GCHQ

Experts concerned over silence around government obligation to review UK surveillance laws

The government is required to review the UK’s surveillance law, the Investigatory Powers Act, but experts say they are in the dark about its plans. The National Crime Agency’s operation Venetic has highlighted the need for urgent reforms

Concerned experts are asking what plans the government has to meet its obligations to review Britain’s extensive surveillance laws.

The Home Office is legally required to review the operation of the Investigatory Powers Act 2016 (IPA), widely known as the Snoopers’ Charter, after five and half years.

But information security and legal experts have said that they are concerned the government has given no indication of what its plans are to revisit the IPA – despite growing concerns over the adequacy of the act.

Experts have said there is an urgent need to reform the Investigatory Powers Act to allow intercept evidence to be made admissible in criminal prosecutions. They have also called for the use of artificial intelligence (AI) in surveillance to be assessed following ground-breaking advancements which have enabled more intrusive information gathering.

And there are outstanding questions over whether the IPA complies with legal rulings by the European Court of Human Rights, which require end-to-end safeguards for the bulk collection of communications and protections for journalistically privileged information.

Intercept evidence should be admissible in court

Peter Sommer, a computer forensics expert and expert witness, advised the Joint Lords and Commons Select Committee carrying out the pre-legislative scrutiny of the draft Investigatory Powers Bill in 2015 and 2016.

He told Computer Weekly there was an obvious need to change the way the IPA treats intercept, which cannot be used as evidence in prosecutions, in the wake of Operation Venetic, the National Crime Agency’s (NCA’s) biggest investigation into organised crime.

“The most obvious modification now required is to treat intercept evidence in the same way as all other types of evidence and to change the current position whereby warrants can be obtained for intelligence purposes but intercept evidence is inadmissible and cannot be referred to in court,” he said.

Prosecutions brought under Operation Venetic, which rely on the contents of millions of messages and photographs obtained by French police in 2020 from the supposedly secure encrypted phone network, EncroChat, have faced legal difficulties over the admissibility of intercepted evidence.

Defence lawyers have issued a series of legal challenges against the National Crime Agency over the admissibility of material intercepted from tens of thousands of Encrochat phones in the UK, in the Court of Appeal, the European Court of Human Rights and most recently, the UK’s Investigatory Powers Tribunal.

“The current status is causing massive problems in the NCA’s biggest investigation, Operation Venetic, where there are considerable doubts about the status of acquired EncroChat messages and photos. Are they admissible or not?” said Sommers.

Ian Brown, a specialist in information security, said that there was a need for clarity on whether large-scale equipment interference operations similar to the operation against EncroChat were going to be more frequently deployed by law enforcement agencies in the future.

There are questions, he said, whether any data obtained from real-time interception will be admissible in criminal trials as long as it was obtained from digital equipment, rather than from an analogue radio link or telephone wire. “If so, are further safeguards needed?” he added.

Artificial intelligence

Other experts have said that the government should review developments in artificial intelligence which have enabled law enforcement and intelligence agencies to conduct more intrusive bulk surveillance since the Investigatory Powers Act came into force.

Eric Kind, an expert in surveillance and legal and public policy, and managing director of data rights agency AWO, told Computer Weekly that AI and its impact on bulk surveillance powers should be a key priority for any review.

“Artificial intelligence should be one of the top priorities for review, due to the number of ground-breaking advancements since the passing of the IPA. They have the ability to significantly shift the privacy versus intrusion balance throughout the act, but most prominently with regards to bulk powers,” he said.

European court decisions affect IPA

Lawyers and privacy groups also argue the IPA should be re-visited in the light of decisions by the European Court of Human Rights which found serious failings in the UK’s earlier surveillance regime, the Regulation of Investigatory Powers Act 2000 (RIPA).

A decision by the European Court of Human Rights in the case of Big Brother Watch and others vs the UK in 2020, for example, raises questions whether the Investigatory Powers Act provides adequate privacy safeguards during bulk surveillance operations.

Home secretary Suella Braverman was a member of the Joint Select Committee that reviewed the draft Investigatory Powers Bill from November 2015 to February 2016, and is said to have a good understanding of the issues at stake.

Under Section 260 of the Investigatory Powers Act, the government is legally required to review the Investigatory Powers Act five years and six months after it received Royal Assent in November 2016, and to present a copy of the review to Parliament.

Bulk interception

Sommer said that in addition with the difficulties posed by the IPA over intercept evidence, there were difficulties separating legally admissible communications data from inadmissible content in web-based email and social media services.

He said that there was a strong case for Parliament’s Intelligence and Security Committee to review the scope and operation of bulk interception and acquisition warrants.

“Such warrants inevitably collect information from the wholly innocent on the off-chance that they might be guilty of something,” he said.

Although the Investigatory Powers Act authorised state hacking as “equipment interference” and allowed evidence obtained in this way to be used as evidence in court, Sommer said that unlike other forms of digital evidence, there were no standard operating procedures “to ensure the integrity and reliability of the results”.

Any government review would also be expected to assess the performance of the Office for Data Authorisations (OCDA), a body set up in March 2019 – after the IPA 2016 came into force – to review applications by government bodies to access metadata about individuals’ telephone, email and internet use from phone and internet companies.

The OCDA, which was set up to manage 200,000 requests a year from 600 public bodies to access communications data, which includes information such as the sender and recipient of emails, the time they were sent, and the first part of a URL of websites visited.

According to the Investigatory Powers Commissioner’s Office (IPCO), the organisation employs around 100 people, at two offices in Manchester and Birmingham, who act as a contact point for government agencies seeking communications data  between 7am until 10pm seven days a week.

The Home Office declined to answer questions from Computer Weekly about its legal obligation to review the IPA.

Update:

Following publication of this story, Security Minister Tom Tugendhat told Parliament on 23 January 2020, that the Home Office had carried out and an internal review into the operation of the Investigatory Powers Act 2016 in 2022 to inform the Home Secretary’s Report as required by Section 260.

“This Report aims to assess, as far as possible, the extent to which the objectives of the Act continue to be met and whether any changes are required to ensure it remains fit for purpose,” he said in response to a Parliamentary question from Stuart McDonald, Scottish National Party MP.

A final copy of the report will be shared with the Investigatory Powers Commissioner and Intelligence and Security Committee ahead of publication, he said.

He told the Commons that Lord Anderson  KC would conduct a separate review into ‘aspects’ of the Act to inform any potential legislative change.

“Lord Anderson will carry out his own consultation with law enforcement, the intelligence agencies, and wider public authorities, as well as other external organisations and individuals with an interest in this work,” he said.

Read more on IT legislation and regulation