Plea for referral to police for investigation of alleged s.1 RIPA violations by GCHQ

Similar documents
APPENDIX. 1. The Equipment Interference Regime which is relevant to the activities of GCHQ principally derives from the following statutes:

INVESTIGATORY POWERS BILL EXPLANATORY NOTES

Investigatory Powers Bill

I. REGULATION OF INVESTIGATORY POWERS BILL

INVESTIGATION OF ELECTRONIC DATA PROTECTED BY ENCRYPTION ETC DRAFT CODE OF PRACTICE

1 June Introduction

LEGISLATIVE CONSENT MEMORANDUM INVESTIGATORY POWERS BILL

Submission to the Joint Committee on the draft Investigatory Powers Bill

Regulation of Investigatory Powers Act 2000

Regulation of Investigatory Powers Bill

On 4 November the government published the draft Investigatory Powers Bill, set to be. Understanding the Investigatory Powers Bill.

House Standing Committee on Social Policy and Legal Affairs

Privacy And? Surveillance

PRIVACY INTERNATIONAL. and. (1) THE SECRETARY OF STATE FOR FOREIGN AND COMMONWEALTH AFFAIRS (2) THE GOVERNMENT COMMUNICATIONS HEADQUARTERS Respondents

HAUT-COMMISSARIAT AUX DROITS DE L HOMME OFFICE OF THE HIGH COMMISSIONER FOR HUMAN RIGHTS PALAIS DES NATIONS 1211 GENEVA 10, SWITZERLAND

2018 No. 873 (C. 66) INVESTIGATORY POWERS

BULK POWERS IN THE INVESTIGATORY POWERS BILL:

Report of the Interception of Communications Commissioner

Investigatory Powers Bill

Law Enforcement processing (Part 3 of the DPA 2018)

Acquisition and Disclosure of Communications Data. A public consultation

Letter from Rt Hon Theresa May MP, Home Secretary, to the Chair of the Committee, 26 April Communication Data

Purpose specific Information Sharing Agreement. Community Safety Accreditation Scheme Part 2

First Session Tenth Parliament Republic of Trinidad and Tobago REPUBLIC OF TRINIDAD AND TOBAGO. Act No. 11 of 2010

Data Protection Bill [HL]

Before : THE PRESIDENT THE VICE-PRESIDENT MR PETER SCOTT QC (1) MS JENNY PATON (2) C2 (3) C3 (4) C4 (5) C5. and

DURHAM CONSTABULARY POLICY

Spying on humanitarians: implications for organisations and beneficiaries

CCTV CODE OF PRACTICE

Telecommunications Information Privacy Code 2003

DATA SHARING AND PROCESSING

Conducting surveillance in a public place

Counter-Terrorism Bill

Investigatory Powers Bill Briefing

REGULATION OF INVESTIGATORY POWERS BILL SECOND READING BRIEFING

National Security Legislation Amendment Bill (No. 1) 2014 No., 2014

Analysis of the Workplace Surveillance Bill 2005

Data Protection Bill [HL]

IN THE EUROPEAN COURT OF HUMAN RIGHTS Application no /15. -v- UNITED KINGDOM SUBMISSIONS MADE IN LIGHT OF THE THIRD IPT JUDGMENT OF 22 JUNE 2015

REGULATION OF INVESTIGATORY POWERS (SCOTLAND) BILL

CCTV, videos and photos in health, aged care and retirement living and disability facilities your rights and obligations

LAW ENFORCEMENT ASSISTANCE VODAFONE GLOBAL POLICY STANDARD

Brussels, 16 May 2006 (Case ) 1. Procedure

EUROPEAN PARLIAMENT COMMITTEE ON CIVIL LIBERTIES, JUSTICE AND HOME AFFAIRS

The Right to Privacy in the Digital Age: Meeting Report

SUBSIDIARY LEGISLATION DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) REGULATIONS

INVESTIGATORY POWERS AND LEGAL PROFESSIONAL PRIVILEGE

COMP Article 1. Article 1 Subject matter and objectives

DEPARTMENT OF JUSTICE CANADA MINISTÈRE DE LA JUSTICE CANADA

Coordinated text from 10 August 2011 Version applicable from 1 September 2011

Investigatory Powers Bill. How to make it fit-for-purpose

Council of the European Union Brussels, 1 February 2017 (OR. en)

Protection of Freedoms Bill. Delegated Powers - Memorandum by the Home Office. Introduction

EXECUTIVE SUMMARY. 3 P a g e

Official Gazette No. 55 issued on 8 May Data Protection Act. of 14 March 2002

Information Privacy Act 2000

Data protection. Guide to the Law Enforcement Provisions

Surveillance Devices Act 2007 No 64

Statutory Frameworks. Safeguarding and Prevent. 1. Safeguarding

In the present analysis, we cover the most problematic points of the Directive. For our views on the Regulation, please go to our document pool.

***I DRAFT REPORT. EN United in diversity EN 2012/0010(COD)

PRIVACY POLICY. 1. OVERVIEW MEGT is committed to protecting privacy and will manage personal information in an open and transparent way.

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. of 24 October 1995

A guide to the new privacy landscape for the Commonwealth Government

DATA PROCESSING AGREEMENT. between [Customer] (the "Controller") and LINK Mobility (the "Processor")

Protection of Freedoms Act 2012

Identity Cards Bill EXPLANATORY NOTES. Explanatory notes to the Bill, prepared by the Home Office, are published separately as Bill 9 EN.

Telecommunications (Interception Capability and Security) Bill

Code of Practice - Covert Human Intelligence Sources. Covert Human Intelligence Sources. Code of Practice

Cybercrime Legislation Amendment Bill 2011

EUROPEAN UNION. Brussels, 3 February 2006 (OR. en) 2005/0182 (COD) PE-CONS 3677/05 COPEN 200 TELECOM 151 CODEC 1206 OC 981

Conference report Privacy, security and surveillance: tackling dilemmas and dangers in the digital realm Monday 17 Wednesday 19 November 2014 WP1361

Data Protection. Standard Operating Procedure

Liberty s briefing on Report of the Bulk Powers Review

David Anderson QC Independent Reviewer of Terrorism Legislation Brick Court Chambers 7-8 Essex Street London WC2R 3LD

Regulation of Interception of Act 18 Communications Act 2010

closer look at Rights & remedies

Prisons and Courts Bill

DATA PROTECTION (JERSEY) LAW 2005 CODE OF PRACTICE & GUIDANCE ON THE USE OF CCTV GD6

Liberty s briefing on an amendment to require pre-judicial authorisation for police use of covert human intelligence sources

Legislative Brief The Information Technology (Amendment) Bill, 2006

COUNTER-TERRORISM AND SECURITY BILL

COUNTER TERRORISM AND SECURITY BILL DELEGATED POWERS MEMORANDUM BY THE HOME OFFICE

Investigatory Powers Bill 2016: Part 8. Surveillance Oversight. Briefing for House of Commons Committee Stage. April 2016

Privacy. Purpose. Scope. Policy. Appendix A

Information exempt from the subject access right (section 40(4) and

The Protection of Freedoms Bill

TekSavvy Solutions Inc.

Freedom of Information Act 2000 (FOIA) Decision notice

FOURTH SECTION. CASE OF LIBERTY AND OTHERS v. THE UNITED KINGDOM. (Application no /00) JUDGMENT STRASBOURG. 1 July 2008

[2015] UKIPTrib 13_77-H Case Nos: IPT/13/77/H, IPT/13/92/CH, IPT/13/ /H, IPT/13/194/CH, IPT/13/204/CH. Before :

Neutral Citation Number: [2016] UKIPTrib 15_110-CH No. IPT/15/110/CH. Before:

Hacking and the Law. John MacKenzie

Draft Voluntary Code of Practice on Retention of Communications Data under Part 11 of the Anti-terrorism, Crime and Security Act 2001

DATA PROTECTION LAWS OF THE WORLD. South Korea

Douwe Korff Professor of International Law London Metropolitan University, London (UK)

Changes to RIPA. It is worth considering the history and purposes of RIPA before examining the changes and their potential impact.

Policies and Procedures

Joint Committee on the Draft Investigatory Powers Bill Information Commissioner s submission

Act No. 502 of 23 May 2018

Transcription:

16th March 2014 The Rt. Hon Dominic Grieve QC MP, Attorney General, 20 Victoria Street London SW1H 0NF c.c. The Rt. Hon Theresa May, Home Secretary Dear Mr. Grieve, Plea for referral to police for investigation of alleged s.1 RIPA violations by GCHQ I am writing with regard to recent public disclosures that Government Communications Headquarters (GCHQ) has for some years engaged in a programme of indiscriminate access to and storage of webcam images of a substantial number possibly millions - of Yahoo customers. This programme named Optic Nerve - was recently made public as a result of publication of a number of internal GCHQ documents made available by the whistleblower Edward Snowden. If this information is verified it would be reasonable to conclude that GCHQ has engaged in unauthorised interception in violation of s.1 (1) of the Regulation of Investigatory Powers Act. As you are fully aware, this legislation provides for substantial criminal penalties, including imprisonment, for unlawful communications interception. In this case, it would appear that the required s.42 RIPA authorisation was not issued by or sought from - the Secretary of State. On the basis of the documentation it is doubtful whether any exemption (particularly the claimed

research exemption) would apply to such a substantial interception operation. As a user of Yahoo services, I like many other people have been deeply troubled by these reported mass surveillance activities. During the period of Optic Nerve s operation I regularly used Yahoo both in the UK and in at least twenty other countries. The question of the geographical areas in which these interceptions took place is dealt with below. In light of 1) the circumstances set out in this letter, 2) the absence of an appropriate complaint mechanism, 3) the existence of a substantial body of evidence and 4) the exceptional public interest in this matter, I request that you consider using your discretionary prerogative to invite the Commissioner of the Metropolitan Police to investigate this alleged violation. Alternatively, I ask you to consider requesting the DPP to initiate a request. As you are aware, such an action while being unusual - would not be without precedent. This plea is made to you in your capacity as an independent guardian of the public interest and the rule of law. I strongly feel that in light of the extensive controversy in recent months over such matters, your intervention is necessary to maintain public trust in both the right to privacy and in the rule of law. The Snowden disclosures have triggered widespread concern over national security operations. This followed considerable alarm over a spectrum of phone hacking allegations that went to the heart of the integrity of media and the police. Any claim of unlawful conduct by a security agency must surely be investigated and resolved as a matter of urgency. If, after considering this request, you feel it is not appropriate for you to take any action, would you please advise which agency I should approach regarding this matter. Background to the webcam interception programme On 28 th February 2014 the Guardian newspaper reported that it had obtained documented evidence that GCHQ had indiscriminately intercepted and stored the webcam images of a considerable number Yahoo! Messenger users. 1 The programme allegedly commenced operation in 2008 and remained active until at least 2012. Documents obtained by the Guardian explicitly state that a surveillance program codenamed Optic Nerve collected still images of Yahoo webcam chats in bulk and saved them to agency databases, regardless of whether individual users were an intelligence target or not. In one six-month 1 http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo 2

period in 2008 alone, the agency collected webcam imagery including substantial quantities of sexually explicit communications from more than 1.8 million Yahoo user accounts globally. A GCHQ internal memo confirming the project is set out in Appendix 1. The system was used for experiments in automated facial recognition, to monitor GCHQ's existing targets, and to discover new targets of interest. Such searches could be used to try to find terror suspects or criminals making use of multiple, anonymous user IDs. Rather than collecting webcam chats in their entirety, the program saved one image every five minutes from the users' feeds, partly to comply with human rights legislation, and also to avoid overloading GCHQ's servers. The documents describe these users as "unselected" intelligence agency parlance for bulk rather than targeted collection. One document likened the program's "bulk access to Yahoo webcam images/events" to a massive digital police mugbook of previously arrested individuals. Substance of the concerns It is not necessary for me to outline the provisions set out in RIPA. As you are aware, there are very few circumstances in which an interception can take place. In a scenario such as the one outlined above, the appropriate course would be a s.42 authorisation. It may, however, be useful to clarify the legal basis for an investigation of a s.1 RIPA violation by GCHQ. - Webcam data is content protected by RIPA Webcam traffic falls within the definition of interception in s 2(2)(b) of RIPA: 2 (2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he (a) so modifies or interferes with the system, or its operation, (b) so monitors transmissions made by means of the system, or (c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system, 2 http://www.legislation.gov.uk/ukpga/2000/23/section/1 3

as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication. - A s.42 authorisation is required S 42 (1) states that authorisations must be made by the issue of a warrant granted by the Secretary of State and must be compliant with s 32 of RIPA (s42(3). Webcam traffic - if it shows people in their homes - is intrusive surveillance which must pass the tests of s 32 of RIPA. i.e. necessary ( s 32(2)), proportionate (s 32(3)) and for the purposes set out in s 33: in the interests of national security; for the purpose of preventing or detecting serious crime; or in the interests of the economic well-being of the United Kingdom. - The claimed research exemption is invalid In these circumstances a claimed research justification could not meet the necessity and proportionality tests. If technical testing of face recognition algorithms were considered necessary via webcams it could have been undertaken in a controlled environment, indeed the research would be more valid because a variety of test circumstances could be established. RIPA protections are relevant regardless of the location of target individuals. RIPA and ISA appear to be agnostic as to territoriality (though enforcement would generally take place via UK mechanisms). However the question of territory is largely irrelevant. GCHQ accessed images substantially via a UK public telecommunications system, and in the case of webcam images of overseas targets in conversation with UK residents the access would also involve intercepting private systems. These circumstances indicate that a s.42 authorisation would most definitely be needed to lawfully conduct the interception. On the basis of the published documentation, however, it would seem that such authorisation was neither sought nor granted. One internal document explained the agency s reasoning: "It was agreed that the legalities of such a capability would be considered once it had been developed, but that the general principle applied would be that if the accuracy of the algorithm was such that it was useful to the 4

analyst (ie, the number of spurious results was low, then it was likely to be proportionate)" "This is allowed for research purposes but at the point where the results are shown to analysts for operational use, the proportionality and legality questions must be more carefully considered." This assessment demonstrates a fundamental misunderstanding of the law. RIPA criminalises the fact of an intercept unless at least one of a limited number of conditions has been met. How the intercepted data are processed - or the purposes to which they are put - are not relevant. It is possible that staff had failed to differentiate between the permissible exemptions and exceptions in RIPA and the Data Protection Act (1998) (DPA) and had confused the two pieces of legislation. Certain research purposes are permissible under the DPA. However, even if this exemption was relevant, the DPA does not in any practical sense apply to GCHQ. Even if a full exemption for research existed under the DPA this condition would have no bearing on the authorisation requirements set out in RIPA. It is also important to consider the possibility that SoS authorisation was sought and obtained, but that the SoS acted ultra vires, issuing a warrant outside the scope permitted in RIPA, perhaps on poor legal advice. This situation may fall within the scope of other investigatory entities for consideration, or even be subject to judicial review. Inadequacy of alternative complaint mechanisms As you aware, the Data Protection Act (1998) has limited relevance to GCHQ s activities. Most of the key principles (particularly the 1 st, 2 nd and 8 th principles) are exempt, while the 3 rd and 5 th principles have almost no effect. The extensive use of s.28 certificates has created a default exemption for national security operations. The absence of a s.42 authorisation is most likely a procedural failure by GCHQ rather than a breach of responsibility by the Secretary of State, and so this issue would not be of relevance to either the Interception of Communications Commissioner nor the Investigatory Powers Tribunal. Additionally, in instances of alleged criminal law violations, neither the Commissioner nor the Tribunal will take action on complaints. Instead, they advise that the matter should be brought to the attention of police. In normal events I would have brought this matter directly to the attention of police. Two conditions dissuaded me from this course of action. 5

First, I am aware of the arrangements that have been put in place between your office and the CPS regarding investigations into matters of national security. 3 You have a clearly defined role in such matters, and it seems to me that in these circumstances you should be the first avenue of approach. Police would inevitably need to consult CPS, and according to the Protocol mentioned above, CPS would then need to consult you. Second, I understand that in normal events - in the absence of guidance - police would have great difficulty investigating a complex entity such as GCHQ. There is historical evidence to support this view. In 2010 - as the then Director of Privacy International - I unsuccessfully raised a strikingly similar complaint with the Metropolitan Police over apparent s.1 (1) RIPA violations by Google. 4. The 2010 complaint arose from an equally widespread data capture programme that involved the interception of wireless content across the UK. Senior officers at Scotland Yard advised me that in the absence of an identified individual perpetrator, they were not prepared to take action. The fact of the intercept was not in dispute; the principal issue for police appeared to be that the interception was conducted by a complex entity and no single individual could be held accountable. They argued that this raised a number of complexities for any investigation, including budgetary and legal considerations. The reluctance of police to act against large entities regarding s.1 violations of RIPA is also indicated by the decision of the City of London police in 2008 to discontinue an investigation into s.1 offences by BT during covert technical trials of an online advertising company called Phorm. 5 While police justified the decision on the basis that they did not believe there was criminal intent by BT (which in itself was contentious reasoning), the same cannot be said of GCHQ, which in the matter of the webcam interception clearly intended to systematically conduct the intercepts. Police also claimed there was implied consent by BT customers to be intercepted, a condition that again - is not relevant to the GCHQ operation. In light of this recent experience, it would fanciful to imagine that police would take action again in the absence of an identified individual perpetrator - to investigate a security agency over RIPA violations. 3 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/15197/protocol_between_the_attorney_gen eral_and_the_prosecuting_departments.pdf 4 http://online.wsj.com/news/articles/sb10001424052748704853404575322831250788728 5 http://en.wikipedia.org/wiki/phorm 6

I am sure you will understand the difficult position this creates for a complainant such as myself. If - in these circumstances and in light of the above history - I went to the police in the first instance, your prerogative of a referral to them would not be possible. I had also considered the option of approaching the Parliament s Intelligence and Security Committee, however the terms of reference of the committee s present inquiry 6 are more focused on the adequacy of the legal framework rather than an investigatory approach to specific operational issues. A focused police investigation on the lawfulness of one of GCHQ s programmes would, however, doubtless be of some value to the Committee. The precedent for a referral to police by the Attorney General I am aware that any action by you to initiate or encourage a police investigation would be highly unusual. There is, however, a precedent of which I am certain you are familiar. This precedent involved certain elements in common with the GCHQ matter. In 2009 the case of Binyam Mohamed, a former British Guantanamo detainee, was investigated by police after a request by your predecessor, Baroness Scotland QC. The case centred on claims of torture conducted by an MI5 officer. In a ministerial statement 7 Baroness Scotland said "I have concluded that the appropriate course of action is to invite the Commissioner of the Metropolitan Police to commence an investigation into the allegations that have been made in relation to Binyam Mohamed. "I have expressed to the Commissioner the hope that the investigation can be taken forward as expeditiously as possible given the seriousness and sensitivity of the issues involved. The conduct of the investigation will be a matter for the police, with advice from the Crown Prosecution Service. I would argue that such a referral would be an equally appropriate course of action in the GCHQ matter. As with the Mohamed case, security concerns and official secrecy have restricted the normal legal avenues a matter compounded in both cases by an alleged operational partnership of US and UK security 6 https://b1cba9b3-a-5e6631fd-ssites.googlegroups.com/a/independent.gov.uk/isc/files/20131017_isc_statement_privacy_and_security_inquiry.pdf?attachauth=anoy 7crVTrH6i4tkG8keKqsV4N4ZwEfohaCX1K4ldrhGWnuHzlYJtBELZV8fGFiCKOF-oDj_7VPbugNb07br- 6Vyiaz6SLxgqzDGRyTpVtzUeJH929EQgdCvAcFSCnzUgF4vFwU2RdSWEQ01guxmNhO2XtKOCiL4l5SyhqdN5mr9i8DXmUq900 yyjyidqr_nu3sqs_ap_inkazrognrwnez0yhw-iszihhmzlkhb1qx2ulb5xc76ppjmpqdohebkkqj_slphax2_fifn8zpbs14ahyhqkjhwq%3d%3d&attredirects=0 7 http://www.publications.parliament.uk/pa/ld200809/ldhansrd/text/90326-wms0001.htm#09032631000047 7

agencies. I hope you are able to resolve these matters swiftly to ensure that Internet users continue to enjoy protection of their privacy and personal information. If you are unable to agree to my request, could you please advice the appropriate course of action? Yours sincerely, Simon Davies 8

APPENDIX 1 9

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback