Today, one day before Parliament rises for Christmas, the annual reports of the Interception of Communications Commissioner and the Intelligence Services Commissioner have been published.
These are the final reports published by these Commissioners as their roles will now be taken over by the new Investigatory Powers Commissioners Office (IPCO) under the Investigatory Powers Act.
The two reports couldn’t be any more different if they tried.
Whilst Sir Stanley Burnton the Interception of Communications Commissioner has published another probing and challenging review of the Agencies ‘access to communications, presenting data transparently and encouraging further engagement and insight, Sir Mark Waller has once again published a ‘nothing to see here’ report. Sir Mark has long been seen as a soft touch Commissioner, this final report does nothing to change that view.
The Interception of Communications Commissioners Office (IOCCO)
The headline figures from IOCCO show that in 2016:
- 754,599 items of communications data; the who, where, what of our communications were acquired.
- 93% of these requests were made by the police.
- 83% were acquired for the purpose of preventing or detecting serious crime.
- 24% for drugs
- 14% for sexual offences
- 11% to prevent death/injury
- Only 6% were for the purposes of national security.
- 50% were requests for subscriber information and 48% were requests for traffic data ie. what you are doing online and who you are communicating with using your telephone.
- 70% of the requests were for data which was less than 3 months old, 25% of that was for data which was less than a day old.
- Only 6% of requests were for data over 12 months old.
We have long raised concern about the Government pushing the public to believe that access to communications data is mainly in order to protect us from terrorism and to stop the intelligence agencies from “going dark”. These figures make abundantly clear that our concerns were right and that terrorism and access by the agencies is very secondary to police access in relation to “serious crime”.
The figures make clear that retention of data for 12 months is far less necessary than the Government like to stress. It is clear that data of 3 months or less has the most use, raising questions about the process of Internet Connection Records under the Investigatory Powers Act (IPAct) where all our internet searches will be held by our Internet Service Provider (ISP) for 12 months.
When it comes to errors, 2016 saw 1,101 errors occur, with the main number carried out by the SPoC – the person within the police force who signs off on the requests for data. This is interesting as the Watson judgment from the CJEU made clear that the role of SPoC should now be taken by an independent judicial commissioner. With the Investigatory Powers Commissioners Office being lined up to take on that role as well as the oversight of the process, next year’s report of errors will be something to look at closely.
That the Commissioner raises serious concern with the large number of serious errors in relation to IP Address Resolution is welcome. As background; IP Address Resolution is when the police try and pinpoint a device or a location, to an IP address, in order to locate a person of interest. Because IP addresses are based on numerical data, data which can differ depending on time zones for example, the opportunity for errors is raised as numbers can be misheard, mistyped or misinterpreted.
The report details some very serious errors leading to the arrest of innocent people, removal of children from parents, and seizure and interrogation of personal devices.
No detail is provided however as to whether the affected people sought redress for these errors, but the Commissioner does make clear that he continues to want to see rules around error reporting “to be clearer” and that he wants to see Commissioners given “greater powers to notify individuals who have been the victim of error”.
We wholeheartedly support this view. We campaigned for improved notification of serious errors during the IP Act debates and have raised the issue with the new Investigatory Powers Commissioners Office (IPCO). That notification was also outlined as necessary in the Watson judgment is critical.
Finally the report goes into detail about interception warrants, again shown to be used more for serious crime 65% than national security 33% and detail about the use of Section 94 powers under the Telecommunications Act.
Overall the transparency from IOCCO about who is accessing communications data and why is hugely welcome. By listening over the years to calls for greater transparency IOCCO have worked hard with civil society and with the Agencies to improve procedures, improve transparency and improve notification. We hope that IPCO take on board the success of IOCCO’s approach and maintain and continue to improve on the openness and transparency demonstrated.
The Intelligence Services Commissioner (ISC)
Sir Mark Waller’s report, as outlined above, is an entirely different kettle of fish.
Despite acknowledging in the Executive Summary that “the control and auditing” of data sets which are part of the Agencies bulk powers is “extremely important”, because these powers “can involve collecting and dealing with information which is personal and of no intelligence interest.”, Sir Mark appears to continue his approach of providing little more than a gentle telling off when errors are presented to him.
Interferences with privacy are outlined throughout the report. For example we learn that GCHQ shared intelligence 8 times with third parties they shouldn’t have done. Sir Mark’s response however “commended GCHQ” for changing their internal process and initiating a training programme.
When it comes to Bulk Personal Datasets (BPD); a capability overseen by Sir Mark for years before it was even publicly known such things existed, Sir Mark expressed that he “would like to have seen a clearer demonstration of privacy considerations”, yet outlines no further detail as to what this means and why privacy considerations are currently poor.
He also notes concern at the delay of data being added into the BPD system and appears to pose the question that if there is a delay why is the data needed? Good point, but rather than probe further he summarises that he was “persuaded to accept the case for retention” despite the fact that he had “worried that a significant delay seriously weakened the case for retention.” After years of overseeing the capability this entire approach is quite frankly astonishing. That the Commissioner allowed himself to be “persuaded” that data on each and every one of us should be retained without seemingly any real challenge is very worrying.
Finally, the approach taken of simply recommending that MI5 “consider how authorisations might be framed” as the response to learning that the Agency had been given authorisation for equipment interference – hacking to me and you – to be continued despite it taking place on the “wrong computer” in order to assess if there was any “intelligence interest”, is quite frankly unbelievable.
The Agencies under Sir Mark have had an easy ride and they know it. The report is littered with examples of backlogs of errors building up and attempts by the Agencies to address a problem internally rather than report it to him. It is no wonder they have tried to self-monitor themselves because when they appear to have reached out to him with problems, his thin, meaningless guidance focused on improving paperwork or procedures rather than getting into the nitty gritty.
Sir Mark’s reign of poor oversight is finally at an end and we should all be thoroughly grateful. IPCO must scrutinise the Agencies far more closely, challenge their errors, probe the problems and offer engaging and meaningful recommendations. If they do so they will not only keep the Agencies on their toes, but also engage in improving how their intrusive and serious work is undertaken. Such an approach would be better for the Agencies and better for the citizens of the UK.