Access contributes to independent review of UK surveillance abuses

By Peter Micek and Ellen Lightfoot

Download our submission to the Independent Reviewer here.

In July, the UK Parliament took the unexpected step of ordering an open review of its surveillance legislation. The move stands in contrast to the government’s steady drumbeat toward more digital spying.

Parliament charged the Independent Reviewer of Terrorism Legislation, David Anderson QC (Queen’s Counsel), with the mandate of evaluating the UK’s policies on data interception and retention, especially the Regulation of Investigatory Powers Act (RIPA) of 2000.

As we have noted time and again, the UK has failed to protect its citizens’ fundamental rights to privacy and secure communications, and it has even contributed to the direct infringement of those rights — a point underscored this week by yet another UN report finding that mass surveillance violates international law. In the report, Special Rapporteur for Counter-terrorism Ben Emmerson finds that, in the UK, “a wide range of public bodies have access to communications data, for a wide variety of purposes, often without judicial authorization or meaningful independent oversight.” At the same time, the government has turned a blind eye to violations of the rights of users abroad (see the TEMPORA program), whose communications transit its ports and fiber optic cables.

Back to the Independent Review. We took this opportunity to add our own critiques and to suggest reforms that would increase transparency of UK government surveillance, overcome Parliament’s stubborn support for data retention laws, and raise vigilance on cryptography standards.

Critiques and reforms: transparency, data retention, & encryption

First, we exhorted the UK to increase transparency on surveillance. Even compared to the U.S. — hardly a bastion of openness on national security — the UK falls short. Earlier this year, the U.S. government reached a settlement with major internet platforms allowing them to release aggregate data on certain national security requests. Companies have upheld their end of the bargain, as more and more firms report national security requests for the first time. While the settlement’s strict guidelines leave much unanswered — the U.S. government imposed a delay and limits on acknowledging Foreign Intelligence Surveillance Court (FISC) orders, and Twitter has taken the fight back into court — this is still more than UK companies are allowed to disclose. To begin the long journey toward sunshine in UK surveillance laws, we argue telecom providers should be allowed to acknowledge national security requests for user data and lawful intercepts, and the Interception of Communication Commissioner’s Office should release more granular reporting on interception warrants and surveillance of foreigners.

Continuing the transparency point, we submitted evidence on why the UK should institute a more adversarial and open system in its surveillance court, the Investigatory Powers Tribunal (IPT). Though the UK does allow police to execute self-authorizing warrants, foregoing judicial process, the IPT hears complaints on abuses of RIPA and similar laws. However, the court publishes few opinions, like the secretive U.S. FISA Court, and inconsistently allows lawyers to defend victims of overbearing government surveillance.

Mandatory data retention laws, like the UK’s new Data Retention and Investigatory Powers Act (DRIP), turn all citizens into suspects. Even the U.S. intelligence authorities have turned their backs on data retention, at least publicly: the NSA terminated its email metadata program in 2011, and recently both the Attorney General and the Director of National Intelligence conceded that the intelligence community does not need a data retention mandate. Likewise, FISA Court Judge Walton found that extending the time limit on data retention under Section 215 of the USA Patriot Act “would further infringe on the privacy interests of United States persons.” Citing the International Principles on the Application of Human Rights to Communications Surveillance, Access demands that Parliament repeal DRIP.

Finally, we drew attention to data security practices. In Sept. 2013, the Guardian (in conjunction with The New York Times and ProPublica), released the details of an extensive partnership between the NSA and GCHQ aimed at gaining covert control over international and domestic encryption systems. Weakened encryption standards make data more easily exploited by everyone – including malicious actors outside of intelligence agencies. Access warned the Independent Reviewer against letting “lock-breakers” like GCHQ control cryptographic standards or fill “lock-making” roles. Specifically, a civilian agency could be created and entrusted with creation and maintenance of crypto standards, independently of any agency with intelligence-gathering responsibilities. The independent agency should receive its own adequate funding and resources, and be empowered with sufficient technical expertise to allow it to operate on its own discretion.

Access offered this advice after learning hard lessons in the U.S., where the NSA is entrusted with lock-breaking responsibilities (signals intelligence gathering) as well as lock-breaking, or “information assurance” roles. The NSA’s cross-purposes resulted in weakened encryption standards, putting all users at risk.

Much work to be done

Based on evidence submitted, the Independent Reviewer will put a report on the Prime Minister’s desk, before the next election (likely in 2015), who will then pass it to Parliament. Access and our partners urge the Reviewer to take into account all aspects of the UK’s secretive surveillance practices, from collection and retention to cryptography and transparency. The report must mince no words on the need for comprehensive reforms of UK law under international law and norms on communications surveillance.