Concerned experts are asking what plans the government has to meet its obligations to review Britain’s extensive surveillance laws.
The Home Office is legally required to review the operation of the Investigatory Powers Act 2016 (IPA), widely known as the snoopers’ charter, after five and a half years.
But information security and legal experts say they are concerned that the government has given no indication of what its plans are to revisit the IPA – despite growing concerns over the adequacy of the Act.
Experts say there is an urgent need to reform the Investigatory Powers Act to allow intercept evidence to be made admissible in criminal prosecutions.
They have also called for the use of artificial intelligence in surveillance to be assessed following groundbreaking advancements which have enabled more intrusive information gathering.
And there are outstanding questions over whether the IPA complies with legal rulings by the European Court of Human Rights which require end-to-end safeguards for the bulk collection of communications and protections for journalistically privileged information.
Intercept evidence should be admissible in court
Peter Sommer, a computer forensics expert and expert witness, advised the Joint Lords and Commons Select Committee carrying out the pre-legislative scrutiny of the draft Investigatory Powers Bill in 2015 and 2016.
He told Computer Weekly there was an obvious need to change the way the IPA treats intercept, which cannot be used as evidence in prosecutions, in the wake of Operation Venetic, the National Crime Agency’s biggest investigation into organised crime.
“The most obvious modification now required is to treat intercept evidence in the same way as all other types of evidence and to change the current position whereby warrants can be obtained for intelligence purposes but intercept evidence is inadmissible and cannot be referred to in court,” he said.
Prosecutions brought under Operation Venetic, which rely on the contents of millions of messages and photographs obtained by French police in 2020 from the supposedly secure encrypted phone network, EncroChat, have faced legal difficulties over the admissibility of intercepted evidence.
Defence lawyers have issued a series of legal challenges against the National Crime Agency over the admissibility of material intercepted from tens of thousands of EncroChat phones in the UK, in the Court of Appeal, the European Court of Human Rights and, most recently, the UK’s Investigatory Powers Tribunal.
“The current status is causing massive problems in the NCA’s biggest investigation, Operation Venetic, where there are considerable doubts about the status of acquired EncroChat messages and photos. Are they admissible or not?” said Sommer.
Dr Ian Brown, a specialist in information security, said that there was a need for clarity on whether large-scale equipment interference operations similar to the operation against EncroChat were going to be more frequently deployed by law enforcement agencies in the future.
There are questions, he said, over whether any data obtained from real-time interception will be admissible in criminal trials as long as it was obtained from digital equipment, rather than from an analogue radio link or telephone wire. “If so, are further safeguards needed?”
Other experts say that the government should review developments in artificial intelligence which have enabled law enforcement and intelligence agencies to conduct more intrusive bulk surveillance since the Investigatory Powers Act came into force.
Eric Kind, an expert in surveillance and legal and public policy, and managing director of AWO, a data rights agency, told Computer Weekly that artificial intelligence and its impact on bulk surveillance powers should be a key priority for any review.
“Artificial intelligence should be one of the top priorities for review, due to the number of ground-breaking advancements since the passing of the IPA. They have the ability to significantly shift the privacy versus intrusion balance throughout the Act, but most prominently with regards to bulk powers,” he said.
European court decisions impact IPA
Lawyers and privacy groups also argue the IPA should be revisited in the light of decisions by the European Court of Human Rights which found serious failings in the UK’s earlier surveillance regime, the Regulation of Investigatory Powers Act 2000 (RIPA).
A decision by the European Court of Human Rights in the case of Big Brother Watch and others v the UK in 2020, for example, raises questions over whether the Investigatory Powers Act provides adequate privacy safeguards during bulk surveillance operations.
The Home Secretary Suella Braverman was a member of the Joint Select Committee that reviewed the draft Investigatory Powers Bill from November 2015 to February 2016, and is said to have a good understanding of the issues at stake.
Under Section 260 of the Investigatory Powers Act, the government is legally required to review the Act five years and six months after it received Royal Assent in November 2016, and to present a copy of the review to Parliament.
Sommer said that in addition to the difficulties posed by the IPA over intercept evidence, there were also difficulties separating legally admissible communications data from inadmissible content in web-based email and social media services.
He said that there was a strong case for Parliament’s Intelligence and Security Committee to review the scope and operation of bulk interception and acquisition warrants.
“Such warrants inevitably collect information from the wholly innocent on the off-chance that they might be guilty of something,” he said.
Although the Investigatory Powers Act authorised state hacking as “equipment interference” and allowed evidence obtained in this way to be used as evidence in court, Sommer said that unlike other forms of digital evidence, there were no standard operating procedures “to ensure the integrity and reliability of the results.”
Any government review would also be expected to assess the performance of the Office for Communications Data Authorisations (OCDA), a body set up in March 2019 – after the IPA 2016 came into force – to review applications by government bodies to access metadata about individuals’ telephone, email and internet use from phone and internet companies.
The OCDA was set up to manage 200,000 requests a year from 600 public bodies to access communications data, which includes information such as the sender and recipient of emails, the time they were sent, and the first part of a URL of websites visited.
According to the Investigatory Powers Commissioner’s Office (IPCO), the organisation employs around 100 people, at two offices in Manchester and Birmingham, who act as a contact point for government agencies seeking communications data between 7am and 10pm seven days a week.
The Home Office declined to answer questions from Computer Weekly about its legal obligation to review the IPA.