Skip to main content

Investigatory Powers Bill published

Posted by Sam Frances on Thursday, November 5th, 2015 at 18:31

The long-awaited draft Investigatory Powers Bill was published yesterday.

We’ll be carrying out more detailed analysis of the draft Bill in the coming weeks, and LINX members can expect an in-depth briefing at LINX91, and when we consult on our official response. For now, here’s a first look at some key issues in the new Bill.

Encryption

Contrary to earlier reports, the draft Bill does not appear to impose any sort of blanket ban on end-to-end encryption. However, the Bill gives the Home Secretary the power to impose on a telecommunications operator “obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data”. The explanatory notes explain this as follows:

RIPA requires CSPs to provide communications data when served with a notice, to assist in giving effect to interception warrants, and to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates. … The draft Bill will not impose any additional requirements in relation to encryption over and above the existing obligations in RIPA.
— Draft Investigatory Powers Bill: Guide to Powers and Safeguards, paragraphS 62-63.

More networks within scope for communications data retention orders

Hat-tip to Andrew Cormack for this observation. It appears that the Bill may open up more networks to orders to retain communications data.

Potentially the most significant change is an extension of the Home Secretary’s powers to order network operators to retain communications data. Under the current Data Retention and Investigatory Powers Act (and the earlier European Data Retention Regulations that were declared invalid by the European Court last year) those orders can only be made against *public* electronic communications services. The draft Bill replaces that by “telecommunications operators”, defined in a way that is likely to include any organisational or inter-organisational network, even those not available to the public.
— Andrew Cormack, Jisc Regulatory Developments blog

Consolidated oversight

The draft Bill would replace the Interception of Communications Commissioner, the Chief Surveillance Commissioner and the Intelligence Services Commissioner with a new Interception Powers Commissioner.

Judicial commissioners

“Judicial commissioners” will be given a role in approval of warrants for approving the issue of interception, equipment interference and bulk warrants. The government is emphasising the “double-lock” whereby “a Judicial Commissioner will in future need to approve warrants issued by the Secretary of State (or a Scottish Minister) before they come into force.”

However, doubts have already been cast on whether this constitutes genuine judicial authorisation. Conservative MP David Davis is one of the doubters:

I draw everybody’s attention to section 19(2), which tells the judicial commissioners they have to make decisions based on judicial review principles, not on the basis of the evidence. In other words the home secretary would have to behave in an extraordinary manner not to get his or her warrant approved. This is not the judge checking the evidence, it is the judge checking that the correct procedure has been followed.

This is not quite the protection it was represented as.

It will also be possible to bypass the “double-lock” for five days in “urgent cases”.

Internet Connection Records

Internet service providers will be required to retain “Internet Connection Records” for a minimum of 12 months. The government describes these ICRs as essentially a list of websites accessed, rather than full URLs.

47 (6) In this section “internet connection record” means data which—
(a) may be used to identify a telecommunications service to which a communication is transmitted through a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and
(b) is generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person).

Equipment interference

The Bill clarifies the powers of the security services and law enforcement to hack into computers, phones etc. It will also “create a new obligation on domestic CSPs to assist in giving effect to equipment interference warrants”.

Bulk powers

The draft Bill will legalise the practice of the security services obtaining “large volumes of data that are likely to include communications or other data relating to terrorists and serious criminals”, where “the main purpose of the activity is to acquire intelligence relating to individuals outside the UK”. It will also provide for the acquisition of “bulk personal datasets”, which are “sets of personal information about a large number of individuals, the majority of whom will not be of any interest to the security and intelligence agencies”.

Extra-territoriality

The Bill will allow the authorities to make interception and targeted communications data requests to overseas providers. This has already caused alarm among some US providers. Following publication of the Bill, Yahoo VP & Associate General Counsel, Aaron Altschuler, wrote:

Many aspects of the draft Bill would directly impact internet users not just in the UK, but also beyond British borders. Of most concern to us at this stage is the UK Government’s proposal to affirm extraterritorial jurisdiction over foreign service providers. National laws cannot solve an international problem. If emulated around the world, the UK Government’s extraterritoriality clause would create a chaotic legal environment and unpredictability for companies, users, and agencies.

The Bill will be scrutinised by a Joint Committee, with a revised Bill due for release in the Spring. LINX members can expect more details and analysis in due course.

With over 770 members connecting from over 76 different countries worldwide, LINX members have access to direct routes from a large number of diverse international peering partners.

© London Internet Exchange, 2018 Registered office: London Internet Exchange Limited, 2nd Floor, Trinity Court, Trinity Street, Peterborough PE1 1DA United Kingdom . Registered in England, Number: 3137929
VAT Registration Number: GB 665 9580 82 Head office main telephone number Telephone: +44 (0)1733 207700 Fax: +44 (0)1733 207729

Web Design by Web Design by Bluestorm Design & Marketing

Leave Feedback

Cookies

This site uses cookies to store information on your computer. Some of these cookies are essential to make our site work and have already been set. By using our site you accept the terms of our Privacy Policy.

×