History of the UK Regulators' concerns regarding Local Authority use of social media monitoring
In October 2019 Privacy International sent Freedom of Information Act requests to every Local Authority in Great Britain in relation to their use of social media monitoring. You can find our report here.
Below are extracts from the annual reports of the The Office of Surveillance Commissioners (OSC) and Investigatory Powers Commissioner (IPC) which relate to Local Authorities use of social media monitoring.
The Office of Surveillance Commissioners (OSC) and subsequently the Investigatory Powers Commissioner (IPC) regulate and oversee how public authorities use the investigatory powers available to them under existing law.
- Use of social media monitoring by Local Authorities has been a concern since 2011. All public authorities have struggled with the use of the Internet for investigations, particularly social network sites.
- In cash-strapped public authorities, it might be tempting to conduct online investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates etc. But just because one can, do not mean one should.
- Perhaps more than ever, public authorities now make use of the wide availability of details about individuals, groups or locations that are provided on social networking sites and a myriad of other means of open communication between people using the Internet and their mobile communication devices.
- [O]ne major consequence of the OSC inspections has been the emergence, during the course of discussions, of investigations being made by public authorities through use of social media and the Internet. When individuals choose to go public or advertise themselves, they cannot normally complaint that those who look at their social media sites are disregarding their rights to privacy. However if the study of an individual site becomes persistent, issues under the legislation may arise.
The Chief Surveillance Commissioner, The Rt Hon Sir Christopher Rose’s Annual Report 2011 - 12 did not refer to social networks but to overt investigations using the internet as a surveillance tool, stating that:
“5.17 A frequent response to my Inspectors’ enquiries regarding a reduction in directed surveillance is that ‘overt’ investigations using the Internet suffice. My Commissioners have expressed concern that some research using the Internet may meet the criteria of directed surveillance. This is particularly true if a profile is built by processing data about a specific individual or group of individuals without their knowledge.
5.18 There is a fine line between general observation, systematic observation and research and it is unwise to rely on a perception of a person’s reasonable expectation or their ability to control their personal data. Like ANPR and CCTV, the Internet is a useful investigative tool but they each operate in domains which are public and private. As with ANPR and CCTV, it is inappropriate to define surveillance solely by the device used; the act of surveillance is of primary consideration and this is defined at section 48(2-4) of RIPA (monitoring, observing, listening and recording by or with the assistance of a surveillance device). The Internet is a surveillance device as defined by RIPA section 48(1). Surveillance is covert “if, and only if, it is conducted in a manner that is calculated to ensure that persons who are subject to the surveillance are unaware that it is, or may be taking place.” Knowing that something is capable of happening is not the same as an awareness that it is or may be taking place. The ease with which an activity meets the legislative threshold demands improved supervision.”
The Chief Surveillance Commissioner, The Rt Hon Sir Christopher Rose’s Annual Report first referred to social network sites in 2012-13 stating that:
“2.4 All public authorities have struggled with the use of the Internet for investigations, particularly social network sites. A particular difficulty is the desire of national bodies to apply a doctrinaire approach which invites error if facts specific to each case are ignored or poorly considered.”
“5.7. I am encouraged by the increasingly mature debate relating to the use of the Internet for investigative purposes, especially the use of social networking sites. It is not always adequate to conflate the off-line with the on-line worlds and I am satisfied that some investigations require authorisation. There are points of detail to work out, particularly in relation to repeated viewing of a publicly available site but, in the main, RIPA Part II can be used effectively. I will continue to support the production of accurate Home Office and ACPO guidance. But it is important to bear in mind that it is not always possible to give definitive answer as to whether particular activity requires authorisation: facts are infinitely variable. Where there is doubt authorisation is prudent.”
The Chief Surveillance Commissioner, The Rt Hon Sir Christopher Rose’s Annual Report 2013-14 referred to social network sites in stating that:
“5.30 This is now a deeply embedded means of communication between people and one that public authorities can exploit for investigative purposes. I am reasonably satisfied that there is now a heightened awareness of the use of the tactic and the advisable authorisations under RIPA that should be considered. Although there remains a significant debate as to how anything made publicly available in this medium can be considered private, my Commissioners remain of the view that the repeat viewing of individual “open source” sites for the purpose of intelligence gathering and data collation should be considered within the context of the protection that RIPA affords to such activity.
5.31 In cash-strapped public authorities, it might be tempting to conduct online investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates etc. But just because one can, do not mean one should. The same considerations of privacy and especially collateral intrusion against innocent parties, must be applied regardless of the technological advances. It is worth repeating something I said in my 2011-2012 report, paragraph 5.18…[see above].
5.32 Access to social networking sites by investigators in all public authorities is something we examine on inspections. Many, particularly the law enforcement agencies, now have national and local guidance available for their officers and staff. However, many local authorities and government departments have still to recognise the potential for inadvertent or inappropriate use of the sites in their investigative and enforcement role. Whilst many have warned their staff of the dangers of using social media from the perspective of personal security and to avoid any corporate damage, the potential need for a RIPA authorisation has not been so readily explained.
5.33 I strongly advise all public authorities empowered to use RIPA to have in place a corporate policy on the use of social media in investigations. Some public authorities have also found it sensible to run an awareness campaign, with an amnesty period for declarations of any unauthorised activity or where, for example, officers have created false personae to disguise their online activities.
The Chief Surveillance Commissioner, The Rt Hon Sir Christopher Rose’s Annual Report 2014-15 stated that:
5.42. Perhaps more than ever, public authorities now make use of the wide availability of details about individuals, groups or locations that are provided on social networking sites and a myriad of other means of open communication between people using the Internet and their mobile communication devices. I repeat my view that just because this material is out in the open, does not render it fair game. The Surveillance Commissioners have provided guidance that certain activities will require authorisation under RIPA or RIP(S)A and this includes repetitive viewing of what are deemed to be “open source” sites for the purpose of intelligence gathering and data collation.
5.43. I am pleased to see that law enforcement agencies have provided and are continually developing detailed guidance to their officers and members of staff about accessing such sites, and the College of Policing is working closely with national leads and other interested parties to ensure a consistent and lawful approach.
5.44. Many local authorities have not kept pace with these developments. My inspections have continued to find instances where social networking sites have been accessed, albeit with the right intentions for an investigative approach, without any corporate direction, oversight or regulation. This is a matter that every Senior Responsible Officer should ensure is addressed, lest activity is being undertaken that ought to be authorised, to ensure that the right to privacy and matters of collateral intrusion have been adequately considered and staff are not placed at risk by their actions and to ensure that ensuing prosecutions are based upon admissible evidence.
In the Annual Report of the Chief Surveillance Commissioner, The Rt Hon Lord Judge 2016-2016 he gave the following examples in relation to social networks:
“Example 1: In one particular public authority, once a task is allocated to an internet desk officer, that officer undertakes research using a non attributable computer which stands alone from the authority’s main network. Although it is said that the staff do not use false personas, the activity they undertake is calculated to be covert so as to minimise the risk of compromise to ongoing investigations. Staff typically undertake research on one occasion, although this singular research activity may extend over several hours and involve research of different social media sites linked to the subject. There is a perception by staff within the unit that investigators are reluctant to, or dissuaded from, making more than one request for research to be undertaken on the same subject. The head of the unit believes that investigators are missing opportunities for securing valuable intelligence by restricting their request to singular research; this is a view shared by the inspection team. Very rarely are any requests for research of open source material or social media supported by an authorisation for directed surveillance. In a twelve month period the unit has processed 3,561 requests for internet research, on just two occasions directed surveillance authorisations supported the activity being undertaken.
Example 2: In another public authority, one matter absent from the various policy and guidance documents is the use of the internet for investigative purposes. This technique of investigation and research is expanding exponentially with all manner of new technology and although some knowledge and awareness was evident during discussion with staff, further guidance and advice would benefit investigators and Authorising Officers alike. The key consideration when viewing publicly available information where no privacy settings have been applied, often referred to as ‘open source’ material, is the repeated or systematic collection of private information. Initial research of social media to establish a fact or corroborate an intelligence picture is unlikely to require an authorisation for directed surveillance; whereas repeated visits building up a profile of a person’s lifestyle would do so. Each case must be considered on its individual circumstances and early discussion between the investigator and the Authorising Officer is advised to determine whether activity should be conducted with or without the protection of an authorisation.”
The Annual Report of the Chief Surveillance Commissioner, The Rt Hon Lord Judge 2016-2017 stated:
“4.3 From time to time my Inspectorate is asked why, given that no authorisation has been granted by an individual authority since the previous inspection some three years earlier, the process of inspection and oversight is necessary. The short answer is unequivocal. While local authorities remain vested with the power to deploy covert surveillance, regardless of actual use, the appropriate structures and training must remain in place so that if and when the powers do come to be exercised, as they may have to be in an unexpected and possibly emergency situation, the exercise will be lawful. So, for that reason alone the process of inspection must continue. There is a further consideration. The inspection may reveal inadvertent use and misuse of the legislative powers. The steady expansion in the use of the social media and Internet for the purposes of investigative work provides a striking example of a potential new problem which came to light through the inspection system. Local authority officials, vested with burdensome responsibilities for, among others, the care of children and vulnerable adults, are, like everyone else, permitted to look at whatever material an individual may have chosen to put in the public domain. This is entirely lawful, and requires no authorisation. However, repeated visits to individual sites may develop into an activity which, if it is to continue lawfully, would require appropriate authorisations. Local authorities must therefore put in place arrangements for training officials into a high level of awareness of these risks. Without the inspection process this problem might never have been identified.
15.2 As discussed earlier one major consequence of the OSC inspections has been the emergence, during the course of discussions, of investigations being made by public authorities through use of social media and the Internet. For example, it may help to show whether counterfeit good are being offered for sale on a Facebook page, or reveal that someone who claims to be living alone as a single parent has a social media page which provides a different story, or perhaps, particularly sensitive, enable a check to be made whether concerns about the welfare of a child or vulnerable adult may be justified. When individuals choose to go public or advertise themselves, they cannot normally complaint that those who look at their social media sites are disregarding their rights to privacy. However if the study of an individual site becomes persistent, issues under the legislation may arise.
15.3 The resources available to the OSC do not enable me to say positively that issues relating to the use of social media sites have arisen or are arising in every local authority. What matters is that this potential certainly exists. Senior officials at local authorities should therefore be made aware of it and have the necessary policy documents and training and awareness arrangements in place to address it. This issue has been recognised in the forthcoming Home Office and Scottish Government Codes of Practice (which will be issued at a convenient date after the introduction of the Investigatory Powers Act 2016). However, in advance of the issue, and because of repeated findings in reports made to me by Inspectors and Assistant Surveillance Commissioners throughout this year, I acted on my own initiative. I therefore wrote to all local authorities in April 2017 explaining my concerns, and urging them to undertake internal checks of the use of social media by no doubt well-intentioned members of their staff, and to ensure that appropriate guidance and training should be provided.
15.4 An extract from the letter reads:
“it has become steadily more apparent that a number of officers working for public authorities, particularly those with responsibilities for the care of children and vulnerable adults have started to use the [social media and internet] sites, acting in good faith and on their own initiative. RIPA issues do not normally arise at the start of any investigation which involves accessing “open source” material, but what may begin as lawful overt investigation can drift into covert surveillance which falls within the legislation. Although the investigation of crime is not normally a “core function” of the Council, the protection of children and vulnerable adults certainly is, and any continuing and deeper study of the social media site in question would only be justified by the exercise of that protective function.
These are complex legislative provisions, and without appropriate training and awareness council officers cannot be expected to appreciate and apply them. They may therefore act unlawfully. Ignorance would provide no defence to them personally, nor to the Council for which they were working.
The Surveillance Commissioners have issued further guidance on this issue, and identified circumstances when an appropriate authorisations under the legislation would be required or advisable. The guidance is available on the OSC website as a public document, with the OSC Procedures Guidance. Note 289 is relevant and I highlight it for your attention.
It would be sensible for an internal audit of the use of social media sites and Internet for investigative or official business made across all departments be undertaken now. That would provide the necessary information about the extent to which formal training or awareness of these complex provisions is required.”
15.5 A copy of this letter was sent to the Chair of the Local Government Association and the national police lead for child protection issues, Chief Constable Simon Bailey of the Norfolk Constabulary.
15.6 As I reported last year, many local authorities have first-class arrangements in place for the use of covert tactics, even if, as a matter of policy, they do not intend to deploy them: others do not. Where necessary arrangements to ensure compliance are not in place, I require a report from the Chief Executive after a given period, say six months, about how the inadequacies have been addressed, and indicating that a further inspection may have to be arranged. There have been, and will continue to be occasional inspection revisits. One such revisit will have taken place by the time this report is published. I should, however, highlight that the problem of the non-compliant local authority should be kept in perspective. These authorities very rarely use or attempt to use statutory powers, and the occasions when they have been in breach of the legislative provisions remain very rare indeed. The point, as one of my Inspectors helpfully paraphrased it, is that while they are vested with these significant powers they should remain “match fit”. The inspection process provides both an encouragement and a check that they are.
In 2017, the Investigatory Powers Commissioner replaced the Surveillance Commissioner. The Investigatory Powers Commissioner, Sir Adrian Fulford’s Annual Report 2017-2018 states:
4.37 Local authority guidance on surveillance does not always address how investigators should use social media or where they may need an authorisation. The 2018 revised Home Office code of practice for surveillance contains helpful advice local authorities can incorporate into their policy documents and training.
4.38 Our inspectors were particularly impressed by Durham Country Council, whose senior responsible officer commissioned a helpful audit across the organisation on the ‘Use of social media in Covert Investigations’, to evaluate and report their system is adequate and appropriate for this purpose. We commend this approach.
The Investigatory Powers Commissioner, Sir Brian Leveson's Annual Report 2018 states:
13.13 In 2018, we focused on the use of social media as part of investigative or enforcement activities. We have found that some councils have updated their RIPA or Regulation of Investigatory Powers (Scotland) Act 2000 (RIP(S)A) policies to include sections on social media, whilst others have added an annex. In many cases, this has reflected the text of the August 2018 Code of Practice (CoP), which we encourage. We have commended programmes to raise awareness of the challenges of working with social media; these have variously included intranet information bulletins and internal training updates. However, we have seen that this approach is not universal and some authorities are yet to recognise the implications of social media for their work, both in terms of opportunities and limitations. We are also concerned that awareness programmes and policies can sometimes only consider ‘key departments’ and do not consider the less obvious ways in which their staff may interact with social media. For example, officers working in the areas of childcare, school exclusions, elderly and social care provision and human resources can inadvertently become involved in activities which constitute surveillance. This means they need to be clear on the legal frameworks which govern their work. We will continue to focus on this area in 2019, to ensure that councils are adhering to the relevant guidelines and are considering the implications of retention for any data they obtain in the context of increased public interest and concern about access to private data.
13.14 We are conscious that providing training for staff not directly involved in surveillance or CHIS activities may appear to be an unnecessary cost for councils. However, we have noted that inexperienced staff who have not been trained are vulnerable to inadvertently straying into activities which may not properly be authorised. We recommend that councils invest in training staff to understand the potential for any actions requiring authorisation, and that there are policies and key people in place within the public authority to which they can turn for further advice. We commonly recommended that individuals who had not received RIPA training since our last inspection should be provided with appropriate refresher training on changes that have come into force in recent years.
* Under the Investigatory Powers Act 2016 (IPA), three precursor organisations were merged to form Investigatory Powers Commissioner’s Office (IPCO) in September 2017. The previous organisations were the Office of Surveillance Commissioners (OSC), the Interception of Communications Commissioner’s Office (IOCCO) and the Intelligence Service Commissioner’s Office (ISComm).