Report of the Interception of Communications Commissioner for 2007 (.pdf 16 pages) by the Rt. Hon. Sir Paul Kennedy, submitted to the Prime Minister on 27th June 2008, published on 22nd July 2008.
See our reasonably lengthy comments on this report below:
Section 2: Part I Chaper I - Interception of Communications
N.B. Presumably "Chaper" is typing error which should be read as "Chapter".
Errors
2.10 Twenty-four interception errors and breaches have been reported to me during the course of 2007. This is the same number of errors reported in my first Annual Report (which was for a shorter period) and is a significant decrease in the number reported by my predecessor. I consider the number of errors to be too high.[...]
2.11 The Northern Ireland Office/Police Service Northern Ireland reported four errors.
[...]
2.12 Six errors were reported to me by GCHQ of which three are highlighted below.
[...]
2.15 The Security Service reported eight errors. Brief details of three of these are highlighted below.
[...]
2.18 HM Revenue and Customs (HMRC) reported one error where, in light of a decision not to renew a warrant, they allowed a warrant to run up until its end date.
[...]
2.19 I now turn to give two examples of the five errors made by the communications service providers (CSPs).
[...]
2.22 No errors were reported by the Home Office, Foreign and Commonwealth Office, Scottish Government, Ministry of Defence, Secret Intelligence Service, Serious Organised Crime Agency and Metropolitan Police Counter Terrorism Command
There are some statistics:
Statistics
2.23 Warrants (a) in force, under the Regulation of Investigatory Powers Act, as at 31 December 2007 and (b) issued during the period 1 January 2007 and 31 December 2007
a b Home Secretary 929 [754]* 1881 The total number of RIPA modifications from
01/01/2007 - 31/12/2007 = 5577Scottish Executive 28 [43]* 145 The total number of RIPA modifications from
01/01/2007 - 31/12/2007 = 367*For comparison purposes I have included in the parentheses the warrants in force as at 31 December 2006 as detailed in my 2006 Annual Report. I have not included the number of warrants issued during 2006 as the statistics in my 2006 Report were for a shorter period i.e., my first nine months in post - the period from 1 April 2006 to 31 December 2006. No realistic comparison can therefore be made.
[NB: Under the Regulation of Investigatory Powers Act 2000 there is no longer a breakdown of the figures between Telecommunications and Letters.]
Remember that these Interception statistics do not reveal the actual number of phone calls or emails (or postal letters) etc. which have been snooped on, only the number of warrants (which usually last up to 6 months) and certificates (which can cover entire foreign countries).
Communications Traffic Data is also meant to be scrutinised by the Interception of Communications Commissioner:
Section 3: Part I Chapter II - Acquisition and Disclosure Communications Data
Police Forces and Law Enforcement Agencies
3.6 I strongly believe that it is in the public interest that public authorities should demonstrate that they make lawful and effective use of regulated investigatory powers. My annual report should provide the necessary reassurance that the use which public authorities have made of their powers has met my expectations and those of my Inspectors,
This Report does not provide the necessary reassurance that the legitimate expectations of the public have been met.
although there is no reason why public authorities cannot make a further disclosure in compliance with a request under the Freedom of Information Act if they so wish. There is provision for this in the Code of Practice although each public authority must seek my prior approval before making any further disclosure. That is to ensure that the wider public interest is not adversely affected by a disclosure.
This mention of the Freedom of Information Act by Sir Paul Kennedy is is at variance with the views of Sir Christoper Rose, the Chief Surveillance Commissioner's remarks regarding such FOIA requests (see the later Spy Blog article).
Remember that despite fulfilling not just one, but both of the statutory requirements i.e. that they are established by an Act of Parliament , and they are appointed by a Minister, none of the RIPA Commissioners are classified as "public bodies" for the purposes of the Freedom of Information Act 2000, unlike, say, the Information Commissioner or the Police forces etc. which are.
3.7 During the year ended 31 December, 2007, public authorities as a whole, made 519,260 requests for communications data to Communication Service Providers (CSP). I do not intend to give a breakdown of these requests because I do not think that it would serve any useful purpose, but I can say that the intelligence agencies, police forces and other law enforcement agencies are the principal users of communications data.
i.e. over half a million requests for communications data in 2007.
The RIPA Commissioners are rightly annoyed when the mainstream media confuse "requests for communications data" with "Interceptions" of phone calls or emails etc..
The mainstream media and the public are rightly annoyed that the Interception of Communications Commissioner refuses to publish any statistics, even aggregated annual statistics, showing the actual number of interceptions which have happened , under the authority of various warrants and certificates, rather than fobbing them off with figures just about the number of such warrants, each of which which may represent a single interception, or may represent millions of them.
Later in my report I will give some indication of the extent to which local authorities use communications data as I believe that this should be placed in context. Any suggestion that a low ranking council employee may have unrestricted access to the telephone records of a member of the public is far removed from reality because a process has to be gone through first which requires the necessity and proportionality tests to be fully met before the necessary approval is given by a senior official.
That is what should happen in theory, but in practice, we suspect that there are exactly the same problems which the Chief Surveillance Commissioner highlights in his report (see later blog article) with Local Authorities i.e. their relative inexperience, lack of training, and tendency to self authorise (i.e. the senior official is usually the head of the department conducting the investigation, and not someone without a direct interest in it)
3.8 In the same 12-month period a total of 1,182 errors were reported to my office by public authorities: approximately two thirds are attributable to public authorities and one third to CSPs. This may seem a large number but it is very small when it is compared to the numbers of requests for data which are made nationally. I am not convinced that any useful purpose would be served by providing a more detailed report of these errors.
Let the informed public be the judges of that.
I should add that neither I nor any of my Inspectors have uncovered any willful or reckless conduct which has been the cause of these errors. A considerable proportion of these errors were due to the incorrect transposition of telephone numbers and of course human error can never be eliminated completely. I am pleased to say that more and more police forces are introducing automated systems for the management of communications data requests and these will inevitably reduce the number of keying errors which occur.
"automated systems for the management of communications data requests" may well reduce transcription and transposition errors, but they also make it easier and more tempting to snoop on more people disproportionately.
Note that the method of "error reporting" has now been changed:
3.9 In October 2007, when the Code of Practice was approved by Parliament, changes were made to the arrangements under which public authorities report errors because previously they were required to notify me of any error, even though it did not result in any intrusion upon the privacy of an innocent third party.
[...]
3.10 Accordingly I agreed to a change in the error reporting system whereby public authorities now only report errors which have resulted in them obtaining the wrong communications data and where this has resulted in intrusion upon the privacy of an innocent third party.
[...]
During the period October to December 2007 the number of 'reportable' errors made by public authorities was 99 which illustrates that in reality the level of intrusion upon innocent third parties is actually much less than stated in previous reports.
[...]
3.11 With effect from October 2007 each public authority must also keep a log of any 'recordable' errors which have occurred during the process of acquiring communications data. Generally these are procedural errors relating to non- compliance with the Code of Practice but which do not affect its lawful entitlement to acquire the data. [...]
These errors are kept secret from the public, save for the couple of non-specific examples indirectly mentioned in this report.
3.19 Where necessary my Inspectors will challenge the justifications for acquiring communications data if they believe that it was obtained unnecessarily or inappropriately. In one instance an Assistant Chief Constable was brought in to help resolve a case of difficulty.
[...]
Under the Code of Practice I have the power to direct a public authority to provide information to an individual who has been adversely affected by any wilful or reckless exercise or lack of exercise of its powers under the Act. So far it has not been necessary for me to exercise this function
[...]
This only applies to the small random sample of Authorisations which happen to be chosen to be audited. There is no mechanism for the Interception of Communications Commissioner to pro-actively investigate any particular case of potential or actual abuse, either from mass media reports, or from complaints by individual members of the public, who are discouraged from even knowing about his existence, let alone contacting him directly.
Security and intelligence agencies
3.21 For the most part the work of the intelligence agencies is necessarily secret and therefore this limits what I can say about the inspections which have been conducted in relation to their use of data. However, I can state that the intelligence agencies are subject to exactly the same type of inspection as police forces and law enforcement agencies. I am satisfied that they are complying with the Act and Code of Practice and no issues have arisen regarding their application of the legislation.
3.22 Communications data is used extensively by the intelligence agencies, primarily to build up an intelligence picture about persons or groups of persons who may pose a real threat to our national security. Given the nature of the work it is perhaps unavoidable that there will be some degree of collateral intrusion into the private lives of persons who have had contact with the subjects of investigations. However, this is recognised by the intelligence agencies, and the inspections have shown that intrusion is being limited so far as possible.
That provides no reassurance to innocent members of the public whatsoever.
Local Authorities
3.23 There are approximately 474 local authorities throughout the UK approved by Parliament for the purpose of acquiring communications data, using the provisions of the Act.
This is far too many public bodies, especially given their relatively infrequent use of these powers compared with the Police.
No local authority has been given the power to intercept a telephone call or any other form of communication during the course of its transmission. Local authorities may acquire communications data for the purpose of preventing and detecting crime, but there are restrictions upon the types of data which they may obtain. They do not have access to traffic data which would enable them to identify the location from or to which a communication has been transmitted.[...]
3.26 During the period covered by this report only 154 local authorities made use of their powers to acquire communications data. A total of 1,707 requests were made for communications data and the vast majority were for basic subscriber information. Very few local authorities have used their powers to acquire itemized call records in relation to the investigations which they have conducted. Indeed our inspections have shown that generally the local authorities could make much more use of communications data as a powerful tool to investigate crime.
Since the Police etc. made over half a million such requests last year, this shows that Local Council staff are are likely to be inexperienced, and probably improperly trained in the handling of what are for them, relatively rare requests.
3.29 The local authorities reported a total of 52 errors in 2007 and a fair proportion of these were identified during the inspections.
[...]
I have not encountered any cases which would be serious enough for me to invoke the powers which I have outlined previously in paragraph 3.19 of this report.
There is no mention of the recently reported Poole Council or other local council cases where communications data as well as directed surveillance was seen to being used disproportionately.
No doubt the inspectors will check on Poole Council in the next couple of years or so, but, as was revealed to a Parliamentary Committee, there is little flexibility in the programme of the hundreds of scheduled inspection visits.by any of the RIPA Commissioners or their staff.
The concept of unannounced spot checks on public bodies, does not seem to be the way in which any of the RIPA Commissioners have chosen to work, although they have the legal power to do so.
Other public authorities
3.31 There are approximately 110 other public authorities which are registered for the purpose of acquiring communications data. These include the Serious Fraud Office, Independent Police Complaints Commission, Charity Commission, Royal Mail and the Medicines & Healthcare Products Regulatory Agency (MHPRA) to name just a few.
There are no figures at all for the number of Communications Data Requests made by these bodies, who are likely to be even less frequent users of these powers than Local Authority trading standards and environmental health departments.
Section 4: Interception in Prisons
[...] 4.3 There are 137 prisons in England & Wales, including Kennet which was opened in 2007. All of the prisons have been inspected on at least one occasion during the last 3 years and quite a number have now been inspected for a second or third time. During the period covered by this report my Inspectors visited 85 prisons which roughly equates to two thirds of the whole estate
[...]
4.5 Regrettably, I cannot give an assurance that there is total compliance with the rules and in some prisons breaches still occur on a fairly regular basis. My inspectors have needed to re-inspect a number of prisons within a relatively short time in order to raise the level of compliance. In saying so, however, I do not imply that prison managers and their staff are deliberately setting out to circumvent the rules.
That is a large number of visits and use of manpower and resources, conducting inspections for which the Interception of Communications Commissioner has no statutory powers to do so, and has no sanctions with which to enforce compliance with the rules.
Surely the Regulation of Investigatory Powers Act 2000 should be amended to include prisons, including privately run prisons, within the statutory remits of all of the RIPA Commissioners ?
Section 5: Other Matters
[...]
Safeguards
5.4 Sections 15 and 16 of RIPA lay a duty on the Secretary of State to ensure that arrangements are in force as safeguards in relation to the dissemination, disclosing, copying, storage and destruction etc., of intercepted material. These sections of the legislation require careful and detailed safeguards to be drafted by each of the agencies and for those safeguards to be approved by the Secretary of State. This has been done. My advice is sought on proposed amendments to the safeguards when they are updated in light of technical and administrative developments. During the period of this report I saw and commented on the revised handling arrangements for the Police Service of Northern Ireland and the Serious Organised Crime Agency. I also assured officials in HM Revenue and Customs (HMRC) that I was satisfied with the adequacy of the safeguards they had in place to deal with disclosure following adverse criticism of an HMRC officer by a Court of Appeal judge.
Was this before or after the incompetence of HMRC, and the flouting of established security operating procedures in October 2007, and the later Whitehall data handling security scandals revealed thereafter ?
The obscure Investigatory Powers Tribunal consulted the Interception of Communications Commissioner in one case.
6.3 Section 57(3) of RIPA requires me to give all such assistance to the Tribunal as the Tribunal may require in relation to investigations and other specified matters. During 2007 I was asked by the Tribunal President to assist the Tribunal on one occasion. The legislation precludes me from identifying details of the particular complaint but for the purposes of this Report I can say that I provided advice to the President as to whether the test of "necessity" was correctly applied when an agency was considering whether or not it was "necessary" for a particular person's telephone calls to be intercepted "for the purpose of preventing or detecting serious crime".
Finally, there is another passing reference to the Wilson Doctrine::
7.2 I said last year that in times like these the Wilson Doctrine seems to me to be indefensible. That is still my belief, and, judging by the reaction to a complaint made by a Member of Parliament some months ago, it is a belief that is widely shared.
His previous report just wholeheartedly agreed with his predecessor the Rt.Hon. Sir Swinton Thomas on the Wilson Doctrine.
Our criticism of their anti-Wilson Doctrine stance still remains valid, especially as they do not seem to be distinguishing between the personal and private business communications of Members of Parliament, which should not be above the law, and the confidentiality of communications between Members of Parliament and their constituents, which definitely should be protected from snooping by the Government agencies or other supposedly independent law enforcement agencies like the Police.
This MP / Constituent confidentiality should not just cover interception, but also all the other activities authorised under other parts of RIPA as well,i.e. communications traffic data, directed and intrusive surveillance, the use of confidential human intelligence sources / informers , and demands for cryptographic keys.
See: the previous Spy Blog article Sir Swinton Thomas on the "Wilson Doctrine"
Well - blow me down with a bicycle pump!
Just as Parliament closes down for 3 months !