Report: A Question of Trust – Report of the Investigatory Powers Review

David Anderson Q.C. is the UK’s Independent Reviewer of Terrorism Legislation, who has been tasked with reviewing the operation of the United Kingdom’s anti-terrorism laws. In June 2015 he published a report titled ‘A Question of Trust’ [1] with the stated aim to (a) “inform the public and political debate” about authorities that intercept communications, and collect information about communications, and (b) to set out his own proposals for reform. Anderson recommends a ‘clean-slate’ approach whereby future legislation regarding surveillance is drafted from scratch, because he views the current legislative framework as tangled and complex.

The report contains 124 specific recommendations, which Anderson bases on 5 key principles which aim to build trust. His identified principles are as follows:

  • Minimise no-go areas;
  • Limited powers;
  • Rights compliance;
  • Clarity;
  • Unified approach.

Anderson proposes to draft a new law to bring clarity to the current confusing state of affairs. This gives legislators the chance to review definitions, such as ‘content’ and ‘communications data’. The report suggests that current powers to collect and analyse data of communications in bulk should be retained, but made subject to strict additional safeguards. He suggests a new “bulk communications data warrant” as a proportionate option in certain cases.

A Judicial Commissioner at a newly proposed Independent Surveillance and Intelligence Commission (ISIC) should be mandated to authorise warrants. The ISIC would replace the offices of the three current Commissioners and the Commissioner should be a serving or retired judge. The Secretary of State would certify warrants that are in the interest of national security, but the Judicial Commissioner “should have the power to depart from that certificate only on the basis of the principles applicable in judicial review.”

Further tasks mandated to the new ISIC would be:

  • To take over the intelligence oversight functions of the current Intelligence Services Commissioner,
  • The existing auditing functions of its predecessor Commissioners,
  • Additional functions relating in particular to:
    • the acquisition and use of communications data,
    • the use of open-source intelligence,
    • the sharing and transfer of intercepted material and data,
    • take over the judicial authorisation of all warrants and of certain categories of requests for communications data, in addition to the approval functions currently exercised by the current Office of Surveillance Commissioners in relation to other forms of surveillance and the ability to issue guidance.

Further, the existing Investigatory Powers Tribunal (IPT) would receive an “expanded jurisdiction and the capacity to make declarations of incompatibility”. Importantly, its rulings should be subject to appeal on points of law. Finally, both the new ISIC and the IPT should carry the banner for transparency and inform society about why they need certain powers, as well as how they are interpreted and used.

[1] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015. Available at:


Report: Privacy and Security: A Modern and Transparent Legal Framework (Intelligence and Security Committee of Parliament)

The Intelligence and Security Committee of Parliament (ISC) is a statutory committee of the UK Parliament that has responsibility for oversight of the UK intelligence agencies. The ISC works to scrutinise the work of the UK intelligence community and hold them to account. A report published by the ISC in 2015 investigated the legality of the agencies’ use of interception and other powers.[1]

The report describes the dilemma it addresses as an issue of security against privacy. The ISC considers the role of intelligence and security agencies to be crucial to protect UK citizens “from threats to their safety,” but also mentions “economic well-being” and the “detection and prevention of serious crime.” On the other hand, the committee notes that “in a democratic society those powers cannot be unconstrained” and suggests several changes to the current system of surveillance. One of the main recommendations is a legislative overhaul of the current legal framework governing the intelligence and security agencies. While the ISC is satisfied that the agencies do not seek to circumvent the law, they do consider the current framework to be “piecemeal, and […] unnecessarily complicated.” The resulting lack of transparency is not in the public interest. The ISC seeks to establish a more appropriate legal regime, which would address the following:

  • “the need for greater transparency;
  • a more streamlined, simpler process;
  • greater safeguards in relation to British citizens overseas, and for individuals who work in ‘sensitive’ professions that require privacy for their work;
  • and, increased oversight by the Interception of Communications Commissioner.”

A major focus of the investigation was the scale of Agency interception of communications. The committee found that GCHQ’s bulk interception systems collect only a small amount of communications from a small percentage of the bearers that make up the Internet; these activities “cannot therefore realistically be considered blanket interception.” The ISC considers it to be reassuring that “GCHQ are not reading the emails of everyone in the UK.” The use of filters and search queries reduces the quantity of communications that are opened and read by human analysts. This does not address the issue of whether the collection of data should be considered to be an infringement of the right to privacy.

For example, the ISC recommends separating intelligence and law enforcement functions and distinguishes between ‘internal’ communications between two or more people in the UK, and ‘external’ communications involving at least one foreign participant. In the current framework, different systems of warrants apply here: in the former case, a RIPA 8(1) warrant signed by a Secretary of State naming the individual is required for targeted interception; in the latter case, a broader authority exists under section 8(4) for searching without naming an individual, also through a warrant signed by a Secretary of State.

The ISC considers the issue of the access to and use of communications data (CD), or metadata. It finds a continuing meaningful distinction between content and communications data, finding that “while the volume of CD available has made it possible to build a richer picture of an individual, this remains considerably less intrusive than content. It does not therefore require the same safeguards as content does. [3]” Nonetheless, the report highlights the growing grey area between these two categories of data, including “information such as web domains visited or the locational tracking information in a smartphone.” The report therefore recommends that this category of data be labelled ‘Communications Data Plus’, and that it should “attract greater safeguards than the narrowly drawn category of Communications Data.”

In addition, the report considered agency use of other powers, including targeted surveillance, interference with property and wireless technology, the reading of encrypted communications and the use of covert human intelligence sources.

[1] Intelligence and Security Committee, Report on Privacy and Security, 2015. Accessible at


Digital Rights Ireland ruling, 2014

The Digital Rights Ireland ruling, of the Grand Chamber of the Court of Justice of the European Union in Joined Cases C‑293/12 and C‑594/12, given in 2014, declared invalid the EU Data Retention Directive (Directive 2006/24/EC). This Directive had provided the legal basis for UK regulations requiring service providers to retain communications data for law enforcement purposes, for between six and 24 months. This ruling resulted in the passing of the Data Retention and Investigatory Powers Act 2014 (DRIPA) by the UK Parliament, which asserted the continuing legality of communications data retention.

The Court found that, as the provisions contained in the Data Retention Directive “applies to all means of electronic communication [and] covers all subscribers and registered users, [i]t therefore entails an interference with the fundamental rights of practically the entire European population.” [1] As such, the Directive “entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU” [2], which the Court ruled invalid.

The Anderson Review suggests the consequences of the ruling could be significant, since the Grand Chamber’s rulings are strictly binding. Henceforth, UK legislation in this area will require consideration of, for example, “the substantive and procedural conditions for access to and use of retained data” and provision for the physical security of data and its irreversible destruction” [3]. Moreover, although this case covered only the retention of communications data, the legality of bulk interception of communications could also be affected.

The Digital Rights Ireland ruling was cited as the case law with which section 1 of DRIPA was ruled incompatible and thus disapplied, from 31 March 2016, in Davis and Others vs The Secretary of State for the Home Department.


[1] Grand Chamber of the Court of Justice of the European Union, Joined Cases C‑293/12 and C‑594/12, paragraph 56, accessible at

[2] Ibid, paragraph 65.

[3] David Anderson QC, A Question of Trust, p.97.

Ruling: Davis and Others vs The Secretary of State for the Home Department

Davis and Others vs The Secretary of State for the Home Department was a judicial challenge by the MPs David Davis and Tom Watson to the Data Retention and Investigatory Powers Act 2014 (DRIPA). The case was heard in the High Court of Justice, which ruled in favour of the claimants, rendering DRIPA unlawful.

In its ruling, the Court found that section 1 DRIPA was inconsistent with EU law since it “does not lay down clear and precise rules providing for access to and use of [retained] communications data” and “access to the data is not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary.” [1]

In remedy, the Court “disapplied” DRIPA, although suspended its order until March 31, 2016, allowing government to propose – and Parliament to pass – modified legislation which complies with EU law. This suspension is significant given the sunset clause in DRIPA which requires, in any case, replacement legislation in 2016. The Home Office, in response to the verdict, has indicated an intention to appeal.

In its judgement, the High Court refers often to the Court of Justice of the EU (CJEU) case referred to as ‘Digital Rights Ireland’, in which the Data Retention Directive was declared invalid. The CJEU stated that “It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.” Its judgement is based on an infringement of Articles 7 and 8 of the Charter of Fundamental Rights of the EU, which provide for privacy and data protection. While the CJEU case did not concern the bulk interception of content, the High Court felt it is “arguable that its principles (including in relation to prior independent authorisation) should apply in that area with at least the same force.”

Interestingly, the High Court reiterates the point made by the European Court of Human Rights in the case Liberty v UK (2009) that the “[r]etention for the purpose of possible access is in itself an interference with rights under Articles 7 and 8 of the Charter and Article 8 of the ECHR.” The High Court then stresses the need for minimum safeguards to be expressed in legislation, limiting the purpose of communications data collection to serious offences (leaving the definition to Member States), and requiring prior review by courts or administrative bodies. However, the High Court limits the necessity of prior review to access of communications data, not the retention thereof.

[1] High Court ruling in Davis and Others vs The Secretary of State for the Home Department, paragraph 114, accessible at


Wireless Telegraphy Act 2006

The Wireless Telegraphy Act 2006, an Act of Parliament, was described by the Anderson Review as, outside of RIPA, “the key statute allowing for the interception of communications.” [1] Sections 48 and 49 grant broad powers for the interception of communications to “the Secretary of State, the Commissioners for [HMRC], or any other person designated for the purposes of this section by regulations made by the Secretary of State.” [2] The use of this power is limited to necessary and proportionate circumstances, and in relation to national security, the prevention of crime, public safety or health, economic well-being or tax collection.

The Anderson Review explains that “the relationship between the WTA and RIPA is somewhat opaque.” Since “there is no operational distinction between the two statutes … both [Acts] could be used to intercept the same communications.” [3]


[1] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, p.97.

[2] United Kingdom Parliament (2006), Wireless Telegraphy Act, Section 48(5), available at

[3] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, pp.97-98.


Counter Terrorism and Security Act 2015

The Counter Terrorism and Security Act 2015, an Act of Parliament, makes provision for the retention of data by Content Service Providers (CSPs), amongst other counter-terrorist measures. Part III of the Act revises DRIPA to include mandating the retention of data regarding the allocation of IP addresses to given devices at particular times – thereby providing authorities with more information about the identity of a particular device user when IP addresses are used by multiple users simultaneously. For technical reasons, however, this provision does not make it possible in every case to verify the identity of individuals using devices.

As the Explanatory Notes to the Act make clear, “providers generally have no business purpose for keeping a log of who used each address at a specific point in time” [1]; as such, the Anderson Review notes that the act “provided for the first time that service providers should generate and retain data that they did not need for their own business purposes” [2]. However, the Act also explicitly prevents CSPs from retaining “data that explicitly identifies the internet communications service or websites a user of the service has accessed … sometimes referred to as web logs”, a crude record of browsing history. [3]


[1] Explanatory notes to United Kingdom Parliament (2015), Counter-Terrorism and Security Act, available at

[2] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, p.110.

[3] Explanatory notes to United Kingdom Parliament (2015), Counter-Terrorism and Security Act, available at

Law enforcement bodies

Outside of the security and intelligence agencies such as GCHQ, around 600 public authorities hold the power to request communications data. In his 2015 report, the Independent Reviewer of Terrorism Legislation, David Anderson QC, distinguished between “major” law enforcement agencies, including police forces – who make the great majority of requests for communications data – and “minor users” of data including other national public authorities such as Ofcom and the Gambling Commission, as well as the 430 local authorities. [1]

A further distinction can be made between the small number of bodies which have the power to intercept communications, under RIPA Part 1 Chapter 1, and those that do not. The law enforcement bodies with this power are the National Crime Agency, the Metropolitan Police Service, the Police Service of Northern Ireland, Police Scotland, and Her Majesty’s Revenue and Customs. According to the 2015 IOCC report, 2,795 interception warrants requested by these bodies were approved in 2014; 68% concerned serious crime and 31% were related to national security. [2]

[1] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, p.166

[2] Rt. Hon. Sir Antony May, ‘Report of the Interception of Communications Commissioner’, March 2015, pp.26-28.


The legal power to decrypt materials is expressly granted as a statutory function to GCHQ in the Intelligence Services Act 1994, where it is empowered to “obtain and provide information derived from … encrypted material” (s.3 (1)(a)).

Further, sections 49-51 of RIPA give a range of government agencies the power to compel decryption of material or, as necessary, compel a person to provide information, such as a password or decryption key, that allows encrypted material to be decrypted. Permission is required from the Secretary of State, or for police, a judge (RIPA Schedule 2). Such measures, according to the Interception of Communication Commissioner, are “intended to ensure that the ability of public authorities to protect the public and the effectiveness of their other statutory powers are not undermined by the use of technologies to protect electronic information (such as passwords, encryption etc)”.[1] However, the 2015 Report of the Interception of Communications Commissioner noted that no RIPA section 49 notices have been issued by the Secretary of State with regard to intercepted material since 2013.[2]

The Intelligence and Security Committee’s 2015 ‘Privacy and Security’ report found that “the ability to decrypt [communications of interest] is core to GCHQ’s work”, and noted that the agency has a “programme of work … to enable them to read encrypted communications”, though the name of this programme, and the substance of two of its three main strands, are redacted [3]. The report also noted that “many people believe, based on the Snowden leaks, that GCHQ systematically undermine and weaken common internet encryption products.”

As the report points out, under the terms of the Intelligence Services Act no additional authorisation at a ministerial level is required for these activities. While acknowledging a general need for GCHQ to decrypt communications in the interests of public safety, the report expressed the concern that such decisions are taken internally, and recommended that ministers be “kept fully informed of all such work and specifically consulted where it involves potential political and economic risks.” [4]

[1] Report of the Interception of Communications Commissioner, March 2015, p.75.

[2] Ibid.

[3] Intelligence and Security Committee, ‘Privacy and Security: a modern and transparent legal framework’, p.67.

[4] Ibid., p.69.

Intrusive and targeted surveillance

Powers contained in RIPA 2000 and the Intelligence Services Act 1994 give agencies power to conduct what is described as ‘intrusive’ and ‘targeted’ surveillance. The terminology here is potentially confusing, given that other agency powers – such as the large-scale interception of communications and access to communications data – are often described by civil society groups as forms of ‘mass surveillance’, and the term ‘surveillance state’ is often used to describe intelligence powers in general.

Specifically, ‘intrusive surveillance’ refers to “the use of covert techniques to monitor an SoI’s movements, conversations and activities in private places including a suspect’s home or vehicle.” The Intelligence and Security Committee considers the use of this power “highly intrusive” and “used sparingly … only in support of the highest priority investigations.”[1] Warrants for intrusive surveillance are signed by a Secretary of State and remain in force for six months, though in some cases can remain in place for several years. Warrants can be issued under RIPA, or in conjunction with authorisation for interference with property under the Intelligence Services Act 1994.

‘Directed surveillance’ is that which takes place outside of these private spaces; in essence, in public areas. Activities in this area might include tracking a subject’s movements and still or video recording of them. Warrants for directed surveillance are approved inside the agencies and are valid for three months.


[1] Intelligence and Security Committee, Report on Privacy and Security, 2015, p.61. Accessible at

Special Envoy on Intelligence and Data Sharing

The government appointed Sir Nigel Sheinwald as the Prime Minister’s Special Envoy on Intelligence and Law Enforcement Data Sharing in September 2014. His role was created to work with foreign governments and US communication service providers (CSPs) to improve access to data across different jurisdictions for intelligence and law enforcement purposes.

2015 Summary of Progress

In June 2015, a summary of the Special Envoy’s work was published, in which Sir Nigel outlines his activities since being appointed. [1] Under the heading ‘Short Term Cooperation’, he describes his work with Content Service Providers and the US Government to develop new solutions to ongoing legal concerns around data sharing, as well as dealing with urgent issues around counter-terrorism and threat to life cases.

In the summary Sir Nigel also recommends a number of proposals, including improving government-to-government cooperation, and reforming the US/UK Mutual Legal Assistance Treaty to standardise and simplify the process of information-sharing, in particular to “make it easier for UK police to access communications data directly from the US CSPs.” Sir Nigel also suggests the building of a new international framework between certain democratic countries to serve as a long-term, sustainable solution to data sharing. Finally, he recommends that “the Government looks at how it can improve transparency around the number and nature of our requests to overseas and domestic Communication Service Providers”, through better coordination with these companies.

[1] Sir Nigel Sheinwald, Summary of the Work of the Prime Minister’s Special Envoy on Intelligence and Law Enforcement Data Sharing, accessible at