Since Edward Snowden hit the headlines last year after pulling the plug on the United States' mass surveillance programme, PRISM, pressure has been mounting on governments across the world to justify how they intercept and collect communications data. Given the 'special relationship' between the the US And the UK, it is unsurprising that allegations across the pond have been mounting and serious questions have been put to the government and its spy agencies. However, Prime Minister David Cameron and his most senior officials will breath a sigh of relief this week after an independent investigation into data snooping has effectively given the government a clean bill of health.
The Interception of Communications Commissioner, Sir Anthony May, published his first annual report this week and stated that GCHQ, the UK's intelligence agency, is operating lawfully and that the current legal framework – the Regulation of Investigatory Powers Act 2000 – is broadly fit for purpose. He pretty much said that although data snooping does happen, spy agencies aren't going to be interested in you unless you are up to something dodgy. And even if they were interested in you, there are a number of controls in place to ensure that there has to be a very good reason for obtaining the data. He also found that agencies generally aren't storing data for unnecessary periods of time and that information is largely being deleted when it should be.
The government will no doubt hope that the report appeases any public concerns regarding undue 'mass surveillance'. Sir May states:
“In the real world, intrusion in this context into the privacy of innocent persons would require sentient examination of individuals’ communications. The legislation only permits this to the extent that it is properly authorised under the statutory structure which I have described and for the necessity purposes which the legislation permits. None of this is ‘random’ or ‘mass’ and none of it is directed to intrude into the private affairs of law abiding UK citizens.
“[I am] personally quite clear that any member of the public who does not associate with potential terrorists or serious criminals or individuals who are potentially involved in actions which could raise national security issues for the UK can be assured that none of the interception agencies which I inspect has the slightest interest in examining their emails, their phone or postal communications or their use of the internet, and they do not do so to any extent which could reasonably be regarded as significant.”
A smug government
Needless to say Ministers are suitably pleased with the findings and will be hoping that Sir May's report will silence privacy concerns that have been whipped up over the past few months by the media. I have my doubts about that, but here's what they said anyway...
Prime Minister David Cameron said:
“[The report] shows that public authorities do not engage in indiscriminate random mass intrusion."
Home Secretary Theresa May said:
“[The report] makes clear the intelligence agencies, law enforcement agencies and other public authorities operate lawfully, conscientiously and in the national interest."
Foreign Secretary William Hague, the minister responsible for GCHQ, said:
"A senior and fully independent judge has looked in detail at whether the interception agencies 'misuse their powers to engage in random mass intrusion into the private affairs of law abiding UK citizens'. He has concluded that the answer is 'emphatically no'.
"We are open to suggestions to strengthen the oversight framework even further and make it as transparent as possible without putting security at risk."
Potential 'overuse' of powers
However, despite getting the all clear on mass surveillance of the public's communications data, the report did raise some concerns about the amount of requests made by the UK's police forces and crime agencies. In 2013 there were 514,608 requests for communications data – which could include who owns a phone, IP addresses, numbers dialled or calls received (but not the content of the communications) – of which 87.5 percent were made by police and law enforcement agencies. The remainder of requests were made by up intelligence agencies (11.5%), local authorities (0.3%) and other bodies (0.5%).
Sir Anthony May said that the 514,608 figure appears to be a “very large number” and has the “feel of being too many”. He wrote:
“I have accordingly asked our inspectors to take a critical look at the constituents of this bulk to see if there might be a significant institutional overuse of the [powers]. This may apply in particular to police forces and law enforcement agencies who between them account for approaching 90% of the bulk.”
He also questioned whether police investigations, which may not be of a very serious nature, relied upon the requests for communications data – at the expense of people's privacy. The report states:
“Since a very large proportion of these communications data applications come from police and law enforcement investigations, it may be that criminal investigations generally are now conducted with such automatic resort to communications data that applications are made and justified as necessary and proportionate, when more emphasis is placed on advancing the investigations with the requirements of privacy unduly subordinated.
“[Our] inspectors have found instances where applications (for data) are marked urgent when in truth they are not, or where there has been delay in making the application. The very fact of delay sometimes suggests that the necessity for the application may be questionable. More generally, a proper regard for privacy could mean that a proportion of applications currently routinely promoted as necessary could be seen as inadequately justified.”
Good news for the government and GCHQ – any other response would have further dented public confidence. However, this doesn't mean that the problem is going away. Up until now the the government has been extremely secretive about how it carries out its data snooping activities and the nature of the legal framework makes it very difficult for the general public to penetrate, which has created an incredible amount of distrust and an assumption that 'big brother is watching'. Although there is always going to be an element of secrecy, transparency wherever possible will go a long to giving the public faith about how its personal data is handled.
However, the police forces and law enforcement agencies need to be careful. It appears that it has become quite easy for them to request information and it is relying upon this mechanism for its investigations. If the information is critical to an urgent investigation, then that's an understandable use of a request for data - but it shouldn't be done routinely and at the expense of privacy. Whether or not the 500,000+ figure is too large is still up for dispute, but all agencies should invest in assessing their processes and controls to ensure that the legal framework is working properly for them, as well as the public.