The UK Investigatory Powers Act: A Bad Example for the World
This piece was written by PI Executive Director Dr Gus Hosein and originally appeared here.
Surveillance law is absolutely necessary because it compels the government to write down, for all to clearly see, the rules that they must abide by as they undertake intrusive powers, often in secret, to investigate criminal activity and protect a country. To do so is to protect the rule of law, uphold democracy, and safeguard human rights. For two decades, successive British governments have evaded transparency, even as they failed repeatedly at passing mass surveillance legislation, and deployed — in secret — capabilities that nobody, not even the UK parliament, knew were allowed or even possible.
A chapter in this tawdry tale ended in November 2016 when the UK parliament gave the government a clean bill of health and, essentially, a blank check on a new era of secret surveillance. Privacy advocates would argue that the recently implemented Investigatory Powers Act (IPA) is a draconian and expansive piece of surveillance legislation that no other liberal democracy has had the gall to attempt. The UK government, on the other hand, claims it is the most rights-protective piece of legislation the world has yet seen.
They can’t both be right.
We are now beginning a new chapter of continued disingenuous and cynical surveillance law in the United Kingdom. The best example of its cynical attitude arose when the Intelligence and Security Committee of the UK parliament demanded that, upon reviewing a draft of the bill, the UK government place privacy at the heart of the legislation. The Home Office, the ministry in charge, responded by merely adding one instance of the word “privacy” to the bill.
It didn’t have to be this way.
The Investigatory Powers Act, commonly described among privacy advocates as the “Snoopers’ Charter,” was introduced following a raft of avowals in 2015 revealing that previously proposed (and opposed) powers, had in fact been in use, many for decades, unbeknownst to the public and indeed even to the UK parliament, using opaque and obscure statutory powers.
Rather than being conciliatory with the UK parliament and the public about the existence of secret law and secret powers, the legislation was promulgated by the government as a mere consolidation of powers already in existence. This is disingenuous if not downright dishonest. It ignores the fact that parliament had previously opposed these powers. It bypasses the fact that the UK intelligence agencies were caught out by a U.S. whistleblower and had no intention of ever avowing some of these powers. It belittles the court findings, based on Privacy International’s legal action, that these powers had been exercised in secret for decades without a clear legal framework, with inadequate safeguards, and little to no oversight.
Importantly, it also blatantly ignores the opposition of industry, legal experts, and rights organizations over the extraordinary expansion of powers that is captured in this 300 page piece of legislation varying from, for example, the ability to: demand companies pre-release new products to the Government via Technical Capability Notices before releasing to the public; demand companies assist the government in hacking the public’s devices; and require a single broad warrant that could apply to thousands of devices and people.
Further, despite the UK government boasting that the IPA would create a clean sheet, consolidating surveillance powers into one transparent piece of legislation, this is just further misdirection. First, whilst it replaces much, but not all, of its ancestor legislation, the Regulation of Investigatory Powers Act 2000 (RIPA), several old, vague, and broad laws such as the Security Services Act 1989, the Intelligence Services Act 1994, and the Police Act 1997 will continue to exist in parallel. These will continue to provide alternative routes for government agencies who decide that the Snoopers’ Charter does not offer the full breadth of powers they seek. Second, even now, many modern surveillance capabilities we know the police and intelligence agencies are using — like setting up fake mobile phone base stations to monitor protestors, and monitoring social network activities of entirely innocent people — remains unregulated by law.
Whole new types of powers are now in this law. It is striking that at a time when cybersecurity is seen as imperative to even election integrity, the UK government snuck through a legal basis for it to hack devices and networks. Hacking can be a highly intrusive activity by government. When deployed against an individual’s computer or telephone, it can achieve results more intrusive that the cumulative actions of targeting an individual by bugging his house, searching his premises and possessions, intercepting his communications, reviewing all letters and diaries, and putting a tracking device on him. Bulk hacking can be deployed against entire networks, giving access to numerous computers. The consequence is the ability to gain access to the data of very large numbers of people, all in secret.
Even traditional rule of law questions remain. The legislation provides for “thematic warrants,” where the government performs the incredible feat of redefining a general warrant that can impact literally millions of people, thereby undermining the principle that “fundamental rights cannot be overridden by general or ambiguous words,” because, according to Lord Hoffman, a former Lord of Appeal in Ordinary (the highest court of appeals in the UK), “there is too great a risk that the full implications of their unqualified meaning may have passed unnoticed in the democratic process.”
David Anderson, the independent advisor to the U.K. government on terrorism, warned that thematic warrants for both hacking and interception, have “some of the potential range of bulk warrants but without the same safeguards.”
The law permits the issue of a warrant by the UK Secretary of State for a whole class of activity or range of property. In a modern liberal democracy, how can it be possible for a law to allow for a single warrant to give access to “all mobile telephones in the United Kingdom” or “all copies of Microsoft Windows used by a person in the UK who is suspected of having travelled to Turkey in the last year?”
As a result, the UK is one of the first governments anywhere in the world to give themselves the explicit legal right to hack in bulk, which could literally mean hacking millions of devices.
We will be none the wiser as to how these powers are used. The UK has succeeded in creating legislation future-proofed against effective scrutiny, and it will undoubtedly be interpreted in secret to enable state bodies to be “creative” in how they use these powers.
With developments in the United States and the rise of nationalism across Europe, this should have been a time for restraint. Instead, the winners from this alleged gold standard of surveillance legislation are any government in the world that wants to assert greater power over their own population. All they have to do is say “the British government is doing it, so why can’t we?”
