Wednesday, 23 December 2015

#IPBill Christmas Quiz

[Updated 1 January 2016 with answers at foot of page]

Now that everyone has sent in their submissions to the Joint Parliamentary Committee scrutinising the draft Investigatory Powers Bill, here is a little Christmas quiz to alleviate the withdrawal symptoms.

For most of the questions you need only study the draft Bill. One requires the Explanatory Notes. For one other you have to go slightly further afield. Answers may be indeterminate.

  1. When is a person not a “person”? 
  2. What is an internet communications service? 
  3. How many times does ‘proportionate’ appear? 
  4. How does generation of data differ from obtaining data by generation? 
  5. What may identify an identifier? 
  6. When might you have to grapple with the meaning of meaning? 
  7. How many times is encryption mentioned? 
  8. Can general be specific? 
  9. Which two differently worded provisions describe the same thing? 
  10. When is data not itself?

Answers

Q1. When is a person not a “person”?

In Part 2.

“Person” is defined in Clause 195(1) to include “an organisation and any association or combination of persons”. But that does not apply to Part 2 (dealing with targeted and thematic interception and other types of lawful authority for interception).

Q2. What is an internet communications service?

Anyone’s guess, as was the case with DRIPA and the CTSA 2015.

Clause 47(4)(b) of the draft Bill describes one of three grounds on which the authorities may access an internet connection record. It rests on the critical undefined term internet communications service, which is neither a legal nor a technical term of art.

The Explanatory Notes (paras 120 and 122) give the impression that internet communications service might mean a human to human messaging service, such as e-mail or text messaging. In her statement to Parliament introducing the draft Bill the Home Secretary said that law enforcement would be able to access records about a communications website, but not a mental health website, a medical website or even a news website. But the Guide to Powers and Safeguards (para 46) mentions mapping services. If a mapping service would be included, where is the intended dividing line?

Q3. How many times does ‘proportionate’ appear?

Forty-eight.

Q4. How does generation of data differ from obtaining data by generation?

We know they must be different because Clause 71 (the data retention power) mentions both:

“The requirements or restrictions mentioned in subsection (7)(d) may, in particular, include … (b) requirements or restrictions in relation to the obtaining (whether by collection, generation or otherwise), generation or processing of— (i) data for retention …”. (emphasis added).

How do they differ? Hmm.

Q5. What may identify an identifier?

Communications data.

Clause 71(9) refers to “communications data which may be used to identify, or assist in identifying … (f) the internet protocol address, or other identifier, of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program.” (emphasis added).

Clause 71(9) also tells us that “identifier” means an identifier used to facilitate the transmission of a communication.

Q6. When might you have to grapple with the meaning of meaning?

When considering what constitutes the content of a communication.

The definition of “content of a communication” (Clause 193(6)) refers to elements which reveal “anything of what might reasonably be expected to be the meaning of the communication”. We can perhaps see what this is getting at when considering a message that one human being has written to another; but what is meant by the ‘meaning’ of a machine to machine communication, or of the background exchanges between device and server that take place when we access a website? Do we have to consider what meaning means to a computer?

Q7. How many times is encryption mentioned?

By name, once (in Clause 169, oversight functions of the Investigatory Powers Commissioner).

In addition Clause 189 (technical capability notices) affects encryption. But, similarly to the existing interception capability regulations made under RIPA, the clause refers to the “removal of electronic protection applied by a relevant operator to any communications or data”.

Q8. Can general be specific?

The draft Bill (e.g. Clause 111(4)) says that the “specified operational purposes” stated in a warrant cannot merely recite the statutory purposes such as national security, but may still be general purposes. However the Home Office Guide to Powers and Safeguards refers throughout to a specific operational purpose.

Q9. Which two differently worded provisions describe the same thing?

Clauses 47(6) and 71(9)(f), apparently.

Clause 47(6) defines an “internet connection record”. According to the Explanatory Notes (paras 120 and 190) Clause 71(9)(f) also describes internet connection records. The two provisions are significantly different. 47(6) refers to data identifying a destination “telecommunications service” whereas 71(9)(f) refers to communications data identifying a destination “internet protocol address, or other identifier, of any apparatus”.

Q10. When is data not itself?

When it includes “any information which is not data” (Clause 195(1)).


Sunday, 29 November 2015

Never mind Internet Connection Records, what about Relevant Communications Data?

It was always a good bet that the draft Investigatory Powers Bill would broaden data retention obligations to cover more categories of communications data. That was at the core of the Communications Data Bill, blocked in 2012 during the Coalition government and vowed after the May 2015 election to be resurrected.

The draft Bill has duly delivered, accompanied by a blizzard of commentary about the propriety of forcing communications service providers to retain users’ browsing histories.

But what exactly are the categories of data that communications providers could be made to keep? The Home Office has coined the label ‘internet connection records’ to describe the new datatypes that it plans should be retained for up to 12 months. These records, it stresses, could include websites and services visited but not individual pages or other content. This is in line with what the Home Office had previously said to the Anderson Review about ‘weblog data’ (the then current jargon for browsing histories).

Internet connection records and the proposed restrictions on accessing them (clause 47 of the draft Bill) have become a lightning rod for the ensuing discussion: not just the rights and wrongs of requiring browsing data to be retained, but whether internet connection records as defined in the draft Bill can be matched to real categories of data processed by service providers.

The focus on internet connection records is understandable. The Home Office’s Guide to the powers in the draft Bill focuses on internet connection records.  The estimated cost increase in the Data Retention Impact Assessment mentions only internet connection records as a new category of retained data.

However the draft Bill casts the retention net wider than just internet connection records. Clause 71 of the Bill would empower the Home Office to issue retention notices covering six categories of what the draft Bill calls ‘relevant communications data’.  

According to the draft Bill’s Explanatory Notes, one of those six categories (71(9)(f)) corresponds to internet connection records. That leaves five categories which, on the face of them, seem to go wider than the existing data retention categories under the Data Retention and Investigatory Powers Act 2014 (DRIPA) as amended by the Counter Terrorism and Security Act 2015 (CTSA).

For internet communications the current DRIPA data retention categories cover internet access services, internet e-mail and internet telephony. Those categories replicate the 2009 Data Retention Regulations, which implemented the now invalidated EU Data Retention Directive.  The CTSA extended DRIPA to include so-called IP address resolution data. 

We can get an idea of the scope of ‘relevant communications data’ by appreciating that it covers any type of communication on a network, expressly including communications where the sender or recipient is not a human being. This sweeps up not only background interactions that smartphone apps make automatically with their supplier servers, but probably the entire internet of things. 

The type of data about these communications that could be required to be retained goes beyond the relatively familiar sender, recipient, time and location information to data such as the ‘type, method or pattern’ of communication (clause 71(9)(c)). ‘Data’ is defined to include ‘any information which is not data’ (clause 195(1)).

In another departure from existing retention laws, providers could be required to generate data specifically for retention (71(8)(b)(i)). At present they can only be required to keep data that they already generate or process in the course of providing their service.

Another change from existing law is that retention notices could be given to any kind of telecommunications operator, not just those providing services to the public as under the existing legislation. Finally, providers could be given a notice requiring them to install specific technical capabilities to support communication data access and retention requirements.

Although the current Home Office Guide and the Impact Assessment talk only about retention of internet connection records by public telecommunication service providers, that would not prevent future changes of policy whereby broader retention notices could be served on a wider variety of communications service providers.  There is no obvious mechanism to bring a change of policy to the attention of the public, since service providers would be obliged not to disclose to anyone else the existence and contents of a retention notice.

All this suggests that it is fairly important to understand what ‘relevant communications data’ might consist of.  That requires an informed conversation between legislators, lawyers and technical experts. As a discussion aid, here is my map of the 14 interlinked definitions that go to make it up. 

And here are the 14 definitions. Where a definition uses another defined term I have italicised it for ease of reference.  

“relevant communications data” means communications data which may be used to identify, or assist in identifying, any of the following—
(a) the sender or recipient of a communication (whether or not a person),
(b) the time or duration of a communication,
(c) the type, method or pattern, or fact, of communication,
(d) the telecommunication system (or any part of it) from, to or through which, or by means of which, a communication is or may be transmitted,
(e) the location of any such system, or
(f) the internet protocol address, or other identifier, of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program.

In this subsection “identifier” means an identifier used to facilitate the transmission of a communication.

“Telecommunication system” means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.

“person” (other than in Part 2) includes an organisation and any association or combination of persons,

“Communications data”, in relation to a telecommunications operator, telecommunications service or telecommunication system, means entity data or events data
(a) which is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator and—
(i) is about an entity to which a telecommunications service is provided and relates to the provision of the service,
(ii) is comprised in, included as part of, attached to or logically associated with a communication (whether by the sender or otherwise) for the purposes of a telecommunication system by means of which the communication is being or may be transmitted, or
(iii) does not fall within sub-paragraph (i) or (ii) but does relate to the use of a telecommunications service or a telecommunication system,
(b) which is available directly from a telecommunication system and falls within sub-paragraph (i), (ii) or (iii) of paragraph (a), or
(c) which—
(i) is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator,
(ii) is about the architecture of a telecommunication system, and
(iii) is not about a specific person,
but does not include the content of a communication.

“Communication”, in relation to a telecommunications operator, telecommunications service or telecommunication system, includes—
(a) anything comprising speech, music, sounds, visual images or data of any description, and
(b) signals serving either for the impartation of anything between persons, between a person and a thing or between things or for the actuation or control of any apparatus.

“apparatus” includes any equipment, machinery or device (whether physical or logical) and any wire or cable,

“Telecommunications operator” means a person who—
(a) offers or provides a telecommunications service to persons in the United Kingdom, or
(b) controls or provides a telecommunication system which is (wholly or partly)—
(i) in the United Kingdom, or
(ii) controlled from the United Kingdom.

“Telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).

“Entity data” means any data which—
(a) is about—
(i) an entity,
(ii) an association between a telecommunications service and an entity, or
(iii) an association between any part of a telecommunication system and an entity,
(b) consists of, or includes, data which identifies or describes the entity (whether or not by reference to the entity’s location), and
(c) is not events data.


“Events data” means any data which identifies or describes an event (whether or not by reference to its location) on, in or by means of a telecommunication system where the event consists of one or more entities engaging in a specific activity at a specific time.

“Entity” means a person or thing.

The content of a communication is the elements of the communication, and any data attached to or logically associated with the communication, which reveal anything of what might reasonably be expected to be the meaning of the communication but—
(a) anything in the context of web browsing which identifies the telecommunications service concerned is not content, and
(b) any meaning arising from the fact of the communication or from any data relating to the transmission of the communication is to be disregarded.

“data” includes any information which is not data.



Monday, 9 November 2015

From Oversight to Insight - Hidden Surveillance Law Interpretations

The focus of my posts on RIPA, DRIPA and now the Investigatory Powers Bill has been on the scope and extent of the powers – what exactly they enable law enforcement and the agencies to do – rather than on oversight and safeguards, important though those are.

One aspect of oversight, however, bears directly on the scope of the surveillance powers granted by legislation. It relates to an issue that has perhaps not received as much attention in the UK as it has in the USA: secret interpretations of the law.

The problem arose in the USA partly as a result of the secret FISA court system. Controversial previously secret interpretations of the law came to light following the Snowden disclosures. This led to, for instance, the Electronic Frontier Foundation's Secret Law is Not Law campaign.

We have a similar problem on this side of the Atlantic. Here, though, it is about interpretations conceived and acted upon by government without any court involvement.

The clearest example to date is the government’s interpretation of ‘external communications’ under RIPA. This was revealed by senior Home Office official Charles Farr in a witness statement filed in the Investigatory Powers Tribunal case brought by Liberty and others. The background is that GCHQ can intercept in bulk if its objective is to intercept external communications. So the meaning of 'external communications' is significant. The Home Office interpretation was controversial. It also had implications for who (or what) could be regarded as a sender or intended recipient of a communication, a foundational building block of RIPA. (See further paragraphs 6.52 and 12.25 of the Anderson Report ‘A Question of Trust’ and paragraphs 31 to 54 of my submission to Anderson.)

The Home Office’s interpretation, which underpinned the agencies’ operations under RIPA S.8(4) warrants, would not have seen the light of day had the NGOs not brought the IPT legal challenge. That occurred because of the Snowden disclosures. The interpretation was a significant, but previously hidden, aspect of the law under which the agencies were operating.

Another example was The Data Retention and Investigatory Powers Act (DRIPA), rushed through Parliament in four days in July 2014. The Home Office argued that amendments to RIPA’s territoriality provisions and to the definition of telecommunications services did no more than reflect what the legislation had always meant. The claim was untestable, since the public had no way of knowing how the Home Office might have interpreted the provisions either in the minds of its officials or in its previous dealings with communications service providers.

A similar issue is boiling up over the effect on end to end encryption of the Investigatory Powers Bill. The Home Office says, with some justification (although a debate is taking place around possible knock-on effects of other changes), that the draft Bill mirrors existing law. Clause 189(4)(c) of the draft Bill is very similar to paragraph 10 of the Schedule to the 2002 Maintenance of Interception Capability Order. On the face of it neither affects end to end encryption where the protection is applied not by the service provider but by the user. However the public is in no position to know whether the Home Office has adopted some other interpretation or, if so, whether it might be as open to debate as its view of external communications.

The Investigatory Powers Bill provides an opportunity to ensure that the proposed new oversight body proactively seeks out and brings to public attention material legal interpretations on the basis of which powers are exercised or asserted. Service providers might also be able to bring a legal interpretation asserted against them to the attention of the oversight body. This may be all the more necessary in the light of the new disclosure offences built into the draft Bill.

Such mechanisms would enable material legal interpretations to be publicly debated and if appropriate challenged. None of this would require to be made public any legal advice that the government had received, nor any factual matters that should properly remain secret, but only the substance of the legal interpretations themselves.

This could be an important protection against the possibility of groupthink, the tendency for members of a closed group to convince themselves of the rightness of a consensus position and to resist contrary views. It would contribute to the new standards for openness, transparency and oversight that the government has promised in the new legislation. Most fundamentally, by providing not only oversight but insight it would help to satisfy the basic rule of law tenet that the law should be foreseeable and accessible.


[Amended 7 pm 9 November 2015 to include reference to possible knock-on effects of other changes on end to end encryption]

Wednesday, 4 November 2015

Prediction and Verdict - the draft Investigatory Powers Bill

Two months ago I took a shot at predicting what might be in the draft Investigatory Powers Bill. It will replace a confusing patchwork of surveillance and interception legislation centred on RIPA, the Regulation of Investigatory Powers Act 2000. 

I was particularly intrigued by how much of the old draft Communications Data Bill (CDB, or the Snoopers' Charter, blocked by the Liberal Democrats in 2012) might make it through into the new legislation. Today, following a blizzard of leaks and unofficial briefings over the past couple of weeks, the draft Bill has been published along with a mountain of explanatory papers and impact assessments, only some of which I have been able to read at this stage.


Here's an initial impression of how the draft Bill pans out against my predictions. More to come in time as the detail sinks in. As relatively instant comment, some of this may have to be refined or corrected as the light slowly dawns.  And there are many important points that I haven't touched on. The Home Office Guide to Powers and Safeguards is a reasonable place to start to get an overview.  

The 'What is it?' and 'Prediction' sections are as in my original piece. The rest is new.

GCHQ’s bulk interception warrant

What is it? The bulk interception warrant under Section 8(4) of RIPA. These warrants authorise GCHQ’s TEMPORA programme of tapping into transatlantic fibre optic cables, one of the most significant Snowden disclosures.

Prediction: Bulk warrantry powers to stay, perhaps significantly modified.

Verdict: Still here, but with some changes. There is a new power to extract and examine communications data derived from bulk intercepted content (S.106(8) and see Explanatory Notes 271 to 275). 

The overall objective of a bulk interception warrant must be to intercept communications 'sent by individuals' or 'received by individuals' outside the British Islands. This is a new approach in place of the much criticised RIPA distinction between internal and external communications.

Devil in the detail:

Is it clearer than RIPA? Yes, but some similar nuanced pathways through the legislation remain.

Specific objectives for bulk interception warrants? (This was an Anderson recommendation.) Yes, sort of. S.111(3) says: "A bulk interception warrant must specify the operational purposes for which any intercepted material or related communications data obtained under the warrant may be selected for examination." S.111(4) tells us how specific (or not) those purposes have to be: "it is not sufficient simply to use the descriptions contained in section 107(1)(b) or (2) [e.g. 'national security'], but the purposes may still be general purposes."

Tighter constraints on searching for communications of persons within British Islands? Looks very similar to RIPA.

Is there a tighter framework for searching captured related communications data? Under RIPA most of the limitations on searching the content of bulk intercepted communications do not apply to related communications data. Related communications data can currently be scooped up alongside both external (at least one end outside British Islands) and collaterally acquired internal (British Isles to British Isles) communications.

In substance this is all retained in the draft Bill. Additionally, related communications data can now include content-derived communications data. The new Bill provides that selection must be necessary and proportionate and examination must be only so far as necessary for the operational purposes.

Prior judicial or quasi-judicial authorisation? See below.

Tighter limits in who can apply for a bulk warrant? Limited to the security and intelligence agencies, for specified purposes that must always include national security.

Background on RIPA bulk interception warrants here.

Broad Ministerial powers

What is it? A wide statutory power in Clause 1 of the draft CDB allowing Secretary of State to make regulations under which she could give notices to CSPs to generate, obtain and disclose communications data and to install designated equipment for that purpose.

Prediction: Increased specificity, but government will still want a method of future-proofing.

Verdict: Nothing like as vague as CDB, though the power to give retention notices to CSPs appears to have a significant element of future-proofing built in. The draft Bill also includes a major expansion of the powers to require service providers (extended to include non-public service providers) to install specified technical capabilities, allied to most of the new warrants and communications data acquisition powers (see S.189). At present RIPA only provides this power for interception warrants and for large public service providers.

Background on future-proofing here.

Browsing histories

What is it? Extension of current data retention powers so as to require storage of browsing histories (alias weblog data). This was one of the most contentious aspects of the draft Communications Data Bill. It is like keeping a list, which the authorities could demand to inspect, of all the books, newspapers and magazines that you have read in the last year.  Weblog data probably excludes web addresses (URLs) ‘after the first slash’. That is like listing a book, but not every page within it.

Prediction: Bank on this one coming back in some form.

Verdict: It's back, rebadged as 'internet connection records'. For which read everywhere you go at site or service level on the internet, but not individual pages. Part of a significant extension of DRIPA's data retention provisions.

Is this like a universal CCTV system recording when you go outside your front door and visit the bank and the shops? Or is it like a spybot in your home noting which books you read? Or is it something else? One thing is certain: we can't simply analogise this to keeping a log of which telephone number you called, where and when. This is a record of how we live our digital lives.

It is important to separate the scope of retention from the power to access. Access to this category of data will be more tightly restricted than for other communications data. Local authorities will have no access. The draft Bill sets out specific purposes for which public authorities can demand access to this category of communications data or make a demand that requires it to be processed (s.47(4)). 

The Home Secretary has (very) broadly paraphrased this restriction as 'determining whether someone had accessed a communications website, an illegal website or to resolve an IP address'. Regrettably there is no substitute for quoting the section:

"to identify—
(a) which person or apparatus is using an internet service where—
(i) the service and time of use are already known, but
(ii) the identity of the person or apparatus using the service is not known,
(b) which internet communications service is being used, and when and how it is being used, by a person or apparatus whose identity is already known, or
(c) where or when a person or apparatus whose identity is already known is obtaining access to, or running, a computer file or computer program which wholly or mainly involves making available, or acquiring, material whose possession is a crime."
  
Like most requests for standard communications data under RIPA, requests for 'ICR' will not require judicial approval. They are authorised through Designated Persons within the public authorities, who are internally independent from the investigation in question.

The existing, narrower, data retention provisions of DRIPA have been challenged in court by MPs David Davis and Tom Watson and questions are being referred to the European Court of Justice. 

Devil in the detail:

David Anderson said that no detailed proposal should be put forward until a sufficiently compelling operational case had been made out and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring weblog data to be retained. The Home Office has now published an 'Operational Case for the Retention of Internet Connection Records'. This will repay careful scrutiny.

Background on weblog data retention here.

Digital footprints

What is it? Retention of the geolocation data that, thanks to our smartphones and tablets, we leave like a breadcrumb trail behind us.  The Annex to the CDB Explanatory Note explained that Communications data “includes information identifying the location of equipment when a communication is or has been made or received (such as the location of a mobile phone)”. A phone call, text, software update, e-mail check, news feed update, an app checking in to its provider are all communications and they happen all the time. Each could have precise GPS or Wi-Fi location data associated with it. 

Prediction: Probable.

Verdict: Yes, falls within relevant communications data that may be required to be retained. S.71(9) is explicit that the sender or recipient does not need to be a person, and that relevant communications data includes data identifying the location of any telecommunication system by means of which a communication is transmitted. Location of that system is one of the categories of data that the Secretary of State can order to be retained.


Data generation by decree

What is it? The Home Office would be able to order CSPs to generate communications data for the benefit of the authorities.  At the moment CSPs can only be made to retain data that they already generate or process in the UK. Think about that list of books, newspapers and magazines in the weblog data section (above). You don’t ordinarily keep a list? This is like compelling you to make one.

Prediction: Data generation to reappear.

Verdict: Yes, as predicted (S.71(8)). A significant change.


Background on compelled data generation here.

Boundary between communications data and content

What is it? On the one side we have email addresses, user IDs, IP addresses, domains, and the like.  On the other side content (including URLs beyond the first slash). Public authorities have far readier access to communications data than to content.  There are also sub-divisions of communications data (traffic data, service use data, subscriber data) that under RIPA affect the conduct that is classified as interception. The powers of public authorities to demand access to communications data vary depending on the type of communications data.

Privacy advocates question the historic assumption that content is necessarily more sensitive than communications data. Changes to the dividing line would have an impact on the data that the authorities could request and a knock-on effect on the scope of communications data retention.  

Prediction: Government will continue to maintain that communications data is less sensitive than content. Possible clarification of the boundary in areas of uncertainty such as social media and revision of communications data categories.


Verdict: The definition of communications data has been revised to cover 'entity' and 'events' data. There is also now a definition of the content of a communication, where RIPA had none.

Devil in the detail:

Requires application of a wet towel before commenting on whether anything has changed significantly.

Background on the existing RIPA content/communications data boundary here.

Third party data collection

What is it? A scheme that would enable the Home Office to require CSPs to collect and retain communications data from foreign services transiting their pipes.  This was part of the CDB.

Prediction:  Anyone's guess.

Verdict: Out.


More on third party data collection here.

Request filter

What is it? A plan for a system enabling authorities to search across communications  data collections retained by multiple CSPs.  Another part of the CDB.

Prediction:  Anyone’s guess.

Verdict: In.


Background on request filter here.

Judicial authorisation

What is it? Interception warrants in the UK are authorised by a Minister, not by an independent judicial or quasi-judicial body.  This has always been a bone of contention for civil liberties advocates.  Most demands to access communications data are authorised internally by the requesting authorities themselves.

Prediction: In the balance. The government may prefer to retain Ministerial control over warrants. But if it wants the new interception warrants regime to be legally bullet proof, the prudent course would be to go with a scheme for judicial or quasi-judicial approval of interception warrants.  Separately it has to decide how to deal with the regime for communications data demands following the Davis/Watson decision.

Verdict:  Generally the government is proposing a two tier system of Ministerial sign-off of warrants followed by an approval process undertaken by new judicial commissioners before the warrant can take effect (but retrospective in urgent cases).  They would review a decision to issue a warrant to the 'judicial review' standard rather than a de novo reevaluation of the merits.

Some other significant highlights that I didn't cover in my original predictions:


Section 94 Telecommunications Act 1984

What is it? The most mysterious existing power of all, enabling Secretaries of State to give national security directions to telecommunications companies.  Now there will be a 'national security notice' power spelled out in greater detail (S.188).

Extraterritoriality

What is it? RIPA always applied in general terms to telecommunications services provided to the UK from abroad. What wasn't so clear was whether interception warrants, interception capability notices and communications data acquisition notices could require conduct outside the UK, could apply to non-UK providers or how (if at all) they could validly be served on a non-UK provider. DRIPA fixed that. It didn't do the same for communications data retention notices, which in any case could only require retention of data generated or processed within the UK.

Verdict: Extraterritoriality will apply to targeted interception warrants and mutual assistance warrants (S.29(4)); communications data acquisition notices (S.69(3)); targeted equipment interference warrants (S.99(3)); bulk interception warrants (S.116(3)); bulk acquisition warrants (S.130(3)); bulk equipment interference warrants (S.145(3)); technical capability notices (S.189(8)).


Non-UK operators can rely on a conflict of non-UK law defence in some of these cases: (S.31(5), S.69(4)). A technical capability notice is enforceable against someone outside the UK only if it relates to a targeted interception or mutual assistance warrant, a bulk interception warrant or a communications data acquisition notice or authorisation (S.190(10)).

Communications data retention notices can also be extra-territorial (S.79(1)). However while operators generally have a duty to comply with a notice, if a notice relates to "conduct or persons outside the United Kingdom" the duty is only to "have regard to the requirement or restriction".  (S.79(2))

Computer Network Exploitation (CNE) 

What is it? Official hacking.

Verdict: Warrantry powers formalised in the draft Bill. No surprise at all. Existing general powers were on shaky legal ground and had to be made more transparent. Both targeted and bulk equipment interference warrants are provided.


[Updated 5 November 2015 to add technical capability notices to Extraterritoriality section; section on Broad Ministerial Powers updated 6 November 2015 to add future proofing of retention notices and extension of technical capability notices to non-public service providers (h/t to @neil_neilzone for spotting the latter).]

Sunday, 1 November 2015

Time to free the internet from TV-like regulation?

The CJEU has recently been applying itself to the question of what constitutes a TV-like audiovisual service on the internet. The New Media Online case was about a newspaper website with video content. It held that short local news bulletins, sports and entertainment video clips on a subdomain of the site could be a ‘programme’; and that assessment of the principal purpose of the service must focus on whether it had content and form independent of that of the journalistic activity of the site operator.

The CJEU was set this task by the Audiovisual Media Services (AVMS) Directive. This piece of EU legislation started life in 1989 as the TV without Frontiers Directive, intended in part to facilitate cross-border satellite broadcasting within the EU. In 2007 it morphed into the AVMS Directive. Over the initial objections of the UK government it became the vehicle, in the name of convergence and technical neutrality, for extending TV-like regulation to video on the internet.

Recently the European Commission has been consulting on a revision of the AVMS Directive, asking questions such as whether UGC hosting services such as YouTube and Vimeo should be regulated by the Directive and how to ensure a level playing field for audiovisual media services.

  • Codeword Alert: level playing field. A level playing field tends to mean raising barriers to entry by imposing the incumbents’ own regulatory burdens on newcomers. The option to level the pitch by rolling back existing regulation rarely features.

For whatever mysterious reason, when pictures flicker into motion the regulatory alarm bells go off. Suddenly the general law (obscenity, defamation and the rest, enforced through independent courts) is not enough. We must consider regulatory bodies armed with discretionary powers to make more and stricter rules.

The argument, beguilingly, is that it is illogical to restrict TV regulation to traditional broadcast if the same content is available through the internet. That ignores the fact that TV regulation, far from being the norm, is itself an anomalous restriction on freedom to communicate – one rooted in antiquated notions of spectrum scarcity that the internet has blown to smithereens. As the European Commission itself said in its 1997 Convergence Green Paper: “…in a fully digital environment, scarcity may over time become a less significant issue, calling for current regulatory approaches to be reassessed.”

It is TV-like regulation, not lack of TV-like regulation, that should continually have to justify its existence - let alone extension to the internet. As Judge Dalzell said back in 1996 in ACLU v Reno, “The Internet is a far more speech-enhancing medium than print, the village green, or the mails … As the most participatory form of mass speech yet developed, the Internet deserves the highest protection from governmental intrusion”.

The current AVMS Directive applies a specific set of rules to TV-like video on demand services. In the UK we have seen exhaustive attempts to discern just what makes television TV-like, reminiscent of the 1987 case about the Henry Moore altar in the church of St Stephen Walbrook, which had the Court of Ecclesiastical Causes Reserved solemnly considering whether a table possessed a Platonic quality of tableness.

The UK implementation of the Directive set up ATVOD as the video on demand regulator, now to be superseded by OFCOM. Various cases resulting from ATVOD scope determinations have produced a stream of enquiries into whether some website misguided enough to carry video had exhibited sufficient TVness to be caught in the AVMS regulatory net.

Sites have been subjected to fine analysis of factors such as balance of moving images, still images and text, production values, use of opening and closing credits, layout and interface, narrative structure, long-form versus short-form video, and to debate over what the exclusion of online versions of newspapers might mean.

Most head-scratchingly of all, TVness has to take into account whether “the nature and the means of access to the service would lead the user reasonably to expect regulatory protection within the scope of this Directive”. This led to cases such as Playboy TV in which it was argued (unsuccessfully) that the Demand Adult channel was not TV-like because it contained material that would not be allowed on television.

Finding the essence of TVness was the subject of an 80 page OFCOM research report in 2009, followed by another in 2012 that identified ten indicators of TVness.

TVness is a moving target. The Directive specifies that the concept of ‘programme’ has to be interpreted “in a dynamic way taking into account developments in television broadcasting”. So, paradoxically, the less TV-like television becomes the stronger the pressure to widen the net of TV-like regulation: a built in tilting of the playing field in one direction.

Last year Ms Itziar Bilbao Urrutia, creator of The Urban Chick Supremacy Cell, succeeded in convincing an OFCOM appeal that her fetish-themed website (with a total of 58 paying customers) was not TV-like. The site now proudly announces: “We are the only fetish studio in UK that falls outside the AVMS Legislation & ATVOD's remit, and are exempt from complying with these draconian regulations of online video.”

OFCOM’s 29 page dissection of Ms Urrutia’s "art project designed, produced and created by real life dominant women," in which "all violence and speech are part of a fictionalized dystopian Femdom fantasy" is a model of dispassion.

Here is a sample of OFCOM’s comparison with ‘Lara’s World of Uniforms’, a television programme that ATVOD thought was comparable:
“We noted that it featured a mixture of scenes, some of which featured ‘Lara’ on location, dressed in uniform, either talking to camera or conducting an interview. Other scenes featured adult performers, typically dressed in uniform, engaging in sexual acts.”
Ofcom, however, thought this material was clearly distinguishable from the material available on the UCSC Service, in terms of both degree and type:
“The programme began with the host addressing the viewer in what appeared to be a scripted monologue. The programme then cut to a sequence involving Lara and another actress performing a scripted scene which culminated in them engaging in various sexual acts. Ofcom noted that contrastingly, the videos available on the UCSC Service featured very little use of scripted material. For example, Ofcom noted that the dialogue between the participants in the videos featuring sexual activity on the UCSC Service did not appear to have been rehearsed and was not obviously scripted.”
OFCOM’s dedication to the task of placing Ms Urrutia’s website in the correct pigeonhole is impressive. But is that a task that anyone should be called upon to perform? The significant question is not whether a particular service on the internet is TV-like, but whether TV-like regulation is appropriate for anything that happens on the internet. Rather than considering whether the Directive should be extended, the debate should surely be about rolling it back.

Could that mean that the movie received via broadcast on the television set in the living room is regulated differently from the same movie on the internet? Yes. Should we care about that? Not really. Some bumps on the playing field are perhaps a small price for securing the internet as a place governed by the law applicable to speech generally and not by TV-like discretionary regulation.

Saturday, 5 September 2015

Predicting the UK’s new surveillance law

What will this autumn’s draft Investigatory Powers Bill contain?  We can take a reasonable guess at the outline. Interception powers will get a makeover: at a minimum RIPA has to be rewritten intelligibly and reinforced to comply with human rights norms.  In the post-Snowden climate there may be a little more openness about how law enforcement and agencies use their powers.  We will hear a lot about proportionality, safeguards and oversight. 

Filling in the picture is more difficult.  Three surveillance reviews have reported in the last 6 months and between them have made almost 200 recommendations. As yet there is little indication of which ones the government intends to take up. Some of the recommendations would involve wide consultation before a decision could be taken. Yet time for consultations is running out if the draft Bill is to be put before a Joint Parliamentary Committee for pre-legislative scrutiny this autumn.

Perhaps the greatest uncertainty is around the government’s stated intention to press on with the Communications Data Bill – dubbed the Snoopers’ Charter – which stalled in December 2012 following severe criticism of the draft Bill by an all-party Joint Parliamentary Committee.  The CDB would have significantly expanded the amount and types of communications data that service providers could be required to retain (and, for the first time, be compelled to generate) for access by public authorities. After pressure from the Committee the Home Office identified three particular datatypes that it wanted UK service providers to retain: IP address resolution data, weblog data and third party data (explained below).

Bringing back the CDB is not a simple matter of dusting off the 2012 draft. Retention of some IP address resolution data was implemented earlier this year by the Counter Terrorism and Security Act.  The Anderson report accepted that retention of weblog data would be useful, but went on:
“[I]f any proposal is to be brought forward, a detailed operational case needs to be made out, and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained.”
For third party data Anderson said:
“There should be no question of progressing proposals for the compulsory retention of third party data before a compelling operational case for it has been made out (as it has not been to date) and the legal and technical issues have been fully bottomed out.”
If those recommendations are heeded, that leaves only compulsory generation of data and possibly the ‘request filter’ (see below) that could be brought forward without first making a new case for them. In any event the Anderson report contains hints that law enforcement themselves may not now be pushing so strongly for some of the most ambitious and expensive parts of the CDB. On the CDB generally Anderson comments that “law enforcement itself wishes to reserve its detailed position on these proposals pending further discussions with a Government that has a political mandate to take it forward.” [9.67]

Nor could the government reintroduce unchanged the controversial Ministerial order-making power in Clause 1 of the CDB, described by Anderson as “excessively broad”. The power was at the heart of the CDB and was intended to future-proof the legislation.  It would also have served to keep from public sight operational details of what data was being retained. The Home Office told the Joint Committee in 2012 that it would review the approach in Clause 1:  “We did receive from Mr Farr the important undertaking that Home Office officials would look at clause 1 again, and advise Ministers on whether it can be changed, enhanced or improved.”

A revised draft Communications Data Bill does exist within the Home Office. Anderson reports that:
“The Home Office sought to take the recommendations of the JCDCDB into account and produced a pared-down draft Bill in early 2013, which I have been shown. … Though I asked Ministers in late 2014 for permission to show the draft Bill (or at least a summary of it) to CSPs with whom I discussed the issues … that permission was not forthcoming. It became clear that in the absence of unified political will to progress the proposals, there has been little discussion of them with important stakeholders.”
Add into the mix the Snowden fallout (the Chair of the CDB Joint Committee was unamused to find that it had not been ‘even given any hint’ of the existence of PRISM and TEMPORA), suggestions that the technological systems proposed in the CDB are no longer as relevant or appropriate as they seemed in 2012 (Anderson para 14.29) and a clutch of recent court decisions that, among other things, have invalidated (suspended until March 2016) the existing communications data retention regime under DRIPA (the Data Retention and Investigatory Powers Act 2014) and we have a crystal ball that is cloudy in the extreme. 

Despite all of this, we can take a shot at predicting some of what may be in the new draft Investigatory Powers Bill. (For a more comprehensive survey of the coming debate see here.)

GCHQ’s bulk interception warrant

What is it? The bulk interception warrant under Section 8(4) of RIPA. These warrants authorise GCHQ’s TEMPORA programme of tapping into transatlantic fibre optic cables, one of the most significant Snowden disclosures.  According to the Snowden documents back in 2012 TEMPORA processed some 40 billion items a day.

Section 8(4) is primarily a foreign investigatory tool, but has significant domestic overlap.  While it focuses on capturing external communications (at least one end outside the British Islands), those communications are mixed up in the cable with wholly internal communications (both ends within the British Islands). In that situation Section 8(4) allows internal communications to be collaterally swept up into a common pool. The stream of data is filtered down by computers.  GCHQ’s analysts can then track communications of known suspects, search for suspicious material or try to join the dots of communications data to identify unknown suspects.

GCHQ’s computers and analysts cannot trawl indiscriminately in the pool of external and internal communications. RIPA Section 16 is their fishing permit. It specifies what they can fish for and some types of hooks that they cannot use.  They may examine intercepted messages only within broad categories certified by the Minister. Without special authorisation the analysts cannot search by content for communications of people known to be within the British Islands at the time. However these constraints do not apply to communications data captured along with the intercepted communications. 

For: Regarded as a valuable tool for tracking the communications of known suspects and identifying previously unknown threats.

Against: General warrants went out with John Wilkes, yet Section 8(4) has the vice of the general warrant: collect in bulk first, then use the intercepted material to form suspicions. By contrast a targeted warrant is (or should be) justified only when there are pre-existing grounds for suspicion. There are also many specific criticisms of the bulk warrant system including the opaqueness of the drafting of RIPA Section 16, the relative absence of controls over searching and analysing captured communications data, the unworkability of the external/internal communications distinction and the ability of the Minister to authorise a search in the pool for the communications of someone known to be within the British Islands.

Status: None of the reviews has recommended abolition of bulk warrants.  Anderson has recommended several changes, including that each warrant should be much more specific in its objectives.  He has also recommended a standalone bulk communications data warrant, to be used where interception of content is not necessary.

Prediction: Bulk warrantry powers to stay, perhaps significantly modified.

Watch out for: Greater clarity of powers; public avowal of how they are used; specific objectives for warrants; tighter constraints on searching for communications of persons within British Islands; a framework for searching captured communications data; a standalone communications data warrant (perhaps including content-derived communications data); prior judicial or quasi-judicial authorisation; tighter limits on who can apply for a bulk warrant. 

More on bulk interception warrants here.

Broad Ministerial powers

What is it? A wide statutory power in Clause 1 of the draft CDB allowing the Secretary of State to make regulations under which she could give notices to CSPs to generate, obtain and disclose communications data and to install designated equipment for that purpose.

For: Future proofing.

Against: Future proofing is inappropriate where intrusive powers are concerned due to unknown consequences. Legislative powers and actual capabilities should be aligned. Overly broad powers breed suspicion. If the real substance is buried two layers down in secret notices to CSPs then neither MPs nor the public can properly understand what is being voted on. An extended designated equipment power (the current RIPA power applies only to interception capability) smacks of surveillance by design, especially in conjunction with the power to compel communications data generation.

Status: Home Office told the Joint CDB Committee that it would look again at Clause 1.

Prediction: Increased specificity, but government will still want a method of future-proofing.

Watch out for: A guessing game to work out how the powers are intended to be used. Or will the government heed the ISC and Anderson’s recommendations that all intrusive capabilities should be publicly avowed?

More on future-proofing here.

Browsing histories

What is it? Extension of current data retention powers so as to require storage of browsing histories (alias weblog data). This was one of the most contentious aspects of the draft Communications Data Bill. It is like keeping a list, which the authorities could demand to inspect, of all the books, newspapers and magazines that you have read in the last year.  Weblog data probably excludes web addresses (URLs) ‘after the first slash’. That is like listing a book, but not every page within it.
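To make the ‘first slash’ boundary concrete, here is a small added example (written for this page, not code from the post’s author or from the Home Office) that splits a browser history into the part a weblog record cut at the first slash would keep and the part it would leave out. It assumes, as the paragraph above suggests, that the retained part is the scheme and host only; the sample history is constructed, and the handling of embedded credentials, ports and IPv6 hosts is this example’s own design choice.

```python
from urllib.parse import urlsplit


def split_at_first_slash(url: str) -> tuple[str, str]:
    """Split a URL at the first slash after the host.

    Returns (retained, withheld): the scheme and host, treated here as the
    weblog-style communications data, and the path, query and fragment,
    treated here as content. Assumption: a string without a scheme is a
    bare host followed by a path.
    """
    if "://" not in url:
        url = "//" + url          # let urlsplit see the leading host as a netloc
    parts = urlsplit(url)
    # A literal "first slash" cut would keep any user:password@ prefix;
    # this example drops it, since credentials do not identify the site.
    hostport = parts.netloc.rpartition("@")[2].lower()
    retained = (parts.scheme + "://" if parts.scheme else "") + hostport
    withheld = parts.path
    if parts.query:
        withheld += "?" + parts.query
    if parts.fragment:
        withheld += "#" + parts.fragment
    return retained, withheld


def retained_sites(urls):
    """Collapse a history to the distinct sites a first-slash record shows:
    the 'book', but not the 'pages' read within it."""
    return sorted({split_at_first_slash(u)[0] for u in urls})


# Constructed sample history (not real traffic).
SAMPLE_HISTORY = [
    "https://www.example.org/news/politics?article=42#top",
    "https://www.example.org/health/conditions/depression",
    "https://www.example.org",
    "http://alice:secret@host.example:8080/private/inbox",
    "http://[2001:db8::1]:8080/status",
    "maps.example.net/directions?from=home&to=clinic",
]

if __name__ == "__main__":
    for u in SAMPLE_HISTORY:
        kept, dropped = split_at_first_slash(u)
        print(f"{kept:32} | {dropped}")
    print("sites:", retained_sites(SAMPLE_HISTORY))
```

Running it shows the point of the book analogy from both sides: three visits to different pages on www.example.org collapse to a single retained entry, so the pages read are not recorded; but the retained entry still reveals which site was visited, and the query string in the maps example, which the cut removes, is exactly where the most revealing detail sits.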

For: a step towards providing law enforcement authorities, security agencies and other public authorities with perfect visibility of anyone’s internet activity

Against: a step towards providing law enforcement authorities, security agencies and other public authorities with perfect visibility of anyone’s internet activity

Status: A centrepiece of the original draft Communications Data Bill. Anderson wants a detailed operational case to be made out, and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained.

Prediction: Bank on this one coming back in some form.

Watch out for: Ambiguity and unintelligibility of datatypes: accurate, clear explanations of the datatypes to be retained are essential if an informed debate is to take place. Will a new case be made? Will there be prior consultation separate from the pre-legislative Parliamentary scrutiny? Will it be limited to law enforcement and service providers or will the wider public and NGOs be consulted? How will invalidation of the existing data retention powers in DRIPA be addressed?

More on weblog data retention here.

Digital footprints

What is it? Retention of the geolocation data that, thanks to our smartphones and tablets, we leave like a breadcrumb trail behind us.  The Annex to the CDB Explanatory Note explained that Communications data “includes information identifying the location of equipment when a communication is or has been made or received (such as the location of a mobile phone)”. A phone call, text, software update, e-mail check, news feed update, an app checking in to its provider are all communications and they happen all the time. Each could have precise GPS or Wi-Fi location data associated with it. 

For: The ability to access a minute by minute map of our lives is useful to law enforcement.

Against: Not much different from the authorities putting a tracking bug on every one of us.

Status: The voluntary ATCSA Retention Code, which dates from 2003, specifies retention of location data for phone calls (12 months) and text messages (6 months), in latitude/longitude form.  DRIPA includes the mobile phone cell ID at the start of the communication (up to 12 months). Location data was in scope of the Secretary of State’s powers to direct retention under the draft CDB. The current German draft data retention Bill would require location data to be kept for 4 weeks.

Prediction: Probable.

Watch out for: This could get lost in the detail.

Data generation by decree

What is it? The Home Office would be able to order CSPs to generate communications data for the benefit of the authorities.  At the moment CSPs can only be made to retain data that they already generate or process in the UK. Think about that list of books, newspapers and magazines in the weblog data section (above). You don’t ordinarily keep a list? This is like compelling you to make one.

For: Law enforcement want the records to be made.

Against: Crosses a line into surveillance by design: requiring systems to be designed for the benefit of the authorities. Could be used to require e.g. public wi-fi providers to collect name and address information from users.

Status: Proposed in the draft Communications Data Bill. Not yet implemented. Surprisingly little attention was paid in the three reviews to this significant extension of existing powers. 

Prediction: Data generation to reappear.

Watch out for: Will there be a lot of noise about it?

More on compelled data generation here.

Boundary between communications data and content

What is it? On the one side we have email addresses, user IDs, IP addresses, domains, and the like.  On the other side content (including URLs beyond the first slash). Public authorities have far readier access to communications data than to content.  There are also sub-divisions of communications data (traffic data, service use data, subscriber data) that under RIPA affect the conduct that is classified as interception. The powers of public authorities to demand access to communications data vary depending on the type of communications data.

Privacy advocates question the historic assumption that content is necessarily more sensitive than communications data. Changes to the dividing line would have an impact on the data that the authorities could request and a knock-on effect on the scope of communications data retention.  

Status: Anderson recommended that the boundary (including sub-divisions) should be reviewed, with input from all interested parties including service providers, technical experts and NGOs. The Intelligence and Security Committee suggested an intermediate category of ‘communications data plus’ and that content-derived information should continue to be regarded as content.

Prediction: Government will continue to maintain that communications data is less sensitive than content. Possible clarification of the boundary in areas of uncertainty such as social media and revision of communications data categories.

Watch out for: Full consultation? A definition of content? Treatment of content-derived communications data.

More on the content/communications data boundary here.

Third party data collection

What is it? A scheme that would enable the Home Office to require CSPs to collect and retain communications data from foreign services transiting their pipes.  This was part of the CDB.

For: A way of giving the authorities access to communications data that they can’t collect from overseas providers.

Against: Expensive, utility unclear.

Status: As well as demanding that a compelling operational case be made out before any proposals are progressed (see above), Anderson hints that law enforcement may be less keen than they were in 2012: “Law enforcement is also conscious that the proposal of third party data retention was a particularly expensive one, and that its utility will be peculiarly susceptible to technological developments. It may therefore be that this aspect of the Communications Data Bill is no longer judged to be the priority that it once was, even within the law enforcement community.” [9.64]

Prediction:  Anyone's guess.

Watch out for: Lack of clarity over any proposed powers; dividing line between content and communications data.

More on third party data collection here.

Request filter

What is it? A plan for a system enabling authorities to search across communications data collections retained by multiple CSPs.  Another part of the CDB.

For: said to be less intrusive by focusing searches

Against: Federated search implies storing detailed profiles to link the databases together (CDB Joint Committee [114]).

Status: Anderson: “The Communications Data Bill contained provision for the retention of third-party data and for a request filter. Law enforcement still endorse the operational requirements which those provisions were meant to address, but want to engage further with industry on the best ways of meeting them.”

Prediction:  Anyone’s guess.

Watch out for: Clarity of technical proposal; consultation?

More on request filter here.

Judicial authorisation

What is it? Interception warrants in the UK are authorised by a Minister, not by an independent judicial or quasi-judicial body.  This has always been a bone of contention for civil liberties advocates.  Most demands to access communications data are authorised internally by the requesting authorities themselves.

For: The principle of the matter. The UK is out of step with most other liberal democracies. Internet and tech companies based in the USA may be more comfortable co-operating with judicial warrants.

Against: Ministers are in a better position to judge the political implications of issuing a sensitive warrant. They are politically accountable for their actions.

Status: Up in the air.  Anderson has recommended a new Judicial Commission to take over authorising interception warrants. RUSI has recommended a more limited scheme. The judgment in the Davis/Watson judicial review of DRIPA has said (subject to appeal) that the CJEU DRI decision means that there must be prior independent authorisation of requests for mandatorily retained communications data. It could be said that the same should apply to interception warrants.

Prediction: In the balance. The government may prefer to retain Ministerial control over warrants. But if it wants the new interception warrants regime to be legally bullet proof, the prudent course would be to go with a scheme for judicial or quasi-judicial approval of interception warrants.  Separately it has to decide how to deal with the regime for communications data demands following the Davis/Watson decision.

Watch out for:  Concentration on this issue to the detriment of others. It is important, but the scope and reach of powers is critical.