Seven reasons the Interception of Communications Commissioner has failed

I’ve been reading through all the annual reports issued by the Interception of Communications Commissioner since the passage of Regulation of Investigatory Powers Act 2000. He is meant to make sure that the powers granted to public bodies under RIPA to intercept our communications are being used correctly.

The annual reports are not a pretty read, especially when set against a modicum of knowledge about the outside world during the years covered by the reports. Consider the following.

1. No scrutiny of the costs system

First, under RIPA there is provision for the government to pay communication service providers costs for meeting the legal requirements put on them. How much has been paid out? Has the system of what can and can’t be claimed for worked well? Are those communications service providers happy with the system? Are those in government who have to sign off such expenditure happy? All the sorts of questions that someone should be asking – and all the sorts of questions which need answers if you are going to make decisions about the future of RIPA on a sensible, evidence-based, basis. But also all questions which are left unanswered by the Commissioner responsible for this area.

2. Huge growth, little explanation

Second, access to communications data has ended up taking place on a massive scale (552,550 times in 2010 alone, the last year for which there are details), far beyond the scale of which people were talking about at the time RIPA was passed and a number that is continuing to grow. How has that happened? What is the reason for growth? The reports tell us almost nothing. Reports even say there is no point in giving a breakdown of the total figures followed rapidly by saying the Commissioner does not know why the totals have gone up. Well, breakdowns might help answer that…

There is no serious analysis of the causes of the volume or the growth, and what little commentary there is tends to be of the form ‘I don’t know why it has gone up but it has gone up for good reason’. There is not active regulation, it is passive and highly trusting regulation – in other words, it is not good regulation.

3. Emergency system widely used, little scrutinised

Third, what is more, the urgent oral authorisation procedure, meant to be for exceptional life-threatening situations, is used heavily and growing fast – 31,210 uses in 2010, up from 21,582 in 2009.

I suspect the police used such an oral request when I had to call 999 a while back in a case where a child’s life could have been at risk and a person needed urgently locating in order to protect the child. So I can certainly see the merit of urgent oral powers in such cases. But there are clear risks of abuse of such powers and the fast growth raises other questions.

Again, the reports are very weak, with some limited provision of possible explanations (more people involved in interception are now covering matters 24 x 7) but no rigorous analysis and no evidence that the Commissioner’s checks are based on a good risk analysis of potential abuse.

4. Privatisation not studied

Fourth, and rather bizarrely, the large-scale ‘privatisation’ of RIPA services to SinglePoint gets no mention. SinglePoint is no more, having filed for insolvency earlier this year, but when it was running many local councils (and possibly other bodies) passed over some of their responsibilities in the RIPA process to an external, private and profit-making company. There is a case to be made for this being a good thing as some councils were struggling to perform rare and specialist tasks properly. You can imagine the arguments in favour of therefore using a specialist dedicated contractor.

However, given the huge sensitivity of monitoring, surely a good regulator would have been regularly checking up on SinglePoint and assessing its impact on the system? Especially as SinglePoint were marketing their services as taking on one of the legal roles that RIPA gave to councils and doing so in a way that made it easier for councils to get monitoring data on residents (see the Aberdeen example, p.5 [document no longer online]).

Even more strangely, SinglePoint has now been largely replaced in this role by the National Anti-Fraud Network (NAFN), an unincorporated not-for-profit organisation hosted by two local councils. NAFN has been regularly visited and reported on by the Commissioner, even though it is a set-up certainly no more, and arguably less, risky than SinglePoint.

5. 13% of police and law enforcement agencies not up to scratch

Fifth, despite the reports repeatedly presenting a very optimistic and positive picture, in 2010 we get praise for how well organisations have improved their compliance with RIPA, which rather suggests the picture in earlier years was over-stated. But even after that improvement, 13% of police and law enforcement agencies do not have good or satisfactory systems according to the regulator. For an area as sensitive as law enforcement, personal privacy and civil liberties 13% is not a welcome low figure, it is a dreadfully high figure – especially against the background of a Commissioner who has not been ringing alarm bells about the state of his domain when it was lower.

[Update – this attitude has changed fractionally with the latest Commissioner’s report, although the heavy coverage of two people having been wrongly detained due to interception mistakes owes far more to the media’s sudden interest in these reports after a decade of mostly ignoring them. In that respect at least, the Draft Communications Data Bill has achieved something good.]

6. Warning signs of widespread law breaking ignored

Penultimately, and perhaps most damningly, there is the little matter of the alleged repeated law breaking that the Interception of Communications Commissioner appears to have completely ignored.

The New York Times 2011 investigation into phone hacking included allegations that journalists were regularly breaking the law by paying for illegal access to communications data, most likely by abusing RIPA powers. These allegations have been contested and we have yet to see what final verdict the Leveson Inquiry or the courts make of them (though see this excellent blog post from Greg Callus). However, the evidence is more than passing gossip and, if true, means that for years not only was RIPA being broken but the auditing to check that RIPA was being complied with failed to catch the problem. In other words, if true the allegations mean the Interception of Communications Commissioner and the system he presided over would have failed, badly, on a large scale and for a period of time measured in years.

Yet what does the latest annual report from the Commissioner, published well after the allegations were aired, say about this? Nothing. Not even a reference to waiting to see the outcome of court cases, let alone any preliminary investigations.

What is more, there have been other hints of possible serial breaking of RIPA over several years. The Information Commissioner’s seminal report in 2006 What Price Privacy? blew the whistle on large-scale law breaking by the British media. Its implication is that the communications data journalists were illegally obtaining was coming direct from phone companies without abuse of RIPA procedures involved. However, it is not clear or explicit on this point so a good, proactive regulator would have been on the ball to check that was the case. Instead, the reports are silent.

There was a chance again in 2008 with Nick Davies’s Flat Earth News, the other classic revelatory publication in this area. It too does not directly finger abuse of RIPA but it gives some strong clues that RIPA abuse may have been a widespread part of the culture of British journalism. He wrote, for example, that “As one Mail veteran put it to me: ‘If the Mail go for you, they get … every call from your phone and mobile.’” But what did the regulator do in response? Check out if RIPA was involved? Alas no. Once more, his annual reports are silent.

7. No-one found to have a good word to say about the system

Six reasons then why the Interception of Communications Commissioner and the system has failed. Multiple reasons why, even if the government were tomorrow to call a halt to any expansion of online monitoring powers and even if the courts do not end up standing up the New York Times allegations, this is still not a regulatory system that works or should be left as it is.

There is one heartening footnote to all this – and a seventh reason to add to the list. I recently talked to one of the senior Liberal Democrat advisers in this area and their comment was simple. They’ve yet to come across anyone who has a good word to say about the Commissioner and how he regulates the system.

Knowing there is a problem is a good first step. But it should not be the last step.

Addendum – and all the more so given the Commissioner himself has said he sees no problem with the system.


Note: in addition to the updates to add in references to subsequent stories, the post was slightly updated 27 April and 4 July to make the statistics clearer.

6 responses to “Seven reasons the Interception of Communications Commissioner has failed”

  1. Are those 500,000 request for Interception requests (seems very high) or for just comms data (still high)?

  2. and on the number of Oral requests, a single incident might need a number of requests to be made so as to identify the person. e.g.

    Post on website about a threat to suicide.
    -> request to host to get IP address.
    -> request to ISP to get identity/telephone number.
    -> request to telco to confirm location.
    -> request to mobile company to get location data.

    in normal operation these could be gathered and supplied in a single request, but with an emergency it might take several requests to different departments (who all technically count as separate requests rather than a single one).

    • And finally… good point, which is why it is a shame the reports tell us so little about the data. Though even if the 'true' level of incidents is lower than the headline figure, it still doesn't explain why the number has gone up by a half in a year.

  3. Oh and… there were a number of non-RIPA authorised organisations (foreign LEOs, rights holders, lawyers, etc) who would try and make RIPA based requests to ISP. In most case these would have been spotted and rejected but with these sort of volumes it wouldn't be hard to imagine a few slipping through the net.

    Yes, foreign LEOs can get the data but they are meant to go via the appropriate channels.

    • Yup, the volume means it's very unlikely all the requests are being thoroughly checked – and hence dodgy requests slipping through. It's noticeable that Google reject around a third of the (non-RIPA) requests for data made to them without anyone complaining that they are rejecting well grounded requests. That suggests is a lot of dodgy requesting going on.

Leave a Reply

Your email address will not be published. Required fields are marked *

All comments and data you submit with them will be handled in line with the privacy and moderation policies.