David Anderson is the Independent Reviewer of Terrorism Legislation in the United Kingdom.
He is the author of the Bulk Powers Review, which analyses the operational case of bulk collection of data, for cyber-defence, counter-terrorism, counter-espionage and organised crime.
He gives Valerie Gauriat his assessment of the Investigatory Powers Act.
It's only when you can put together a chain of communications that you can piece together a conspiracy
“Every power that the police and the intelligence services use or want to use in this country, is now set out very clearly in black and white.
That hasn’t been true before, it’s not true in most countries in the world But we now have a transparent law that the parliament was able to debate and make up it’s mind about.
And the second change is that the safeguards on the use of those powers have been improved, in particular by ensuring that no one’s communications are going to be read without the approval of a senior judge.
The other and more controversial thing that happened in the bill was the addition of one new power not previously used, under which broadband providers for example, can be asked to keep records of people’s internet browsing history for up to twelve months.
I wasn’t an architect of that particular plan. I found that the operational case for it had not been presented to me. But it was presented to Parliament. They took the view that this was something that the police needed. And so they passed that into law as well.
“Do you really believe this is something the police needs ?”
“Well I can see that they would find it useful because whereas in the past we used to speak to each other on the telephone, now we will very often communicate by internet based platforms. And it can be useful to know if two people were skyping each other at a particular time, even if you don’t want to know or don’t need to know the content of what they were actually saying.
The difficult balance I think for Parliament and for the courts, is whether that advantage to law enforcement is outweighed by the intrusion into privacy, that consists in our browsing habits being kept for a period of months.
In all our European countries, the resources we have to keep people under surveillance are extremely limited. In our country there are something like 3000 people who are suspected of involvement in terrorism. And I’ve heard similar figures for example in Germany. You’d need to have a real police State if you wanted to keep all those people under surveillance. And I think that would be extremely undesirable.
“It’s only when you can put together a chain of communications that you can piece together a conspiracy”
Of the British djihadis that we’ve had in the last 15 years, about 75 percent have been known to the police beforehand. But they may have been known to the police for some petty crime, possession of a firearm, maybe reading a magazine that didn’t look as though it was the sort of publication you’d really want people to be reading.
But none of these things are reason to put somebody under surveillance.
It’s only when you can put together their chain of communications that you can piece together a conspiracy.
And that’s why it’s useful, to have the telephone, the email records, even the people that you don’t suspect, at the time, you’ve no reason to look at them of course, until you’re investigating a serious crime.
But it may be that the investigation will show a link that you hadn’t expected, between the person that you know about, and the people that you don’t know about.
To me it’s all about the safeguards. It’s all about how you regulate access to this information.
And the Europeans court in Luxemburg seems to say that you must have prior independent authorisation before you can do that.
So it’s not good enough for the police to self authorise. They must have permission from a judge or from an independent administrative body. I have no difficulty with that.
We also have in this country a very developed system of review after the event.
So we have retired judges with large technical teams, who look at everything that happened, to see whether correct stages were followed and whether the agencies do their job properly. If they didn’t, if they misused information, there are criminal offences. They can even be sent to prison. So it’s a question of having enough safeguards to build up enough public confidence, without making the whole process so cumbersome, that it becomes difficult or impossible for the police to use to keep us all safe.
“The amount of data is so huge, is it realistic, is it feasible ?”
“Well it took me a while to understand this but the more hay you have in your haystack, the easier it becomes to find the needle.
Take the analogy of Google. In the early days of Google, not very much was on the internet. You searched for something that you wanted and maybe you’d find it maybe you wouldn’t.
Now, everything is on the internet. You formulate your search, and almost invariably you find what you want.
In the first page, very often, the very first answer. And that’s because there is more information, not because there is less. The more you have, the surer you can be, not only that you’ve found the person that you want, but also that somebody else, may not have been involved.
And one great value of keeping phone records is that if somebody is wrongly suspected of being involved in crime or terrorism, whatever it might be, you can go back to their phone records, discover that in fact they were not talking to that person, they were in a different place, they were talking to somebody else. That can help exonerate that person from suspicion.”
“In the meantime they will have been through a lot of trouble, I suppose ?”
“Yes, and it’s important that if people are wrongly accused or suspected they should be exonerated as soon as possible and access to their digital data can be a very good way of doing that.”
“How do you mean ?”
“Well if somebody is suspected of having been at a particular place, committing a particular crime, and the police look at that person’s phone records, and discover that in fact they were speaking on the land line in their home, or on their mobile phone in a particular place that was distant from the scene of the crime, the police can eliminate that person from their inquiries. So it’s not just for finding the guilty, it’s also for exonerating the innocent.”
“It’s a little ironic. That means that people would need to be spied upon to prove their innocence ?”
“Well I think most people would be quite pleased if they were trying to establish their innocence that there was proof available to enable that to be done.”
“You mentioned the EU ruling. Will it have impact on the IPA..Will it have to be amended ?”
“Well I think it’s likely that it will. And of course there is an issue how much longer we will be in the EU, but for the time being it is the law, and the law has to be obeyed. And the ruling really said two things. It said you needed more safeguards. We have good safeguards already but that will have to be reviewed. And it may well be that we need more.
The other thing the ruling says which I think is much more problematic, is that it is wrong in principle to retain universal data.
What the court says is that it’s ok to retain data on people who live in a particular locality, where crime is more common perhaps than it is in the rest of the country..That I think raises it’s own difficulties.
Because people don’t like to feel that they’re being profiled. Because of where they live.
So these issues I think will have to be worked out. Both by national governments across Europe. I think there are 12 governments that are supporting the UK and Sweden in this case. And also at the end of the day by the courts.
If there is ever any question of the content of anyone’s communications being read, then under the new UK law that will need the approval of a senior judge.
Unless it is so urgent, that there is no time to obtain prior approval, in which case it must be obtained within 48 hours.
Where you’re looking at the meta data, that is not going to be the case in every situation, it will depend.
If a local authority for example is looking for meta data, yes they do need the approval of a judge.
But if the police are looking for meta data, they have their own processes which are intended to ensure that somebody not connected with the investigation is able to give the authorisation. But whether that is independent enough to satisfy the European court, I don’t know. It may be that we will need to see change in that regard.”
“I was asked by Parliament to spend three months last year looking at the operational case for these powers. Were they really useful, or were there other ways of achieving the same results. And my conclusion based on about 60 detailed case studies were that these powers are really useful. For example in cyber defence, against hostile foreign powers. In hostage situations or missing persons investigations, and of course for the investigation of serious crime. Conspiracies, sexual exploitation and so on.
So they’re useful there’s no doubt about that at all. Whether they’re necessary, at the end of the day is a question for Parliament. Because they have to balance the extent to which these powers may intrude into the privacy of people’s data, against the undoubted benefits that they bring in keeping us all safe.”
“But there’s no actual evidence that is is a necessity ?”
“I’m not sure what more evidence you can have than the evidence that these powers are useful, and that alternatives could not achieve the same result. That is evidence which you’ll find in this report.
“It’s important to have strong safeguards”
Now if people can produce counter evidence that there are people whose lives have been ruined by the practice of bulk collection, that is obviously something you have to set against that evidence. I should say I have not seen evidence that people have had their lives ruined by the bulk collection of data.
I think it’s very important to have strong safeguards. And the EU court has shown us some examples of the safeguards that probably we should all have. Where I would find the ruling much more difficult, is if it is saying that it is wrong as a matter of principle, to retain the sort of data that let’s face it, your telephone provider will retain on you anyway, for it’s own purposes because it’s very valuable data to them. Google will retain on you, Amazon will retain on you. They retain those data so they can sell you stuff. Why shouldn’t the government have access to that data, for the purposes of keeping you safe?”