Data sharing, the protection of official data, and just plain old data protection have been keeping senior Whitehall mandarins very busy of late—but there’s a deeply troubling side effect for journalists, privacy campaigners, and anyone who wants to hold truth to power.

The freshly passed Investigatory Powers Act and the soon-to-be waved through Digital Economy Bill have presented an opportunity for Downing Street to help justify its push for an aggressive overhaul of the UK’s four aged Official Secrets Acts (1911, 1920, 1939, 1989). Critics have said that it is an alarming move that could allow the government to crack down on whistle blowers and anyone reporting on the leaks with impunity.

Key proposals for an overhaul of the UK's espionage law have alarmed journalists and whistle blowers: Clarifying the scope of espionage type offences and those related to making unauthorised disclosures.

Proposed increased maximum sentences to reflect the seriousness of some conduct.

New measures to ensure sites are protected if necessary to safeguard national security.

Making clear that the criminal offences protecting sensitive information apply whether the conduct takes place at home or abroad.

Simplifying and modernising the language to remove anachronistic terms like “code words” and “enemy” and replacing them with language that will future proof the legislation.

Providing a process for concerns about illegality and impropriety to be investigated in an independent and rigorous way which is compliant with the European Convention on Human Rights.

A recent review requested by the Cabinet Office and carried out by the Law Commission concluded that the current legislation should be reformed to make it fit for the post-Snowden age. An Espionage Act was proposed to try to keep a lid on the leaking of sensitive government information. And a public consultation process quietly lurched into view, following an "exclusive" in the Daily Telegraph, which also printed, in full, law commissioner David Ormerod’s justification for bringing in such reform.

"Before the digital era, anyone engaging in espionage would be limited as to how much information they could access," he wrote. "But now online communications and storage means the volume of information and associated risk is of a very different scale."

Ormerod insisted that the "proposals aren’t about gagging people who have real concerns," before adding that spook whistle blowers "should have a direct reporting mechanism to someone independent of their agency"—it would presumably allow the government to try to keep sensitive, messy, and embarrassing leaks confined from the outside world.

Such an overhaul to the law, as noted by investigative reporter and computer forensics expert Duncan Campbell, doesn’t only apply to whistle blowers, but it would also reel in journalists, NGOs, hackers, and other individuals "who obtains or gathers" official information, following a tip-off from a leaker. Under the proposals, a jail term of two to 14 years could be dished out for those found to have committed a criminal offence, be they based in the UK or abroad.

How Farr will you go?

So far, the government has sought to distance itself from any suggestion that an Espionage Bill could be laid before MPs as early as May during the state opening of parliament. Downing Street was also keen to stress that the review was commissioned under the request of ex-prime minister David Cameron’s administration.

What Downing Street doesn’t tell you, however, is that the timing of the review came just a short while after ex-MI6 man Charles Farr, 57, arrived at the Cabinet Office—a senior security mandarin who remained in his post despite the change of guard at Number 10, following Britain's vote to leave the European Union.

For anyone well versed in recent British spook history, Farr is a familiar—if shadowy—name. He is the camera-shy architect behind the Snoopers’ Charter in its many guises under successive governments and worked, for years, with then home secretary Theresa May in shaping the Investigatory Powers legislation. It was finally passed by distracted (Brexit) and disarrayed (Labour in-fighting) MPs and peers in late 2016.

Farr was appointed not only as the chair of the Joint Intelligence Committee, but also as the professional head of intelligence analysis at the Cabinet Office in December 2015—the same month that the Law Commission’s review of the leaking of sensitive government data was requested by Downing Street. Before moving to the Cabinet Office, Farr—described as hawkish and tetchy, according to a must-read Sunday Times profile from 2012—had held the role of counter-terrorism chief at the home office.

And, in a rare appearance before a Home Affairs Select Committee five years ago, Farr said that there were no pictures of him online, adding that he wanted it to stay that way. Labour MP and the panel's then chair Keith Vaz retorted: "Everyone knows what you look like: you look like an older version of Harry Potter."

Nonetheless, Farr likes to remain in the shadows.

The Cabinet Office, when repeatedly quizzed by Ars about whether Farr had advised the government to pursue a Law Commission review on sensitive government data leaks, refused to confirm or deny any involvement from the top spook.

"We're not going to give out any further information about it," a spokesperson said. "The decisions that were made are kind of made by the Cabinet Office, and we're not going to be handing out officials' names... we've given all the information that we can." When pushed on whether Farr had recommended the review of the protection of official data to ministers, the spokesperson simply told us: "We're not going to comment on it."

The Law Commission told Ars that the official government request had come from then Cabinet Office minister Matt Hancock—who was demoted to cover the digital brief at the department for culture, media, and sport when May became PM. But it claimed not to know who was steering the policy from within Whitehall.

Its mandate, agreed with Cabinet Office officials, was "to consider the extent to which the relevant legislation effectively protects official information." The Law Commission also noted:

We are aware of the existence of those who disagree with the proposition that the unauthorised disclosure of information should be criminalised. Our terms of reference did not permit us to question this underlying assumption. We do firmly believe, however, that certain categories of information require the effective protection of the criminal law and that it is necessary to ensure sensitive information is safeguarded against those whose goal is to obtain it contrary to the national interest.

And while it talks at length in the review about how "public interest" should be defined, it doesn't once offer up the same scrutiny for what it means by "national interest"—a term wheeled out time and time again by Farr and his former colleagues when justifying the sweeping powers demanded within the Snoopers' Charter to massively ramp up surveillance of Brits' online activity.

Data sharing across Whitehall and beyond will mean more leaks

Hancock, these days, is the government's cheerleader for the Digital Economy Bill—which is currently winging its way with ease through parliament. However, controversial provisions within Part 5 of the draft law fail to offer any safeguards for plans to share citizen data more widely. And everyone from privacy campaigners to doctors are deeply concerned about the government's plans.

The draft law is name-checked a number of times in the Law Commission's Protection of Official Data review, where it explores the wobbly "legislative landscape" on personal information disclosure offences in the UK. "The provisions contained in the Digital Economy Bill do not streamline the legislative landscape, but rather add to it. From a theoretical perspective the legislative landscape looks irrational, dispersed, and lacking in uniformity," it said.

It went on to discuss the "practical implications" by arguing that "the potential for the offences to overlap is likely to be increased when the Digital Economy Bill receives the Royal Assent," seemingly in a clear acknowledgement that more leaks of sensitive government information will take place. Notably, the Law Commission failed to once mention the EU's upcoming General Data Protection Regulation, which Hancock has said will be implemented in full in 2018—in part to allow online businesses to continue to transfer data between the UK and the soon-to-be 27-member state bloc.

Ars sought comment from the Law Commission, but it declined to directly respond to our question about the review skirting over the GDPR. It told us: "Our consultation seeks views on proposals which look to meet 21st century challenges whilst ensuring that people do not commit serious crime inadvertently. We have made clear that the law relating to protection of personal data is far from clear and is evolving rapidly and, as part of this project, have called for a wider review of that area."

The DCMS has since confirmed plans to carry out a review of data protection offences.

Hey, Farr out

Meanwhile, the Cabinet Office's official line on the controversy around any planned Espionage Act remains seemingly dismissive of a review that appears to have been recommended by May's long-term senior security aide, Farr. It told Ars:

We believe in the freedom of the press, and would never do anything to undermine legitimate whistleblowing or investigative journalism—it’s not government policy and never will be. One of the purposes in reviewing the Official Secrets Act is to examine whether safeguards for whistleblowers and journalists need to be strengthened as we make sure the legislation is fit for the digital age.

Brits wishing to challenge the Law Commission's review have until April 3 to wade in. It's worth noting that the majority of its legislative reform recommendations have historically been implemented by the government of the day.

Update

In response to a Freedom of Information request from Ars, the Cabinet Office told us on May 12 that "Farr did not set the terms of reference of the review." It added: "The terms of reference were agreed between the Law Commission and government departments, including the Cabinet Office, in line with protocol."

Readers might be surprised that the Cabinet Office failed to be forthcoming with this information when pressed, several times, on the nature of Farr's involvement with the Law Commission's review of the protection of official data. We were also told that Farr's remit at the Joint Intelligence Organisation "does not include steering policy on the protection of data within Whitehall."