Open oversight – civil society dialogue on proportionality standards for the review of bulk powers

Following the publication of the Advisory Notice in January 2018, IPCO proceeded to enrich these principles in May 2018 with the help of a public invitation for input on issues relevant to the proportionality of bulk powers. IPCO asked NGOs and others to provide assistance in identifying the broad range of factors that the Judicial Commissioners should have in mind when evaluating the proportionality of bulk warrants:

  • What factors should the Judicial Commissioners take into account when considering whether the conduct proposed in a bulk warrant is proportionate?
  • Is there any particular approach that the Commissioners should adopt when evaluating those factors, some of which may be competing?

 

Explicit standards for proportionality assessments when approving bulk SIGINT warrants in actual practice (IPCO Advisory Notice 01/2018)

Explaining exactly how the necessity and proportionality test of a bulk collection warrant is conducted is crucial information for rating the thoroughness and legitimacy of the process. The United Kingdom’s Investigatory Powers Commissioner’s Office (IPCO) has published an Advisory Notice that provides advice and information to public authorities and the general public as to the general approach that Judicial Commissioners will adopt under the IP Act when deciding whether to approve decisions to issue warrants.

The Judicial Commissioners, who are in charge of approving bulk SIGINT warrants, must have regard to whether what is sought to be achieved by the warrant, authorization, or notice could reasonably be achieved by other, less intrusive means. In exercising that statutory responsibility, the Judicial Commissioners must, in particular, have regard to:

  • whether the level of protection to be applied in relation to any obtaining of information by virtue of the warrant, authorization, or notice is higher because of the particular sensitivity of that information;
  • the public interest in the integrity and security of telecommunication systems and postal services;
  • any other aspects of the public interest in the protection of privacy;
  • additional safeguards for matters such as legal professional privilege (e.g., for all professional legal advisers) and journalistic material;
  • the tests of necessity and proportionality, as applicable under the Human Rights Act 1998 and under European Union law, to the extent that this applies to the powers/activities for which approval is sought.

 

This Advisory Notice is not binding and can theoretically be changed at any point in time. It therefore represents only the opinion of the current Judicial Commissioners, and there is no obligation to inform the public whether the guidelines were revised. The gold standard for providing transparency remains setting out such procedural rules in law. Some critics have pointed out that the Advisory Notice has failed to emphasize “the importance of a current and relevant intelligence case justifying the decision to issue warrants,” particularly in national security cases, where the Advisory Notice leans toward a wider margin of judgment.

Quotas for specific data collection methods

The French intelligence law sets quantitative limits for the use of specific intelligence techniques in order to end dispensable authorized warrants before approving new ones. The number of simultaneous authorizations of specific operations is limited to a fixed amount set by the prime minister at the recommendation of the French oversight body, the National Commission for the Control of the Intelligence Techniques (CNCTR).

The French have adopted fixed quotas for certain collection methods in their governance scheme for targeted surveillance methods. The underlying logic – namely to force agencies to use or abandon existing authorized warrants instead of simply applying for new authorizations – seems to be an adequate tool to limit the use of specific instruments. Potentially, quotas may also spur annual public debates about the set numbers. Naturally, the effectiveness of this approach hinges both on the process and the actual quotas used. Ideally, the quota-setting should be based on a transparent and verifiable process that outlines the specific need for a surveillance allowance.

The quota system applies to three types of data collection: first, to the interception of electronic communications, with a quota of 3,040 in 2017; second, to the use of international mobile subscriber identity (IMSI) catchers, with a total quota of 60; and third, to the real-time collection of connection data, with a quota of 500. The different relevant ministerial departments are assigned a subset of the overall quota (e.g., sub-quotas for interior, customs, defense, and other ministries) and checked on a daily basis by the Groupement Interministériel de Contrôle (GIC).

 

Privacy representative at the Swedish Foreign Intelligence Court

In Sweden, similar to the amicus curiae before the FISC in the United States, “in all proceedings before the Swedish Foreign Intelligence Court [Försvarsunderrättelsedomstolen], a privacy representative [Integritetsskyddsombud] must be present, unless this would delay and compromise the operation.” This representative is appointed by the government.

Option to request external legal opinion in authorization procedures

The FISC can “appoint an individual to serve as amicus curiae to assist in the consideration of any application for an order or review that, in the opinion of the court, presents a novel or significant interpretation of the law.” Hence, the Court has the option to engage in an adversarial proceeding when determining the legality/necessity of foreign intelligence warrants. The law explicitly requires the appointed “friend of the court” to provide “legal arguments that advance the protection of individual privacy and civil liberties” (50 U.S. Code §1803 (i)(2)(A)).

The authorization of a surveillance operation becomes more robust if adversarial counsel is made available to the authorizing (or approving) body at the decision-making point in time. Hearing only one side of the argument invites regulatory capture. Therefore, the FISC maintains a pool of designated legal counsels, from which the Court may appoint an individual amicus curiae for a specific case. Requesting external expertise from such amici offers a fresh view on a significant or new legal matter and helps to avoid tunnel vision while enhancing the input legitimacy of the process.

The mere indication that the FISC intends to appoint an amicus curiae has already proven to have a deterrent effect on the executive branch. According to the FISA Annual Report 2017, no amicus was appointed during that year. Yet, the Court considered appointing a person three times, but in all three cases, the government ultimately did not proceed with the proposed application or modified the final application “such that they did not present a novel or significant question of law, thereby obviating a requirement for consideration as to the appropriateness of appointment of amicus.” That said, the opinions presented by an amicus curiae need not be “adversarial.” They may also bolster the government’s argument, for example with technical aspects, rather than taking the opposite position from that of the government by default.

 

Required declassification review for new legal interpretations

Section 602 (a) of the USA Freedom Act outlines a declassification requirement. “[T]he Director of National Intelligence, in consultation with the Attorney General, shall conduct a declassification review of each decision, order, or opinion issued by the Foreign Intelligence Surveillance Court or the Foreign Intelligence Surveillance Court of Review (as defined in Section 601(e)) that includes a significant construction or interpretation of any provision of law, including any novel or significant construction or interpretation of the term ‘specific selection term,’ and, consistent with that review, make publicly available to the greatest extent practicable each such decision, order, or opinion.” To satisfy the needs for the protection of sources and methods, documents may also be made publicly available in redacted form.

Option to request publication of a Foreign Intelligence Surveillance Court decision or opinion

“The Judge who authored an order, opinion, or other decision may sua sponte or on motion by a party request that it be published. Upon such request, the Presiding Judge, after consulting with other Judges of the Court, may direct that an order, opinion or other decision be published” (FISC, “Rules of Procedure”).

Mandatory public report by authorization body

Unlike in some countries that lack such important transparency measures, the Dutch TIB oversight body is legally required to publish a public annual report.

Option to approve a warrant with conditions

The Intelligence Commissioner Act, Section 20 (2) allows the Intelligence Commissioner to approve, reject, or approve with conditions the retention of foreign datasets. These conditions may refer to “the querying or exploitation of the foreign dataset or the retention or destruction of the dataset or of a portion of it,” and the Intelligence Commissioner has to “provide reasons for doing so, if he or she is satisfied that those conclusions are reasonable once the conditions are attached.”

The option to authorize with conditions now applies across the board for all intelligence authorizations (beyond the Communications Security Establishment (CSE), which is the Canadian foreign intelligence agency). In principle, this can provide oversight bodies with greater control over the implementation of surveillance measures. This could mean, for example, setting a specific number of days before data has to be deleted, or defining specific kinds of information that must be destroyed before analysis.

 

Authorization / Approval

After a warrant has been issued, the requested bulk SIGINT measure must be authorized or – as the case may be in different jurisdictions – approved by a review body that assesses the necessity and proportionality. Differences exist across nations as regards the moment when the independent judicial review process comes into play. In some countries, the competent minister or other members of the executive authorize warrants. In the United Kingdom, for example, the authorization of warrants is the privilege of the executive. Ministerial authorization, then, has to be approved by independent Judicial Commissioners. By contrast, in the German legal framework, warrants are authorized by bodies such as the G10 Commission or the Independent Control Council (for future foreign-foreign intelligence collection).

 

The independent ex-ante authorization/approval of data collection is a crucial safeguard against the misuse and abuse of bulk surveillance powers. The legitimacy of surveillance practice depends on the control of executive conduct from the outside. Enacting the control mechanism prior to implementation is crucial, because this can both deter and prevent certain actions from being taken. Independent authorization/approval also contains an important learning element, because the competent bodies can improve their controls, draw lessons from past mistakes, and then declare more assertively that certain measures are not required, or that no sufficient proof was presented.

 

Across many democracies, a dual system of authorization/approval has emerged that combines a judicial and an executive control function. A judicial oversight body – ideally a court – is best suited to administer a competent legal review of a bulk surveillance application.