The Investigatory Powers Bill is currently making its way through the UK Parliament and is due to become law by the end of 2016. It will:
- reform and expand the powers of UK law enforcement bodies and intelligence agencies to conduct warranted interception, equipment interference (hacking in order to obtain information) or bulk acquisition of communications data.
- introduce judicial approval of warrants issued by the Secretary of State.
- extend the Secretary of State's existing power to require some telecommunications operators to install permanent interception capabilities, so as to include other kinds of warrant and notice.
- expand the Secretary of State's powers to serve a notice directing a telecommunications operator to generate, obtain and retain communications data about users, including site level web browsing histories. This extends existing powers and revives elements of the draft Communications Data Bill on which the pre-2015 Coalition government was deadlocked.
- provide many authorities with a query tool (the request filter) to make complex searches across telecommunications operators' databases of communications data. This would enhance the existing ability to serve targeted notices requiring disclosure of communications data.
- respond to criticisms by the Interception of Communications Commissioner of law enforcement's use of communications data to identify journalistic sources. Questions of MPs' and legal privilege are also addressed.
- introduce an extended list of prohibitions on disclosing the existence of a warrant or notice.
Finally, the Bill touches on the current controversy surrounding encryption where the service provider has no key.
The Bill is in part a reaction to the Snowden revelations of the scale of bulk interception conducted by GCHQ. It draws on subsequent reviews of investigatory powers conducted by the Parliamentary Intelligence and Security Committee, David Anderson Q.C. and the Royal United Services Institute. A draft Bill published in November 2015 was scrutinised by three Parliamentary Committees.
The Bill has the potential to affect not only the communications industry but any business that operates a network, whether public or private.
The existing compulsory data retention regime under the Data Retention and Investigatory Powers Act 2014 (DRIPA) expires at the end of December 2016. The government is working to bring the whole of the new Bill into effect before then. Meanwhile a legal challenge to DRIPA brought by MPs David Davis and Tom Watson has been referred to the EU Court of Justice.
Much of the Bill is controversial and amendments are likely as it passes through Parliament. This analysis is based on the Bill as introduced in Parliament on 1 March 2016.
Who would the Bill affect?
It would be easy to gain the impression that the Bill affects only the communications industry. However it applies more widely than that, potentially affecting any type of business.
This broad scope flows from the definition at the heart of the Bill: a ‘telecommunications operator’. This includes private as well as public networks and services. It covers not just carriers but online storage providers: those who facilitate the creation, management or storage of communications transmitted, or that may be transmitted, by a telecommunications system.
‘Communication’ is also broadly defined. It covers not just person to person messages, but person to machine, machine to person and machine to machine communications. The internet of things will, as it gathers pace, fall into the embrace of the new legislation.
While the powers are drawn very broadly, no obligation to maintain a capability, retain or disclose data or assist with interception or equipment interference crystallises unless the Secretary of State or a public authority serves a notice or warrant.
So falling within the scope of the Bill does not necessarily mean that anything will be required.
Notices and warrants will generally be subject to secrecy obligations. As a result information on how they have been deployed may not be easy to come by. The most detailed guidance on how they are likely to be exercised will be in Codes of Practice, drafts of which have been published with the Bill.
What does the Bill cover?
The starting point of the Bill, like the existing Regulation of Investigatory Powers Act (RIPA), is to prohibit interception of communications without lawful authority. The interception criminal offence is similar to that under RIPA, but extended to cover communications stored in or by the telecommunications system before transmission as well as after.
Much of the Bill is taken up with enumerating the powers of law enforcement and the intelligence agencies under warrants issued by a Secretary of State and approved by a Judicial Commissioner. An interception warrant constitutes lawful authority for the purposes of the interception offence.
Other types of lawful authority include consent of the sender and intended recipient, interception for monitoring and record-keeping purposes specified under Lawful Business Practice Regulations, and interception by a telecommunications service provider for purposes relating to the provision or operation of the service. The Bill clarifies and broadens this service provider exception compared with that under RIPA.
The warrantry powers under the Bill include:
• Interception warrants (targeted, thematic or bulk)
• Equipment interference warrants (targeted, thematic or bulk)
• Bulk communications data acquisition warrants
Numerous different authorities can, as under RIPA, make targeted demands on telecommunications operators for communications data. A new ‘request filter’ tool will be introduced enabling authorities to make complex queries across databases of communications data held by multiple communications service providers (CSPs).
The Secretary of State will be able to serve technical capability notices to require maintenance of permanent capabilities (including removal of encryption applied by a service provider or on its behalf). Under RIPA this ability applies only to interception. The Bill will introduce technical capability notices covering most warrants and powers.
The Bill will expand on DRIPA’s data retention requirements through compulsory generation, obtaining and retention of a broader range of communications data (including site browsing histories, officially known as internet connection records).
The Secretary of State will be able to serve national security notices on UK telecommunication operators. While broadly defined, national security notices cannot be used for the main purpose of requiring something to be done for which the Bill requires a separate warrant or authorisation.
Business by business
The large public telecommunications provider
Fully in scope for:
• Interception warrants (targeted, thematic or bulk)
• The new equipment interference warrants (targeted, thematic or bulk)
• Technical capability notices
• The ‘request filter’ for querying databases of communications data.
• Broader mandatory data retention
• Bulk communications data acquisition warrants
• National security notices
The provider will benefit from broader purposes for which it can lawfully intercept communications on its network. These will include purposes relating to:
• the provision or operation of the service (this will specifically include identifying, combating or preventing anything which could affect any telecommunication system by means of which the service is provided, or any apparatus attached to such a system).
• the enforcement, in relation to the service, of any enactment relating to (i) the use of telecommunications services, or (ii) the content of communications transmitted by means of such services
• the provision of services or facilities aimed at preventing or restricting the viewing or publication of the content of communications transmitted by means of telecommunications services.
The small ISP
The Bill does not distinguish between large and small ISPs. So according to the letter of the Bill any of the warrants and powers could apply.
However the draft Codes of Practice suggest that the powers mandating permanent capabilities will generally be applied to the larger players:
• Interception and equipment interference: Small companies (with under 10,000 users) will not be obligated to provide a permanent capability, although they may be obligated to give effect to a warrant.
• Bulk communications data acquisition: In practice, technical capability requirements will only be placed on companies that have to make significant technical changes in order to comply with the requirements of a bulk acquisition warrant.
• Communications data acquisition: In practice, technical capability requirements will only be placed on companies that are required to give effect to notices or authorisations on a recurrent basis.
For data retention various factors will be taken into account, including the size or growth rate of a CSP and the number of requests for communications data it receives. A niche market or geographical area served by a CSP may also be a factor.
A small ISP will benefit from the same broader lawful authority purposes as a large provider.
The cloud-based service provider
Most of the Bill’s powers apply to ‘telecommunications operators’. This includes not just network providers, but providers of a service that facilitates the creation, management or storage of communications transmitted, or that may be transmitted, by means of a telecommunication system.
This definition is intentionally broad, as can be seen from the draft Codes of Practice: “Internet based services such as web-based email, messaging applications and cloud-based services” are covered.
Social media companies will also be in scope.
The non-UK communications provider
If an operator is outside the UK and provides a telecommunications service to people in the UK, or controls a telecommunication system in the UK, then it is generally within the scope of the Bill.
Furthermore most of the powers:
• expressly apply to non-UK persons,
• can require things to be done outside the UK and
• specify methods of serving warrants and notices on non-UK persons.
Many of the powers, however, are enforceable by injunction only against persons in the UK. The powers enforceable by injunction against non-UK persons (interception warrants and targeted communications data acquisition notices) permit conflict with the law of another country to be taken into account.
Extraterritoriality provisions were first explicitly enacted in DRIPA. They remain controversial in the Bill and have drawn criticism from international companies.
The powers sit within a broader canvas of ongoing efforts to improve cross-border mutual assistance procedures between nation states. There are also ongoing negotiations between some governments (such as UK and USA) to develop inter-state agreements allowing service providers to comply directly with some cross-border demands without risk of breaking their own countries’ laws.
The online business
An online business that does not think of itself as part of the communications industry may nonetheless be providing a telecommunications service to its users and customers as part of its business. If so, the Bill could apply.
According to the draft Codes of Practice:
“The definition of a telecommunications operator also includes application and website providers but only insofar as they provide a telecommunication service. For example an online market place may only be a telecommunications operator as it provides a connection to an application/website. It may also be a telecommunications operator if and in so far as it provides a messaging service.”
The current regulations under RIPA exclude from any obligation to provide an interception capability those who only provide a public telecommunications service in relation to the provision of banking, insurance, investment or other financial services. So far neither the Bill nor the draft Codes of Practice has indicated whether a similar exclusion will be implemented under the new legislation.
The café providing public Wi-Fi
The café (or perhaps the operator providing the hotspot for the café's customers) would be a telecommunications operator and within scope.
The Home Secretary, when giving evidence to the Joint Committee, was asked whether data retention would be applied to people running Wi-Fi networks in coffee shops. Her response indicated that the possibility of doing so had been deliberately left open:
“It may very well be that there are circumstances where it is appropriate to have that discussion and, potentially, to ask for information to be retained. It is about having that flexibility.”
The media organisation
The provisions regarding protection of journalist privilege will be of particular interest to media organisations, as will the potential for warrants, data retention notices and technical capability notices to be applied to private networks.
The National Union of Journalists regards the journalist privilege protections as weak.
The provider of connected devices
Every time a customer’s connected device calls base, transmits or receives data or updates itself it is making a communication and generating communications data. That is potentially within scope of the Bill.
The organisation operating a private network
The Bill generally applies to private networks: including those of businesses, schools, universities and even domestic households. This represents a significant shift from the powers under the existing legislation, most of which apply only to public telecommunications providers.
Would powers in fact be exercised against private networks? The Home Secretary, when giving evidence to the Joint Committee, was asked whether data retention notices could be applied to university or company networks. She said:
“I do not think that it would be right for us to exclude any particular type of network, because of the way in which people conduct their business and their interactions these days. However, for any individual decision, there is an onus on the Home Office to look at the necessity and proportionality of that, the technical feasibility of that, what the costs would be and what the impact on that particular CSP or network would be.”