Surveillance legislation needs verification, says Anderson report

The government, TechUK and Big Brother Watch welcome the Anderson report on surveillance legislation – but the civil liberties group calls for wider debate

An independent report says any legislation that seeks to increase the surveillance powers of the police and intelligence services must include verification, clear limits and safeguards.

Announcing the proposed Investigatory Powers Bill in the Queen’s Speech, the government promised legislation to respond to issues in the Investigatory Powers Review by David Anderson QC, published today by prime minister David Cameron.

The government, IT industry trade body TechUK and civil liberties group Big Brother Watch welcomed the report – although the latter called for wider debate. 

The government said it will aim legislation at modernising the law on communications data, but – like the shelved Communications Data Bill critics dubbed the “the snoopers’ charter" – it will be designed to give police and intelligence agencies more power to monitor online communications. 

Anderson said that, while modern communications networks can be used by the unscrupulous – for purposes ranging from cyber attack, terrorism and espionage to fraud, kidnap and child sexual exploitation – a successful response to these threats depends on entrusting public bodies with the powers they need to identify and follow suspects in a borderless online world.

“But trust requires verification. Each intrusive power must be shown to be necessary, clearly spelled out in law, limited in accordance with international human rights standards and subject to demanding and visible safeguards,” said Anderson.

“The current law is fragmented, obscure, under constant challenge and variable in the protections that it affords the innocent. It is time for a clean slate. This report aims to help Parliament achieve a world-class framework for the regulation of these strong and vital powers.”

Collating evidence and opinion

A small independent team under Anderson’s leadership conducted the review, for which it received almost 70 written submissions. The team took further evidence from public authorities and a wide range of organisations and individuals in the UK, Europe, US and Canada.

The report summarises the importance of privacy, the threat picture, the relevant technology, external legal constraints, existing law and practice and comparisons with other types of surveillance in other countries, and private sector activity. 

Read more about the draft Communications Data Bill

The report summarises the views submitted by law enforcement, intelligence, service providers and civil society.

The report sets out five underlying principles and 124 separate recommendations. Anderson said these form the blueprint for legislation to replace the Regulation of Investigatory Powers Act 2000 (RIPA) and the dozens of other statutes authorising the collection of communications data.

Key recommendations include maintaining existing capabilities relating to compulsory data retention subject to legal constraints; retaining bulk collection capabilities subject to legal constraints and additional safeguards; the introduction of judicial authorisation for all warrants for interception; and improved supervision of the use of communications data.

Anderson's report recommends maintaining the extraterritorial effect in the Data Retention and Investigatory Powers Act (Dripa) 2014, pending a longer-term solution which should include measures to improve the co-operation of overseas (especially US) service providers and developing an international framework for data-sharing among like-minded democratic nations.

Encryption: Balancing security and privacy in the digital world

On the topic of encryption, Anderson called for clarification to counter media speculation on the issue. He noted that the position communicated by the security and intelligence agencies is that they are not seeking legislation to give themselves “a permanent trump card”.

“Neither they nor anyone else has made a case for encryption to be placed under effective government control, as in practice it was before the advent of public key encryption in the 1990s. But the agencies do look for co-operation – enforced by law if needed – from companies abroad as well as in the UK, which are able to provide readable interception product,” he said.

The report recommends that, in the digital world as in the real world, “no-go areas” for intelligence and law enforcement should be minimised.

“Few now contend for a master key to all communications held by the state, for a requirement to hold data locally in unencrypted form or for a guaranteed facility to insert back doors into any telecommunications system," it said. 

“Such tools threaten the integrity of our communications and of the internet itself. Far preferable, on any view, is a law-based system in which encryption keys are handed over, by service providers or by the users themselves, only after properly authorised requests.”

Responding to the report in Parliament, home secretary Theresa May said the report highlights a range of threats against the UK and its interests, from terrorism – both at home and overseas – to criminal cyber attacks.

Road plan for UK legislation

“Many groups, not just the government, have a role to play in ensuring the right capabilities are in place to tackle those threats. We will continue to work closely with all partners – including the intelligence agencies, law enforcement and industry – to take all these issues forward and continue to keep us safe from those that would do us harm,” May said.

The home secretary said that, as the report made clear, it is imperative that sensitive powers are overseen and fully declared under arrangements set by parliament. “It is therefore entirely right that parliament should have the opportunity to debate those arrangements in full,” she said.

“The Anderson review was undertaken with cross-party support and I believe it provides a sound basis to take this issue forward in the same manner.”

The home secretary said the government will publish a draft bill in Autumn 2105 for pre-legislative scrutiny by a joint committee of parliament, with the intention of introducing a bill early in 2016.

“Given the sunset clause in the Data Retention and Investigatory Powers Act 2014, the legislation will need to be in place by the end of December 2016,” she said.

Data retention and independent authority

IT industry trade body TechUK said the Anderson report provided a positive and constructive basis for the development of the Investigatory Powers Bill.

“Anderson’s findings support our position that we need new legislation to strengthen the legal framework and ensure proper democratic oversight. This is a unique opportunity to get the legal framework right for UK citizens, technology companies and UK national security,” said Antony Walker, deputy CEO of TechUK.

On the issue of bulk data retention, he said TechUK strongly agreed with Anderson, that "early and intensive dialogue" with law enforcement and technology companies is critical in formulating an updated and coordinated position.

On the recommendation to strengthen the independence of those authorising requests, Walker said TechUK had repeatedly expressed concern about the need for effective oversight. “Anderson’s recommendation that those who authorise requests for communications data should be independent from operations and investigations is extremely important and a step in the right direction for strengthening public trust in how communications data is obtained by agencies,” he said.

Walker said Anderson had recognised that issues of extra-territoriality and conflicts of jurisdiction cannot be ignored. “But, as Anderson makes clear, concrete steps can be taken by governments to address these issues. We agree that UK government must take the lead in developing a new international framework for data-sharing to address real and pressing limitations that are caused by conflicts between different national laws,” he said.

Curbing intrusive powers

Walker said encryption was fundamental to keeping our modern digital economy safe and secure. “Anderson’s report is an important step forward in informing the debate on this vital issue. However it remains unclear what the solution is when companies simply don’t have access to encrypted data, and we must avoid solutions that threaten the integrity of the internet itself,” he said.

Renate Samson, CEO of Big Brother Watch, said Anderson’s report was well researched and balanced, and provided a clear analysis of the delicate balance between surveillance and privacy in the UK.

“He has listened at length to all the key players in this debate and we welcome his acknowledgment of the many areas we have repeatedly noted as being of concern,” she said.

However, Samson said that, while the report featured a number of excellent recommendations – notably, the introduction of judicial authorisation of warrants, the creation of a commissioner system and a complete rewrite of RIPA – it failed to make a compelling case for the intrusive powers called for in the “snoopers’ charter”.

“On the issue of bulk data collection, further discussion about safeguards based on necessity and proportionality is critical. Bulk data collection, whilst useful, has the power – as Anderson noted – to be 'revealing of personal habits and characteristics'. Further discussion and debate is therefore essential,” she said.

“We hope today’s report will be the start of a long-overdue and much-needed parliamentary and public debate. The creation of a joint committee to begin analysis on existing legislation and Anderson’s report should now be convened."

Read more on Privacy and data protection