 11.9 above. 9 R ( Binyam Mohamed ) v Secretary of State for Foreign Affairs [2010] EWCA 65. 10 1.9 and 10.20 above. 11 k from the Home Office Lord Elton, Hansard HL vol 449 cols 405 - 406 (8 March 1984). That remar Minister related to the independent reviewer of terrorism legislation, but similar considerations no doubt prompted the creation of the Interception Commissioner in the following year. 246

253 CHAPTER 13: PRINCIPLES clarity and a unified approach . Those principl es are now explained in , compliance turn. First principle: minimise no - go areas go 13.7. A trusted system must be not only fair but effective. My first principle is that no - be minimised as far as possible areas for law enforcement should , whether in the gital world. physical or the di e state is to ensure the safety of It is often and correctly said that the first duty of th 13.8. . Good ) , irrespective of their nationality r indeed all within its borders its citizens (o order is a prerequisite not only for effective government in the public interest, but for the creation of a space in which individu al and collective freedoms including, – among many others, the right to respect for private life – can be safely exercised. Only in a society whose institutions are protected from attack and in which there is t possible for people to trust strangers, an expectation that laws will be enforced is i live without the fear of attack or intimidation, participate fully in the economy and society and develop to the full their own interests, personalities and quality of life. 13.9. The libertarian view that the State has no business snooping on the private affairs of the individual, and that some places or channels of communication should enjoy guaranteed immunity, has its attractions for some. But thos e attractions wane once it is recognised that there are individuals who will take advantage of any unpatrolled space to groom, abuse, blackmail, steal secrets from, threaten, defraud and plot destructive acts of terrorism against others. Any State that cl aims to protect its citizens must have the ability effectively to detect, disrupt and prosecute such behaviour. The central issue is how that ability can be combined with the expectation abiding people have and deserve. - of privacy which law 13.10. . If the State is to discharge its primary ip le applies in the physical sphere My first princ duty of protecting its population, it needs the power to do the most sensitive things that can be imagined: bug a bedroom, search a safe, trick a person into a relationship, d a personal diary, eavesdrop on a conversation between lawyer and client or rea journalist and source. None of those things will be appropriate save in exceptional and occasional circumstances. Even then, they may well be completely impracticable nt. But the issue is when it should be lawful to exercise such powers, not to impleme whether they should exist at all. not least, The s ame is true of the digital sphere . There may be all sorts of reasons – 13.11. secure encryption – why it is not physically possible to i ntercept a particular communication, or track a particular individual. But the power to do so needs to exist, can provide a way around the e in cases where skill or trickery even if it is only usabl mmunication could be reduced obstacle. Were it to be otherwise, entire channels of co to lawless spaces in which freedom is enjoyed only by the strong, and evil of all kinds 12 can flourish. 12 The metaphor of the “ ss apt. I do not suggest that law enforcement or ” is le ungoverned space intelligence should “ ” the internet: simply that they should have the ability to seek access to govern material and data when duly authorised to do so for a legitimate purpose. 247

254 CHAPTER 13: PRINCIPLES 13.12. This does not mean that state access to communications should be made easy. Few now contend for a master key to all communi cations held by the state, for a requirement to hold data locally in unencrypted form, or for a guaranteed facility to insert back doors into any telecommunications system. Such tools threaten the integrity of our communications and of the internet itself . Far preferable, on any view, is a law based system in which encryption keys are handed over (by service providers - or by the users themselves) only after properly authorised requests. 13.13. But in an imperfect world, in which many communications threatening to the UK are conducted over services whose providers do not or cannot comply with such requests, there is a compelling public interest in being able to penetrate any channel of communication, however partially or sporadically. Paedophiles should not be abl e to operate on the dark net with guaranteed impunity, and terrorists should not be able to render themselves undetectable simply by selecting an app on which their communications history will never be known even to the provider. Hence the argument for pe rmitting ingenious or intrusive techniques (such as bulk data analysis or CNE) which may go some way towards enabling otherwise insuperable obstacles to be circumvented. Hence, also, the argument for requiring certain data to be retained so that they can be used in piecing together a crime after the event. 13.14. It has been argued that if western democracies refuse to accept no - go areas, the same will be true of undemocratic regimes that will use their access for sinister and brutal purposes. The prospect is a gloomy one. But the flaw in the argument is in the linkage that it asserts. Unpleasant regimes can (and do) use local control of the expression and dissent: but neither their internet to suppress legitimate dialogue, self - lination to do so are dependent on the practice of other technical ability nor their inc countries. If the UK is to set an example to the world, it will not be by withdrawing a lead that no responsible government would – from the dark spaces of the internet choose to follow. It will be by demonstrating an ability to patrol those spaces in tightly defined circumstances, and with sufficient safeguards against abuse. Second principle: limited powers My second, balancing principle is that powers need to be limited in the interests of 13.15. priv acy. 13.16. What one might call over - governed spaces have existed from time to time in the physical world: commonly cited is the example of communist East Germany, where it 13 has been estimated that there was at least one spy watching every 66 citizens. But the practice of comprehensive physical surveillance is immensely difficult. There will always be suspicious groups which cannot be penetrated by a CHIS, buildings which cannot be safely bugged and potentially dangerous conversations which go undetected and u nheard. Physical surveillance is also extremely costly, which tends to place its own limitations on what can be done. In no democracy has any of those techniques been employed against more than a tiny proportion of the population. 13 told story of the East German secret police , 1999, chapter 1. J. Koehler, Stasi – the un 248

255 CHAPTER 13: PRINCIPLES rent in the digital world. Obligatory data retention requires service 13.17. Things are very diffe providers to retain and make available valuable communications data relating to, effectively, the whole population. Internationally, though GCHQ can access “ only a very small percentag e ” of the 100,000 bearers that make up the structure of the blanket’ coverage of all communications ”, internet and does not exercise “’ the volume 14 “ extremely large ”. elling over those bearers is nevertheless of communications trav The availability of these techniques, and the relatively low marginal cost of using them, allow data to be harvested without any need for suspicion – an uncommon state of 15 affairs where more labour - intensive powers are concerned. 13.18. collectors of communications data have That is not to say that the interceptors and the it all their own way. Their resourcefulness is matched by that of cyber criminals and those who seek to threaten or undermine the State who, unlike them, are not constrained to behave ethically. The capabilities of the state are subject to technical or cost based limits. But if the acceptable use of vast state powers is to be - guaranteed, it cannot simply be by reference to the probity of its servants, the ingenuity of its enemies or current technical limitations on what it can do. Firm limits must also be written into law: not merely safeguards, but red lines that may not be crossed. 13.19. The point may be illustrated as follows. Some might find comfort in a world in which - orded, viewed in real time and our every interaction and movement could be rec indefinitely retained for possible future use by the authorities. Crime - fighting, security, safety or public health justifications are never hard to find. So, to use a little imagination: A perpetual video feed from every r (a) oom in every house (it being a serious criminal offence to obscure the lens), could reduce the incidence of domestic violence, even if the police undertook to view the record only on receipt of a complaint, and assist the detection of what remained. (b) Blanke t drone - based surveillance would ensure that criminals could not escape attention by holding their conversations outdoors. (c) Electronic communications could be permitted only through the medium of licensed service providers, which as a licence condition woul d have to retain within the jurisdiction a complete plain - text version of every communication and make it available to the authorities on request. (d) - A constant feed of data from vehicles, domestic appliances and health e the Government to identify monitoring personal devices would enabl suspicious (or life threatening) patterns of behaviour, and take pre - emptive - action to warn of risks and protect against them. 14 ISC Privacy and Security Report, paras 58 - 59. 15 There are no - suspicion powers in the physical world: see, e.g. the stop and search power in the s60, and the port stop power in the Terrorism Act 2000, Criminal Justice and Public Order Act 1994, Schedule 7, but even these are not exercised in a wholly random manner. 249

256 CHAPTER 13: PRINCIPLES (e) The fitting of facial recognition software to every CCTV camera, and the insertion of a location - tra cking chip under every individual’s skin, would make successful kidnapping and abduction a thing of the past. Some of those developments might even be possible without state compulsion: they would appeal to people concerned about their health or their fami lies’ safety. 13.20. Much of this is technically possible, or plausible. The impact of such powers on the innocent could be mitigated by the usual apparatus of safeguards, regulators and Codes of Practice. But a country constructed on such a basis would surely be intolerable to many of its inhabitants. A state that enjoyed all those powers would be truly totalitarian, even if the authorities had the best interests of its people at heart. 13.21. uch vast There would be practical risks: not least, maintaining the security of s quantities of data. But the crucial objection is that of principle. Such a society would 16 have gone beyond Bentham’s Panopticon (whose inmates did not know they were being watched) into a world where constant surveillance was a certainty, and qu iescence the inevitable result. There must surely come a point (though it comes at different places for different people) where the escalation of intrusive powers becomes 17 too high a price to pay for a safer and more law abiding environment. - 13.22. It may be obj ected that the result in combination of my first two principles is uncertain. They would deprive criminals of sanctuary, whilst imposing limitations (for the protection of the innocent) on the methods that can be used to catch them. r as follows: To that, I would answe 13.23. (a) : criminals and enforcers are locked in a digital arms race, It is how things are where neither can be sure of having the upper hand. (b) It is how things should be . When no human institution is perfect, and when the great majority of those usi ng private communications enhance blameless lives by doing so, it is right that there should be legal limits on when and how those communications may be intruded upon. That is so, even if those limits forcement and result in from time to time diminish the effectiveness of law en more bad things happening than would otherwise be the case. 13.24. Understanding the need for legal limits on state power is easier than knowing where those limits are to be placed. It is here that my third principle comes into play. 16 J. Bentham, Panopticon , 1787. The Panopticon was a design for a circular institutional building in which all could be obser ved by a central watchman, but none knew whether they were being observed or not. Promoted by Bentham as an enlightened model for a prison, the notoriety of the concept stems from the analysis of Michel Foucault in Discipline and Punish , 1975. 17 Or as I sabella Sankey of Liberty stated in evidence to the ISC: “ Some things might happen that could have been prevented if you took all of the most oppressive, restrictive and privacy - infringing measures. C Privacy and Security Report, para 94. ”: IS That is the price you pay to live in a free society 250

257 CHAPTER 13: PRINCIPLES Th ird principle: rights compliance My third principle is that the state must respect internationally guaranteed rights and 13.25. freedoms. 13.26. The UK’s Parliament is sovereign. Almost uniquely in the world, it is untrammelled by the constraints of a written constitut ion; and even HRA 1998 places no constraints on 18 its power to legislate as it pleases. But the unbridled exercise of that sovereign power is liable to place the UK in breach of international legal obligations that it has ans, in particular, that: freely chosen to observe. This me (a) Powers that intrude into the privacy of communications must be expressly provided for by accessible and foreseeable laws. for the body (b) Such powers may only be exercised when it is strictly necessary in question to fulfil its legal ly prescribed mandate. Measures taken must be proportionate (c) to the objective, meaning that the measure must be selected that least restricts human rights and that special care is taken to minimise the adverse impact of any measures on the rights of individ uals, including in particular persons who are not suspected of any wrongdoing. (d) There must be a clear and comprehensive system for the authorisation, monitoring and oversight of the use of any measure that restricts human rights. (e) Individuals whose rights ma y have been infringed must be able to address 19 . complaints to an independent institution and seek an effective remedy Also in play are the UK’s obligations to protect the (including freedom of expression assembly fair trial by protecting journalistic sources), and the the freedom of principle - client privilege). Even those rights are not (including by respecting lawyer absolute: under the ECHR, they may yield to sufficiently pressing considerations of 20 national security and crime prevention. 13.27. Whether descr ibed as human rights, civil liberties or fundamental freedoms, these rights assume their most prominent and enforceable form in the ECHR and the EU - related limits on legislative and executive power Charter. But the placing of privacy an phenomenon: it is a feature of all major international human is more than a Europe 21 and of most constitutions. Indeed I was struck on my visits to the rights instruments, US and Canada by how often it was explained to me by Government or law 18 See 5.2 above. 19 Cf. M. Scheinin, Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Compilation of good practices on legal and institutional frameworks and measures that ensure respect for human rights by intelligence agencies while countering terrorism, including on their oversight: UN General Assembly Human Rights Council, 17 May 2010, para 26. 20 See 5.21 - 5.22 above. 21 See, in particular, the ICCPR, drawn from the Universal Declaration of Human Rights (1948) and ratified by 167 states worldwide. 251

258 CHAPTER 13: PRINCIPLES ticular interference with privacy or personal data would enforcement officials that a par like Charter of be considered unconstitutional, or (in Canada) contrary to its ECHR - Rights and Freedoms. 22 13.28. Central to most of these rights are the concepts of necessity and proportionality. Because t hose concepts as developed by the courts are adaptable, nuanced and context specific, they are well adapted to balancing the competing imperatives of - privacy and security. But for the same reasons, they can appear flexible, and capable of subjective appli cation. As a means of imposing strict limits on state power (my - edged second principle, above) they are less certain, and more contestable, than hard rules of a more absolute nature would be. 13.29. entially intrusive powers This highlights the vital importance of ensuring that where pot are concerned, the necessity and proportionality tests are applied according to a thorough set of criteria, and in an independent spirit. However much credit one gives wondered whether a the state for its probity, one can understand those who have 23 The greater element of independence might occasionally have made a difference. paramount importance of independence is reflected in my recommendations regarding not only oversight (where effective though improvable independent mechanis ms have already evolved in the UK) but authorisation. 13.30. To the principle that legally enforceable rights must be respected, I would add two riders: (a) It is not always clear how far legal obligations extend . Court challenges are currently pending or have very recently been resolved in relation to bulk collection, intelligence sharing, data retention, CNE, the protection of journalists’ sources and legal professional privilege. It is not always possible to or is it the function of a predict the ultimate outcome of such challenges, and n report such as this to do so. (b) . I have felt free to Practices may be imperfect without being unlawful recommend change even when the law does not (or may not) require it. My able law, not just one recommendations aim to produce a modern, fair and work that may hope to survive future court scrutiny. Fourth principle: clarity and transparency 13.31. The desire for legislative clarity is more than just tidy - mindedness. Obscure laws – and there are few more impenetrable than RIPA and its s atellites – corrode democracy itself, because neither the public to whom they apply, nor even the legislators who 24 debate and amend them, fully understand what they mean. Thus: (a) The scope of the RIPA Part I powers, and the precise nature of their interacti on with other powers such as WTA 2006, is not apparent from their wo rding. Other 22 See 5.18 - 5.22 above. 23 See, e.g., Liberty’s criticism of the alleged Optic Nerve programme. See Annex 7 to this Report and 12.68 above. 24 - 12.23 above. See the criticisms summarised at 12.20 252

259 CHAPTER 13: PRINCIPLES 94; ISA 1994 ss 5 and 7) are so baldly stated as to tell the powers (TA 1984 s citizen little about how they are liable to be used. (b) Obscurity was perpetuated by the paucity of litigation on RIPA Part I (itself a consequence of its covert operation) and by the Government’s failure to indicate (at least until the Charles Farr Statement of 2014) how it interpreted the law. (c) Recent amendments to DRIPA have been put through Parliamen t on either an urgent (DRIPA 2014) or expedited (CTSA 2015) basis, with the result that few parliamentarians were in a position to understand their full context and implications. 13.32. Confusing legal structures governing investigatory powers are not unique to t he UK, as I discovered on my visit to the United States (where little - publicised executive orders add further complication). But countries which routinely intercept the communications and collect the data of persons outside their jurisdiction owe a specia l duty to ensure that at least the basic thrust of their laws can be understood by intelligent people across the world, without the aid of a highly specialised lawyer or a wet towel. 13.33. The fact that the subject - matter is technical is no excuse for obscurity. It should be possible to set out a series of limited powers, safeguards and review mechanisms with a high degree of clarity and (as RIPA itself demonstrated) without technical he speed jargon: the place for the latter is in regularly updated Codes of Practice. T and unpredictability of technical change means that any statute is likely to need replacement (or at least significant updating) within 10 or 15 years. The use of technical language would tend to accelerate this outcome rather than delay it. 13.34. RIP A Part I has been patched up and mended a number of times, and could no doubt be kept on the road a little longer. It does not seem to me, however, that such a process would be sufficient to provide the clear and principled structure anticipated above. M ore is required if the law is to command public respect, at home and abroad. Accordingly, my recommendations are for a law that (while it would adopt much that is good in RIPA Parts I and IV) would replace them with a new statutory framework. Fifth princi ple: a unified approach 13.35. The ISC Privacy and Security Report recommended that the Government should introduce a new Intelligence Services Bill, consolidating “ the intelligence and security ” of at least seven Acts of Parliament, including related provisions RIPA (Recommendation XX). 25 13.36. The Report did not recommend “ reforming RIPA ” where other bodies were concerned (although, consistently with the scope of its own responsibilities, the ISC did not enquire into the use of RIPA by such bodies). The ISC envisaged that the police and other public authorities would not be covered by the new legislation, on the 25 ISC Privacy and Security Report, p. 8 para xviii. 253

260 CHAPTER 13: PRINCIPLES there should be a clear separation between basis that (as it stated in a footnote) “ 26 intelligence and law enforcement functions ”. The idea of consolidating dup licative powers over interception and communications 13.37. data powers is a sound and (I have found) an uncontroversial one. My own recommendations are to the effect that equivalent powers to those in RIPA Part I should be brought within the same framework or a t least made subject to equivalent 27 conditions. 13.38. More controversial is the idea that the law in this area should enshrine, for the first time, a clear separation between intelligence and law enforcement functions. It is true that such a separation is a fea ture of the laws of many other countries. Even in the UK, some statutory powers (notably those contained in ISA 1994 ss 5 and 7) are . The ISC’s recommendation is reserved to the security and intelligence agencies therefore a perfectly logical one. 13.39. I do n ot however echo that recommendation, partly because I believe for the reasons stated above that RIPA Part I and associated powers require reform across the board, not just as they concern the security and intelligence agencies , and partly because it seems to me that to hive off the security and intelligence agencies in the manner suggested would be a retrograde step. 13.40. The seamless and cooperative working relationship between security and intelligence agencies and the police is a feature of the UK security la ndscape that is widely admired, but rarely successfully imitated, across the world. Part of the secret of that success is that police and agencies (in particular MI5) interoperate across significant e the London bombings of parts of their work, a process that has accelerated sinc 2005. So, for example: MI5 works closely with counter - terrorism police not only in London but in other (a) UK , for example in the four regional police Counter - Terrorism Units parts of the and four Counter - Terrorism Investigation Units across England and Wales and at major ports and airports. (b) There is a similarly close relationship between MI5 and the NCA in the field of serious and organised crime. (c) Police and MI5 each have their own investigative and surveillance teams, which ame techniques, will often be interested in the same targets and may use the s to some extent be used interchangeably. 13.41. Nor should the work of MI5 be distinguished from that of MI6 and GCHQ: it became evident to me during the course of the Review that they depend eve r more on one another. 13.42. There are still investigatory powers that only the security and intelligence agencies deploy: notably, bulk data collection and CNE. I have not suggested that this should 26 Ibid. , fn 289. 27 7 below. - Recommendations 6 254

261 CHAPTER 13: PRINCIPLES bly by private change. But as technology develops, bulk data analysis (nota companies) becomes a standard feature of everyday life and digital investigation techniques become more widespread, the trend may prove to be towards convergence rather than the reverse. on culture. Where investigatory 13.43. There is also the issue of oversight, and its effect security and intelligence agencies , police and other public powers are concerned, 28 I authorities are all subject to the unitary audit and inspection regime of IOCCO. welcome this. The degree of an intrusion into privacy i s not affected by whether that intrusion is conducted by security and intelligence agencies or by police. Firm rules and strong oversight are as necessary in one case as they are in the other. To subject rules for essentially the same activities different public authorities to different sets of could give rise to a dilution in regulatory expertise, different standards of oversight – if a distinctive (particularly if IOCCO were itself split down the middle), and ultimately intelligence “ velop where the use of routine investigatory powers is ” culture were to de concerned different standards of conduct. It might even prompt a tendency to leave – the exercise of intrusive powers to whichever body was perceived to be less strictly regulated. None of this would be welcome. 13.44. My fifth principle is, therefore, that there should be a single body of law, and a single system of oversight, for equivalent investigatory activities conducted by different 29 public authorities. – the objective Recommendations Applying the abo 13.45. ve principles in the light of the evidence submitted to the Review, a single new investigatory powers law will have to provide exhaustively , clearly , in a manner and with the maximum possible compliant rights - technological neutrality for: types of meas ures permitted for the collection of data; (a) the (b) the range of public authorities entitled to collect it; (c) the objectives for which each type of collection measure can be used; (d) the categories of person which may be subject to each type of collection measure; (e) the t hreshold required to justify the use of each type of collection measure; (f) the procedures for authorising each type of collection measure; (g) the duration for which each type of collection measure can be applied; 28 It is not echoed in relation to RIPA part II, whose surveillance powers are audited by the ISC ommr (in respect of the agencies) and the OSC (in respect of other public authorities). If my recommendations are followed, this distinction will cease to exist. 29 This is reflected in my Recommendations 1, 6 and 7. 255

262 CHAPTER 13: PRINCIPLES eria that apply to the use, (h) the types of data that may be held, and the crit retention, deletion and disclosure of those data; the (i) data and intelligence, including the conditions that parameters for sharing must be met for intelligence to be shared, the entities with which intelligence may be shared and the safeguards that apply to exchanges of intelligence both domestically and internationally; (j) an express prohibition on the use of foreign partners in any way that results in the circumvention of national legal standards and institutional controls; (k) imum transparency that is compatible with effective operational use of the max the powers; and the procedures for overseeing and reviewing the use of collection measures (l) 30 and the analysis, use and sharing of data recovered pursuant to them. 13.46. Where the interference with the right to respect for the privacy of communications is systematic rather than suspicion - based, “ [t]he sheer scale of the interference with privacy rights calls for a competing public policy justification of analogical magnitude ”, “ a meaningful public account of the tangible benefits that including – as a m inimum – 31 accrue from its use Enhanced procedures and safeguards may also be required ”. particularly sensitive rights are in issue, e.g. the right of journalists not to when , and the right of a lawyer’s client not to have his privileged legal disclose their sources communications disclosed. 13.47. Finally, it should never be forgotten that the state owes a primary duty to keep its people safe. Subject to all of the above, I recommend that public authorit ies should be provided with the faced by the tools needed effectively to combat the threats 32 UK, its citizens and indeed those of other nations. 13.48. In the remaining two C hapters, which should be read together, I indicate the thinking behind some of my princip al recommendations, before listing the recommendations themselves. 30 Cf. M. Scheinin (UN Special Rappor teur on the promotion and protection of human rights and fundamental freedoms while countering terrorism), Compilation of good practices on legal and institutional frameworks and measures that ensure respect for human rights by intelligence agencies while countering terrorism, including on their oversight: UN General Assembly Human Rights Council, 17 May 2010, Recommendations 20 - 35. 31 Ben Emmerson QC (UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while count ering terrorism), Report to the General Assembly of 23 September 2014, para 13. 32 Three examples of bulk data analysis delivering subjects to justice are at Annex 9 to this Report. Case studies 3, 5 and 6 helped other countries. 256

263 14. EXPLANATIONS INTRODUCTION The recommendations in Chapter 15 can be read on their own, but this C hapter 14.1. provides some of my background thinking. It does not gloss every individual recomme e xplain, by going through the principal ndation, but aims to recommendations in numerical order: how the y relate to (a) earlier parts of this Report, (b) why they were made, and (c) why they take the form that they do. 14.2. is C hapter rela tes to my recommendations on: The most detailed commentary in th (a) Definitions of content and communications data ( Recommendation 12 , 14.11 - 14.12 below); Compulsory data retention (b) Recommendation 14 , 14.14 - 14.22 below); ( (c) 2012 Communications Data Bill ( Recommendations 15 - 18 , 14.23 - 14.38 below); (d) Bulk collection and bulk warrants ( Recommendation s 19 and 40 - 49 , 14.39 - 14.45 and 14.72 - 14.77 below); - 14.63 and (e) , 14.60 Specific interception warrants ( Recommendations 26 - 38 14.68 14.70 below); - Judicial authorisation of warrants ( Recommendations 22, 30 and 47 , 14.47 - (f) - 14.57 and 14.64 14.67 below); (g) Collection of communications data ( Recommendations 50 - 71 , 14.78 - 14.86 below); (h) Extraterritorial effect ( Recommendations 24 - 25 , 14.58 - 14.59 below); Use of intercepted material and data (i) 93 14. ( Recommendations 72 - 81 , 14.87 - below); (j) The Independent Surveillance and Intelligence Commission - ( Recommendations 82 - 112 , 14.94 14.100 below); and - The IPT ( Recommendations 113 (k) 117 , 14.101 - 14.108 below ) . 257

264 CHAPTER 14: EXPLANATIONS (Recommendations 1 12) GENERAL - Recommendations 14.3. 9 give effect to my fourth pr inciple ( clarity and transparency ) - 1 1 as well as to the legal requirement ), unified approach and my fifth principle ( judgment (illustra of 6 February in the Liberty IPT case ) that powers will be ted by the accessible and fore law. lawful only if provided for in an seeable 14.4. Most of these recommendations have their origins in repeated submissions to the 2 Review from civil society: but they were willingly and ungrudgingly endorsed by almost everyone to whom I spoke, including within Government and the security and intelligence agencies. 14.5. encourages a radical departure from the convoluted structures Recommendation 4 and language of RIPA, and challenges the Office of Parliamentary Counsel to produce a text in accordance with their own aspi rations and clear, effective and readable best practice. I explain at 1.9 above the special importance of ensuring that the new law can be understood by all those who debate it, apply it or are liable to be affected by it, in the UK or abroad. Recommendations 6 and 7 seek to make the new law, so far as possible, both 14.6. 3 comprehensive one - stop shop for investigatory powers. and a 14.7. Recommendation 9 deals with the avowal and underlines the of intrusive capabilities, prov powers should be used only if ECHR Article 8 requirement that intrusive ided for in a sufficiently accessible and foreseeable law. I emphasise that I am not aware of any sensitive capabilities which have not been avowed to the Secretary of State. Indeed I have been assured there are none. 14.8. Recommendation 10 ( restrictions on d isclosure ) makes the point that if the use of controversial capabilities is to be properly debated and defended, including before the courts, the law must not place obstacles in the way of doing so other than those which are strictly required by the constr aints of national security. It also picks up the need for clear rules on when intelligence can be shared, a point highlighted by the Police 4 There will be an additional Ombudsman for Northern Ireland in a recent report. reason for reviewing RIPA s19 if m y Recommendation 99 is followed: see 14.103(b) below. here 14.9. As to Recommendation 11 ( criminal offences ), t may be an argument for specific new criminal offences to be created (or higher penalties made available for existing offences), as suggested in the JC CDB Report (paras 227 and 229), the ISC D Privacy and Security Report (Recommendation T) and in the submission of Richard Greenhill to the Review. But it would be contrary to principle to render any breach of would enable the Secretary of State to the Codes of Practice a criminal offence: this create new criminal offences without proper parliamentary scrutiny, and would risk 1 13.31 - 13.44 above . 2 Chapter 12 above. 3 The non - RIPA powers referred to in these recommendations are introduced at 6.9 - 6.33 and 7.62 - 7.65 above. 4 In this respect I make no comment on the interpretation of RIPA or its predecessor statute IOCA 1985, e Police Ombudsman referred to conflicting advice on the interpretation of IOCA and but note that th endorse his call for clarity. 258

265 CHAPTER 14: EXPLANATIONS destroying the benevolent culture of voluntarily confessing to error that successive IOCCs have remarked upon with approval. Recommend ation 12 14.10. definitions of content and communications data ) is of ( central significance for the construction of any new law. As to the distinction between content and communications data : 14.11. explained The borderline is neither as clear nor as simple as when it could be (a) in terms of the content of the letter versus the writing on the envelope. Communications data currently comprises some types of data (location  data, and even some subscriber data) that can be quite revealing of 5 personal habits and characteristics .  As is less often remarked, content (an undefined, residual category which includes anything not classified as communications data) comprises some material which is not particularly intrusive (e.g. a cookie, the date of a letter or the title of a file at tached to an email: 10.28 above).  There may be difficult cases at the margins, particularly in the esoteric technical sphere in which GCHQ operates. (b) I do not recommend removing the distinction, despite the submissions referred A difference in terms of intrusiveness between “ to at 12.27 12.28 above. - what is said or written ” on the one hand and “ the who, when, where and how of a 6 ” on the other communication is generally recognised, including in the practice 7 of other States and in the case law of internati onal courts. 8 But there is a case for (a) defining content in the new law (c) and (b) reviewing the borderline between content and communications data (in the new law or its Codes of Practice) so as to ensure that it reflects the reality of modern technology. CSPs pointed to web logs, cloud services and social media as areas of ambiguity: 11.36 above. Thought has undoubtedly been given to these matters within the security and intelligence agencies, but no proposal was ready to be put before me. Accordingly I recommend a review which should be as open and inclusive as possible. 5 The ISC coined the concept of “ Communications Data Plus ”: Privacy and Security Report, March 2015, Recommendation W. 6 These helpful shor thand terms are used in the Acquisition and Disclosure of Communications Data Code of Practice, 2.12; cf. the 2013 Annual Report of the Interception of Communications Commissioner, April 2014, 4.2. 7 See, e.g., Joined Cases C - 293/12 and C - 594/12 Digital Rights Ireland , CJEU 8 April 2014, para 39: knowledge of content affects the essence of privacy rights in a way that knowledge of other data does not. 8 3.2.7. - As recommended in IOCCO’s submission to the Review, December 2014, 3.2.6 259

266 CHAPTER 14: EXPLANATIONS (d) In the meantime: I have assumed in my proposed scheme that a distinction between  , and have content and communications data will persist into the new law reflected this in my proposa ls for authorisation.  But i n recognition of the fact that some communications data may be relatively intrusive some circumstances , , I have recommended that in including but not limited to privileged and confidential material, there should be judicial dete rmination of an application to access communications data (Recommendations 68 and 70 ). into subscriber information, service 14.12. As to the subdivision of communications data use information and traffic data (6.6 above): 9 10 11 fashioned, old - (a) relevant for only limited purposes That division is obscure, 12 and not reliably based on the relative intrusiveness of the data sought. (b) The JCDCDB recommended almost three years ago that “ a new hierarchy of data types needs to be developed [t]here should be an urgent ” and that “ consultation with industry on changing the definitions and making them relevant 13 ”. to the year 2012 This has not taken place. 14 (c) I reiterate the JCDCDB’s advice. Any review should once again be as open picion that attaches to any and inclusive as possible, so as to dissipate the sus redefinition of terms in this area. It should also have in mind Recommendations 51 and 56 below. (Recommendations 13 19) CAPABILITIES - 14.13. Capabilities (leaving aside the recently - avowed CNE, which is currently the subject of litiga - 7.65 above) are controversial in three main respects. These tion in the IPT: 7.64 may be summarised as: (a) Compulsory data retention : whether CSPs should be obliged to retain certain types of communications data relating to all their customers for periods of up to 9 For example, on e of the elements of the definition of s21(4)(b) “Service Use” information is that it “ contains none of the contents of a communication ”; yet the contents of a communication are nowhere defined in the Act. 10 ” to telephone services but not usually to apps See, e.g., “ subscriber information ”: people “ s ubscribe used for internet communication. 11 6.7 above. 12 Subscriber information can be of a personal nature: 6.6(c) above. 13 JCDCDB Report, November 2012, paras 169 and 167. 14 It did seem to me that co mmunications data might usefully and comprehensibly be reclassified by investigative purpose, taking as a starting point the categories originating in the Data Retention Directive and currently set out in the Schedule to the Data Retention Regulations 2014 (e.g. “ the internet service used ”, “ data necessary to identify the date, time and duration of a communication ”). Everything else would be classified as content. But I have stopped short of making a recommendation in those terms: the issue is highly techn ical; the suggested approach was variously described by those I tried it out on as too broad and too narrow, and would require more thought; and in any event the issue should logically ons data has been decided be considered only after the borderline between content and communicati upon. 260

267 CHAPTER 14: EXPLANATIONS 12 months, as is currently the case under DRIPA 2014 s1 and CTSA 2015 s21 (and was previously the case under the EU Data Retention Directive). (b) Communications Data Bill : whether (as originally proposed in a Bill of 2012, the snoopers’ charter dubbed by its opponents “ additional obligations should ”) be placed upon CSPs, in particular as regards the retention of:  records of subscribers’ internet interactions (loosely known as web logs: see the Home Office definition of this term at 9.53 above); and  the entire content of third - party communications that passed over the network of a UK CSP. Bulk collection : whether GCHQ should be entitled to recover content and (c) related communications data in bulk from cables carrying overseas traffic, as is ted under RIPA s8(4), and to use it in specified ways for the currently permit purposes of protecting national security. In framing my recommendations on capabilities, I seek to give effect to my first principle ( minimise no go areas ) as well as by the second ( limited powe rs ) and third ( rights compliance ). Compulsory data retention 14 states that the data retention power now contained in DRIPA 14.14. Recommendation 2014 s1, as supplemented by the additional category of information whose retention is required by CTSA 2015 s21 (6.60 6.63 and 7.38 above) should remain in force after - December 2016. 14.15. A comparative survey of compulsory data retention laws in Europe and the Five Eyes countries is at 8.55 - 8.59 above. Laws in Canada and Australia dating from 2014 and 2015 have made provisio n for compulsory data retention. 14.16. The utility of communications data to law enforcement across the board is explained at 7.43 - 7.51 and accompanying annexes. The experience of the police, NCA, CPS, Europol and European Commission in relation to the particul ar utility of retained data in criminal and missing persons investigations is at 7.49 - 7.51 and 9.43 - 9.47 above. The points made at 9.45 are of particular significance: older data may be the only way to catch the ringleader in a conspiracy, or to investiga te a crime months have when elapsed between the incident and the identification of a suspect. 14.17. In order to test the utility of retained communications data, I decided to visit a country where data retention i s not required , and to take evidence from law e nforcement and from others . The obvious choice was Germany, where EU data protection rules apply as they do in the UK, but where the rules implementing the EU Data Retention Directive were struck down in March 2010 by the Federal Constitutional Court. 14.18. On a visit to Berlin in December 2014, I was able to question the Interior Ministry and internal security service (BfV) on the issue of data retention, together with the Federal (an Chancellery, the Justice Ministry, the Federal Data Protection Authority, Bitkom organisation representing CSPs) and academics who have reported on data retention. 261

268 CHAPTER 14: EXPLANATIONS My interlocutors spoke frankly, knowing that I would not attribute views to them or to their organisations in this report. But in summary, I took away the following: There is some non - compelled data retention: the criminal code allows data (a) which have been retained for business purposes to be made available to the police. German CSPs currently keep data for up to 90 days in some cases, though generally much less. It w as suggested to me by opponents of data retention that the utility of retained data falls off sharply after three months or 15 so. that a compulsory data retention requirement (b) German law enforcement told me would be useful, particularly but not exclusively i n relation to internet fraud and child pornography cases which they were increasingly unable to tackle. They continue to log examples of cases that they cannot pursue because retained data were not available. (c) The enactment of a compulsory data retention l aw wa s however (since Digital Rights Ireland the political agenda . off ) Public opinion (particularly in the west of the country) is strongly pro - privacy, (d) th partly because of 20 century historical experience and partly because there is little current expos ure to terrorism, limited consciousness of cyber - crime and because people generally feel secure (or as one official put it to me, “ take security for granted ”). ”, under which quick freeze called “ (e) Data preservation proposals (the so - preservation orders would only once a suspicion arises) were not be served being pursued. They are not considered an adequate alternative to data retention by German law enforcement, despite the apparent encouragement of the CJEU above), and are considered technically pr oblematic by some (5.68(c) 16 CSPs, which also had concerns about reimbursement. 14.19. I put to my German interlocutors the very striking example given in the impact 17 assessment that accompanied the DRIP Bill in 2014 of Operation Rescue, a major recent Europol investigati on into international online child sexual exploitation. In the words of the impact assessment: “Of 371 suspects identified in the UK, 240 cases were investigated and 121 arrests or convictions were possible. In contrast of 377 suspects identified in Germa ny, which has no such data retention arrangements, only seven could be investigated and no arrests could be made.” Those familiar with the example did not deny the essential truth of this account, though se guys were only going to comment that “ M a senior German academic ed ost of the 15 See however the UK police survey prepared for the JCDCDB, which found that 28% of all requests made by 62 UK law enforcement agencies over a two week period in June 2012 were for data over - three months old. 16 In the 201 2 UK police survey referred to at 7.50(a) above, 28% of all data requests concerned people who were not suspects: 18% were victims. 17 Data Retention Legislation, IA No. HO0126, June 2014. 262

269 CHAPTER 14: EXPLANATIONS ” and that “ M look: they would not actually have done anything issing one or two ”. paedophiles is a reasonable price to pay for not having blanket intrusion while it is evident that German public attitudes (and the German p olitical 14.20. So thus debate) are in a very different place from their UK equivalents, nothing I heard there causes me to question the strong law enforcement rationale for data retention that was pressed on me by UK police and others. 14.21. The CJEU in Digital Rights Irelan d agreed that data retention could be “ a valuable tool investigations ” (5.67 above), and did not go so far as to suggest that for criminal compulsory data retention is unlawful. I commented at length on the Digital Rights judgment at 5.63 - ve. Whilst data retention was described by the Ireland 5.79 abo ” infringement of fundamental rights (5.78(b) above), I particularly serious CJEU as a “ was referred to no concrete examples, whether in the UK or Germany, of harm to individuals caused by the retention of comm unications data in a country where proper safeguards regulate its use. The meaning of 14.22. , and its impact if any on DRIPA 2014, will no Digital Rights Ireland doubt be elucidated in the course of the proceedings begun by David Davis MP and Tom Watson MP: 5.75 above. The constraints of EU and of ECHR law of course have to be respected. But I am clear in my recommendation that data retention is a useful capability in fighting all kinds of crime, and that it should be retained in a manner that h those legal obligations. is consistent wit Communications Data Bill 8 14.23. relate to the controversial matter of the draft Recommendations 15 - 1 Communications Data Bill, which was the subject of the JCDCDB Report of December 2012. The centrepiece of the draft Bill was clause 14.24. 1, an excessively broad power which would have allowed the Secretary of State, by order, to require CSPs to generate and collect all “ necessary ” communications data for the services and systems they provide, to retain it and to facilitate the efficient an d effective obtaining of the data by 18 public authorities. This was said to be necessary in order to bridge a growing “ data gap ” which meant that even in 2012, “ approximately 25% of communications data 19 required by investigators is unavailable ”. The JCDCDB 14.25. data acknowledged the existence of a “ gap ”, but (noting the increased volume of communications data potentially available) resisted the Govern ment’s attempt to quantify it. It criticised the Home Office for assuming “ that a consultation paper published in April 2009 could justify publication of draft legislation three years later without further consultation with the public and with those most closely affected by its proposals ”. The JCDCDB concluded : 18 JCDCDB Report, November 2012, para 61. 19 , para 34. Ibid. 263

270 CHAPTER 14: EXPLANATIONS vide the law enforcement “.. that there is a case for legislation which will pro authorities with some further access to communications data, but that the current draft Bill is too sweeping and goes further than it need or should”, adding that: “[b]efore re - drafted legislation is introduced there should be a new round of consultation with technical experts, industry, law enforcement bodies, public authorities and civil liberties groups” 20 on the basis of a narrower, more clearly defined set of proposals. 14.26. Those narrower proposals focussed on: (by indicating who subscriber data mak ing it possible to resolve IP addresses (a) is using a dynamic address at a particular time); (b) web log up to the records of user interaction with the internet, in the form of first slash; the storage and disclosure by UK CSPs of third party d ata traversing their (c) networks which relates to services from other providers; and (d) the creation of a request filter , described as “ a very complicated piece of 21 ”, to speed up complex inquiries and minimise collateral intrusion. technology 14.27. The Home Office sou ght to take the recommendations of the JCDCDB into account down draft Bill in early 2013, which I have been shown. and produced a pared - However, the ensuing political paralysis on the subject of communications data has dress resolution (which was addressed, in part, in meant that save in relation to IP ad CTSA 2015 s21), there has been no Government mandate to take matters forward over the past two years. Though I asked Ministers in late 2014 for permission to show the draft Bill (or at least 14.28. it) to CSPs with whom I discussed the issues, in particular at a lengthy a summary of meeting of the CDSG, that permission was not forthcoming. It became clear that in the absence of unified political will to progress the proposals, there has been little them with important stakeholders. discussion of Meanwhile, the rest of the world has not stood still. 14.29. (a) Lord Blencathra, Chair of the JCD CDB , complained after publication of some 22 of the Snowden Documents that Prism and the alleged Tempora programme were “ highly, highly relevant ” to the JCDC DB ’s enquiry, but that the JCDC DB 23 even given any hint ” of their existence. had not been “ 20 Ibid. , November 2012, paras 36, 56, 281 and 284. 21 JCDCBC Report, November 2012, paras 121, 126. 22 Annex 7 to this Report, paras 3 and 5. 23 “Conservative peer Lord Blencathra hits out at online spying by GCHQ”, Guardian website, 14 October 2013. Lo rd Blencathra was quoted as saying: “ Many of us are happy to have certain information collected by the state but, by God, we've a right to know the parameters under which they are ." operating 264

271 CHAPTER 14: EXPLANATIONS The progress towards universal encryption has accelerated since the (b) publication of the Snowden Documents, giving added force to the doubts sed by the JCDC DB expres about the technical utility of the third party data 24 proposal. The Digital Rights Ireland decision of April 2014, with its sceptical approach to (c) data retention even in the more limited form that was provided for in the Data Retention D irective, raises legal questions as to the more extensive powers mooted in the draft Bill. It was suggested to me at the CDSG meeting that I attended in early 2015 that (d) the proposed request filter may have been overtaken by technological developments. Tho ugh the position is sometimes opaque or hard to research, I am aware of no other 14.30. Five Eyes or European country that provides for the compulsory retention either of 25 ere gs (9.55 above) or of third party data. web Such obligation s w lo not considered politica lly conceivable by my interlocutors in Germany, Canada or the US. The 2015 Australian data retention law specifically exempts both web logs and third party data from the categories of data that must be retained by CSPs (9.55 and 9.64 above). 14.31. Against that l egal, technical and comparative background, it seems to me that a high degree of caution is in order. asserted their operational So far as web logs ar e concerned, the police and NCA 14.32. - 9.59 above): utility for three purposes in particular (9.58 (a) attr ibute communications to indivi dual devices; to help identify use of communications sites (allowing service providers to be (b) to approached for further detail); and (c) to gather intelligence or evidence on web browsing activity , both on sites suggestive of criminality a nd more generally. 14.33. I have no doubt that retained records of user interaction with the internet (whether or not via web logs) would be useful for each of those purposes. But that is not enough on its own to justify the introduction of a new obligation on C SPs , particularly one 26 which could be portrayed as potentially very intrusive on their customers’ activities. Though the submissions I received from law enforcement were emphatic about the value of such records, I was not presented with a detailed or uni fied case on: 24 JCDCBC Report, paras 91 - 101. 25 session logging A recent comparative survey referred to (1) a Danish law of 2002 that provided for “ ” th (sampling the destination and source IP address of every 500 packet) until this requirement was removed in June 2014, reportedly because Danish police were unable to use the data, and (2) a recent Finnish Bi ll (HE 221/2013) which provided for retention of “ metadata produced from browsing of websites ”, until this was removed after criticism from a parliamentary committee: Open Rights Group, “Data Retention in the EU following the CJ EU ruling”, April 2015. 26 The MPS suggested to me that the retained data would be useful for researching such matters as travel bookings and financial and property transactions: cf 9.59(b) above. 265

272 CHAPTER 14: EXPLANATIONS the precise definition of the purposes for which such records should be (a) accessible, and the relative importance of those purposes; the extent to which those purposes can in practice be achieved under existing (b) powers (e.g. the inspection of a seized device), by less intrusive measures than 27 that proposed or by data preservation, i.e. an instruction to CSPs to retain the web logs or equivalent of a given user who was already of interest to law enforcement; the precise records that would need to be retained for the above purposes, and (c) 28 how those records should be defined; the steps that would be needed to ensure the security of the data in the hands (d) of the CSPs; 29 the implications for privacy; (e) or (f) ls. the cost and feasibility of implementing the proposa 14.34. That is perhaps not surprising, given that political will has been lacking to progress the issue. I am sympathetic to the operational case made to me by law enforcement, particularly in relation to the objectives at 14.32(a) and (b) above, and particu larly if it is the case that a person’s web browsing history cannot readily be deduced from the 30 data that is retained. The point was also made to me that even the sight of a person’s web browsing history to the first slash (or equivalent), while unquesti onably invasive of privacy, might be thought by some to be not necessarily more so than the sight of 31 a person’s phone log and/or location data. 14.35. But privacy concerns are extremely strongly - felt in this area, as the international , which DB lear, and it is clear to me (as it was to the JCDC comparative picture makes c came to no conclusion as to the acceptability of requiring web logs to be retained) that a good deal more preparatory work needs to be done. Before any detailed proposal be carefully thought through and road - is made, it will need to tested with law enforcement, legal advisers and CSPs. Outside technical experts, NGOs and the public should be consulted and given a full opportunity to comment. A strictly 27 For example, the purpose at 14.32(b) could in princip le be achieved by requiring the retention of details relating only to communications sites: the JCDCDB Report of December 2012 recommended should examine whether it would be technically and operationally feasible, and that the Home Office “ to require CSPs to keep web logs only on certain types of web services where those cost effective, ”: para 88. services enable communications between individuals 28 The NCA was reluctant to ask specifically for web logs to the first slash, making the point that destinat ion IP addresses (which are numeric rather than textual, and analogous to a postcode rather than a house address) might be sufficient for some purposes (or for some CSPs). It also pointed out that the term web logs is inappropriate for non - web - based OTT a pps that use IPs but not urls. 29 The Home Office emphasised to me that what they describe as a web log is far less informative (and thus immediately intrusive) than e.g. an Internet Explorer web browsing history, but acknowledged also that if there is an operational requirement it may, by using very sophisticated analysis tools, be possible to identify a specific page or group of pages visited. Independent experts broadly confirmed that position to me. The extent to which that “ stickiness ” is a guarante e of privacy, and will remain so as technology develops, is obviously vital to the proportionality of the proposed requirement. 30 Thus reducing the risk of intrusion if the data were to fall into the wrong hands. 31 Phone logs as well as browsing histor ies can tell when someone has contacted Alcoholics Anonymous or an AIDS helpline. But the development of a society which depends more on the internet than it ever did the telephone, together with specific factors such as the widespread use of pornography sites, may add further sensitivity to browsing histories. 266

273 CHAPTER 14: EXPLANATIONS - based approach will be essential i evidence f this potentially useful initiative is to be progressed, especially bearing in mind the difficult legal climate summarised above. 14.36. The question of how access to such material should be authorised, and in particular d in addition to the normal mechanisms when and how ISIC may need to be involve for public authorities to access communications data, will also need careful consideration in the event that a proposal is advanced. 14.37. compulsory retention of third party data – an extremely expensive part of the As to planned Communications Data Bill – I did not get the sense that this was judged to be the priority that it once was, even within law enforcement (9.64 above). The CSPs I spoke to about it were either actively hostile or felt remote from the debate since i t was so long since they had been consulted. Some of the difficulties were identified in 32 D B . C Three years on, the comments of the JCDCDB at 14.25 2012 by the JCD above remain apposite. 14.38. Accordingly, as stated in Recommendation 18 , t here should be no quest ion of progressing this element of the old draft Bill until such time as a compelling operational case has been made, there has been full consultation with CSPs and the various legal and technical issues have been fully bottomed out. None of those conditi ons appears to me to be currently satisfied. Collection in bulk 14.39. Recommendation 19 concerns the equally controversial subject of bulk data The UK’s current regime for the collection of bulk data has been collection. exhaustively considered over the past y ear or so by: 33 The IOCC , in his reports of April 2014 and March 2015. (a) The limits on the power, and the safeguards on its operation, were meticulously set out and considered. 34 , in the Liberty IPT judgment of December 2014. (b) The IPT 35 , in its Privacy and Security Report of March 2015. (c) The ISC Some of the most senior judicial and political figures in the country have therefore had the opportunity to analyse the regime and to comment upon it. 14.40. The IOCC and the IPT were not tasked with evaluating the statutory fr amework, but rather with assessing whether it was properly and lawfully operated. Nonetheless, each was exposed to the practical reality of that operation, including the full s safeguards that operate to protect individual privacy. In that connection, it i significant that: (a) The IOCC, having pointed out that there was a policy question as to whether the duly authorised interception agencies should continue to be enabled to 32 JCDCBC Report, paras 89 - 109. 33 IOCC Report of April 2014 at (6.5.27 - 6.5.58); IOCC Report of March 2015 at 6.23 - 6.40. 34 Liberty IPT Case, judgment of 5 December 2014, paras 61 - 152. 35 ivacy and Security Report, chapters 4 and 5. ISC Pr 267

274 CHAPTER 14: EXPLANATIONS intercept external communications in order to assist their statutory functions, state ” that, subject to sufficient d that he personally thought it “ obvious 36 safeguards, they should be. In the same report he gave nine reasons, informed by his own detailed consideration, why “ the section 8(4) process does 37 invasion of privacy ”. not have a significant risk of undue (b) The IPT, though not tasked in that judgment with the consideration of proportionality, echoed and updated its own conclusion in 2004 that the s8(4) 38 regime was “ ”. in accordance with law 14.41. The ISC concluded that “ GCHQ’s bulk intercepti on is a valuable capability that should remain available to them ” and that the legal safeguards protecting the ”: it made some specific reassuring communications of people within the UK were “ 39 suggestions for enhancing the safeguards. 14.42. The law relating to bu lk collection is dealt with in this Report at 6.45 - 6.59 above, its utility at 7.20 - 7.27 above (with accompanying Annex) and its importance for the security and intelligence agencies at 10.14(b) and 10.22 - 10.26 above. The opposition expressed in some civil society submissions is summarised at 12.35 - 12.38 above. 14.43. It is sometimes assumed that GCHQ employs automated data mining algorithms to detect target behaviour, as is often proposed in academic literature. That, it would say, is realistic for tasks such as financial fraud detection, but not for intelligence analysis. Much of its work involves analysis based on a fragment of information which forms the crucial lead, or seed, for further work. GCHQ’s tradecraft lies in the specific analys is to bring together potentially relevant data from application of lead - diverse data stores in order to prove or disprove a theory or hypothesis. As illustrated 40 by the case study on GCHQ’s website, significant analysis of data may be required dentified. This tradecraft requires very high volumes before any actual name can be i of queries to be run against communications data as results are dynamically tested, refined and further refined. GCHQ runs several thousand such communications data queries every day. One of the bene fits of this targeted approach to data mining is that individuals who are innocent or peripheral to an investigation are never looked at, minimising the need for intrusion into their communications. 14.44. Contrasting reports on bulk collection have come out o f t he Council of Europe in 2015 : (a) A parliamentary committee reported in January that “ electronic mass surveillance is not even effective as a tool in the fight against terrorism and organised crime, in comparison with traditional targeted surveillance ”, and ca lling upon Council of Europe member and observer states to cease bulk 41 collection and analysis. Its observations were founded, in part, on the 36 IOCC Report, April 2014, 6.5.56. It may be of interest to note that Sir Anthony May, who wrote those words, was one of the judges who ruled against the intelligence agencies in the well known case of R - (Bin yam Mohamed) v Secretary of State for Foreign Affairs [2010] EWCA 65. 37 Ibid. , 6.5.43. 38 The ECtHR cases on bulk collection are discussed at 5.31 - 5.34 above. 39 See Recommendations F, P and generally at F - T. 40 “How does an analyst catch a terrorist? ” (GCHQ website): 7.5 above. 41 PACE Committee on Legal Affairs and Human Rights, “Mass Surveillance”, January 2015, para 126 and Resolution 17.1. The notion that bulk surveillance is not effective as a tool is contradicted by the 268

275 CHAPTER 14: EXPLANATIONS assessments of a study conducted under EU auspices, which has since gone on to conclude that “ [E]lectronic mass surveillance fails, and fails drastically. It - level usability scores which are overshadowed by a produces at best medium very high degree of ethical risk, coupled with levels of fundamental rights intrusion that on their own would make the surveillance le gally impermissible 42 ” under the EU Charter of Fundamental Rights and human rights treaties. (b) The European Commission for Democracy through Law (Venice Commission) reported in April 2015 in considerably more moderate (and on the basis of what 43 alistic) terms. I have seen, re  It accepted the utility of what it called “ strategic surveillance ”, remarking on its importance for target development and locating it as “ one part of an overarching trend towards more proactive surveillance of the 44 ”. population  Having rem arked that signals intelligence has historically been subject to relatively weak safeguards, partly because it grew out of military 45 intelligence aimed at foreign communications, it devoted most of its n and oversight. attention to the need for proper safeguards, regulatio  It concluded that “ it is necessary to regulate the main elements in statute form and to provide for strong mechanisms of oversight ”, observing that “ [t]he national legislature must be given a proper opportunity to understand the area and d raw the necessary balances ”. Whether or not the s8(4) regime is proportionate for the purposes of ECHR Article 8 14.45. is an issue awaiting determination by the ECtHR. It is not my function to offer a legal deration by a senior court. But assessment, particularly in a case that is under consi on the basis of what I have learned, there is no cause for me either to disagree with the factual conclusions expressed in recent months by the IOCC, the IPT or the ISC, or to recommend that bulk collection in its current f orm should cease. Indeed its utility, particularly in fighting terrorism in the years since the London bombings of 2005, has been made clear to me through the presentation of case studies and contemporaneous documents on which I have had the opportunity t o interrogate With such wide - ranging powers, it is however analysts and other GCHQ staff. absolutely necessary that the right procedures and safeguards should be in place: I Recommendations 40 address this topic, with some suggestions for improvement, at - 49 and 72 - 80 below. detailed examples I hav e been shown at GCHQ, six of which are reproduced in summary form at Annex 9 to this Report. One might wonder why, if it is not effective, it is practised at all. 42 SURVEILLE Deliverable D4.10, April 2015. Aspects of the SURVEILLE methodology seem deba table: some of the inputs are subjective in nature, and the potential of safeguards, regulation and oversight to reduce ethical risk seems not to have been taken into account. 43 European Commission for Democracy through Law, “Update of the 2007 Report on the democratic oversight of the Security Services and Report on the Democratic Oversight of Signals Intelligence - AD(2015)006. Agencies”, April 2015, CDL 44 Ibid. , paras 51, 61, citing legal requirements on companies to retain and make available airline passenger name records, metadata and financial transactions data. 45 , para 54. Ibid. 269

276 CHAPTER 14: EXPLANATIONS INTERCEPTION AND ACQUISITION OF DATA ( - 71) Recommendations 20 Recommendation 20 sets out the types of warrant and authorisation that I have 14.46. recommended should exist. These include the specific interception warrant, which would replace the current individual and thematic warrants, and the new bulk communications data warrant, which would enable bulk collection of communications data to take place without (as currently) needing to collect content at the same time. Recommendation 21 ses that a similar scheme should be extended to the new propo powers referred to in . Recommendation 6 is to the effect that warrants should be judicially authorised. 14.47. Recommendation 22 Following the submission to the Review of the Bingham Centre for the Rule of Law (12.23 and 12.52 above), I have suggested that the appropriate persons to perform this function would be senior serving or retired judges in their capacity as Judicial Commissioners. 14.48. by judicial The recommendation that Secretary of State authorisation be replaced authorisation is one of the more radical recommendations in this Report, since if 46 adopted it would replace a practice of several centuries’ standing. But there is a 47 precedent for it: and notwithstanding th e carefully reasoned contrary view o f the ISC 48 I found it one of the easiest to arrive at. Privacy and Security Report, 14.49. My starting point was not any legal consideration, but rather the remarkable fact (at least to an outsider) that the Home Secretary routinely signs thousands of warrants pe r year , most of them concerned with serious and organised crime and the remainder with national security (principally terrorism). The Home Secretary leads a huge department of state with responsibility for immigration and passports, drugs, policing, crime policy and counter - terrorism. Yet she has herself described warrantry as occupying more of her time than anything else (some of it on an urgent basis in the . middle of the night) In 2014, the Home Secretary personally authorised 2,345 interce ption and property warrants and renewals above . Warrantry is no doubt : 7. 33 49 approached by most Home Secretaries in a thoroughly conscientious manner, and the Home Office WGD does an admirable job in supporting her. But it is open to question whether thi s function is the best use of the Secretary of State’s valuable 50 time. 14.50. improve public confidence in The second reason for recommending change is to the system. I do not suggest that recent Secretaries of State have been complicit in 46 According to the report of the committee of Privy Councillors appointed to inquire into the interception of communications (1957, Cmnd 283), para 9, a proclamation of 1663 forbade the opening of letters save by warrant issued by the Secretary of State, but it appears to have formalised longstanding practice. See 2.20(a) above for the position in 1643. 47 In the report of the Joint Committee on Human Rights referred to at 12.50 above. 48 ISC Privacy and Security Report, March 2015, paras 194 - 203; Recommendations FF and GG. 49 As observed in the IOCC Report, April 2014, 3.40. But s ome, inevitably, will be more conscientious than others. 50 The Joint Committee on Human Rights made the same point in a report of 2007 (see 12.50 abo ve), stating that in a 15 - month period in 2006 - 07 the then Home Secretary had issued 2,243 warrants and modified 4,746 (though then as now, modifications were usually approved by a senior official within the WGD.) The Joint Committee said, mildly, that “ i t must be difficult for the Home Secretary to give much scrutiny to each request ”, and recommended that “ judicial authorisation replace ministerial - 162. authorisation other than in cases of genuine urgency ”: paras 161 270

277 CHAPTER 14: EXPLANATIONS ntry system, so as to target people for political or otherwise the abuse of the warra 51 The professionalism of the WGD would make this difficult, at improper reasons. least in a blatant fashion. But neither the British public nor the global public can be probity of the Secretary of State on trust, a point pressed on counted on to take the above - 12.53 me not only in the many civil society submissions on this point (12.50 ) but by a very senior police officer (9.91(a) above). The third reason for recommending change relates to what the ISC has described as 14.51. , which is no less a “ the single most important challenge that the Agencies face” challenge for law enforcement: the difficulties in obtaining assistance from service 52 providers based in the US . US companies which are used to a do mestic system of judicial authorisation and not instinctively inclined to obey a UK warrant can find it difficult to understand why they should honour a warrant signed by the Secretary of as others have State, as was impressed upon me in Silicon Valley (11.19 above) and also observed. The fourth reason for recommending change is that there is an - 14.52. established and well by Commissioners of comparably intrusive functioning system for judicial approval ence, intrusive surveillance measures, when applied for by the police: property interfer term undercover police operations (which are adjudicated upon by the and long - 53 I have Commissioners even when they are sought on national security grounds). spoken to four Surveillance Commissioners and been introduced to the tasks that they have to perform. Their experience (from a lifetime’s court work) of police attitudes and methods renders them well qualified to judge whether an application is truly if not – necessary and – also have the to send it back for reconsideration. The police highest professional respect for the Commissioners, which is reinforced when the Commissioners go to speak to them about what they expect. Even if they had the necessary time to consider the detail, few Home Secretaries would have the same experience or expertise. the legal position it is in principle desirable to entrust 14.53. , the ECHR considers that “ As to supervisory control to a ” but does not require judicial authorisation, at least judge 54 where individual warrants are concerned. It is possi ble however that a more independent authorisation mechanism may be required in the future, whether in relation to bulk warrants (where the need for robust safeguards is at its highest), or as a consequence of the CJEU’s apparent insistence, in Digital Righ ts Ireland , on “ prior review carried out by a court or by an independent administrative authority even in ” respect of (less intrusive) access to retained communications data (5.68 ( f ) and 5.79 . above) would provide that independence. Recommendation 22 14.54. intercepting authorities did not mind whether their warrants were issued by the Most Secretary of State or by a judge, so long as a quick turnaround could be achieved and urgency procedures were in place. The FCO was however insistent on ensuring that per function of the executive in relation to foreign affairs and national security the pro 51 It was abuse of interception and o ther powers by the FBI and CIA in the US, and by the RCMP in Canada, which prompted the introduction of judicial authorisation in those jurisdictions after the reports of the Church Committee and McDonald Commission in the 1970s and early 1980s. 52 ISC R igby Report, November 2014, para 460. 53 8.12, 8.15 and 8.19(c) above. 54 5.43 above; Liberty IPT Case, judgment of 5 December 2014, para 116(vi). - 5.40 271

278 CHAPTER 14: EXPLANATIONS was retained (10.44 above). There was some resistance on the part of intercepting authorities to the idea of double authorisation, which was perceived as unnecessarily consuming. time - 14.55. The arguments classically advanced in favour of authorisation by Secretary of State are that the Secretary of State has democratic accountability , that she is 55 , immediately available that the business of warrantry keeps the Secretary of State ell informed w as to the threat, and (as the ISC argued at para 202 of its Privacy and Security Report) that the Secretary of State has the ability to take into account the wider context of the warrant application. 14.56. On those points: (a) practice rarely if ever held politically accountable for The Secretary State is in the issue of warrants: contributing factors are RIPA s19, NCND and the fact that intercepted material is not admissible in court. The accountability that rdless of who issued the warrant. matters is in the IPT, and is the same rega There is no reason why a rota of Judicial Commissioners should not be as (b) 56 – indeed more so – than a Secretary of State. available (c) Civil servants are able to brief Ministers on the threat by means other than asking them to sign warrants. foreign policy, in which defence or There are certainly cases, largely involving (d) the wider political context is crucial and the perspective of the Secretary of State a necessary one. That point is addressed in , Recommendations 30 and 46 ed - dress below. at 14.64 ad 14.65 The ISC suggested that judges might approve more warrant applications than 14.57. Ministers (Privacy and Security Report, para 203); but the Foreign Office made to me “ e the UK ” because disadvantag the opposite point: that judicial authorisation might judges would be liable to refuse applications that Ministers accept. Were it the case that Ministers might be tempted to issue warrants in circumstances where it is illegal udicial authorisation to do so, that would seem to me a strong argument in favour of j rather than against it. Extraterritorial effect 14.58. The difficulties in securing cooperation from service providers overseas, particularly - in the US, are described at 11.15 11.28 above and, in more detail, in the ISC’s Rigby ras 415 - Report at pa Recommendation 24 summarises my impressions of how 460. a longer - term solution might look, after speaking to US service providers and to the US Government in December, but the decisive voice here will be that of Sir Nigel tish Ambassador to both the EU and the US, who was Sheinwald, the former Bri 55 As the Home Secretary said to the ISC: Privacy and Security Report, para 201. 56 The NCA complain ed of some difficulties in obtaining dates for signings by the Home Secretary: 9.91(b) above. 272

279 CHAPTER 14: EXPLANATIONS - 2014 as Special Envoy on intelligence and law appointed by the Prime Minister in mid enforcement data sharing. falls more directly within my remit. I understand those who argue 14.59. Recommendation 25 aterritorial application sets a bad example to other countries, and who that extr question whether it will ever or could ever be successfully enforced. It is certainly an unsatisfactory substitute for a multilateral arrangement under which partner countries would a gree to honour each others’ properly warranted requests, which must surely term goal. But some service providers find it easier to assist if there is a be the long - legal power purporting to require them to do so; and despite the fact that extraterritorial enforcement has not yet been tried, the presence on the statute book of DRIPA 2014 s4 has been of some assistance in securing vital cooperation from service providers. e On that pragmatic basis I suggest that it should remain in force, at least for the tim being. warrant s Specific interception Recommendations 26 - 38 14.60. concern what I describe as “ specific interception warrants ”, which like all other warrants must be issued by a Judicial Commissioner. 57 ts relate to one individual ”. Currently, “ the very significant majority of 8(1) warran 14.61. Limitation to a single person or premises would indeed appear to be required by the “ thematic literal wording of RIPA s8(1). But the practice has developed of issuing ” , which allow the same capability to be used a gainst a defined group or warrants network whose characteristics are such that the extent of the interference can 58 reasonably be foreseen, and assessed as necessary and proportionate, in advance. The use of thematic warrants (which recall the practice in parts of E urope of issuing 14.62. without listing every individual target ) warrants in respect of a particular investigation – has been a positive development though caution has been needed, not least because there is no very clear backing for them on the face of RIPA s8(1 ). A single warrant application in respect of (for example) an organised crime group gives the intercepting authority the power to add or remove persons or premises from the warrant without recourse to the Secretary of State, which can be particularly use ful in moving cases. Thematic warrants can give both the issuing authority urgent or fast - and the auditor a quicker and better grasp of the investigation than does a series of applications relating to different individuals. They can also help reduce the proliferation of documents of which the police complained to me (9.33 above). My intention has been to encourage the use of thematic warrants ( Recommendation 14.63. ) , but within strict limits . The key issue here is the power of modification: I have 27 recommende d the addition of a new person or premises to the wa rrant should normally be for a Judicial Commissioner (rather than, as currently , for a senior official but of a WGD), that the function may be delegated by a Judicial Commissioner to a sufficiently senior DP if the circumstances so demand ( Recommendation 34 ). 57 ISC Privacy and Security Report, March 2015, para 42. 58 above. Ibid. , paras 42 - 45; see also 7.15 - 7.16 and 10.38 273

280 CHAPTER 14: EXPLANATIONS Recommendation , trailed at 14.56(d) above, is my suggested mechanism for 14.64. 30 reconciling judicial authorisation with the special expertise of the Secretary of State foreign policy are defence of the UK or its concerned. In short: where the Where a warrant (specific or bulk) is sought for a national security purpose (a) defence of the UK or its foreign policy, relating to the I recommend that the warrant is required Secretary of State should have the power to certify that the in the interests of the defence and/or foreign policy of the UK. In the case of a bulk warrant, the Secretary of State should also have the power to certify that the warrant is required for the operation(s) and/or mission purposes ide ntified on the warrant ( ). Recommendation 46 (b) The Judicial Commissioner should be able to depart from that certificate only 59 on the basis of the principles applicable in judicial review: an extremely high udiciary where matters of test in practice, given the proper reticence of the j 60 foreign policy are concerned. (c) Responsibility for verifying that the warrant satisfied the requirements of proportionality, and for authorising the warrant, would remain with the Judicial Commissioner. arrangement are that it would preserve the proper role of 14.65. The twin advantages of that the Secretary of State in relation to the assessment of the defence and foreign policy priorities of the country, whilst protecting the judges from being drawn into political or diplomatic judgement s that are properly for the executive. The Judicial Commissioner would, of course, retain the ability to scrutinise such warrants for compliance , in respects falling outside the scope of the certificate with the requirements set out in , Recommendation 29 Recommendation 45 (bulk (specific interception warrants) and warrants). It seems to me proper that such scrutiny should remain with an independent judicial figure. 14.66. In such cases as in all others, the warrant - requesting authority would have a right to resu bmit the application having remedied any defect identified by the Judicial Commissioner ( ), or indeed to appeal to the Chief Judicial Recommendation 33(a) Commissioner, a procedure modelled on that which is applied by the Office of Surveillance Commissioner s ( Recommendation 33(b) ). 14.67. national I do not consider it necessary to extend Recommendations 30 and 46 to security warrants of a domestic nature. In particular: (a) The same political and diplomatic considerations do not arise. Terrorism, which accounts for t he bulk of national security warrants going through the Home Office, is criminal activity. The gathering of material on it for intelligence or law 59 There are parallels for this test in national security leg islation: it is for example the basis on which the High Court must proceed when reviewing the determination of the Secretary of State’s assessment of the need to impose a Terrorism Prevention and Investigation Measure (TPIM) under the TPIM Act 2011, s9(2). 60 It is difficult to imagine a warrant being refused on this basis, short of e.g. a complete lack of evidence that it might achieve the objective(s) sought. 274

281 CHAPTER 14: EXPLANATIONS enforcement purposes, including by means of interception, is not a political function. The capacity of judic ial authorisation to allay public suspicions would be (b) reduced if the Home Secretary were effectively given the power to decide whether a particular warrant was necessary in the interests of national security. National security being a term undefined in la w, suspicious people (whether or not with good cause) will always criticise the exercise of that judgement by an elected politician whose views of what constitutes a national security threat may not coincide with those of an independent arbiter. The Sur veillance Commissioners have become accustomed to considering the (c) - term deployment of undercover police, and told national security case for a long me that they feel no uneasiness about doing so. (d) There are considerable advantages in having a single warrant - granting authority rather than a dual arrangement. Under my scheme, the Home Office WGD could cease to exist, though some of its it would be desirable for considerable expertise resources and be redeployed in ISIC. to 14.68. Centrally important is the requiremen t that there be arrangements for the prompt consideration of urgent applications for specific interception warrants from any part of the UK and at any time (Recommendation 32 ). , to the effect that serious crime warrants should have the same 14.69. Recommendation 37 6 month duration as national security warrants, responds to the recent comment of - the IOCC that “ there remains a strong practical case for increasing the validity period 61 ”, with which I agree. Requesting for serious crime warrants to six months authorities will have to apply effective procedures for the purpose of verifying that warrants proceed for cancellation once there is no further need them: an aspect that is already the subject of IOCCO inspections and that ISIC inspectors should also be a stute to check. 14.70. Recommendation 38 removes a pointless distinction between RIPA Parts I and II as renewals regards the date when warrant take effect, allowing them to do so from with effect from the expiry of the original warrant as is currently the case u nder Part II. I am grateful to the ISCommr for drawing the discrepancy to my attention. Combined warrants 14.71. relates to combined warrants, and is aimed at ensuring the Recommendation 39 necessary flexibility to perform interception, intrusive surveillance an d property interference in the course of a single operation : see 10.36 above . It offers administrative convenience for any intercepting authority that might wish to make use of them, but does not dilute any protections, since the conditions for each type of warrant would still have to be satisfied. 61 IOCC Report, March 2015, 6.43. 275

282 CHAPTER 14: EXPLANATIONS Bulk warrants Only the chiefs of the security and intelligence agencies should remain eligible to 14.72. apply for bulk warrants (of which there are currently 20), and only with the approval of the Secretary of State ( Recommendation 40 ). The issue of a bulk warrant should be Judicial Commissioner for the , but with the same limitation as regards the national security case as was recommended in relation to specific interception warrants: Recommendations 46 - 47 and 14.64 - 14.66 above. 14.73. Recom mendation 42 b provides for communications data to be obtained in bulk without the accompanying content. It gives effect to the suggestion at 10.40(c) above, and could accommodate a range of different uses. To give an example of a circumstance where it mi ght apply, bulk communications data is essential in identifying and illuminating particular types of activity on a network for the purposes of cyber - defence, where GCHQ is seeking to identify malicious activity on particular networks. This activity neithe r targets nor meaningfully intrudes into the communications of individuals. But more generally, such a warrant is self - evidently less intrusive than the current s8(4) warrant: hence the requirement ( Recommendation 42 ) that a bulk content warrant should ne ver be applied for, approved or authorised in circumstance where a bulk communications data warrant would suffice. agencies to obtain security and intelligence This additional power for the 14.74. communications data in bulk by warrant is not intended to replac e the existing RIPA for law enforcement agencies to obtain large volumes of data directly from powers CSPs for cell site analysis when it is necessary and proportionate to do so, for - example when searching for or tracking the movements of a suspect, see 9.66 . 14.75. Bulk warrants should remain available only in pursuit of the existing statutory purposes ( ). But in lieu of the certificate provided for by RIPA s8(4)(b), Recommendation 43 which the ISC described as “ expressed in very general terms ” (6.49 above), the pu rposes for which material or data is sought should be spelled out by reference to specific operations or mission purposes . I accept that those operations and/or mission purposes are likely to be numerous and (as in the example given in Recommendation 43 : ”) may attack planning by ISIL in Iraq/Syria against the UK “ themselves be fairly broad in nature. I believe though that this change will help focus minds on the specific reasons why bulk interception is said to be necessary, dispelling the notion that bul k warrants are “ untargeted ” and illustrating their kinship with the familiar concept, in many countries, of a thematic warrant that is issued in support of a particular operation. 14.76. internal and external communications The distinction between was widely atta cked as arbitrary and misleading by civil society groups who made submissions to the review (12.25 - 12.26 above). I agree with them that the distinction is outdated in the context of internet communications and should be abandoned. Its value as a protecti on for persons inside the UK is limited in any event by the inescapable fact catch ” of internal communications is collected at the same time: for the that a “ by - purposes of the protection of persons within the UK, it is, rather, RIPA s16 which must 276

283 CHAPTER 14: EXPLANATIONS “ lifting ” at the access stage: 6 .53 - 6.54 above. (In that regard, I do the heavy ghtening of the s16 safeguard: 14.89 and Recommendation 79 recommend a ti .) below 14.77. Though it is at the access stage that the heavy lifting will still need to be done, I am unwilling to protection at the collection stage for persons see a reduced level of within the UK , and so recommend that the internal/external safeguard on targeting not be removed, but rather made clearer so as to focus on the location of individuals rather than commu nications. Recommendation 44 proposes that bulk interception warrants should be required to be targeted at the recovery of intercepted material comprising the communications of persons believed to be outside the UK at the time have left open the question of whether any equivalent of those communications. I limitation is necessary or desirable in relation to bulk communications data warrants, which as noted at 14.73 above have the potential to be used for a variety of purposes hould inform any parliamentary debate on the subject. which (at least in outline) s Authorisations 14.78. As to the acquisition of communications data otherwise than in bulk, my recommendations build on the existing scheme of DPs assisted by SPoCs, which is considered by all who have looked a t it to provide robust and effective pre - 62 authorisation scrutiny, as well as a measure of independence. SPoCs should be provided for in statute ( Recommendation 62 ). 14.79. Two matters that currently depend on the distinction between subscriber information, ser vice use information and traffic data (which I have recommended should be categories of communications data the (if any) reviewed: Recommendation 12 ) are that should not be available to certain public authorities, and the rank or position . For that and for other reasons, each should be reviewed required of a DP Recommendations 51 and 56 ). ( 14.80. DPs within the security and i ntelligence agencies are not currently required to be independent from the investigation in which communications data is requested: they indeed be the line manager of the analyst who seeks access to the data. The may IOCC has recently reported that the selection procedure is undertaken “ carefully and conscientiously ”, but also raised the question of whether might need to be some pre - 63 authorisat ion or authentication process (or alternatively, enhanced audit). The ISC, reporting on the same day, made a recommendation for independent authorisation which I have echoed in my own Recommendation 58 . would of course have to be implem 14.81. ented in a manner consistent Recommendation 58 with ECHR and EU law (including, should it be applicable in this context, the requirement of prior review referred to at 5.68(f) above). A manageable solution needs to be sought, based on an understanding of how bulk data is a ctually used (as to which, see 14.43 above), including by running very high volumes of requests before 62 ”, and after The IOCC in his most recent report referred to the SPoC process as “ a stringent safeguard an exhaustive investigation did not find “ significant institutional overuse ” of communications data powers by police forces and law enforcement agencies: IOCC Report, March 2015, 7.46 and 7.94. 63 - 6.39. IOCC Report , March 2015, 6.38 277

284 CHAPTER 14: EXPLANATIONS an individual has even been identified. There may be contexts, therefore, in which some kind of thematic approach will need to be considered. Recommenda would reverse the recently - imposed requirement on local tion 66 14.82. for communications authorities to seek judicial approval by a magistrate or sheriff data requests. Whilst judicial approval at this level may sound like a safeguard, and was no doubt required for that reason, the reality appears to have been that it has added time, complexity and cost to the authorisation process without contributing 9.100 above. Indeed it is very likely that the introduction additional rigour to it: 9.98 - has resulted in applications being made less often than they of this requirement should: 9.100. 14.83. I considered recommending extra training for magistrates, or centralising the judicial 64 mechanism in the court centres closest to NAFN’s Tameside and Brighton offices: at has been rejected in the past. But despite the fact that the requirement an option th for authorisation by magistrate or sheriff was only recently introduced, I have no hesitation in advising its removal. The independent SPoCs of NAFN perform a good above ) and – service (9.95 subject to careful audit by the Commissioners, and in – should provide the requisite protection against conjunction with local authority DPs the improper use of local authority powers to authorise the acquisition of communications data. - e ver - 14.84. The “ mash ” that characterises changing technical, jurisdictional and policy mish the provision of communications data, particularly by overseas service providers (9.74 above), is notorious and makes it difficult for a SPoC to function effectively without a regular flow of work to keep skills and knowledge up to date. My suggested remedy, of ” for which I encountered significant support, is to require all “ minor users - communications data (9.2 9.3 above), not just as at present the local authorities, to he SPoC function performed for them centrally by NAFN: . have t Recommendation 65 Privileged or confidential material is dealt with in Recommendations 67 - 69 : 14.85. (a) The DP of any public authority which seeks communications data for the purpose are privileged or confidential must either refuse the of determining matters that request or refer it to ISIC for determination by a Judicial Commissioner. (b) When an application is not directed to such a purpose but relates to persons who handle privileged or confidential information (including doctors, lawyers, journalists, MPs or ministers of religion), special consideration and arrangements should be in place, and the authorisation should be flagged for the attention of ISIC. The increased sensitivity of communications data 14.86. ever - changing , and the purposes for which it can be used, are acknowledged by Recommendations 70 - 71 , which require requesting public authorities to refer novel or contentious requests to a routine ISIC for a decision on authorisation. It is not intended that this should be occurrence. As acknowledged in Recommendation 71 , it will be essential to create a clear understanding of when it is appropriate. But in conjunction with ISIC’s power to 64 Different solutions would have been needed for Scotland and Northern Ireland. 278

285 CHAPTER 14: EXPLANATIONS 65 Recommendation 95 issue guidance for the benefit of requesting authorities ( above), this procedure presents an opportunity for judicial guidance to be offered (in - the manner of guideline sentencing judgments, or the partly published opinions of the FISA Court in the US and Federal Court in Canada) in relation to what is and is not appropriate in a fast - changing area. Recommendations 72 - USE OF INTERCEPTED MATERIAL AND DATA ) ( 81 Recommendations 72 - 74 aim to ensure that: 14.87. (a) safeguards at least as strong as those currently in place should apply to the disclosure, dissemination, copyin g, storage and retention of intercepted material; and that equivalent safeguards should be provided in relation to communications data, (b) backed by ISIC audits, extending to the processing of data for reasons going data in conjunction with other beyond their acquisition and to the use of datasets. 14.88. Recommendation 75 , which supplements the more general references to the sharing Recommendation of data in 73 (c) and 76 - 78 , would ensure that so long as the s may red safeguards, they security and intelligence agencies each operate the requi share intercept ed material an between themselves for the d communications data purposes of their respective statutory functions. Use of material recovered under bulk warrants Recommendation 79 14.89. would, if adopted, enhance the existing RIPA s16(3) safeguard on the use of intercepted material recovered under a bulk content warrant. It would do so by requiring a specific interception warrant, issued by a Judicial Commissioner, before content that relates to a communication involving a pe rson believed to be in the UK could be read, looked at or listened to. This would strengthen the current requirement for a RIPA s16(3) modification, which the ISC said was “ unnecessarily 66 8(1) warrant ”. complex and does not provide the same rigour as that provided by an The likely increase in rigour will be all the greater if, as I have recommended, the successor to the s8(1) warrant is to be subject to authorisation by a Judicial Commissioner. 14.90. e same enhanced I do not however go so far as the ISC in recommending that th protection should apply to UK nationals (though not the nationals of other states) when 67 The range of additional police powers and surveillance capabilities outside the UK. se of intercepted that exist within the UK is an objective reason for requiring the u material recovered pursuant to a bulk warrant to be specifically warranted in the normal way: less intrusive means of obtaining the information may have been available. No such objective reason exists for favouring British nationals abro ad, as 65 As in the OSC Procedures and Guidance booklet, December 2014, not publicly available, or (to take another possible model) the partially redacted Opinions that are issued by the FISA Court in the US and the Federal Court in Canada. 66 ISC Privacy and Security Report, March 2015, Recommendation Q. 67 , Recommendation R. Ibid. 279

286 CHAPTER 14: EXPLANATIONS was implicitly acknowledged when RIPA (progressively, by international standards) did not incorporate citizenship - based distinctions. I have left open the question of what “ - compliant procedures ” 14.91. rigorous and rights should apply for the purposes of a uthorising access to (1) content obtained under a bulk warrant and not relating to persons in the UK and (2) communications data , and cf. Recommendation 76 obtained under a bulk warrant: Recommendation 80 above. Intercept as evidence As recorded at 9.16 - 9 .18 above and in Recommendation 81 , it is not th e function of 14.92. - this Review to second the eight reviews (some of them extremely guess or to reinforce which have, since 1993, failed to recommend that intercepted material be detailed) idence in court. rendered admissible as ev 14.93. I do however recommend that consideration should be given to extending the already substantial list of exceptions from this rule to include the Parole Commissioners and d be a Sentence Review Commissioners, both in Northern Ireland. There woul possible benefit in terms of public safety: these bodies consider prisoner licence cases and have the ability to consider classified material in closed proceedings on the issue public. of whether persons convicted of serious offences remain a threat to the dence before them could enable the recall to Allowing intercept to be admitted as evi - prisoners on licence in respect of whom the evidence of continuing threat prison of ex to the community comes from intercepted communications. ) 121 OVERSIGHT AN D REVIEW ( Recommendations 82 - Independent Surveillance and Intelligence Commission 14.94. Recommendations 82 - 112 concern the proposed new Independent Surveillance and Intelligence Commission ( ISIC ) , which would be a well - resourced and outward - facing regulator both of all those involved in the exercise of surveillance powers and of the security and intelligence agencies more generally. 14.95. ISIC would merge the existing functions of its three predecessor Commissioners (including those only recently announced: bulk p ersonal data and TA 1984 s94) and take on, in addition: (a) Recommendations 91 - 93 ; the audit and inspection functions referred to in the warrant - issuing powers currently vested in the Secretary of State , to be (b) exercised only by Judicial Commissioners who must hold or have held high judicial office, or Assistant Judicial Commissioners who have themselves held Recommendations 84 - 88 ), and after hearing submissions from judicial office ( independent standing counsel where necessary ( Recommendation 110(c) ); (c) a new po wer to authorise communications data requests which are novel or contentious or which are made for the purpose of determining matters that are Recommendation 84(e) ); and privileged or confidential ( 280

287 CHAPTER 14: EXPLANATIONS the ability to issue guidance as referred to in 14.86 abov (d) e, and to participate in ) . Recommendation 84(f) the preparation of Codes of Practice ( 14.96. A more general supervisory power over the activities of the security and intelligence Recommendation 97 agencies ( ), and an enhanced reporting function ( 102 ) could also be considered for ISIC. Whether and when to do Recommendation e this would depend on the precis relationship between ISIC and the ISC, which is for others to decide ( Recommendation 120 ) but which should in any event not involve an overlap of functions ( Recom mendations 97, 119 ). 14.97. ISIC would build on the considerable strengths of its predecessor Commissioners, which are founded on their strong judicial ethos, the trust that public authorities have in them and (in the case of IOCCO and the OSC) their professional and technically 68 But its greater size and unified nature would give it a proficient inspectorates. number of advantages over its predecessor Commissioners, notably: (a) the ability to compare practice across the whole range of different public 69 authorities ; (b) the ability to inspect the whole range of surveillance techniques , thus aiding an appreciation of whether it was necessary and proportionate to use one technique rather than another; ical to attract excellent specialists (including techn (c) the gravitational force are specialists) whose opportunities more limited in a smaller organisation; and public profile which has largely eluded its (d) the name recognition and predecessor Commissioners, with the result that their work (and indeed their ha ve not been as widely known as they existence) could have been (and should have been, granted the interest in surveillance matters following the publication of the Snowden Documents). I have considered whether it would be difficult to combine the judicial authorisation 14.98. functi on and the inspectorate in a single organisation, and concluded that it would not. A precedent already exists, in the form of the OSC whose six judicial Commissioners, three Assistant Commissioners and eight Inspectors all report, along with the secretari at, to the Chief Surveillance Commissioner (who from 1 July 2015 will be the 70 former Lord Chief Justice, Lord Judge). Whilst the judicial function is obviously a distinct one, there is benefit in dialogue: the Judicial Commissioners considerable ise the inspectorate on matters to look out for on their inspections, and the could adv inspectors could in turn suggest that a warrant be referred back to the Judicial Commissioners if they formed the impression that it was not being implemented as it should be, an d that the Judicial Commissioners might wish to consider modifying or cancelling it. 68 The ISCommr has no inspectorate, and indeed had until recently the ass istance of only one other person. 69 IOCCO already has that within its field of operation: the functions of the IntellSC and OSC are however divided between the intelligence agencies and the rest. 70 - 14, September 2014, p 32. Figures taken from the organigram in the OSC Annual Re port for 2013 281

288 CHAPTER 14: EXPLANATIONS ISIC should be willing and able to draw on , including in 14.99. specialist legal counsel ( Recommendation ). and on relation to specific applications for warrants 110 fro expertise m the worlds of intelligence, computer science, technology, academia, law and the NGO sector ( . An international perspective is Recommendation 111) Ethics Committee important. Though I did not in the end pursue the idea of an ISIC 71 to advise Judicial Commi ssioners on hard warrantry decisions, still less the “ citizens’ jury” imaginatively proposed by Demos, it is vital that ISIC (including its Judicial Commissioners) should be exposed to a variety of informed opinion, including from ls, technical experts, privacy advocates and the generation intelligence professiona which has grown up online. The ideal Chief Commissioner 14.100. would be a former judge of the highest distinction who is willing to work the hours necessary to run a substantial organisation and open to public and media engagement, including (if e.g. an alleged scandal is brought to 72 light) at short notice. An illustrative model for how ISIC could thus be organised is at Annex 17 to this Report . Because the pool is small and there might be occasions on which no such c provided for the possibility of andidate could be found, I have appoint ing as Chief Commissioner someone who is not a judge ( Recommendation 104 ). In that event, a senior judge would act on a part - time basis as Chief Judicial ubordinate role in the ISIC hierarchy but leading not of course in a s Commissioner , the Judicial Commissioners on a self - Annex 18 to this standing basis as depicted in Report, whilst retaining the closest possible links with the Commission itself. Investigatory Powers Tribunal 14.101. A brief history of the I PT is at 6.105 - 6.111 above, and some criticisms of it are summarised at 12.88 12.89. - 14.102. As the IPT operates increasingly in the open (at least where legal issues are concerned) and produces more open judgments, it is likely increasingly to be 73 aluable and effective check on the exercise of intrusive powers. perceived as a v Its merits include: (a) the ability to hear cases without complainants needing to present even an arguable case that they are the subject of interference; oners or ISC) to hear forceful adversarial (b) the ability (not given to the Commissi argument and thus to clarify the issues; (c) the ability to hold a public hearing on the assumption that facts asserted by the complainant are correct (thus circumventing at least some of the difficulties caused by NC ND); and (d) the RIPA s68(6) duty on public authorities to disclose information to IPT. 71 Though I am grateful for the useful research into Ethics Committees conducted for me by Grant Castle and Covington & Burling. 72 He or she could also be a serving judge, on the analogy of the chairmanship of th e Law Commission, though there would be advantages in a Chair who was prepared to stay for longer than three years. 73 There has been an equivalent improvement in the public image of the US FISA Court, following the publication (if only in redacted form) o f some of its Opinions. 282

289 CHAPTER 14: EXPLANATIONS In addition, the IPT has now moved its administrative base away from the Home Office to a location close to the Royal Courts of Justice: a welcome and necessary . development My first two recommendations concern on the part of persons 14.103. access to the IPT recommend, in accordance whose communications were wrongly intruded upon. I , that : OCCO with suggestions submitted to me by I (a) the jurisdiction of the IPT should be expanded (or clarified) to cover circumstances where it is a CSP rather than a public authority which was at fault, for example, by intercepting the wrong communications address and/or 74 ); ( Recommendation disclosing the wrong communications data and that 113 (b) ISIC shoul d be allowed to inform a subject of an error (subject to not prejudicing 75 at least in cases where it considers it possible that the ongoing operations), scale or nature of the error might entitle the subject of the error to compensation 99 ) ( A Recommendation similar power might in principle be given to CSPs, . but CSPs to which I spoke were more comfortable with a system whereby they would report errors to the Commissioners (as currently), who would take the necessary decision. 14.104. The second of those recommend ations, though a departure from the current position, would still fall short of the general duty to notify (at least of interception) that exists in many countries and has been strongly encouraged (though not described as 76 essential) by the European Court o f Human Rights and by a UN Special 77 Rapporteur. For as long as the relevant Commissioner’s office does not inspect every intrusion, it will to some extent be arbitrary (or a matter of chance) whether an error is referred to the IPT or not. But improved procedures at IOCCO have made it more likely that s erious errors will be uncovered by the sampling process. On any 78 and its view, the existing threshold (wilful or reckless f ailure by a public body ) , limitation to cases involv ing communications data or en cryption keys, seem hard to understand. My third 14.105. right of appeal to an appropriate recommendation is that there should be a 79 from rulings of the IPT, on points of law only ( Recommendation court 114 ). The IPT is unusual in being subject to no process of ap peal, an incongruous state of affairs given that it is the only appropriate tribunal for certain categories of human rights appeals (RIPA s65(2)(3)), and that it can decide issues of great general importance involving vital issues of principle. The Court of Appeal is now accustomed to hearing 74 This was suggested by IOCCO’s submission to the Review of December 2014, 3.1.4. IOCCO reported that in 2013, 20% of the interception errors and 12.5% of the communications data errors were caused by CSPs. A well - publicised exa mple is the mistaken disclosure in March 2014 of more than 1000 numbers relating to News UK employees, inadvertently sent by Vodafone to the Metropolitan Police in the context of Operation Elveden. 75 There is no bar to this where communications data is co ncerned. It however currently falls foul of RIPA s19 where interception is concerned. 76 Klass v Germany (Application 5029/71, judgment of 6 September 1978) para 69; AEIHR v Bulgaria (2007) para 57; Lüütsepp v Estonia (Application 46069/13, pending). 77 UN Special Rapporteur on Free Expression A/HRC/23/40, 17 April 2013, para 82. 78 Communications Data Code of Practice, 8.3. 79 Appeal could lie to the Court of Appeal of England and Wales, the Inner House of the Court of Session Northern Ireland, as is the position for the Competition Appeal Tribunal. or the Court of Appeal of 283

290 CHAPTER 14: EXPLANATIONS It is desirable that human rights cases should be appeals involving closed materials. finally determined in the UK if possible; and if not, that the ECtHR should have the argument in more than one court, and benefit of views reached after the benefit of expressed at a very senior judicial level within the UK. My fourth declarations of incompatibility 14.106. recommendation concerns ). HRA 1998 section 4(5) allows the higher courts to declare ( Recommendation 115 that a provisi on of primary legislation is incompatible with a Convention right, triggering the section 10 power to take remedial action. Consideration should be given to granting the IPT the same power, though this recommendation might be consi dered less important if my thir d recommendation is adopted, because there could then (depending on the basis of the decision) be the possibility of appeal to a court entitled to make a declaration of in compatibility. Finally, it is important that the resources of the IPT 14.107. c ontinue to be should independent of those allocated to the Commissioners and to the ISC Recommendation 116 ( ), and that it should be able to call on the assistance of ISIC as it has done the IOCC and ISCommr in recent years ( Recommendation 117 ). I decided not to m ake any recommendations concern ing IPT procedures , despite the 14.108. procedures for dealing with closed material calls to make available to it the by the use - nterests of the affected of a security cleared special advocate to represent the i a proced person. Such was first rolled out in the Special Immigration Appeals ure JSA (“SIAC”) But Commission 2013, in the ordinary courts. and more recently , by the i t can be argued that the nature of IPT cases reduces the need for an advocate to be on behalf of a claimant. There was also a strong belief in able to take instructions Li berty some quarters that counsel to the tribunal (whose role was described in the 80 ) IPT Case is capable of having more influence in IPT closed procedures than would be at tainable by a special advocate. So without dismissing the suggestion, I leave it for another forum or another day. Intelligence and Security Committee 14.109. Recommendation 118 emphasises the importance (as did the recent Venice Commission report: 14.44(b) above ) of having a parliamentary oversight committee in place. The future of the ISC is a matter for Parliament, and I am concerned only to ensure that its functions do not overlap with those of ISIC ( Recommendations 119 and 120 ). TRANSPARENCY 12 ( Recommendations 1 - 124 ) 14.110. As recognised in Recommendation 121 , there are limits to how far transparency can go where operational matters are concerned. 14.111. My recommendations regarding transp arency, which are important and self - explanatory, are at Recommendations 122 - 124 . 80 - 10. Judgment of 5 December 2014, paras 8 284

291 15. RECOMMENDATIONS PRELIMINARY POINTS  My task is not to adjudicate, but to design a better system. It should not be inferred from any suggestion for change that I consider the current to be unlawful. s arrangement T mendations aim to chart a course, but not to provide for every  hese recom eventuality. They should be read accordingly. GENERAL RIPA Part I, DRIPA 2014 and Part 3 of CTSA 2015 should be replaced by a 1. comprehensive new law, drafted from scratch, which: (a) affirms the privacy of communications; (b) erms specified; by public authorities prohibits interference with them , save on t and (c) provides judicial, regulatory and parliamentary mechanisms for authorisation, audit and oversight of such interferences. 2. The new law should amend or replace RIPA Part IV 82 below Recommendation If . is adopted, changes will also be need ed to Police Act 1997 Part III, RIPA Parts II and III and RIP(S)A. 3. The new law should be written so far as possible in non - technical language. The new law should be structured and expressed so as to enable its essentials to be 4. understood by intelligent rea ders across the world. 5. The new law should cover all essential features, leaving details of implementation and technical application to codes of practice to be laid before Parliament and to or reasons of guidance which should be unpublished only to the extent necessary f national security. 6. The following should be brought into the new law and/or made subject to equivalent conditions to those recommended here: TA 1984 (a) s94, so far as it relates to matters covered the general power under eview (cf. ISC R eport, Recommendation VV); R by this 285

292 CHAPTER 15: RECOMMENDATIONS to ISA 1994 ss5 and 7 , so far as it is (b) equipment interference (or CNE) pursuant conducted for the purpose of obtaining electronic communications (cf. ISC Report, Recommendations MM - PP); (c) interception pursuant to WTA 2006 ss48 - 49 ( cf. ISC Report, Recommendations XX - ZZ); and (d) the acquisition and use of bulk personal data (cf. ISC Report, Recommendation X). 7. The new law should repeal or prohibit the use of any other powers providing for interference with communications. But for the avo idance of doubt, no recommendations are made in relation to the use of court orders to access stored communications (e.g. PACE s9) or the searching of devices lawfully seized, save that it is recommended that oversight should be extended to the former Re commendation 92(d) below). ( 8. The new law should define as clearly as possible the powers and safeguards governing: the receipt of intercepted material and communications data from international (a) partners; and (b) the sharing of intercepted material and communicat ions data with international partners; ( Recommendations 76 - 78 below). 9. Existing and future intrusive capabilities within the scope of this Review that are used or that it is proposed be used should be (cf. ISC Report, Recommendation BBB): the Secretary of State and to ISIC; (a) promptly avowed to (b) publicly avowed by the Secretary of State at the earliest opportunity consistent with the demands of national security; and, in any event, used only if provided for in statute and/or a Code of Practice in a manner that (c) is sufficiently accessible and foreseeable to give an adequate indication of the circumstances in which, and the conditions on which, communications may be accessed by public authorities. 10. Within the constraints imposed by national security, the current res trictions and prohibitions relating to the disclosure of warrants and intercepted material (RIPA ss15 and 19, Official Secrets Act 1989 s4) should be clarified and reviewed (cf. ISC Report, Recommendation C) in order to ensure, in particular, that: is no legal obstacle to explaining the uses (and utility) of warrants to (a) there Parliament, courts and public, and that 286

293 CHAPTER 15: RECOMMENDATIONS (b) as recommended by the Police Ombudsman for Northern Ireland in his report as to how absolute clarity of 30 October 2014 on the Omagh bombing, there is “ specific aspects of intelligence can be shared in order to assist in the investigation of crime ”. 11. B reach of Codes of Practice should not automatically constitute a criminal offence: any new criminal offence or enhanced penalty (cf. JCDCDB Report paras 227 and 229; ISC Report , Recommendation T) should be specifically identified in the new law. 12. The definitions of content and of communications data, and any subdivisions, should with input from all interested parties including service pro viders, be reviewed, technical experts and NGOs, so as to ensure that they properly reflect both current and anticipated technological developments and the privacy interests attaching to different categories of material and data. Content and communications data should continue to be distinguished from one other, and their scope should be clearly delineated in law. CAPABILITIES Compulsory data retention 13. ATCSA 2001 Part 11 should be repealed, and the voluntary code of practice issued under it should be withdrawn. 14. The Hom e Secretary should be able by Notice (as under DRIPA 2014 s1 and CTSA 2015 s21) to require s to retain relevant communications data for service provider periods of up to a year, if the Home Secretary considers that the requirement is necessary and proportio purposes laid down in Article 15(1) of the e - Privacy nate for Directive. Communications Data Bill 15. In relation to the subject matter of the 2012 Communications Data Bill, Government should initiate an early and intensive dialogue with law enforcement and CS Ps in order to formulate an updated and coordinated position, informed by legal and web logs (or the equivalent for technical advice, on the operational case for adding non - web based OTT applications) to the data categories currently specified in the Sched ule to the Data Retention Regu lations 2014 for the purposes of : (a) resolv ing shared IP addresses or other identifiers (in particular, to identify the user of a website) ; identify ing (b) when a person has communicated through a particular online service provider (so as to enable further enquiries to be pursued in relation to that provider) ; and/or (c) allowing website s visited by a person to be identified (to investigate possible criminal activity) . 287

294 CHAPTER 15: RECOMMENDATIONS g those purposes, Full consideration should be given to alternative means of achievin including existing powers, and to the categories of data that should be required to be retained, which should be minimally intrusive. If a sufficiently compelling operational case has been made out, a rigorous assessment should then be c onducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained. No detailed proposal should be put forward until that exercise has been performed. The rules regarding retention of data by CSPs should compl y (to the extent that it 16. 293/12 and C - - may be applicable) with EU law as contained e.g. in Joined Cases C 594/12 Digital Rights Ireland and with the ECHR, particularly as regards: limits on the data whose retention may be required; (a) (b) eriods are no longer than necessary; ensuring that retention p (c) ensuring the protection and security of data and their destruction when the retention period ends; and (d) the location in which data are stored. T 17. taining o the extent that a requirement is placed on CSPs that may result in them re partial or complete web logs or equivalent , the circumstances in which access may be sought by public authorities and the conditions on which access should be granted should be the subject of guidance in a Code of Practice and/or from ISIC , and suf verify through regular audit and to ficient records should be kept to allow ISIC inspection that requests properly authorised. have been 18. There should be no question of progressing proposals for the compulsory retention of third party data before such time as a compelling operational case may have been made, there has been full consultation with CSPs and the various legal and technical issues have been fully bottomed out. None of those conditions is currently satisfied. Bulk c ollection 19. The capability of the security and intelligence agencies to collect and analyse intercepted material in bulk should be maintained, but subject to rulings of the courts, used only subject to the safeguards in 40 - 49 and 72 - 80 below, Recommendations and only in cases where it is necessary to achieve an objective that cannot be achieved by the new and less extensive power in Recommendation 42(b) below. INTERCEPTION AND ACQUISITION OF DATA Types of warrant and authorisation 20. In relation to interception and the acquisition of commun ications data, the following types of compulsory warrant and authorisation should be available: For the interception of communications in the course of transmission, (a) 288

295 CHAPTER 15: RECOMMENDATIONS  an specific interception warrant  a combined warrant a bulk interception warrant.  (b) For th e acquisition of communications data in bulk, a bulk communications data warrant. (c) For the acquisition of communications data otherwise than in bulk, an authorisation. 21. Recommendation 6 above is adopted, the analogous activities To the extent that rred to should be subject to equivalent procedures. there refe 22. Specific interception warrants, combined warrants, bulk interception warrants and bulk communications data warrants should be issued and renewed only on the authority of a Judicial Commissioner. 23. Authorisa tions for the acquisition of communications data otherwise than in bulk should be issued only on the authority of a DP authorised to do so by the authorising body. effect Extraterritorial 24. es in the UK It is not recommended that service providers wishing to offer servic should be required to have a licence, or that they should be required to store data in the UK. But in order to address deficiencies in access to material from overseas service providers, the Government should: seek the cooperation of overseas service providers, including by explaining so (a) far as possible the nature of the threat, how requests are authorised and overseen, and the steps that are taken to ensure that they are necessary and proportionate; (b) seek the improvement and abbreviation of ML AT procedures, in particular with the US Department of Justice and the Irish authorities; and (c) take a lead in developing and negotiating a new international framework for data sharing among like - minded democratic nations. - 25. Pending a satisfactory long - term s olution to the problem, extraterritorial application should continue to be asserted in relation to warrants and authorisations (DRIPA 2014 s4), and consideration should be given to extraterritorial enforcement in appropriate cases. Specific interception wa rrants persons 26. Only those currently specified in RIPA s6 should be entitled to apply for a specific interception warrant. 289

296 CHAPTER 15: RECOMMENDATIONS Specific interception warrants should be limited to a single person, premises or 27. each person or premises to which operation. Where a warrant relates to an operation, the warrant is to apply should be , to the extent known at the time of the application, individually specified on a schedule to the warrant, together with the selectors (e.g. premises. telephone numbers) applicable to that person or 28. The only purposes for which a specific interception warrant can be issued should be, as under RIPA s5(3): preventing or detecting serious crime (including by giving effect to a mutual (a) legal assistance agreement), or (b) in the interests of national s ecurity (including safeguarding the economic well - being of the UK in a respect directly linked to the interests of national security). 29. Applications for interception warrants should contain the following information: (a) tigation in the context of which the The background to the operation or inves warrant is sought ; (b) The person(s) or premises to which the application relates, to the extent known at the time of application, and how they feature in the operation ; (c) A description of the communications to be intercep ted , details of the service provider (s) and an assessment of the feasibility of the interception to the extent ; known at the time of application (d) A description of the conduct to be authorised or the conduct it is necessary to at is authorised or required by the warrant ; undertake in order to carry out wh An explanation of why that conduct is considered to be necessary for one or (e) more of the permitted statutory purposes ; (f) An explanation of why any likely intrusion into privacy is proportionate to what is sought to be achieved by that conduct, explaining why less intrusive alternatives have not been or would not be as effective ; (g) Consideration of any collateral intrusion and why that intrusion is justified in the circumstances ; (h) Whether the application is made for the purposes of determining matters that are privileged or confidential such as the identity or a witness or (for example) prospective witness being contacted by a lawyer or the identity of or a journalist’s confidential source ; (i) Whether the application relate s to a person who is known to be a member of a profession that handles privileged or confidential information (including medical doctors, lawyers, journalists, Members of Parliament or ministers of religion), ; be applied and if so what protections it is proposed will 290

297 CHAPTER 15: RECOMMENDATIONS ; (j) Where an application is urgent, the supporting justification (k) An assurance that all material intercepted will be kept for no longer than necessary in accordance with the applicable rules, and handled in accordance with the applicable procedures for minimisation, secure holding and destruction. 30. When a specific interception warrant is sought for the purpose specified in Recommendation 28(b) above (national security) and that purpose relates to the defence of the UK and/or the foreign policy of th e Government, the Secretary of State should have the power to certify that the warrant is required in the interests of the In such cases, the Judicial Commissioner in defence and/or foreign policy of the UK. de ( Recom mendation 31 below) should be able termining whether to issue the warrant to depart from that certificate only on the basis of the principles applicable in judicial review. 31. A specific interception warrant should be issued only if it is established to the satisfaction of a Judicial Commissioner that: (a) the warrant is necessary for one or both of the permitted statutory purposes 28 above); Recommendation ( (b) the conduct authorised by the warrant is proportionate to what is sought to be achieved by that conduct; and the assurances regarding the handlin g, retention, use and destruction of the (c) intercepted material, including in relation to privileged or confidential material, are satisfactory. 32. Arrangements should be put in place for the prompt consideration of urgent applications for specific interception warrants from any part of the UK and at any time. 33. Should an application for a specific interception warrant be rejected, the Judicial Commissioner should give reasons for rejection. In the event of rejection , the applicant for a warrant should be able to : (a) - submit an amended application, addressing the defects or omissions re identified by the Judicial Commissioner; or request a final ruling on the original application from the Chief Judicial (b) Commissioner, by way of appeal from the original rejection. The Chief Judicial Commissioner may consider any such appeal in conjunction with one or more other Judicial Commissioners. 34. It should normally be for a Judicial Commissioner to make major modifications to a specific interception warrant, e.g. the addition of a new person or premises to the schedule. So far as applicable, the information listed at Recommendation 29 above should be supplied and considered before such a modification is authorised. However, a Judicial Commissioner should have the power to authoris e a DP meeting 291

298 CHAPTER 15: RECOMMENDATIONS the requirements set out in Recommendations 56 and 57 below to make major modifications to a specific interception warrant on the basis that such modifications are then notified promptly to the Judicial Commissioner. The circumstances in wh ich this could be appropriate should be specified in a Code of Practice and might include, for example, (1) urgent or fast moving cases, and (2) cases in which the interference with privacy is always likely to be small, or to be consistent across possible targets. Provision should be made for minor modifications (e.g. the addition of a new 35. telephone number for an existing target) to be made, after consideration of the g implications if any for privacy, collateral intrusion and proportionality, by a DP meetin the requirements set out in Recommendations 56 and 57 below. 36. A Judicial Commissioner should have the power to cancel a specific interception warrant at any time, if it appears to the Judicial Commissioner that one or more of the are no longer satisfied. conditions for its issue 37. Specific interception warrants should have a duration of six months. The Judicial Commissioner who issues the warrant should have a discretion to require that it be ts expiry. reviewed by a Judicial Commissioner at a specified time before i Warrant renewals should take effect from the date of expiry of the warrant (as 38. currently under RIPA Part I Chapter 2) rather than from the date of renewal (as currently under RIPA Part I Chapter 1). Combined warrants Combined warrants should be 39. subject to the same rules as interception warrants, save that: (a) They may authorise, in the context of a given operation, more than one of (1) interception, (2) intrusive surveillance and (3) property interference. (b) They must explain why the conditions for ea ch type of warrant are satisfied, and why it is necessary and proportionate for a combined warrant to be issued. Bulk Warrants 40. Only the Director General of MI5, the Chief of MI6 and the Director of GCHQ, in each case with the approval of the Secretary of S tate, should be eligible to apply for bulk warrants. 41. The restrictions in Recommendation 27 should not apply to bulk warrants. 42. There should be two types of bulk warrant: (a) bulk interception warrants, which would allow content and related communications data to be obtained; and bulk communications data warrants, which would allow only communications (b) data to be obtained. 292

299 CHAPTER 15: RECOMMENDATIONS A bulk interception warrant should never be applied for, approved or authorised in circumstances where a bulk communications data warrant woul d suffice. The purposes for which a bulk warrant is sought should be: 43. limited to the permitted statutory purposes ( Recommendation 28 above); (a) in lieu of the certificate provided for by RIPA s8(4)(b)), limited to one or more (b) specific operations or mission p urposes (e.g. “ attack planning by ISIL in Iraq/Syria against the UK ”). 44. Bulk interception warrants should, in addition, be required to be targeted at the recovery of intercepted material comprising the communications of persons believed to be outside the UK at the time of those communications. It should be determined (if Recommendation 42(b) is adopted) whether an analogous restriction is necessary or desirable in relation to bulk communications data warrants. Applications for bulk warrants should contain t he following information: 45. (a) The specific operation(s) or mission purpose(s) in respect of which they are sought ; (b) Description of the communications to be intercepted or acquired, details of the ; or acquisition CSP(s) and an assessment of the feasibility of the interception (c) Description of the conduct to be authorised, or the conduct it is necessary to ; undertake in order to carry out what is authorised or required by the warrant A statement specifying both the statutory purpose(s) and, as precisely as (d) possibl e, the operations or mission purposes in relation to which material is sought ; (e) An explanation, backed by evidence, of why the interception or acquisition is considered to be necessary for one or more of the permitted statutory purposes and for the operatio ns or mission purposes identified ; (f) An explanation of why any likely intrusion into privacy is proportionate to what is sought to be achieved by that conduct, explaining why less intrusive alternatives have not been or would not be as effective ; (g) on of any collateral intrusion and why that intrusion is justified in the Considerati circumstances ; (h) Whether the application could result in acquisition of material or data that is privileged or confidential material, and if so what protections it is proposed will be a p plied ; (i) In the case of a bulk interception warrant, an explanation of why a bulk ; communications data warrant would not be an adequate alternative 293

300 CHAPTER 15: RECOMMENDATIONS (j) In the case of a bulk communications data warrant, an explanation of why an authorisation would not be an ad equate alternative ; Where an application is urgent, supporting justification (k) ; (l) Details of the use that it is proposed to make of the data that is recovered, including in relation to possible sharing and use in combination with other datasets ; (m) An assurance t hat all material recovered will be retained no longer than necessary, looked at, used or analysed only for certified purposes and in accordance with the applicable rules, and handled in accordance with the ding and destruction. applicable procedures for minimisation, secure hol 46. When approving a bulk warrant that is sought in whole or in part for the purpose referred to in Recommendation 28(b) above (national security), and when that purpose relates to the defence of the UK and/ or the foreign policy of the G overnment, the Secretary of State should certify: (a) that the warrant is required in the interests of the defence and/or foreign policy of the UK; and identified. (b) that it is required for the operation(s) and/or mission purpose(s) 47. Commissioner in de termining whether to issue the warrant In such cases, the Judicial Recommendation 48 below) may depart from that certificate only on the basis of the ( principles applicable in judicial review. 48. A bulk warrant should be issued only if it is established to the satisfa ction of a Judicial Commissioner that: (a) its purpose and targets are limited by reference to the factors identified in Recommendations 43 and 44 above; (b) it is necessary for one or more of the permitted statutory purposes; (c) it is necessary for the mission purp ose(s) and/or operation(s) identified; (d) in the case of a bulk interception warrant, it is necessary for the warrant to apply to content as well as communications data; the conduct authorised by the warrant is proportionate to what is sought to be (e) by that conduct; and that achieved (f) the assurances regarding the handling, retention, use and destruction of the intercepted material or acquired data, including in relation to privileged or confidential material, are satisfactory. apply also to bulk warrants, save that any 49. Recommendations 32 - 38 above should modification to a bulk warrant must be authorised by a Judicial Commissioner. 294

301 CHAPTER 15: RECOMMENDATIONS Authorisations General Public authorities with relevant criminal enforcement powers should in principle be 50. ons data. It should not be assumed that the public able to acquire communicati interest is served by reducing the number of bodies with such powers, unless there are bodies which have no use for them. There should be a mechanism for removing ) which no longer need the public authorities (or categories of pub lic authorities s , and for adding those which need them. power 51. The issue of which (if any) categories of communications data should be unavailable Recommendation to certain public authorities should be reviewed, in the light of 12 above and any revision of procedures for authorisation and review. (Some examples of the potential value to local authorities of what is currently known as traffic data are Annex 16 to this report.) at The grounds on which communications data may be acqui red should remain as set 52. out in RIPA s22(2), subject to any limitation (relating, for example, to the need for crime to exceed a certain threshold of seriousness, which would not necessarily need to be set at the same level as in RIPA s81(2)(b)) that may b e required by EU law or the ECHR. of an DP Communications data should be acquired only after the grant by a 53. authorisation. Details of the authorisation should be served on a CSP where it appears to the DP that the CSP is or may be in possession of, or cap able of obtaining, any communications data. The distinction between an authorisation and a notice (RIPA s22) is unnecessary and should be abandoned. The application for an authorisation should set out the matters specified in the 54. Acquisition and Disclosur e of Communications Data Code of Practice (March 2015) 3.5 - 3.6. 55. An authorisation should be granted only if the DP is satisfied, having taken the advice of the SPoC and considered all the matters specified in the application, that it is neces sary and propor tionate to do so. Designated person 56. DPs should be persons of the requisite rank or position with the requesting public authority or another public authority. The Regulation of Investigatory Powers (Communications Data) Order 2010 should be revised after c onsultation in the light of: (a) Recommendation 12 above; (b) the comments of IOCCO (December 2014 subm ission to the R eview, 3.3) on the appropriate rank of DPs and the need for consistency across public authorities and in relation to comparable methods of survei llance; and 295

302 CHAPTER 15: RECOMMENDATIONS Recommendations 59(b) (c) The new functions placed on DPs and summarised at and 60 below. DPs should be adequately trained in human rights principles and legislation (including 57. in relation to privileged or confidential material), and may grant auth orisations only when and to the extent that it is necessary and proportionate to do so in the specific circumstances. 58. As recently stated in the ISC Report, Recommendation HH: “ there should always be a clear line of separation within the Agencies between in vestigative teams who request approval for a particular activity, and those within the Agency who authorise it ”. DPs (including in the security and intelligence agencies ) should be required by hen granting statute to be independent from operations and investigations w authorisations related to those operations and investigations, and this requirement should be implemented in a manner consistent with the ECHR and EU law. 59. The function of DPs should be: (a) To authorise the acquisition of communications data ( Rec ommendation 55 above) ; (b) To make references to ISIC on applications for privileged/confidential material and, where appropriate, on novel/contentious applications ( Recommendations 68 and 70 below). 60. In addition, DPs appointed by the nine bodies entitled to in tercept communications data should be entitled to authorise minor modifications to specific interception Recommendation 35 above). warrants ( Single Point of Contact 61. No authorisation should be granted (save in exceptional circumstances specified in the new law) without the prior opinion of an accredited SPoC. The purpose of the SPoC should be: (a) to ensure that only practical and lawful requirements for communications data are undertaken; and (b) to facilitate the lawful acquisition of communications data, and eff ective co - operation between a public authority and CSPs. 62. The functions of the SPoC should be set out in statute along the lines of the March 2015 Code of Practice on the Acquisition and Disclosure of Communications Data, para 3.22. be located within the requesting authority. For example, 63. SPoCs should not have t o there would be no obstacle to police SPoCs being organised on a regional or national level, as is NAFN. 296

303 CHAPTER 15: RECOMMENDATIONS In the case of local authorities, the SPoC function should continue to be compulsorily 64. perfor med through a SPoC at NAFN. In the case of the other “ minor users ”, responsible between them for less than 1% of 65. requests for communications data in 2014, the SPoC function should in future also be compulsorily performed by a SPoC at NAFN, which will need to be resourced for that purpose. 66. The requirement in RIPA 2000 ss23A - B of judicial approval by a magistrate or sheriff for local authority requests for communications data should be abandon ed. a DP Approvals should be granted, after consultation with NAFN, by of appropriate seniority within the requesting public authority. Privileged or confidential material When the communications data sought relates to a person who is known to be a 67. member of a profession that handles privileged or confidential informatio n (including medical doctors, lawyers, journalists, Members of Parliament or ministers of religion), the new law should provide for the DP to ensure that (1) special consideration is given to the possible consequences for the exercise of rights and freedom s, (2) appropriate arrangements are in place for the use of the data, and (3) the application is flagged for the attention of ISIC inspectors. 68. If communications data is sought for the purposes of determining matters that are ) (1) the identity or a witness or prospective e.g. as ( privileged or confidential such witness being contacted by a lawyer or (2) the identity of or a journalist’s confidential source, the DP should be obliged either to refuse the request or to refer the matter to mmissioner to decide whether to authorise the request ISIC for a Judicial Co . 69. A Code of Practice, and/or ISIC guidance, should specify (1) the rare circumstances in which it may be acceptable to seek communications data for such a purpose, and (2) the circumstances in which such requests should be referred to ISIC. Novel or contentious cases 70. In recognition of the capacity of modern communications data to produce insights of mmunications a highly personal nature, where a novel or contentious request for co shou ld refer the matter to data is made, the DP to ISIC for a Judicial Commissioner . decide whether to authorise the request the circumstances in which 71. A Code of Practice, and/or ISIC guidance, should specify such requests should be referred to ISIC . USE OF INTERCEPTED MATERIAL A ND DATA General safeguards 7 of the 72. Safeguards at least equivalent to those in RIPA s15, as elaborated in P art Interception of Communications draft Code of Practice, should ensure that the 297

304 CHAPTER 15: RECOMMENDATIONS domestic disclosure, dissemination, copying, storage and retention of intercepted material is limited to the minimum necessary for the authorised purposes. 73. Equivalent statutory safeguards should be provided in relation to communications data. In particular, the new law and a Code of Practice issued under it, with the nvolvement of the Information Commissioner as appropriate, should make provision i for: (a) why, how and where data are retained within public authorities; (b) who may access them within the public authority; (c) with whom the data may be shared, and under what conditio ns; the special rules needed as regards the treatment of data that appear to be (d) privileged or confidential (see Recommendations 67 - 69 above), and data relating to a victim or a witness; (e) the processing of data for reasons going beyond their acquisition; (f) th e use of data in conjunction with other datasets; the processes for determining which data should be destroyed or further (g) retained; and (h) 1998. compliance with DPA These safeguards should be enforced and backed up by ISIC audits (as currently 74. performed by IO CCO), examining: how the material and/or data were used or analysed; (a) whether they were used for the stated or intended purpose; (b) (c) what actual interference or intrusion resulted, and whether it was proportionate to the aim set out in the original authorisatio n; (d) whether the conduct became disproportionate to what was foreseen at the point of authorisation, and if so whether the operational team initiated the withdrawal of the authorisation; (e) retention, storage and destruction arrangements; and (f) whether any error s or breaches resulted from the interference or intrusion. 75. On the basis that MI5, MI6 and GCHQ each apply the safeguards referred to in Recommendations 72 - 73 above, they should be permitted to share intercepted material and communications data between them for the purposes of their respective functions. 298

305 CHAPTER 15: RECOMMENDATIONS Any receipt of intercepted material or communications data from third countries 76. - defined safeguards, published save insofar as is should be on the basis of clearly necessary for the purposes of national secur ity and monitored by ISIC, including a warrant governing any intercepted material that is sought (ISC Report, Recommendations QQ TT). - 77. Any transfer of intercepted material or communications data to third countries should be on the basis of clearly - defined s afeguards, published save insofar as is necessary for the purposes of national security and monitored by ISIC. 78. The new law should make it clear that neither receipt nor transfer as referred to in Recommendations 7 6 - 7 7 above should ever be permitted or prac tised for the purpose of circumventing safeguards on the use of such material in the UK. Use of material recovered under bulk warrants 79. Content that is acquired pursuant to a bulk interception warrant and that relates to a communication involving a person believed to be in the UK should be made available to be read, looked at or listened to only on the basis of a specific interception warrant 38 above): cf. in part ISC issued by a Judicial Commissioner (Recommendations 26 - Report, Recommendations Q and R. 80. he new law should in addition provide for appropriately rigorous and rights - compliant T procedures for the purposes of authorising access to: (a) content that is acquired pursuant to a bulk warrant and that does not relate to a communication involving a person b elieved to be in the UK; and (b) (if Recommendation 42(b) is adopted), communications data that are obtained pursuant to a bulk warrant. Intercept as evidence 81. The bar in RIPA s17 on using intercepted material as evidence in legal proceedings (recently endorsed after lengthy consideration in Cm 8989) did not form part of this Review. Consideration should however be given to adding to the list of exceptions in RIPA s18, without prejudice to any other possible additions, proceedings before (1) oners for Northern Ireland and (2) the Sentence Review the Parole Commissi Commissioners in Northern Ireland. OVERSIGHT AND REVIEW Independent Surveillance and Intelligence Commission 82. The Interception of Communications Commissioner’s Office (IOCCO), the Office of Commissioners (OSC) and the Intelligence Services Commissioner Surveillance (ISCommr) (the current Commissioners) should be replaced by a new Independent Surveillance and Intelligence Commission (ISIC). 299

306 CHAPTER 15: RECOMMENDATIONS vide to ISIC all such 83. It should be the duty of every relevant person to disclose or pro documents and information as ISIC may require for carrying out its functions, as is the case for the current Commissioners under RIPAs s58 and 60 and the Police Act 1997 s107(5)(a). Powers and functions Warrants and authorisations ISI C (through its Judicial Commissioners: see Recommendations 106 - 107 below) 84. should be granted powers: (a) to issue and renew warrants ( Recommendation 22 above); (b) to make major modifications to specific interception warrants and combined warrants ( Recommendations 34 and 39 above); (c) to make modifications to bulk warrants ( Recommendation 49 above); (d) to cancel warrants that it has issued ( Recommendations 36, 39 and 49 above); (e) to authorise applications for communications data referred to it by public authorities pursua nt to 68 (privileged and confidential Recommendations material) and 70 (novel and contentious) above; and to issue guidance (cf. the OSC’s Procedures and Guidance of December 2014) (f) to public authorities in relation to issues arising in relation to applicat ions for warrants and the grant of authorisations, which would supplement the new law and any codes of practice issued under it and which should be published where the constraints of national security permit. 85. The functions referred to in Recommendation 84 above should only be performed by Judicial Commissioners who hold or have held high judicial office (High Court or above), subject to the possibility of delegating certain functions to persons who hold or have held judicial office at least at the level of Circuit Judge. As currently with the OSC, the judicial authorisation function should be independent from and in no sense subordinate to the other functions of ISIC. 86. Judicial Commissioners should use their power where appropriate to request further clarifi cation, information or documents from the requesting public authority, and/or to consult standing counsel on any point of legal difficulty. Public authorities should have a right of appeal to the Chief Judicial Commissioner ( Recommendation 33(b) above). 87. I SIC (through its Judicial Commissioners) should also take over from the OSC its equivalent functions (in relation to public authorities other than the security and intelligence agencies ) in relation to intrusive surveillance, property interference and unde rcover officers under RIPA Part II, RIP(S)A and the Police Act 1997. 300

307 CHAPTER 15: RECOMMENDATIONS 88. ISIC should be resourced so as to enable it to provide a prompt, efficient and reliable warrantry service in all juri sdictions of the UK. Audit and inspection The existing audit and inspe 89. ction functions of the current Commissioners should be transferred to the ISIC, including: (a) all those set out in RIPA Parts I - III, RIP(S)A and the Police Act 1997, to the extent that they are consistent with the arrangements in the new law; (b) the audit of the use by security and intelligence agencies of their holdings of b ulk ersonal d atasets (cf. ISC Report, Recommendations X and Y); and p the recently granted power to oversee the operation of directions under TA (c) 1984 s94 (IOCCO Report, March 2015, section 10 ), to the extent that such power may survive the introduction of the new law. 90. ISIC should have the power to review compliance with the terms of any warrant, authorisation or guidance that may have been issued by the Judicial Commissioners. Where error is found, an Inspector should be able to recommend that the warrant in question be reviewed by a Judicial Commissioner with a view to its possible modification or cancellation. In addition, ISIC should have the power to inspect: 91. (a) Recommendations 59 The exercise by DPs of all th e functions summarised in ; and 60 above The treatment by public authorities of privileged and confidential material ; (b) The retention, storage, processing and destruction of all communications data (c) as currently for IOCCO, acquired by public authorities (not just, ; communications data only when it is related to intercepted material) The use of such data, including in combination with other datasets (cf. ISC (d) ; Report, Recommendation Y) (e) The use by public authorities of open - source intelligence ( OSINT) ; (f) The sharing of intercepted material and communications data within the UK Government ; (g) The receipt of intercepted material and communications data from, and the transfer of such material and data to, foreign governments ( Recommendations 76 - 78 above) . 92. Additional gaps in the arrangements relating to IOCCO’s current activities (explained R in IOCCO’s su bmission of December 2014 to this eview) should be filled when ISIC is constituted. In particular: 301

308 CHAPTER 15: RECOMMENDATIONS and for a procedure for (a) Express provision should be made for error reporting, arriving at and keeping under review the definition of an error where interception is concerned. There should be a statutory requirement for ISIC to review the giving of notices (b) by the Secretary of State (currently under DRIPA 201 4 s1) requiring the retention of specific communications data by a CSP. (c) ISIC should have the power to report on refusals by service providers (including overseas service provider s, given the extraterritorial effect of the law) or disclose communications data when a lawful to intercept communications request is made of them. (d) There should be statutory provision for oversight of the operation of powers for interception and/or obtaining communications data other than in the new law, to the extent that such pow ers survive, including the power to access stored data by order of the court under PACE s9. 93. Though strictly outside the scope of this R eview, it would also be appropriate to review the existing powers of the OSC and of the ISCommr so as to identify any oth er gaps that should be filled when constituting the ISIC. ISIC (like IOCCO before it) should have the capacity to inspect the work of analysts, 94. investigators, SPoCs and DPs on live cases as well as on cases that are closed. 95. ISIC should have the power to re port on, to issue guidance on and to participate in the preparation of Codes of Practice for any activity which it has the power to inspect. Intelligence oversight functions 96. ISIC should inherit the intelligence oversight functions of the ISCommr, including : (a) oversight of the Consolidated Guidance to Intelligence Officers and Service Personnel; and keeping under review the activities of the (b) security and intelligence a gencies or others engaging in intelligence activity, as directed by the Prime Minister under RIPA s59A. 97. Consideration could be given to granting ISIC a more general supervisory power over security and intelligence a gencies, but subject to the activities of the Recommendations 118 and 119 (no duplication of functions and resources) . Powers relating to the IPT ISIC should be subject to the same obligation as the current Commissioners (RIPA 98. s68(2)) to provide assistance to the IPT, and should be kept informed of proceedings relevant to its functions (as by RIPA s68(3)). 302

309 CHAPTER 15: RECOMMENDATIONS 99. ISIC should further be given th e power, on its own initiative or at the suggestion of a public authority or CSP, and subject to a duty not to disclose anything that would be damaging to national security or prejudice ongoing operations, to: (a) inform a subject of an error on the part of a public authority or CSP; and (b) inform the subject of his right to lodge an application to the IPT; in any case in which in the opinion of ISIC it is possible that the scale or nature of the error might entitle the subject of the error to compensation. Analog ous activities Recommendation 100. To the extent that 6 is adopted, the powers and functions set out in Recommendations 84 - 99 above should apply in an equivalent manner to the activities there referred to. Reporting ry year dealing with all aspects of the There should be a report at least once in eve 101. work of ISIC, and supplemented as may be feasible by more regular statistical releases. 102. As an expert, apolitical body with a strong judicial ethos, ISIC should also have the power to carry out inquiries and produce r eports into matters falling within its remit, at the request of the Prime Minister or on its own initiative. The Prime Minister should have the power to redact ISIC’s annual report on narrowly 103. be obliged to lay specified grounds (cf. RIPA s58(7)). The Prime Minister should ISIC’s annual report before Parliament within a certain number of days (or sitting days) of receipt. Organisation and working methods Chief Commissioner 104. The Chief Commissioner should be a person of unquestioned professional distinction a nd independence, committed not only to leading the work of ISIC but to accounting publicly and to Parliament for that work, and to building public awareness of ISIC and its role. The Chief Judicial Commissioner should be eligible to serve also as Chief Co mmissioner, but need not necessarily do so: some possibilities are illustrated in the diagrams at Annex es 17 and 18 to this Report. 105. The Chief Commissioner should be appointed by the Prime Minister. Consideration should be given to allowing the ISC a voic e in the appointment or confirmation of the Chief Commissioner. 303

310 CHAPTER 15: RECOMMENDATIONS Judicial Commissioners Judges entitled to authorise warrants should be known as Judicial Commissioners 106. (or Assistant Judicial Commissioners) so as to emphasise their distinct and independent s tatus. There should be regular dialogue and sharing of experience between the Judicial Commissioners and the inspectorate. 107. - time or (as currently in the OSC) part - time Judicial Commissioners could be full judges on duty according to a rota. They should b e capable of providing prompt and efficient service for applications from all parts of the UK . It will be necessary to provide 24 - hour cover (as currently provided by the Secretary of State) for cases where urgent applications for warrants and authorisati ons arise out of hours. Inspectorate 108. An inspectorate should be provided for the audit and inspection functions entrusted to ISIC. 109. ISIC should have staff with the necessary expertise (including technical expertise) and resources in relation to: (a) each power w hose operation it audits or inspects (including interception and encryption, communications data, directed and intrusive surveillance, property operations ); and interference and CHIS/undercover (b) each function relating to intercepted material and data (incl uding acquisition, use, storage, retention, dissemination, sharing and destruction). Legal 110. ISIC should have an in - house legal presence and one or more security - cleared standing counsel, appointed on a part time basis from the independent practising - Bar, wh ose function would be, on request: (a) to give advice on recent developments in the law ; (b) ts whose to advise ISIC on possible legal vulnerabilities in the arrangemen review s ; operation it (c) to advise (at the request of the Judicial Commissioners) in relation to ap plications for warrants or requests for authorisations on proposed communications data authorisations; (d) to assist with the legal aspects of formulating guidance and contributing to Codes of Practice; and s it authorises, audits or (e) by these means to help ISIC ensure that the activitie reviews are lawful, and that the public authorities it oversees have due warning of legal difficulties. 304

311 CHAPTER 15: RECOMMENDATIONS General Within the necessary constraints of security: 111. ISIC should be public - facing, transparent and open to diverse ideas (i ncluding (a) from all sectors of the community in all parts of the UK, from other countries, from international institutions and from young people who have grown up online). (b) It should be willing to draw on expertise from the worlds of intelligence, computer sc ience, technology, academia, law and the NGO sector, and should engage with and support compliance officers and compliance mechanisms within public authorities , DPs and SPoCs. (c) As much as possible of its output (including, within the constraints of nationa l security, any guidance that it may issue) should be published on a user - friendly website. (d) Commissioners and staff should attend and participate in conferences, invite dialogue, assist the conduct of research and be alert to the adoption and dissemination of international best practice. (e) ISIC should make itself accessible to traditional media, and have an active social media presence. more ISIC should be sufficiently resourced to enable it to perform functions which are 112. extensive than those performed by almost 40 full - time and part - time current the Commissioners and staff . Investigatory Powers Tribunal Access to the IPT 113. The jurisdiction of the IPT should be expanded (or clarified) to cover circumstances where it is a CSP rather than a public authority which was at fault (for example, by intercepting the wrong communications address and/or disclosing the wrong communications data). 114. There should be a right of appeal to an appropriate court from rulings of the IPT, on points of law only, permission being require d in the normal way from either the IPT or the appellate court (cf. ISC Report, Recommendation LL). 115. The IPT (which is chaired by a High Court Judge or Lord Justice of Appeal) should be given the same power as the High Court to make a declaration of incomp atibility under HRA 1998 s4, particularly (but not exclusively) should Recommendation 114 not be adopted. 116. The IPT should have the resources it needs to operate in a practical and expeditious to ISIC and the manner. Those resources should be independent of those allocated ISC, whose conduct may from time to time be in issue before the IPT. 305

312 CHAPTER 15: RECOMMENDATIONS 117. The IPT should where appropriate require ISIC to provide it with assistance, particularly of an investigative nature, as it has several times required the existing Commis sioners to do pursuant to RIPA s68(2). Intelligence and Security Committee 118. There should continue to be a committee of parliamentarians with oversight of the work of the security and intelligence agencies and trusted by them with classified information, n ot only because parliamentary oversight is desirable in principle but because of the knowledge and understanding that its members bring to parliamentary debates with national security implications, e.g. in relation to terrorism legislation and proscription orders. 119. The functions of ISIC and the ISC should not overlap. In particular, there should be no duplication of reporting functions or resources between the ISC and ISIC. 120. It should be for Parliament to consider whether: (a) to retain the system of Prime Min isterial appointment but require the Chair to be a member of a political party not represented in government; to transfer the ISC’s investigative resource in due course to ISIC; and/or (b) (c) ith the to recast the ISC as a Select Committee (either on its own or merged w Defence Select Committee) whose members would be elected in the normal way, and to which ISIC would report where necessary in closed session. TRANSPARENCY It should be recognised that the operation of covert powers is and should remain 121. nd that transparency in relation to operational matters is not a realistic goal. secret, a 122. Public authorities should however be as open as possible (cf. ISC Report, Recommendation BBB). They should consider how they can better inform Parliament and the public about why they need their powers, how they interpret those powers, the broad ways in which those powers are used and why any additional capabilities might be required. They should contribute to any consultations on the new law, so as to ensure that policy - maki ng is informed by the best evidence. 123. The statistics provided by ISIC should be as informative as possible: the proposals put forward by IOCCO in its De cember 2014 submission to this R eview provide a useful starting point. open as possible in their work, and should seek 124. Both ISIC and the IPT should be as actively to make the public aware of their role as a check on the powers of public authorities. 306

313 ANNEXES 307

314 ANNEX 1: LIST OF ACRONYMS (1.24 above) Annex 1: LIST OF ACRONYMS . the acronyms used in this Report Below are detailed Administrative Appeals Tribunal (Australia) AAT: ACPO: Association of Chief Police Officers ATCSA 2001: Anti - Terrorism Crime and Security Act 2001 Aust ralian Security Intelligence Organisation ASIO: ASIS: Australian Secret Intelligence Service CCTV: Closed Circuit Television CAFT: Corporate Anti - Fraud Team CEOP: Child Exploitation and Online Protection Centre CHIS: Covert human intelligence sources CIU: Communications Intelligence Unit CJEU: Court of Justice of the European Union Competition and Markets Authority CMA: CNE: Computer Network Exploitation CPS: Crown Prosecution Service Crimin al Anti - CRASBO: Social Behaviour Order CSE: Com munications Security Establishment (Canada) CSEW: Crime Survey for England and Wales CSIS: Canadian Security and Intelligence Service CSPs: Communications Service Providers CTSA 2015: Counter Terrorism and Security Act 2015 DRIPA 2014: Data Rete ntion and Investigatory Powers Act 2014 DP: Designated Person DPA 1998: Data Protection Act 1998 DPI: Deep Packet Inspection Work and Pensions DWP: Department for 308

315 ANNEX 1: LIST OF ACRONYMS European Communities Act 1972 ECA 1972: European Convention on Human Rights ECHR: ECtHR: European Court of Human Rights Executive Order 12333 (USA) EO 12333: EU: European Union EU Charter: European Union Charter of Fundamental Rights Federal Bureau of Investigation (USA) FBI: FISA 1978: Foreign Intelligence Services Act 1978 (U SA) FISC: Foreign Intelligence Surveillance Court (USA) GCHQ: Government Communications Headquarters GCSB: Government Communications Security Bureau (New Zealand) Global Positioning System GPS: HMRC: Her Majesty’s Revenue and Customs HRA 1998: Human Rights Act 1998 International Covenant on Civil and Political Rights ICCPR: ICO: Information Commissioner’s Office IGIS: Inspector General of Intelligence and Security (Australia) IGIS Act: Inspector General of Intelligence and Security Act (Austral ia) IMS: IP multimedia sub - system IMSI: International Mobile Subscriber Identity Interception of Communications Act 1985 IOCA 1985: IOCC: Interception of Communications Commissioner IOCCO: Interception of Communications Commissioner’s Office IOT: Internet of Things ISP: Internet service provider IP: Internet Protocol IP address: Internet Protocol address Investigatory Powers Tribunal IPT: 309

316 ANNEX 1: LIST OF ACRONYMS Intelligence Services Act 1994 ISA 1994: Intelligence Services Act 2001 (Australia) ISA 2001: Intelligence and Security Committee of Parliament ISC: ISCommr: Intelligence Services Commissioner ISIC: Independent Surveillance and Intelligence Commission Internet Service Provider ISP: IPT: Investigatory Powers Tribunal JCDCDB: the draft Communications Data Bill Joint Committee on Justice and Security Act 2013 JSA 2013: LGA: Local Government Association LPP: Legal Professional Privilege MI5: Security Service MI6: Secret Intelligence Service MLAT: Mutual Legal Assistance Treaty Min istry of Defence MoD: MPS: Metropolitan Police Service Multi trader intra - community MTIC: - National Anti NAFN: - Fraud Network NCND: Neither confirm nor deny NCA: National Crime Agency NDA 1985: National Defence Act 1985 (Canada) NGO: Non - government al organisation NSA: National Security Agency (USA) NTAC: National Technical Assistance Centre NZSIS: New Zealand Security and Intelligence Service ONS: Office for National Statistics OSC: Office of Surveillance Commissioners Terrorism - OSCT: Office for S ecurity and Counter 310

317 ANNEX 1: LIST OF ACRONYMS Open Source Intelligence OSINT: OTT: Over The Top (providers) Police and Criminal Evidence Act 1984 PACE: Protecting Canadians from Online Crime Act 2014 (Canada) PCFOC 2014: Protection of Freedoms Act 2012 PFA 2012: Pretty Good Privacy PGP: Priorities for Intelligence Collection PIC: PRA: Pen Register Act (USA) PSNI: Police Service of Northern Ireland Regulation of Investigatory Powers Act 2000 RIPA: RIP(S)A: Regulation of Investigatory Powers (Scotland) Act 2 000 RUSI: Royal United Services Institute SCA: Stored Communications Act 1968 (USA) SIGINT: Signals Intelligence SIRC: Security Intelligence Review Committee (Canada) SISA 1979: y Intelligence Service Act 1969 (New Zealand) Securit Serious SOCA: Organised Crime Agency SPoC: Single Point of Contact SSA 1989: Security Service Act 1989 SSA 2012: S earch and Surveillance Act 2012 (New Zealand) TA 1984: Telecommunications Act 1984 TEU: Treaty on European Union THS: Tor Hidden Services : TIA 1979 Telecommunications (Interception and Access) Act 1979 (Australia) TICSA 2013: Telecommunications (Interception Capability and Security) Act 2013 (New Zealand) Tor: The Onion Router Uniform Resource Locator url: Voice Over Internet Protoc ol VOIP: 311

318 ANNEX 1: LIST OF ACRONYMS VPN: Virtual Private Networks Wiretap Act 1968 WA 1968: WGD: Warrant Granting Department WTA 2006: Wireless Telegraphy Act 2006 312

319 Annex 2: DEFINED TERMS (1.24 above) . Below are listed the terms defined for ease of reference and used in this Report Acquisit ion Code ( Acquisition and Disclosure of Commu nications Data Code of 1. Practice, March 2015). Belhadj IPT Case ( Belhadj and others v the Security Service and others 2. (Case No IPT/13132 - 9/H)). 3. Big Data ( very large data sets). IPT 4. (Charles Far r’s witness statement of 2014 in the Liberty Charles Farr Statement Case ). 5. Content - derived metadata (the technical and “less intrusive” elements of communications content) 6. Covert Surveillance and Property Interference Code (Covert Surveillance and Property Interference Code of Practice, December 2014). 7. Data Protection Directive (Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) igital Rights Ireland 293/12 and C 8. Digital Rights Ireland ( Joined Cases C - D - 594/12 and , E U:C:2014:238 ) . Seitlinger and others 9. Draft Equipment Interference Code (Draft Equipment Interference Code of Practice, February 2015). 10. Draft Interception Code ( Draft Interception of C ommunications Code of Practice, February 20 . 15) 11. e - privacy Directive (Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector) 12. EU Data Retention Directive (Directive 2006/24/EC on the retention of data generated or process ed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC ). 13. Interception Code (Interception of Communications Code of Practice) . 14. ISC Privacy and Sec urity Report (Intelligence and Security Committee, Privacy and Security: A modern and transparent legal framework , HC 1075, (March 2015)). 15. ISC Rigby Report (Intelligence and Security Committee, Report on the Intelligence relating to the murder of Lee Rigb y , (November 2014)). JCDCDB Report (Report of the Joint Committee on the Draft Communications Data 16. 313

320 ANNEX 2: DEFINED TERMS Bill, HL Paper 79 HC 479 (December 2012)). Liberty IPT Case ( Liberty and others v The Secretary of State for Foreign and 17. Commonwealth Affairs and others , Cas e Nos. IPT/13/77/CH; 13/92/CH; 13/194/C and 13/204/CH, [2015] UKIPTrib 13_77 H). - 18. Liberty ECtHR Application ( 10 Human Rights Organisations v United Kingdom, an application to the ECtHR filed on 10 April 2015). 19. PI IPT Case ( Privacy International v Secretary of State for Foreign and Commonwealth Affairs and GCHQ and others , Case No. IPT/14/85/CH). 20. Retention Code (Retention of Communications Data Code of Practice, March 2015). 21. The RUSI Review (Independent Surveillance Review of the Royal United Services Insti tute). (used to refer to: (1) companies which offer communications Service providers 22. services ( Communications Service Providers properly so called), such as BT and Vodafone, (2) companies providing internet access (commonly referred to as Internet Service Providers), such as AOL, Virgin Media and Sky (collectively, technical readers will know these two categories as the four lower levels of the OSI 7 - layer model), and (3) companies which operate “ over the top ” of an internet connection (commonly called OTT providers or Applications Services Providers), such as Facebook and Twitter ). 23. The Snowden Documents (documents stolen from the US National Security Agency by the contractor Edward Snowden, and published since 2013, purporting to describe various ance capabilities and activities ). surveill 24. SURVEILLE Report (SURVEILLE, Paper Assessing Surveillance in the Context of Preventing a Terrorist Act, (May 2015)). 25. Venice Commission Report 5 (European Commission for Democracy Through Law (Venice Commission), Update of the 2007 report on the democratic oversight of the security services and report on the democratic oversight of signals intelligence agencies , Study No 719/2013 (April 2015)). 314

321 Annex 3: SUBMISSIONS RECEIVED (1.21 above) WRITTEN Access n Drones All Party Parliamentary Group o Association of Chief Police Officers The Bar Council Dr Paul Bernal Big Brother Watch Bingham Centre for the Rule of Law Birnberg Peirce and Partners Caspar Bowden BT Center for Technology & Democracy Jan Clements Competition and Markets Authorit y Paul Connolly Dr Andrew Defty and Professor Hugh Bochel Demos DWP Mark Dzięcielewski EE Equality and Human Rights Commission Facebook/Google/Microsoft/Twitter/Yahoo Faculty of Advocates Gambling Commission Peter Gill Global Network Initiative GCHQ Richard Greenhill Guardian Media Group Morton Halperin The Henry Jackson Society HMRC Home Office Human Rights Watch Interception of Communications Commissioner’s Office The Internet Services Providers’ Association oviders’ Association The Internet Telephony Services Pr The Law Society Liberty Local Government Association Ray McClure Media Lawyers Association Metropolitan Police Service MI5 MI6 Gavin Millar QC National Union of Journalists 315

322 ANNEX 3: SUBMISSIONS NCA The Newspaper Society Ofcom Sir David Omand Open Rights Group Police Scotland PSNI Charles Raab Rights Watch (UK) Roke Manor Research Ltd Royal Mail The Scottish Government Graham Smith Editors The Society of Professor Peter Sommer Talk Talk Group Telefonica Three UCL Virgin Media Vodafone 316

323 Annex 4: MEETINGS (1.21 above) UNITED KINGDOM Rt Hon Theresa May MP, Home Secretary Rt Hon Yvette Cooper MP, Shadow Home Secretary James Brokenshire MP , Security Minister Office of Security and Counter - Terrorism, Home Office Foreign and Commonwealth Office Sir Nigel Sheinwald, Special Envoy on intelligence and law enforcement data sharing MI5 MI6 GCHQ National Technical Assistance Centre US Embassy Can adian High Commission German Embassy Alison Saunders, Director of Public Prosecutions Crown Prosecution Service National Crime Agency Rob Wainwright, Director, Europol National Policing Lead for Communications Data Metropolitan Police Commissioner MPS As sistant Commissioner for Specialist Crime and Operations MPS Communications Intelligence Unit MPS SO15 Communications Data Team Senior National Coordinator, Counter - Terrorism Data Communications Group Futures Chief Constable and Deputy Chief Constable, Pol ice Service of Northern Ireland Gloucestershire Constabulary Nottinghamshire Police Local Government Association Association of Chief Trading Standards Officers Trading Standards Hampshire Brighton City Council - Fraud Network National Anti Members of Intel ligence and Security Committee, UK Parliament Members of Joint Committee on Human Rights, UK Parliament Sir Michael Burton, President, Investigatory Powers Tribunal Charles Flint QC, Member, Investigatory Powers Tribunal ce Services Commissioner Rt Hon Sir Mark Waller, Intelligen 317

324 ANNEX 4: MEETINGS t Hon Sir Paul Kennedy, Acting Interception of Communications Commissioner R Rt Hon Sir Anthony May, Interception of Communications Commissioner Rt Hon Sir Christopher Rose, Chief Surveillance Commissioner Rt Hon Lord Judge, Chief S urveillance Commissioner designate Rt Hon Sir William Gage and Rt Hon Sir Scott Baker, Office of Surveillance Commissioners Sue Cobb, Chief of Staff to the Intelligence Services Commissioner Jo Cavan, Head of IOCCO Dr Michael Maguire, Police Ombudsman for Northern Ireland Royal United Services Institute Open Society Justice Initiative Jamie Bartlett and Carl Miller, Demos Eric King, Privacy International Alan Rusbridger and staff , The Guardian Prof Ian Brown, University of Oxford Dr Richard Clayton, Univer sity of Cambridge Dinah Rose QC Matthew Ryder QC Martin Chamberlain QC Jonathan Glasson QC Tom Hickman Ben Jaffey Sir David Omand Graham Smith Morton Halperin Apple BT Facebook Google Vodafone Communications Data Strategy Group , CSP representatives GE RMANY Federal Ministry of the Interior Federal Ministry of Justice Federal Chancellery Federal Data Protection Authority BND (foreign intelligence agency) BfV ( internal security service ) Federal Office for the Protection of the Constitution G10 Commission Bitkom (Federal Association for Information Technology) Prof Christoph Moellers, Humboldt University of Berlin 318

325 ANNEX 4: MEETINGS Prof Hans - Georg Albrecht, Max Planck Institut UNITED STATES Office of the Director of National Intelligence National Security Agency Federal Bureau of Investigation Department of Justice Foreign Intelligence Surveillance Court Yahoo Google Apple LinkedIn Dropbox Twitter Susan Friewald, University of San Francisco David Medine and Prof Jim Dempsey, PCLOB orgetown University Prof David Cole and Alberto Bedoya, Ge Access American Civil Liberties Union Cato Institute Center for Democracy and Technology Center for National Security Studies Electronic Frontier Foundation Human Rights Watch New America Foundation Third Way CANADA of the Comm unications Security Establishment Commissioner Office Security Intelligence Review Committee and Justices of the Federal Court Chief Justice Justice Canada Royal Canadian Mounted Police Public Prosecution Service of Canada ttawa Professor Craig Forcese, University of O 319

326 ANNEX 4: MEETINGS BRUSSELS Paul Nemitz, DG Justice, Director Fundamental Rights Luigi Soreca, DG Home, Director Internal Security Matthias Reute, DG Home, Director General Gilles de Kerkhove, Counter - Terrorism Coordinator igh Representative Mogherini Stefano Manservisi, Chef de Cabinet of H Giovanni Buttarelli, European Data Protection Supervisor Claude Moraes MEP, Chair of LIBE Committee Timothy Kirkhope MEP Axel Voss MEP Marju Lauristin MEP Review team ( whom I enjoyed fruitful people with Not in that list are the the 1.23 above) , rk in October and dialogues at various conferences, notably those organised by Wilton Pa November 2014, those referred to at 8.39 above whom I did not meet but who gave their and whose assistance came via th ose assistance with the law of the Five Eyes countries, email or twitter. grateful to Simon McKay for I am also letting me see proofs of his Covert policing: law and nd , Anderson for Viscount Falkland (2.20(a) above) practice (2 to Cian edn. 2015) , to Poppy Murphy and, as ever, to my special adviser Professor Clive Walker. 320

327 A ENCRYPTION AND ANONYMISATION nnex 5: IMPACT OF (4.61 above) In this Annex the following key is used: 1. (a) Eve: Agency. Alice: Sender of email. (b) (c) Bob: Recipient of email. SSL: Secure Sockets Layer. (d) The communications data being discussed in the following examples is (e) sender/recipient details. 2. : there is no encryption in use. Eve can obtain access to the content First example and sender/recipient details of an email sent by Alice to Bob via the CSP. Eve  OTT CSP CSP Alice Bob 3. Second example : t he OTT provider is using SSL, meaning that the content and sender/recipient details of an email sent by Alice to Bob are visible to the OTT. They are not visible to the CSP. The CSP is only able to see that the email is to be sent to the particular OTT provider. Eve x OTT SSL CSP CSP SSL Alice Bob 4. Third example : Eve can access the content and sender/recipient d etails from the OTT provider via a warrant or court order. If the OTT provider is based overseas, it may not cooperate with a UK court order. Eve  OTT SSL CSP CSP SSL Alice Bob 321

328 ANNEX 5: IMPACT OF ENCRYPTION AND ANONYMISATION end encryption means that the content of the email : the use of end - to 5. Fourth example - is not v isible to the CSP or the OTT provider. Sender/recipient details are visible to both. 6. Fifth example : the OTT provider is a privacy se rvice. It does not retain data at all and so cannot provide data in response to a warrant or court order. If the OTT provider does collect data, Alice and Bob can hide sender/recipient details by using an - encryption will provide protection end anonymisation service such as Tor and end - to for the content. Content and sender/recipient details are not visible to a CSP because - to - end encryption are used. The privacy service could be compromised SSL and end overtly or covertly and so a user may use an anonym isation service before visiting the privacy service. 7. For the sake of completeness, it should be noted that the combined protection offered by SSL, end - to - end encryption and anonymisation services is not absolute. A user of e to CNE. all three is still vulnerabl 322

329 Annex 6: LIST OF BODIES WITH NON - RIPA POWERS ( 6.18 above) Department Mechanisms (non - RIPA) Section Business Protection from Misleading Marketing 21 (1) , 23(1) Regulations 2008 434 (2) ; 444 (1); 447 (2) (3) Companies Act 1985 36B (1), 162, Consumer Credit Acts 1974, 1985 174A Department for Business 18 (1), (2); Innovation and Consumer Protection Act 1987 29(4)(5)(6) Skills Consumer Protection from Unfair Trading 21(1)(b)(d) Regulations 2008 16(a) Copyright Design and Patents Act 1974 107A (2), Copyright Design and Patents Act 1988 198A (2) 225 - 227 Enterprise Act 2002 434 (2); 444 (1); 447 (2) Companies Act 1985 (3) Competition & Competition Act 1998 Markets Enterprise Act 2002 (Soon to be replaced by the Authority Consume - 227 225 r Rights Bill) Consumer Credit Act 1974 Business Protection from Misleading Marketing Regulations 2008 21, 23 29(1) Fair Trading Acts 1973, 1986 36B (1), 162, Consumer Credit Acts 1974, 1985 174A 16(1)(2), 131E(1), 165, 165A, 171 - Financial 175, 218A - Conduct Financial S ervices & Markets Act 2000 221, 305 Authority Pensions Act 2004 75, 192 Pensions (N orthern I reland ) Order 2005 67,68 & 73 Merchant Shipping (Accident Reporting and ) 12 ( ? Investigative) Regulations 2005 Ministry of J ustice Prison Rule 35 323

330 ANNEX 6: LIST OF BODIES WITH NON - RIPA POWERS 75, 192 Pensions Act 2004 reland I 67,68 & 73 Pensions (N orthern ) Order 2005 D epartment for 09B and Social Security Administration Act 1992, as ork and W amended by the Social Security Fraud Act 2001 110A ensions P Social Security Administration Act 1992, as amended by the Social Security Fraud Act 2001 110(6) (N orthern I reland ) Child Support Act 1991 15(6) Northern Ireland artment of Dep Social elopment Child Support (Northern Ireland) Order 1991 16, 17 Dev Northern Ireland Dep artment of icultural and Agr Rural Animal Health Act 1981 amended by the Disease (5) ) Act 2010 ) reland I i elopment orthern ( 36 Dev of Animals (N DEFRA (5) ) i ( 36 Animal Health Act 1981 Finance Act 1988 127 Taxes Management Act 1970 20(1) HMRC Schedule 11 Value Added Tax Acts 1983, 1994 Section 4 Scottish Government Adult Support & Protection (Scotland) Act 2007 10(1), 61 Welsh 19(2), 71(2), Government Environmental Protection Act 1990 116(1) Protection from Misleading Marketing Business Regulations 2008 , 23(1) 21(1) (1), 162, 36B 174A Consumer Credit Acts 1974 and 1985 Consumer Protection from Unfair Trading 21(1)(b)(d) Regulations 2008 Northern Ireland artment of Dep Trade Enterprise Schedule 2 estment & Inv s 3(1)(2) Timeshare Act 1992 1994 Trade Marks Act 93(2) 17(2) Video Recordings Act 2010 41(2) Schedule I reland ) Order Weights and Measures (N orthern 1981 9(4) 324

331 ANNEX 6: LIST OF BODIES WITH NON RIPA POWERS - 93(1) Control of Pollution Acts 1974, 1975 19(2), 71(2), Environmental Protection Act 1990 116(1) ) ? Freshwater Fisheries Act 1975 ( Salmon & 31 General Dental Dentists Act 1984 (Amendment) Order 2001 or Council 50(3) 2005 Dangerous Dogs Act 1991 5(2) Drug Trafficking Act 1985 55 National Police, 19, 20 Police and Criminal Evidence Act 1984 Crime Agency , olice Service of P Serious Organised Crime and Police Act 2005 66 Northern Ireland Video Recordings Act 1984, 2010 17(2) Terrorism Act 2006 33 Department for Transport Marine Accident ( Investigation 259 Boards ) Merchant Shipping Act 1995 257 - Department for Transport 259 - 257 Merchant Shipping Act 1995 (Maritime and Coastguard ) Agency Merchant Shipping (Accident Reporting and Investigative) Regulations 2005 12(?) Home Office Immigration Act 1971 28D (Border Force) 127, 131 Immigration and Asylum Act 1999 Ministry of (National Justice Offender Management 35 Service) Prison Rule 35 Scottish Criminal Casework Review 194L Criminal Procedure (Scotland) Act 1995 Commission Gangmasters Licensing Authority (Licensing) Act 2004 16 Gangmasters Privacy and Electronic Communications 31A Regulations 2003 (as amended 2011) nformation I 227 - Enterprise Act 2002 225 Commissioner’s 29 (3), Office Schedule Data Protection Act 1998 9(1)(3) 325

332 ANNEX 6: LIST OF BODIES WITH NON RIPA POWERS - 135 Communications Act 2003 om Ofc 227 - 225 Enterprise Act 2002 Wireless Telegraphy Act 2006 89(4), 99(3) 55 Postal Service Act 2011 Scottish Fire and Fire Precautions Act 1971 19(1) Rescue The Fire and Rescue Services (Northern Ireland) Northern Ireland 19(1) Fire Authority Order 2006 England Fire 19(1) Fire Precautions Act 1971 Authority Fire Welsh Fire Precautions Act 1971 19(1) Authority Northern Ireland Prison Service Prison Rule 35 35 Business Protection from Misleading Marketing Regulations 2008 (1) , 23(1) 21 36B (1), 162, Consumer Credit Acts 1974, 1985 174A 18 (1), (2); 29(4)(5)(6) Consumer Protection Act 1987 Consumer Protection from Unfair Trading Regulations 2008 21(1)(b)(d) Control of Pollution Acts 1974, 1975 93(1) Copyright Design and Patents Act 1974 16(a) Local Authorities 107A (2), 198A (2) Copyright Design and Patents Act 1988 Dangerous Dogs Act 1991 5(2) Fire Precautions Act 1971 19(1) Food Safety Act 1990 32(5)(6) Local Government Act 1971, 1974 and 1982 141 Schedule 3 Package Travel, Package holiday and Tours Act 1992 Section 3 Schedule 3(1) Property Misdescriptions Act 1991 s Schedule 2 Timeshare Act 1992 s 3(1)(2) 326

333 ANNEX 6: LIST OF BODIES WITH NON RIPA POWERS - 28(1) Trade Descriptions Act 1968 Trade Marks Act 1938, 1994 93(2) 39, 79(2), Schedule Weights and Measures Act 1985 8(4) 41(2), orthern I reland ) Order Weights and Measures (N Schedule 1981 9(4) Charity Commission Charities Act 2011 47, 52 Charity orthern 22 (3), 23 (1) ) 2008 and Charities Act (N Commission for I re l I orthern N reland 93(1) Control of Pollution Acts 1974, 1975 Environment 19(2), 71(2), Agency (and 116(1) Environmental Protection Act 1990 regional equivalents) Salmon & Freshwater Fisheries Act 1975 31 ( ? ) 108(4)(k) Environment Act 1995 ood S tandards F 32(5)(6) Food Safety Act 1990 gency A eform (Fire Safety) Order 2005 in Regulatory R 19(1) England and Wales Fire (Scotland) Act 2005 (FSA) in Scotland Health and Safety at Work Act 1974 20 Reg. 28(7) Working Time Regulations 1998 and Schedule 3 Part III s19 th and eal H and Food and Environme nt Protection Act 1985 S xecutive E afety Schedule 2, para 2. Reg. 7 and Plant Protection Products Regulations 2011 Schedule 1, para 4 Reg. 20 and Plant Protection Products (Sustainable Use) Schedule 3, Regulations 2012 para 4 327

334 ANNEX 6: LIST OF BODIES WITH NON RIPA POWERS - 115 Act 1990 Environmental Protection Regulatory Reform (Fire Safety) Order 2005 Article 26 62 Fire (Scotland) Act 2005 28, 30 Electricity Act 1989 Electricity Safety, Quality and Continuity Reg. 30. Regulations 2002 REACH Enforcement Regulations 2008 Schedule 6 75, 192 Pensions Act 2004 s Pension Regulator Pensions (N orthern I reland ) Order 2005 67,68 and 73 British Board of 17(2) Film Video Recordings Act 1984, 2010 Classification General Optical 21(1), (3) Council Opticians Act 1989 Child Support 15(6) pport Act 1991 Child Su Agency UKBA (See 127, 131 Home Office) Immigration and Asylum Act 1999 General Pharmaceutical Council (for the Royal 11 Pharmacy Order 2010 Pharmaceutical Society of Great Britain) ts Act 1974, section 16(a) Copyright Design and Paten Intellectual Property Office 107A (2); 198A (2) Copyright Design and Patents Act 1988, sections D epartment for Culture, Media Privacy and Electronic Communications and Sport Regulations 2003 328

335 ANNEX 6: LIST OF BODIES WITH NON - RIPA POWERS Business Protection from Misleading Marke ting 21 (1) , 23(1) Regulations 2008 434 (2); 444 (1); 447 (2) (3) Companies Act 1985 36B (1), 162, Consumer Credit Acts 1974, 1985 174A Trading 18 (1), (2); Standards Consumer Protection Act 1987 29(4)(5)(6) Consumer Protection from Unfair Trading Regulations 2 008 21(1)(b)(d) Copyright Design and Patents Act 1974 16(a) 107A (2), 198A (2) Copyright Design and Patents Act 1988 Enterprise Act 2002 225 - 227 329

336 Annex 7: THE SNOWDEN ALLEGATIONS ( 7.7 above) In this annex, I summarise some of the main allegations th 1. at emerge from the Snowden Documents unlawfully taken from the NSA in the United States and 1 subsequently published by a number of newspapers. As emphasised at 2. , this summary should not be taken as any para 7.7 of the Report ulness or representative nature of the practices endorsement by me of the truthf l of which, save PRISM, are neither confirmed nor denied by the alleged (al Government), nor of the conduct of Edward Snowden. Bulk interception allegations PRISM The PRISM programme was said to involve t he collection by the NSA of data from the 3. servers of nine US internet companies (Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple - “ the Prism Providers ”). Types of data collected included a range of digital information such as e mail, chat, videos, photos, stored data, VOIP, video conferencing and online social networking details. An automated system called PRINTAURA organised the data by category. Some providers had the - vent by a target, such as a log - capability to provide real time notification of an email e 2 in. UPSTREAM 4. UPSTREAM data collection programmes such as BLARNEY, OAKSTAR, FAIRVIEW and STORMBREW, were said to involve the collection by the NSA of communications from the infrastructure which carries internet traffic , r ather than from the servers of internet companies. A slide referring to UPSTREAM programmes is said to describe the collection of communications from fiber cables and infrastructure as data flows “ 3 by ”. TEMPORA 5. This programme was said to involve the inte rception by GCHQ of digital traffic flowing through the underwater fibre optic cables landing in the UK. It is described as providing analysts access to “ huge amounts of data ”. “ All web, email, social, chat, - ” from th volume, low value EA, VPN, VOIP ” is said to be “ promote high e cables; “ traffic ”, such as peer to - peer downloads is then filtered out. A buffering technique - repository ”; content for three days and metadata for up to 30 days “ holds data in a “ to allow retrospective analysis and forwarding to o ther systems ”. Search terms are applied to the promoted data and any hits are entered into TEMPORA. Data is also entered into TEMPORA based on “ technology type or IP subnet ”. In 2012, GCHQ 4 appeared to be managing to collect data from 46 cables in this w ay. 1 References in this Annex are to on - line versions of the documents discussed. 2 wapo https://www.eff.org/document/2013 - 06 - 06 - - prism . - intercept - prism - olympics . https://www.eff.org/document/20140430 3 https://www.eff.org/document/2013 - 06 - 08 - guard - prism . 4 tempora . https://www.eff.org/document/20140618 - der - spiegel - gchq - report - technical - abilities - 330

337 ANNEX 7: THE SNOWDEN ALLEGATIONS MUSCULAR The MUSCULAR programme was said to be a joint GCHQ and NSA project which 6. intercepted internal fibre optic cables used by Google and Yahoo, to transmit 5 - - 2013 During a 30 day period in 2012 unencrypted data between their data centres. it was s aid that 181 million records were sent from a British collection point back to 6 the USA via this programme. DISHFIRE Slides relating to this programme describe the collection of almost 200 million text 7. messages per day in 2011 by NSA from around the world. Slide 5 describes why ; SMS is regarded as so ontain metadata and “ metacontent ” (content useful they c gems derived metadata), the latter includes such “ ” as notifications relating to credit 7 card transactions and flight plans which can enhance analytics. PTIC NERVE O Under this programme Yahoo webcam images were said to be intercepted by GCHQ. 8. In one 6 month period in 2008 images were collected from 1.8 million Yahoo user accounts globally. The programme saved one image every five seconds and users were “ u nselected”, i.e., the collection was in bulk rather than targeted. Between 3% and 11% of images were said to involve “ ”. This programme was undesirable nudity 8 also used to trial facial recognition technology. MYSTIC and RETRO The NSA programme referred t o as MYSTIC was described as a voice interception 9. programme which used buffering to record an entire country’s telephone calls and The RETRO tool, short for enable access for a month after the call took place. he retrieval of calls up to thirty days in the retrospective retrieval , was said to enable t 9 past. Bulk Processing tools Under the FASCIA programme the NSA was said to track the movements of mobile 10. phones by collecting location data as people move around. Almost 5 billion mobile phone location reco rds were logged per day. - TRAVELER was said to look for unknown associates of 11. A data sorting tool called CO 10 known intelligence targets by tracking people whose movements intersect. 12. text PREFER was said to be the analytic tool used to carry out analysis of the messages collected via the DISHFIRE programme outlined above. It was able to 5 - smiley https://www.eff.org/document/2013 - 10 - 30 - wapo - muscular - - 30 - wapo 10 muscular . - https://www.eff.org/document/2013 6 https://www.eff.org/document/2013 - 11 - 04 - wapo - windstop . - https://www.eff.org/document/2013 11 - 04 - wapo - sso - overview . 7 https://www.eff.org/document/20140116 - guard - dishfire - presentation . 8 - https://www.eff.org/document/20140227 guard - gch q - optic - nerve . 9 https://www.eff.org/document/20140318 - wapo - description - data - collection - under - mystic . - - wapo - adding - another https://www.eff.org/document/20140318 country - mystic - program . 10 . https://www.eff.org/document/20131210 - wapo - cot raveler - overview 331

338 ANNEX 7: THE SNOWDEN ALLEGATIONS extract information from missed call alerts or texts with international roaming charges. Missed call alerts could allow contact chaining, i.e., working out someone’s socia l network. Border crossings could be worked out from roaming charges texts and names could be extracted from electronic business cards. The XKEYSCORE system was said to be developed by the NSA, to allow analysts to 13. h term, such as an email address, or telephone carry out a search, using a single searc number, across three days worth of raw data collected via a number of programmes such as PRISM and UPSTREAM. According to documents relating to OPTIC NERVE, the webcam material collected via this programme wa s fed into XKEYSCORE. XKEYSCORE indexed data sources including email addresses, IP addresses, port - lists. Monitoring of Facebook chats was said numbers, file names, cookies and buddy to be possible simply by entering a Facebook user name and date range. A slide labelled “ listed VOIP as a target. Another slide described how 300 terrorists future” 11 were captured using intelligence generated from XKEYSCORE. 14. DEEP DIVE was said to have a greater capability than traditional XKEYSCORE which of data and ingests all of it. DEEP DIVE could handle 10 gigabytes handles low rates promoted” of data. It “ data that has a “ potential intelligence value” and only that is ingested into XKEYSCORE. Data “ that is not allowed to be in the system UK - UK” – is blocked. DEEP D IVE XKEYSCORE was said to be used by the TEMPORA programme though this was not the only way in which data was promoted to TEMPORA. Promotion also took place based simply on technology type or IP 12 subnet. Computer Network Exploitation 15. Documents referred to a number of programmes aimed at “ Active SIGINT ” or CNE. They were said to involve implanting malware (software designed to disrupt a computer) directly onto a user’s computer. Examples in the documents describing the use of this technique by GCHQ includ ed a programme called NOSEY SMURF which involved implanting malware to activate the microphone on smart phones, DREAMY SMURF, which had the capability to switch on smart phones, TRACKER SMURF which had the capability to provide the location of a target’s s mart phone with 13 precision, and PARANOID SMURF which ensured malware remained hidden. - high 16. It was also said that a GCHQ project called OPERATION SOCIALIST used technology called QUANTUMINSERT to direct staff at Belgacom, without their 14 websites in order to plant malware on their computers. GCHQ knowledge, to fake was also said to have gained access via CNE to the entire network of a company 15 called Gemalto, which produces SIM cards, including their encryption keys. alware can take place in bulk. An automated 17. Documents also said that implants of m “ the current implant network to scale to large size system called TURBINE, allows (millions of implants) by creating a system that does automated control implants by 11 https://www.eff.org/document/2013 - 07 - 31 - guard - xkeyscore - training - slides . 12 Ibid. 13 guard https://www.eff.org/document/20140128 - - leaky - phone - apps . 14 https://www.eff.org/document/2013 - 09 - 20 spiegel - belgacom . - 15 https://www.eff.org/document/20150219 - intercept - sim - card - encryption - key - theft - and - mobile - network - access . 332

339 ANNEX 7: THE SNOWDEN ALLEGATIONS 16 groups instead of individually . ” N MULLENIZE was said to involve a technique called User Agent OPERATIO 18. The unique marker Staining to write a unique mark or “ stain ” onto a target machine. enabled all the events from the machine to be pieced together to “ recreate a browsing for the operation was said to be the sharing of an IP address The catalyst session.” by many users at one time, which made it difficult to identify users. It was said that a 17 ”. method has been devised to enable “ on a “ large - scale staining” 16 turbine https://www.eff.org/document/20140315 - intercept - - intelligence - command - and - control . 17 . mullenize https://www.eff.org/document/20131004 - wapo - gchq - 333

340 Annex 8: INTERCEPTION CASE STUDIES (7.18 above) Case 1 A criminal investigation into a UK - based organised crime group involved in the 1. importation of Class A drugs from South America. Interception assisted in identifying the command and control structure of the group and 2. their associates in other Europ ean countries. It identified individuals responsible for facilitating the supply of drugs and also those involved in establishing front companies for importing legal goods. Intercept provided intelligence on the modus operandi employed by the group, the dates and location of the importation, and the storage place of a series of drug shipments. 3. This resulted in the arrest of UK - based members of the group and their co - conspirators overseas, as well as the seizure of significant quantities of Class ‘A’ dru gs, foreign currency, firearms and ammunition. Intercept material provided key intelligence which was pivotal in building an evidential case and ended in the successful prosecution of the defendants. It also served to enhance the Serious Organised Crime Agency 18 [SOCA] ’s working relationships with overseas partners involved in the investigation. Case 2 4. A criminal investigation into an organised crime group based in the south east of England involved in acquiring, supplying, and storing firearms in the UK. 5. Interception provided intelligence on the structure of the organised crime group, its methods of working, and the types of crime it was involved in. It helped to identify the types of firearm and the locations where the weapons and ammunition were store d. This led to the seizure of weaponry which ranged from handguns to automatic weapons, as well as significant quantities of ammunition. It also provided intelligence on turf wars with other groups operating in the area, which was critical to operational planning. 6. The intelligence provided by intercept was developed further and helped to identify those responsible for the wholesale supply of firearms in Europe. It also revealed - changes to the structure of the group and its weaknesses, enabling SOCA to r e focus the investigation. 7. The result was the successful prosecution of a significant number of gang members involved in the supply and distribution of firearms. Case 3 8. A criminal investigation into a pattern of escalating violence between a number of r ival organised crime groups, including street gangs linked to the London drug economy, operating across the capital. 18 Now replaced by the NCA. 334

341 ANNEX 8: INTERCEPTION CASE STUDIES 9. Intelligence derived from interception indicated a conflict between organised crime groups as each sought to control a greater section of the drugs market. The intelligence suggested the use of firearms by the groups. This prompted immediate steps to tackle the group, with the intention of dismantling the network, disrupting the supply of Class A drugs, preventing further loss of life and arresting those involved. The operation also targeted individuals directly involved in gun possession and crime whilst disrupting other criminal activities such as small - scale drug dealing, acquisitive crime and serious assaults. Intercepted material ide 10. ordinating the sale of significant ntified the individual co - amounts of Class A drugs, led to the location of his safe storage premises, and identified senior gang members involved in the supply chain. It also enabled junior gang members to be identified as couriers of the drugs to numerous locations across London, the Home Counties and beyond, including the method and timing transport. Interception also revealed that the head of the organised crime group was conspiring led to an armed stop of the target whilst he was with others to shoot a rival. This en route to the hit location. He was found to be in possession of a loaded firearm and arrested. The primary operation led to the collapse of the network operating across London and 11. the Home Counties. Du ring the course of the operation, intelligence from interception led to the seizure of over 40 firearms, in excess of 200kg of Class A drugs, the seizure of over £500,000 of cash and over 100 arrests. Case 4 - A criminal investigation into a London based mo 12. ney laundering network, linked to several organised crime groups that were responsible for a major share of criminal activity across London. 13. An operation was launched in partnership with HMRC to identify the proceeds linked es and to deny them funds. The police had identified that to the groups’ criminal activiti a considerable quantity of cash was being laundered on a regular basis by a relatively small group of criminals. Launderers were identified as working for multiple crime icant profits. However, traditional policing methods were networks and making signif unable to provide details of how the network ran their business. 14. Intercepted material indicated the method by which the laundering network was moving interception of high value cash funds between accounts. This led to the covert transactions, depriving the organised crime groups of their profits and diminishing their ability to complete criminal transactions. 15. During the operation, cash in excess of £3 million was seized. Intercept intelligence ind icated that a number of criminal enterprises had collapsed and a number of targets had been forced to cease their activities due to a lack of funding. 335

342 ANNEX 8: INTERCEPTION CASE STUDIES Case 5 fraud is estimated to cost the exchequer 16. Multi - trader intra - community [MTIC] million annually. The fraud typically comprises a scheme involving approximately £750 a number of participants which is set up with the sole purpose of defrauding the public purse. For example, an organised crime group acquires a VAT registration number in the UK for the purposes of purchasing goods free from VAT in another EU member state. The goods are imported into the UK and sold at a VAT inclusive price. The UK ” without paying the output tax due to company selling the goods will then “ go missing HMRC. The criminall y obtained funds will be laundered through a complex network of financial transactions involving bank transfers and cash movements in the UK and overseas. In practice, MTIC fraud will involve complex layers of companies performing different functions in a n effort to conceal the fraud and to thwart investigation and compliance activity. 17. In one particular operation, supported by interception, a total of £3.2 billion in VAT repayments was withheld from criminal groups fraudulently trading in mobile s and computer chips. Interception was also critical in identifying the bank telephone of first choice for laundering the proceeds of the crimes. Working with international partners, HMRC was able to prevent the distribution of assets to the criminal gangs. The s cale of the criminal conspiracy and related laundering operation is illustrated by the fact that over $200 million of MTIC funds have been frozen and are the subject of criminal and civil action. ions into MTIC fraud, the 18. Since HMRC started using interception to support investigat level of attempted fraud has reduced substantially from an estimated high of £5 billion in 2005/2006 to an estimated current figure of £750 million. 336

343 Annex 9: BULK DATA CASE STUDI ES ( 7.27 abo ve) Case Study 1 Since HMRC started using intercep tion to support investigations into MTIC fraud, the 1. level of attempted fraud has reduced substantially from an estimated high of £5 billion in 2005/2006 to an estimated current figure of £750 million. manhunt for a known terrorist 2. In the late 2000s, bulk data enabled GCHQ to trigger a linked to previous attacks on UK citizens. At a time when other intelligence sources had gone cold, GCHQ was able to pick up the trail by identifying patterns of activity - u p searches of bulk data provided online believed to be unique to the suspect. Follow further leads for the investigation. This work in turn highlighted links to extremists in the UK. Through a series of arrests, the network was successfully disrupted before any attack could place. Case study 2 3. In 2010 G CHQ analysts identified an airline worker in the UK with links to al - Qaida. Working with the police, agencies investigated the man, who it transpired had offered to use his access to the airport to launch a terrorist attack from the UK, and pieced This individual had taken togethe r the evidence needed to successfully convict him. great care to ensure that his extremist views and plans were totally concealed in his offline behaviour, meaning that this investigation and conviction would have been highly unl ikely without access to bulk data. Case study 3 4. Sometimes, because of the international nature of al - Qaida inspired terrorism, bulk data is the first and last line of defence. In 2010, an intelligence operation identified a plot which came right from th e top of al - Qaida: to send out waves of operatives to Europe to act as sleeper cells and prepare waves of attacks. The intelligence specified unique and distinctive communications methods that would be used by these operatives. GCHQ, in partnership with many other countries, was able to identify operatives by querying bulk data collection for these distinctive patterns. This international effort led, over a period of months, to the arrest of operatives in several ttack preparation European countries at various stages of a – including one group literally to conducting a murderous attack. en route Case study 4 5. In April 2011, GCHQ intelligence uncovered a network of extremists in the UK who had travelled to Pakistan for extremist training. Whilst the targets were abroad, GCHQ analysis revealed that the group had made contact with al - Qaida. When the group returned to the UK, intelligence suggested that they aspired to conduct an attack, possibly using Improvised Explosive Devices (IEDs). In April 2012, the g roup was arrested and later charged (in April 2013) under Terrorism Act 2006 s5, for which they received sentences ranging from 5 - 16 years in prison. 337

344 ANNEX 9: BULK DATA C ASE STUDIES Case study 5 6. GCHQ used analysis of bulk data to track down two men overseas who had been harnessing the vulnerabilities of the web to blackmail hundreds of children across the world, including the UK, into exposing themselves online – causing them huge It was the vital work trauma. Some of the victims self - harmed and considered suicide. hat brought this abuse to an end: they were able to confirm the of GCHQ analysts t suspects’ names and locations, and to identify an accomplice. After liaison between law enforcement agencies, the two men were arrested and jailed in their home country. Case study 6 7. 2014 bul k data analysis of known ISIL extremists in Syria highlighted links to an unidentified individual whose contacts, locations and attempts to hide his internet activity raised analysts’ suspicions. This analysis of bulk data provided the trigger for an inve stigation involving many different agencies across several countries. This investigation quickly led to the suspect’s arrest and prevented a bomb plot in mainland Europe which was materially ready to proceed. 338

345 Annex 10: UK RETAINED COMMUNICATIONS DATA USE CASES ) ( 7.49 above , European Commission Case 1 In September 2009 the body of taxi driver Stuart Ludlam was discovered with two 1. gunshot wounds to the head in the bo ot of his taxi outside the train station in Derbyshire Police carried out checks on the mobiles Ludlam was carrying at the ti me of his murder in order to help identify his killer. His work telephone had been stolen but data on communications using that device were identified through subscriber checks which revealed that Ludlam had received diverted calls from the main taxi ce number. Incoming and outgoing call data with cell site locations were requested offi to trace Ludlam's movements on that day. Call data was of no use at this time as it only showed the taxi number on divert calling. Police then applied for call data for t he taxi landline number to identify the last number to have contacted Ludlam and any other numbers that might be of interest to the investigation, in order to establish how he might have been lured to the murder scene. The last number to have called the t axi company was attributed to a pre - paid SIM card for which there were no subscriber details. Using the telephone data police were able to identify the place where the telephone had been purchased and where the last top - up before the murder had been purch ased, which was at a supermarket petrol station a few days beforehand. The petrol station did not have in - store CCTV but police requested the till records which revealed another transaction of 20 GBP of petrol at the same time as the purchasing up was - of the mob ile telephone top - up. Officers now knew the time the top purchased, and so examined all CCTV tapes from locations in the vicinity of the supermarket, which showed a male purchasing a mobile telephone in a nearby shop. olin Cheetham, who after further investigation was This male was identified as C convicted of Ludlam's murder and jailed for 30 years. Without access to relevant traffic data Cheetham might never have been identified. Case 2 2. A 14 - year old female from the Fife area was reported missin g in November 2009. She had a history of self - harm and multiple suicide attempts. She had left a note for her A trace to find the live parents in which she claimed to have been “ hearing voices ” . location of the victim's telephone was carried out but it had been switched off. Historical call data was examined to ascertain with whom she had been in contact prior to her going missing. The call data identified a mobile telephone whose subscription was attached to an individual unknown to the girl's parents . Checks at the registered address of the subscriber revealed that the missing girl was in the - company of a 36 old man whom she had met in an internet chat room. The man year - was charged with sexual offences. Case 3 3. UK authorities received intelligence from US authorities that an individual using email on - had sent a movie file of a woman sexually abusing a four - month - old girl. The log IP address for this account was found to be registered to a male from Northampton. 339

346 ANNEX 10: UK RETAINED COMMUNICATIONS DATA USE CASES girlfriend of the individual had three children all Further enquiries established that a less than four years old. After investigation both were convicted of the serious sexual abuse of the children. The children had been found in conditions of neglect, described by an officer as filthy, u nsanitar y and unfit for human residence. Case 4 4. Internet data were used in an investigation into the grooming of a 13 - year - old girl on an internet chat service. Examination of the victim's computer by the authorities revealed the email address of a man wh o had coerced the girl into sending naked photographs of herself and exposing herself during webcam chat. Police officers made enquiries about the e - mail address which revealed the IP address belonged to an address in Wales. Further investigation resulte d in the man being charged preventing potentially more serious sexual offences taking place. Case 5 5. In 2010/ 2011 police used data from thousands of calls over the previous 12 months between more than a dozen mobile phones to dismantle a nationwide cocain e trafficking ring. Two gang members found to be in possession of 3.58 kg of cocaine (valued 165 , 000 EUR) were arrested and their mobile phones seized. Detectives then spent months examining communications data to identify links between the other members of the group. This resulted in conviction of six gang members who were , sentenced for a total of 53 years imprisonment and the confiscation of 61 000 EUR in cash which is being used to fund police operations targeting other drug dealers. Case 6 6. Operation Frant was a detailed investigation into a number of drug dealers who were flooding London and the UK with high grade heroin from Afghanistan. The aim was to target the individuals who were masterminding this organised crime network, and 'hands on' the only possible method of detection was detailed as they were not investigation of communications data. The first part of the operation targeted the 'runners' with their consignments. In December 2007 Ghaffor Hussein was arrested in possession of a kilogramm e of heroin and in January 2008 Christian Bailey was arrested in possession of 8 kilos of heroin. In April 2008 Harminder Chana and Patrick Kuster (a Dutch national) were arrested in possession of 356 kilos of heroin, having he exchange took place. One been under surveillance when t of the ringleaders, Atif Khan, was also arrested later that day on the basis of telephone data and additional surveillance evidence linking him and Chana. Upon arrest all suspects' telephones were seized enabling investigators to obtain the cell site data and establish who orchestrated the deals. Mobile telephone call logs revealed that a certain telephone number had been used to call Khan's telephone 26 times, along with several texts, in a 45 - minute period after Khan’s arres t. This so - called “ dirty telephone” was attributed to one Abdul Rob by cell site analysis which showed two mobile phones always in the same place at the same time. The telephone evidence was crucial in the case against llance evidence of association with the other Rob as there was no previous survei members of the network. Four members of the network were convicted for conspiracy to supply heroin and sentenced for total 81.5 years imprisonment. 340

347 ANNEX 10: UK RETAINED COMMUNICATIONS DATA USE CASES Case 7 7. In January 2008 customs officers at Birmingham airpor t discovered over 16 kilos of heroine concealed with straws which had been threaded through rugs imported from Afghanistan, they alerted SOCA . SOCA substituted the drugs rugs with dummies, replaced the original packaging, and began a surveillance operatio n when the gang came to collect them. After the gang's hire car was abandoned for the second time, SOCA investigators decided to switch from traditional surveillance and to focus – a single unregistered mobile telephone nu mber instead on their other main lead used by the gang to contact the courier company. Analysis of telephone data ultimately led to the identification of five men involved in the plot. All five gang members pleaded guilty on the strength of the telephone evidence. The four main players were sentenced at Birmingham Crown Court in June 2009 to between 10 years 8 months and 14 years 8 months and 14 years 5 months for conspiracy to import Class A drugs. Case 8 8. value Police investigated (Operation Backfill) a series of armed robberies where high “strictly cash only' ”. Persons interested cars were advertised on a website for sale for in buying the cars went to meet the supposed traders and were robbed at gun point. Police examined internet data and identified the laptop and premises from wh ere the suspects had logged onto the internet when posting the advertisements, leading to a number of arrests. Case 9 9. In October 2004 a large criminal network conspired to steal £229 million from a bank in the City of London by transferring funds to bank a ccounts opened in seven different countries. Landline and mobile telephone communication data was critical to establishing those involved in this crime and understanding how it happened. The network members used landline, mobile, and kiosk phones in the UK and across multiple countries. Three defendants were extradited to the UK for trial. Billing data, call data and cell - site location data were all used as evidence in the trial which took place in March 2009. Three defendants were convicted of conspir acy to steal and two were convicted of money laundering. 341

348 Annex 11: CRIME TYPES FOR WHICH COMMUNICATIONS DATA IS ( 7.50(a) above) USED CRIME TYPE % FOR WHICH COMMUNICATIONS DATA IS USED (OUT OF TOTAL) Sexual offences 9% Vulnerable or missing persons 6% Harassment or stalking 7% 25% Drugs offences 8% Homicide, attempted murder & threats to kill Financial offences 10% Terrorism 1% Firearms and explosives 5% Offences against the person 11% Offences against property 11% 7% Other offences 342

349 URGENCY OF REQ UIREMENTS FOR COMMUNICATIONS Annex 12: DATA (7.50(b) above) The Acquisition Code (footnote 52) explains that t he CDSG has adopted a grading scheme to indicate the appropriate timeliness of the response to requirements for disclosure of communications data. 12 SURVEY % OF USE DURING 20 GRADES Grade 1 – an immediate threat to life 6% – an exceptionally urgent operational Grade 2 18% requirement for the prevention or detection of serious crime or a credible and immediate threat to national security Grade 3 but, where – matters that are routine 76% appropriate, will include specific or time critical issues such as bail dates, court dates, or where persons are in custody or where a specific line of investigation into a serious crime and early disclosure by the CSP will directly assist in th e prevention or detection of that crime. 343

350 Annex 13: LOCAL AUTHO RITY USE OF COMMUNICATIONS DATA 7.59 ( above) 1. This annex contains case studies illustrating how councils make use of communications data to stop criminal activity and bring perpetrators to justice. eration Magpie – Op Cambridgeshire County Council 2. Operation Magpie concerned an investigation into an organised crime group who defrauded elderly and vulnerable people. The criminals exploited their victims to the extent that one person was evicted from thei r home, as well as laundering cheques to the value of £700,000. 3. The ringleader of the gang received a prison sentence of 7 years with two co - conspirators receiving sentences of 5 years each. 16 other offenders were also nces serving prison sentences of up to 30 months. convicted of money laundering offe Malcolm Taylor from Trading Standards at Cambridgeshire County Council said 4. “ Without access to communications data, we would not have been in a position to connect the conspirators and detect the level of criminality that extended to over 100 vulnerable and elderly victims, some of whom have since died ”. Operation Troy – Suffolk County Council 5. Operation Troy was a long running advanced fee fraud case that was investigated and The fraud operated between 2007 prosecuted by Suffolk’s trading standards service. and 2010, involved at least £7.5 million of consumer detriment affecting well over and involved two distinct frauds; 16,000 consumers An escort/companion fraud in which consumers were offered guaranteed work as 6. escorts and companions in return for a registration fee, however no work was subsequently provided. A debt elimination fraud in which consumers paid an advanced fee to receive a debt 7. elimination service but little or no service was ever provided. he fraud was complex and well organised, operating from call centres in Spain. 8. UK T customers made contact with the call centres using free phone numbers that appeared to be UK based after viewing various escort websites offering work. During calls with es cort agency staff, false promises would be made regarding the immediate availability of work and potential earnings available. Many consumers complained of similar experiences and provided similar accounts of last minute cancelled work appointments after they had paid their fees. 9. The escort websites and telephone numbers changed frequently to confuse consumers and make it difficult for enforcement bodies to track the source of the fraud. powers and obtaining communications data for the tel By using RIPA ephone numbers used for the fraud, the following links were established: 344

351 ANNEX 13: LOCAL AUTHORITY USE OF COMMUNICATIONS DATA The multiple telephone numbers were owned and operated by only two (a) individuals. One of those individuals, who held the majority of the numbers, had been identified as being involved in operating multiple UK bank accounts used for money laundering aspects of the fraud and the creation of shell companies. (b) All the UK free phone numbers were being redirected to Spanish based numbers that were linked to a small number of call centres op erating from the These call centres were all owned by one man who was Malaga area of Spain. known to have a previous history of fraudulent trading. (c) The link provided by this communications data provided evidence that what appeared outwardly to be over 12 different separate escort website/agencies were in fact all one fraud perpetrated by one set of linked individuals. 10. In June 2012 European Arrests warrants were applied for in respect of Antoni Muldoon, the man at the helm of the fraud, and two other me mbers of the gang, Geraldine French and Bradley Rogers. All three were returned to the UK. Following extradition in September 2012 Muldoon pleaded guilty to conspiracy to defraud at Ipswich Crown Court. als at Ipswich Crown Court including 11. Following Muldoon’s plea, and after a series of tri a ten week trial involving five of the defendants that concluded in June 2013, seven further members of the gang were found guilty of offences including conspiracy to defraud and money laundering offences. The sentence s handed down totalled 36 years overall, with Muldoon receiving 7.5 years for his role and Mark Bell of Ipswich, Muldoon’s right hand man in the UK, receiving 6.5 years. 12. Confiscation proceedings followed the sentencing and to date £315,000 has been awarded in confiscation and costs, which Suffolk Trading Standards has used to repay victims of the fraud. Confiscation proceedings are continuing against Antoni Muldoon who is known to have benefited to the largest extent from this fraud and the amount of confi scation possible from him is expected to be substantial. Confiscation hearings for Muldoon are set to take place in January 2015. In July 2014 four of the defendants appealed their convictions and sentences at the 13. three sitting High Court Judges all appeals Court of Appeal in London and in front of were turned down. 14. Steve Greenfield, Suffolk’s Head of Trading Standards and Community Safety . commented that “ RIPA powers were essential to the successful outcome of this case ” Counterfeit goods case study 1 15. Two internet traders based in Slough were selling counterfeit trainers on e - bay for mail address £35.00. The only intelligence the trading standards service had was the e - and mobile phone numbers that the complainants used to make the purchase. The actual r etail price of these trainers was £135 a pair. By obtaining the data from the mobile phones and the IP address the council were able to pinpoint the address being 345

352 ANNEX 13: LOCAL AUTHORITY USE OF COMMUNICATIONS DATA used by the perpetrators. A test purchase had been made prior to a warrant being sought. A sting operation resulted in a seizure of trainers with a street value of £325,000 and both offenders received a custodial sentence. Without the communications data this would not have been possible. Counterfeit goods case study 2 Officers seized some pot entially counterfeit mirrors from a shop. 16. By the time the mirrors were confirmed as being counterfeit the trader had disappeared after failing to The contact details he provided proved to be false attend for interview. However, . officers obtained a mobi le number for the trader and the subscriber details identified He subsequently his home address in Swansea. This enabled officers to contact him. pleaded guilty to 3 offences under the Trade Marks Act 1994 . Without the access to the communications data officers would not have been able to find the new address to which he had moved and so the investigation would not have been able to proceed. Barnet council – rent deposit scheme fraud 17. A man and woman were jailed following a Barnet Council investigation to crack a highly organised plot to obtain fraudulent payments from the authority by using a complex web of false identities to open a string of bank accounts which were then activated to The rent receive thousands of pounds in fraudulent rent deposit scheme payments . deposit scheme is used by the council to provide people in need of housing with initial financial support to help secure a tenancy for private rented accommodation. d The investigation by the council’s Corporate Anti Fraud Team [CAFT] - 18. was launche Investigators after uncovering irregularities with a number of rent deposit payments. went on to identify 41 fraudulent payments worth £132,629 which had been paid to nt During the course of the investigation a further 12 fraudule different bank accounts. payments worth more than £31,600 were intercepted and blocked by CAFT. CAFT worked with NAFN to obtain mobile phone records, under RIPA, which provided 19. significant evidence to show that the accused were in regular contact on the days when withdrawals and deposits were made. substantial The powers also enabled the investigators to identify the real owners of the false identities by obtaining the mobile phone service providers records which identified names and addresses where these suspects could be fo und. The legislation also allowed information of redirected post from credit card companies, banks and online purchase deliveries which also assisted in tracing addresses that the suspects used which were then the subjects of police / CAFT raids. Without access to this information the investigation would not have proceeded to a useful outcome. Landfill tax fraud 20. A council was alerted to a skip hire company who were disposing of waste in an unauthorised manner, including avoiding payment of landfill tax e stimated at £1.3 million. Enquiries made by the council identified three suspects but there was no evidence to link them to the offences. Subscriber and itemised billing data provided by NAFN proved that there were regular communications between the indi viduals 346

353 ANNEX 13: LOCAL AUTHORITY USE OF COMMUNICATIONS DATA during periods in question. Without this information, it would have been impossible to pursue a prosecution. Fraudulent car trader 21. A car trader was convicted of multiple offences contrary to the Fraud Act 2006 in Vehicles were purchased at relation to the sale of misdescri bed and clocked cars. auction with higher mileage and advertised online via AutoTrader. The trader claimed a third party was responsible and he simply allowed the third party to use his account e easily. However, SIM cards found in possession of at auction to obtain vehicles mor the car trader were confirmed, using communications data, as being associated with unregistered pay as you go telephone numbers used in adverts for vehicles. During the course of the investigation, the trader sold his house and moved location; a second set of communications data (forwarding address details from Royal Mail helped to locate him for the purposes of arrest, entry warrants and interview. The penalty was confiscation order in 12 months imprisonment and a Proceeds of Crime Act 2002 excess of £58,000. 347

354 Annex 14: LOCAL AUTHORITY RIPA COMMUNICATIONS DATA ( above) REQUESTS VIA NAFN 9.100 2012 2013 2014 2015 81 247 158 January 190 190 106 328 February 204 March 341 313 146 78 230 270 April 83 May 383 136 June 233 208 71 19 335 1563 July 292 August 166 246 338 September 110 129 292 496 337 119 October 150 201 62 November 91 175 198 December 2676 2704 3568 Total 19 - The July 2014 one off surge involved a criminal investigation by one local authority in relation to a suspected £multi - million conspiracy to defraud. The application included approximately 1300 bscriber checks and itemised billing. for su requests 348

355 Annex 15 : THE LAW OF THE FIVE EYES (8. 41 above) Australia The primary statute governing acc ess to intercept and communications data in 1. 20 TIA 1979 long and complex. the It is Australia is . interception 2. ” of communications that are passing through a It distinguishes between “ access ” to stored communications on a telecommunications system and “ carr ier’s equipment , although both are only lawful when carried out pursuant to a warrant. Interception is narrowly confined to “ real time ” communications : “ listening to or recording by any means, such a communication in its passage ... without the 21 .” Once a communication has knowledge of the person making the communication become accessible to the recipient, it is no longer passing over a telecommunications 22 system and must be accessed via a stored communications warrant. Interception Australian Security Inte lligence Organisation 3. The TIA 1979 Part 2 - 2 sets out the mechanism by which ASIO (the Australian equivalent of MI5 , governed by the Australian Security Intelligence Organisation Act 1979 ) operates ASIO co might be issued with a warrant to intercept communications. Australian Signals , the with the Australian Secret Intelligence Service [ASIS] Directorate and the Australian Geosp atial Intelligence Organisation . - three types of warrant to intercept communications may apply for , 4. in order to ASIO munications of a person who is reasonably suspected of being engaged access the com 23 in or likely to engage in activities prejudicial to security. E ach of those warrants may be issued by the Attorney - General on request by the Director - General of Security: (a) A warrant th at specifies the telecommunications service likely to be used by a 24 person engaged in activities prejudicial to security; (b) A named person warrant that grants authority to intercept the various communications methods employed by an individual (all their mobi le phone 25 numbers or email addresses); (c) A B - party warrant, which enables the interception of a service that will be used 26 by a non - suspect to communicate with a suspect. 20 The Surveillances Devices Act 2004 and the Telecommunications Act 1997 contain further relevant provisions. 21 TIA 1979 s6(1). 22 rial may be accessed TIA 1979 s5F(1). If only the telecommunications data is required, then stored mate without a warrant under s 178 and 179 of TIA. 23 TIA 1979 s9(1). 24 TIA 1979 s9(1). 25 TIA 1979 s9A. 26 TIA 1979 s9(1)(a)(ia). 349

356 ANNEX 15: THE LAW OF THE FIVE EYES Accordingly, national security warrants 5. may only be obtained for quite narrow t Section 10 sets out a interception. purposes; hey do not provide a basis for bulk mechanism for the issuing of emergency warrants, when the Director General of Security considers it appropriate, for no longer than 48 hours. 6. A separate regime governs the grant of warrants where ASIO wishes to intercept “ . In each case, the Attorney - General must be satisfied, on the foreign intelligence” basis of advice from the Minister of Defence or Foreign Affairs, that obtaining the foreign intelligence set out in the notice is in the interests of Australia’s national security, foreign relations or economic well - being. Once again, three types of warrant may be issued: (a) A warrant authorising interception on quite a general level to a particular “ telecommunications service Where known, the name and address, .” 27 . occupation and number of the subscriber should be set out in the request (b) , for which the application must specify the A named person warrant telecommunications service that is being used by a person or foreign 28 d the foreign intelligence information that will be obtained . organisation an (c) A “ foreign communications ” warrant for the interception of foreign 29 only , (those sent or received outside of Australia. communications 7. The Director - General must not request the issue of a forei gn intelligence warrant under 11A, 11B or 11C for the purpose of collecting information concerning an Australian s 30 citizen or permanent resident. Law Enforcement Authorities The TIA 1979 Part 2 - 8. sets out the circumstances in which l aw e nforcement bodies 5 may intercept telecommunications. They may apply for a warrant to an eligible Judge or a nominated member of the Administrative Appeals Tribunal . A range of [AAT] agencies can apply, at both the state and federal level, including the Independent 31 - ba sed Anti - Corruption Commission and various Crime Commissions. Broad 9. The application must be supported by an affidavit setting out the facts and other grounds on which it is based. Two types of warrant may be issued: (a) , which authorises the intercept ion of a A telecommunications service warrant partic that may be used by an identified ular telecommunications service individual. It must set out the number of previous applications (if any) related to the service or that person and the use made by the agency of infor mation obtained by interceptions under those warrants . 27 TIA 1979 s11A(1). 28 TIA 1979 s11B. 29 TIA 1979 s11C. 30 TIA 1979 s11D(5). 31 TIA 1979 s39. 350

357 ANNEX 15: THE LAW OF THE FIVE EYES A named person warrant must set out the name of the person and details (b) , which sufficient to identify the telecommunications service they are using, details of 32 material obtained. previous applications and use made of the 10. The Judge or AAT member must be satisfied that there are reasonable grounds for suspecting that a particular person is using or is likely to use the service and the st in connection information that would be likely to be obtained would be likely to assi with the investigation by the agency of a serious offence. 11. The Judge or AAT member should have regard to: How much the privacy of any person or persons would be interfered with; (a) (b) The gravity of the conduct constituting the offence; (c) The valu e of the information obtained; (d) , or The extent to which other methods have been used, would be likely to assist might prejudice the investigation. They must be satisfied that all other practicable methods of accessing the 12. 33 communications have been exhausted. 34 Warrants may be sought and obtained, in urgent circumstances, via telephone. 13. Stored Communications 14. The TIA 1979 Part 3 contains a separate regime governing access to stored communications. In broad terms, both ASIO and criminal law enforcement agencie s are entitled to issue preservation notices, requiring a carrier to preserve all stored 35 The notice may only specify one person or communications specified in the notice. 36 telecommunications service. The TIA 1979 distinguishes between a domestic preserv ation notice and a foreign preservation notice. A foreign preservation notice is issued when a foreign country intends to request the Attorney - General to secure 37 access to telecommunications. In that sense, they reflect the UK’s MLAT regime. 15. ASIO does no t have to apply for a preservation notice before seeking access to material on the basis of a warrant. It may apply for a warrant in any case where it reasonable grounds for suspecting that a particular carrier holds stored communications that is likely t o assist in connection with the investigation of a serious contravention (a crime 38 of sufficient seriousness). Furthermore, ASIO does not normally have to apply for a separate stored communications warrant. An interception warrant will also entitle them 32 s42 and 46A. TIA 1979 s 33 TIA 1979 ss46 and 46A. 34 TIA 1979 ss43 and 50. 35 Recent changes have added a new TIA 1979 s110A that has restricted the power to access stored telecommunications data to “ ”, rather than the broader law criminal law enforcement agencies enf orcement agencies described above. 36 TIA 1979 s107H(3). 37 TIA 1979 s107N. 38 TIA 1979 s106(c). 351

358 ANNEX 15: THE LAW OF THE FIVE EYES to access stored communications if the warrant would have authorised interception if it 39 were still However, a criminal law enforcement agency will need to apply in passage. for a stored communications warrant. 16. 1979 contains a number of provisions r elating to the destruction of material TIA obtained via warrants. Telecommunications data TIA 17. 1979 Part 4 sets out the circumstances in which bodies may obtain access to telecommunications data. is not formally defined, although Telecommunications data 40 doe it A new mandatory s not include the contents or substance of a communication. data retention regime specifies categories of information that must be kept by service 41 providers for a period of two years. These categories include the subscriber of a 42 t service and the source, time, date, and location of a communication. relevan Sections 174 - 6 provide for three types of disclosure of telecommunications data to 18. , on a voluntary basis by a service provider “ if the disclosure is in ASIO. Firstly connection with the performance by [ASIO] of its functions .” Secondly , an authorisation for access to existing information or documents (which may be granted by the Director General of Security, Deputy Director General of Security and an officer of ASIO approved by the Director General ) . Thirdly, a slightly wider body of individuals may authorise access to prospective information (anybody above a certain level of seniority 43 within ASIO may grant permission) , for not longer than 90 days . In the case of an authorised dis closure, the authorising individual must be satisfied that the disclosure in connection with the performance by of its functions ”. would be “ [ASIO] Sections 17 7 19. 1 80 set out the framework governing the disclosure of existing - telecommunications data to enf orcement agencies (which includes any criminal law enforcement agency) . An enforcement agency may authorise the disclosure of telecommunications data where reasonably necessary to enforce the criminal law, pecuniary penalty or protect the locate missing persons, enforce a law imposing a public revenue. Accordingly, bodies that have the power to levy a fine may seek access 44 prospective The disclosure of to telecommunications data. telecommunications data may be authorised for a limited period where reason ably necessary for the investigation 45 of a serious offence. 20. Sections 180A and 180E allow authorised officers of the Australian Federal Police to obtain access to telecommunications data for the purpose of further disclosing that material to a foreign autho rity. The procedure, as with intercepted material, is similar to the UK’s MLAT process. 39 TIA 1979 s109. 40 TIA 1979 s172. 41 TIA 1979 s187C. 42 TIA 1979 s187A. 43 TIA 1979 ss175 - 6. 44 As long as they are defined as an enforcement agency in the n ewly amended TIA (see s110A). 45 TIA 1979 s180. 352

359 ANNEX 15: THE LAW OF THE FIVE EYES Before any authorisation is made (on any of the bases set out above) the authorised 21. s officer considering making the authorisation must be satisfied on reasonable ground 46 that any interference with privacy is justifiable and proportionate. An authorisation, the notification of that authorisation, revocation and notification of the 22. , and must contain: revocation must be in written or electronic form The identity of the e ligible person (a) t he basis on which they are eligible to and make the authorisation; The person or company from whom the disclosure is sought; (b) Details of the information or documents to be disclosed; (c) (d) A statement that the eligible person considers that to be in connection with ASIO’s functions; and 47 (e) The date of the authorisation. 23. Authorisations made on behalf of an enforcement agency must set out certain additional material. The rules are very detailed and vary, depending on whether the material is historic or prospective and on behalf of a foreign government or not. 24. E ach year, the head of an enforcement agency must give the Minister a written report that sets out the number of authorisations made and the number of disclosures to of those countries. The minister consolidates that material foreign countries and names 48 and lays before Parliament a report that sets out the consolidated material. The Austra lian Secret Intelligence Service , which I6 are 25. Different provisions apply to the activities of ASIS ( the equivalent of M ) controlled by the Intelligence Services Act 2001 2001 ] . [ISA 26. ASIS may gather intelligence about an Australian person or class of Australian persons 49 Minister for Foreign Affairs. outside Australia, as long as this is authorised by the The Minister must be satisfied that gathering the intelligence is necessary for the proper performance of one of ASIS’s statutory functions, and the person or class of persons is involved in one of a list of specified activities (such as acting for a foreign power, or 50 other activities that pose a threat to Australia’s security). ISA 2001 s14 waives any liability for ASIS in respect of acts committed overseas that would be unlawful if done end to activities pursuant to a proper function of the agency. That waiver does not ext inside Australia that ASIO could not carry out without a warrant , but it may well include . interceptions overseas 46 TIA 1979 s180F. 47 The Telecommunications (Interception and Access) (Requirements for Authorisations, Notifications and Revocations) Determination 2012, drafted by the Communications Access Co ordinator. - 48 TIA 1979 s186. 49 TIA 1979 s9. 50 ISA 2001 s9. 353

360 ANNEX 15: THE LAW OF THE FIVE EYES Oversight Oversight of the interception process is provided in Australia by three mechanisms. 27. e on Intelligence and Security oversees the int Committe Firstly, the Parliamentary Jo administration and expenditure of the Australian intelligence community, including ASIO. It is made up of members of both houses of Parliament nominated by the governing party, in consultation with a ll the parties in Parliament , although with a made up of the party currently in government. majority reports to Parliament once a It year, and will also review any amendments to include new agencies in the list of those 51 of metadata. which may authorise the disclosure Secondly, the Inspector General of Intelligence and Security 28. is e stablished by [IGIS] the Inspector General of Intelligence and Security Act 1986 [IGIS Act] . It is a largely investigatory role broad - ranging . He carries out investigations , appointed for five years into the actions of the agencies at his own initiative or pursuant to a complaint or a 52 , including the Prime Minister request from the public or from ministers He must seek . the approval of the Prime Minister or a responsible Minis ter before investigating actions 53 that took place outside of Australia. 29. The IGIS is appointed by the Governor - General on the advice of the Prime Minister. The office is accountable to the Prime Minister but does not take directions from him. , who may redact that report before IGIS provide s an annual report to the Prime Minister , although laying it before Parliament an unredacted version must be made available to the leader of the opposition. As part of his role, IGIS also conducts regular inspections an d investigations. Amongst 30. those inspections are regular reviews of the documents that ASIO has relied on as providing the basis for its interception warrants. Thirdly, the Commonwealth Ombuds man in vestigates the use of interception powers 31. 54 nt agencies, including through regular inspections of their records. by law enforceme 55 The Ombudsman The office does not have jurisdiction over the intelligence agencies. must also inspect the records of enforcement agencies to determine their compliance 56 tadata regime. with the new me Canada 32. Canadian law provides a separate authorisation mechanism for the police and the security services to collect data. Criminal law enforcement 33. Part VI of the Criminal Code, added pursuant to the Protection of Privacy Act 1974, for the grant of judicial warrants to intercept private communications. Private provides 51 TIS 1979 ss110A(11) and 176A(11). 52 IGIS Act s8. 53 IGIS Act s9AA. 54 Ombudsman Act 1976 s5. 55 Ombudsman Regulations 1977 sch. 1. 56 TIA 1979 s186B. 354

361 ANNEX 15: THE LAW OF THE FIVE EYES any oral communication or any telecommunication t hat communications are defined as “ is made by an originator who is in Canada or is intended by the originator to be received y a person who is in Canada and that is made under circumstances in which it is b reasonable for the originator thereof to expect that it will not be intercepted by any person other than the person intended by the originator thereof to receive it. ” In order to obtain an interception warrant, the police must make an application to a 34. court of criminal jurisdiction judge of a superior that is signed by the Attorney General of the province in which it is made (or an agent specified for this purpose by the ment). Govern It must be accompanied by an affidavit setting out ( s 185): ( c ) “... the facts relied on to justify the belief that an authorization should be given together with partic ulars of the offence; d ) the type of private communication proposed to be inter cepted ; ( ) the names, addresses and occupations, if known, of all persons, the ( e interception of whose private communications there are reasonable grounds to believe may assist the investigation of the offence, a general description of on of the place, if known, at which private communications the nature and locati are proposed to be intercepted and a general description of the manner of i nterception proposed to be used; f the number of instances, if any, on which an application has been made ( ) under this sec tion in relation to the offence and a person named in the affidavit pursuant to paragraph ( e ) and on which the application was withdrawn or no authorization was given, the date on which each application was made and whom each appli the name of the judge to cation was made; ( the period for which the authorization is requested; and ) g ( h ) whether other investigative procedures have been tried and have failed or why it appears they are unlikely to succeed or that the urgency of the matter is such that it would be impractical to carry out the investigation of the offence 57 using only other investigative procedures.” 35. The application is made ex parte and is heard confidentially. However, t argets of interceptions must be given notice of that fact they have been subj ect to surveillance, within 90 days of the authorisation having expired. A confidentiality extension may be granted up to three years after the investigation has come to a close ( s 196) in terrorism interests of justice ” offence cases, where the judge is persuaded that it is in the “ There . are special provisions for obtaining an urgent authorisation from the judge (s188). 36. Stored communications , for example in cloud storage or on a personal computer, may also be accessed via a production order or search war A search warrant may be rant. granted by a judge who is satisfied that there are reasonable grounds to believe that there is “ anything on or in respect of which any offence ” has been or is suspected to 57 s and terrorism offences. Subsection (h) does not apply to some serious crime 355

362 ANNEX 15: THE LAW OF THE FIVE EYES nce or the whereabouts of a be committed, or evidence as to commission of an offe 58 A judge may also order a person who is believed to have committed an offence. person, other than a person under investigation for an offence, to produce documents 59 oduce it. or prepare a document based on data already in existence and pr 37. There is some confusion within Canadian law concerning whether emails that have In already been sent should be governed by intercept or search warrants. R v Telus (2013) SCC 16, the Supreme Court interception ” purposively, holding held interpreted “ that a warrant requiring a service provider to prospectively provide access to text messages was inval interception , ” as the service id: the police were seeking an “ provider stored text messages on their servers as part of the communication and transm Thus i t is likely that the R oyal Canadian Mounted Police n process. should issio use their intercept powers, not those for search warrants, when seeking prospective access to email. 38. In late 2014, the Canadian Parliament passed the PCFOC 2014 that amended c ertain aspects of the . It provided for a clearer and more comprehensive Criminal Code framework for access to metadata by judicial warrant or court order, on a “ reasonable grounds to suspect ” standard (one that is lower than the more traditional reasonabl e 60 grounds to believe threshold). Access for the Security Services “ distinguishes between security 39. The CSIS are regulated by the CSIS Act 1984 , which relates to national security threats; intelligence ” The former foreign intelligence. ” and “ the latter to the political or economic activities of foreign states. Save in relation to the s16 exception set out below, CSIS’s role relates to the collection and analysis of security intelligence , and it is broadly the equivalent of MI 5 . 40. The CSIS Act 1984 s12 provid es, where relevant: “ The Service shall collect, by investigation or otherwise, to the extent that it is strictly necessary, and analyse and retain information and intelligence respecting activities that may on reasonable grounds be suspected of constitutin g threats to the security of Canada and, in relation thereto, shall report to and advise the Government of Canada.” 41. The s 16 exception provides that the service may collect information or intelligence in relation to any foreign state as long as that informa tion does not relate to a Canadian citizen, permanent resident or Canadian corporation and is done in Canada. Warrant applications are made to a special bank of 14 specially selected and security 42. cleared , who meet up twice a year to en sure consistency . They Federal Court judges largely hear warrant applications alone but may sit in larger numbers to hear an application and to hear submissions from CSIS on a topic of wider interest , although i n 58 Section 487.1. 59 Section 487.12. A separate provision concerns provision of financial data of those suspected of Terrorist Financing or Money Laundering (487.13). 60 - 018. Criminal Code 417.014 356

363 ANNEX 15: THE LAW OF THE FIVE EYES presiding judge. They are such cases the substantive decision is still taken by a single amicus entitled to appoint an advocate to make submissions in respect of the privacy I was told, in the course of my meeting with several issues raised by the application. counsel when novel warrants judges of the Court, that they frequently appoint amicus are sought that deploy new technology or propose new applications of old technology. The members of the Court were of the view that those counsel provided them with real assistance. I was told that warrant applicants can be m ade, heard and determined within 24 hours, and dealt with even faster in an emergency. The ordinary time lag is around 3 days. 43. The applicants are subject to a high duty of candour and may not omit relevant or important information . They will be criticise d for failing to do so, as they were in X(Re) (2013) FC 1275, when Judge Mosley concluded they had deliberately suppress ed their intention to monitor Canadian terror suspects outside of Cana da (via cooperation with 61 other Five Eyes members). 44. o the judges (who sit on rotation), the Designated Proceedings Registry In addition t employs eight full time staff and one full time senior counsel. The Registry’s annual budget (excluding infrastructure and some IT costs) was $826,000 last year ( cir c a £430,000). Dur ing 2013 - 14 the Federal Court dealt with 85 new warrant applications and 178 renewal applications. 45. A warrant must be supported by an affidavit , which I am told are ordinarily between 35 They set out (amongst other things): and 200 pages long. that the warrant is (a) icant believes “ on reasonable grounds ” Why the appl necessary for the Service to carry out its role; (b) Other procedures have been tried and failed or are unlikely to succeed; (c) The type of communication to be intercepted or information, records, documen ts or things to be obtained; (d) The identity of the person whose communication is proposed to be intercepted (if known); and (e) Any previous applications in respect of that person. 46. A warrant may not be issued for longer than 60 days, where it is issued to enable the Service to investigate “ threats to the security of Canada ”, or one year in any other case. 47. involves a two - stage review process: by the Minister and Thus, this warrant process The judicial element was introduced following a series of reports into also by the court. abuses carried out by the Canadian police Security Services in the 1970s. , the Federal Court held that the CSIS had no power to carry out 48. In 2008 in Re CSIS activities beyond Canadian borders because the CSIS Act is not extraterritorial in scope, or at least did not authorize overseas conduct that was not in compliance with 61 2014 FCA 249) Re(X) The judgment was upheld by the Court of Appeal ( 357

364 ANNEX 15: THE LAW OF THE FIVE EYES foreign laws (and thus violated foreign sovereignty). As a practical result, the power to s21 warrant ffairs is a covertly collect information (pursuant to ) relating to foreign a The effects of that decision restricted to the right to take steps within Canada itself. 2014 which provided that CSIS may perform its duties and were reversed by PCFOC functions outside o expressly authori s es a judge to issue a war rant for f Canada. It overse may be violation of foreign or other as investigations, even if those investigations laws. Sections 34 and onwards of the Act establish the SIRC , composed of members of the 49. Canadian Privy Council. T hose who sit on SIRC are not ordinarily me mbers of the Senate or House of Commons. The Governor in Council (in practice, the Canadian federal cabinet) appoints the members of the Committee in consultation with the Prime Minister, Leader of the Opposition and the leader of each party with at least 12 Members of the House of Commons. The individuals appointed play an important but comparatively limited role in the operations of SIRC. They retain other obligations and ordinarily only meet a small number of times per year. The day - to - day operations of SIRC are carried out by its full time staff of 18 individuals. 50. The Committee is required to review the Service in general, although the statute does not specify that it shoul d review the warrantry process. However, in practice SIRC reviews a random s ample of all warrant applications in any given year (around 5%). That review involves an examination of the underlying documents that led to the Their reports warrant application, that were not provided to the court in the application. are provided to th e Minister and the Director of the Service. SIRC also prepares an recounting its findings and its operations and summarising annual report recommendations. 51. Any individual may complain of the Service’s activities to the Committee, which is 62 stigate and make recommendations. . SIRC has no powers to enforce entitled to inve its holdings. It is competent only to make recommendations. 52. The National Defence Act 1985 [NDA 1985 ] recognised the existence of what is now the CSE, a signals intelligence agency and th e Canadian equivalent of GCHQ. NDA 1985 defined CSE ’s mandate as : “( a to acquire and use information from the global information infrastructure for ) the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priori ties; b ) ( to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; and ( c ) to provide technical and operational assistance to federal law enforcement 63 and security agencies in the performance of their lawful duties.” 62 Section 37. 63 273.64(1). 358

365 ANNEX 15: THE LAW OF THE FIVE EYES In conducting its mandate (a) and (b) functions, CSE may not direct its activities at 53. Canadians or any person in Canada and their activities are subject to measures to he privacy of Canadians in the use and retention of intercepted material. protect t When CSE performs its mandate (c) function providing assistance to federal law enforcement and security services, it is sheltered by those bodies’ lawful authority (e.g., a Part VI . authorization or CSIS Act warrant) 54. When CSE collects foreign intelligence, this is generally an internal decision with no legislated oversight requirements. However, in the course of collecting foreign , CSE may sweep up incidental e through signals intelligence operations intelligenc ” – that is communications involving Canadians or persons in “ private communications f the Criminal Code’s Part VI Canada. To prevent this from being a violation o NDA 1985 puts in place a special authorization prohibition on unlawful intercepts, the regime, involving the Minister of National Defence. Unlike CSIS, CSE may be authorised by the Minister to obtain foreign intelligence that may involve private tisfied that communications without reference to the courts. The Minister must be sa the interception will be directed at foreign entities outside Canada, the information could not be obtained by other means, the value of the material justifies the interception and that satisfactory measures are in place to protect the privacy of Canadians and to ensure that the material will only be used or retained if they are essential to international These broad powers stand in some contrast to the focused affairs, defence or security. and specific warrantry process for CSIS. CSE h as historically adopted the position that a ministerial authorisation was not 55. While ined access to required before it obta ollowing Telus and Spencer , and the metadata, f , that position is no longer arguable. 2014 changes introduced by PCFOC 56. 1985 requires the appointment of a supernumerary (retired) judge as a NDA Commissioner of CSE to review its activities and investigate any complaints (section 273.63). The current Commissioner is supported by 11 staff members. His operation 64 costs a little under $2 million Can Among other things, the adian dollars per year. Commissioner reviews any new ministerial authorisations relating to private communication on a provisional basis and then addresses them in more detail in his annual review. His staff are also given access to the data analysis engineers within CSE and may confirm the processes and uses that it is subjected to. 57. The Commissioner’s reports have been an important source of information concerning what mechanisms are employed by CSE and also how it interprets its obligations. In particular, t he 2012 Commissioner’s report disclosed CSE’s policy concerning the private communications of Canadian citizens that are the ‘bycatch’ of a foreign intelligence collection : (a) They must be destroyed, save where the material is f oreign intelligence or material essential to protect the lives or safety of individuals of any nationality, or where it contains information on serious criminal activity relating to the 64 p. 13. http://www.ocsec - bccst.gc.ca/ann - rpt/2013 - 2014/ann - rpt_e.pdf 359

366 ANNEX 15: THE LAW OF THE FIVE EYES is m to the security of Canada or essential to identify, isolate or prevent har Canadian Government’s computer systems. (b) At the expiry of an authorisation, CSE must report to the Ministry of National Defence explaining what Canadian communications were retained and on w hat 65 basis. (c) hen CSE shares information with its global partners, the names of any W Canadian are redacted and only reinstated at the specific request of a partner country and after CSE has satisfied itself that the requesting government 66 department has proper authority and justification to make the request. New Zealand The Security and Intelligence Service 58. NZSIS is New Zealand’s equivalent of MI5 , and is governed by the New Zealand Security Intelligence Service Act 1969 [SISA 1979 . ] 59. America (and to some extent Australia) , New Zealand provides for jud icial Like Canada, oversight of the warr ant process at the point of authorisation . However, unlike those countries, that oversight is provided by a retired High Court Judge, the Commissioner 67 arrants. The Commissioner is a creature of statute , created in 1999. of Security W 60. Domestic warrant applications are jointly signed off by both the Minister and the Commissioner. The applicant must provide sworn witness evidence that the interception is necessary for the detection of activities prejudicial to security or for the purpose of gathering foreign intelligence information essential to security. They must also provide evidence that any communication sought to be intercepted is not privileged 68 and that the information is not be obtained by any other means. Foreign intelli 61. differently. Firstly, t he Commissioner is not gence warrants operate involved in their authorisation . Secondly, as well as satisfying the conditions above, NZSIS must demonstrate that that there are reasonable grounds for believing that no New Zealand ci tizen or permanent resident is to be identified by the proposed warrant as a person who is to be subject to the warrant and that any place to be specified in the proposed warrant is occupied by a foreign organisation or a foreign person. 62. Whether internal or foreign, intelligence warrants must specify the type of communication to be intercepted, the identity of the persons (if known) whose communications are sought to be intercepted and (if not known) the place or facility in 69 respect of which communications may be intercepted. Given the restrictive nature of those requirements, it is unlikely that NZSIS has any power to carry out bulk interception. 65 Ibid., - 15. p. 14 66 Ibid ., p. 27. 67 SIS A 1979 s5A. 68 SISA 1979 s4A. 69 SISA 1979 s4B. 360

367 ANNEX 15: THE LAW OF THE FIVE EYES SISA 1979 also contains provisions relating to destruction of irrelevant data. 63. Security Bureau The Government Communications The GCSB was originally a branch 64. of the Ministry of Defence. It bears some resemblance to GCHQ in the United Kingdom The Director of GCSB may apply in . 70 writing to the Minister for an interception warrant authorising the interception of: Communications made or received by one or more persons or classes of (a) persons specified in the authorisation or made and received in one or more places or classes of places specified in the authorisation; (b) Communications sent from, or being sent to an overs eas country; or (c) accessing of one of more specified information infrastructures or classes of The information infrastructures that the Bureau cannot otherwise lawfully access. As under SISA 1979 65. , any application for a warrant or access authorisation must be made jointly to the Minister and the Commissioner of Security Warrants, if anything done under the warrant is for the purpose of intercepting the private communications 71 If the warrant or authorisation is n of a New Zealand citizen or permanent resident. ot sought for the purpose of intercepting the private communications of a person who is a 72 needs to agree it . New Zealand citizen or permanent resident, only the Minister 66. The Minister and Commissioner may grant the interception warrant if satisfied that it is for the purpose of performing the Bureau’s functions; the outcome justifies the interception; it cannot be achieved by other means; there are satisfactory arrangements to ensure that nothing will be done in reliance on the warrant that goes beyond what is necessary; and anything done will be reasonable, having regard to the purposes of the 73 As with SISA 1979 , no warrant may be issued for the purpose of warrant itself. intercepting privileged communications. 67. Interception without a warrant may take place in certain narrow circumstances, when the interception does not involve physically connecting an interception device to any information infrastructure or installing an interception device in a place; any access to information infrastructure is “ access to one or more communication links limited to between computers or to remote terminals ” and it is carried out in pursuance of either advising or cooperating with public authorities in terms of protecting communications 74 n intelligence . and infrastructures, or regarding foreig Police Surveillance [SSA 68. The Search and Surveillance Act 2012 2012 ] sets out a comprehensive regime governing all species of warrant, including warrants for entry, warrants to set up road blocks and interception under a warrant. A warrant is necessary if an enforcement 70 GCSB Act s15A(1). 71 GCSB Act s15B. 72 GCSB Act s14. 73 GCSB Act ss15A(2). 74 GCSB Act s16. 361

368 ANNEX 15: THE LAW OF THE FIVE EYES officer wishes to use an interception device to intercept a private communication (as 75 well as various other forms of surveillance). An application for a surveillance device warrant (which includes a warrant to use an 69. reasonable detail ”: the eption device) must be made in writing and set out in “ interc name of the applicant, the provision that authorises the application, the grounds on which it is made, the suspected offence in relation to which authorisation is sought, the ty pe of device, the name address or other description of the person, place, vehicle or thing that is the object of surveillance, what material it is hoped to obtain and the period 76 for which the warrant is sought. ot be If the person, place, thing or vehicle cann identified, the application must at least define the parameters of and objectives of the operation. An application may only be made by a constable or an enforcement officer 77 that has been approved by an Order in Council. Other law enforcement bodies 70. than the police may only undertake interception if they 78 have been designated by an Order in Council made by the Governor - General. 71. The application should be made to a Judge, who must be satisfied that there are reasonable grounds to suspect that an offenc e has been or is being or will be committed and that that offence falls within a list of sufficiently serious crimes, set out in the 79 Schedule to the Act. The Judge must also be convinced that the interception will obtain evidential material. There are me chanisms for obtaining a warrant in an emergency, where there is 72. 80 to a Judge. insufficient time to secure access Access to Metadata 73. The law concerning access to communications data, or metadata, was unclear until recently. In 2013 it was disclosed that GC SB had taken the view that metadata was not a communication and so could be obtained without a warrant (or indeed any other 81 formal authorisation mechanism). TICSA 2013 has set the position out on a statutory ” as information generated as a result of making footing. It defines “ call associated data a telecommunication that includes the number from which it originates, the number to which it was sent, if it is diverted then the number at which it was received, the time at which it was sent, its duration, if it was from a mobile phone the point at which it first 82 entered the network. Public telecommunications service providers are required to be capable of obtaining 74. call associated data (other than telecommunications that are not authorised to be 83 intercepted under the warrant or lawful authority). That information should be 75 SSA 2012 s46. 76 SSA 2012 s49(1). 77 SSA 2012 s49(5). 78 SSA 2012 s50(1). 79 SSA 2012 s51(1). 80 SSA s48. 81 Kit teridge Report on GCSB Compliance, available online at: http://www.gcsb.govt.nz/assets/GCSB - Compliance - Review/Review - of - Compliance.pdf para 23. 82 TICSA 2013 s3. 83 2013 s10. TICSA 362

369 ANNEX 15: THE LAW OF THE FIVE EYES , on presentation of a proper warrant, provided to GCSB, SIS or the New Zealand Police. 75. A fresh round of Snowden disclosures in 2014 suggested that GCSB had developed a mass metadata colle ction program known as SPEARGUN. The basic premise of the was to insert metadata probes into the Southern Cross Cable, which alleged program carries much of New Zealand’s telecommunications. Prime Minister John Key admitted that the project had been init iated but denied that it had become operational because as he had vetoed it. The controversy arose, in part, the broad powers under GCSB Act 84 ss 15 and 15A were not in place during 2012, when the project was allegedly begun. Oversight The New Zealand secur ity services are overseen via a number of statutory 76. mechanisms. First , the Intelligence and Security Committee is a Parliamentary body, established in statute, which is made up of five persons including the Prime Minister, 85 ther Members of Parliament. It examines Leader of the Opposition and 3 o the policies and administration of the Security Intelligence Service and GCSB and consider other questions with intelligence or security implications that are referred to it by the Prime Minister. Second , the Inspe ctor 77. General of Intelligence and Security, is an individual appointed - 86 by the Governor General, on the recommendation of the Prime Minister. The Inspector - General enquire s into the Services ’ compliance with its legal obligations and complaints about its a They are specifically required to review, at least once ctivities. every 12 months, the compliance with the governing legislation in relation to the issue 87 and execution of warrants and authorisations. The Inspector - General reports annually to the Prime Minister and a redacted version of that report is laid before Parliament. 78. Third, as set out above, the Commissioner of Security Warrants is engaged in agreeing to any warrant that will collect the communications of granted to the security service nd citizens or residents. New Zeala The United States of America 79. The US law concerning investigatory powers is divided between two separate statutory frameworks. The WA 1968 , the Stored Communications Act [SCA] and Pen Register Act govern the use of investiga tory powers in conventional criminal law [PRA] 88 [FISA A separate regime, the Foreign Intelligence Services Act 1978 enforcement. 1978 ] , governs the collection and analysis of foreign intelligence. Both frameworks have been extensively amended since their intro duction. 84 speargun https://firstlook.org/theintercept/2014/09/15/new - zealand - - - mass - surveillance/ gcsb 85 Intelligence and Security Committee Act 1996. 86 Inspector - General of Intelligence and Security Act 1996 [IGISA] s. 5. 87 IGISA s11(d). 88 US Civil Code Title 18 Chapter 119. SCA and PRA were introduced under the Electronic . 1968 Communications Privacy Act 1986 , which substantially amended the WA 363

370 ANNEX 15: THE LAW OF THE FIVE EYES Criminal law enforcement The WA 1968 governs interception of wireless, oral and electronic communications 80. the United States. It defines intercept as “ the aural or other acquisition of the within tion through the use of any contents of any wire, electronic or oral communica 89 electronic, mechanical or other device. Access to information that is not in the course ” 90 S CA. of transmission, is governed by the 81. All interceptions under the WA 1968 must be authorised by a court and are subject to careful re view. US Code s2516 of Title 18 sets out the basis on which law enforcement staff, inside the United States, may be given authority to intercept communications. Various senior officials within federal law enforcement agencies (such as the FBI or the Atto rney General’s office) may authorise an application to a Federal Judge of 91 competent jurisdiction for an interception warrant. The application must be in writing, I was told by law on oath and set out the facts and circumstances in some detail. nt agencies that these applications are frequently substantial documents. enforceme An application may only be made in order to provide evidence (from the wiretap) that will be relevant to certain serious federal felonies. If the application is for an extension, i t must set out the results obtained thus far or a reasonable explanation for the failure 92 to obtain results under the previous warrant. 93 The court m ust be satisfied that there is “ probab le cause for belief ” that: 82. (a) An offence has been or is about to be comm itted; (b) Communications confirming the commission of the offence will be obtained; Normal investigative procedures have been tried and failed or are unlikely to (c) succeed; The communications method is or will be used in connection with the (d) fense. commission of the of 83. The third of those criteria is not required for other types of investigatory warrant, such As a result, interception warrant s are sometimes referred to as as a search warrant. su per warrants ” . The warrant shall not continue for longer than is nec essary and may “ 94 not be issued for more than 30 days. In an emergency situation an interception may 95 begin without an application to the court, an application is made within 48 hours. if 84. The ordinary position under the WA 1968 is that an inventory of the fact of interception, dates and whether anything was intercepted is provided to the persons named in the order within 90 days of termination unless the authority can show “ good cause ” to 89 18 U.S.C § 2510(4). 90 As is the case in the United Kingdom, the precise boundary between data in the course of that is “ transmission ” and communications data is a complex area of some uncertainty. 91 18 U.S.C. § 2516 (1). 92 18 U.S.C. § 2518 (1)(f). 93 Ibid . at (3). 94 Ibid . at (5). 95 Ibid . at (7). 364

371 ANNEX 15: THE LAW OF THE FIVE EYES 96 ex parte I was told, durin g my trip to the hearing. withhold that information at an United States, that disclosure to the subject ordinarily occurs in the context of a criminal procedure. Those individuals who receive notification that they have had their d , rarely bring but are not party to any criminal trial communications intercepte Such damages are capped in any event. proceedings seeking damages. US Code C hapter 21 of Title 18 , commonly referred to as the SCA , provides access for 85. d on a Remote law enforcement to both contents and metadata that are store Computing Serv ice . This provides computer storage or processing services to the 97 public by means of an electronic communications system such as cloud storage. , Access to the content of stored communications, without notice, is granted on the basis 98 Access to stored material that does not include the content of of a search warrant. 99 communications may be granted on a similar basis. However, and importantly, a specified subset of non 86. content may be accessed by - on of a court. Those data administrative subpoena without the scrutiny or authorisati are: name, address, call records, length of service, types of service used, number used 100 including temporarily assigned IP address, means and source of payment. As a thout the permission result, much of the most important metadata may be obtained wi of a court. 87. Furthermore, the SCA provides for access to metadata records, without judicial authorisation, where the Director of the FBI (or his designee) certifies that they are relevant to an authorised investigation to protect agains t international terrorism or Those requests are know National Security clandestine intelligence activities. n as “ Letters ” . The Director of the FBI may request, and a telecoms provider is required to provide, name, address, length of service and local and long distance toll billing records 101 on that basis. An important distinction between US and UK law (as it currently stands) is that there is 88. no requirement for service providers in the United States to store data beyond their own business needs. I was inf ormed during my trip to the US that it was highly unlikely that Congress would consider legislation requiring service providers to retain or create data that they did not themselves need for business purposes (such as billing). However, telecommunications providers are required to retain data that they already produce and create such as: name, address, telephone number of the caller, telephone 102 If law enforcement agencies want number called, date, time and length of a call. access to material beyond that, or want access to other metadata , they are empowered 103 to request that material is preserved, pending an application for access to that data. 96 Ibid . at (8)(d). 97 18 U.S.C. § 2711(2). 98 If the data owner is put on notice, it may also be accessed via a court order, administrative subpoena or grand jury or trial subpoena 18 U.S.C. § 2703. 99 Search warrant, telemarketing fraud request or court order. It is important to note that for non - conte nt subscriber records, no notice has to be given to the subscriber. 100 18 U.S.C. § 2703 (2). 101 18 U.S.C. § 2709 (b). 102 17 C.F.R. § 42.6. 103 E.g. 18 U.S.C. § 2704. 365

372 ANNEX 15: THE LAW OF THE FIVE EYES Finally PRA grants both federal and state law enforcement the right to make records of 89. register) and incoming calls (trap and trace) to a particular outgoing numbers from (pen 104 phone number pursuant to a court order. pen register ” was The definition of a “ widened by the USA PATRIOT Act in 2001. It now includes a device which records signalling information” that ca n record access to the internet and other network “ 105 analysis devices. The procedure for obtaining a court order is less onerous than the procedure for obtaining a warrant, both in terms of the standard of proof to be met and 106 the level of detail that is ord Court orders under the PRA last for up inarily provided. to 60 days. They do not provide a basis for gaining access to the contents of communications. Gathering of foreign intelligence reign powers 90. FISA 1978 (as amended) authorises the electronic surveillance of fo overseas - and agents of foreign including groups engaged in international terrorism - 1978 is gathered overseas or powers. Much of the material collected under FISA - US citizens in the mainland United States. However, a concerns the activities of non 107 US person may also be an agent of a foreign power, to the extent that they knowingly gather intelligence for a foreign power or engage in sabotage or terrorism on behalf of a foreign power. 91. FISA 1978 authorises broadly three kinds of data colle ction. First the traditional FISA 1978 process requires a Federal officer, with the approval of the Attorney General, to apply to the FISC, a bespoke federal court made up of eleven district court judges set up following reports of abuse by the intelligen ce agencies in the United States, for an interception warrant. Those eleven judges sit part time, at the court for one week stints The Court on duty, where they read or hear warrant applications under FISA 1978. 108 has 10 full time staff members: five couns el to the Court and five administrative staff. The majority of applications are dealt with on the papers though I was informed that 92. 109 The judges can and do request around 10% are dealt with following an oral hearing. that the individual who swore an affi davit in support of the application appears before No special advocate can them so that they can be asked questions by the judge. appear to make submissions in defence of the privacy interests in issue. The court has m the Centre for National Security Studies on the recently accepted an amicus brief fro 110 However, I am not aware of amicus counsel question of bulk metadata production. being instructed to make submissions in specific cases. Historically very few judgements of the FISC have been published. However, there has been a trend A telecommunications provider, that is ordered to towards publication in recent years. provide access to material, or a government body that has applied for a warrant may 104 18 U.S.C. § 3121. 105 18 U.S.C. § 3127 (3). 106 18 U.S.C. § 3122. 107 Defined as a citizen of the US, an alien with lawful permanent residence or a US corporation or unincorporated association. 108 The court does not publish details of its costs but the District Court Judges are not paid any additional salary for their FISC work. 109 In the calend ar year 2013, the FISC received 1,655 applications under s 702, 178 applications for “ tangible things ” under s 215 and the FBI applied for 14,219 National Security Letters. 110 . 1.pdf http://www.fisc.uscourts.gov/sites/default/files/Misc%2014 - 01%20Order - 366

373 ANNEX 15: THE LAW OF THE FIVE EYES oreign Intelligence Surveillance appeal a decision of the FISC to the United States F Court of Review. In practice, such appeals are rare. 93. 1978 warrant must specify the identit y (if known) or a An application for a FISA It must set out the facts description of the specific target of the electronic surveillance. and circumstances to support the belief that the target is a foreign power or agent of a 111 foreign power and that the targeted facilities will be used by them. The application must also set out the minimisation procedures in place to ensure that the 112 correspondence of United States persons is not acquired, retained or distributed. The judge of the FISC must be satisfied that there is probable cause to believe that the 94. elements above are satisfied (including that the target is a foreign power or agent of a 113 An order may be granted for up to 90 days. foreign power). FISA 1978 orders may be granted that authorise the interception of the communications of US citizens, to the extent that the FISC judge is satisfied that there is probable cause to find tha t that individual is an agent of a foreign power. The second, more controversial, aspect of FISA 1978 arises out of a series of 95. amendments to the Act introduced in 2008 (the FISA Amendment Act 2008 Section 702 allows the targeting of individuals “ reasonabl y believed to be located outside the United States to acquire foreign intelligence information ” without the same degree of 114 judicial scrutiny. Under s702, the Attorney General and the Director of National Intelligence may jointly authorise that targeting for a period of up to one year. Acquisition of data via this route may not intentionally target: (a) Any person known to be located in the United States; (b) A person outside of the United States in order to target a person reasonably believed to be in the United States; A United States person reasonably believed to be outside the United States; or (c) (d) Any communication as to which the sender and recipients are all known to be inside the United States. 96. The basic mechanics of s702 are: (a) The Attorney General and Director of National Intelligence draw up a certificate identifying categories of foreign intelligence that they wish to collect (for example email addresses of suspected terrorists overseas). Those certifications do not contain the level of specificity as to the individual tar geted that is required under a normal FISA 1978 order; (b) They The certification must set out the targeting procedures that will be used. reasonably designed” must be “ limited to ensure that the material acquired is “ to targeting persons reaso nably believed to be located outside the United 111 50 U.S.C. § 1804 (a). 112 See: 50 U.S.C. § 1801. 113 50 U.S.C. § 1805. 114 50 U.S.C § 1881a. 367

374 ANNEX 15: THE LAW OF THE FIVE EYES .” States The certification must also attest that the Attorney General has adopted Guidelines to ensure compliance with the s702 framework. (c) s of those A judge of the FISC reviews the minimisation and targeting provision t the They must be satisfied tha certifications before they are implemented. reasonably designed ” to meet the objectives set out targeting procedures are “ 115 above. The presiding judge writes an opinion setting out why he or she e procedures meet that standard and also why they comply considers that th with the First Amendment right to free speech. However, the judge does not have to approve the targeting decisions: they do (d) not have to satisfy themselves that the target (or targets) are a foreign power or 116 agents of a foreign power. The NSA have published a fact sheet on their minimisation procedures, which (e) provides that inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the aut horised 117 purpose or evidence of a crime. The Inspector General assesses compliance with the procedural requirements and 97. The Attorney General also submits reports on them on an annual basis to Congress. of applications and extensions a report to Congress each year setting out the number of s702 surveillance certificates and the number of those orders or extensions granted, 118 modified or denied. He also submits a semi annual assessment to three - 119 Congressional select committees concerning all electronic survei llance under s702. 98. Section 702 provided the basis for the US Government to carry out its PRISM and at Upstream collection programs (described more fully to this Report ). Annex 7 is Subchapter IV: Ac 99. cess to A third, and equally controversial, aspect of FISA 19 7 8 Certain Business Records for Foreign Intelligence Purposes (known as s It 215). provides that the Director of the FBI, or a designee, may make an application for an order requiring the production of any “ tangible things (including books, records, p apers, documents, and other items) for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international 120 terrorism or clandestine intelligence activities .” 100. An application under s215 shoul d be made to the FIS C and include a statement of facts showing that there are reasonable grounds to believe that the things sought are 121 If the court is satisfied that that is the case, relevant to an authorised investigation. it will issue an order that d escribes the tangible things that must be provided “ with sufficient particularity to permit them to be fairly identified .” 115 50 U.S.C. § 1881a (i) (2)(B)(i) 116 50 USC § 1881a (g). 117 https://www.fas.org/irp/news/2013/06/nsa - sect702.pdf . 118 50 U.S.C. § 1807. 119 50 U.S.C. § 1808. 120 50 U.S.C. § 1861(1). 121 Ibid . 1861(1) (b). 368

375 ANNEX 15: THE LAW OF THE FIVE EYES Section 215 has become controversial in the light of the disclosures in the Snowden 101. applied, on behalf of the NSA, for , when it became clear that the FBI had Documents orders authorising the collection of nearly all call information generated by certain telephone companies in the USA. The NSA had then queried the database of information that resulted by enquiring for all calls to or fr om telephone numbers in respect of which there was a “ Reasonable Articulable Suspicion ” that it was associated with terrorism (the seed number). The NSA then operated a system known as contact - chaining whereby all persons in contact with the seed number the first hop - all numbers directly in contact with the first hop numbers (the second hop) and all numbers in contact with those second hop numbers as well (the third hop) could be accessed 122 The judges of the FISC had authorised that progra m pursuant to a series and stored. of 90 day orders. 102. Finally, EO 12333 provides an extra - statutory basis for the intelligence services to carry out interception of communications. It was first issued in 1981 and has been amended on occasions since. Part 1 of E O 12333 sets out the various roles of the three includes a broad power to collect intelligence bodies in the United States. Part 2 information. Comparatively little is known about the use of those powers. If it is relied upon as a basis for carrying out inter ception, the intelligence agencies may do so without judicial authorisation. Oversight 103. The intelligence services in the United States are subject to multiple forms of oversight. In 2007 Congress established a Privacy and Civil Liberties Oversight Board to review and oversee civil liberties in the context of national security. The Board has published two report. Its first, in January 2014 concerned the “ section 215 program ” and held that it did not comply with the statute itself. In particular, the Board held that the program terrorism investigations in general, and - had been authorised by reference to counter not a specific authorised investigation (as required). They also expressed their serious 123 reservations about whether or not it complied with the Con A second report stitution. in July 2014, concerning s702 concluded that certain historical programs “ push the 124 program close to the line of constitutional reasonableness.” However, they concluded that the program was, in broad terms, lawful. B oth House s of Congress also provide legislative oversight in the form of a permanent select committee on intelligence. 104. A separate President’s Intelligence Oversight Board reports directly to the President on potential violations of the law committed by the Agencie s . Many of the Agencies themselves also contain an Office of Inspector General, with a remit to review 125 compliance internally. 122 Following a change in 2014 the FISC now has to approve RAS determinations before contact chaining may be carried out. 123 http://www.fas.org/irp/offdocs/pclob 215.pdf . That was a view shared by the President’s Review Group - on Intelligence and Communi cations Technologies, p. 85. https://www.whitehouse.gov/sites/default/files/docs/2013 - 12 - 12_rg_final_report.pdf . 124 http://www.pclob.gov/library.html page 9. 125 th - 14, HC231 (May 2014), p. 92. 17 Report of Session 2013 369

376 Annex 16: POTENTIAL USE OF TRAFFIC DATA BY LOCAL AUTHORITIES (9.83 above) 1. Th e information in this Annex derive s from evidence to the Review from Hampshire County Council officers, March 2015. Cold calling fraud 2. In April 2012 Mr V was arrested at a house where a consumer had been defrauded of a considerable amount of money. Other persons ran away and could not be identified. 3. From itemised bi lling checks on Mr V’s telephone number, it was established that Mr V had been in regular contact with a Mr A. Itemised billing for Mr A’s phone number showed a pattern of contacts with Mr V. 4. Some time later Mr A was arrested, but on interview he denied being present at the address and he claimed that someone else had asked him to cash a cheque that had been written by the consumer. Nothing could be proved to the contrary. 5. Only Mr V was able to be prosecuted for the fraud offences and he was eventually given a suspended sentence of 15 months imprisonment plus community service. He was also given a 7 year Criminal Anti Social Behaviour Order [ CRASBO ] banning him from being involved in cold calling anywhere in England and Wales. against Mr A was a money laundering offence and he was just All that could be proved 6. given a sentence of 140 hours community service. The local authority was unable to apply for a CRASBO against him, as they could not place him at the scene. 7. Had the local authority been able to access traffic data they would have checked location data for Mr A’s phone, which would have been likely to show he had been in of the offences. If this had been the vicinity at the consumer’s house at the time established this would have enabled them to prosecute him for the fraud offence and quite possibly to have used a conspiracy charge involving both men. If there had been being obtained a successful fraud prosecution, this would have resulted in a CRASBO against Mr. A. ted vulnerable consumers in general, The CRASBO would have protec since he would be liable to arrest if he was caught cold calling anywhere, even if no fraud was provable. Counterfeit goods In a number of cases, 8. a local authority has seized counterfeit goods from persons who are sel ling them locally, but appear to be obtaining them from other persons further up the distribution chain. The defendants have claimed not to know the name or phone number of their supplier, because he just rings them when he is about to deliver more Consequently the local authority is usually only able to prosecute the person stock. from whom the items were seized. If they were able to access traffic data they could use this to obtain incoming calls data for the defendant’s phone to try to identify the ier. This would otherwise not be possible as the defendant was not making phone suppl calls to the supplier. Rather than just prosecuting the persons at the bottom of the 370

377 ANNEX 16: POTENTIAL USE OF TRAFFIC DATA BY LOCAL AUTHORITIES distribution chain, they would be able to prosecute the distributors who would also be supp lying counterfeit goods to other persons in the locality and making greater profits. 371

378 Annex 17: I ndependent Surveillance and Intelligence Commission (ISIC) Model A above) (14.100 372

379 Annex 18: Independent Surveillance and Intelligence Commission (14.100 above) (ISIC) Model B 373




Related documents

Annual Intellectual Property Report to Congress

Annual Intellectual Property Report to Congress


More info »
U.S. Mexico Canada Trade Agreement: Likely Impact on the U.S. Economy and on Specific Industry Sectors

U.S. Mexico Canada Trade Agreement: Likely Impact on the U.S. Economy and on Specific Industry Sectors

United States International Trade Commission U.S. -Mexico -Canada Trade Agreement: Likely Impact on the U.S. Economy and on Specific Industry Sectors April 2019 Publication Number: 4889 Investigation ...

More info »
Sumi Mini Tools Catalog LR

Sumi Mini Tools Catalog LR

Sumitomo Electric Carbide, Inc. Headquarters Detroit Branch 14496 Sheldon Road #230 1001 Business Center Drive Mount Prospect, IL 60056-2181 Plymouth, MI 48170 P.O. Box 545, Mt. Prospect, IL 60056-054...

More info »
Sphinx Vol. 2 High Precision Cutting Tools

Sphinx Vol. 2 High Precision Cutting Tools


More info »
15 1242.Opinion.8 16 2018

15 1242.Opinion.8 16 2018

United States Court of Appeals for the Federal Circuit ______________________ -CALL TECHNOLOGIES, L CLICK P, -TO Appellant v. INGENIO, INC., YELLOWPAGES.COM, LLC, Appellees IANCU, UNDER SECRETA ANDREI...

More info »
ETSI Directives   Version 40   April 2019

ETSI Directives Version 40 April 2019

Page 39 RULES OF PROCEDURE, 3 April 2019 ETSI IPR POLICY 6: ETSI Intellectual Property Rights Policy ANNEX 1 Introduction The General Assembly of ETSI has established the following Intellectual Proper...

More info »
Fact Sheet   How to search for patent information

Fact Sheet How to search for patent information

www.iprhelpdesk.eu European IPR Helpdesk Fact Sheet How to search for patent information This fact sheet has been developed in cooperation with 1 2018 January What information is presented in a patent...

More info »
Fact Sheet   Copyright essentials <