The British House of Lords reconvenes on September 5, when it will resume consideration of the Investigatory Powers Bill (IP Bill). So far, the British government has failed to adequately address the many troubling aspects of this legislation. If this trend continues, the legislation will pass and confer vast surveillance authorities on British intelligence and law enforcement entities, with weak oversight over the use of those powers. While this might on its surface appear to be a boon to intelligence and law enforcement surveillance, it may turn out to be a bust because it would undermine the United Kingdom’s efforts to strike a data sharing agreement with the United States.
The Investigatory Powers Bill codifies the British government’s secret surveillance powers. Broadly, these include the interception of communications, the acquisition of communications data (metadata), and equipment interference (government hacking). After introducing the draft Bill in November 2015, the British government received a flood of evidence (public comments) and amendment suggestions from civil liberties groups, businesses, and technologists. The evidence drew attention to the many ways in which the powers described threaten privacy and other fundamental rights. Problematic aspects of the bill include bulk surveillance and equipment interference powers, the ability to demand that providers create backdoors for law enforcement access to communications that would otherwise be encrypted end-to-end, and a lack of judicial authorization for intercept orders.
Though notified of the need for amendments by four Parliamentary committees, the government chose not to amend the Bill in any significant way before the House of Commons approved it. One of the most egregious parts that remain is the weak “judicial review” standard that only allows a judge to determine whether the proper procedures were followed, not whether the Home Secretary’s determination to authorize surveillance was correct. Also, it requires Judicial Commissioners to “have regard to” less intrusive options, public interest in the integrity of telecommunications systems, and privacy rights generally. This weak language is not a substitute for a strong evidentiary standard and a searching judicial inquiry into whether the facts show the standard was met.
These weak surveillance standards threaten not only civil liberties, but also the UK’s efforts to get access to data under any standard.
The legislation raises other concerns. It fails to require even delayed notice to surveillance targets, authorizes “thematic warrants” for surveillance of groups of people who “may carry on a particular activity,” and authorizes extraterritorial warrants that can put communications service providers in the difficult position of deciding whether to make a mandatory disclosure under UK law that would be unlawful under the local law governing their services.
These weak surveillance standards threaten not only civil liberties, but also the UK’s efforts to get access to data under any standard. The UK lacks jurisdiction over much of the data that it needs for its criminal investigations. US internet service providers, like Google and Facebook, hold much of that data in the US where US law applies. Currently, when a British investigator needs access to this communications content to investigate a crime, the investigator must make a request of the US government under the mutual legal assistance treaty between the US and the UK. This triggers a lengthy process, in which the US Department of Justice acts as an intermediary and obtains on behalf of the British authority a search warrant from a US court. Given the increasing importance of this information, the British Government wishes to serve its surveillance demands for communications content directly on US companies, after obtaining a warrant in the UK, under UK law. Because the proposed procedure would bypass the relatively stringent US warrant process, which requires a showing of probable cause, the standards and procedures set for warrant authorization in the IP Bill matter greatly.
Recently, the US Department of Justice proposed legislation that would clear the way for a bilateral agreement between the US and the UK, which would permit US providers to respond to intercept orders issued by the Secretary of State for the Home Department. It would create a limited exception to the provision of the US Electronic Communications Privacy Act (ECPA) that bars communications service providers from disclosing their users’ content to governmental entities outside the US. Unless the US Congress approves such legislation, the proposed agreement will not have effect in the US.
It would be surprising if the US House approved a lower standard for foreign governments to obtain access to the same information.
Weak surveillance standards in the UK can threaten that US legislation: privacy groups, joined by US companies that value the privacy of their customers, will work to build into the US legislation privacy protections that make up for the privacy shortfalls of British law and the laws of other countries with which the US is likely to seek agreements. It is particularly important to ensure that US law continues to prohibit US providers from disclosing their users’ communications content to the UK and other governments in the absence of an authorization from a judicial or other independent entity. Such authorization should be issued only after that entity has determined that the facts show a strong likelihood of criminality and a strong likelihood that the information sought will help establish criminal responsibility.
There is robust support in the US for a strong warrant requirement and independent judicial authorization. In April, the US House of Representatives passed, on a vote of 419-0, a bill that would require a judicial warrant based on a finding of probable cause for disclosure of communications content to any federal, state, or local law enforcement entity in the US. It would be surprising if the House approved a lower standard for foreign governments to obtain access to the same information, even if Americans are not the targets of the surveillance demands.
The US Congress will look skeptically at proposals to give the British Government access to user communications content more easily, without strong standards in place. Given the importance of the agreement to the investigation of crime in the UK, the British Government would do well to make the IP Bill’s safeguards more rigorous than the judicial review and “have regard to” standards. Strong surveillance standards are the key to access to the communications content that British law enforcement authorities need to investigate and prevent crimes in the UK.
In its current form, the Investigatory Powers Bill undermines both public safety and privacy rights. There is still time for the British government to amend the IP Bill to impose the strong standards need to advance both public safety and privacy.