Fantastic Powers, and Where to Find Them: The Investigatory Powers Act 2016

06 December 2016

By Paul Scholey, Head of Employment Rights Team, Morrish Solicitors

We’ve not had a lot of success, historically, with our Snooping Powers in the UK.

The Regulation of Investigatory Powers Act 2000 was a dog’s dinner of a statute, described by Justice thus: “Poorly drafted and hopelessly opaque, it was not so much a comprehensive framework for surveillance powers as a crude stitching-together of different regulatory regimes that were each highly complex in their own right and, taken together, lacked all coherence.”

A 2014 piece of successor legislation was declared unlawful by the High Court within a year. A host of other legislation such as the problematically-titled Protection of Freedoms Act 2012 (Homeland Security, anyone – is it only me who is triggered by this sort of nonsense?) litters the statute book and the website of the Information Commissioner’s Office’s must offer a 20-page booklet with a colour-coded chart to help the public navigate the minefield that is our surveillance framework.

So now we have IPA 2016. A draconian Snoopers’ Charter? Certainly, by any fair-minded assessment. David Davies MP said this about it: “In every other country in the world, post-Snowden, people are holding their government’s feet to the fire … but in Britain we idly let it happen.” Edward Snowden: “It is the most intrusive and least accountable surveillance regime in the West.”

What does the new Act say?

First off, it’s a whopper: 263 pages long, with 234 sections and 8 Schedules. Refreshingly, a lot of law is set out in these sections – since the modern approach is often to eschew Parliamentary scrutiny by “enabling” legislation that leaves all the detail to be sorted out later, by secondary Regulations (not that there isn’t some of that in IPA ’16, too).

It requires internet and communications companies to keep customers’ browser histories (Internet Connection Records, in newspeak) for up to a year. Warrants are required for this data to be accessed. Exactly what you do and read on a website won’t be stored – but the “metadata” that will be retained might tell the authorities that you accessed a site with sexual content, or information about STDs, or drugs, or advice about LGBTQ issues, or domestic violence, or child abuse.

It enables GCHQ and MI5 to collect bulk communications data and to hack computers, mobile devices and networks. This practice is known as “equipment interference”. It’s hacking, though, that is clear.

It gives ministers the power to sign off warrants for intrusive surveillance. This might mean bugging your house, or your car.

There are some safeguards. As a solicitor I thought I’d better have a look at Section 25 of the Act, which concerns legal professional privilege. It ought not to be controversial to say that it’s a fundamental right to talk to your lawyer confidentially. Might discussions between lawyer and client be intercepted under IPA? Yes. But only if “exceptional and compelling circumstances” make it “necessary”. I’m not much relieved, to be honest.

We will have An Investigatory Powers Commissioner and judicial commissioners (JCs) – appointed by the prime minister. The Commissioner will publish an annual report, so that’s alright – thank goodness for annual reports.

JCs will be able to veto a ministerial warrant, in certain circumstances. But in “urgent” cases the minister gets to do what the minister gets to do, and the JC’s assessment will be up to three days after the fact.

So lots and lots of extra information will be made available to the powers that be.

What use will this mountain of data be? Some commentators suggest that the authorities will be overloaded with data. I suspect they already are. In 2014, there were 517,236 authorisations given, pursuant to requests for communications data from the police or other public authorities. We don’t know how much data is generated by GCHQ or MI5, because they don’t have to tell us, but even if it’s only the same amount again, that’s over a million instances, in a year. How many people sift this stuff? Is the new generation of “Artificially Intelligent” business process software going to be brought to bear to crunch the numbers? Are we susceptible to arrest because Deep Blue has a hunch?

But it’s alright, say our politicians because if you’ve nothing to hide, you’ve nothing to be worried about. Which is obviously true. Said no one, ever, who has had dealings with the authorities that can and do get it wrong – and not always by mistake. The family of Stephen Lawrence are the first victims that spring to mind.

It is said that the Act will be subject to an extensive regime of “testing” before it is unleashed in all its shiny intrusiveness. I don’t buy it. It’s hard enough to get a government to listen to a few expert views in a consultation about proposed legislation; is it really suggested that the new powers available to the state might be toned down because of a few tests?

The state will always want to increase control over the people. Fear is a terrific weapon for the authorities. You might even think that, if people were worried about the existential threats to our civilisation that we are daily told assail us, we’d be daft enough to let the state encroach hugely upon all the very freedoms that constitute that civilisation. Surely not?

Click here for information on how to remain anonymous online