The Regulation of Investigatory Powers Act
None of the major US companies regards itself as compelled to comply with UK RIPA warrants. And a jolly good thing this is too, you might think. But this isn't a case of them taking any kind of moral stand, and it isn't a case that they take a cavalier attitude to local law. It's because they can't comply with RIPA warrants.
The Woolwich report quotes the Home Office as saying "complying with RIPA would leave US companies in breach of US legislation (including the Wiretap Act in relation to lawful interception)". US companies can and do comply with requests from Britain's NTAC (National Technical Assistance Centre, a body largely staffed by GCHQ) if under the US Electronic Communications Privacy Act (ECPA) the company believes in good faith "that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay".
But that clearly only works if the UK spooks are aware of that immediate danger of death, and in this case they weren't. Say Facebook had spotted the message - would it have been reported? Not necessarily, because it's clearly going to be rather difficult to distinguish between random nutjobs making daft threats and actual homicidal maniacs who really are going to kill somebody in a few months' time.
But say it was spotted, say it was reported. Probably, the FBI would be the first stop, and then the threat might have made its way across the Atlantic via various channels until it was in the hands of MI5 and GCHQ. One might speculate that this would take a while, and that there would be plenty of opportunity for someone along the chain to write "no further action" on the message.
Note also that it's reasonable for US CSPs to be nervous about proactively passing information on their users to foreign law enforcement agencies. Say they'd found this post, say they'd been absolutely certain that this was a British (or at least non-US) citizen talking about a crime he proposed to commit in the UK, then they probably wouldn't be laying themselves open to trouble with the US authorities if they tipped off the British spooks. But if they weren't sure about these things? Neither the US CSPs nor the security agencies will want to do anything that would put them in breach of US law - they've quite enough trouble in that department already.
That's clearly not ideal, but it's about the best you're going to get at the moment. In the absence of an obvious and immediate threat to life, the Brit spooks' best bet is the US-UK Mutual Legal Assistance Treaty. An MLAT request for assistance in an investigation is made via the US authorities, and it gives the US company in question authority to share information with the UK. From the point of view of the US CSPs MLAT is probably the tidiest and safest way to comply with a UK request: but as the report points out, the average time taken to turn one of these requests around is 286 days. The ISC still thinks MLAT is useful in criminal prosecutions where there is evidence of wrongdoing, but "where the aim is to determine the threat posed by individuals and there is as yet insufficient evidence for criminal prosecution," it's of no use whatsoever.
Now compare and contrast with how RIPA operates in the UK. If the security services want an individual's communications data, they apply for a RIPA warrant via the Home Office. This requires a justification that it is both necessary and proportionate, and the various investigations into Adebowale and his co-conspirator Michael Adebolajo mainly failed to meet that threshold. They were Subjects of Interest, but the security services largely failed to find sufficient evidence to warrant more intensive surveillance.
Unless they've concocted an amazingly widespread and complex cover story, the report does seem to suggest that here we have largely honest coppers and internal-security spooks being correct and proportionate about the people they bug (which, reading around the report's redactions, we take to be what "intrusive surveillance" means). There's a possible argument that more intrusive surveillance of either man might have made a difference, but there was no legal justification for it, and given that the intrusive surveillance already carried out on one of them hadn't come up with much, the spooks would probably have moved on to likelier targets even under a laxer supervisory regime.
Granted you've got your legal justification in the UK, however, you can then serve a UK telecoms company or ISP for billing records and sundry metadata. This can be very useful, as is clear from the report. MI5 for example failed to obtain billing data for Adebowale's landline (this is one of several small, possibly non game-changing mistakes the report highlights). If it had done so, it would have found a call to a Yemeni number belonging to someone believed to be in contact with Al Qaeda in the Arabian Peninsula. A mobile phone left in the car after the attack also showed Adebowale had been in touch with a "wide range of extremists", including an AQAP suspect, but by then it was too late.
Of the landline error, the report says:
Had MI5 found this telephone contact (from the billing data), it would probably have led them to seek further communications data, which would have revealed previous contact or attempted contact with this number on five other dates since 26 September 2012. It might also have led them to seek traces with other partners who might have been able to provide further information on the communications with SoI ECHO [the AQAP suspect], including discussions about potential extremist activity.
So although retained communications data was no game-changer in the investigations into Adebowale and Adebolajo, we can see how it might have been, and surely has been in other cases. That however does not mean that the retention of everybody's data is either necessary or proportionate.
A RIPA warrant can cover different kinds of data - billing data for a mobile phone or landline, or perhaps an IP address. In the first cases you're looking for what a known individual has been up to, while in the latter you're checking out the individual who's been up to it. Once you have that individual and their ISP, you've got a shot at finding out what else they've been up to. Almost inevitably, this is going to lead the British security services to something outside UK jurisdiction. They can start to build a picture if the suspect's activities are mainly within UK jurisdiction, but otherwise they're unsighted. Which is where we came in.