Open Rights Group response to consultation on the Investigatory Powers Act Codes of Practice

About the Open Rights Group

Open Rights Group is the UK’s only digital campaigning organisation, working to protect the rights to privacy and free speech online. With 3,200 active supporters, we are a grassroots organisation with local groups across the UK. We believe people have the right to control their technology, and oppose the use of technology to control people.

Digital technology has transformed the way we live and opened up limitless new ways to communicate, connect, share and learn across the world. But for all the benefits, technological developments have created new threats to our human rights. We raise awareness of these threats and challenge them through public campaigns, legal actions, policy interventions and technical projects.

Inadequacy of the consultation procedure

The codes of practice being consulted on relate to the most intrusive powers provided for in law by any western democracy. The majority of them relate to powers only recently avowed, and for these it is the first time that a code of practice relating to that capability has ever been made public.

The five draft codes of practice are: 1) Interception of communications, 2) National security notices, 3) Bulk acquisition of communications data, 4) Equipment interference, and 5) Security and intelligence agencies’ retention and use of bulk personal datasets.

Open Rights Group welcomes the opportunity to respond to these important documents but wishes to express a profound frustration at the consultation procedure and the unhelpful manner in which policy is being formulated.

There was no outreach from the Home Office on the original formulation of these codes, nor on these updated drafts. There have been no meetings or workshops to attempt to brief interested parties about the contents of the documents. There is no guidance provided on the changes to the codes from the earlier drafts that were presented alongside the Investigatory Powers Bill, nor any explanation of why aspects of the codes have changed.

With the five codes totalling 413 pages, simply attempting to identify what changes have been made between versions has been a considerable undertaking, before attempting to discern whether the change was merely grammatical in nature or of more serious consequence.

As just six weeks have been provided to review, consider and respond to the codes, the Open Rights Group regrets it has been forced to limit its response to a subset of concerns. This is of course an improper way of conducting policy making in any area, let alone one with such serious implications for our security and human rights.

Twenty-nine civil liberty groups, lawyers and other parties concerned about the consultation have written1 to the Home Secretary, including the Open Rights Group. That letter concluded with recommendations which we repeat here.

Recommendation 1:

  • Publish detailed information describing:

    • The functional purposes of the Codes, the safeguards and duties contained 

    • The justifications for the approaches within each code; and 

    • The changes made to the draft codes since they were presented to Parliament

  • Extend the deadline for the consultation to a full three months, starting at the point that the information above is published

  • Arrange briefings for lawyers, civil society and others to take them through the key points.

Unlawfulness of bulk powers

International legal authorities have repeatedly stated that bulk powers fail the tests of necessity and proportionality. The UN High Commissioner on Human Rights has clearly stated that “[m]ass secret surveillance is not permissible under international human rights law, as an individualised necessity and proportionality analysis would not be possible in the context of such measures.”2

Despite this, the majority of the codes being consulted on provide guidance in support of mass surveillance or, as they are referred to in the Investigatory Powers Act 2016, bulk powers. These capabilities – Bulk Interception, Bulk Equipment Interference, Bulk Communications Data and Bulk Personal Datasets – all have their anchors in primary legislation for the first time, and the codes are the first to elaborate on how aspects of those powers may be used in practice.

There was an opportunity for the codes to set out in detail the process by which these activities are undertaken, providing important transparency as to the functioning of these intrusive powers. Likewise, the codes could have provided soft limits on the use of powers and provided reassurance that despite having the raw statutory authority in the Investigatory Powers Act to conduct mass surveillance, warrantry in practice would be considerably restricted and more respectful of human rights.

However, far from providing guidance and examples that illustrate how they are in compliance with international human rights norms, many aspects of the codes demonstrate the fundamental failings of bulk powers that are indiscriminate in nature and fail to proportionately target the interference.

While examples in the codes are described as ‘illustrative’, ‘theoretical’ and ‘not be taken as confirmation’ that any of the activities are undertaken,3 it is impossible to ignore the scope and scale of the suggested examples and how sharply they clash with recent jurisprudence from the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union (CJEU).

One example suggests a thematic Equipment Interference (EI) warrant for “equipment used by persons known to be accessing the terrorist website ‘X’”4 might be an appropriate use of the power. This is a single warrant not naming a single individual; instead targeting an unspecified number of devices connecting to a website, potentially from countries all over the world, and collecting large quantities of information about each of them. The EI Code accepts “it is entirely possible for a thematic warrant to cover a wide geographical area or involve the acquisition of a significant volume of data”5.

The scope and scale of this sort of warrantry bear no resemblance to any warrantry that could be imagined being signed for the physical search and seizure of individuals or their homes. In the US, the courts are currently looking at6 the fallout from when a US judge was convinced to sign a single warrant permitting the FBI to hack individuals visiting a website known to be distributing child sexual abuse. The operation led the FBI to hack over 8,700 computers, in 120 countries and territories. Over 83% of these computers were located outside the US and outside of US jurisdiction.

Another example, this time making use of Bulk Equipment Interference powers, envisages the power being deployed as almost a dragnet surveillance technique by remotely hacking a ‘large number of devices’ in multiple locations. The example suggests the agencies – in an attempt to determine which of the devices may belong to a terrorist cell – then search the hacked devices for a certain software tool. Even in the most serious of circumstances, such as those the example suggests, it is challenging to see how this approach sits with recent European Court of Human Rights decisions. In Zakharov (a case dealing with interception rather than the more intrusive technique of hacking) the court held that warrantry “must clearly identify a specific person” and have confirmed that there is a “reasonable suspicion” of wrongdoing on the part of “the person concerned.”

As such, it is Open Rights Group’s view that these powers are contrary to the European Convention on Human Rights, and when they reach the Strasbourg courts, will be struck down. Litigation relating to the powers as they are contained in the Investigatory Powers Act has already been initiated7 and judgements on aspects of the powers as they were provided for under the Regulation of Investigatory Powers Act 2000 are expected in coming months8.

Recommendation 2:

  • Redraft codes respecting recent ECtHR (see Zakharov, Szabo and Vissy) and CJEU (see Watson) decisions to ensure investigatory powers are conducted in an appropriately targeted, human rights respecting manner9.

Failings of the codes

Due to the lack of time provided, it has not been possible to respond in detail to all aspects of the Codes’ failings. Instead, a subset of thematic issues which run throughout each of the codes is addressed below.

Interference with freedom of expression and association is overlooked in the codes

Throughout the codes, only the right to privacy is consistently referenced when providing guidance on how investigatory powers interfere with human rights. This is in part a consequence of section 2 of the Act which sets out general duties in relation to privacy. However, surveillance, particularly mass surveillance, potentially engages a far wider panoply of rights than merely the right to privacy. These include the rights to freedom of opinion and expression, and to seek, receive and impart information; as well as to freedom of peaceful assembly and association.

Indeed, freedom of expression is only considered by reference to particular safeguards applied to the protection of journalistic sources. This is itself a new addition to the codes after a number of scandals culminating in an inquiry into the use of RIPA to identify journalistic sources. The Interception of Communications Commissioners Office highlighted10 the failings of earlier codes to provide any guidance on the right to freedom of expression when weighing necessity, proportionality and collateral intrusion. The investigation found that the lack of guidance in the codes on this matter was continued in the lack of consideration by applicants or designated persons making decisions about the appropriateness of authorisations and warrantry.

As the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression recently stated, “privacy and freedom of expression are interlinked and mutually dependent; an infringement upon one can be both the cause and consequence of an infringement upon the other.”11

This is particularly true in the context of bulk interception, bulk communications data acquisition, and bulk personal datasets due to the large and indiscriminate nature of the collection. Even the mere possibility of information being captured creates a chilling effect on rights (as per Weber12), including those to free expression and association.

Recommendation 3:

  • Codes should reflect on how the use of investigatory powers interferes with the rights to freedom of opinion and expression, and to seek, receive and impart information, as well as to freedom of peaceful assembly and association; and should expressly require consideration of all affected rights when seeking and signing warrantry.

International intelligence sharing and co-operation excluded

All three of the reviews into investigatory powers (A Question of Trust, Privacy and Security and A Democratic Licence to Operate) found that the previous scheme under Regulation of Investigatory Powers Act (RIPA) was inadequate to govern the UK’s intelligence co-operation and exchange. Each made recommendations to place the practice onto firm statutory footing in any future legislation.

These recommendations were made in part because of UKUSA, the oldest and most comprehensive intelligence co-operation agreement in the world. Co-operation between the Five Eyes (USA, UK, Canada, Australia and New Zealand) is so close that collection and analytic capabilities are jointly developed, targeting packages jointly created, and by default all raw product is shared. In many areas GCHQ is better integrated with its American partner NSA than it is with its sister UK agencies.

The Intelligence and Security Committee (ISC) acknowledged this when it responded to the publication of the draft Investigatory Powers Bill by stating that “the proportion of intercept material obtained from international partners is such that it is not appropriate to exclude it from legislation which purports to cover interception” and recommended that “legislation must set out these arrangements more explicitly, defining the powers and constraints governing such exchanges.”

Despite this, the newly passed Investigatory Powers Act failed to provide any clear statutory language to govern the practice of SIGINT exchange and cooperation, and the Codes continue that trend, failing to adequately address the realities of international intelligence co-operation.

For Bulk Interception, just a handful of paragraphs in the Intercept Code are provided to understand the context in which raw Bulk Interception material can be shared or received between UK and foreign intelligence agencies. The guidance on “handling of unanalysed intercepted communications from an overseas authority” and on what constitutes deliberate circumvention of the Act is so abstruse as to prevent even informed commentators from being able to derive their consequence13.

It is not understood by the Open Rights Group how the Codes could claim to provide any intelligible guidance on the simplest of topics, such as receipt of intercept material from a long-term partner like the NSA. None of the Codes reference the Five Eyes despite the central role they play in our security, nor do any of the clauses in the codes confront head-on the practical reality of intelligence co-operation between GCHQ and the NSA. Questions about more complex forms of co-operation, including jointly developing and deploying collection systems, jointly contributing to selection criteria, jointly developing implants or deploying them using shared Five Eyes infrastructure, are entirely absent.

This is not a new issue, and it is frustrating to see the continued obfuscation of such a crucial aspect of our national security policy. Given statements by President Trump in recent weeks that President Obama directly tasked GCHQ to target Trump associates – prompting a media furore and an unusually strong and on-the-record denial by GCHQ – it would plainly be in the Agencies’ interest to provide clearer guidance on this issue so that such allegations could be refuted by reference to firm public policy and legally binding commitments embedded in the Codes of Practice.

Recommendation 4:

  • The Codes should specifically cover in detail intelligence co-operation and exchange, addressing the realities and complexities of modern international co-operation.

No code for Technical Capability Notices

One of the most controversial aspects of the Investigatory Powers Act, drawing global concern about how the powers might have the effect of reducing security, was the provisions for Technical Capability Notices (TPNs). Despite this concern there is no code providing overarching guidance for the use of such notices.

Given the likely importance and complexity of such notices, Open Rights Group believes that the lack of consolidated guidance for Technical Capability Notices is a serious problem. This is particularly important as the Notice scheme occupies just nine clauses in the Investigatory Powers Act, resulting in the significant guidance on the use of the scheme resting solely in Codes of Practice. The fact that these provisions are scattered across multiple other codes means the central reason proffered by Government as to why the Technical Capability Notices were left to be mostly regulated by statutory instrument – that it permits guidance to more easily evolve – is lost when four or five codes would have to be updated instead of one. By keeping them separate, it is inevitable that there will be confusion as to how the various aspects of the schemes will interrelate and how to resolve matters when guidance conflicts.

Unfortunately, the Act does not make provision for a separate statutory code on Technical Capability Notices. The only solution we can see to this problem is to ensure that each of the Codes contains expanded, full guidance on the application of TPNs. This would ensure consistency and clarity at the expense of some repetition.

The consideration of matters that are not in and of themselves intrusive but permit future intrusion, such as the authorisation of Technical Capability Notices, should also engage consideration of human rights. The UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression has made clear that any powers which “undermin[e] people’s confidence and security on the Internet and other modern communications technologies have a chilling effect impeding the free flow of information and ideas online and interfer[e] with the right to freedom of expression.”14

Recommendation 5:

  • An expanded Technical Capability Notice section should be included in each Code of Practice and fully consulted on.

Technology neutral language

It was one of the drafting goals of the Investigatory Powers Act that it would be future proof. To achieve that aim, the language in the act is technologically neutral, making no reference to specific technologies, protocols, devices or data types. Open Rights Group agrees with the principle of this aim in most contexts as it permits the law to exist without reference to the rapidly changing technological environment it is situated in.

However, as Graham Smith has argued,15 in the context of intrusive surveillance capabilities a number of problems arise. Firstly, in order to be technically neutral, the language of the act itself can end up being difficult to understand. Such a charge has already been levelled at the Investigatory Powers Act by civil society, industry and academia alike. Secondly, by design, as the technology develops the act continues to function. However, while this preserves the power, it may not preserve the balance struck by Parliament between intrusion and privacy. One only needs to consider a world pre and post the introduction of smart phones to realise how quickly the world can change, how society can adapt to technology, and the potential for additional intrusion into private life if laws – even technologically neutral ones – no longer fit well. This is exacerbated if the interpretation of that law as applied to modern technology is updated in secret without public scrutiny.

Investigating agencies will necessarily have to continuously review and update how they consider the Act applying to modern technologies. Judicial Commissioners will also need to understand how language in the Act applies to specific technologies, protocols or devices. However, the public and Parliament will never learn how new data types will be classed under the Act until they are leaked16.

The Codes can be updated considerably faster than the passing of new Acts, and it is Open Rights Group’s view that internal guidance for how the Act applies to specific technologies, protocols, devices or data types should be set out in the Codes themselves. In this way the act preserves its future proofing character, while ensuring that the public and Parliament remain informed and able to contribute views to the challenging application of the Act.

Recommendation 6:

  • Codes should not be technologically neutral, and instead set out clearly how various Investigatory Powers Act definitions map to specific technologies, protocols, devices and data types.

Lack of guidance on ‘least intrusive means’

The Investigatory Powers Act requirement at s.2(2)(a) that public authorities must have regard to whether any ‘warrant, authorisation or notice could reasonably be achieved by other less intrusive means’ is reflected throughout the Codes of Practice. This is a crucially important test, but one that lacks any comprehensive guidance in the codes.

At points, the Codes make reference to examples of other techniques that should be exhausted before making use of that power. The Bulk Communications Data Acquisition Code suggests that before a warrant is signed the Secretary of State and Judicial Commissioner should consider whether or not “obtaining the required information through a less intrusive power such as the targeted acquisition of communications data, or the targeted acquisition of communications data using the request filter, which will provide an additional safeguard for such communications data”.17

The ISC has suggested in its report on the murder of Fusilier Lee Rigby that they hold a view on a rough order of intrusion of capabilities, suggesting that intercept is more intrusive than directed surveillance techniques18.

However, beyond these suggestions there is nothing in the Codes that attempts to set out a scale of intrusion, leaving it unclear as to how intrusive various powers might be considered by the government. For example, is the use of a CSP to look up the location of a mobile phone any less intrusive than deployment of an EI implant providing just GPS back to the requesting agency? If so, why?

Given the important role of the test in ensuring the technique being deployed is both necessary and proportionate, Open Rights Group recommends that the Government publishes a comprehensive exemplar scale of the types of intrusion that can be permitted by the Investigatory Powers Act, and how they compare in the Government’s view as to their intrusiveness.

Recommendation 7:

  • Provide guidance on how the ‘least intrusive means’ test should apply by setting out clearly in the Codes a scale of intrusion and placing various investigatory powers capabilities on them.

Data analytics, enrichment and combination of datasets

The codes, in part, are intended to provide guidance for public authorities to ensure that their actions while using investigatory powers are lawful, necessary and proportionate. The codes both provide guidance on the statutory framework in the Investigatory Powers Act and set out in greater detail aspects not able to be fully addressed in statute. One such area that the codes fail to consider or provide any clarity on is the use of data analytics, data enrichment and the combination of data.

The codes suggest there are two primary actions where intrusion occurs. The first is the initial collection, acquisition or holding of the data, and the second is, at some subsequent time, the accessing of those data.

The reality is not so simplistic. Bulk material is not simply collected in bulk, then selected and analysed piece by piece. Instead large scale analytics are deployed against the collected material in an attempt to provide context and further insight from the information they have collected.

MI5 have explained “we derive significant value from our bulk data holdings” and that “[t]he rapid development of new technologies and data types (e.g. increased automation, machine learning, predictive analytics) hold additional promise”19. It is a significant priority for them to continue to develop these tools. They have elaborated that “[o]ur ability to fuse multiple expansive data sets for analysis offers unprecedented opportunities to resolve complete identities of individuals based on partial details.”20

This is a practice increasingly being applied to policing as well as intelligence work, with the National Crime Agency hiring a number of staff in recent years to develop the “NCCU21 data exploitation strategy and providing innovative ways to exploit the vast range of data available to the department.”22

Indeed, existing bulk data holdings are used to affect the initial collection, processing, enrichment and automated analysis of bulk data. GCHQ explain this by reference to Bulk Personal Datasets which they consider “to be an increasingly important investigative tool, which they use primarily to ‘enrich’ information that has been obtained through other techniques”.23 This can also be done during the original processing of data, such as the automated summarising of emails, extraction of identifying data from content, or processing of phone calls to identify gender, language or match to an existing voice biometric.

As such, the use of large scale analytics, supported by data enrichment or the simple combining of datasets plainly creates additional intrusion at many more points than the codes suggest. They permit the identification of embedded patterns and relationships, including personal details, habits, and behaviours. As a result, individual pieces of data that previously carried less potential to expose private information may now, in the aggregate, reveal considerably more sensitive details about our everyday lives.

For intelligence agencies, this is of course the point: to analyse data in bulk and reach conclusions. But the codes fail to account for these aspects. The codes refer to types of data that can be acquired which do not interfere with privacy, such as the location of “cell masts or Wi-Fi hotspots”,24 and provide no guidance on how the proportionality of the actions should be considered when deploying analytics, enriching or combining data. There are two ways in which they should.

Firstly, the appropriate test must be undertaken at the warrantry stage, which expressly includes in the proportionality analysis how data once collected might subsequently be combined with other data or subjected to data analysis. If it is determined that the data will likely be combined or enriched with other information, which will result in a greater intrusion into privacy, then this is the true level of intrusion which should be central to the consideration of the proportionality of the warrant.

Secondly, there should not be an automatic permission to run novel analytics techniques against data already collected. Any such techniques should be scrutinised as to whether the insights potentially created could generate higher or broader impacts that go beyond what was considered appropriate under the initial warrant. If that is the case, a new warrant should be sought.

Recommendation 8:

  • Ensure codes provide guidance on the use of data analytics

  • Require that proportionality is assessed by reference to what can be done with the data being sought after it has been enriched, combined with other data and been subjected to data analytics.

  • Require that new warrantry is sought where novel analytic or enrichment techniques are applied to existing data, which provide for greater intrusion on human rights not envisaged by the original warrantry.

Warrantry and the role of the Judicial Commissioner

The introduction of the ‘double lock’ in the Investigatory Powers Act and the type of review test that Judicial Commissioners should undertake was subjected to much discussion and debate.

After much discussion in committee, Parliament ultimately set the test as a close-scrutiny review, reflected in the Act by reference to the requirement in s.2 that they assess whether the warrant “could reasonably be achieved by other less intrusive means”. The codes in turn reflect this, but fail to provide any express language for Judicial Commissioners to seek additional information that was not already provided to the Secretary of State, instead limiting the language to merely being able to “seek clarification”.25 Express language permitting them to seek additional information and documentation is necessary for them to give effect to their duty under s.2 of the act.

As Judicial Commissioners have the authority to assess for themselves whether there were any less intrusive means, they would be considerably constrained in their ability to do so if they were limited to reviewing the material previously prepared for the warrant and merely seeking ‘clarification’ surrounding that material. Instead, express language permitting them to seek additional information, documentation and ask questions is necessary for them to give effect to their duty under s.2 of the act.

The codes also do not mandate how the Judicial Commissioner must show or record their decision to approve warrantry. The only requirement to write a decision with reasons is in circumstances where warrantry is refused.26 The codes should instead require that the Judicial Commissioner sign a legal instrument authorising the warrant and provide written reasons.

The codes also provide for agencies other than the one requesting the warrant to assist in giving effect to the warrant.27 There is, however, no obligation to state clearly on the warrant itself where it is envisaged that the capability will likely be effected by a different agency, whether UK or foreign. To avoid circumstances that have arisen in Canada, where judges feel misled and have not received the full “duty of candor” owed to them when considering what may flow from a warrantry decision,28 there should be a requirement that warrantry state whether it is likely another agency will play a role in giving effect to the warrantry.

Recommendation 9:

  • Provide express language for Judicial Commissioners to have power to seek additional information and documentation when considering warrantry.

  • Require that the Judicial Commissioner sign a legal instrument when authorising any warrantry and provide written reasons.

  • Require that warrantry state whether it is likely that another agency will play a role in giving effect to the warrantry.

  1. Letter to the Home Secretary, (2017), Open Rights Group, 

  2. Report on best practices and lessons learned on how protecting and promoting human rights contribute to preventing and countering violent extremism, (2016), UN High Commissioner for Human Rights, A/HRC/33/29 

  3. §1.5, Equipment Interference Code of Practice (2017), Home Office. 

  4. §5.15, Equipment Interference Code of Practice (2017), Home Office. 

  5. §5.12, Equipment Interference Code of Practice (2017), Home Office. 

  6. United States v. Levin 

  7. The People vs The Snoopers’ Charter, (2017), Liberty, 

  8. Strasbourg application moves ahead, (2015), Privacy Not Prism, 

  9. Also see: 

  10. §8.6, IOCCO inquiry into the use of Chapter 2 of Part 1 of the Regulation of Investigatory Powers Act (RIPA) to identify journalistic sources (2015) Interception of Communications Commissioners Office. 

  11. §79, Report of the Special Rapporteur to the Human Rights Council on the implications of States’ surveillance of communications on the exercise of the human rights to privacy and to freedom of opinion and expression (2013) UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression. A/HRC/23/40 

  12. Weber and Saravia, para. 78; Malone v. UK, para. 64 

  13. §9.82, Interception 

  14. §30, Report of the Special Rapporteur to the Human Rights Council on the implications of States’ surveillance of communications on the exercise of the human rights to privacy and to freedom of opinion and expression (2013) UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression. A/HRC/23/40 

  15. Future-proofing the Investigatory Powers Bill, (2016), Cyberleagle, 

  16. GCHQ content/metadata matrix, (2016), The Intercept. 

  17. §4.12, Bulk Communications Data Acquisition Code (2017) 

  18. §40, Report on the intelligence relating to the murder of Fusilier Lee Rigby (2015) Intelligence and Security Committee of Parliament. 

  19. §8.31, Bulk Powers Review, (2016), David Anderson QC 

  20. §8.31, Bulk Powers Review, (2016), David Anderson QC. 

  21. National Cyber Crime Unit (NCCU) 

  22. 

  23. §3.31, Bulk Powers Review, (2016), David Anderson QC.

  24. §2.22, Bulk Communications Data Code of Practice (2017) 

  25. §5.47, Interception Code of Practice (2017) 

  26. §6.33, Interception of Communications Code of Practice (2017) 

  27. §5.3, Interception of Communications Code of Practice (2017) 

  28. In the matter of an application by X for a warrant pursuant to Sections 12 and 21 of CSIS Act 2013, T.C 1275 §117