Images of innocent civilians being killed and injured in recent terrorist attacks in France and Belgium shocked the world. These attacks made it clear once again that in countries facing terrorist threats, anyone can become a victim, any time. So, given these real and present dangers, surely governments should use any and all means to protect their citizens? Right? Wrong. By JANE DUNCAN.
Britain is responding to terror threats in ways that are likely to increase global insecurity, including in southern countries that face no major terrorist threats, like South Africa. An example of a dangerously inappropriate response is the Investigatory Powers Bill – the “Snoopers Charter”– which is passing through the British parliament at the moment.
If passed in its current form, the bill may well give Britain’s intelligence and police agencies sweeping powers to spy on the communications of its and other countries’ citizens on vague grounds, and with inadequate oversight. It writes unprecedented new mass surveillance powers into law: powers that have been shown to have been abused.
Home Secretary Theresa May has boasted that the bill will set the ‘gold standard’ for government spying around the word. Yet the Scottish National Party’s spokesperson, Joanna Cherry, was more on the mark when she argued that the bill could set a dangerous precedent and a bad example internationally. Recent revisions of the Bill have not addressed its fundamental weaknesses.
Ruling elites often have a vested interest in developing laws that increase their own executive power and political control, and reduce public accountability. This is especially so in the current global climate, when mass opposition to inequality is rising. The possibility of using laws developed in the “war against terror” to suppress legitimate social and political movements is an opportunity that may be too good for embattled governments to pass up.
In order to understand its global implications, it is necessary to delve into the bill’s contents. Surveillance and its oversight is governed by several laws and institutions in Britain, which has created confusion. The bill aims to provide one law, and streamline oversight by consolidating these institutions into one judicial Investigatory Powers Commission, which is a noble intention.
The police and intelligence agencies can use the powers in the bill to prevent or detect serious crime, on national security grounds, or to protect the economic well-being of Britain as they relate to the interests of national security.
However, national security is not defined, and the term economic well-being is so broad that it could include any conduct that elite interests do not like. These vague grounds give the spies almost unfettered access to peoples’ communications.
The bill’s drafters have made much of the fact that it includes a “double lock” provision for the most intrusive powers, where both executive and judicial approval are required for interception warrants. However, the role of judicial authorisation is limited to that of the principles of judicial review. The grounds for judicial review are very narrow, as they focus mainly on whether the correct process was followed and was reasonable.
This form of judicial involvement in the authorisation of the use of powers means they will not be considering the actual merits of the warrants, which would require a review of their content. The “double lock” provision is an inadequate check on executive spying powers.
Authoritarian governments elsewhere will love this arrangement, as it sets back the global struggle for judicial decision-making about interception warrants massively. South Africa is more far-sighted, as it requires judicial approval. But when the country’s own surveillance laws are reviewed, which is imminent, it could well seize on this regressive move to change its mind.
The most controversial elements of the bill are the executive’s bulk powers to intercept, store and even hack communications on a massive scale. Mass, suspicionless surveillance violates the general principle that interceptions should be as targeted as possible to remain within the human rights framework of necessity and proportionality of surveillance powers. There should at least be a reasonable suspicion of wrongdoing to trigger their use.
In response to a parliamentary call to do so, the Home Office made an operational case for use of bulk powers. It argued that targeted interception alone doesn’t help them respond to the range of threats the UK faces.
The Home Office claimed that bulk powers – the government’s softer phrasing for mass surveillance – allows them to establish patterns between individuals of interest and others who weren’t even on the intelligence radar, and allowing them to identify intelligence leads on emerging threats. They claim to have thwarted terrorist attacks and cracked criminal networks using these bulk powers.
Bulk powers target people outside the country, with less privacy-invasive surveillance ostensibly being reserved for British nationals. This means that the Bill subjects non-nationals to weaker privacy protections, which discriminates against them, and flies in the face of attempts to universalise human rights.
However, the operational case for bulk powers remains tenuous, rather than compelling. In some of the cases the Home Office has used as justification, other less intrusive intelligence methods could have been used to achieve the same result.
In 2015, the Intelligence and Security Committee admitted that information harvested from bulk person datasets (databases containing peoples’ financial, travel, communications and other personal information) related to a wide range of individuals, the majority of whom are unlikely to be of intelligence interest.
Recently, documents released to advocacy group Privacy International show that intelligence agents have used bulk personal datasets as their own personal cookie jars. Special Intelligence Service operatives have dipped into these information troves to send birthday cards, check their own travel details and those of their family, and to check the personal details of colleagues.
More seriously, the bill mandates the use of what it refers to coyly as “equipment interference” – or government hacking – of broad categories of computer equipment of non-nationals, and they can do so on vague grounds. The bill even authorises bulk hacking of large numbers of computers: an extremely worrisome international precedent.
These powers will allow the spies to access address books, track every keystroke, email and internet search on computers, and even turn a computer’s camera and microphone on, using it as a surveillance device against its owner.
Intelligence agents exploit existing vulnerabilities in computer software, which creates perverse incentives for them not to reveal their existence, so that they can continue to exploit them. Their silence places thousands of computer users at risk of exploitation by criminals and foreign agents intent on espionage.
These are the most invasive powers of all, and the ones that are the most likely to set a negative international precedent. South Africa’s bulk collection is undertaken by a government entity, the National Communications Centre, which is not regulated by legislation.
The South African government has justified this lack of regulation as “international best practice” for foreign signals intelligence-gathering. They have argued that they need unfettered, wide-ranging powers to scan for potential external threats, and hence warrants are not sought for bulk collection.
But this has created a loophole that has in the past seen the country’s bulk scanning equipment being misused to spy on perceived domestic threats to ruling party interests, including journalists and opposition politicians.
Currently, South African civil society is involved in a struggle to bring mass surveillance under democratic, legislative control. Britain’s move towards expanding its bulk capacities, while weakening democratic controls over them, will make this struggle that much harder.
In terms of the bill, the British police and intelligence agencies can require companies to remove electronic protections on communications, which is an indirect attack on encryption.
The bill contains powers to instruct internet service providers to retain communications records for up to one year. This is a dubious practice from a privacy point of view as it is untargeted; in fact, the European Court of Justice struck down the practice as a serious interference with rights. South Africa requires communications service providers to retain data on a blanket basis for three to five years, and the British swing towards data retention makes it less likely that this draconian privacy-violating measure will be reviewed.
The British government has argued that this information constitutes metadata, not content. In other words, its potential to invade privacy is less serious because this information will only reveal which websites were visited. But this argument is misleading, as metadata can reveal as much as content about a person.
With respect to its international reach, the bill is on dangerous ground as it claims extra-territorial jurisdiction in relation to a number of its powers. If all countries followed suit, then global communications could descend into chaos. Safeguards for the sharing of intelligence internationally are somewhere between weak and non-existent, which could lead to data being shared with rights-violating countries. Britain should work towards an international framework for a common set of rules, rather than imposing its will on other countries, but it appears uninterested in doing so.
The bill throws an unacceptable shroud of secrecy around the government’s spying activities. It does not make provision for user notification. Once an interception warrant has lapsed, communications users should be informed that their communications have been intercepted, unless there is a compelling operational reason not to do so.
Also, communications service providers are sworn to secrecy about their roles in enabling surveillance, with no public interest override or defence; so, even if they are aware of abuses, they cannot speak out. South African civil society is arguing for user notification and more transparency in the country’s communications surveillance law, but is less likely to win these arguments if the British bill is passed into law.
After the 9/11 attacks, many southern countries (South African included) rewrote their surveillance laws to bring them into line with what governments at the time considered to be “best practice”. Many of these laws sought to regulate analogue networks, though.
It is expected that in the next few years, these countries will update these laws to make them more relevant to the digital age, and South Africa is one of these. No doubt they will be in search of new models, and their eyes will turn towards countries that (inexplicably) are still widely considered “major democracies”. The Investigatory Powers Bill will be a gift to securocrats everywhere, who are probably sharpening their pencils already.
But a bill that is revised to bring it into line with international human rights will be a gift to democrats everywhere. And that is why the British Parliament cannot afford to legislate in a bubble. DM
- Jane Duncan is a professor in the Department of Journalism, Film and Television at the University of Johannesburg. She is a member of the secrecy and securitisation focus group of the Right 2 Know Campaign (R2K), and the Media Policy and Democracy Project (MPDP), which recently completed a major study on communications surveillance in South Africa. She is author of ‘The Rise of the Securocrats: the Case of South Africa’, published by Jacana Media in 2014. R2K plans to picket the Office for interception Centres on Freedom Day, 27 April 2016, to demand changes to Rica to bring it into line with international human rights principles.
Photo: British Home Secretary Theresa May arrives for a cabinet meeting at Downing Street in London, Britain, 22 March 2016. EPA/ANDY RAIN
Daily Maverick © All rights reserved