Talal is the Programme Manager for techUK’s Cyber, National Security and Criminal Justice programmes. In this article, he discusses the amendments made by the Home Office to the Investigatory Powers Bill.
Earlier this week, the Home Office published a revised Investigatory Powers Bill, alongside six Codes of Practice and the Government’s response to pre-legislative scrutiny.
In so doing, the Home Office made a number of changes to the draft Bill, including areas that are directly of interest to techUK members such as encryption, extraterritoriality and definitions of key terms such as “data” and Internet Connection Records (ICRs).
Privacy
Part 1 of the Bill now provides a short overview of the privacy safeguards contained throughout the Bill but this falls short of the recommendation by the Intelligence and Security Committee, which called for privacy protections to form the backbone of the Bill and not be merely an add-on.
The privacy section in Part 1 reads more like a summary of privacy protections, through the Home Office simply adding the word “privacy” to the sub-heading, rather than an overarching statement of the Government’s consideration of the protection of privacy as paramount.
Definitions
The term “related communications data” has been replaced with the term “secondary data”. “Secondary data” is defined as data (that is not content) that can be obtained under a targeted or bulk interception warrant. This is intended to clarify the distinction between this type of data and the narrower class of data available under a communications data authorisation.
The definition of the term “data” has also been changed in line with the Joint Committee’s recommendation. The new definition makes clear that the term “data” in the revised Bill includes “data which is not electronic data and any information (whether or not electronic)”.
Extraterritoriality
It seems that little has changed with regard to the concerns raised by the ISC, the Joint Committee and techUK regarding extraterritorial provisions.
Although there are greater and more consistent safeguards on proportionality and conflicts of law for overseas providers, extraterritorial provisions that undermine long-term objectives still remain.
The Home Office has acknowledged concerns regarding these provisions, but its response in the overarching documents to the Bill has been to reiterate that it is engaging in preliminary discussions with international partners on a new international framework.
Encryption
The language on encryption has been amended in clauses 217 and 218. Section 189 of the draft Bill proposed that obligations be placed on CSPs “relating to the removal of electronic protection applied by a relevant operator to any communications or data”.
This obligation has now been slightly changed in the new Bill, so that obligations now apply “to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data”.
Furthermore, the draft Codes of Practice on Communications Data state that “an obligation placed on a CSP to remove encryption only relates to electronic protections that the company has itself applied to the data, or where those protections have been placed on behalf of that CSP”, such as where a CSP has contracted a third party to apply electronic protections.
The Bill has also been revised to clarify that where an obligation is placed on a CSP, which includes the removal of encryption, the technical feasibility and likely cost of complying with those obligations must be factored in.
The Government maintains that the purpose of this obligation is to ensure that data can be provided in intelligible form, though it is worth pointing out that more detail could have been provided in the Codes of Practice.
For example, what is the procedure for when the Home Secretary (on advice of the Technical Advisory Board) and the CSP disagree as to the technical feasibility of a technical capability notice? This is not clear on the face of the Bill.
Furthermore, the decision as to the technical feasibility and likely cost of requiring a CSP to remove electronic protection should not be solely in the hands of the Secretary of State, but should require the involvement of a judicial commissioner.
Equipment Interference
Neither the face of the Bill nor the Codes of Practice acknowledge the dangers inherent within equipment interference (EI) provisions.
In fact, the key recommendations by the Committees that attempted to safeguard the use of EI have all been ignored.
Rather than introduce extra EI safeguards, the Home Office have actually extended the powers. Under the new provisions, police officers will now be able to use EI for “threat to life” situations.
The new Bill also provides for the Secretary of State to authorise bulk EI warrants in urgent circumstances.
The concerns regarding bulk equipment interference, and the ISC recommendation that bulk equipment interference be removed from the Bill, have been ignored.
Internet Connection Records
The Bill now has a single definition of ICRs that remains consistent throughout the course of the Bill.
The draft Communications Data Code of Practice includes a section on ICRs that is consistent with that provided for in the Bill and lists the core information that will be included in an ICR such as: an account reference, a source IP and port address, a destination IP and port address and a time/date.
The Codes of Practice admit that there will be no single set of data that constitutes an internet connection record and that in practice “it will depend on the service and service provider concerned”.
This acknowledgement highlights the difficulties that industry will face if required to generate and retain ICRs.
The new Bill has also extended the purposes for which law enforcement can access ICRs to include information about websites that have been accessed that neither relate to communications services nor contain illegal material.
Rather than addressing the concerns of industry and the public about the scope of powers related to ICRs, it seems the Home Office have responded by extending the powers rather than limiting them.
Gagging Notices
CSPs will now be able to discuss their retention obligations with systems suppliers, oversight bodies and other companies that are subject to retention obligations. The Bill has been revised to ensure that CSPs can disclose the existence and contents of such notices with the permission of the Secretary of State.
This is to be welcomed. Transparency is crucial to ensuring that confidence in surveillance practices going forward is maintained.
The draft Bill, as it was worded, would have prohibited companies from having the same opportunity and also prevented them from communicating with other companies and sharing technical solutions to retention notices.
Cost retention
On cost retention, the Bill does not go as far as the Science and Technology Committee would have liked and does not put 100% cost recovery on the face of the Bill.
The supporting documents, however, reaffirm the Government’s longstanding position of reimbursing 100% of the costs associated with data retention and state that there are “no current plans to change that policy”.
Whether this gives industry the reassurance it requires remains to be seen.
Judicial Commissioners
The Government has amended the Bill at Clause 202 to make it explicit that Judicial Commissioners have the power to initiate investigations and receive complaints directly from industry.
This is important and welcomed as it will provide a higher level of transparency and oversight than is currently afforded with such powers.
It is important to note, however, that the judicial review principles afforded in the Bill do not meet US standards on “probable cause”, which could create difficulties in creating the international framework that is referenced above.
Bulk Collection
The Government has now published an operational case for the bulk powers in the Bill. It is crucial that the operational case is carefully scrutinised by parliamentarians.
Post Legislative Scrutiny
Clause 222 requires the Secretary of State to prepare a report on the operation of the Investigatory Powers Act within six years of the Bill being enacted. This is in anticipation of a Select Committee of either House of Parliament (whether acting alone or jointly) undertaking a review of the powers in the Bill within five years and six months of Royal Assent.