The Conservative / Liberal Democrat Coalition Government has been a bit more respectful to the public than the previous Labour government was, with respect to the publication of the the Annual Reports by the Commissioners, set up under the Regulation of Investigatory Powers Act 2000. They seem to be publishing them all at the same time in the July following the year calendar year to which they apply. Labour managed, on occasion, to delay publication of these Reports (which are in any case already censored of any interesting details) for nearly 2 years after the statutory deadline for publication.
The entirely separate yet equally content free Annual Report of the Intelligence and Security Committee has also been published in the same week as the RIPA Commissioners' reports.
(see later blog posting)
This year all of these reports have undergone an update to their design and layout, with a few more graphs etc. but none of them fulfils the claims by the Government that they somehow provide Reassurance to Parliament and the Public, that either the extensive snooping powers of the State are not being abused or that the secretive Intelligence Agencies are not wasting huge amounts of public money and committing various crimes, which can be justified in a few exceptional "national security" cases.
That hypothesis may perhaps be true, but the inadequate mechanism of censored annual reports, from legally toothless Commissioners or Committees, who do their best not to investigate individual complaints from the public, fails to inspire any confidence.
- Intelligence & Security Committee Annual Report 2011-12 (.pdf 2.1 Mb)
- Interception of Communications Commissioner 2011 Annual Report (.pdf 1.29 Mb)
- Intelligence Services Commissioner 2011 Annual Report (.pdf 752 Kb)
- Chief Surveillance Commissioner Annual Report for 2011-2012 (.pdf 1.4 Mb)
- Statement from the Prime Minister (.pdf 51 Kb)
A few bits which caught our attention:
Why is it that two former High Court judges and all of the Home Office / Cabinet Office securocrats and mainstream media journalists have failed to spot the misleading tables in both the Interception of Communications Commissioner and the Intelligence Services Commissioner's reports with respect to RIPA Part III The Investigation electronic data
protected by encryption. ?
2011 Annual Report of the Interception of Communications Commissioner
page 6
| Which section of RIPA ? | What is the power? | When can this power be used? | Who can use this power? | Who authorises use of this power? | Who oversees the responsible use of power? |
|---|---|---|---|---|---|
| Pt. III | The investigation of electronic data protected by encryption | Interests of national security Prevention / detection of crime Interest of economic well being of United Kingdom; or For the purpose of securing the effective exercise or proper performance by any public public authority of any identified statutory power or statutory duty. |
Any public authority | Authorisation is most frequently by a Judge | Oversight is conducted by the Interception of Communications, Intelligence Services and Surveillance Commissioners except where authorised by a judge |
Intelligence Services Commissioner 2011 Annual Report
Annex B
Page 42
| Which section of RIPA ? | What is the power? | What is a typical use of this power? | When can this power be used? | Who can use this power? | <Who authorises and who oversees the responsible use of power? |
|---|---|---|---|---|---|
| Pt. 3 | The investigation of electronic data protected by encryption | Request for encryption password or key pertaining to criminal suspects's computer |
| Any public authority | Authorisation is most frequently by a Judge Except when authorised by a judicial authority, oversight is conducted by the Interception of Communications, Intelligence Services and Surveillance Commissioners |
These misleading tables give the impression that any public authority has powers to compel the handover of de-cryption keys or de-crypted plain text, when it clearly only the Police, SOCA, SCDEA, HMRC and the Intelligence Agencies who can do so.
Neither the IOC nor the ISC mentions if they have dealt with any Section 49 notices at all - were they kept out of the loop ? Only the Chief Surveillance Commissioner's report gives any details about encrypted information requests.
The "authorisation" of Section 49 notices is not actually by Judges or by "judicial oversight", it is by Police Constables (at or above the rank of Superintendent) and by NTAC (National Technical Assistance Centre now part of GCHQ).
Chief Surveillance Commissioner Annual Report for 2011-2012
Home Office support
3.13. The Home Secretary is required by the Police Act 1997 to provide me with the support necessary to fulfil my responsibilities. The support I receive continues to be, in some respects, inadequate. In particular, information technology for many years has failed to meet the demands of remote, secure and mobile working which is an integral part of the inspection process. Promises of improvement are not fulfilled and there appears little urgency to resolve recurring problems. Similarly, I have to rely on archaic facsimile machines which repeatedly malfunction.
That just about sums up the effectiveness and esteem in which the (technologically incompetent) Home Office holds the RIPA Commissioners
Section 49 - encryption
4.10. During the period to which this report relates, NTAC granted 57 approvals from 57 applications. Permission was not sought in three cases after NTAC approval. From the remainder, 33 had permission granted by a Circuit Judge, of which 20 have so far been served. Of these nine were complied with and 15 were not (this includes orders obtained in the last reporting year but not progressed at the time of the last report); the remainder are still being processed. It was decided not to proceed with five of the 14 people were charged with an offence. So far, in the period of this report, NTAC has been informed that there have been two convictions with other cases still in progress.4.11. One conviction related to the importation of controlled substances, the other related to a fraud offence. Other offences include: domestic extremism, possession of indecent images of children, insider dealing, fraud, evasion of excise duty, drug trafficking and drug possession with intent to supply.
4.12. These statistics are provided by NTAC who are able to be accurate regarding the number of approvals granted. However, unless informed by the case team, the statistics cannot properly reflect the snapshot at the time of this report. However, it appears that there has been delay in serving some notices after approval has been granted and information regarding the progress of the cases although requested is not as prompt as it should be. Notices, one [sic] approved, should be served without delay and the information supplied to NTAC as soon as possible
57 requests and only 2 criminal cases which led to convictions (possibly on the basis of the other evidence presented, not the De-crypted material) is a very poor justification for the Section 49 snooping powers, which have done so much damage to the reputation of the United Kingdom as a good place from which to run an internet e-commerce related business.
Neither of these convictions involved any national security i.e. terrorism or espionage cases
National security does not feature in the vague list of "other offences" either.
It is unacceptable that these muddled figures appear to show that RIPA section 49 notices are being served without Judicial permission
Digital investigation and data sharing
5.16. The Data Protection Act is not within my remit but the ease with which data can be shared is of interest to me, particularly when the data being shared is the result of covert surveillance. First, there must be adequate protection of sources, techniques and product and this is not always apparent when there is no human in the loop to challenge the need to know. Secondly, I do not detect much effort by some authorising officers to make adequate arrangements for the destruction of product which was the result of collateral intrusion or not of value to the investigation or not properly authorised. The default solution appears to be in favour of retention. The necessity and proportionality of retaining data, which may later be shared in a different context, is as important as the necessity and proportionality of obtaining it in the first place.
5.17. A frequent response to my Inspectors' enquiries regarding a reduction in directed
surveillance is that 'overt' investigations using the Internet suffice. My Commissioners have expressed concern that some research using the Internet may meet the criteria of directed surveillance. This is particularly true if a profile is built by processing data about a specific individual or group of individuals without their knowledge.
5.18. There is a fine line between general observation, systematic observation and
research and it is unwise to rely on a perception of a person's reasonable expectations or their ability to control their personal data. Like ANPR and CCTV, the Internet is a useful investigative tool but they each operate in domains which are public and private. As with ANPR and CCTV, it is inappropriate to define surveillance solely by reference to the device used; the act of surveillance is the primary consideration and this is defined by RIPA section 48(2-4) (monitoring, observing, listening and recording by or with the assistance of a surveillance device). The Internet is a surveillance device as defined by RIPA section 48(1). Surveillance is covert "if, and only if, it is conducted in a manner that is calculated to ensure that persons who are subject to the surveillance are unaware that it is, or may be taking place." Knowing that something is capable of happening is not the same as an awareness that it is or may be taking place. The ease with which an activity meets the legislative threshold demands improved supervision.
The Internet is a surveillance device as defined by RIPA section 48(1).
implies that there should be specific Direct Surveillance authorisations before investigators
are allowed to use, say, Social Media data mining tools and then only for narrowly targeted investigations, not for "data trawling" or "fishing expeditions"
Automated Number Plate Recognition
5.19. The Commissioners invited ACPO representatives to present the case for continued
operation of the ANPR system when legislation demands authorisation. It was accepted that ANPR cameras can be used for an overt and covert purpose. The Commissioners were not persuaded to alter their guidance. I am pleased that ACPO has decided to improve its national guidance and to incorporate the advice of my office.
5.20. I am less happy to discover that the proper ANPR authorisation process can be circumvented using the Police National Computer. I do not desire to prevent the use of this very useful tool, but the ease with which ANPR can be used for directed surveillance demands that authorisation processes should not be circumvented.
5.21. The Commissioners believe that the use of privately owned ANPR systems for a covert purpose should be subject to authorisation if it is to be used for the benefit of a public authority operation or investigation.
5.20. I am less happy to discover that the proper ANPR authorisation process can be circumvented using the Police National Computer.
How many times has this happened ? Who are the culprits ?
Interception of Communications Commissioner 2011 Annual Report
As usual, the Interception of Communications Commissioner's report fails to provide enough of a detailed breakdown of the figures which it presents to be meaningful
The examples of the types of errors, caused by human mistakes when entering telephone numbers or email addresses or physical addresses etc. into computer systems or authorisation paperwork show how true to life Terry Gilliam's film Brazil, where the innocent character "Buttle" is arrested and tortured in place of the terrorist called "Tuttle" has proved to be:
page 31
...Unfortunately in two separate cases where a CSP disclosed the incorrect data, the mistakes were not realised and action was taken by the police forces on the data received. Regrettably, these errors had very significant consequences for two members of the public who were wrongly detained / accused of crimes as a result of the errors. I cannot say more about these two instances at this time as investigations are ongoing....
This is no error correcting mechanism within this system of RIPA regulation which forces the authorities to make public apologies and to pay financial compensation and to wipe out the erroneous data from all of their database and paperwork systems.
Astonishingly, the IOC has not bothered to, or has not felt able to, actually contact the victims of these mistakes or their lawyers directly and it must be assumed that the reason for their false arrests has been kept secret from them.
page 32
Under the Code of Practice I have the power to direct a public authority to provide information to an individual who has been adversely affected by any wilful or reckless exercise of or failure to exercise its powers under the Act. So far it has not been necessary for me to use this power but there is no room for complacency, and each public authority understands that it must strive to achieve the highest possible standards.
So even when people have been falsely arrested as a result of Communications Data mistakes, the IOC has not directed the police etc. to inform the individuals or to apologise.
Even if the Police etc. did so of their own volition, exercising one of the few legal powers which the Interception of Communications Commissioner actually has and "naming and shaming" the culprits, could have sent a useful message to the other public authorities and communications service providers.
There are some graphs etc. in the new report format template which give a few crumbs of evidence to inform the debate over the controversial Draft Communications Data Bill
There really needs to be a far more detailed breakdown, by each requesting public authority
for there to be a meaningful debate. This would not affect any operational security aspects of any ongoing or future investigations.
page 29
Figure 5 - Breakdown of Communications Data Authorisations/Notices by Type
Subscriber Data: 52%
Traffic Data: 25%
Service Use Data: 6%
Combination: 17%
Intelligence Services Commissioner 2011 Annual Report
As usual, there is almost not useful public content in the Intelligence Services Commissioner report.
Since there is no direct mechanism or budget for the secretive Intelligence Services Commissioner to deal with complaints from the public (who are usually not be aware of possible abuses by the intelligence services, due to the overwhelming blanket of secrecy), it is hard to see what Reassurance to the Public or Parliament the role of Intelligence Services Commissioner actually provides.
In the same way in which the Interception of Communications Commissioner inspects the justifiable snooping on the phone calls in Prisons, without this actually being part of the RIPA legislation, the Intelligence Services Commissioner is now involved in doing some vague, non-statutory oversight of:
page 28 onwards
CONSOLIDATED GUIDANCE TO INTELLIGENCE OFFICERS AND SERVICE PERSONNEL ON THE DETENTION AND INTERVIEWING OF DETAINEES OVERSEAS, AND ON THE PASSING AND RECEIPT OF INTELLIGENCE RELATING TO DETAINEES
i.e. the use of or knowledge of torture .
Now that the Detainee Inquiry (conducted by the previous Intelligence Services Commissioner, Sir Peter Gibson) has been nobbled, this is as close to any independent oversight of potential torture practices by the UK military and intelligence services that there is i.e. not very much.
As Spy Blog readers will have come to expect, the ISC has found no wrongdoing:
Based on the information provided to me, and to the extent set out in my remit, I am not aware of any failure by a military or intelligence officer to comply with the Consolidated Guidance in the period between 1st January and December 31st 2011. I have received assurances from the relevant departments and intelligence agencies that they have disclosed fully relevant information about cases within the detainee grid. I am also assured that I have been given full access to both information and officers to discuss particular cases both in the UK and during Station visits. I therefore have no reason to doubt that the guidance is being complied with based on the information that has been provided to me in 2011.
