Wednesday, 14 September 2016

Svensson and GS Media - Free to link or link at your risk?

This is a revised edition of my February 2014 post, which was published immediately after the CJEU's Svensson decision on copyright and linking.  This new version weaves in the 8 September 2016 judgment of the CJEU in GS Media (commentary on GS Media and other post-Svensson material is highlighted).

GS Media puts to rest any remaining illusions that Svensson legitimised linking to all freely available content. GS Media also introduces knowledge thresholds for linking liability, varying according to the commercial or non-commercial nature of the linking activity. (For a report of the GS Media decision see here.)


Svensson was issued on 13 February 2014. It established some important points about the legality of linking under EU copyright law:
  1. A clickable direct link to a copyright work made freely available on another website with the authority of the copyright holder does not infringe. (GS Media repeats this general principle at paragraph [40]).  
  2. It makes no difference if a user clicking on the link is given the impression that the work is present on the linking site. (Svensson [29] and [30], applied in Bestwater. The reasoned order in Bestwater has given rise to much confusion. In reality it does no more than confirm Svensson on this point.)
  3. The reasoning of Svensson suggests that a clickable link can infringe if the copyright holder has not itself authorised the work to be made freely available on the internet. (The UK Intellectual Property Office adopted this interpretation in its June 2014 Copyright Notice on Digital Images, Photographs and the Internet. GS Media has now confirmed ([41]) that Svensson did mean that a link could infringe if the rightholder had not consented to the work being made freely available on another website.  See discussion below, including as to whether 'another website' means only the website linked to or a website anywhere on the internet.)
  4. If the work is initially made available on the internet with restrictions so that only the site’s subscribers can access it, then a link that circumvents those restrictions will infringe (Svensson [31], GS Media [50]); and see further discussion below.
  5. A link can infringe where the work is no longer available on the site on which it was initially communicated, or where it was initially freely available and subsequently restricted, while being accessible on another site without the copyright holder’s authorisation. (Svensson [31]; no change in GS Media.)
It seemed to follow from the reasoning in Svensson, although the judgment did not address this factual situation, that a link to an infringing copy would not infringe if, and for so long as, a copy of the same work was freely available somewhere on the internet with the authority of the copyright holder. The reasoning in GS Media appears to keep this possibility open, albeit again this was not the factual situation before the court.  

In any event this reasoning would not exempt links to infringing copies of works that are not legitimately available on the internet at all (the factual situation in GS Media), or which have only been legitimately made available on the internet under restrictions.

In purely practical terms the Court in Svensson made a valiant attempt to balance the competing considerations of protecting rightsholders’ content without restricting reasonable user behaviour.  However commentators (see hereherehere and here - hat tip to these for some of the questions discussed below) very quickly suggested that the CJEU’s reasoning – giving a very wide meaning to an act of communication, then reining back the scope according to whether the link makes the work available to a ‘new public’ compared with that contemplated by the copyright holder – might store up trouble for the future.

GS Media is another pragmatic attempt to fix some of the problems that Svensson did indeed throw up.  However, it creates new uncertainties and the specifics of the solution that the CJEU has chosen will inevitably attract criticism.  Many people will be reinforced in their view that Svensson took a wrong turning and that linking should not amount to an act of communication at all (the position advocated by the European Copyright Society). Any liability for specific linking activities would then be left to secondary and accessory liability or unfair competition rather than trying to shoehorn such activities into the exclusive right of communication to the public.

Open questions

These are the questions that, in February 2014, I suggested that Svensson had left open for future decisions. Now with [commentary] on whether they remain open.
  1. "The Court draws a distinction between freely available content and, on the other hand, restricted content where a link circumvents the restrictions. Are those intended to be the only two possible categories, so that if a copyright work is not ‘restricted’ it is necessarily ‘freely available’? Or are they two ends of a spectrum, the middle of which has yet to be explored? What, for instance, would be the position if the copyright holder has authorised a licensee to make the content freely available on the internet, but the licensee makes it available only on a restricted basis?" [Not answered. This is a question about the meaning of 'freely available'. Although in GS Media it was argued before the Dutch referring court that one of the links circumvented a restriction, the CJEU judgment assumes that the linked-to unauthorised copy was freely available.]
  2. "Does ‘restricted’ refer only to technical restrictions (and how sophisticated?), or does it also encompass licence or contractual restrictions?" [Still an open question.]
  3. "The judgment refers only to clickable links.  What about other varieties of link, or analogous technologies? The logic of the judgment would seem to apply to inline links where, rather than awaiting the user’s click, the linked-to content is served up automatically to the user when the web page is requested." [Still an open question. Factually, GS Media concerned clickable website links.]
  4. "The judgment refers to links ‘to’ copyright works, affording ‘direct’ access to those works. Does the link have to be to the actual work itself in order to make it available, or does a link to a page containing the work suffice? So applying the Svensson reasoning a clickable link to the URL of a news page makes available the HTML text of that page. Does it also make available a photograph which loads automatically as part of the news page, but which is nevertheless a separate copyright work with its own URL capable of being separately linked to? What about a playable video within the page, or a PDF downloadable from that page? Each of those is a separate copyright work requiring a further click by the user to access it.  Might they be regarded as indirectly, rather than directly, accessible from a link to the news page containing them?" [GS Media glosses over this scenario (sometimes described as reference linking). The referring court framed its questions in terms of a hyperlink to "a [third party] website ... on which the work has been made available". That formulation is consistent with the facts recited by the CJEU at [10]: "By clicking on a hyperlink accompanying that text, users were directed to the Filefactory website, on which another hyperlink allowed them to download electronic files each containing one of those photos."  The nuance of two different hyperlinks was lost in the CJEU's reformulation of the question, referring to: "...the fact of posting, on a website, a hyperlink to protected works." The judgment goes on to refer in various places both to hyperlinks to a "work" and to a "website". Curiously (given the recited facts quoted above) it then states: "it is indisputed that GS Media ... provided the hyperlinks to the files containing the photos at issue, hosted on the Filefactory website..." (emphasis added).  The operative part of the judgment refers to "hyperlinks to protected works".  The distinction between direct and indirect links was not addressed in the judgment. From a freedom of expression perspective imposing liability for a link to a page on a website which may contain both infringing and non-infringing material has different consequences than for a link direct to a single infringing music or video file (although even that case may be nuanced since a single file can contain a mixture of infringing and non-infringing material).]  
  5. Does the reservation for subsequently removed or restricted works apply only to new links created after the initially freely available work was withdrawn or restricted, or do existing links to unauthorised copies automatically become infringing? [Not addressed]
  6.  What is the position where initially the work was lawfully made freely available on the internet under an exception to copyright, such as fair dealing? Is that different from when it was done with the authorisation of the copyright holder?  On the face of it the Svensson version of the 'new public' test would not of itself legitimise linking in the former situation. [Not addressed]
The CJEU's decisions only concern whether a link can amount to 'communication to the public' for the purposes of harmonised EU copyright law. They does not deal with other ways in which linking might infringe, for instance by authorising infringement or joint liability for someone else's infringement.  Nor do they say anything about non-copyright issues such as passing off or unfair competition.

Drilling down to the details

Authorising the initial internet communication

The most significant aspect of the Svensson judgment was, oddly, not mentioned in the operative part of the decision (in which the Court provides its definitive answer to the question posed by the referring national court). The operative part said:

“…the provision on a website of clickable links to works freely available on another website does not constitute an ‘act of communication to the public' … .”

Taken at its face, that could suggest that a link to any freely available work does not infringe, regardless of whether the copyright holder initially authorised the work to be made freely available on the internet. That would broadly legitimise most links. But if that is right it is difficult to understand the numerous references in the judgment to whether the copyright holders authorised the initial communication to the public on the internet, and the potential audience contemplated when they did so.  In my original February 2014 post I suggested that it was likely that the operative part should instead be understood to mean:

“…the provision on a website of clickable links to works freely available on another website, in circumstances where the copyright holder has authorised such works to be made freely available at [that]/ [an] internet location, does not constitute an ‘act of communication to the public' … .”

The alternatives ‘that’/‘an’ reflect the possible uncertainty about the effect of the judgment on links to unauthorised copies where the copyright holder has authorised the work to be freely available at some other location on the internet. 

GS Media confirms that the reasoning of Svensson, not the wording of the operative part, prevails:

"However, it follows from the reasoning of [Svensson and BestWater] that, by them, the Court intended to refer only to the posting of hyperlinks to works which have been made freely available on another website with the consent of the rightholder..." [41]
This and other passages in GS Media may still leave some room for debate over whether "another website" means only the website linked to or encompasses any website or other location on the internet.   

The curious case of the freelance journalist

The significance of the copyright holder’s authorisation of the initial internet communication is well illustrated by the facts of Svensson itself. According to the CJEU judgment the Swedish proceedings were between four journalists, Mr Svensson, Mr Sjögren, Ms Sahlman and Ms Gadd, who sued Retriever Sverige AB for compensation resulting from Retriever’s inclusion on its website of clickable links to press articles in which the journalists held the copyright.

The Court said:
[The journalists] wrote press articles that were published in the Göteborgs-Posten newspaper and on the Göteborgs-Posten website. Retriever Sverige operates a website that provides its clients, according to their needs, with lists of clickable Internet links to articles published by other websites. It is common ground between the parties that those articles were freely accessible on the Göteborgs-Posten newspaper site. …”
The journalists claimed that by linking to the articles on the newspaper website Retriever was making their articles available to its clients without their consent. When the CJEU discussed ‘new public’ it said:

“a communication, such as that at issue in the [Swedish] proceedings, concerning the same works as those covered by the initial communication and made, as in the case of the initial communication, on the Internet, and therefore by the same technical means, must also be directed at a new public, that is to say, at a public that was not taken into account by the copyright holders when they authorised the initial communication to the public ….
… it must be held that, where all the users of another site to whom the works at issue have been communicated by means of a clickable link could access those works directly on the site on which they were initially communicated, without the involvement of the manager of that other site, the users of the site managed by the latter must be deemed to be potential recipients of the initial communication and, therefore, as being part of the public taken into account by the copyright holders when they authorised the initial communication.
Therefore, since there is no new public, the authorisation of the copyright holders is not required for a communication to the public such as that in the main proceedings.” (emphasis added)
The assumption of the Court in coming to this conclusion on the facts appears to have been that the four copyright holder journalists all authorised the newspaper to make the articles freely available on the newspaper website - the site on which the initial communication on the internet was made and to which Retriever linked.  

But what if the journalists had authorised publication only in the print newspaper and not on the newspaper website? It then seems inescapable that since the initial communication on the internet would not have been authorised by the journalists, a public link to the newspaper website article would be caught, even though the article was freely available on the newspaper website and not subject to any restriction.

Curiously, that scenario may have had some relevance to the Svensson case itself. In his judgment in Paramount Home Entertainment v BSkyB, Mr Justice Arnold summarised the facts of Svensson based on English translations of the Swedish judgments provided by Paramount. He said this:

“14.The claimants were four journalists who between them had written 13 articles published by the Göteborgs-Posten newspaper. Three of the journalists were employed by the newspaper, while one was freelance. All of the articles had all been published not only in print, but also online on the newspaper's website. In the case of one of the articles, which was written by the freelance author, the online publication by the newspaper was not licensed by the author.” (emphasis added)

If that is right, then for one of the 13 articles the copyright holding journalist who wrote it did not authorise initial communication to the public on the internet. For that article (assuming that the journalist had not authorised freely available publication elsewhere on the internet) the CJEU’s conclusion that the link did not amount to a communication to a new public would have been thrown into doubt.


Does Svensson pass the 'reasonable internet user' test?

Whatever the precise facts of Svensson may have been, this example illustrated a fundamental difficulty with the CJEU's judgment, assuming that the 'authorisation of initial communication' reading was correct (as GS Media has now confirmed). Ordinary internet users would be put in the position of publicly linking at their risk to any freely available content on the internet, however reputable the site may be, because they could not be certain and would have no practicable way of finding out whether the site owned copyright in its material, or had properly licensed it in, or whether a third party copyright owner had authorised the same material to be made freely available elsewhere on the internet.

Thanks to the long reach of digital copyright (which Svensson's interpretation of 'making available' arguably extended even further) primary copyright infringement impinges directly on end users.
End users are in no position to clear rights before, for instance, posting links to public discussion forums or on social media platforms. We make decisions to send public tweets, including links, in a matter of seconds.  If we are retweeting, we may not even visit the location to which the original tweet links.  If we are expected to embark on some investigation to satisfy ourselves that our link won’t infringe, for instance because someone’s unlicensed copyright might be lurking behind a reputable site – worse still if there is no practicable investigation that we can make - then we have a regime that risks chilling freedom of expression. 

It is no answer to suggest that if the links are harmless no-one will ever complain.  That would repeat the UK format-shifting episode, where the gap between copyright principle and reality has been so great as to bring copyright into disrepute.  Nor is it an answer to say that you don’t have to tweet links.  That is exactly the kind of chilling effect that copyright law should avoid.

Of course copyright law does contain some built-in freedom of expression accommodation.  Many linking tweets may find refuge in, say, the UK fair dealing exceptions for criticism, review and news reporting (although a passing comment at [53] of GS Media would seem to preclude this).  However these contain their own technicalities and limitations. For instance the UK news reporting exception does not apply to photographs. And the exceptions vary from one country to another, even within the EU. That is problematic for a user given the inherently cross-border nature of the internet. Is a tweeter expected to consider which countries her tweet may be thought to be targeting before tweeting a link?

At least in the UK, civil liability for primary copyright infringement is strict. You can infringe by accident, in situations where you are blameless. It is no excuse that you did everything you could to avoid infringement, or that you had no reason to think you were infringing. GS Media has introduced knowledge thresholds based on a distinction between ordinary and commercial internet use. But in doing so it will have infuriated copyright purists for whom primary infringement of exclusive rights should always be a matter of strict liability. The distinction between non-commercial and commercial use may also create its own problems, not least of identifying what is and is not a linking activity pursued for financial gain. Would it cover a blog that takes advertising? Does the commerciality have to be closely tied to the particular link in question? 

The introduction by GS Media of knowledge thresholds represents a pragmatic attempt to address the obvious problems that Svensson represented for ordinary end-users. The CJEU specifically acknowledges these:

"it may be difficult, in particular for individuals who wish to post such links, to ascertain whether website to which those links are expected to lead, provides access to works which are protected and, if necessary, whether the copyright holders of those works have consented to their posting on the internet. Such ascertaining is all the more difficult where those rights have been the subject of sub-licenses." [46]
However, is the threshold for non-commercial linkers as helpful as it seems?   The test in the operative part of the judgment is whether the user "did not know or could not reasonably have known the illegal nature of the publication of [the linked-to] works on that other website." The use of the negative might suggest that the burden is on the user to prove that it does not satisfy the knowledge test. Contrariwise, at [14] the CJEU referred to the situation where it is "established that the user knew or ought to have known...". That would be closer to secondary copyright infringement in the UK, where a claimant has to prove that the defendant knew or had reason to believe that e.g. the copy was infringing.   
More fundamentally, what contextual facts is the user taken to be aware of in assessing whether s/he could not reasonably have known of the illegal nature of the linked-to work? The judgment at [49] gives the example of where the user has been notified by the copyright holder. That instance apart, is the user assumed to have visited the website before making a link? (How many people check the links in a tweet that they are retweeting?) If so, how much of the website is the user taken to have visited? Does the assumption vary depending on whether website is well known to be reputable or, on the contrary, notorious? What about the vast population of websites that are neither?

The greater the knowledge of surrounding factual circumstances that is imputed to the user, the nearer the regime would move towards placing a diligence obligation on the ordinary user. But that would undermine the contrast that the CJEU drew with commercial users, discussed below.

A good test when evaluating copyright judgments that directly affect the general public, especially internet users, is this: 
  1. Can I explain to a user with confidence exactly what rules s/he has to follow?
  2. Will a reasonable internet user think those rules are sensible?
  3. In any given situation can the user readily ascertain whether what s/he wants to do will infringe?
Svensson just about passed the first question, probably fails the second and certainly fails the third.

GS Media improves the position of non-commercial users on the second and third questions, but does not necessarily convert a fail into a pass. It certainly does not do so for commercial users.

Commercial internet users

In my original February 2014 post I said: "Strict liability has always been the case in the UK for primary infringement (reproduction, communication to the public and some other types of restricted act).  It is a hangover from the hard copy days when copyright was almost entirely a commercial matter and hardly impinged on end users. It was reasonable to expect commercial publishers and broadcasters to clear rights first. Even then dealers, such as commercial distributors, were subject only to secondary infringement: they did not infringe copyright unless they had reason to believe they were handling an infringing copy."
It is instructive to compare that with paragraph [51] of GS Media:

"Furthermore, when the posting of hyperlinks is carried out for profit, it can be expected that the person who posted such a link carries out the necessary checks to ensure that the work concerned is not illegally published on the website to which those hyperlinks lead..."
There is, however, no comparison between the commercial publisher or broadcaster of yesteryear, who may have had months in which to clear the rights for a TV programme, book or music production, and a commercial internet actor who may have minutes or at best hours in which to decide whether to include a link on its website.  That is even without revisiting the fundamental question of whether a link is akin to including material in a book, for which clearance might have been required, or referencing it in a footnote for which it would not. 
GS Media has now laid down that where links are provided for "the pursuit of financial gain" there is a rebuttable presumption that the posting has occurred with "the full knowledge of the protected nature of that work and the possible lack of consent to publication on the internet by the copyright holder".  Commercial actors and their legal advisers will be giving close consideration to what constitutes posting of links for pursuit of financial gain and to how the presumption of full knowledge might be rebutted. 

From a broader perspective, a diligence duty runs the risk that rather than go though whatever hoops are required to satisfy the diligence standard, commercial actors will simply refrain from creating links. That brings us neatly to the relevance of fundamental rights and the question whether the GS Media judgment may result in a classic chilling of freedom of expression. 

Whatever happened to Article 10?

One of the more startling aspects of Svensson was the omission of any reference to the impact on the fundamental right of freedom of expression. Notwithstanding that it adopted an interpretation of ‘making available’ of such breadth that it must engage Article 10 ECHR/Article 11 EU Charter, the CJEU conducted no proportionality assessment. In fact there was no mention of Article 10/11 at all in Svensson; this after SABAM v Scarlet and Donald Ashby, in which the CJEU and European Court of Human Rights respectively held that copyright has to be balanced against other fundamental rights.

GS Media remedies the omission to some extent:

"44 GS Media, the German, Portuguese and Slovak Governments and the European Commission claim, however, that the fact of automatically categorising all posting of such links to works published on other websites as ‘communication to the public’, since the copyright holders of those works have not consented to that publication on the internet, would have highly restrictive consequences for freedom of expression and of information and would not be consistent with the right balance which Directive 2001/29 seeks to establish between that freedom and the public interest on the one hand, and the interests of copyright holders in an effective protection of their intellectual property, on the other.
45 In that regard, it should be noted that the internet is in fact of particular importance to freedom of expression and of information, safeguarded by Article 11 of the Charter, and that hyperlinks contribute to its sound operation as well as to the exchange of opinions and information in that network characterised by the availability of immense amounts of information."

However GS Media's balancing of the different fundamental rights involved appears to go no further than the introduction the knowledge qualification for non-commercial makers of links. There is no attempt to balance any chilling effect on the impartation of speech by commercial actors, nor the resulting interference with the freedom of ordinary internet users to receive information from commercial actors through hyperlinks. 

What could the CJEU have done differently?

The CJEU could have avoided these problems had it adopted a narrower view of “making available” at the outset in Svensson. It could have restricted it to material intervention in the actual or putative transmission, so that but for the intervention no transmission would take place.  This was the position advocated by the European Copyright Society.  Questions of liability for linking could then have been left to secondary and accessory liability and perhaps to unfair competition.

Wednesday, 7 September 2016

A trim for bulk powers?

David Anderson Q.C.’s Bulk Powers Review made only one formal recommendation (a Technical Advisory Panel to assist the proposed Investigatory Powers Commission).

However the report drops a tantalising hint of the debate that might have taken place if the Review had been commissioned before the Bill started its passage through Parliament instead of almost at the end.

At [9.17] Anderson says:

“I have reflected on whether there might be scope for recommending the “trimming” of some of the bulk powers, for example by describing types of conduct that should never be authorised, or by seeking to limit the downstream use that may be made of collected material. 
But particularly at this late stage of the parliamentary process, I have not thought it appropriate to start down that path.  Technology and terminology will inevitably change faster than the ability of legislators to keep up.  The scheme of the Bill, which it is not my business to disrupt, is of broad future-proofed powers, detailed codes of practice and strong and vigorous safeguards.  If the new law is to have any hope of accommodating the evolution of technology over the next 10 or 15 years, it needs to avoid the trap of an excessively prescriptive and technically-defined approach.”
Let us put aside whether it is sensible or appropriate to try to future-proof powers – my view is that to do so repeats the error of RIPA – and then put aside the debate about whether bulk powers should exist at all. How might one go about a task of trimming bulk powers? What types of conduct might be candidates for never being authorised? What sort of limits on downstream use might be desirable and feasible?

The Report illustrates, perhaps more clearly than before, the very wide range of techniques that are brought to bear on bulk data (whether sourced from interception, equipment interference, bulk communications data acquisition or Bulk Personal Datasets). They range from real-time application of 'strong selectors' at the point of interception (akin to multiple simultaneous targeted interception), through to generalised pattern analysis and anomaly detection (utilised by MI6 on Bulk Personal Datasets in Case Study A11/2) designed to detect suspicious behaviour, perhaps in the future using machine learning and predictive analytics.

Pattern analysis is similar to data mining techniques described in A Question of Trust (AQOT):
"14.43. It is sometimes assumed that GCHQ employs automated data mining algorithms to detect target behaviour, as is often proposed in academic literature. That, it would say, is realistic for tasks such as financial fraud detection, but not for intelligence analysis."
AQOT included possible future developments of such techniques as one of several examples of capabilities that, at least cumulatively, would go beyond Bentham's Panopticon:

"13.19(d) A constant feed of data from vehicles, domestic appliances and healthmonitoring personal devices would enable the Government to identify suspicious (or life-threatening) patterns of behaviour, and take pre-emptive action to warn of risks and protect against them."
AQOT commented on those examples:

"13.20 Much of this is technically possible, or plausible. The impact of such powers on the innocent could be mitigated by the usual apparatus of safeguards, regulators and Codes of Practice. But a country constructed on such a basis would surely be intolerable to many of its inhabitants. A state that enjoyed all those powers would be truly totalitarian, even if the authorities had the best interests of its people at heart.
13.21. There would be practical risks: not least, maintaining the security of such vast quantities of data. But the crucial objection is that of principle. Such a society would have gone beyond Bentham’s Panopticon…"
Between the two ends of the spectrum are seeded analysis techniques, applied to current and historic bulk data. AQOT again:

"Much of [GCHQ's] work involves analysis based on a fragment of information which forms the crucial lead, or seed, for further work. GCHQ’s tradecraft lies in the application of lead-specific analysis to bring together potentially relevant data from diverse data stores in order to prove or disprove a theory or hypothesis. As illustrated by the case study on GCHQ’s website, significant analysis of data may be required before any actual name can be identified. This tradecraft requires very high volumes of queries to be run against communications data as results are dynamically tested, refined and further refined. GCHQ runs several thousand such communications data queries every day. One of the benefits of this targeted approach to data mining is that individuals who are innocent or peripheral to an investigation are never looked at, minimising the need for intrusion into their communications."
A similar explanation of seeded analysis of bulk data was given by Lord Evans in evidence to the Commons Public Bill Committee 24 March 2016. 

A "strong selectors" technique whereby the full catch from a transmission is stored for only a few seconds for processing before being discarded may rate relatively low on the Orwell scale.  Seeded analysis rates fairly high, since it relies on bulk data (albeit filtered to some degree) being stored for later querying. Unseeded pattern analysis and anomaly detection is off the scale.  It is closest to the characterisation by M. Delmas-Marty, a French lawyer quoted in the Review report: "Instead of starting from the target to find the data, one starts with the data to find the target."  
As it stands the Bill's bulk powers regime would empower all these techniques with no distinction between them, leaving it to the judgement of the Secretary of State, the Judicial Commissioners and after the event oversight to regulate and possibly limit their use under principles of necessity and proportionality.

An informed debate about trimming bulk powers could entail discussion of whether unseeded pattern analysis and anomaly detection should be permitted, and if so whether only for very specific and limited purposes.  It could also look at whether specific rules should govern seeded analysis.  It might also consider whether individual sets of "strong selectors" should require separate warrants, by analogy with non-thematic targeted interception warrants. Regrettably, in part due to the late stage at which the Bulk Powers Review has taken place, very little such nuanced debate has taken place.
Trim in the Bill, not Codes of Practice
Limitations on the scope of powers belong in the Bill and should not be left to Codes of Practice.

Although the government often states that the Codes of Practice 'have statutory force' (see e.g. Letter from Lord Keen to Lord Rooker, 8 July 2016, they do not have the same force as a statute. Their status and effect are limited to that set out in Schedule 7 para 6 (which possibly confers on Codes of Practice a weaker general interpretative role than does RIPA s.72).
Trimming approaches
Different kinds of analytical techniques apart, possible approaches to trimming bulk powers can be considered by reference to different facets of the powers.  I give some illustrative examples below, not necessarily to advocate them but more as an aid to understanding.
A.    Purposes
The Bill as currently drafted applies three cumulative sets of purposes to the interception and equipment interference bulk powers:
1.       The statutory purposes (national security etc).  Some have called for national security to be defined.
2.      Operational purposes. A new government amendment in response to a suggestion from the Intelligence and Security Committee provides that a list of purposes approved by the Secretary of State must be maintained by the heads of the intelligence services. The Secretary of State must be satisfied that an operational purpose to be included in the list is specified in a greater level of detail than the statutory purposes.
3.      Overseas-related purpose. The Bulk Powers Operational Case places considerable weight on the fact that the bulk interception and equipment interference powers are overseas-related.  Thus BI is described at 7.1 as a 'capability designed to obtain foreign-focused intelligence'. Similarly BEI is described at 8.2 as 'foreign-focused'. However:
a.      Obtaining 'overseas-related' data need only be the main, not the sole, purpose of the warrant.
b.      Overseas-related communications include those in which the individual overseas is communicating with someone (or something) in the UK.
c.       The 'overseas-related' limitation on purpose is exhausted once the information has been acquired by means of the bulk interception or interference (see the comments on RIPA S.16 in the Liberty IPT case, para 101 et seq. The Bill is structured in a similar way.)
d.     As the Operational Case acknowledges, non-overseas-related communications and information (and associated secondary data and equipment data) may be incidentally acquired. While the Operational Case attempts to downplay the significance of this, it provides no evidence on which to conclude that collateral acquisition may not be on a substantial scale.
e.      There is no obligation to discard, or attempt to discard, or discard upon gaining awareness of its presence, non-overseas-related material acquired in this way.
f.        The need to obtain a targeted examination warrant in relation to persons within the British Islands applies only to content, not to secondary data or equipment data.
g.      Secondary data and equipment data will under the Bill include some material extracted from content that under RIPA would be regarded as content. The expanded categories appear to go wider than what might intuitively be thought of as communications data (see Section F below).
h.      The purposes for which the Operational Case contemplates that secondary data and equipment data may be analysed go far beyond the limited purpose of ascertaining the location of a person ventilated in the Liberty IPT case (see Section G below).
Some possible approaches to trimming:
(1)   Limit the downstream use that can be made of collected material (whether content or secondary data/equipment data) to match the overseas-related main purpose for which it can be collected.
(2)  An obligation to seek out and remove, or remove upon gaining awareness of its presence, non-overseas-related material.
(3)  Raise the location threshold, so that a British Islands resident does not automatically lose content protection merely by venturing half-way across the English Channel (cf Keir Starmer, Commons Committee, 12 April 2016 at col. 116)].

B.    Types of data and communication
With one exception the bulk powers in the Bill make no distinction between types of communication. They range from human to human messaging of various types through to automated communications and single-user activities such as browsing websites.
The one exception arises from the definition of overseas-related communications, applicable to interception and equipment interference bulk powers: communications sent by or received by individuals who are outside the British Islands. 
This would include an e-mail sent by an individual within the British Islands to an individual outside the British Islands and vice versa. It would exclude a search request sent by an individual within the British Islands to an overseas server (since there is a server, not an individual, at the other end). But it would include a search request sent by an individual outside the British Islands to a UK server.
The significance of this exclusion is, however, reduced by the ‘by-catch’ provisions.  Unless the agencies are able to filter out excluded material at the point of collection then, as with RIPA, it is collectable as a necessary incident and falls into the general pool of selectable data.
The Bill contains no indication of when a communication is to be regarded as sent by or received by an individual. An e-mail or text message addressed to an individual clearly is so. What about an e-mail addressed to, or sent by, a corporate account? What about machine-generated e-mails? When is a communication generated by or sent to an individual’s device without the knowledge of the individual to be regarded as sent or received by the individual? Background smartphone communications are an obvious example. What if a car, without the owner/driver/passenger’s knowledge, automatically generates and sends an e-mail requesting a service or an emergency message, including associated location data?
Some possible approaches to trimming:
(1)   Limit the extent to which background and machine generated communications may be regarded as sent or received by an individual.
(2)  An obligation as in B(2) above to remove non-overseas-related material would imply an obligation to remove kinds of overseas communication not sent or received by an individual.
(3)  Should powers apply to all types of communication, or only human to human messaging?
C.    Types of conduct authorised
Some possible approaches to trimming:
(1)   Limit scope by reference to concrete types of conduct that can (or specifically cannot) be authorised. The Centre for Democracy and Technology submission to draft Bill Joint Committee at [42], repeated in CDT evidence to the Public Bill Committee at [20] to [25], suggested this kind of approach for equipment interference warrants in relation to the possibility of mandating encryption back doors.
D.   Use of incidentally collected data
As discussed in my evidence to the Joint Committee ([117]to [137]) and above in relation to overseas-related communications there is a fundamental issue concerning the extent to which domestic content and secondary data collected as a by-product of the overseas-related bulk powers can be used in non-overseas-related ways.
Some possible approaches to trimming:
(1)   As above (B(1)).

E.    Extent of secondary data and equipment data
The Bill embodies a significant shift (compared with RIPA) towards classifying various types of content as secondary data or equipment data (see my blog post).  The Bill appears to go further than extracting communications traffic data (e-mail addresses and the like) from the body of a communication such as an e-mail. It appears to include the ‘who where and when’ not just of communications, but of people’s real world activities per se. 
Some possible approaches to trimming:
(1)   Limit extracted metadata to true communications data (i.e. data about communications).
F.     Types of use of bulk secondary, equipment and communications data
Various uses of bulk metadata have been ventilated. The Bulk Powers Review contains numerous examples. They types of use can differ significantly from each other. For instance:
-         To determine whether the sender or recipient of a communication is within or outside the British Islands (the very limited purpose advanced by the government in the Liberty IPT case – see my evidence to the Joint Committee at [128] to [130])
-         To have visibility of a full historic record so that authorities can go back and find out after the event about a malefactor’s communications and online activities
-         Seeded analysis to find a target’s associates or more about a target’s identity (as discussed above)
-         Target discovery based on patterns of behaviour, as discussed above (see also Operational Case [3.3] and [3.6]).
These various uses have different implications for the rationale for collecting data in bulk. At one end of the spectrum bulk collection is seen as a necessary evil, required only because for technical reasons (e.g. fragmentation of packets or presence of the target in other countries) target communications cannot be separated at point of collection from the rest. That may hold out the prospect that as technology improves it becomes possible to carry out more targeted bulk collection, particularly as real time capabilities increase. 
At the other end of the spectrum (pattern detection and predictive analysis) bulk collection is can become more of an end in itself: amassing data so as to provide the most accurate ‘normal’ baseline against which ‘suspicious’ behaviour patterns can be detected. This appears to carry no prospect of reducing the quantity of metadata collected – probably the opposite.
The Bill is almost completely devoid of concrete limitations on, or distinctions between, the types of use that can be made of bulk metadata. The limits are the statutory purposes, operational purposes and necessity and proportionality. The Bulk Powers Review proposes a Technical Advisory Panel to assist the Investigatory Powers Commission in keeping technological developments under review.
Some possible approaches to trimming:
Limitations on use could be based on e.g.
(1)   the justification provided to the IPT in Liberty;
(2)  specific seeded analysis versus more generalised pattern detection
(3)  limitations on numbers of hops when following possible associations (Twitter followers, Facebook friends etc)
(4)  applying the non-British Islands examination restriction to metadata searches (note Operational Case paras 5.14 to 5.19).
G.    Types and location of conduct authorised by warrants
The bulk warrantry system seems to allow for three possibilities:
(1)   Unilateral conduct by the intercepting or equipment interfering agency without the knowledge or assistance of the CSP
(2)  Assisted conduct under a warrant supported by a technical capability notice
(3)  Assisted conduct under a warrant without the support of a technical capability notice
The Bill does not specify any specific circumstances in which these different approaches are or are not appropriate (other than technical capability notices for equipment interference limited under Clause 228(10)/(11) to UK CSPs). Nor are the different approaches addressed in the Operational Case. Similarly AQOT:
"Implementing a s8(1) warrant generally relies on the cooperation of service providers, acting typically in response to a direction from the Government under RIPA s12. A copy of the intercepted communication is passed by the companies to the intercepting agencies who examine it using their own staff and facilities. External communications may be obtained under a s8(4) warrant either directly by GCHQ, using its own capabilities, or through a service provider." (emphasis added)
Some possible approaches to trimming:
(1)   Limitations (perhaps territorial) on unilateral conduct under bulk warrants.
(2)  Special thresholds for the use of (say) bulk equipment interference warrants.
(3)  Limits on what a technical capability notice can require.

H.   Intermediate stages
Bulk interception and use of its product may take place in several stages, such as: collection, culling (discard of unwanted types of data), filtering (use of positive selectors), storage for subsequent querying by analysts.  Whether these techniques are typically applied to secondary data to the same extent as to content is unclear.
The Bill says nothing detailed about the culling and filtering stages, other than restrictions by reference to someone's location within the British Islands on selection of content for examination.
Some possible approaches to trimming:
(1)   Specific obligation to apply data minimisation techniques at intermediate stages, applicable to both content and metadata
(2)  Specific provisions controlling culling and selector types (for instance requiring individual warrants for "strong selectors")
I.      Real time versus periodic
Is the bulk communications data acquisition power meant to be one that should be exercised occasionally when specific circumstances justify it, or can it be exercised routinely? If the latter, could it be used as a near-real time or quasi-real time feed?

A one-off data dump in exceptional circumstances is a rather different animal from a near real-time tool. In this context the recent IOCCO report speaks of ‘regular feeds’ acquired under S.94 Communications Act 1984.   The Bill appears to cover both possibilities.
Some possible approaches to trimming:
(1)   Specially justified occasions versus frequent routine feeds.

J.     Interaction with communications data retention
The bulk communications data acquisition power is closely linked to the communications data retention power.  The more broadly the data retention power is exercised, the greater the range of datatypes that will be available to be acquired in bulk.
It is significant in this context to recall that the data retention power (a) goes far wider than the internet connection records that the government has so far discussed and budgeted for in its Impact Assessment; and (b) unlike DRIPA, can be used to require relevant communications data to be generated or obtained, not merely retained. 
Some possible approaches to trimming:
(1)   Limit bulk acquisition power to concretely specified types of communications data; and/or
(2)  Require specified public consultation and procedures if any extension of compelled retention or acquisition is contemplated.
K.    Types of operator
The Bill significantly extends the classes of operator to which the various powers can be applied.  The table below compares the powers in current legislation (mainly RIPA, but bearing in mind the extension effected by DRIPA) with those in the Bill.

Compliance and assistance obligations expressly applicable to private operators are highlighted in green.  "Telecommunications operator" under the Bill definition at Clause 233(10) includes private networks (and 'service' is not restricted to a commercial service).  

The draft Codes of Practice suggest that most powers would be exercised more sparingly.




Data retention notice

Public telecommunications operator (DRIPA)

Telecommunications operator (89(1))

Communications data acquisition notice

Provider of a telecommunications service  (RIPA)

Telecommunications operator (62)

Interception warrant

(1) Public telecommunications service (2) telecommunication system wholly or partly within UK (RIPA)

Telecommunications operator (41, 139(5))

Interception capability notice

Public telecommunications services (RIPA) > 10,000 persons in UK) (regulations)

Relevant operator (includes telecommunications operator) (226(1)/228(9))

Other technical capability notices


Relevant operator (includes telecommunications operator) (226(1)/228(9)); (some UK enforceable only)(228(10)/(11))

Equipment interference warrant

? (ISA 1994)

Telecommunications operator (120, 167); UK enforceable only (120(7), 175(5))

Bulk communications data acquisition warrant

Public electronic communications network providers (TA 1984)

Telecommunications operator (157); (UK enforceable only) (157(5))

National security notice

Public electronic communications network providers (TA 1984)

UK telecommunications operator (225(1), 228(9) and (10)).

Some possible approaches to trimming:

(1)   Stricter definitions of the kind of operators that can be subjected to duties to assist or comply, or in what circumstances. 

A.    Technical capability notices
The power to give technical capability notices is open-ended, not limited to the list of examples given in Clause 226(5). 

Some possible approaches to trimming:

(1)   Convert powers to make regulations and give technical capability notices from illustrations into a clearly specified list that limits the exercise of the powers.