Saturday, 31 December 2016

The Investigatory Powers Act - swan or turkey?

The Investigatory Powers Bill, now the newly minted Investigatory Powers Act, has probably undergone more scrutiny than any legislation in recent memory. Rarely, though, can the need for scrutiny have been so great.
Over 300 pages make up what then Prime Minister David Cameron described as the most important Bill of the last Parliament. When it comes into force the IP Act will replace much of RIPA (the Regulation of Investigatory Powers Act 2000), described by David Anderson Q.C.’s report A Question of Trust as ‘incomprehensible to all but a tiny band of initiates’. It will also supersede a batch of non-RIPA powers that had been exercised in secret over many years - some, so the Investigatory Powers Tribunal has found, on the basis of an insufficiently clear legal framework. 
None of this would have occurred but for the 2013 Snowden revelations of the scale of GCHQ’s use of bulk interception powers. Two years post-Snowden the government was still acknowledging previously unknown (except to those in the know) uses of opaque statutory powers. 
Three Reviews and several Parliamentary Committees later, it remains a matter of opinion whether the thousands of hours of labour that went into the Act have brought forth a swan or a turkey. If the lengthy incubation has produced a swan, it is one whose feathers are already looking distinctly ruffled following the CJEU judgment in Watson/Tele2, issued three weeks after Royal Assent. That decision will at a minimum require the data retention aspects of the Act to be substantially amended. 
So, swan or turkey?
Judicial approval
On the swan side warrants for interception and equipment interference, together with most types of power exercisable by notice, will be subject to prior approval by independent Judicial Commissioners. For some, doubts persist about the degree of the scrutiny that will be exercised. Nevertheless judicial approval is a significant improvement on current practice whereby the Secretary of State alone takes the decision to issue a warrant.
Codified powers
Also swan-like is the impressive 300 page codification of the numerous powers granted to law enforcement and intelligence agencies. A Part entitled ‘Bulk warrants’ is a welcome change from RIPA’s certificated warrants, which forced the reader to play hopscotch around a mosaic of convoluted provisions before the legislation would give up its secrets.
Granted, the IP Act also ties itself in a few impenetrable knots. Parts are built on shaky or even non-existent definitional foundations. But it would be churlish not to acknowledge the IP Act’s overall improvement over its predecessors. 
Parliamentary scrutiny
When we move to consider the Parliamentary scrutiny of bulk powers things become less elegant.
The pre-legislative Joint Committee acknowledged that the witnesses were giving evidence on the basis of incomplete information. In response to the Joint Committee’s recommendation the government produced an Operational Case for Bulk Powers alongside the Bill’s introduction into Parliament. That added a little light to that which A Question of Trust had previously shed on the use of bulk powers. 
But it was only with the publication of David Anderson’s Bulk Powers Review towards the end of the Parliamentary process that greater insight into the full range of ways in which bulk powers are used was provided from an uncontroversial source. (By way of example ‘selector’ - the most basic of bulk interception terms - appears 27 times in the Bulk Powers Review, five times in A Question of Trust and twice in the Operational Case, but not at all in either the Joint Parliamentary Scrutiny Committee Report or the Intelligence and Security Committee Report.)
By the time the Bulk Powers Review was published it was too late for the detailed information within it to fuel a useful Parliamentary debate on how any bulk powers within the Act should be framed. David Anderson touched on the timing when he declined to enter into a discussion of whether bulk powers might be trimmed:
“I have reflected on whether there might be scope for recommending the “trimming” of some of the bulk powers, for example by describing types of conduct that should never be authorised, or by seeking to limit the downstream use that may be made of collected material. But particularly at this late stage of the parliamentary process, I have not thought it appropriate to start down that path. Technology and terminology will inevitably change faster than the ability of legislators to keep up. The scheme of the Bill, which it is not my business to disrupt, is of broad future-proofed powers, detailed codes of practice and strong and vigorous safeguards. If the new law is to have any hope of accommodating the evolution of technology over the next 10 or 15 years, it needs to avoid the trap of an excessively prescriptive and technically-defined approach.”
In the event the legislation was flagged through on the Bulk Powers Review’s finding that the powers have a clear operational purpose and that the bulk interception power is of vital utility.
Fully equipped scrutiny at an early stage of the Parliamentary process could have resulted in more closely tailored bulk powers. As discussed below (“Vulnerability to legal challenge”) breadth of powers may come back to haunt the government in the courts.
Mandatory data retention
Views on expanded powers to compel communications data retention are highly polarised. But swan or turkey, data retention will become an issue in the courts. The CJEU judgment in Watson/Tele2, although about the existing DRIPA legislation, will require changes to the IP Act. How extensive those changes need to be will no doubt be controversial and may lead to new legal challenges. So, most likely, will the extension of mandatory data retention to include generation and obtaining of so-called internet connection records: site-level web browsing histories.  
Many would say that officially mandated lists of what we have been reading, be that paper books or websites, cross a red line. In human rights terms that could amount to failure to respect the essence of privacy and freedom of expression: a power that no amount of necessity, proportionality, oversight or safeguarding can legitimise.
Limits on powers v safeguards
The Act is underpinned by the assumption that breadth of powers can be counterbalanced by safeguards (independent prior approval, access restrictions, oversight) and soft limits on their exercise (necessity and proportionality). 
Those may provide protection against abuse. That is of little comfort if the objection is to a kind of intended use: for instance mining the communications data of millions in order to form suspicions, rather than starting with grounds for specific suspicion.
The broader and less specific the power, the more likely it is that some intended but unforeseen or unappreciated use of it will be authorised without prior public awareness and consent. That happened with S.94 of the Telecommunications Act 1984 and, arguably, with bulk interception under RIPA. Certainly, the coming together of the internet and mobile phones resulted in a shift in the intrusion and privacy balance embodied in the RIPA powers. This was facilitated by the deliberate future-proofing of RIPA powers to allow for technological change, an approach repeated (not to its benefit, I would argue) in the IP Act.
In A Question of Trust David Anderson speculated on a future Panopticon of high tech intrusive surveillance powers:
“Much of this is technically possible, or plausible. The impact of such powers on the innocent could be mitigated by the usual apparatus of safeguards, regulators and Codes of Practice. But a country constructed on such a basis would surely be intolerable to many of its inhabitants. A state that enjoyed all those powers would be truly totalitarian, even if the authorities had the best interests of its people at heart.”
He went on to say, in relation to controlling the exercise of powers by reference to fundamental rights principles of necessity and proportionality:
“Because those concepts as developed by the courts are adaptable, nuanced and context-specific, they are well adapted to balancing the competing imperatives of privacy and security. But for the same reasons, they can appear flexible, and capable of subjective application. As a means of imposing strict limits on state power (my second principle, above) they are less certain, and more contestable, than hard-edged rules of a more absolute nature would be.”
The IP Act abjures hard-edged rules. Instead it grants broad powers mitigated by safeguards and by the day to day application of soft limits: necessity and proportionality.
The philosophy of granting broad powers counterbalanced by safeguards and soft limits reflects a belief that, because the UK has a long tradition of respect for liberty, we can and should trust our authorities, suitably overseen, with powers that we would not wish to see in less scrupulous hands. 
Another view is that the mark of a society with a long tradition of respect for liberty is that it draws clear red lines. It does not grant overly broad or far-reaching powers to state authorities, however much we may believe we can trust them (and their supervisors) and however many safeguards against abuse we may install. 
Both approaches are rooted in a belief (however optimistic that may sometimes seem) that our society is founded on deeply embedded principles of liberty. Yet they lead to markedly different rhetoric and results.
Be that as it may, the IP Act grants broad general powers. Will the Act foster trust in the system that it sets up? 
The question of trust
David Anderson’s original Review was framed as “A Question of Trust”. Although we may believe a system to be operated by dedicated public servants of goodwill and integrity, nevertheless for the sceptic the answer to the question of trust posed by intrusive state powers is found in a version of the precautionary principle: the price of liberty is eternal vigilance.
Whoever may have coined that phrase, the slavery abolitionist Wendell Phillips in 1852 emphasised that it concerns the people at large as well as institutions:
“Eternal vigilance is the price of liberty; … Only by continued oversight can the democrat in office be prevented from hardening into a despot; only by unintermitted agitation can a people be sufficiently awake to principle not to let liberty be smothered in material prosperity.”
Even those less inclined to scepticism may think that a system of broad, general powers and soft limits merits a less generous presumption of trust than specifically limited, concretely defined powers. 
Either way a heavy burden is placed on oversight bodies to ensure openness and transparency. To quote A Question of Trust: “…trust depends on verification rather than reputation, …”. 
One specific point deserves highlighting: the effectiveness of the 5 year review provided for by the IP Act will depend upon sufficient information about the operation of the Act being available for evaluation.
Hidden legal interpretations
Transparency brings us to the question of hidden legal interpretations. The Act leaves it up to the new oversight body whether or not proactively to seek out and publish material legal interpretations on the basis of which powers are exercised or asserted
That this can be done is evident from the 2014 Report of Sir Mark Waller, the Intelligence Service Commissioner, in which he discusses whether there is a legal basis for thematic property interference warrants. That, however, is a beacon in the darkness. Several controversial legal interpretations were hidden until the aftermath of Snowden forced them into public light. 
David Anderson QC in his post-Act reflections has highlighted this as a “jury is out” point, emphasising that “the government must publicise (or the new Commission must prise out of it)” its internal interpretations of technical or controversial concepts in the new legislation. In A Question of Trust he had recommended that public authorities should consider how they could better inform Parliament and the public about how they interpret powers.
Realistically we cannot safely rely on government to do it. The Act includes a raft of new secrecy provisions behind which legal interpretations of matters such as who applies end to end encryption (the service provider or the user), the meaning of ‘internet communications service’, the dividing line between content and secondary data and other contentious points could remain hidden from public view. It will be interesting to see whether the future Investigatory Powers Commission will make a public commitment to implement the proposal.
Vulnerability to legal challenge
In the result the Act is long on safeguards but short on limits to powers. This structure looks increasingly likely to run into legal problems. 
Take the bulk interception warrant-issuing power. It encompasses a variety of differing techniques. They range from real-time application of 'strong selectors' at the point of interception (akin to multiple simultaneous targeted interception), through to pure ‘target discovery’: pattern analysis and anomaly detection designed to detect suspicious behaviour, perhaps in the future using machine learning and predictive analytics. Between the two ends of the spectrum are seeded analysis techniques, applied to current and historic bulk data, where the starting point for the investigation is an item of information associated with known or suspected wrongdoing.
The Act makes no differentiation between these different techniques. It is framed at an altogether higher level: necessity for general purposes (national security, alone or in conjunction with serious crime or UK economic well-being), proportionality and the like.
Statutory bulk powers could be differentiated and limited. For instance distinctions could be made between seeded and unseeded data mining. If pattern recognition and anomaly detection is valuable for detecting computerised cyber attacks, legislation could specify its use for that purpose and restrict others. Such limitations could prevent it being used for attempting to detect and predict suspicious behaviour in the general population, Minority Report-style. 
  
The lack of any such differentiation or limitation in relation to specific kinds of bulk technique renders the Act potentially vulnerable to future human rights challenges. Human rights courts are already suggesting that if bulk collection is not inherently repugnant, then at least the powers that enable it must be limited and differentiated.
Thus in Schrems the CJEU (echoing similar comments in Digital Rights Ireland at [57]) said:
“…legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage … without any differentiation, limitation or exception being made in the light of the objective pursued.” (emphasis added)
The same principles are elaborated in the CJEU’s recent Watson/Tele2 judgment, criticising mandatory bulk communication data retention:
“It is comprehensive in that it affects all persons using electronic communication services, even though those persons are not, even indirectly, in a situation that is liable to give rise to criminal proceedings. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious criminal offences. Further, it does not provide for any exception, and consequently it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy ….
106 Such legislation does not require there to be any relationship between the data which must be retained and a threat to public security. In particular, it is not restricted to retention in relation to (i) data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime …” (emphasis added)
The CJEU is also due to rule on the proposed agreement between the EU and Canada over sharing of Passenger Names Records (PNR data). The particular interest of the PNR case is that the techniques intended to be applied to bulk PNR data are similar to the kind of generalised target discovery techniques that could be applied to bulk data obtained under the IP Act powers. As described by Advocate General Mengozzi in his Opinion of 8 September 2016 this involves cross-checking PNR data with scenarios or profile types of persons at risk:
“… the actual interest of PNR schemes … is specifically to guarantee the bulk transfer of data that will allow the competent authorities to identify, with the assistance of automated processing and scenario tools or predetermined assessment criteria, individuals not known to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security and who are therefore liable to be subjected subsequently to more thorough individual checks.”
AG Mengozzi recommends that the Agreement must (among other things):
- set out clear and precise categories of data to be collected (and exclude sensitive data)
- include an exhaustive list of offences that would entitled the authorities to process PNR data
- in order to minimise ‘false positives’ generated by automated processing, contain principles and explicit rules:
  • concerning scenarios, predetermined assessment criteria and databases with which PNR would be compared, which must
  • to a large extent make it possible to arrive at results targeting individuals who might be under a reasonable suspicion of participating in terrorism or serious transnational crime, and which must
  • not be based on an individual’s racial or ethnic origin, his political opinions, his religion or philosophical beliefs, his membership of a trade union, his health or his sexual orientation.
As bulk powers come under greater scrutiny it seems likely that questions of limitation and differentiation of powers will come more strongly to the fore. The IP Act’s philosophy of broad powers counterbalanced with safeguards and soft limits may have produced legislation too generalised in scope and reach to pass muster.

Success in getting broad generally framed powers onto the statute book, though it may please the government in the short term, may be storing up future problems in the courts. One wonders whether, in a few years’ time, the government will come to regret not having fashioned a more specifically limited and differentiated set of powers.

[Amended 31 December 2016 to make clear that not all of RIPA is replaced.]

Saturday, 10 December 2016

Investigatory Powers Act 2016 Christmas Quiz

[Updated 1 January 2017 with answers below]

Now that the Investigatory Powers Bill has received Royal Assent, here is a Christmas quiz on the IPAct and its history. 

For some questions the answer is precise, others may be less so. For some the correct answer may be “we don’t know”.

Answers in the New Year.

Q.1 How many new powers does the IPAct introduce: (a) None (b) One (c) Six (d) More than six?

Q.2 Which secret (until revealed in 2015) internal government interpretation of RIPA was described in the House of Commons as ‘a very unorthodox statutory construction’?

Q.3 The subject line of an email is part of its content for interception purposes. True or false?

Q.4 In the IPAct, how is the ban on revealing the contents or existence of a technical capability notice enforced?

Q.5 Under the IPAct, a service provider who wished to challenge a data retention notice in court could not do so because that would break the ban on revealing the notice’s existence or contents. True or false?

Q.6 Under the IPAct a university could be made to install interception capabilities on its internal network. True or false?

Q.7. How is ‘internet communications service’ defined in the IPAct?

Q.8. Who was Amy?

Q.9. Under the IPAct, information intercepted in bulk in order to obtain overseas-related communications needs a specific warrant to be accessed for domestic reasons. True or false?

Q.10. Under the IPAct a university could be made to generate and retain site-level web browsing histories of its academic staff and students. True or false?

Q.11. Can more or fewer bodies access communications data under the IPAct than under RIPA?

Q.12. In 2015 how many people were wrongly accused, arrested or subjected to search warrants as a result of communications data acquisition errors?

Q.13. How much time elapsed between the Home Secretary telling Parliament that the IPBill would not include powers to force UK companies to capture and retain third party internet traffic and this being written into the Bill?

Q.14. In the IPAct, what is the significance of inferred meaning?

Q.15. KARMA POLICE was (and may or may not still be) a GCHQ database of web browsing records revealed by the Edward Snowden documents. According to those documents how much data did it contain, representing what period of time?

Q.16. Which agency has used bulk data to analyse patterns of behaviour from which potential hostile actors could be identified?

Q.17. How many times does ‘proportionate’ appear in the text of the IPAct?

Q.18. For how long before the government publicly acknowledged its use was Section 94 Telecommunications Act 1984 utilised to collect bulk communications data from public electronic communications network providers?

Q.19. Was the government’s use of Section 94 for collecting bulk communications data legal or illegal?

Q.20. How frequently has Section 94 been used for collecting bulk communications data?


ANSWERS


Q.1 How many new powers does the IPAct introduce: (a) None (b) One (c) Six (d) More than six?
According the government the Act introduces one new power: retention of internet connection records. Of the four possibilities (b) One is the only answer that cannot be correct.

Internet connection records are a type of communications data. Powers to mandate retention of some kinds of communications data have existed since 2009. On one view, therefore, ICR retention is not a new power but an extension of an existing power. On that basis the correct answer is (a) None.

If, however, a new power includes extension of an existing power then several other extensions should equally be brought into account: retention of non-ICR communications data to include datatypes beyond current powers; retention extended to include generating and obtaining for retention; extension of most powers to include private telecommunications operators; power for agencies to extract some kinds of content from communications and treat it as metadata; extension of power to issue technical capability notices from interception to most other substantive powers. With ICRs that makes a total of (c) Six. You could argue that a more granular breakdown of these extensions yields a total of (d) More than six.

The total is also (d) More than six if we include powers previously exercised on the basis of opaque statutory provisions, such as S.94 of the Telecommunications Act 1984, that gave no indication they might be exercised in this kind of way.

Q.2 Which secret (until revealed in 2015) internal government interpretation of RIPA was described in the House of Commons as ‘a very unorthodox statutory construction’?
The interpretation of "person" so as to enable targeted interception warrants to be issued in respect of groups of persons (so-called thematic warrants) instead of named individuals or specific premises.

The remark was made by Joanna Cherry QC MP in Commons Committee on 12 April 2016:
“The current Home Secretary has apparently derived the authority to do so from a broad definition given to the word “person” that is found elsewhere in RIPA, despite the unequivocal reference to “one person” in section 8(1) of RIPA. I suggest that what has gone on in the past is a very unorthodox statutory construction.”
The existence of thematic warrants and the statutory basis asserted for them was revealed by the Intelligence and Security Services Committee in its report of March 2015:
“The term ‘thematic warrant’ is not one defined in statute. However, the Home Secretary clarified that Section 81(1) of RIPA defines a person as “any organisation or any association or combination of persons”, thereby providing a statutory basis for thematic warrants.”

Q.3 The subject line of an email is part of its content for interception purposes. True or false?
True, under RIPA. Under the IP Act it is more complicated.

The subject line would normally fall within the IP Act’s new definition of ‘content’ (S.261(6)) as an “element of the communication… which reveals anything of what might reasonably be considered to be the meaning (if any) of the communication…”.

However for interception the Act allows so-called ‘secondary data’ to be extracted from the content of a communication and treated as communications data instead of content. Secondary data could include, for instance, the date and time of a meeting set out in the subject line of an e-mail. The Act includes similar provisions for equipment interference.

Q.4 In the IPAct, how is the ban on revealing the contents or existence of a technical capability notice enforced?
A trick question, this one. Most of the IP Act’s secrecy provisions are accompanied by an enforcement mechanism: a criminal offence or injunction. Curiously, however, no enforcement mechanism is prescribed for the S.255(8) prohibition in respect of technical capability notices.

Q.5 Under the IPAct, a service provider who wished to challenge a data retention notice in court could not do so because that would break the ban on revealing the notice’s existence or contents. True or false?
The IPAct does not provide any secrecy exception for this situation. However the non-disclosure duty is enforceable by the Secretary of State’s application to court for an injunction. It is unlikely (to say the least) that a court would allow an injunction application to be used to prevent access to the courts or to frustrate the court’s own proceedings.

The same point arose in Commons Committee debate on 3 May 2016 in relation to technical capability notices. That provision (now S.255(8) – see Q.4) is differently worded in that it expressly allows for the Secretary of State to give permission for disclosure. Keir Starmer QC MP sought reassurance that the provision could not be used to prevent access to the court:
“I have no doubt that, if the Secretary of State exercised her power under clause 218(8) to prevent access to the courts, it would run straight into an article 6 access to courts argument that would succeed on judicial review. I had assumed that one could read into the clause by implication that permission would not be refused in a bona fide and proper case where access to court—or the relevant tribunal, which may be a better way of putting it—was an issue. If that were made clear for the record or by some redrafting of the clause, it would help. As I said, I think that, in practice, any court in this jurisdiction would strike down pretty quickly a Secretary of State who sought to prevent access to the court.”
The Solicitor General responded:
“I think that the hon. and learned Gentleman is right about that. On that basis, I will have another look at clause 218(8), to get it absolutely right. I reassure him that it is not the Government’s intention to preclude access to the court.”
Q.6 Under the IPAct a university could be made to install interception capabilities on its internal network. True or false?
True. However the Act provides a three layer structure for technical capability notices: the statute, regulations made under the statute, then notices issued by the Secretary of State within the regulations. Regulations have yet to be published, but could specify a narrower class of service providers to whom technical capability notices could be issued.

Q.7. How is ‘internet communications service’ defined in the IPAct?
It isn’t. The term underpins two of the conditions that determine when a mandatorily retained internet connection record can be accessed. Footnote 46 in the draft Communications Data Code of Practice is the closest we approach to an indication of what it is intended to cover. The same omission featured in predecessor DRIPA regulations.

Q.8. Who was Amy?
Amy was a fictitious “quiet, impressionable 14 year old schoolgirl” who featured in a series of National Crime Agency infographics supporting the case for retaining communications data and internet connection records.

Q.9. Under the IPAct, information intercepted in bulk in order to obtain overseas-related communications needs a specific warrant to be accessed for domestic reasons. True or false?
False. Although a targeted examination warrant is required in order for content to be selected for examination by reference to someone known to be within the British Islands at the time of the selection, that does not apply to non-content ‘secondary data’ (which itself can include some data extracted from content – see Q.3). 

Q.10. Under the IPAct a university could be made to generate and retain site-level web browsing histories of its academic staff and students. True or false?
True. A communications data retention notice can be issued against a public or a private telecommunications operator. A university operating its own network is a telecommunications operator. Communications data can include internet connection records, including site level browsing histories.

The draft Communications Data Code of Practice sets out factors that will be taken into account in deciding which operators in practice will receive notices.

Q.11. Can more or fewer bodies access communications data under the IPAct than under RIPA?
A like for like count is not easy, due to differences in nomenclature and organisation. The overall count appears to be more or less the same.

A cull of authorities entitled to acquire communications data under RIPA was carried out in February 2015, when 13 authorities had their powers removed. One of those removed, the Food Standards Agency, is reinstated under the IP Act together with its Scottish counterpart Food Standards Scotland. The Prudential Regulation Authority will no longer be able to acquire communications data under the IP Act.

A detailed comparison of existing and proposed powers (other than for the police and intelligence services) is contained in the government’s “Operational case for the use of communications data by public authorities” (July 2016).

Q.12. In 2015 how many people were wrongly accused, arrested or subjected to search warrants as a result of communications data acquisition errors?
Seventeen.

Q.13. How much time elapsed between the Home Secretary telling Parliament that the IPBill would not include powers to force UK companies to capture and retain third party internet traffic and this being written into the Bill?
11½ months (4 November 2015 to 19 October 2016).

Q.14. In the IPAct, what is the significance of inferred meaning?
The term does not appear in the statute itself. However the Draft Codes of Practice explain how this is an important concept in understanding the distinction between content and communications data.

Q.15. KARMA POLICE was (and may or may not still be) a GCHQ database of web browsing records revealed by the Edward Snowden documents. According to those documents how much data did it contain, representing what period of time?
17.8 billion rows, representing 3 months of data.

Q.16. Which agency has used bulk data to analyse patterns of behaviour from which potential hostile actors could be identified? 
MI6, according to example A11/2 annexed to the Bulk Powers Review.

Q.17. How many times does ‘proportionate’ appear in the text of the IPAct?
62 (compared with 48 in the draft Bill).

Q.18. For how long before the government publicly acknowledged its use was Section 94 Telecommunications Act 1984 utilised to collect bulk communications data from public electronic communications network providers?
About 12 years.

Q.19. Was the government’s use of Section 94 for collecting bulk communications data legal or illegal?
The Investigatory Powers Tribunal held that the use was within the scope of the S.94 power. However before November 2015 it infringed Article 8 of the European Convention on Human Rights because it was not foreseeable that S.94 would be used in that way and also through lack of an adequate system of oversight for most of that period.

Q.20. How frequently has Section 94 been used for collecting bulk communications data?
The Interception of Communications Commissioner’s July 2016 Review of Section 94 directions identified 15 extant bulk communications data directions under S.94. All those directions were for traffic data and required “regular feeds”.