Public authorities and surveillance

Camera 146x219The Office of Surveillance Commissioners has published its annual report. Steve Morris sets out the key issues for public authorities.

On 7 July 2016 the Office of Surveillance Commissioners (OSC) published the 2015-2016 Annual Report.

The report covers the period from 1st April 2015 to 31st March 2016 and should be read by public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)).

We have reviewed the report and below are summaries of comments and sections of particular relevance to public authorities other than law enforcement. (The section numbers from the report are quoted below so that reference to the complete text can be made.)

Reduced use by public authorities Section 2.3.

  • There is substantially reduced number of authorisations by public authorities, most notably local district and borough councils, who do not deploy their statutory powers, or do so very rarely indeed, and do not intend or expect to do so in future.

However, while they remain vested with these powers, the appropriate structures and training must continue to be in place so that if they come to be exercised, the exercise will be lawful.

This reduction could be related to the substantial budgetary cuts faced by councils and the requirement for Magistrates’ Approval (and other reforms), which took effect on 1st November 2012.

Changed arrangements for inspection of local authorities Section 2.10.

  • The OSC is to introduce a new system of inspection for some local authorities where the statutory powers have not been used at all, or have been very rarely used in the last three years since a previous inspection, the process will start on paper, with a request for information. An Inspector or Assistant Surveillance Commissioner will visit the authority if there has been any significant increase in the use of the statutory powers, or if the responses to the OSC paper give ground for concern, or if the authority itself requests a personal visit by an Inspector. There will be no automatic visit.

Irregularities Section 4.18.

  • The total number of reports of irregularities (100) continues to represent a tiny proportion of the total number of authorisations granted during the course of a year. The overwhelming majority are the result of human error.

Section 4.19.

  • Irregularities caused by human error reinforces the need for those with responsibilities for ensuring compliance with the statutory provisions to receive regular, updated training, together with the need for continuing robust oversight by senior officers and managers of the processes. In the case of enforcement agencies, including the police, both these requirements are understood. In relation to some of the public authorities which, facing strains on their financial resources either have ceased or virtually ceased to use the statutory powers, and do not envisage using them in the future, training arrangements can sometimes assume a lowly priority. The view of the OSC is that every single authority vested with the relevant statutory powers should have in place structures and training arrangements which will ensure that the exercise of any such powers, even if arising unexpectedly, will be lawful.

Use of covert powers by public authorities other than law enforcement agencies Section 5.10.

  • From the OSC point of view the principle is clear. The fact that a local authority has elected not to exercise the relevant statutory powers does not remove it from the inspection process. While it retains these powers, which may be exercised at any time, appropriate structures and officials with the requisite training are required.

The “virtual world” Section 2.8.

  • There is a shift towards criminal activity in or by the use of the “virtual world”. This increases the demands on those responsible for covert surveillance. They need an understanding of the technological advances and myriad types of communication and storage devices which are constantly being updated. They also need assistance about how the statutory powers available to them can or should be applied.

Social Networks and the “virtual world” Section 5.17.

  • Patterns of criminal planning are changing to embrace technological advances. Criminals and terrorists are less likely to meet in public, in parked up cars, with police officers using binoculars and longsighted cameras to follow their movements. Social media and private electronic communications provide greater anonymity for the criminals, and enable their activities to proceed on a global scale. This issue was addressed by my predecessor in his last two reports, and the Surveillance Commissioners have issued guidance on the need for appropriate authorisations to cover these developments.

Extract from OSC Procedures & Guidance document

Covert surveillance of Social Networking Sites (SNS)

288. The fact that digital investigation is routine or easy to conduct does not reduce the need for authorisation. Care must be taken to understand how the SNS being used works. Authorising Officers must not be tempted to assume that one service provider is the same as another or that the services provided by a single provider are the same.

288.1 Whilst it is the responsibility of an individual to set privacy settings to protect unsolicited access to private information, and even though data may be deemed published and no longer under the control of the author, it is unwise to regard it as ―open source, or publicly available; the author has a reasonable expectation of privacy if access controls are applied. In some cases data may be deemed private communication still in transmission (instant messages for example). Where privacy settings are available but not applied the data may be considered open source and an authorisation is not usually required. Repeat viewing of ―open source sites may constitute directed surveillance on a case by case basis and this should be borne in mind.

288.2 Providing there is no warrant authorising interception in accordance with section 48(4) of the 2000 Act, if it is necessary and proportionate for a public authority to breach covertly access controls, the minimum requirement is an authorisation for directed surveillance. An authorisation for the use and conduct of a CHIS is necessary if a relationship is established or maintained by a member of a public authority or by a person acting on its behalf (i.e. the activity is more than mere reading of the site‘s content).

288.3 It is not unlawful for a member of a public authority to set up a false identity but it is inadvisable for a member of a public authority to do so for a covert purpose without an authorisation for directed surveillance when private information is likely to be obtained. The SRO should be satisfied that there is a process in place to ensure compliance with the legislation. Using photographs of other persons without their permission to support the false identity infringes other laws.

288.4 A member of a public authority should not adopt the identity of a person known, or likely to be known, to the subject of interest or users of the site without authorisation, and without the consent of the person whose identity is used, and without considering the protection of that person. The consent must be explicit (i.e. the person from whom consent is sought must agree (preferably in writing) what is and is not to be done).

Section 5.18.

  • Inspectors and the Assistant Surveillance Commissioners pay particular attention to the way this developing method of criminal activity is kept under covert surveillance. The topic forms the basis for numerous requests for guidance. Perhaps the most significant feature is that investigating authorities cannot proceed on the basis that because social networking developed after much of the legislation came into force it is immunised from compliance with it. Requirements for appropriate authorisation may arise from the work done by those whose roles do not traditionally fall within RIPA or RIP(S)A. The necessary training and information must be addressed by the Senior Responsible Officer in each authority.

See our blog post on RIPA and social networks.

Common inspection findings Section 5.23

  • Some of the more common areas of criticism revealed in the inspection reports. They must be seen in context. In relation to law enforcement agencies, the standard of applications to and decisions of Authorising Officers for directed surveillance, property interference and intrusive surveillance are generally sound. Much of this is due to increased focus on the statutory requirements, clear internal leadership and investment in training.
  • The greatest complexity arises in the context of CHIS… In the context of social media in particular, it is sometimes difficult to recognise when a CHIS relationship has been established.

See our blog post on common inspection findings.

Section 5.24.

  • Some intelligence cases are too brief, others too long; most are of appropriate length; similarly with reviews, when a pertinent summary of what has happened since the latest update is required with, so far as possible, a simple explanation why the covert activity remains necessary and proportionate;
  • Occasional formulaic considerations given to the potential for collateral intrusion; for the OSC it remains a crucial feature that any authorisation for covert surveillance should be confined to those against whom there are grounds for suspicion, not their families or friends;
  • Authorisations for surveillance tactics and equipment use which, when reviews and cancellations are examined, appear to have been too widely drawn at the outset;
  • The conduct parameters for a CHIS are sometimes unclear and occasionally in such cases, the full extent of risks to the CHIS are insufficiently addressed, or, where the records are required by statute, left incomplete;
  • At cancellation, occasionally more detail is required from the Authorising Officer about the activity conducted, the value of the surveillance, the resulting product, and its management, and whether there has been any tangible or beneficial outcome, together with greater attention to any collateral intrusion;
  • In relation to public authorities the need for training for those vested with surveillance responsibilities is sometimes overlooked, particularly when budgets have been seriously depleted; in the case of adjacent local authorities training costs could perhaps be shared.

This is a summary of the detailed annual report – clearly the OSC places a high value on training (mentioned 19 times!), and indicates difficulties that arise as a result of not providing the training for all personnel involved or likely to be involved in authorised activity.

One emerging trend not addressed in the report is the rise in covert surveillance undertaken without the protection of RIPA when a local authority deems it necessary and proportionate to conduct covert surveillance in relation to preventing or detecting crime which does not meet the six month criteria, or a public authority deems it necessary and proportionate to conduct covert surveillance as part of its legitimate pursuit of responsibilities in relation to public safety, public health, regulation, and enforcement, in compliance with Article 8 Human Rights (commonly known as ‘non RIPA Surveillance’). See our blog post here for more on this issue.

Act Now’s programme of RIPA Courses address all of the issues raised in the report, and those associated with non RIPA surveillance, research and gathering of intelligence as well as evidence from social media. If your training budget is an issue, our online RIPA training is worth trying out. Module 1 is free.

The OSC Procedures & Guidance document (July 2016) has now been re issued and is, for the first time, available to download from the OSC website.

Act Now also has a RIPA policy and procedures manual which is very useful for those revising their RIPA documents. It contains useful guidance for staff on when RIPA applies and how to complete the authorisation forms.

Raise awareness of RIPA in your organisation with our RIPA poster.

Steve Morris is a former police officer who delivers RIPA Courses as well as a course on Internet Investigations for Act Now Training. This article first appeared on the company's blog.