National Security Surveillance in the United Kingdom

November 14, 2023

Executive Summary

  • Introduction. The UK’s security services have a high level of technical capability and robust authorities to conduct electronic surveillance and collect data to protect national security.
    • The legal environment governing national security surveillance in the United Kingdom has changed profoundly in the last decade.
      • Until recently, the services’ capabilities and authorities had been shrouded in both secrecy and legal obscurity.
      • Since 2016, these powers have been authorized and constrained by a comprehensive statutory regime, the Investigatory Powers Act 2016.
  • Agencies that conduct national-security surveillance. In the UK, electronic surveillance for national security purposes is conducted by the three principal intelligence and security agencies: the Security Service (MI5), the Secret Intelligence Service (MI6), and Government Communications Headquarters (GCHQ).
    • GCHQ collects signals intelligence to inform national security, diplomacy, and defense.
    • MI5, the principal domestic security service, protects the UK from terrorism, espionage, subversion, and other threats.
    • MI6 collects foreign intelligence relevant to foreign policy, defense, and other national priorities.
    • None of these agencies has a law-enforcement role. When the ultimate goal of an investigation is prosecution, they must liaise with police or other criminal-enforcement agencies.
      • In the UK, surveillance intercepts cannot be introduced into evidence in criminal prosecutions.
  • Process and standards for approving surveillance. The legal regime for authorizing surveillance changed dramatically with the Investigatory Powers Act 2016 (IPA).
    • Traditionally, warrants to conduct surveillance were issued by the Secretary of State (i.e., the relevant minister: the Home Secretary for MI5 and the Foreign Secretary for MI6).
    • The IPA added to this system a new “double lock”: warrants approved by the Secretary of State must now also be approved by a Judicial Commissioner, a serving or retired judge specially designated to perform this function.
  • Warrants. The process for surveillance begins when the head of one of the three services, or the chief of Defence Intelligence, applies to the relevant minister for a warrant.
    • Under the IPA, targeted warrants fall into two categories: targeted interception warrants or targeted examination
      • Examination warrants permit the service to examine material relating to a person in Britan that was previously collected under a bulk interception warrant (those are discussed below).
    • The Secretary of State may issue an interception warrant for any of the purposes specified in the Act.
      • These include national security, preventing or detecting serious crime, the economic well-being of the United Kingdom (within certain limits), or giving effect to the provisions of a mutual assistance agreement.
    • The minister personally approves the application after finding that it is necessary and proportionate.
    • A Judicial Commissioner then reviews the determination of necessity and proportionality. The Judicial Commissioner does not review the Minister’s findings de novo; instead, a more deferential administrative-law standard applies.
    • If the Judicial Commissioner denies the warrant, the requesting official can seek reconsideration by the Investigatory Powers Commissioner, whose decision is final.
    • Interception warrants are valid for six months.
  • Retention notices. The Secretary of State can serve telecommunications providers with “retention notices,” which compel them to retain specified data (but not content) for up to 12 months.
    • Retention notices do not require the approval of a Judicial Commissioner.
  • Bulk collection. The IPA also permits agencies to conduct untargeted bulk collection.
    • To acquire bulk communications data from a telecommunications operator, the services must obtain a special bulk interception warrant.
      • The process parallels that for ordinary warrants; however, bulk warrants must serve one of the specified “operational purposes” on a secret list maintained by the relevant minister.
    • Bulk acquisition can only be used to collect metadata.
    • Metadata is defined broadly, however, and can include such data as the location of mobile and fixed-line phones from which calls are made or received, the location of computers used to access the internet, the identity of a subscriber to a telephone service or a detailed telephone bill, websites visited from a device, email contacts, map searches, GPS location, and information about devices connected to a Wi-Fi network.
    • The bulk techniques permitted for foreign surveillance, which includes one-end-foreign communications, are more intrusive and allow for the collection of content rather than only metadata.
  • Hacking. Agencies must also obtain warrants to conduct “equipment interference,” such as hacking, for investigatory purposes.
    • Bulk equipment interference is permitted only outside of Britain.
  • Ex post oversight. Primary responsibility for oversight of national security surveillance falls to the Investigatory Powers Commissioner (IPC), a new office created by the 2016 Act.
    • The Commissioner, a current or former judge, is tasked with reviewing both targeted and bulk surveillance conducted by the security services, with a particular focus on safeguards intended to protect privacy.
    • The Commissioner can initiate his or her own oversight reviews, including both thematic reviews of capabilities and focused probes of alleged errors or misconduct.
    • The security and intelligence services are required to provide the IPC with all necessary documents and information.
    • The IPC produces an annual report to the Prime Minister, which must be laid before Parliament and released to the public after needed redactions.
  • Redress. A separate body, the Investigatory Powers Tribunal, investigates and provides redress for surveillance errors committed by the security services and the police.
    • The security services are required to provide the Tribunal with information needed to adjudicate complaints, regardless of security classifications.
    • In order to protect classified information, the Tribunal can sit in closed session without the complainant present.
    • The IPT’s public decisions consist of a statement either that it has found in favor of the complainant (i.e., that there has been unlawful action against the complainant) or that “no determination has been made in his favor” (thus neither confirming nor denying whether any surveillance occurred).
      • When a claim succeeds, the IPT may award compensation and order such other remedies as it sees fit.
    • The Investigatory Powers Commissioner assists the Tribunal in investigating the complaint if needed.
    • The right to complain to the Tribunal is not limited by nationality.
    • When the Investigatory Powers Commissioner, during one of his or her own investigations, discovers that a person was affected by a serious error, the Commissioner must inform that person of his or her right to apply to the Tribunal for remedial action.
  • Parliamentary oversight. Parliamentary oversight is conducted by the Intelligence and Security Committee, which consists of members from both Houses of Parliament.
    • The Committee reviews the policies, finances and administration of the agencies, but not specific operations.
    • The Committee also reviews the “list of operational purposes” for which the agencies are permitted to conduct bulk surveillance.
  • Transparency. The debate surrounding the Snowden disclosures has led to greater transparency around national-security surveillance in the UK.
    • The 2016 Investigatory Powers Act subjected previously unacknowledged surveillance techniques to a detailed, public, comprehensive code, with stronger procedural safeguards.
    • The annual reports of the Investigatory Powers Commissioner provide a wealth of detail, in contrast to the brief and heavily redacted reports of the predecessor institutions.
      • These include data on the numbers of authorizations and detailed accounts of the oversight activities (such as inspections) conducted in relation to each agency and the various types of surveillance.

Download Full Paper

Ian David Leigh

Emeritus Professor of Law, Durham University