Wednesday, 4 November 2015

Prediction and Verdict - the draft Investigatory Powers Bill

Two months ago I took a shot at predicting what might be in the draft Investigatory Powers Bill. It will replace a confusing patchwork of surveillance and interception legislation centred on RIPA, the Regulation of Investigatory Powers Act 2000. 

I was particularly intrigued by how much of the old draft Communications Data Bill (CDB, or the Snoopers' Charter, blocked by the Liberal Democrats in 2012) might make it through into the new legislation. Today, following a blizzard of leaks and unofficial briefings over the past couple of weeks, the draft Bill has been published along with a mountain of explanatory papers and impact assessments, only some of which I have been able to read at this stage.


Here's an initial impression of how the draft Bill pans out against my predictions. More to come in time as the detail sinks in. As relatively instant comment, some of this may have to be refined or corrected as the light slowly dawns.  And there are many important points that I haven't touched on. The Home Office Guide to Powers and Safeguards is a reasonable place to start to get an overview.  

The 'What is it?' and 'Prediction' sections are as in my original piece. The rest is new.

GCHQ’s bulk interception warrant

What is it? The bulk interception warrant under Section 8(4)of RIPA. These warrants authorise GCHQ’s TEMPORA programme of tapping into transatlantic fibre optic cables, one of the most significant Snowden disclosures.  

Prediction: Bulk warrantry powers to stay, perhaps significantly modified.

Verdict: Still here, but with some changes. There is a new power to extract and examine communications data derived from bulk intercepted content (S.106(8) and see Explanatory Notes 271 to 275). 

The overall objective of a bulk interception warrant must be to intercept communications 'sent by individuals' or 'received by individuals' outside the British Islands. This is a new approach in place of the much criticised RIPA distinction between internal and external communications.

Devil in the detail:



Is it clearer than RIPA? Yes, but some similar nuanced pathways through the legislation remain.

Specific objectives for bulk interception warrants? (This was an Anderson recommendation.) Yes, sort of. S.111(3) says: "A bulk interception warrant must specify the operational purposes for which any intercepted material or related communications data obtained under the warrant may be selected for examination."  S111(4) tells us how specific (or not) those purposes have to be: "it is not sufficient simply to use the descriptions contained in section 107(1)(b) or (2) [e.g. 'national security'] , but the purposes may still be general purposes.".

Tighter constraints on searching for communications of persons within British Islands? Looks very similar to RIPA.

Is there a tighter framework for searching captured related communications data? Under RIPA most of the limitations on searching the content of bulk intercepted communications do not apply to related communications data. Related communications data can currently be scooped up alongside both external (at least one end outside British Islands) and collaterally acquired internal (British Isles to British Isles) communications.

In substance this is all retained in the draft Bill. Additionally, related communications data can now include content-derived communications data. The new Bill provides that selection must be necessary and proportionate and examination must be only so far as necessary for the operational purposes.

Prior judicial or quasi-judicial authorisation? See below.

Tighter limits in who can apply for a bulk warrant? Limited to the security and intelligence agencies, for specified purposes that must always include national security.

Background on RIPA bulk interception warrants here.

Broad Ministerial powers

What is it? A wide statutory power in Clause 1 of the draft CDB allowing Secretary of State to make regulations under which she could give notices to CSPs to generate, obtain and disclose communications data and to install designated equipment for that purpose.

Prediction: Increased specificity, but government will still want a method of future-proofing.

Verdict: Nothing like as vague as CDB, though the power to give retention notices to CSPs appears to have a significant element of future-proofing built in. The draft Bill also includes a major expansion of the powers to require service providers (extended to include non-public service providers) to install specified technical capabilities, allied to most of the new warrants and communications data acquisition powers (see S.189). At present RIPA only provides this power for interception warrants and for large public service providers.

Background on future-proofing here.

Browsing histories

What is it? Extension of current data retention powers so as to require storage of browsing histories (alias weblog data). This was one of the most contentious aspects of the draft Communications Data Bill. It is like keeping a list, which the authorities could demand to inspect, of all the books, newspapers and magazines that you have read in the last year.  Weblog data probably excludes web addresses (URLs) ‘after the first slash’. That is like listing a book, but not every page within it.

Prediction: Bank on this one coming back in some form.

Verdict: It's back, rebadged as 'internet connection records'. For which read everywhere you go at site or service level on the internet, but not individual pages. Part of a significant extension of DRIPA's data retention provisions.

Is this like a universal CCTV system recording when you go outside your front door and visit the bank and the shops? Or is it like a spybot in your home noting which books you read? Or is it something else? One thing is certain: we can't simply analogise this to keeping a log of which telephone number you called, where and when. This is a record of how we live our digital lives.

It is important to separate the scope of retention from the power to access. Access to this category of data will be more tightly restricted than for other communications data. Local authorities will have no access. The draft Bill sets out specific purposes for which public authorities can demand access to this category of communications data or make a demand that requires it to be processed (s.47(4)). 

The Home Secretary has (very) broadly paraphrased this restriction as 'determining whether someone had accessed a communications website, an illegal website or to resolve an IP address'. Regrettably there is no substitute for quoting the section:

"to identify—
(a) which person or apparatus is using an internet service where—
(i) the service and time of use are already known, but
(ii) the identity of the person or apparatus using the service is not known,
(b) which internet communications service is being used, and when and
how it is being used, by a person or apparatus whose identity is already known, or
(c) where or when a person or apparatus whose identity is already known is obtaining access to, or running, a computer file or computer program which wholly or mainly involves making available, or acquiring, material whose possession is a crime."
  
Like most requests for standard communications data under RIPA, requests for 'ICR' will not require judicial approval. They are authorised through Designated Persons within the public authorities, who are internally independent from the investigation in question.

The existing, narrower, data retention provisions of DRIPA have been challenged in court by MPs David Davis and Tom Watson and questions are being referred to the European Court of Justice. 

Devil in the detail:


David Anderson said that no detailed proposal should be put forward until a sufficiently compelling operational case had been made out and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring weblog data to be retained. The Home Office has now published an 'Operational Case for the Retention of Internet Connection Records'. This will repay careful scrutiny.

Background on weblog data retention here.

Digital footprints

What is it? Retention of the geolocation data that, thanks to our smartphones and tablets, we leave like a breadcrumb trail behind us.  The Annex to the CDB Explanatory Note explained that Communications data “includes information identifying the location of equipment when a communication is or has been made or received (such as the location of a mobile phone)”. A phone call, text, software update, e-mail check, news feed update, an app checking in to its provider are all communications and they happen all the time. Each could have precise GPS or Wi-Fi location data associated with it. 

Prediction: Probable.

Verdict: Yes, falls within relevant communications data that may be required to be retained. S.71(9) is explicit that the sender or recipient does not need to be a person, and that relevant communications data includes data identifying the location of any telecommunication system by means of which a communication is transmitted. Location of that system is one of the categories of data that the Secretary of State can order to be retained.


Data generation by decree

What is it? The Home Office would be able to order CSPs to generate communications data for the benefit of the authorities.  At the moment CSPs can only be made to retain data that they already generate or process in the UK. Think about that list of books, newspapers and magazines in the weblog data section (above). You don’t ordinarily keep a list? This is like compelling you to make one.

Prediction: Data generation to reappear.

Verdict: Yes, as predicted (S.71(8)). A significant change.


Background on compelled data generation here.

Boundary between communications data and content

What is it? On the one side we have email addresses, user IDs, IP addresses, domains, and the like.  On the other side content (including URLs beyond the first slash). Public authorities have far readier access to communications data than to content.  There are also sub-divisions of communications data (traffic data, service use data, subscriber data) that under RIPA affect the conduct that is classified as interception. The powers of public authorities to demand access to communications data vary depending on the type of communications data.

Privacy advocates question the historic assumption that content is necessarily more sensitive than communications data. Changes to the dividing line would have an impact on the data that the authorities could request and a knock-on effect on the scope of communications data retention.  

Prediction: Government will continue to maintain that communications data is less sensitive than content. Possible clarification of the boundary in areas of uncertainty such as social media and revision of communications data categories.


Verdict: The definition of communications data has been revised to cover 'entity' and 'events' data. There is also now a definition of the content of a communication, where RIPA had none.

Devil in the detail:

Requires application of a wet towel before commenting on whether anything has changed significantly.

Background on the existing RIPA content/communications data boundary here.

Third party data collection

What is it? A scheme that would enable the Home Office to require CSPs to collect and retain communications data from foreign services transiting their pipes.  This was part of the CDB.

Prediction:  Anyone's guess.

Verdict: Out.


More on third party data collection here.

Request filter

What is it? A plan for a system enabling authorities to search across communications  data collections retained by multiple CSPs.  Another part of the CDB.

Prediction:  Anyone’s guess.

Verdict: In.


Background on request filter here.

Judicial authorisation

What is it? Interception warrants in the UK are authorised by a Minister, not by an independent judicial or quasi-judicial body.  This has always been a bone of contention for civil liberties advocates.  Most demands to access communications data are authorised internally by the requesting authorities themselves.

Prediction: In the balance. The government may prefer to retain Ministerial control over warrants. But if it wants the new interception warrants regime to be legally bullet proof, the prudent course would be to go with a scheme for judicial or quasi-judicial approval of interception warrants.  Separately it has to decide how to deal with the regime for communications data demands following the Davis/Watson decision.

Verdict:  Generally the government is proposing a two tier system of Ministerial sign-off of warrants followed by an approval process undertaken by new judicial commissioners before the warrant can take effect (but retrospective in urgent cases).  They would review a decision to issue a warrant to the 'judicial review' standard rather than a de novo reevaluation of the merits.

Some other significant highlights that I didn't cover in my original predictions:


Section 94 Telecommunications Act 1984

What is it? The most mysterious existing power of all, enabling Secretaries of State to give national security directions to telecommunications companies.  Now there will be a 'national security notice' power spelled out in greater detail (S.188).

Extraterritoriality

What is it? RIPA always applied in general terms to telecommunications services provided to the UK from abroad. What wasn't so clear was whether interception warrants, interception capability notices and communications data acquisition notices could require conduct outside the UK, could apply to non-UK providers or how (if at all) they could validly be served on a non-UK provider. DRIPA fixed that. It didn't do the same for communications data retention notices, but which in any case could only require retention of data generated or processed within the UK.

Verdict: Extraterritoriality will apply to targeted interception warrants and mutual assistance warrants (S.29(4)); communications data acquisition notices (S.69(3)); targeted equipment interference warrants (S.99(3)); bulk interception warrants (S.116(3)); bulk acquisition warrants (S.130(3)); bulk equipment interference warrants (S.145(3)); technical capability notices (S.189(8)).


Non-UK operators can rely on a conflict of non-UK law defence in some of these cases: (S.31(5), S.69(4)). A technical capability notice is enforceable against someone outside the UK only if it relates to a targeted interception or mutual assistance warrant, a bulk interception warrant or a communications data acquisition notice or authorisation (S.190(10)).

Communications data retention notices can also be extra-territorial (S.79(1)). However while operators generally have a duty to comply with a notice, if a notice relates to "conduct or persons outside the United Kingdom" the duty is only to "have regard to the requirement or restriction".  (S.79(2))

Computer Network Exploitation (CNE) 

What is it? Official hacking.

Verdict: Warrantry powers formalised in the draft Bill. No surprise at all. Existing general powers were on shaky legal ground and had to be made more transparent. Both targeted and bulk equipment interference warrants are provided.


[Updated 5 November 2015 to add technical capability notices to Extraterritoriality section; section on Broad Ministerial Powers updated 6 November 2015 to add future proofing of retention notices and extension of technical capability notices to non-public service providers (h/t to @neil_neilzone for spotting the latter).]

1 comment:

  1. Useful summary. Is EI (warriorpride) new, then?

    As a computer scientist, I cannot work out what 'internet connection records' are. The government background paper, it's a record of all IP to IP address communication (which will not necessarily be recorded by most systems). In principle, this could include tunnelled information, although such information could be considered content.

    If the intention is to work out who's snapchatting with whom, then it would need to include the content.

    It does seem odd to me that just because the design of phone systems enables the identification of communications between end points, that capability should be carried into other technologies. It's not like it's available for the letter post, or talking over the garden gate. And certainly not possible to go back in time as retention of logs implies.

    ReplyDelete