The UK's Regulation of Investigatory Powers Act (RIPA) is under scrutiny again after new documents from Edward Snowden show that GCHQ recorded and saved emails from reporters at the BBC, Reuters, the Guardian, the New York Times, Le Monde, the Sun, NBC and the Washington Post, then shared them out on the agency’s intranet.
These were part of a large exercise in data harvesting that happened back in Nov. 2008, which extracted 70,000 messages in total, from the journalists and beyond.
It puts RIPA firmly in the spotlight. For now, the act says that law enforcement need not seek a warrant or court approval to intercept messages, including those protected by client or sourcing privilege, such as attorneys, doctors and journalists.
The news comes against a backdrop of increased dialogue in Britain over privacy and surveillance. This week, former head of MI6 Sir John Sawers said at the launch of the Edelman Trust Barometer that a renewed compact needed to be forged between tech companies and the government, after the 2013 Snowden revelations broke apart what was an “informal” agreement to work together. Since then, the public backlash against tech companies’ role in surveillance has had most of them distancing themselves from surveillance efforts.
“Snowden threw a massive rock in the pool. The ripples from that have still not died down,” Sawers said. “It was certainly a great concern for me that the, if you like, informal cooperation that worked well between most technology companies and communication companies and security services was broken by the Snowden revelations and has not been repaired.”
The sentiments echo comments from UK Prime Minister David Cameron last week after the Charlie Hebdo attacks in Paris. He made the case against the use of apps like WhatsApp and Apple’s iMessage, which encrypt their communications end-to-end, arguing that law enforcement should have recourse to track extremists using whatever information they can put at their disposal. He pointed out that letters and phone calls have always been available to lawful intercept in such cases, and that internet communications should be no different.
At the same time, the UK government is in the process of soliciting comments on amending RIPA under a wide-ranging consultation process with industry groups and individuals.
And indeed, as part of the RIPA code consultation, more than 100 editors have signed a letter coordinated by Press Gazette and the Society of Editors in the UK to warn that the draft code of practice on use of the act puts journalists' sources at risk.
“Politicians promised new controls in the code, but instead the new draft guidance states that police can continue to secretly view journalists' phone records provided they give ‘special consideration’ to the ‘proportionality’ of doing so,” Press Gazette pointed out. The joint letter thus states that the draft code “provides wholly inadequate protection for journalists’ sources.”
techUK, a consortium for the UK technology industry, raised specific concerns to the Home Office about the lack of clarity in RIPA’s draft Codes of Practice, and the way in which the process has been undertaken.
"Sir John Sawers...called for a new relationship between industry and security services, but this has to be firmly rooted in law,” said Antony Walker, deputy CEO of techUK, in a statement. “In a democratic society, the only way to protect security, freedom and trust is through the creation of an appropriate, proportionate and transparent legal framework. In order to achieve this, further changes are required to the current draft Codes of Practice."
techUK cited a lack of clear definition of what constitutes a communications service provider (CSP); failure to clearly define the extensions to the categories of data to be retained; and a lack of clear guidance on how specific professions, such as journalists or lawyers, would be identified or handled; failure to provide any further definition on what constitutes a journalist; or any special consideration for whistleblowers.
Walker continued: "It's right that we ensure that legislation keeps pace with changes in technology and that where appropriate, legislation is updated. However, when this happens, it's essential that time is given to allow for effective consultation and parliamentary scrutiny. Without that there is real risk that public confidence will be undermined. We hope that when new legislation is bought forward in 2016, sufficient time will be allowed for informed discussion and debate on an issue that goes to the heart of the value of a democratic society."