Hang on! Just because UK government security official Charles Farr says GCHQ et al have done nothing unlawful in their mass digital surveillance, that’s no reason to believe him. You wouldn’t believe a burglar rifling through your drawers; why believe the spokesmen for the people rifling through your personal emails and internet searches?
Farr has put in a defence in the case brought by Privacy International against the Government, not a statement of the law, yet it is being treated as gospel truth. In particular people are demanding the law be changed – conceding that the surveillance is currently lawful (among them pro-security services types such as Lady Neville-Jones).
In fact a judge has not ruled in the case yet, and there are fundamental flaws in Farr’s argument that UK-originated digital material on overseas servers is fair game even though it originated in or returned to the “British Islands” (in the quaint formulation of the 2000 Regulation of Investigatory Powers Act).
For starters it is strongly arguable in law that nothing in the Act can sanction unreasonable mass surveillance – since that was not the purpose of the Act. RIPA was intended to enact a European Directive banning such downloading and storing of personal material and a judge will interpret it in that light. He or she is likely to take a dim view of any alleged “loopholes” in it. (This argument is made briefly below and at length here.)
But Farr’s case is further flawed – not least by a disingenuous attempt to claim parliamentary sanction for mass surveillance on the basis of an arcane exchange in the House of Lords one July evening in the year 2000.
What Farr did not say
First we must be clear. Farr did not say domestic emails that happen to pass overseas on their journey back to UK subscribers are deemed to be “external communications” and can therefore be monitored without the need for a specific intercept warrant.
He couldn’t say that because Section 20 of RIPA defines “external” communications thus: “external communication means a communication sent or received outside the British Islands”. It does not say “and any communication that passes out of the country and back again”. What Farr has delineated is three different sorts of digital information accessible under different legal circumstances.
A) Internal communications such as emails from London to Birmingham, which are “internal” (ie within the British Islands) whether or not they go via internet links in Alaska or Darwin. These are only accessible with a warrant naming a person or place for the search under Section 8(1) of RIPA.
B) External communications that go from the British Islands abroad or from overseas to Britain. He has included Google searches and the like in this category and suggested they can be monitored and viewed under the laxer Section 8(4) and 8(5). Section 8(5)(a) describes “the interception of external communications in the course of their transmission by means of a telecommunication system”.
C) Any material that is caught inadvertently and unavoidably in a trawl under Section 8(4) – which can include emails in category A) as well as anything in category B). These (he insists) can be copied and kept but the internal material cannot be read without a Section 8(1) warrant – except to ascertain which are “internal” and which “external”.
The more general three-month trawling certificate (six months for security issues) must be issued by the Secretary of State. Crucially she must describe what material needs to be examined. The trawl is not a right of access to everything thus intercepted – it gives no unrestricted right to the inadvertent bycatch of private internet searches and YouTube downloads.
So what is the issue? Basically the fear is that the security services (through the US National Security Agency’s Prism and/or GCHQ’s Tempora programmes) are simply downloading everything we do online and accessing it at will. RIPA, enacting the European Directive, was intended to prevent such copying and retention of material. But, if the security services think the law allows them carte blanche to copy everything, that’s what they will do.
Farr’s flawed case
The statement (pdf) from Farr is clear about the Section 20 point – he accepts absolutely a communication doesn’t become external just because it strays out of the British Islands during its transmission. He adds that the code of guidance that governs surveillance says: “They do not include communications both sent and received in the British Islands, even if they pass outside the British Islands en route”. (Code 5.1 Interception code of practice (PDF file – 168kb) – Gov.uk)
Under Section 5(1) of RIPA, Farr says, “the relevant question to ask is not via whom (or what) a message has been transmitted, but for whom (or what), objectively speaking, the message is intended.” An email from London to Birmingham is internal however it got there. (Para 129)
Farr drops emails for a bit and looks instead at Google searches or accessing YouTube and asserts (at para 133) that, while the information at each end of a communication may be “internal”, the making of the communication is “external” – indeed it is two external communications in the case of searches: one making the search (for information on Google or to find a YouTube video) and another when the answer is returned. Even though the correspondent is a computer replying by electronic pulses through use of algorithms, Farr uses this double “communication” as justification for interception of the substantive material. “In such a case the search would involve two ‘external communications’ for the purposes of Section 20 of RIPA and paragraph 5.1 of the Code.” (Para 134)
He also declares that the “recipient” of a Tweet or Facebook posting is not an individual (because you can’t know exactly who will read it) but the platform itself – “the repository for the message and the means by which it is broadcast”. And that “platform” is overseas, hence the “communication” to it is external and not legally immune from interception by Britain’s spies under a trawling certificate.
He goes on to suggest that interception takes place at the level of cables, not at the level of the individual communications (they don’t tap your computer) – and those cables inevitably contain a mixture of external communications and internal bycatch. So now, step forward Baron Bassam of Brighton, quondam parliamentary undersecretary at the Home Office.
Lord Bassam’s 2000 statement
The issue now becomes whether Parliament knew or intended this vulnerability for private information and hence, in effect, sanctioned what GCHQ and its chums are doing.
If Parliament envisaged it and didn’t ban it, then it’s quite possible it is legal. If it didn’t envisage it and/or instead imposed a wider ban – simply banning illegitimate intercepting and downloading of private communications – then such interception is illegal. Parliament would have banned a result (capturing private data) and would not be interested in the means by which the data was captured. Any means used would be unlawful if the result is unlawful.
So the intention of Parliament may be quite important (certainly to Farr’s argument), in particular Parliament’s awareness of the issues of “external communications”. To show that Parliament intended spooks to grab our communications if they strayed beyond the “British Islands”, Farr relies on a statement in the House of Lords by Lord Bassam on 12 July 2000. (See HL Deb 12 July 2000 vol 615 cc316-64.)
Bassam said: “It is just not possible to ensure that only external communications are intercepted. That is because modern communications are often routed in ways that are not all intuitively obvious.” (At 323)
We’re back on emails etc. Such a communication might start in London and end in Birmingham so, Bassam said, it “may be handled on its journey by Internet service providers in, perhaps, two different countries outside the United Kingdom. We understand that. The communication might therefore be found on a link between those two foreign countries. Such a link should clearly be treated as external, yet it would contain at least this one internal communication. There is no way of filtering that out without intercepting the whole link, including the internal communication.” (Hansard: HL Deb 12 July 2000 vol 615 at 323)
So magically the Section 20 distinction became inadequate to protect internal communications even as the Act was in the process of being passed. Because you can’t practically separate what everyone agrees is internal material (London to Birmingham even if via Alaska or Darwin), then that internal material becomes “external”. The Act doesn’t say so. It does not need to, because Lord Bassam has said so!
Bassam was seeking to deflect an amendment from Lord Phillips of Sudbury who raised the point about “trawl warrants” for external communications also picking up what, in effect, were internal communications that had simply strayed beyond Britain through underseas cables or what have you. Phillips is clear that the intention of the RIPA bill was to ensure such mixed-in internal material should not be examined under a general trawl warrant. The only issue was a practical one. His amendment was an attempt to ensure mixed-in internal communications would be protected from a legal trawl of external communications.
And Bassam’s objection was also a practical one. He said that “the amendment – I will be frank about this – would render unworkable the arrangements for interception and selection of external communications. It is just not possible to ensure that only external communications are intercepted.”
So can Farr rely on Bassam’s having raised this issue as constituting parliamentary sanction for mass interception (since no amendment was passed to specifically protect mixed-in internal communications)?
First it should be noted that this mini-debate in the Lords was framed in terms of mixed internal and external communications accidentally floundering around in the same trawl and hence internal communications inadvertently picked up (giving the paradox that security forces would have to read them to assess they should not read them). Bassam was in effect saying the Section 20 distinction regarding “external” communications was unworkable in practice.
But a judge might answer: “Make it work!” since it is the law of the land – passed without Bassam’s rider attached. And one way to make it work would be to not go on daily mass trawls of just about everything, downloading and saving the material of just about everyone – since that is against the intention of RIPA, the EU Directive and of Parliament. The fact that these practical issues were put before their Lordships cannot be read as their sanctioning mass interceptions – unless mass interception was put into the Act in explicit terms.
We all know what an internal communication is. Lord Bassam knew and it is clear Farr knows too. But more importantly we are very clear about the intention of RIPA – it is the intention of the European Union directive it was intended to enshrine in domestic law.
Farr has cobbled together a piece of nonsense about Google searches and the like being “external communications”, though communications to no one, with a point about catching internal emails accidentally as they make their scattered digital journeys around the world to justify a policy of mass interception of personal material.
RIPA, in making the internal/external distinction, was not sanctioning the downloading of all external material for copying by British spies. It envisaged specific operations but without an exact address or person to monitor. A more general warrant would be available for such operations.
Farr insists private material such as the content of a Google search “made by an individual known to be in the British Islands” caught by action under a Section 8(4) general trawl warrant would not be “selected to be read or even looked at” (para 141). But the intention of the law is that such material should not even be downloaded and saved by security services – yet this is clearly happening constantly.
One must therefore distinguish two scenarios:
1) During a specific operation sanctioned by the Home Secretary on a trawl certificate internal material is captured; that might be deemed legal as long as it was not read on purpose, since it is not part of the operation, and as long as the capturing of irrelevant material were held to be a proportionate and unavoidable side-effect. The primary purpose must be to intercept external material (Farr para 155) and the bycatch of internal communications would have to be seen as “necessary to undertake in order to do what is expressly authorised or required by the warrant” under Section 5(6)(a) – an unfortunate but not unreasonable result of legitimate surveillance. This, though, redefines “necessary” to mean “unavoidable, I’m afraid – sorry, and all that”.
2) Just copying everything out there all the time, with no specific operation in mind other than generally looking for suspicious material. This would be a different matter. A certificate from the Home Secretary that said “just go and get everything, copy it and stash it somewhere and when this warrant runs out, come and get another one” would not (one assumes) be lawful. It would be disproportionate to the purpose intended and directly contrary to the intention of RIPA and the EU Directive.
Privacy International on Charles Farr’s statement is here with a link to their legal argument.
The Investigatory Powers Tribunal has now (February 2015) ruled that some of GCHQ’s behaviour regarding Prism was illegal – but only insofar as it was not public. Now we know about it, it’s not illegal. The Tribunal judgment is here: Investigatory Powers Tribunal judgment: Liberty v FCO
Notes and queries
What is the legal effect of the EU Directive?
The purpose of the Act was to implement a 1997 European Union Directive (now Art 5 of Directive 2002/58/EC), which was not intended to allow such mass downloading of personal information. Any doubts about the wording of RIPA will be interpreted by a judge according to the Directive’s intention – not as a loophole for the spooks to crawl through.
And the purpose of the Directive was to protect personal information in the digital age. To that extent it was future-proofed even though the drafters might not have known what innovations would allow easier surveillance in the internet and iPhone age. It requires member states to pass laws that “prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1)”. Article 15(1) sanctions surveillance only as “a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (ie state security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system”.
The judge in the case brought by Privacy International against the Government will be able to, indeed obliged to, take into account the Directive when interpreting RIPA and any alleged “loophole” allowing mass surveillance of communications that might be sitting on overseas servers. The judge will interpret RIPA “in every way possible in the light of the text and aims of the Directive to achieve the aims envisaged by it”. The aim was to protect individuals from disproportionate mass surveillance, so that is how RIPA will be interpreted.
(See this Thinking Legally piece for a full – and possibly over-long – examination of this legal point.)
Can Hansard be quoted in court?
Farr may be relying on a Pepper v Hart process of judicial construction. The case ( AC 593) opened the way for judges to refer to Hansard rather than restricting themselves to the words of a piece of legislation when interpreting its meaning. The original case suggested this could be done only if the wording in the legislation in question was ambiguous, obscure, or led to absurdity; the material relied on consisted of statements by a Minister (or the promoter of the Bill); the statements relied on were clear. The new freedom has been controversial, Lord Steyn noting, in particular, that “It encourages courts to find that legislation is ambiguous when it is not, once it is apparent that there is a relevant indication of opinion by Parliament.” (Pepper v Hart: A re-examination)
This seems to be the trick Farr is playing by introducing Bassam into the mix – especially since Bassam’s statement in effect suggests the Bill he is seeing through the Lords is unworkable before it has even got out of the doors of Parliament. A statement in Hansard should not be treated as a source of law in itself. In particular it should not be used, as Farr is doing, to obfuscate the wording of the legislation, to raise doubts about it when it can be perfectly well understood as it stands.
RIPA Section 8: Contents of warrants
(1) An interception warrant must name or describe either— (a) one person as the interception subject; or (b) a single set of premises as the premises in relation to which the interception to which the warrant relates is to take place.
(2) The provisions of an interception warrant describing communications the interception of which is authorised or required by the warrant must comprise one or more schedules setting out the addresses, numbers, apparatus or other factors, or combination of factors, that are to be used for identifying the communications that may be or are to be intercepted.
(3) Any factor or combination of factors set out in accordance with subsection (2) must be one that identifies communications which are likely to be or to include— (a) communications from, or intended for, the person named or described in the warrant in accordance with subsection (1); or (b) communications originating on, or intended for transmission to, the premises so named or described.
(4) Subsections (1) and (2) shall not apply to an interception warrant if— (a) the description of communications to which the warrant relates confines the conduct authorised or required by the warrant to conduct falling within subsection (5); and (b) at the time of the issue of the warrant, a certificate applicable to the warrant has been issued by the Secretary of State certifying— (i) the descriptions of intercepted material the examination of which he considers necessary; and (ii) that he considers the examination of material of those descriptions necessary as mentioned in section 5(3)(a), (b) or (c).
(5) Conduct falls within this subsection if it consists in— (a) the interception of external communications in the course of their transmission by means of a telecommunication system; and (b) any conduct authorised in relation to any such interception by section 5(6).
(6) A certificate for the purposes of subsection (4) shall not be issued except under the hand of the Secretary of State.