The Snowden Effect
Few Britons were greatly exercised by the Snowden documents. For most of my compatriots, secret intelligence evokes thoughts of Bletchley Park and James Bond rather than the Stasi or extraordinary rendition. But the U.K. intelligence community (UKIC) was not immune from the damage caused worldwide by decreased trust on the part of service providers and their customers. Further pressure was applied by a series of legal challenges, some of them successful at least in part, in which the Snowden documents were deployed in the U.K. and in Europe.
The British government and the UKIC itself appear to have concluded that in this new and more contested environment, their interests are best served by greater transparency and stronger oversight.
These aims have been pursued in two different ways. First, since 2013, traditional parliamentary and judge or lawyer-led oversight mechanisms have grown some promising new teeth. Three reports of December 2017 (issued by the Intelligence and Security Committee of Parliament, the Interception of Communications Commissioner and the Intelligence Services Commissioner) illustrate their improved bite. In addition, I was myself asked to report on UKIC activities in 2015 and 2016. Each of those reports is referenced below.
Second, for the purpose of learning rapid lessons from recent terrorist attacks on the U.K., the current Home Secretary devised a new hybrid: the detailed internal review of agency decision-making practices, assessed and quality-assured by an independent person. As the person selected for this task I sought to approach it in the manner of a gadfly on the hide of the beast. An unclassified version of my conclusions, referenced below, was also published in December 2017.
The past five years have seen three principal types of independent intelligence review, not counting the judicial activities of the Investigatory Powers Tribunal and the European courts.
First, the Intelligence and Security Committee of Parliament (ISC), with its staff increased and its powers extended to operational matters, has published some detailed and incisive reports. The perceived independence of the ISC has been much improved by provision for it to elect its own chair—a feature not imitated in Canada's current plans for a National Security and Intelligence Committee of Parliamentarians.
Second, the retired appellate judges entrusted with the oversight of specific aspects of intelligence activity are in the process of being replaced by the Investigatory Powers Commissioner's Office (IPCO), a larger, more powerful and outward-facing regulator headed by the serving appellate judge Sir Adrian Fulford. Sir Adrian and his judicial colleagues, supported by legal and technical staff, will combine traditional oversight functions (well illustrated in the December 2017 report of the Interception of Communications Commissioner, though IPCO’s predecessors have been characterised as inconsistent) with a prior approval function in relation to all domestic and overseas warrants.
Fulford is not an ex-member of the Trotskyist Socialist Action League, in the manner of New Zealand’s redoubtable inspector general of the intelligence services, Cheryl Gwyn. But in the early weeks of his tenure, he has started to demonstrate his full independence by a clear declaration of intent where the supervision of intelligence-sharing is concerned, by tangling publicly with GCHQ and by appointing to his staff (subject to security clearance) some prominent non-government figures.
Third, and less formally, while serving as Independent Reviewer of Terrorism Legislation (IRTL) from 2011-2017, a position about which Lawfare’s Benjamin Wittes wrote in 2012, I was twice commissioned as a security-cleared independent lawyer to lead ad hoc reviews of UKIC activities. The first of those reports, A Question of Trust, became a blueprint for the Investigatory Powers Act 2016. The second, published in August 2016 during the passage of that bill, evaluated the operational case for the various bulk powers used by the UKIC (interception, equipment interference or CNE, storage of metadata, bulk personal datasets). Taking inspiration from the work of the Privacy and Civil Liberties Oversight Board and National Academy of Sciences in the U.S., and supported by 60 case studies, it is probably the fullest available open-source account of how such capabilities are used outside the United States.
There can be no substitute for what each of those three mechanisms provides: the conduct by independent, security-cleared people of their own reviews into UKIC activity. But the terrorist atrocities that occurred between March and June 2017 in London and Manchester resulted in a new and unusual variant: “assurance” by an independent security-cleared scrutineer of detailed internal reviews conducted by MI5 and Counter-Terrorism Policing (CT Policing) into their own handling of pre-attack intelligence relating to those who perpetrated the atrocities.
Intensive work by large teams at both MI5 and the police enabled nine highly classified reviews to be completed by the start of November, covering 1,150 pages. The reviews constituted a minutely detailed account of the intelligence picture prior to each of the attacks—which should be of assistance to future inquests and inquiries—alongside 126 recommendations for operational improvement, some of them rather radical.
As the chosen scrutineer, though by now an ex-IRTL, I sought to influence this process as best I could by embedding myself for long periods of time within Thames House (the London home of MI5) and New Scotland Yard (from where Counter-Terrorism Policing is led), attending internal meetings, requesting internal documents, and generally making a nuisance of myself. As I wrote in my December 2017 public report, which was accompanied by a highly classified letter for the attention of the prime minister and others:
I formed a positive impression of the integrity of the review teams both at MI5 and CT Policing, and found most of the work with which I was presented, even at an early stage of the process, to be of a good standard. But given the request for assurance in my letter of instruction, it was necessary to test the product as rigorously as I could, and where possible to suggest improvements.
Accordingly, on what must have been (in total) many hundreds of occasions I made specific comments on drafts, asked for proof of assertions, requested documents and briefings, identified issues to be confronted, asked for more thorough accounts, suggested the restructuring of reports, challenged assertions that errors were inconsequential, advised that sensitive material was relevant, discouraged complacency and generally sought to promote the value of self-criticism. On a limited number of issues I also made the case, sometimes forcefully, for the consideration of specific operational improvements or for further-reaching recommendations than previous drafts had been prepared to contemplate.
Some of my suggestions or comments precipitated vigorous discussions, some were more appealing to MI5 than to the police or vice versa, and one or two proved controversial. But all were received with courtesy, many were taken up with enthusiasm, and every one was given effect wholly or in substantial part.
Would I recommend this kind of “independent assurance” as a model to others? Not in all circumstances. When large institutions are commanded to perform internal reviews, it is always possible that they will react by going through the motions, or digging defensive redoubts. Even when a window is opened to change, it can close again before long. An outsider who is there to comment rather than to direct an investigation risks being dismissed as a mere irritant by those whose conduct is being examined. Furthermore, association with a process managed by others risks damage to the reputation of the independent person—a danger of which I was acutely conscious.
But on this occasion—though the final verdict is for others to reach—it seemed to me to work well. There were two reasons for this.
First, the shock of successive multiple-casualty attacks had rendered the security services, for a time at least, genuinely open to the possibility of radical change. This enabled agreement to major reforms in relation to the setting of data-driven tripwires for former subjects of interest, the joint working arrangements of MI5 and CT Policing, the release of more knowledge derived from intelligence to local police and agencies, and the removal of outdated distinctions in the way that different types of terrorist threat are assessed and responded to. These and other changes are summarised, to the extent that it was open to me to do so, in my unclassified report.
Second, the fact that these recommendations were generated by MI5 and CT Policing should mean that these organizations are fully invested in implementing those recommendations—something that cannot always be said of external recommendations, which may be perceived within the organisations concerned as misguided or founded on an incomplete understanding of their operations.
I have been asked to monitor the implementation of the recommendations reached in the internal reviews. I look forward to doing so over the next 12 months and to sounding the alarm with the government and with Parliament if there is no follow-through on current good intentions.
The U.K.'s first experience of “internal assurance” was, I believe, a positive one. It produced more detailed and useful recommendations in a short period of time than an independently led review is likely to have done, yet was, in certain respects, more rigorous and more radical than might have been expected of a purely internal review.
But the new “internal assurance” hybrid makes sense only in limited circumstances, such as those which prevailed after the attacks of 2017. The openness to transformative change that followed the shock of those attacks cannot be expected to continue indefinitely. Independent external review of intelligence activity, as it has been strengthened over the past five years, remains the best guarantee that our laws and our liberties are being respected.