Don't Emulate the United States' Terrible Surveillance Oversight, Britain
Update: As predicted, DRIP has already become law: it received royal assent on Thursday July 17, 2014.
The UK government is currently forcing through Parliament a wide-ranging set of changes to that country's digital surveillance and data retention law. The pace of the progression of the new amendments, called the Digital Retention and Investigatory Powers Bill (or "DRIP") has been astounding. Introduced without warning last Friday, if not opposed by peers in Britain's House of Lords, it looks like it may become law within the week.
Opponents of the bill are having to work as individuals, as the leadership of all the major parties support the bill, including Labour, the main opposition party, and governing coalition partners the Liberal Democrats, despite that party's historic reputation for defending civil liberties. The price for these parties' support appears to have been a handful of minor concessions to allow further oversight.
That price is far too low. The oversight proposals appear to be based on the United States' surveillance review mechanisms: a privacy and civil liberties oversight board modeled on the United State's board of the same name, and a sunset (expiry) date on the legislation. Both of these approaches have proven to be failures within the United States.
DRIP's sunset proposals are an echo of the same clauses in the United States' PATRIOT Act, where expansive wiretapping clauses written in the weeks after 9/11 were built to expire on December 31, 2005. Like DRIP, the sunset provisions were an attempt to mollify those concerned that the legislation was rushing through emergency measures without due consideration. Thirteen years later, and four sunsets later, none of these temporary provisions have been substantially reformed, moderated or revoked. It seems to be a law of nature: just as the sun always rises after a sunset, so sunset clauses are always renewed.
If British members of parliament believe they will be given more scope from a future government to re-consider their decisions after a sunset period, they should ask themselves what will make the future different from today, when existing oversight bodies such as the UK's Intelligence and Security Committee and the House of Lords Constitution Committee have been ignored.
The misadventures of the United States' Privacy and Civil Liberties Oversight Board are even less inspiring. Created in 2005 on the recommendation of the Senate 9-11 Commission, the PCLOB operated for barely a year before being caught between disputes between Congress and the Presidency. One of its members resigned over Whitehouse interference. Between January 2008, and May 2013, the PLOB lacked members and was effectively non-existent. While the newly-reformed independent executive agency has subsequently been critical of the NSA's domestic surveillance program, this has largely been in response to the Snowden documents, and the impact of its reports has so far been limited.
True oversight means being time to consider the issues at length, and with technical and policy assistance. Britain is not the only country in Europe responding to the revocation of the Data Retention Directive. To avoid violating EU law again, its politicians should consult with other countries to develop a consistent and rights-friendly surveillance policy. Britain's PCLOB is so far based on a promise: it is not mentioned in DRIP bill, and has been given no statutory powers. An oversight body needs the right to subpoena, and the right of access to technical expertise. It should be a Parliamentary institution, not a board that reports to the Prime Minister. Better still, open judicial review of surveillance warrants should be introduced, rather than the secret and executive-driven model currently mandated by UK law.
As Labour Member of Parliament Tom Watson notes, the urgency ceded by Britain's opposition parties to DRIP's passage make little sense. The government claims that the law needs to be passed quickly to re-impose data retention on ISPs after the Europe-wide Data Retention Directive was revoked as a violation of European human rights by the EU's Court of Justice (CJEU). But the CJEU's decision was in April; any legal challenge to continuing data retention within the United Kingdom would take at least seven months to complete. Besides, the point of the CJEU's decision was that data retention requires greater oversight and better consideration of human rights, not less. To ram through a blunt data retention bill while postponing or evading the civil liberties consequences is exactly the opposite of the intent of that court.
At best, these rushed proposals simply buy the government more time for its unnecessary and disproportionate surveillance measures before they are eventually struck down once again by the European Courts. At worse, Britain is running blindly into an unsafe regime of mass data collection and analysis that we already know to be violations of European human rights law, with public oversight systems that has been proven by the United States to be woefully insufficient.