On November 29, Royal Assent was given to the UK Investigatory Powers Act, after eight months of intensive Parliamentary scrutiny, with hundreds of amendments made, following lengthy pre-legislative debate in three Parliamentary Committees. The Act draws on the input from three separate, independent inquiries that were set up after a failed earlier attempt to legislate. In all, it is one of the most examined pieces of legislation in the modern age. Why was this law regarded as so essential by the government and its secret intelligence and law enforcement chiefs?
What the new law actually does—in over 300 pages—is, for the first time, place all the digital intelligence gathering activities of the authorities fully under the rule of law, replacing the previous hodge-podge of separate legislative provisions under which the Government Communications Headquarters (GCHQ)—the UK’s digital intelligence and cyber security agency—and the other intelligence and law enforcement bodies were able to access and acquire communications and other digital information on suspects.
The Act adds significant new safeguards for privacy, and checks and balances to make impossible any misuse of these powerful digital techniques to spy on the general public, in response to the fear of so-called “mass surveillance” that was a major concern of the Act’s critics in the UK parliament.
The scale of the change for the intelligence agencies should not be underestimated. The rule of law means transparency about what the law authorizes and under what conditions. The UK government had to admit doing—and then place restrictions on—activities such as “equipment interference,” or hacking into devices used by their targets, and data mining bulk personal databases that include passports and advance passenger travel information to obtain intelligence on their targets.
The rule of law for the UK also means complying at all times with national, European and international human rights law, in particular Article 8 privacy rights, a question of lawfulness that will, under the new Act, be reviewed by senior judges as part of the prior authorization process as well as overseen by a senior Judicial Commissioner, supported by a team of expert Inspectors. It will be required of GCHQ, for example, that the algorithms and selectors they apply to their bulk access to data streams, such as bearers on international cables, are sufficiently discriminating that what the human analyst gets to see is only “necessary and proportionate” to their authorized mission—key conditions laid down in the new Act.
Most of the Act is thus adding tighter regulation of authorization procedures and stricter oversight of digital techniques already in use. There is only one new power in the Act, extending to Internet communication service providers a power that has long existed to compel telecommunications companies to keep communications metadata—the who called whom, when, from where and how, of the telephone bill. Thus the intention in the Act is that the companies will keep for 12 months the Internet Connection Records of their customers, recording which servers were contacted, when and how—but not the individual web pages accessed. The data can then be used to try to illuminate necessary queries on legitimate cases that are proportionate in their scope in relation to the privacy of the general public.
Who will be the targets of such digital intelligence? The list of those who pose serious harm to society is a long one including dictators, terrorists, cyber criminals, narcotics traffickers, arms proliferators, pirates, people traffickers and other serious criminal groups such as child abuse networks. What they have in common is that as individuals, they are liable to leave digital traces in everyday life when communicating, traveling, crossing borders, using the web, staying in hotels, buying goods and making financial transfers. What the intelligence analysts want to know about their targets is therefore their identities—especially given that terrorists and criminals operate under multiple identities using false documents—their locations and movements, associates, capabilities, financing, and of course, intentions.
It is a global coincidence that just when these threats intensified—including by non-state actors sometimes acting as proxies for hostile states—the Internet and the World Wide Web grew exponentially, as did the use of mobile devices, along with the digitization, by states, of government records such as passports and driving licenses. This all provided digital means for acquiring key intelligence.
The demands today—for example, to counter terrorism and to protect armed forces engaged in operations—require a rapid provision of actionable intelligence, only possible with the speed that digitization makes possible. Data volumes are huge, and that means to uncover the full extent of a threat requires the discovery of an initial “seed” from which an investigation can grow. The exploitation of bulk digital data for that purpose—especially patterns and associations of communications data—has become an indispensable tool for law enforcement and the intelligence agencies.
Often, it is the use of such data that enables suspects to be eliminated from enquiries. For example, a murder committed at point A, with the body known to be dumped at point B, could lead to a request for details of mobile phones active at both locations in the relevant time frames, leading quickly to a small number of suspects for deeper investigation—more complex examples abound after terrorist attacks.
We live in a digital age, and use of digital intelligence gathering has been shown time and again materially to assist in combatting crime, cyber attacks and terrorism. Much of the recent success of British police and intelligence work in frustrating at least ten attempts by jihadist terrorists to attack the UK itself in the last 2 years is due to the organization of how this information is gathered—overseas as well as domestically—and exploited jointly. Many observers have pointed to the relative absence of these kinds of digital intelligence capabilities in relation to the terrorist attacks that have blighted continental Europe.
These capabilities are powerful; therefore, they need to be governed in the interests of the public by legislation such as the new UK Investigatory Powers Act—a model for the rest of Europe. Of course, the new Act brings judicial oversight, greater transparency and scrutiny, and bureaucratic cost to the intelligence world. But it is a price well worth paying to have their work soundly resting on a social compact between the public and their democratic representatives on the one hand and government and their intelligence and law enforcement agencies on the other, giving them a new democratic license to keep us safe in the digital world.