The long-awaited draft Investigatory Powers Bill was published yesterday.
We’ll be carrying out more detailed analysis of the draft Bill in the coming weeks, and LINX members can expect an in-depth briefing at LINX91, and when we consult on our official response. For now, here’s a first look at some key issues in the new Bill.
Contrary to earlier reports, the draft Bill does not appear to impose any sort of blanket ban on end-to-end encryption. However, the Bill gives the Home Secretary the power to impose on a telecommunications operator “obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data”. The explanatory notes explain this as follows:
RIPA requires CSPs to provide communications data when served with a notice, to assist in giving effect to interception warrants, and to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates. … The draft Bill will not impose any additional requirements in relation to encryption over and above the existing obligations in RIPA.
— Draft Investigatory Powers Bill: Guide to Powers and Safeguards, paragraphs 62-63.
More networks within scope for communications data retention orders
Hat-tip to Andrew Cormack for this observation. It appears that the Bill may open up more networks to orders to retain communications data.
Potentially the most significant change is an extension of the Home Secretary’s powers to order network operators to retain communications data. Under the current Data Retention and Investigatory Powers Act (and the earlier European Data Retention Regulations that were declared invalid by the European Court last year) those orders can only be made against *public* electronic communications services. The draft Bill replaces that by “telecommunications operators”, defined in a way that is likely to include any organisational or inter-organisational network, even those not available to the public.
— Andrew Cormack, Jisc Regulatory Developments blog
The draft Bill would replace the Interception of Communications Commissioner, the Chief Surveillance Commissioner and the Intelligence Services Commissioner with a new Interception Powers Commissioner.
“Judicial commissioners” will be given a role in approving the issue of interception, equipment interference and bulk warrants. The government is emphasising the “double-lock” whereby “a Judicial Commissioner will in future need to approve warrants issued by the Secretary of State (or a Scottish Minister) before they come into force.”
However, doubts have already been cast on whether this constitutes genuine judicial authorisation. Conservative MP David Davis is one of the doubters:
I draw everybody’s attention to section 19(2), which tells the judicial commissioners they have to make decisions based on judicial review principles, not on the basis of the evidence. In other words the home secretary would have to behave in an extraordinary manner not to get his or her warrant approved. This is not the judge checking the evidence, it is the judge checking that the correct procedure has been followed.
This is not quite the protection it was represented as.
It will also be possible to bypass the “double-lock” for five days in “urgent cases”.
Internet Connection Records
Internet service providers will be required to retain “Internet Connection Records” for a minimum of 12 months. The government describes these ICRs as essentially a list of websites accessed, rather than full URLs.
47 (6) In this section “internet connection record” means data which—
(a) may be used to identify a telecommunications service to which a communication is transmitted through a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and
(b) is generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person).
The Bill clarifies the powers of the security services and law enforcement to hack into computers, phones, etc. It will also “create a new obligation on domestic CSPs to assist in giving effect to equipment interference warrants”.
The draft Bill will legalise the practice of the security services obtaining “large volumes of data that are likely to include communications or other data relating to terrorists and serious criminals”, where “the main purpose of the activity is to acquire intelligence relating to individuals outside the UK”. It will also provide for the acquisition of “bulk personal datasets”, which are “sets of personal information about a large number of individuals, the majority of whom will not be of any interest to the security and intelligence agencies”.
The Bill will allow the authorities to make interception and targeted communications data requests to overseas providers. This has already caused alarm among some US providers. Following publication of the Bill, Yahoo VP & Associate General Counsel, Aaron Altschuler, wrote:
Many aspects of the draft Bill would directly impact internet users not just in the UK, but also beyond British borders. Of most concern to us at this stage is the UK Government’s proposal to affirm extraterritorial jurisdiction over foreign service providers. National laws cannot solve an international problem. If emulated around the world, the UK Government’s extraterritoriality clause would create a chaotic legal environment and unpredictability for companies, users, and agencies.
The Bill will be scrutinised by a Joint Committee, with a revised Bill due for release in the Spring. LINX members can expect more details and analysis in due course.