Back in February 2014 the Home Office issued a public consultation on two Codes of Practice :on undercover agents / informers and on planting bugging devices etc. (usually through legalised burglary)
- Covert human intelligence sources code of practice (.pdf) - February 2014
- Covert surveillance and property interference code of practice (.pdf) February 2014
Here is what Spy Blog contributed
Here are some points which need to be considered in the new Covert
Human Intelligence Source Code of Practice:
This is 2014 and somehow, yet again, there is no specific mention
of *online* CHIS activities in the Code of Practice - this is
Online "Legend" building and maintenance
It may be necessary and proportionate for a CHIS or a Relevant
Source to create fake online internet service accounts e.g. Google
Gmail, Microsoft Live ID, Twitter, Facebook, blog registrations,
online discussion forum registrations etc.
These may be used to help establish a "Legend" (does nobody else
find the use of this Soviet era KGB espionage slang by the Home
Office questionable ?)
N.B. by doing so, the CHIS or Relevant Source will almost certainly
be breaking the legal Terms and Conditions of the online service.
Since newly created social media accounts which participate in
discussions or which try to "follow" or "friend" other users, are
less trustworthy and more suspicious, a convincing online persona
requires a searchable history of online activity for it to be
Therefore any such "Legend" building (which may not yet have been
allocated to a particular Relevant Source or investigation or
operation) could take years and must also be reviewed by a senior
responsible officer and the Surveillance Commissioners, with the
same audit trails and regularity as other Relevant Sources i.e.
regular review at least annually.
Automated social media software
There are plenty of companies willing to sell or create social
media software tools and services for "marketing" or for "social
media intelligence", the use of which can help in the creation of
believable online "Legends", or allow the gathering of online
social media details about an individual or group.
Any use of such tools or services must also be clearly authorised
and audited as per Relevant Sources.
online CHIS risk of Disruption , Agents Provocateurs & Entrapment
One particular danger is the temptation for a CHIS or Relevant
Source to use automated scripts or software to easily create and
try to maintain multiple fake online personalities, often with
limited artificial intelligence to send and reply to messages, so
as to to create "buzz" or "chatter" online about a particular topic
They are also used to try to to manipulate (up or down) the ranking
of certain keywords in web search engine queries.
These are abused by unethical businesses and by criminals to, for
example, manipulate the price (up or down) of stocks and shares
("pump and dump" or "boilerhouse" operators) or to try to hide
unfavourable or embarrassing press articles or social media
commentary (no matter how truthful) from most naive web search
engine users, who rarely progress beyond the first page or two of
Such software can also be used to "swarm" or "spam" political
discussion forums, pushing a particular viewpoint and stifling free
debate through "trolling" and "sock puppetry".
Therefore any use of such software must also be carefully
authorised like a Relevant Source and audited by the Surveillance
Commissioners. There also needs to be a clear Financial audit
trail, as there is could be a substantial cost to the public purse.
Any use of such software for the dubious purpose of "disruption" of
criminal or terrorist enterprises is also fraught with danger that
it will be used to disrupt and cause collateral damage to innocent
people e.g. those involved in political or social campaigns,
peaceful demonstrations etc.
Although popular in the USA and with repressive dictatorships, such
techniques risk creating online Agent Provocateurs and Entrapment,
which should be a legal anathema in the UK.
N.B. even a "justifiable" use of such software or techniques will
inevitably cause reputational damage to the trustworthiness of the
law enforcement agency which uses them,
when, not if, this becomes public.
This new CHIS Code of Practice must clearly forbid any use of
Agents Provocateurs or Entrapment, whether online or in person.
Typically, the Home Office has not yet published the Response to the Consultation, but they have laid Draft Statutory Instruments before Parliament and have published
- Covert Human Intelligence Sources - DRAFT Code of Practice -July 2014 (.pdf)
- Covert Surveillance and Property
Interference - DRAFT Code of Practice -July 2014 (.pdf)
The July Codes of Practice now both include an almost identical paragraph on Covert Online Activity - was this prompted just by the Spy Blog submission, or did other people also point out the glaring omission in the February versions ?
Covert Human Intelligence Source CoP;
The use of the internet may be required to gather information prior to and/ or during a CHIS operation, which may amount to directed surveillance. Alternatively the CHIS may need to communicate online, for example this may involve contacting individuals using social media websites. Whenever a public authority intends to use the internet as part of an investigation, they must first consider whether the proposed activity is likely to interfere with a person's Article 8 rights, including the effect of any collateral intrusion. Any activity likely to interfere with an individual's Article 8 rights should only be used when necessary and proportionate to meet the objectives of a specific case.Where it is considered that private information is likely to be obtained, an authorisation (combined or separate) must be sought as set out elsewhere in this Code.
Covert Surveillance and Property Interference CoP:
Online covert activity
The use of the internet may be required to gather information prior to and/or during an operation, which may amount to directed surveillance. Whenever a public authority intends to use the internet as part of an investigation they must first consider whether the proposed activity is likely to interfere with a person's Article 8 rights, including the effect of any collateral intrusion. Any activity likely to interfere with an individual's Article 8 rights should only be used when necessary and proportionate to meet the objectives of a specific case.Where it is considered that private information is likely to be obtained, an authorisation (combined or separate) must be sought as set out elsewhere in this Code. Where an investigator may need to communicate covertly online, for example contacting individuals using social media websites, a CHIS authorisation should be considered.
Spy Blog's points about the need for Authorisation and Review of the so called "legend building" process, seem to have been ignored, as was the point about Agent provocateurs.
Nevertheless, these new RIPA Codes of Practice sections on Online Covert Activity should be cited by journalists , campaigners and politicians who are inquiring into the activities of say Undercover Police infiltration of political or justice campaigns or the shady script kiddies of GCHQ's Joint Threat Research Intelligence Group