Cross-posted on Lawfare.
Last week the Intelligence and Security Committee (ISC) of the UK Parliament published its much-anticipated report entitled ‘Privacy and Security: A modern and transparent legal framework.’ The Report followed an extended inquiry into UK agencies’ surveillance practices prompted by the Snowden revelations; while it concludes that the agencies have generally acted within the prescribed legal limits, it also calls for a total overhaul of the UK legislation governing electronic surveillance, which it finds to be fragmented, overly complex and confusing. For helpful overviews of the Report’s main conclusions and recommendations, see Shaheed Fatima and Ruchi Parekh on Just Security, and James Ball in The Guardian.
The ISC’s exoneration of GCHQ et al. was hardly surprising – libertarians and privacy activists have derided its members as having long gone native and being nothing more than a bunch of apologists for the intelligence agencies whom they are supposed to oversee. Liberty’s ShamiChakrabarti thus commented that ‘the ISC has repeatedly shown itself as a simple mouthpiece for the spooks – so clueless and ineffective that it’s only thanks to Edward Snowden that it had the slightest clue of the agencies’ antics,’ while The Guardian’s editorial page a tad more delicately called it the ‘watchdog that rarely barks,’ the ‘slumbering scrutineer’ and a body that ‘searches out nothing.’ So there.
Whatever the intentions behind the Report, and despite the (at times comical) level of redactions in its public version, it is still a useful document. At a minimum, it provides a reasonably clear analytical overview of the legal framework currently regulating the surveillance activities of the British intelligence agencies, as well as the relevant procedures, and provides a helpful comparison point for those looking at the same set of problems in a different system, for instance in the United States or Germany. In this post I will comment critically on some aspects of the Report that I think are especially interesting and deserving of further consideration.
Surveillance and human rights
First, I think it worth noting the ISC’s apparent level of comfort with the human rights legal framework, including the legality, necessity and proportionality tests for the purpose of justifying interferences with privacy (Report, pp. 14-16). At no point in its analysis does the ICC question the appropriateness of these legal tests, as developed in the case law of the European Court of Human Rights, which are binding on the agencies domestically by virtue of the Human Rights Act 1998, incorporating parts of the European Convention into UK law.
Second, the Report applies the ECHR analytical framework to all surveillance activities of the UK agencies. It does not any point claim that individuals located outside the UK have no right to private life, i.e. that the ECHR (and the HRA) do not apply extraterritorially. I have extensively argued in a forthcoming piece in the Harvard International Law Journal that human rights treaties should apply to extraterritorial surveillance, and ISC at least did not seem to have any problem with that proposition. It does note (p. 26, para. 56), correctly in my view, that the state has many other tools at its disposal when operating on its own territory, which means that the nature of extraterritorial surveillance (and the regulation thereof) may be different.
Bulk collection/mass surveillance
Third, the Report attempts to justify the use of bulk collection of data by the intelligence agencies, and does so in several ways. It first tries to minimize the sheer scale of bulk collection, essentially by arguing that GCHQ collects only a very small percentage of the total communications made over the Internet on any day, that it does so on the basis of specific selection criteria, and that an even tinier fraction of the communications collected is actually read by a GCHQ analyst (Report, pp. 27-32). Note that all of the exact percentages have been redacted.
However, as James Ball well explains for The Guardian, saying that GCHQ siphons only a small percentage of the total data traversing the Internet, and that only a fraction of that data is analysed, tells us precisely nothing about the scale of its surveillance programs. The majority of Internet traffic consists of file sharing or video streaming, which vastly outstrip the total volume of email communications, and is automatically filtered out as having no intelligence value. In other words, even if GCHQ collected every email out there it would still be collecting only a small percentage of Internet traffic. The ISC moreover rather superficially discounts the intrusiveness and chilling effects that collection alone can produce.
The ISC then proceeds to examine the crucial issue of whether bulk collection actually works in a paltry two pages (Report, pp. 32-33) and unsurprisingly concludes that it does. What ‘works’ really means here is not explained. The ISC cites three case studies provides to it by GCHQ as examples of the program’s usefulness, but any information on them is redacted. The ISC simply says that (para. 81): ‘these examples cannot be published, even in redacted form, without significant risk to GCHQ’s capabilities, and consequential damage to the national security of the UK. We can, however, confirm that they refer to complex problems relating directly to some of the UK’s highest priority intelligence requirements.’ They thus conclude (para. L) that: ‘GCHQ’s bulk interception is a valuable capability that should remain available to them.’
No information is provided on whether the ISC subjected GCHQ’s case studies to any kind of critical scrutiny. The ISC then goes on to reject the categorical stance of various privacy activists, who argue that bulk collection is inherently disproportionate (Report, pp. 35-36). The ISC may well be correct on this point – it is at least non-obvious, and I personally have no firm view on the matter – but it does so in a manner which is wholly unpersuasive, by regurgitating some ‘gotcha’ questioning of privacy advocates in its hearings:
MR HOWARTH: You object to [bulk collection] in principle, which is fair enough, but do you accept the corollary to that, which is that some things might happen that otherwise might have been prevented?
ISABELLA SANKEY: Yes. That is always the case in a free society. Some things might happen that could have been prevented if you took all of the most oppressive, restrictive and privacy-infringing measures. That is the price you pay to live in a free society.
M. While we recognise privacy concerns about bulk interception, we do not subscribe to the point of view that it is acceptable to let some terrorist attacks happen in order to uphold the individual right to privacy – nor do we believe that the vast majority of the British public would. In principle it is right that the intelligence Agencies have this capability, provided – and it is this that is essential – that it is tightly controlled and subject to proper safeguards.
Leaving the speculation about what the ‘vast majority of the British public’ thinks aside, this reasoning can be extended to any interference with any individual right (e.g. we do not subscribe to the point of view that it is acceptable to let some terrorist attacks happen in order to uphold the individual right to be free from torture, etc.). Such a crude juxtaposition of liberty and security cannot form the basis for making policy in a modern democratic society. Even if we looked at the problem in purely utilitarian terms, the ISC’s conclusion is rendered almost meaningless by the fact that, because of the generous redactions, it provides us with no real information on the utility of the bulk collection program that we could balance against its intrusiveness into private life (other than that we’re supposed to take the ISC’s word for it, despite its evident trust deficit).
The relevance of UK nationality
The UK statute governing the interception of communications (RIPA) draws a cardinal distinction between ‘internal’ and ‘external’ communications. The former differ from the latter in that both ends of the communication have to be located in the UK. The interception of internal communications requires an individualized warrant signed by the Foreign Secretary (s. 8(1) RIPA), whereas external communications can be collected pursuant to generalized warrants (s. 8(4) RIPA).
This distinction has proven to be difficult to draw in the digital age, has led to controversial results and has confused even the ministers who are supposed to apply it, and the ISC recommends that it be scrapped in a new statutes. The key point, however, is that the RIPA distinction is nationality-neutral: ‘The RIPA warrant regime is based on geography, rather than nationality. Therefore, while it provides additional safeguards for individuals in the UK, it does not do so for UK nationals overseas. However, GCHQ recognise the particular sensitivities around the targeting of UK nationals, and this policy position is reflected in their operational approach: GCHQ have implemented an additional system of internal authorisations for the communications of UK nationals overseas to provide that further assurance. [redacted footnote] … This is not a formal, legal requirement (unlike a RIPA 16(3) modification relating to communications of people in the UK). However, it does mean that there is a further consideration of necessity and proportionality before such communications can be examined.’ (Report, pp. 43-44).
The ISC proceeds to recommend that UK nationals abroad be given the same level of legal protection as UK nationals in the UK (i.e. an individualized warrant). This is in my view highly problematic. Human rights law sees discrimination on the basis of citizenship as particularly suspect, and the ISC makes no attempt to justify it, i.e. why UK nationals deserve more protection for their privacy than non-nationals when abroad (and only when abroad). I have argued at length elsewhere why such distinctions are inappropriate and not likely to survive human rights scrutiny (see here and here; see also paras. 35-36 of the OHCHR report on the right to privacy in the digital age). In other words, a major benefit of the current UK legal arrangements is precisely that they do not discriminate on the basis of nationality, unlike the comparable statutes in the other ‘Five Eyes’ states.
Authorization and oversight
There is one point where I think the Report does make some meaningful contribution (pp. 73-76) – in its discussion of whether ex ante authorizations to conduct surveillance should be given by a minister (as is the case in the UK now) or by a judge (as is the case in the US with the FISA Court). While privacy advocates have argued for the need to have judicial warrants, the Report endorses the status quo – not necessarily because having judges authorize warrants would be impracticable, but because the ISC’s view they would authorize more warrants than a democratically accountable minister would (para. FF):
In relation to the activities that we have considered thus far, those which are most intrusive are authorised by a Secretary of State. Some witnesses questioned whether Ministers had sufficient time and independence and suggested that the public had lost trust and confidence in elected politicians to make those decisions. The Committee recognises these concerns. However, one aspect which we found compelling is that Ministers are able to take into account the wider context of each warrant application and the risks involved, whereas judges can only decide whether a warrant application is legally compliant. This additional hurdle would be lost if responsibility were to be transferred to judges and may indeed result in more warrant applications being authorised.
In other words, while a judge would have to authorize a warrant which is within the law, even if the proposed course of action is stupid or is likely to have a number of adverse political consequences (think Angela Merkel’s phone), a minister would not. (In this respect the Report echoes the reasoning of the Foreign Secretary in his testimony before the ISC).
It is a genuinely difficult question whether the best possible model for ex ante authorization should be ministerial or judicial. While a level of independent judicial oversight of intelligence agencies is to my mind indispensable, in designing such oversight one must ensure that, on the one hand, it is practicable and takes into account legitimate security concerns (e.g. by having cleared judges looking at evidence in camera), while, on the other hand, avoiding having the judges seeing themselves, or being seen as, as apologists for the intelligence community that they should be controlling. The involvement of specialized judges in ex ante authorizations is perhaps inherently more likely to lead to the judges going native, as it were. The question of ex ante authorization is also directly tied to how robust judicial supervision is ex post facto and what hurdles (e.g. in terms of standing) are put in front of prospective litigants. So while I am not persuaded that an ex ante, FISA Court type model is the best possible solution (just think of the FISC’s ‘whole-world-but-the-Five-Eyes’ warrant and consider whether it provided any meaningful check on the NSA), I’m sure that the ISC should have devoted much more energy into considering possible reforms of the existing UK specialized court with ex post facto jurisdiction, the Investigatory Powers Tribunal, which somewhat embarrassingly upheld less than 1% of the complaints against the government since its establishment.