Regulation is in the news again as a result of the Home Office blocking surveillance expert Eric Kind from taking up his role as Head of Investigation at the Investigatory Powers Commissioner’s Office (IPCO) – the newly created agency responsible for regulating organisations managing surveillance, including the Home Office. Ordinarily, it would be unheard of for a regulated organisation to be able to veto the appointment of staff to their regulator, particularly one established through statute as being independent. However, the Home Office was able to do so here by refusing to issue the security clearance required for Kind to do his job. The Investigatory Powers Commissioner, therefore, can’t override this decision, the Home Office doesn’t have to explain their reasoning, nor is there an appeal process.
Behaviour like this can lead to regulatory capture – where the influence of the regulated organisation changes the effect of regulation to direct away from the public interest and toward the interests of the organisations being regulated. The mechanism of blocking security clearances is specific to activities relating to the military and intelligence, but the phenomenon of regulatory capture is more widespread. Consequently, regulatory capture has been well studied, and there’s a body of work describing tried and tested ways to resist it. If the organisations responsible for surveillance regulation were to apply these recommendations, it would improve both the privacy of the public and the trust in agencies carrying out surveillance. When we combine these techniques with advanced cryptography, we can do better still.
Regulatory capture is also a problem in finance – likely contributing to high-profile scandals like Libor manipulation, and payment-protection-insurance misselling. In previous articles, we’ve discussed how regulators’ sluggish response to new fraud techniques has led to their victims unfairly footing the bill. Such behaviour by regulators is rarely the result of clear corruption – regulatory capture is often more subtle. For example, the skills needed by the regulator may only be available by hiring staff from the regulated organisations, bringing their culture and mindset along with them. Regulators’ staff often find career opportunities within the regulator limited and so are reluctant to take a hard-line against the regulated organisation and so close off the option of getting a job there later – likely at a much higher salary. Regulatory capture resulting from sharing of staff and their corresponding culture is, I think, a key reason for surveillance oversight bodies having insufficient regard for the public interest.
The Home Office didn’t comment officially on why they refused Kind’s clearance, but the likely reason was his “previous work and associations”. He is a rare example of someone who has the technical and legal expertise to understand the complex issues surrounding surveillance, but who has established these through working for civil society – promoting human rights – rather than having worked in the surveillance industry. IPCO likely hired him for precisely this reason, but that didn’t fit the culture dominant within the group who frequent the revolving door between the surveillance agencies, their suppliers and the regulatory organisations.
We can do better. The problem of regulatory capture has been well studied, and solutions are available. Surveillance regulators, in my experience, seem less aware of this body of work, in contrast to the medical, health and safety and financial regulators. Wading into decades worth of management and economics research is intimidating, but there’s text-book – Preventing Capture: Special Interest Influence and How to Limit It – summarising the issue and the conclusion helpfully describes preventative measures and experience of regulators applying them. Neither this book, nor other research I’m aware of, explicitly covers regulatory capture in the context of surveillance oversight, but the general approaches discussed can all be implemented, sometimes with adaptation.
For example, the book points out the advantages of a building a regulatory staff with diverse viewpoints and independent expertise. Supporting surveillance research in academia and civil society, including through greater transparency of legal interpretations and technical implementation, would help create a pool of expertise distinct from the surveillance industry. Once these people are at the regulator, we need to allow them to advance their career without having to move into a regulated organisation. We should pay regulators well but also recognise their critical status within society by celebrating when they detect or prevent unlawful activities, just as we (too infrequently) celebrate medical regulators who protect lives.
Scrutiny from journalists and representatives of the public is another approach to mitigate regulatory capture. Within surveillance, the secrecy around specific cases and techniques usually prevents such intervention. This problem was our motivation for building VAMS – a system that allows the public, journalists, and civil society to audit surveillance activity but with cryptographic protection of sensitive content and a distributed ledger to prevent miscreants from re-writing history. The system doesn’t remove the need for a regulator – checking criteria such as “necessary and proportionate” needs analysis of the details and human judgement – but VAMS allows for external validation of some regulatory activities.
Technical solutions aren’t the whole answer to preventing regulatory capture, but they can facilitate solutions already developed and potentially create new ones. The first step to taking advantage of research here is to recognise the problem, and this article is hopefully motivation for discussing regulatory capture in the context of surveillance oversight. I hope that experts in the regulated fields, working for and with regulators, also take advantage of management and economics research dealing with regulatory capture because, as I’ve found, there’s much value here to discover.
That’s a real shame. Eric has done excellent work and would have been a great choice.
wg
I have seen a similar situation arise with the Information Commissioner’s Office and Her Majesty’s Court and Tribunal Service (HMCTS). Lawyers are too afraid to investigate the HMCTS where the very low ranking judiciary are involved (n.b. senior judges are not corrupt and do not need investigating) and the ICO is unable to make any effective orders. I have yet to find a trustworthy news organisation which is prepared to cover this issue. If any journalists are reading this please contact me
This is interesting. Regulatory capture as gone on unperturbed for years and should be halted