This blog explains the extent to which the national security agencies have been collecting bulk Communications Data using powers which are being exercised in a way that were never subject to Parliamentary scrutiny. Such data collection is neither subject to the relevant Code of Practice covering communications data nor to scrutiny from the Regulator who was specifically tasked by Parliament to supervise the use of communications data.
The blog comprises yet another lesson in the dangers of leaving wide ranging powers on the statute book. It also provides the explanation why the collection of bulk communications data is believed by Ministers to be lawful.
The draft Investigatory Powers Bill (“IP Bill”) published earlier this week refers to how bulk communications data have been collected by the national security agencies from telecommunications providers. It states:
“b. Bulk Communications Data Acquisition – currently provided for under section 94 of the Telecommunications Act 1984, this is used to identify subjects of interest within the UK and overseas, and to understand relationships between suspects in a way that would not be possible using only targeted communications data powers”. (page 20)
To set the scene with respect to technology, the Telecommunications Act was enacted in the same year as the Data Protection Act 1984. At that time, computers were not networked in any significant way (except in Research Labs, perhaps via Arpanet etc).
Indeed I can remember the problems caused to the draft Data Protection Bill by the arrival of the first personal computer to be sold in the UK. (This was the “Pet” computer; 2KB of memory and a printer. It retailed at 499 guineas and gave rise to the hastily introduced “word processor exemption”; a guinea was 21 shillings for the benefit of the younger reader).
Section 94 of the Telecommunications Act 1984 identified in the IP Bill documents reads as follows:
S.94(1) states that “The Secretary of State may, after consultation with a person to whom this section applies, give to that person such directions of a general character as appear to the Secretary of State to be necessary in the interests of national security or relations with the government of a country or territory outside the United Kingdom”
S.94(8) states that “This section applies to….providers of public electronic communications networks”.
Section 94 was updated in a very minor way by paragraph 70 of Schedule 17 ("Minor and Consequential Amendments") of the Telecommunications Act 2003; for instance, replacement of the words “requisite or expedient” by the word “necessary” in Section 94. The reason why I have delved into such minutae is merely to explain that an opportunity to provide a full explanation to Parliament of the intended impact of Section 94 was not taken by the then Home Secretary (prop. David Blunkett).
So, back to 1984. The impact of S.94(1) was to allow Secretary of State to give general “directions” to the newly privatised telecoms sector in the interests of national security. As there were few networked computers in 1984, there could have been no Parliamentary discussions about communications data collection in terms of the Internet or modern day networked computers.
Yet, according to the IP Bill document, all the national security agencies still rely on S.94(1) and “directions given by the Secretary of State” to the current day. As with Certificates under S.28 of the Data Protection Act, these “directions” are timeless, general, surrounded by secrecy and not reviewed independently. Additionally, one does not know what the directions do. Is it to install some code into an App? A back door for the authorities? A request for a database?
Section 94(4) of the 1984 Act states that:
“The Secretary of State shall lay before each House of Parliament a copy of every direction given under this section unless he is of opinion that disclosure of the direction is against the interests of national security or relations with the government of a country or territory outside the United Kingdom, or the commercial interests of any person”.
I have searched the Parliamentary database for several hours and I am unable to find any deposited papers on the subject. So, I am fairly convinced that Parliament was deliberately kept in the dark about bulk acquisition of communications data by all Secretaries of State in the last two decades (until the Snowden revelations put them on the agenda).
In fact, in his review of law (A Question of Trust: Report of the Investigatory Powers Review; chapter 6, page 100) David Anderson reports Section 94 as being of incidental importance when the opposite appears to be the case. He writes that there are “Three important general observations arise in connection with non-RIPA investigatory powers” such as S.94.
These observations are:
“(a) There is little or nothing in the public domain that explains how frequently (if at all) they are used.
(b) It appears that at least some (perhaps many) Agencies and Departments exercise these powers without any published Code of Practice in place.
(c) As to the exercise of concurrent RIPA and non-RIPA powers, the position is a little clearer in respect of communications data than it is in relation to interception. The Acquisition Code states (at para 1.3) that public authorities should not use other statutory powers to obtain communications data from a postal or telecommunications operator unless that power explicitly provides that they may obtain communications data (or they are authorised to do so by a warrant or order from the Secretary of State or a person holding judicial office)”. (my emphasis).
Clearly Anderson’s assumption that “that public authorities should not use other statutory powers to obtain communications data from a postal or telecommunications operator…” does not apply to the national security agencies and the comment “there is little or nothing in the public domain…” is clearly correct.
In addition the national security agencies “…are not authorised to do so by a warrant or order from the Secretary of State or a person holding judicial offical” because, with respect to section 94, Ministerial directions are given to the person operating the telecoms service and not to the public authority wanting to obtain the communications data.
We can now see the impact of section 94; it allows the national security agencies to obtain communications data in circumstances that are additional to the exercise of RIPA powers without regard to the Home Office’s own statutory Code of Practice on the Acquisition of Communications Data.
This fact is confirmed by the Annual Report of the Interception of Communications Commissioner (2015) where he says in the Introduction to his report that:
“In addition I have recently been asked by the Prime Minister and have agreed to formally oversee directions under Section 94 of the Telecommunications Act 1984”.
Can we pause for a moment here? S.94 has just been placed under review of a regulator;this is confirmation that Ministerial powers to direct were not independently reviewed before. This in turn means the following:
- Section 94 of the Telecommunications Act 1984 has permitted the national security agencies to lawfully collect Communications Data outside RIPA powers, unhindered by the Home Office’s statutory Code of Practice on Communications Data Acquisition.
- Since 2000, the national security agencies have been collecting Communications Data outside the specific scheme of regulation established by Parliament for Communications Data acquisition
- Ministers, for their part, have knowingly legalised the above activities using old legislation containing wide Ministerial Powers, undebated in Parliament in the context in which these powers are used, and with considerable secrecy (i.e. Parliamentary opportunities to explain matters properly have not been taken).
In his half yearly report (July 2015), the Interception of Communications Commissioner states reviewing the directions is challenging because:
"... the directions are secret as allowed for by statute, can be given by any Secretary of State and do not automatically expire after a certain period. There does not appear to be a comprehensive central record of the directions that have been issued by the various Secretaries of State"
It is important to note that both the recent reports from the Parliamentary Intelligence and Security Committee and the RUSI report commissioned in by the Deputy Prime Minister failed to report that Section 94 of Telecommunications Act provided the legitimate basis for the collection of bulk data collection. This undermines their general conclusions of both reports as one wonders how this important legislative issue was missed (assuming, of course, it was missed rather than suppressed).
In conclusion, one often sees statements from Ministers and MPs who wonder publicly why trust in the national security agencies has been lost. Perhaps, this blog explains why this is the case.
BCS DP Practitioner Qualification (starting in London on Nov 16) or BCS Foundation Qualification in Information Security Management (starting in London on Dec 1; ideal for DPOs wanting to get an overview of Information Security). Details of these courses are accessible by clicking the relevant buttons on the Amberhawk home page: www.amberhawk.com.
Home Office Code of Practice: “Acquisition and Disclosure of Communications Data”: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/426248/Acquisition_and_Disclosure_of_Communications_Data_Code_of_Practice_March_2015.pdf
Page 4 of the Annual Report of the Interception of Communications Commissioner (2015) which shows the Commissioner now has oversight of : http://iocco-uk.info/docs/IOCCO%20Report%20March%202015%20(Web).pdf and http://www.iocco-uk.info/docs/2015%20Half-yearly%20report%20(web%20version).pdf
The David Anderson report “A Question of Trust”; https://terrorismlegislationreviewer.independent.gov.uk/wp-content/uploads/2015/06/IPR-Report-Web-Accessible1.pdf
The ISC Report (“Privacy and Security: A modern and transparent legal framework”) fails to link S.94 with bulk data collection: accessible from http://isc.independent.gov.uk/committee-reports/special-reports
The RUSI Report: “A Democratic Licence to Operate”; https://www.rusi.org/sites/default/files/20150714_whr_2-15_a_democratic_licence_to_operate.pdf
Some Section 28 Certficates under the DPA from 2001 that are still current: http://amberhawk.typepad.com/amberhawk/2014/02/should-national-security-certificates-exclude-the-data-protection-principles.html