Needle, Haystack, Magnet
Francis FitzGibbon
In 1765 Lord Camden, the chief justice of England, held that the King’s Messengers – the Special Branch of the day – had to pay damages for trespassing on the premises of a newspaper publisher. They were looking for copies of his newspaper, which the government regarded as seditious – or as we might say now, a threat to national security. They were acting on the orders of a government minister, but his orders didn't have the force of law and couldn't trump the publisher’s property rights – in effect, his right to privacy. ‘By the laws of England,' Lord Camden said, ‘every invasion of private property, be it ever so minute, is a trespass.’ The case, Entick v. Carrington, established that ministers must not issue general warrants and their agents must not enter private property without a lawful warrant.
The Data Retention and Investigatory Powers Act (DRIP) became law last week after just three days of parliamentary debate. When David Cameron said of the bill, ‘I want to be very clear: we are not introducing new powers or capabilities,’ he was clear, but he wasn’t accurate. DRIP does two big new things: first, clauses 4 and 5 greatly extend the government’s powers, by enabling it to issue demands to foreign as well as British companies for information about their customers’ telephone, email and internet usage. The government will have lawful access to vastly more electronic traffic than it does at present. The act legalises bulk monitoring of the internet. Edward Snowden has reminded us that the UK authorities have been accessing communications data for years, at the outer edge of what the law permits, with minimal regulation. The service providers have understandably become nervous about whether the law allows them to hand over private information, as they have been doing. They may have pressed for clarity to protect themselves against loss of reputation and claims for breach of privacy. They will now have no choice but to comply with a DRIP warrant or face criminal and civil sanctions. Life has got easier for them.
The other new thing in DRIP is its definition of a telecommunication service: ‘any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system’. Normally, statutory definitions define things. What this one means is anybody’s guess: probably something like ‘absolutely anything to do with any form of online or telephone system’.
On 8 April the EU Court of Justice gave a judgment which held that the existing EU directive governing mass data retention was unlawful because it breached privacy rights and was out of proportion to the harm it was meant to counter. The EU Court’s rulings are binding on member states. The old domestic regulations which converted the directive into UK law lost their legal force when the directive was struck down, and needed to be rewritten in line with the court’s judgment. In summary, the court held that, for its retention to be justified, data had to relate to a threat to public security, and should only be held for as long as was necessary, and with independent oversight; its use should be limited to investigating serious crime, and only those who strictly needed it should be able to access it; the data should be kept within the EU and should be destroyed when no longer needed. In other words, the authorities needed to identify a threat before gathering information, and act proportionately and in conformity with citizens’ rights to privacy of communications.
Why the rush to pass the bill now, when draft legislation could have been introduced and debated months ago? The government didn't think responding to the EU Court was an emergency, on the basis that the old regulations gave sufficient cover. Opinions differ as to whether the new regulations issued under clauses 1 and 2 of the bill succeed in meeting the demands of the court’s ruling – in my view, they sell it short. Normally, differing opinions would inform public and parliamentary debate, but now they will not. Whatever their merits as regards data retention, the new regulations don’t limit the authorities’ additional surveillance powers provided for in clauses 4 and 5.
Instead of the usual procedures, we have emergency legislation, for undisclosed reasons. If replacing the old regulations wasn't an urgent matter, the need for the new powers must be. A few important people have been briefed on Privy Council terms – about we know not what. A plausible explanation is that the authorities received a credible threat to national security that was immediate enough to call for the instant enactment of the bill, with next to no debate. We have to take it on trust. Referring to events in Syria and Iraq, Cameron said: ‘Now is not the time to be scaling back our ability to keep our people safe.’ Is there any time when government should do this? The ‘sunset’ clause, which terminates the measures in December 2016, should give little comfort, because two years and five months of almost limitless surveillance is a long time, and nothing prevents a future government from simply re-enacting the provisions later. Emergency and temporary national security laws are known for their longevity: the disastrous Prevention of Terrorism (Temporary Provisions) Act 1974 stayed in force till 1989.
One way to get a needle out of a haystack is by using a powerful magnet. We are assured that the security services’ algorithms and pattern-recognition techniques work like a magnet on the needles hidden in internet and phone traffic, and involve no real or unjustified intrusion on our privacy. Before Snowden, that may have been credible. It may still be true. The problem may lie not in the capacity to monitor, but in the failure by states to scrutinise the monitoring within a proper legal framework. A rushed bill, with enhanced surveillance powers, a definition that defines nothing, and a vague sense of threat hanging over it, gives little reassurance that abuses will not occur, but rather gives the impression that the King’s Messengers are back in business.
Comments
"the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system"
In other words, telecommunication services (those services which provide access to a telecommunication system) are taken to include anything you can use to create, manage or store anything which can be transmitted over a telecommunication system. Which basically includes any 'service' using a computer, or pen and paper (paper can be scanned), or the human voice. (Recording studios probably aren't covered, as long as they restrict themselves entirely to instrumental music.)
The Prevention of Terrorism (Temporary Powers) Act was passed in 1974, not 1973. It was renewed in 1975, then annually until 1988, with revisions in 1976 and 1984. However, in 1989 the Prevention of Terrorism Act was passed, representing a consolidated version of the Act and its cumulative revisions, and that in turn was renewed every year until 1998. So in effect the 'temporary' 1974 legislation - rushed through the Commons in five days in the wake of the Birmingham pub bombs - stayed on the books until 2000. And at that point (two years after the IRA ceasefire and a year before 9/11) it was replaced by the bigger, better and entirely permanent Terrorism Act 2000.