Thursday, 22 February 2018

Illuminating the Investigatory Powers Act

As full implementation of the Investigatory Powers Act (IPAct) draws closer we can usefully ponder some of its more ticklish points of interpretation. These will serve to delineate the IPAct's powers, crystallise the legislation's procedural requirements and determine who can be compelled to do what.

Unlike its predecessor, the Regulation of Investigatory Powers Act 2000 (RIPA), the IPAct comes with expectations of openness and transparency.  The Act itself exposes a panoply of powers to the public gaze.  But despite its 300 pages of detail, decisions will still have to be made about the meaning of some provisions and how they are to be applied.

Previously such legal interpretations have tended to come to light, if at all, as a consequence of the Snowden revelations or during litigation brought by civil liberties organisations. Examples include the meaning of ‘external’ communications under RIPA, the legal basis for thematic interception warrants under RIPA, and the use of S.94 Telecommunications Act 1984 powers to acquire bulk communications data from telecommunications companies.

In the field of surveillance, hidden legal interpretations influencing how powers are wielded are in substance as much part of the law as the statute that grants the powers.  This can be problematic when a cornerstone of the rule of law is that laws should be publicly promulgated. People should be able to know in advance the kind of circumstances in which the powers are liable to be used and understand the manner of their exercise. According to jurisprudential taste, secret law is either bad law or not law at all.

The new Investigatory Powers Commissioner has an opportunity to bring to public view legal interpretations that will mould the use of the IPAct's surveillance powers. 

Most IPAct powers require approval by a Judicial Commissioner or, as now proposed for communications data acquisition, a new Office for Communications Data Authorisations. The Judicial Commissioner or other reviewer may have to form a view about some provision of the Act when approving a warrant or notice.  Some interpretations may have significance that goes wider than a single approval.

Under the IPAct there is scope for an adopted interpretation to be published if that can be done without breaching the Commissioner's responsibilities not to act contrary to the public interest, nor prejudice national security or the prevention or detection of serious crime or the economic well-being of the UK.

What interpretations of the IPAct will have to be considered? The most heavily debated has been the level of scrutiny that Judicial Commissioners are required to apply to Ministerial decisions to issue warrants and technical capability notices. Gratefully donning my techlaw hat, I shall leave that problem to the public and administrative law experts who have been mulling over it since the draft Bill was published in November 2015.

Approval decisions will typically involve assessments of necessity and proportionality. These will by their nature be fact-sensitive and so more difficult to make public without revealing operational matters that ought to remain secret. Nevertheless some general approaches may be capable of being made public.

Among the most likely candidates for publication will be points of statutory construction: aspects of the IPAct's language that require a view to be taken of their correct interpretation.  

I have drawn up a list of provisions that present interpretative challenges of varying degrees of significance. Some of the points are old hobbyhorses, dating back to my comments on the original draft Bill. Others are new. No doubt more will emerge as the IPAct is put into practice.


Selection for examination

What is the issue?

Under a bulk interception warrant what kinds of activities count as selection for examination of intercepted content or secondary data? While the question can be simply put, the answer is not so easy.

Why is it significant?

Selection for examination underpins three provisions of the IPAct.

First, a separate targeted examination warrant must be obtained before selecting intercepted content for examination by use of criteria (such as an e-mail address) referable to an individual known to be in the British Islands, if the purpose is to identify the content of communications sent by or intended for that individual. (S.152(4)) (However, a targeted examination warrant is not required for secondary data. As to what is meant by secondary data, see below.)

Second, it is an offence (subject to applicable knowledge and intent thresholds) to select intercepted content or secondary data for examination in breach of the Act's safeguards. (S.155)

Third, a bulk interception warrant authorising selection for examination must describe the manner in which intercepted content or secondary data will be selected for examination and the conduct by which that activity will be secured (S.136(4)(c)).

The S.136(4)(c) requirement is new compared with the equivalent provisions of RIPA. Curiously, it is not referred to in the draft Interception Code of Practice.

It is important to know what activities amount to selection for examination.  This is a particular issue with automated processing.

Possible interpretations?

Examination means being read, looked at or listened to (S.263). But what activities are caught by selection for examination? How close a nexus does there have to be between the selection and any subsequent examination?  Does there have to be a specific intention to examine the selected item (for instance when an analyst makes a search request on a database)? Does selection for possible examination suffice?  (It is perhaps of interest that David Anderson Q.C.'s Bulk Powers Review at para 2.17 discusses under the heading of ‘Selection for Examination’ the use of strong and weak selectors to select material for “possible examination” by analysts.)

The Draft Interception Code of Practice describes a sequence of steps from obtaining the data through to examination by an analyst. It uses the term 'selection for examination' in ways that could refer to both selection by the analyst and intermediate processing steps:

"In practice, several different processing systems may be used to effect the interception and/or the obtaining of secondary data, and the selection for examination of the data so obtained.

These processing systems process data from the communications links or signals that the intercepting authority has chosen to intercept. A degree of filtering is then applied to the traffic on those links and signals, designed to select types of communications of potential intelligence value whilst discarding those least likely to be of intelligence value. As a result of this filtering, which will vary between processing systems, a significant proportion of the communications on these links and signals will be automatically discarded. Further complex searches may then take place to draw out further communications most likely to be of greatest intelligence value, which relate to the agency’s statutory functions. These communications may then be selected for examination for one or more of the operational purposes specified in the warrant where the conditions of necessity and proportionality are met. Only items which have not been filtered out can potentially be selected for examination by authorised persons." (emphasis added)

If selection for examination encompasses only the action of an analyst querying a database then S.136(4)(c) would still require the warrant to describe the manner in which an analyst could select content or secondary data for examination. That could include describing how analysts can go about searching databases. It might also cover the operation of Query Focused Datasets (databases in which the data is organised so as to optimise particular kinds of queries by analysts).

But does selection for examination exclude all the automated processing that takes place between bulk capture and storage? There appears to be no reason in principle why automated selection should be excluded, if the selection is 'for examination'.  

Details of the kinds of automated processing applied between capture and storage are mainly kept secret.  However some clues beyond the draft Code of Practice can be obtained from the Intelligence and Security Committee Report of March 2015 and from the Bulk Powers Review.  The Bulk Powers Review describes a process that uses ‘strong selectors’ (telephone number or email address) to select items in near real time as they are intercepted:

“As the internet traffic flows along those chosen bearers, the system compares the communications against a list of strong selectors in near real-time. Any communications which match the selectors are automatically collected and all other communications are automatically discarded.”

Such selection against a list of e-mail addresses or telephone numbers of interest is not made for any purpose other than examination, or at least possible examination. But does it count as selection for examination if (as described in the Bulk Powers Review) a further triage process may be applied?

“Even where communications are known to relate to specific targets, GCHQ does not have the resources to examine them all. Analysts use their experience and judgement to decide which of the results returned by their queries are most likely to be of intelligence value and will examine only these.”

Weaker selectors may relate to subject-matter and be combined to create complex non-real time queries which determine what material is retained for possible examination after triage. Pattern matching algorithms could perhaps be used to flag up persons exhibiting suspicious behavioural traits as candidates for further investigation.

The question of which, if any, of these processes amount to selection for examination is of considerable significance to the operation of the processes mandated by the IPAct.

Secondary data

What is the issue?

'Secondary data' under the IP Act has been extended, compared with RIPA's equivalent ‘related communications data’, so as to include some elements of the content of a communication. However the definition is difficult to apply and in some respects verges on the metaphysical.  

Why is it significant?

Secondary data, despite its name, is perhaps the most important category of data within the IP Act. It is, roughly speaking, metadata acquired under a targeted, thematic or bulk interception warrant. As such it is not subject to all the usage restrictions that apply to intercepted content.

In particular, unlike for content, there is no requirement to obtain a targeted examination warrant in order to select metadata for examination by use of a selector (such as an e-mail address) referable to someone known to be in the British Islands.

The broader the scope of secondary data, therefore, the more data can be accessed without a targeted examination warrant and the more of what would normally be regarded as content will be included.

Possible interpretations?

Under S.137 of the IPAct secondary data includes:

“identifying data which -

(a) is comprised in, included as part of, attached to or logically associated with the communication (whether by the sender or otherwise),
(b) is capable of being logically separated from the remainder of the communication, and
(c) if it were so separated, would not reveal anything of what might reasonably be considered to be the meaning (if any) of the communication, disregarding any meaning arising from the fact of the communication or from any data relating to the transmission of the communication.”

Identifying data is data which may be used to identify, or assist in identifying, any person, apparatus, system or service, any event, or the location of any person, event or thing.

Identifying data is itself broadly defined. It includes offline as well as online events, such as date or location data on a photograph. However the real challenge is in understanding (c). How does one evaluate the ‘meaning’ of the communication for these purposes? If a name, or a location, or an e-mail address, or a time is extracted from the communication does that on its own reveal anything of its meaning? Is each item extracted to be considered on its own, or are the extracted items of data to be considered together?  How is the ‘meaning’ of a machine to machine communication to be evaluated? Is the test what the communication might mean to a computer or to a human being?

A list of the specific types of data that do and do not fall either side of the line can be a useful aid to understanding abstract data-related definitions such as this. Among the Snowden documents was a GCHQ internal reference list distinguishing between content and related communications data under RIPA.


Applied by or on behalf of

What is the issue?

A technical capability notice (TCN) can require a telecommunications operator to install a specified capability to assist with any interception, equipment interference or bulk acquisition warrant, or communications data acquisition notice, that it might receive in the future.

In particular a TCN can require a telecommunications operator to have the capability to remove electronic protection applied by or on behalf of that operator to any communications or data. This includes encryption. But when is encryption applied "by or on behalf of" that operator?

Why is it significant?

During the passage of the Bill through Parliament there was considerable debate about whether a TCN could be used to stop a telecommunications operator providing end to end encryption facilities to its users. The question was never fully resolved. One issue that would arise, if an attempt were made to use TCNs in that way, is whether the E2E encryption was applied by or on behalf of the operator. If not, then there would be no jurisdiction to issue a TCN in relation to that encryption facility.

Possible interpretations?

In principle, encryption could be applied by the operator, by the user, or by both. An operator would no doubt argue that under the E2E model it is providing the user only with the facility to apply encryption and that any encryption is applied by the user, not the operator.  The strength of that argument could vary depending on the precise technical arrangements in a particular case.


Obtaining data by generation

What is the issue?

The IP Act empowers the Secretary of State, with the approval of a Judicial Commissioner, to give a communications data retention notice to a telecommunications operator. A notice can require the operator to retain specified communications data for up to 12 months.

A data retention notice may, in particular, include:

“requirements or restrictions in relation to the obtaining (whether by collection, generation or otherwise), generation or processing of (i) data for retention, or (ii) retained data.”

This provision makes clear that a requirement to retain data can include obtaining or generating data for retention. But what exactly does that mean? In particular, why does ‘obtaining’ data for retention include ‘generation’?

Why is it significant?

Mandatory communications data retention is one of the most controversial aspects of the IP Act. It is under challenge in the courts and, as a result of previous legal challenges, the government is already having to consult on amendments to the Act.

The powers to require data retention are broader in every respect than those in the predecessor legislation, the Data Retention and Investigatory Powers Act 2014. They can be used against private, not just public, telecommunications operators. They cover a far wider range of data. And they can require data be obtained and generated, not just retained.

So the width of these new powers is significant, especially as telecommunications operators are required not to disclose the existence of data retention notices to which they are subject.

Possible interpretations?

What does it mean to ‘obtain’ data by ‘generation’? It apparently means something different from just generating data for retention, since that is spelt out separately. The most far reaching interpretation would be if the notice could require the operator to require a third party to generate and hand over communications data to the operator. Could that be used to compel, say, a wi-fi operator to obtain and retain a user's identity details?

There was no suggestion during the Parliamentary debates that it could be used in that way, but then the curious drafting of this provision received no attention at all.


‘Internet service’ and ‘internet communications service’

What is the issue?

The IPAct uses both ‘internet service’ and ‘internet communications service’ in its provisions that set out the limits on public authority access to internet connection records (ICRs). However it provides no definitions. Nor are these well understood industry or technical terms.

Why is it significant?

ICRs are logs of visited internet destinations such as websites. ICRs are particularly sensitive since they can be a rich source of information about someone’s lifestyle, health, politics, reading habits and so on. The IP Act therefore places more stringent limits, compared with ordinary communications data, on the authorities that may access ICRs and for what purposes.

The Act stipulates several purposes for which, in various different circumstances, a public authority can access ICRs. They include:
  • to identify which person or apparatus is using an internet service where the service and time of use are already known. (S.62(3))
  • to identify which internet communications service is being used, and when and how it is being used, by a person or apparatus whose identity is already known. (S.62(4)(b)(i) and S.62(5)(c)(i))
  • to identify which internet service is being used, and when and how it is being used, by a person or apparatus whose identity is already known. (S.62(4)(b)(iii) and S.62(5)(c)(iii))

The second and third purposes apply identically to internet services and internet communications services. The first purpose applies only to internet services.

The purposes for which the powers can be used may therefore differ, depending on whether we are dealing with an internet service or an internet communications service. But as already noted, the Act does not tell us what either of these terms means.

Possible interpretations?

We can find clues to interpretation in the footnotes to the draft Communications Data Code of Practice. 

Footnote 49 says that an ‘internet service’ is a service provided over the internet. On the face of it this would seem to exclude a service consisting of providing access to the internet. However the example illustrating S.62(3) in paragraph 9.6 of the draft Code suggests differently.

Footnote 49 goes on to say that 'internet service' includes ‘internet communication services, websites and applications.’ It also suggests examples of online travel booking or mapping services.

This explanation presents some problems.

First is the suggestion that internet communication services are a subset of internet services. If that is right then subsections 62(4)(b)(i) and 62(5)(c)(i) of the Act (above, internet communication services) are redundant, since the respective subsections (iii) already cover internet services in identical terms.

If ‘internet communication service’ is redundant, then the uncertainties with its definition may not signify since S.62 can simply be applied to any 'internet service'.

Elsewhere the draft Code suggests that the subsections (iii) relate to ‘other’ internet services (i.e. additional to internet communications services covered by subsections (i)). However that language does not appear in the Act.

Second is the suggestion that websites and applications are different from internet communications services.  On the face of it an internet communication service could mean just e-mail or a messaging service. But if so, what are we to make of ‘applications’ as something different, since many messaging services are app-based?

Last, to add to the confusion, footnote 48 of the Draft Code of Practice says that an internet communication service is a service which provides for the communication between one or more persons over the internet and ‘may include’ email services, instant messaging services, internet telephony services, social networking and web forums.

This goes wider than just e-mail and messaging services. Does it, for instance, include online games with the ability to chat to other players?  In context does ‘person’ refer only to a human being, or does it include machine communications?

Those involved in authorising and approving applications for access to ICRs will have to take a view on what these terms mean and how they fit together within the scheme of the Act. 

Material whose possession is a crime

What is the issue?

Another ground on which access to ICRs may be obtained is to identify where or when a known person is accessing or running a file or program which “wholly or mainly involves making available, or acquiring, material whose possession is a crime”. There are relatively few offences that are committed by mere possession of material. Illicit drugs and indecent images of children are two mentioned in the draft Code of Practice.

Why is it significant?

The width of the definition affects what kinds of criminal activity can be the subject of applications to access ICRs under this head.

Possible interpretations?

Does the section apply more widely than mere possession, for instance where possession is an offence only if it is with a view to some other activity? What about possession offences where possession is not an offence if it is for personal use?


URLs up to the first slash

What is the issue?

It has long been understood that under RIPA the portion of a web address to the right of the first slash is content, but otherwise the URL is communications data. RIPA contained a convoluted definition designed to achieve that result. Although the Home Office says that the IPAct achieves the same result, exactly how the definitions achieve that is not always obvious.

Why is it significant?

Communications data retention and acquisition powers can be deployed only against communication data, not content. So it is important to know what is and is not content.  It is especially important for Internet Connection Records, which the Home Office has repeatedly said include top-level web addresses but not page URLs.

In June 2015, in A Question of Trust at paragraph 9.53, David Anderson Q.C. said that the Home Office had provided him with this definition of 'weblogs' (now known as ICRs):

“Weblogs are a record of the interaction that a user of the internet has with other computers connected to the internet. This will include websites visited up to the first ‘/’ of its [url], but not a detailed record of all web pages that a user has accessed. This record will contain times of contacts and the addresses of the other computers or services with which contact occurred.”

He went on:

"Under this definition a web log would reveal that a user has visited e.g. or, but not the specific page."

He also noted  that:

"Under the current accepted distinction between content and CD, would be communications data while would be content; and this is set out in the Acquisition Code. However there are arbitrary elements to that definition – for example (no ‘www.’) takes you to the same place as”

Possible interpretations?

The House of Commons Science and Technology Committee criticised the data definitions in the draft Bill.  They remain complex and abstract in the final legislation.

Towards the end of the pre-Bill scrutiny the Home Office submitted evidence to the Joint Committee that gave more information about what kinds of data would constitute communications data and ICRs. 

In the table at Annex A para 20 of its written evidence the Home Office classified as ‘content’ the following:

“The url of a webpage in a browsing session (e.g. or or friend’”

The first example reflected the prior understanding that a full URL is content. The second and third examples (subdomains) depart from the previous understanding set out in the above extract from ‘A Question of Trust’ by classifying the material to the left of the first slash as content.

Whatever the merits of this approach in removing some of the arbitrariness noted by David Anderson, it is difficult to find anything in the legislation that draws the line at the point suggested. The Home Office evidence gave no explanation of why it drew the line where it did. 

The draft Communications Data Code of Practice does not address the point specifically, but its explanation of fully qualified domain names at page 17 might perhaps suggest that the Home Office has now reverted to the original position described in A Question of Trust.
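The two readings discussed above can be compared mechanically. The following is an added illustration, not part of the original post and not taken from any Home Office or statutory text: it splits a web address under the "first slash" reading and under a stricter reading in which subdomain labels are also treated as content. The function names, the small suffix set, the sample hosts, and the choice to treat every label left of the registrable domain alike (including "www") are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for a public-suffix list; covers only the sample hosts.
ASSUMED_PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

_HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def split_at_first_slash(url):
    """Return (host, remainder) where remainder starts at the first slash.

    Userinfo and port are dropped from the host; that is a choice made by
    this sketch, not something the page specifies.
    """
    if not _HAS_SCHEME.match(url):
        url = "//" + url  # let urlsplit see a bare "host/path" as a netloc
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    remainder = parts.path
    if parts.query:
        remainder += "?" + parts.query
    if parts.fragment:
        remainder += "#" + parts.fragment
    return host, remainder


def registrable_domain(host):
    """Return the label directly left of the longest known suffix, plus the suffix."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in ASSUMED_PUBLIC_SUFFIXES:
            return host if i == 0 else ".".join(labels[i - 1:])
    return host  # unknown suffix: treat the whole host as the domain


def classify(url, reading="first_slash"):
    """Return (communications_data, content_parts) under the chosen reading."""
    host, remainder = split_at_first_slash(url)
    if reading == "first_slash":
        # Everything left of the first slash is communications data.
        return host, ([remainder] if remainder else [])
    if reading == "subdomain_as_content":
        # Assumed stricter reading: subdomain labels also count as content.
        base = registrable_domain(host)
        sub = host[: -len(base) - 1] if host != base else ""
        return base, [part for part in (sub, remainder) if part]
    raise ValueError("unknown reading: " + reading)


if __name__ == "__main__":
    # Constructed sample addresses, not the examples elided from the page.
    samples = [
        "https://www.example.com/news/story?id=7",
        "example.com/news/story?id=7",
        "news.example.co.uk/politics",
    ]
    for url in samples:
        for reading in ("first_slash", "subdomain_as_content"):
            print(reading, url, "->", classify(url, reading))
```

Under the first reading the "www." and bare forms of the same site produce different records, which is the arbitrariness David Anderson noted; under the second they collapse to the same record, but the outcome then depends on where the registrable domain is taken to end.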

Given the sensitivity of ICRs this is an area in which clarity is important, not just for ISPs who are subject to the IPAct's requirements but also so that the general public can know what kinds of data are potentially subject to retention and access. 

This is another example pointing to the desirability of publishing a comprehensive list of datatypes illustrating what kinds of data fall into which categories and, by reference to the definitions in the IPAct itself, why they do so.

Monday, 18 December 2017

Internet legal developments to look out for in 2018

A preview of some of the UK internet legal developments that we can expect in 2018. Any future EU legislation will be subject to Brexit considerations and may or may not apply in the UK.

EU copyright reform
In 2016 the European Commission published proposals for

- a Directive on Copyright in the Digital Single Market. As it navigates the EU legislative process the proposal continues to excite controversy, mainly over the proposed publishers’ ancillary right and the clash between Article 13 and the ECommerce Directive's intermediary liability provisions.

- a Regulation extending the country of origin provisions of the Satellite and Cable Broadcasting Directive to broadcasters' ancillary online transmissions. Most of the Commission’s proposal was recently rejected by the European Parliament.

- legislation to mandate a degree of online content portability within the EU. The Regulation on cross-border portability of online content services in the internal market was adopted on 14 June 2017 and will apply from 20 March 2018.

EU online business
As part of its Digital Single Market proposals the European Commission published a proposal for a Regulation on "Geo-blocking and other forms of discrimination". It aims to prevent online retailers from discriminating, technically or commercially, on the basis of nationality, residence or location of a customer. Political agreement was reached in November 2017. The Regulation would come into force nine months from publication in the EU Official Journal.

Telecoms privacy
The proposed EU ePrivacy Regulation continues to make a choppy voyage through the EU legislative process.

Intermediary liability
On 28 September 2017 the European Commission published a Communication on Tackling Illegal Content Online.  This is a set of nominally voluntary guidelines under which online platforms would adopt institutionalised notice and takedown/staydown procedures and proactive content filtering processes, based in part on a system of 'trusted flaggers'. The scheme would cover every kind of illegality from terrorist content, through copyright to defamation. The Commission aims to determine by May 2018 whether additional legislative measures are needed.

Politicians have increasingly questioned the continued appropriateness of intermediary liability protections under the Electronic Commerce Directive. The UK Committee on Standards in Public Life has suggested that Brexit presents an opportunity to depart from the Directive. The government has published its Internet Safety Strategy Green Paper. More to come in 2018.

The appeal to the UK Supreme Court in Cartier, on who should bear the cost of complying with site blocking injunctions, should be heard during 2018.

TV-like regulation of the internet
The review of the EU Audio Visual Media Services Directive continues. The Commission proposal adopted on 25 May 2016 would further extend the Directive's applicability to on-demand providers and internet platforms.

Pending CJEU copyright cases
More copyright references are pending in the EU Court of Justice. Issues under consideration include whether the EU Charter of Fundamental Rights can be relied upon to justify exceptions or limitations beyond those in the Copyright Directive; and whether a link to a PDF amounts to publication for the purposes of the quotation exception (Spiegel Online GmbH v Volker Beck, C-516/17). Another case on the making available right (Renckhoff, C-161/17) is pending. It is also reported that the Dutch Tom Kabinet case on secondhand e-book trading has been referred to the CJEU.

ECommerce Directive
Two cases involving Uber are before the CJEU, addressing in different contexts whether Uber’s service is an information society service within the Electronic Commerce Directive. Advocate General Szpunar gave an Opinion in Asociación Profesional Élite Taxi v Uber Systems Spain, C-434/15 on 11 May 2017 and in Uber France SAS, Case C-320/16 on 4 July 2017.

Online pornography
The Digital Economy Act 2017 grants powers to a regulator (recently formally proposed to be the British Board of Film Classification) to determine age control mechanisms for internet sites that make ‘R18’ pornography available; and to direct ISPs to block such sites that either do not comply with age verification or contain material that would not be granted an R18 certificate. The DCMS has published documents including draft guidance to the Age Verification Regulator.

Cross-border liability and jurisdiction
Ilsjan (Case C-194/16) is another CJEU reference on the Article 7(2) (ex-Art 5(3)) tort jurisdiction provisions of the EU Jurisdiction Regulation. The case concerns a claim for correction and removal of harmful comments. It asks questions around mere accessibility as a threshold for jurisdiction (as found in Pez Hejduk) and the eDate/Martinez ‘centre of interests’ criterion for recovery in respect of the entire harm suffered throughout the EU. The AG Opinion in Ilsjan was delivered on 13 July 2017.
The French CNIL/Google case on search engine de-indexing has raised significant issues on extraterritoriality, including whether Google can be required to de-index on a global basis. The Conseil d'Etat has referred various questions about this to the CJEU.

Online state surveillance
The UK’s Investigatory Powers Act 2016 (IP Act), partially implemented in 2016 and 2017, is expected to come fully into force in 2018. However the government has acknowledged that the mandatory communications data retention provisions of the Act are unlawful in the light of the Watson/Tele2 decision of the CJEU. It has launched a consultation on proposed amendments to the Act, including a new Office for Communications Data Authorisation to approve requests for communications data. Meanwhile a reference to the CJEU from the Investigatory Powers Tribunal questions whether the Watson decision applies to national security, and if so how.
The IP Act (in particular the bulk powers provisions) may also be indirectly affected by cases in the CJEU (challenges to the EU-US Privacy Shield), in the European Court of Human Rights (various NGOs challenging the existing RIPA bulk interception regime) and by a judicial review by Privacy International of an Investigatory Powers Tribunal decision on equipment interference powers. However in that case the Court of Appeal has held that the Tribunal decision is not susceptible of judicial review.  One of the CJEU challenges to the EU-US Privacy Shield was held by the General Court on 22 November 2017 to be inadmissible for lack of standing.
Liberty's challenge by way of judicial review to the IP Act bulk powers and data retention powers is pending.
Compliance of the UK’s surveillance laws with EU Charter fundamental rights will be a factor in any data protection adequacy decision that is sought once the UK becomes a non-EU third country post-Brexit.

[Update 18 Dec. Replaced 'EU law' in last para with 'EU Charter fundamental rights'.]

Wednesday, 13 December 2017

Cyberleagle Christmas Quiz

[Updated with answers, 1 January 2018]

15 questions to illuminate the festive season. Answers in the New Year. (Remember that this is an English law blog). 

Tech teasers 

1. How many data definitions does the Investigatory Powers Act 2016 (IP Act) contain?

Twenty-one: Communications data, Relevant communications data, Entity data, Events data, Internet connection record, Postal data, Private information, Secondary data, Systems data, Related systems data, Equipment data, Overseas-related equipment data, Identifying data, Target data, Authorisation data, Protected data, Personal data, Sensitive personal data, Targeted data, Content, and Data. 

2. A technical capability notice (TCN) under the IP Act could prevent a message service from providing end to end encryption to its users. True, False or Maybe?

Maybe. A TCN could require the provider to have a capability to remove electronic protection applied by it if, among other things, that is technically feasible. The most significant question is whether the message service provider is regarded as itself applying the E2E encryption. If so, then a TCN could possibly be used to require such a provider to adopt a different model. If the user is regarded as applying the encryption then a TCN could not be used. 

3. Under the IP Act a TCN requiring installation of a permanent equipment interference capability could be served on a telecommunications operator but not a device manufacturer. True, False or Maybe?

True. Device manufacturers are outside the scope of TCNs. If a device manufacturer provides a telecommunications service (for instance where a phone manufacturer also provides its own messaging service) then it could be within scope, but only for its telecommunications service activities. 

4. Who made a hash of a hashtag?

In an interview in March 2017 Home Secretary Amber Rudd famously referred to the need for assistance from those who ‘understand the necessary hashtags’.  A week later a Home Office Minister explained that she had intended to refer to image hashing, not hashtags. So strictly speaking she made a hashtag of a hash.

Brave new world

5. Who marked the new era of post-Snowden transparency by holding a private stakeholder-only consultation on a potentially contentious IP Act draft Statutory Instrument?

As required by the IP Act the Home Secretary consulted various specified stakeholders on draft technical capability regulations (see 2 and 3 above) prior to laying them before Parliament for approval. The consultation was conducted privately, excluding the general public and civil society groups. However the Open Rights Group obtained and published a copy of the draft regulations.

6. Who received an early lesson in the independence of the new Investigatory Powers Commissioner?

GCHQ. Its November 2017 approach to the Investigatory Powers Commissioner to discuss the possibility of a protocol for reducing evidential issues in Investigatory Powers Tribunal or other cases was politely but firmly rebuffed. 

The penumbra of ECJ jurisdiction

7. The EU Court of Justice (CJEU) judgment in Watson/Tele2 was issued 22 days after the IP Act received Royal Assent. How long elapsed before the Home Office published proposals to amend the Act to take account of the decision?

344 days. The Consultation was published on 30 November 2017.

8. The Investigatory Powers Tribunal has recently made a referral to the CJEU. What is the main question that the CJEU will have to answer about the scope of its Watson decision?  

Paraphrased, the main question is whether national security is excluded from the Watson decision as being outside the scope of EU law.

9. What change was made in the IP Act’s bulk powers, compared with S.8(4) RIPA, that would render the CJEU’s Q.8 answer especially significant?

In the IP Act the purposes for which the bulk powers may be exercised are all framed by reference to national security. In RIPA (as amended by DRIPA 2014) the serious crime purpose does not have to be related to national security. 

10. After Brexit we won't need to worry about CJEU surveillance judgments, even if we exit the EU with no deal. True, False or Maybe? 

False, at least if the UK wishes to have a data protection adequacy determination that would enable EU countries to transfer personal data to the UK. As the USA discovered in Schrems, a third country’s surveillance regime can be a significant factor in an adequacy determination.

Copyright offline and online

11. Tweeting a link to infringing material is itself an infringement of copyright. True, False or Maybe?  

Maybe, depending on whether (a) you know that the material is infringing; or (b) you are linking for financial gain, in which case you would be rebuttably presumed to know. This is the result of the CJEU’s decision in GS Media.

12. Reading an infringing copy of a paper book is not copyright infringement. Viewing an infringing copy online is. True, False or Maybe?

True, at least if what you do online is sufficiently deliberate and knowing.  EU copyright law treats screen and buffer copies as engaging the reproduction right. The CJEU in Filmspeler held that the user of a multimedia player add-on containing links to infringing movies infringed the reproduction right by viewing an infringing copy accessed via the link.  This was because, as a rule, the purchaser of such a player deliberately and in full knowledge of the circumstances accessed a free and unauthorised offer of protected works. This took the activity outside the Copyright Directive’s exception for transient and temporary copies. The same reasoning can be applied to an online book.

13. Whereas selling a set-top box equipped with PVR facilities is legal, providing a cloud-based remote PVR service infringes copyright. True, False or Maybe?

True. Established by the CJEU in VCAST, 29 November 2017.

14. Format-shifting infringes copyright. True, False or Maybe?

True.  Seven years after the Hargreaves Review identified this as an aspect of copyright that puts the law into confusion and disrepute, format shifting remains an infringement.

15. Illegal downloading is a crime. True, False or Maybe?

False. A user who downloads without the permission of the copyright owner commits a civil infringement of copyright, but without more that is not a crime.  In 2014 PIPCU (the Police Intellectual Property Crime Unit) deployed replacement website ads proclaiming that ‘Illegal downloading is a crime’. PIPCU later explained this on the basis that “Downloading falls within s.45 of the Serious Crime Act 2007 if it encourages s.107 CDPA 1988 offences”.