I’ve been reading through all the annual reports issues by the Interception of Communications Commissioner since the passage of Regulation of Investigatory Powers Act 2000. He is meant to make sure that the powers granted to public bodies under RIPA to intercept our communications are being used correctly.
The annual reports are not a pretty read, especially when set against a modicum of knowledge about the outside world during the years the reports cover. Consider the following.
1. No scrutiny of the costs system
First, under RIPA there is provision for the government to pay communication service providers costs for meeting the legal requirements put on them. How much has been paid out? Has the system of what can and can’t be claimed for worked well? Are those communications service providers happy with the system? Are those in government who have to sign off such expenditure happy? All the sorts of questions that someone should be asking – and all the sorts of questions which need answers if you are going to make decisions about the future of RIPA on a sensible, evidence-based, basis. But also all questions which are left unanswered by the Commissioner responsible for this area.
2. Huge growth, little explanation
Second, access to communications data has ended up taking place on a massive scale (552,550 times in 2010 alone, the last year for which there are details), far beyond the scale of which people were talking about at the time RIPA was passed and a number that is continuing to grow. How has that happened? What is the reason for growth? The reports tell us almost nothing. Reports even say there is no point in giving a breakdown of the total figures followed rapidly by saying the Commissioner does not know why the totals have gone up. Well, breakdowns might help answer that…
There is no serious analysis of the causes of the volume or the growth, and what little commentary there is tends to be of the ‘I don’t know why it has gone up but it has gone up for good reason’. There is not active regulation, it is passive and highly trusting regulation – in other words, it is not good regulation.
3. Emergency system widely used, little scrutinised
Third, what is more, the urgent oral authorisation procedure, meant to be for exceptional life-threatening situations, is used heavily and growing fast – 31,210 uses in 2010, up from 21,582 in 2009.
I suspect the police used such an oral request when I had to call 999 a while back in a case where a child’s life could have been at risk and a person needed urgently locating in order to protect the child. So I can certainly see the merit of urgent oral powers in such cases. But there are clear risks of abuse of such powers and the fast growth raises other questions.
Again, the reports are very weak, with some limited provision of possible explanations (more people involved in interception are now covering matters 24 x 7) but no rigorous analysis and no evidence that the Commissioner’s checks are based on a good risk analysis of potential abuse and therefore concentrating on areas such as this.
4. Privatisation not studied
Fourth, and rather bizarrely, the large-scale ‘privatisation’ of RIPA services to SinglePoint gets no mention. SinglePoint is no more, having filed for insolvency earlier this year, but when it was running many local councils (and possibly other bodies) passed over some of their responsibilities in the RIPA process to an external, private and profit-making company. There is a case to be made for this being a good thing as some councils were struggling to perform rare and specialist tasks properly. You can imagine the arguments in favour of therefore using a specialist dedicated contractor.
However, given the huge sensitivity of monitoring, surely a good regulator would have been regularly checking up on SinglePoint and assessing its impact on the system? Especially as SinglePoint were marketing their services as taking on one of the legal roles that RIPA gave to councils and doing so in a way that made it easier for councils to get monitoring data on residents (see the Aberdeen example, p.5).
Even more strangely, SinglePoint has now been largely replaced in this role by the National Anti-Fraud Network (NAFN), an unincorporated not-for-profit organisation hosted by two local councils. NAFN has been regularly visited and reported on by the Commissioner, even though it is a set-up certainly no more, and arguably less, risky than SinglePoint.
5. 13% of police and law enforcement agencies not up to scratch
Fifth, despite the reports repeatedly presenting a very optimistic and positive picture, in 2010 we get praise for how well organisations have improved their compliance with RIPA, which rather suggests the picture in earlier years was over-stated. But even after that improvement, 13% of police and law enforcement agencies not have good or satisfactory systems according to the regulator. For an area as sensitive as law enforcement, personal privacy and civil liberties 13% is not a welcome low figure, it is a dreadfully high figure – especially against the background of a Commissioner who has not been ringing alarm bells about the state of his domain when it was lower.
[Update – this attitude has changed fractionally with the latest Commissioner’s report, although the heavy coverage of two people having been wrongly detained due to interception mistakes owes far more to the media’s sudden interest in these reports after a decade of mostly ignoring them. In that respect at least, the Draft Communications Data Bill has achieved something good.]
6. Warning signs of widespread law breaking ignored
Penultimately, and perhaps most damningly, there is the little matter of the alleged repeated law breaking that the Interception of Communications Commissioner appears to have completely ignored.
The New York Times 2011 investigation into phone hacking included allegations that journalists were regularly breaking the law by paying for illegal access to communications data, most likely by abusing RIPA powers. These allegations have been contested and we have yet to see what final verdict the Leveson Inquiry or the courts take of them (though see this excellent blog post from Greg Callus). However, the evidence is more than passing gossip and, if true, means that for years not only was RIPA being broken but the auditing to check that RIPA was being complied with failed to catch the problem. In other words, if true the allegations mean the Interception of Communications Commissioner and the system he presided over would have failed, badly, on a large scale and for a period of time measured in years.
Yet what does the latest annual report from the Commissioner, published well after the allegations were aired, say about this? Nothing. Not even a reference to waiting to see the outcome of court cases, let alone any preliminary investigations.
What is more, there has been other hints of possible serial breaking of RIPA for several years previously. The Information Commissioner’s seminal report in 2006 What Price Privacy blew the whistle on large-scale law breaking by the British media. Its implication is that the communications data journalists were illegally obtaining was coming direct from phone companies without abuse of RIPA procedures involved. However, it is not clear or explicit on this point so a good, pro-active regulator would have been on the ball to check that was the case. Instead, the reports are silent.
There was a chance again in 2008 with Nick Davies’s Flat Earth News, the other classic revelatory publication in this area. It too does not directly finger abuse of RIPA but it gives some strong clues that RIPA abuse may have been a widespread part of the culture of British journalism. He wrote, for example, that “As one Mail veteran put it to me: ‘If the Mail go for you, they get … every call from your phone and mobile.'” But what did the regulator do in response? Check out if RIPA was involved? Alas no. Once more, his annual reports are silent.
7. No-one found to have a good word to say about the system
Six reasons then why the Interception of Communications Commissioner and the system has failed. Multiple reasons why, even if the government were tomorrow to call a halt to any expansion of online monitoring powers and even if the courts do not end up standing up the New York Times allegations, this is still not a regulatory system that works or should be left as it is.
There is one heartening footnote to all this. I recently talked to one of the senior Liberal Democrat advisers in this area and their comment was simple. They’ve yet to come across anyone who has a good word to say about the Commissioner and how he regulates the system.
Knowing there is a problem is a good first step. But it should not be the last step.
Addendum – and all the more so given the Commissioner himself has said he sees no problem with the system.
Note: in addition to the updates to add in references to subsequent stories, the post was slightly updated 27 April and 4 July to make the statistics clearer.
* Mark Pack is Party President and is the editor of Liberal Democrat Newswire.
Follow @libdemvoice.org on Bluesky
Like us on Facebook
Subscribe to our feed
Sign-up for our daily email digest
Dundee - designing resilience into a fragile urban landscape
Potential job losses multiply from NHS England
Adam Harley selected for Strathkelvin and Bearsden
When Not the Nine O'Clock News demonstrated how to deal with chess prodigies
Diversity, Inclusion and Equality Programmes bring out the full capacity of a nation.
Peter Davies
Katharine Pindar
David Raw
2 Comments
The big question then, is where do we go from here? With the home office looking to see RIPA extended to digital communications this is our chance to demand some changes to RIPA in exchange.
What should our demands be?
Can we have proposals drafted up by Autumn Conference?
The problem is not just the matter of future changes, but the understanding of current legislation as it exists now. RIPA is a particular problem. As Glen Mulcaire found out you don’t have to be in the public sector in order to be found guilty of offenses under the Act, yet my MP – a minister in the current government – had the following to say in an email to me on the subject of RIPA: “The key power in RIPA is to require people to release encrypted information to a designated authority”.
This completely ignores the contents of section 1 of the Act. Section 1 only refers to the lawful authority to intercept communications. There is no mention of whether the person doing the intercepting is working within the public sector or how this impacts on whether an offense has been committed under the Act as a result of their employment status.
Of course it’s in the government’s own interests to encourage people to believe that they have as few rights as possible, especially if they want to increase the level of spying that they are forcing on all of us, but assuming for a moment that there is no deliberate attempt at hiding the truth then perhaps education is part of the answer? MPs don’t seem to understand legislation that they themselves passed 12 years ago. If this situation continues then we will probably still be arguing in 20 years time about what the increased surveillance that the government wants to put in place now actually means to all of us.
As for the future demands mentioned by Daniel Henry, might I suggest that certain matters be clarified in the Act, such as the way in which this law applies to both those in the private and public sectors (and indeed private citizens)? Perhaps if it’s made as difficult as possible for these misconceptions to exist then there will be less of a problem?
At the very least we as a country must ensure that the laws are applied properly, but at the moment police forces seem to be paritcularly reluctant to charge anybody under RIPA when it involves telecoms companies (strangely enough they were the ones responsible for actually handing over voicemail to the wrong people, but they don’t seem to have featured much in the Leveson inquiry despite the fact that they were the ones running the systems that were so hackable). It’s not just the media involved here. In one case the City of London police force used the rather laughable excuse of ‘no criminal intent’ in order to justify not prosecuting illegal behaviour. This was an excuse that was responsible in part for landing this country in the EU courts, yet police forces continue to refuse to prosecute telecoms companies for RIPA offenses.