The Coming UK Surveillance Debate: Future-proofing

The last in a series of posts on the forthcoming Investigatory Powers Bill

Previous: Communications Data Acquisition

RIPA was future-proofed by writing it in such abstract technology-neutral terms that, combined with some fiendishly tortuous drafting, anyone not in the know had little chance of twigging what it was actually designed to do.

The draft Communications Data Bill took a different approach, building in flexibility to accommodate future technological innovation by granting broad order-making powers to the Secretary of State – orders that themselves would contain little detail.  This went down very badly with the Parliamentary Joint Committee that scrutinised it:

“We have not seen a draft of such an order, and we have been told that we will not be shown one. But it is clear that the order will only be a framework. The specific requirements will be imposed by secret notices by the Secretary of State.”

The Committee went on:

“Given the wide anxiety raised by the breadth of clause 1, we pressed the Home Office officials as to why it could not be narrowed to cover only the gaps which currently needed to be filled. Mr Farr’s answer was:

“The fundamental reason why we are nervous about limiting clause 1 is future-proofing ... Because I genuinely believe that no sooner will you get this legislation through than something else will come up, given the pace of change in the communications industry, which will create another gap, particularly if clever people know that we have filled one area, and so now try to exploit another. Future-proofing and flexibility are at the heart of the language we have used in clause 1.”

... We did receive from Mr Farr the important undertaking that Home Office officials would look at clause 1 again, and advise Ministers on whether it can be changed, enhanced or improved. We believe that it can indeed be changed and improved, by being narrowed to cover specifically the gaps so far identified. An undertaking, whether by officials or by ministers, that a power will be used only to a limited extent, is of little value. Once a power is on the statute book, it is available to be used, and also to be misused or abused, at any time in the future. It is hardly surprising that a proposal for powers of this width has caused public anxiety.”

The Anderson Report described Clause 1 as “an excessively broad power”.  (14.24)

A similar criticism can be levelled at the data retention powers under DRIPA, which are exercisable by notice from the Secretary of State to public telecommunications providers. The government treats the notices as secret and has declined to reveal any details about them, even to the court that heard the DRIPA judicial review, on grounds that to do so would prejudice national security.

At least under DRIPA the specific datatypes that can be ordered to be retained are listed, albeit there has been a move towards more generality (and concomitant obscurity) in the amendment made by the Counter-Terrorism and Security Act 2015 to cover IP address resolution data.

Although technological neutrality and future proofing are admirable in many contexts, they can be positively dangerous in the field of invasive powers where all manner of unanticipated activity may inappropriately fall into scope in the future. When powers intrude on fundamental rights of privacy and freedom of expression it may be more important that Parliament and the public have a clear understanding of what is being authorised than that the legislation be future proof. (This broadly corresponds to the suggestion recorded at 12.96(d) in the Anderson report). If legislation goes out of date, in an area of this sensitivity Parliament ought not to begrudge its time spent scrutinising any further proposal for new, extended or reduced powers.