A remarkable consensus of high-level opinion seemed to be emerging about the state of communications surveillance in the UK until this morning, when the High Court ruled in favour of the MPs Tom Watson (Labour - West Bromwich East) and David Davis (Conservative - Haltemprice and Howden) in their suit against the government over last summer's pass-in-haste-gloat-at-leisure vacation special, the Data Retention and Investigatory Powers Act. The government now has until March 2016 to pass new legislation that conforms to the April 2014 European Court of Justice (CJEU) ruling that invalidated the UK's data retention regulations in the first place. It also may appeal the judgment. A cynic might imagine that the government's next move might be to propose judicial reform that does away with the High Court.
The main point is that this court judgment matches that of the CJEU: DRIPA's section 1, which reinstated the requirement for ISPs to retain traffic data for 12 months, violates the same human rights laws the 2009 data retention rules did. Legal minds will be picking at the bones of this judgment for a while. The more immediate question is how the government will now proceed: the post-election Queen's speech included an investigatory powers bill intended to "close gaps" in access to communications data; this has been universally interpreted as a revival of the "https://www.openrightsgroup.org/issues/ccdp">Communications Data Bill, aka "snooper's charter".
The judgment makes plain, however, that it is not ruling on whether data retention is legal. Merely that this implementation is invalid because it fails to restrict the use of the retained data to prevention, investigation, and prosecution of serious offenses and fails to require review by a court or independent body as a condition of access. In this, it follows the pattern that was forming over the past few months.
Three rings for the Elven-kings...no, three *reports* on the workings of surveillance in Britain were due in the first half of 2015. These were produced by: the Intelligence and Security Committee; the independent reviewer, David Anderson, QC; and the Royal United Services Institute panel.
All these reports received their due press attention when they were released. What's notable is the similarity of their conclusions: the system is legislatively fragmented and complex, needs greater transparency, and lacks sufficient access safeguards. Similarly, some of their recommendations match; in particular all call for replacing today's piecemeal-created legislative structure with a single, less complex law and greater transparency about the system in general. Like today's court ruling, none calls either data retention or GCHQ's activities illegal, and although they all call for reforming legislation to make it simpler, none suggests the legislation should be changed to remove powers the surveillance agencies currently have. We say "surveillance agencies", a term that suggests a handful of experts; Anderson notes that the ISC report covers 600 bodies "with powers in this field", a number that should be spread more widely.
The ISC, established by the Intelligence Services Act 1994, reports once a year, and described this year's report as unprecedentedly comprehensive; its work on the report it released in March began in July 2013, a month after the Snowden revelations began. A month ago, it was joined by the report written by Anderson, the independent reviewer of terrorism legislation. This job dates to the 1970s, though it's been expanded since, most recently by the Counter-Terrorism and Security Act (2015). Finally, the RUSI report, which the Liberal Democrats boasted they had secured as a condition of supporting DRIPA, arrived this week.
The ISC report reads as though it was designed to be reassuring: no one's doing anything illegal, nothing to see here. The ISC particularly supported the present situation, where warrants are signed by the Secretary of State, on the basis that they are thoroughly scrutinized even before they reach her desk, explicitly stating that GCHQ is not engaged in "blanket surveillance" or "indiscriminate surveillance". Anderson, on the other hand, advocated for replacing that system with independent judicial review, though he thought the data retention capabilities in DRIPA should be retained.
On one point, the status of encryption, Anderson seems already to have been superseded: prime minister David Cameron's recent statements on encryption contradict his comment that "neither [the agencies] nor anyone else has made a case to me for encryption to be placed under effective Government control". The RUSI report again says the panel has seen no evidence that the British government "knowingly acts illegally in intercepting private communications or that the ability to collect data in bulk is used by the government to provide it with a perpetual window into the private lives of British citizens." They came down on the side of requiring judicial authorization for warrants and offered ten principles by which privacy intrusion could be tested. This report also advocated maintaining the " capability of the security and intelligence agencies to collect and analyse intercepted material in bulk". However, they also seemed to support the government's contention with regards to encryption that there shouldn't be anything it can't read.
It's worth remembering that, as Sir Humphrey says in Yes, Minister ("The Greasy Pole"), inquiries, however independent, cannot answer questions they are not asked. The big one is this: how do we measure the system's value in protecting public safety? It's a hard one to answer, and it's unlikely the government will try by, for example, taking today's DRIPA judgment as definitive.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.