The author of the latest report on government surveillance practices is probably right when he says the document “won’t please everybody (indeed it may not please anybody)”. The Independent Reviewer of Terrorism Legislation, David Anderson QC, has laid out his proposals for reforming the way intelligence services collect and use data about our online activities. And the prime minister has reportedly already rejected one of the key recommendations: that judges – not ministers – should authorise the interception of communications.
The report is a substantive piece of work and deserves careful reading and consideration in full. It argues that people’s internet searches should only be captured where a rigorous assessment proves there is a strong case for doing so. This is not in line with government plans in the so-called Snoopers’ Charter.
It also emphatically rejects the idea that government should have a backdoor into all encrypted communications. And it highlights the need to replace the current patchwork of communications laws with a single framework and a new oversight body.
It’s becoming clear why the government delayed the report’s publication. The opposition of David Cameron and Home Secretary Theresa May to judicial rather than ministerial authorisation of warrants was predictable. You can also understand why they might be a bit miffed that Anderson disapproves of blanket encryption backdoors. He argues the agencies don’t want it and that it would undermine security for everyone.
You would expect the government to be positively dancing in the aisles over the report’s apparent support for bulk data collection and retention, and its support for the notion that UK law in this area should have global reach.
However, their joy will be tempered by Anderson’s qualification that he is not offering a legal opinion that these practices are proportionate. On the contrary, he notes: “A number of such questions are currently before the courts.” He also insists bulk collection and retention would have to comply with the European Convention on Human Rights and the ruling by the European Court of Justice last year that outlawed indiscriminate data retention.
And on international communications, Anderson says capturing this data without the official agreement of other countries is an “unsatisfactory substitute for a multilateral arrangement … which must surely be the long-term goal.”
So Anderson’s report has turned out to be nothing like the useful excuse for pushing through the Snoopers’ Charter that the home secretary must have hoped it would be.
On the downside, I have to admit I share Privacy International’s disappointment that Anderson did not condemn bulk data collection. The justification for this is rather weak and not in line with the deeper consideration of the rest of the report.
Anderson links the issue to the principle of minimising areas – in both the physical and digital worlds – where law enforcement doesn’t apply. He supports this position by reference to six real bulk data case studies in Annex 9 of the report. None of these cases definitively demonstrate that bulk collection was the main reason those involved were identified in the first place.
If the police or intelligence services have just cause to suspect someone of criminal activity, then being able to access and search the suspect’s data could reveal significant information about them. But authorities simply do not have the resources to sift through data about the lives of everyone in the country.
Time and again since the turn of the century, from 9/11 to the murder of Lee Rigby, authorities have failed to prevent terrorist attacks by known dangerous individuals after being overloaded with information from bulk collection. Additionally, it is simply not proportionate to engage in bulk data collection, in the hope that it will be useful when the authorities decide to look into someone they disapprove of. It actually impedes already over-stretched authorities, who would be better off recruiting more and better-trained investigators and analysts.
The government would do well to note that the opportunity costs of bulk data collection and retention make the jobs of those tasked with protecting us more difficult, while simultaneously denying them the resources to be more effective. This undermines security for everyone.