Thursday, 11 February 2016

Scrutinizing the draft Investigatory Powers Bill

The point about pre-legislative scrutiny is that a parliamentary bill gets a good prod before it begins its usual passage through Parliament. The main issues are identified, and stakeholders can marshal their views in an attempt to influence the decision-makers in good time for changes to be made that ought to result in a statute that is far fitter for purpose.

Three Parliamentary Committees have recently reported on the Draft Investigatory Powers Bill. The measure, complete with a guide to its powers and safeguards, was published as a 296-page document on 4 November. It is not an easy read, even for the surveillance specialists.

Given that a number of stakeholders submitted the same comments to (at least two of) the Committees, it’s not surprising that they all independently reached (broadly) similar conclusions. What is surprising, however, is the tone of the reports. Each gave the Home Office a good kicking. And the Committee comprising the most experienced politicians gave the Home Office the hardest kicking.

First up was the Science and Technology Committee. The committee of 11 MPs had received 50 written submissions, held 2 public hearings during which witnesses gave evidence, and published a 38-page report making 14 recommendations on 30th January.

The STC noted that "Previous attempts to legislate in this area have met with criticisms over the lack of consultation with communications service providers (CSPs) on matters of technical feasibility and cost.” …. Following the failure of previous attempts to introduce data legislation, the Government has made efforts to consult and engage with communications service providers likely to be most affected by the draft Bill. However, there remain widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft Bill. This has given rise to uncertainties over the likely scope and costs associated with implementing the proposed measures.

The nature of ICRs and the true extent of the Bill’s ‘removal of electronic protection’ and ‘equipment interference’ powers are precisely the subject of uncertainty and concern from business due to lack of clarity in the Bill and in the consultation so far. It is clear that greater reassurance is needed—both on the face of the Bill and in forthcoming Codes of Practice—that businesses will not be subject to disproportionate additional burdens that will not be fully paid for.

If law enforcement agencies and the intelligence and security services are effectively to combat terrorism and serious crime, they must have the means to keep pace with developments in communications. They will doubtless need to continue to deploy a range of methods for intercepting and acquiring information about communications. The evidence we have received suggests there are still many unanswered questions about how this legislation will work in the fast moving world of technological innovation."

Next to report was the Intelligence & Security Committee, a group of very senior politicians. The committee comprising 2 peers and 7 MPs held no public hearings, but instead heard evidence in private from the Home Secretary, Home Office officials and the heads of the intelligence agencies. A 13-page report, making some 23 recommendations, was published on 9th February.

The ISC pulled few punches. "The Investigatory Powers Bill is the first major piece of legislation governing the Agencies’ powers in over 15 years. While the issues under consideration are undoubtedly complex, we are nevertheless concerned that thus far the Government has missed the opportunity to provide the clarity and assurance which is badly needed. That the confusion surrounding the existing legislation fuelled many of the allegations and suspicions concerning the Agencies’ investigatory powers over the past few years clearly demonstrates the importance of transparency in this area.
Overall, the privacy protections are inconsistent and in our view need strengthening. We recommend that an additional Part be included in the new legislation to provide universal privacy protections, not just those that apply to sensitive professions.
The provisions in relation to three of the key Agency capabilities – Equipment Interference, Bulk Personal Datasets and Communications Data – are too broad and lack sufficient clarity.
We fail to see how Parliament is expected to approve any legislation when a key component, on which much of it rests, has not been agreed, let alone scrutinised by an independent body. 

The approach towards the examination of Communications Data in the draft Bill is inconsistent and largely incomprehensible. The Committee recommends that the same process for authorising the examination of any Communications Data (including Related Communications Data) is applied, irrespective of how the Agencies have acquired the data in the first instance. This must be clearly set out on the face of the Bill: it is not sufficient to rely on internal policies or Codes of Practice.
The issues we have highlighted in this Report must be addressed before any subsequent Bill is laid before the House and we would urge the Government to ensure that it takes sufficient time and care in so doing. While we recognise the timing constraints imposed by the ‘sunset clause’ in the Data Retention and Investigatory Powers Act 2014, it appears that the draft Bill has perhaps suffered from a lack of sufficient time and preparation and it is important that this lesson is learned prior to introduction of the new legislation."
Finally, it was the turn of the Joint Committee on the draft Bill. This committee, comprising 7 peers and 7 MPs, had received 148 written submissions, running to over 1500 pages of evidence, heard from 59 people in 22 public panels during which witnesses gave evidence, and published a mighty 198-page report making 86 recommendations on 11th February. As a specialist adviser to this Committee, I was one of the lucky few who spent their Xmas holidays reading over half a million words of evidence.

Here, the criticism is more measured, although the message is the same:

"Resolving the tension between privacy and effective law enforcement in this area is no easy task. The Home Office has now come forward with a draft Bill which seeks to consolidate in a clear and transparent way the law enabling all intrusive capabilities. The Committee, together with the many witnesses who gave evidence to us, was unanimous on the desirability of having a new Bill.
The major change which would be brought about by the draft Bill is the creation of a new judicial oversight body and the much greater involvement of judges in the authorisation of warrants allowing for intrusive activities. As well as being important in in its own terms, making this change will reduce the risk that the UK’s surveillance regime is found not to comply with EU law or the European Convention on Human Rights.
A proposal which has attracted much attention from our witnesses is that of the creation of an obligation on communications service providers to collect and retain users’ internet connection records (ICRs). We heard a good case from law enforcement and others about the desirability of having such a scheme. We are satisfied that the potential value of ICRs could outweigh the intrusiveness involved in collecting and using them. But we also heard strong concerns, in particular from some of the providers themselves, about the lack of clarity over what form the ICRs would take and about the cost and feasibility of creating and storing them. The Home Office has further work to do before Parliament can be confident that the scheme has been adequately thought through.
Other concerns were over the provisions in the Bill for bulk powers to intercept, to acquire communications data and to interfere with equipment. These powers are not new, but have been avowed for the first time in legislation. The public debate over these powers is a healthy one, and the Home Office should ensure that it and the security and intelligence agencies are willing to make their case strongly in the months ahead.
Much of the important detail about the way the new legislation will work is to be contained in a set of Codes of Practice. We call on the Government to ensure that these Codes are published alongside the Bill to inform the further scrutiny which the Bill will receive from the two Houses. In our view, the Bill would also benefit from a post- legislative review by Parliament five years after its enactment. We call for provisions for such a review to be included in the Bill."
The Joint Committee’s recommendations for improving the draft Bill were all designed to ensure that the powers are workable, can be clearly understood by those affected by them and have proper safeguards. Most significantly:
On encryption: "The Home Secretary assured the Committee that its approach to encryption is not designed to compromise security or require the creation of ‘backdoors’. The Committee welcomed this clarification, but was concerned that this needs to be made clear the drafting of the legislation."
On bulk powers: The Committee recommends that if bulk powers are to be included in the Bill, a fuller justification for each should also be published alongside the Bill. It recognises that the Intelligence and Security Committee has recently published its report, which the Committee believes will be of significant value to the two Houses when the Bill is introduced and scrutinised.”
And, on Internet Connection Records (ICRs): "The Committee can see the desirability of ICRs, but has not been persuaded that enough work has been done to conclusively prove the case for them. The Committee would like to see the Government work harder with industry in order to provide more robust information."
So, where do we go from here?

Pre-legislative scrutiny is, after all, just the end of the beginning.

In parliamentary terms, the Government’s business managers have already decided how much parliamentary time can be made available for Home Office-sponsored legislation before the end of the year – when the sunset clause for the records retention provisions in the Data Retention and Investigatory Powers Act 2014 takes effect.

Should Parliament concentrate on passing a Bill that is narrower in scope this year, say one that just addresses the data retention and oversight provisions? Is there really sufficient time to consider other elements – such as overhauling the bulk data and equipment interference provisions in 2016? A second Bill, containing the remaining provisions, could always be considered in 2017.

The Parliamentary calendar will be constrained this year as much business will cease during the EU referendum campaign, the dates of which have not yet been set. 

Looking at the 2016 Parliamentary holidays for the House of Commons (the House of Lords will set slightly different dates), the February recess is from today (11 February) until 22 February. The Easter recess is set from 24 March to 11 April. The Summer recess will be from late July to early September, the Conference recess will be from mid September to mid October, there will be a week’s break in mid November and then the Christmas recess will commence in mid December. That doesn’t leave a lot of time for legislating.

So, a new bill needs to be ready and tabled within weeks. And, if it is to get through both Houses of Parliament unscathed, it really does needs to take full account of each of the 123 recommendations that have been made by the scrutiny Committees.

There will be no rest for the Home Secretary, her officials and the Parliamentary draftsmen for the foreseeable future.