Saturday, 10 December 2016

Investigatory Powers Act 2016 Christmas Quiz

[Updated 1 January 2017 with answers below]

Now that the Investigatory Powers Bill has received Royal Assent, here is a Christmas quiz on the IPAct and its history. 

For some questions the answer is precise, others may be less so. For some the correct answer may be “we don’t know”.

Answers in the New Year.

Q.1 How many new powers does the IPAct introduce: (a) None (b) One (c) Six (d) More than six?

Q.2 Which secret (until revealed in 2015) internal government interpretation of RIPA was described in the House of Commons as ‘a very unorthodox statutory construction’?

Q.3 The subject line of an email is part of its content for interception purposes. True or false?

Q.4 In the IPAct, how is the ban on revealing the contents or existence of a technical capability notice enforced?

Q.5 Under the IPAct, a service provider who wished to challenge a data retention notice in court could not do so because that would break the ban on revealing the notice’s existence or contents. True or false?

Q.6 Under the IPAct a university could be made to install interception capabilities on its internal network. True or false?

Q.7. How is ‘internet communications service’ defined in the IPAct?

Q.8. Who was Amy?

Q.9. Under the IPAct, information intercepted in bulk in order to obtain overseas-related communications needs a specific warrant to be accessed for domestic reasons. True or false?

Q.10. Under the IPAct a university could be made to generate and retain site-level web browsing histories of its academic staff and students. True or false?

Q.11. Can more or fewer bodies access communications data under the IPAct than under RIPA?

Q.12. In 2015 how many people were wrongly accused, arrested or subjected to search warrants as a result of communications data acquisition errors?

Q.13. How much time elapsed between the Home Secretary telling Parliament that the IPBill would not include powers to force UK companies to capture and retain third party internet traffic and this being written into the Bill?

Q.14. In the IPAct, what is the significance of inferred meaning?

Q.15. KARMA POLICE was (and may or may not still be) a GCHQ database of web browsing records revealed by the Edward Snowden documents. According to those documents how much data did it contain, representing what period of time?

Q.16. Which agency has used bulk data to analyse patterns of behaviour from which potential hostile actors could be identified?

Q.17. How many times does ‘proportionate’ appear in the text of the IPAct?

Q.18. For how long before the government publicly acknowledged its use was Section 94 Telecommunications Act 1984 utilised to collect bulk communications data from public electronic communications network providers?

Q.19. Was the government’s use of Section 94 for collecting bulk communications data legal or illegal?

Q.20. How frequently has Section 94 been used for collecting bulk communications data?


ANSWERS


Q.1 How many new powers does the IPAct introduce: (a) None (b) One (c) Six (d) More than six?
According the government the Act introduces one new power: retention of internet connection records. Of the four possibilities (b) One is the only answer that cannot be correct.

Internet connection records are a type of communications data. Powers to mandate retention of some kinds of communications data have existed since 2009. On one view, therefore, ICR retention is not a new power but an extension of an existing power. On that basis the correct answer is (a) None.

If, however, a new power includes extension of an existing power then several other extensions should equally be brought into account: retention of non-ICR communications data to include datatypes beyond current powers; retention extended to include generating and obtaining for retention; extension of most powers to include private telecommunications operators; power for agencies to extract some kinds of content from communications and treat it as metadata; extension of power to issue technical capability notices from interception to most other substantive powers. With ICRs that makes a total of (c) Six. You could argue that a more granular breakdown of these extensions yields a total of (d) More than six.

The total is also (d) More than six if we include powers previously exercised on the basis of opaque statutory provisions, such as S.94 of the Telecommunications Act 1984, that gave no indication they might be exercised in this kind of way.

Q.2 Which secret (until revealed in 2015) internal government interpretation of RIPA was described in the House of Commons as ‘a very unorthodox statutory construction’?
The interpretation of "person" so as to enable targeted interception warrants to be issued in respect of groups of persons (so-called thematic warrants) instead of named individuals or specific premises.

The remark was made by Joanna Cherry QC MP in Commons Committee on 12 April 2016:
“The current Home Secretary has apparently derived the authority to do so from a broad definition given to the word “person” that is found elsewhere in RIPA, despite the unequivocal reference to “one person” in section 8(1) of RIPA. I suggest that what has gone on in the past is a very unorthodox statutory construction.”
The existence of thematic warrants and the statutory basis asserted for them was revealed by the Intelligence and Security Services Committee in its report of March 2015:
“The term ‘thematic warrant’ is not one defined in statute. However, the Home Secretary clarified that Section 81(1) of RIPA defines a person as “any organisation or any association or combination of persons”, thereby providing a statutory basis for thematic warrants.”

Q.3 The subject line of an email is part of its content for interception purposes. True or false?
True, under RIPA. Under the IP Act it is more complicated.

The subject line would normally fall within the IP Act’s new definition of ‘content’ (S.261(6)) as an “element of the communication… which reveals anything of what might reasonably be considered to be the meaning (if any) of the communication…”.

However for interception the Act allows so-called ‘secondary data’ to be extracted from the content of a communication and treated as communications data instead of content. Secondary data could include, for instance, the date and time of a meeting set out in the subject line of an e-mail. The Act includes similar provisions for equipment interference.

Q.4 In the IPAct, how is the ban on revealing the contents or existence of a technical capability notice enforced?
A trick question, this one. Most of the IP Act’s secrecy provisions are accompanied by an enforcement mechanism: a criminal offence or injunction. Curiously, however, no enforcement mechanism is prescribed for the S.255(8) prohibition in respect of technical capability notices.

Q.5 Under the IPAct, a service provider who wished to challenge a data retention notice in court could not do so because that would break the ban on revealing the notice’s existence or contents. True or false?
The IPAct does not provide any secrecy exception for this situation. However the non-disclosure duty is enforceable by the Secretary of State’s application to court for an injunction. It is unlikely (to say the least) that a court would allow an injunction application to be used to prevent access to the courts or to frustrate the court’s own proceedings.

The same point arose in Commons Committee debate on 3 May 2016 in relation to technical capability notices. That provision (now S.255(8) – see Q.4) is differently worded in that it expressly allows for the Secretary of State to give permission for disclosure. Keir Starmer QC MP sought reassurance that the provision could not be used to prevent access to the court:
“I have no doubt that, if the Secretary of State exercised her power under clause 218(8) to prevent access to the courts, it would run straight into an article 6 access to courts argument that would succeed on judicial review. I had assumed that one could read into the clause by implication that permission would not be refused in a bona fide and proper case where access to court—or the relevant tribunal, which may be a better way of putting it—was an issue. If that were made clear for the record or by some redrafting of the clause, it would help. As I said, I think that, in practice, any court in this jurisdiction would strike down pretty quickly a Secretary of State who sought to prevent access to the court.”
The Solicitor General responded:
“I think that the hon. and learned Gentleman is right about that. On that basis, I will have another look at clause 218(8), to get it absolutely right. I reassure him that it is not the Government’s intention to preclude access to the court.”
Q.6 Under the IPAct a university could be made to install interception capabilities on its internal network. True or false?
True. However the Act provides a three layer structure for technical capability notices: the statute, regulations made under the statute, then notices issued by the Secretary of State within the regulations. Regulations have yet to be published, but could specify a narrower class of service providers to whom technical capability notices could be issued.

Q.7. How is ‘internet communications service’ defined in the IPAct?
It isn’t. The term underpins two of the conditions that determine when a mandatorily retained internet connection record can be accessed. Footnote 46 in the draft Communications Data Code of Practice is the closest we approach to an indication of what it is intended to cover. The same omission featured in predecessor DRIPA regulations.

Q.8. Who was Amy?
Amy was a fictitious “quiet, impressionable 14 year old schoolgirl” who featured in a series of National Crime Agency infographics supporting the case for retaining communications data and internet connection records.

Q.9. Under the IPAct, information intercepted in bulk in order to obtain overseas-related communications needs a specific warrant to be accessed for domestic reasons. True or false?
False. Although a targeted examination warrant is required in order for content to be selected for examination by reference to someone known to be within the British Islands at the time of the selection, that does not apply to non-content ‘secondary data’ (which itself can include some data extracted from content – see Q.3). 

Q.10. Under the IPAct a university could be made to generate and retain site-level web browsing histories of its academic staff and students. True or false?
True. A communications data retention notice can be issued against a public or a private telecommunications operator. A university operating its own network is a telecommunications operator. Communications data can include internet connection records, including site level browsing histories.

The draft Communications Data Code of Practice sets out factors that will be taken into account in deciding which operators in practice will receive notices.

Q.11. Can more or fewer bodies access communications data under the IPAct than under RIPA?
A like for like count is not easy, due to differences in nomenclature and organisation. The overall count appears to be more or less the same.

A cull of authorities entitled to acquire communications data under RIPA was carried out in February 2015, when 13 authorities had their powers removed. One of those removed, the Food Standards Agency, is reinstated under the IP Act together with its Scottish counterpart Food Standards Scotland. The Prudential Regulation Authority will no longer be able to acquire communications data under the IP Act.

A detailed comparison of existing and proposed powers (other than for the police and intelligence services) is contained in the government’s “Operational case for the use of communications data by public authorities” (July 2016).

Q.12. In 2015 how many people were wrongly accused, arrested or subjected to search warrants as a result of communications data acquisition errors?
Seventeen.

Q.13. How much time elapsed between the Home Secretary telling Parliament that the IPBill would not include powers to force UK companies to capture and retain third party internet traffic and this being written into the Bill?
11½ months (4 November 2015 to 19 October 2016).

Q.14. In the IPAct, what is the significance of inferred meaning?
The term does not appear in the statute itself. However the Draft Codes of Practice explain how this is an important concept in understanding the distinction between content and communications data.

Q.15. KARMA POLICE was (and may or may not still be) a GCHQ database of web browsing records revealed by the Edward Snowden documents. According to those documents how much data did it contain, representing what period of time?
17.8 billion rows, representing 3 months of data.

Q.16. Which agency has used bulk data to analyse patterns of behaviour from which potential hostile actors could be identified? 
MI6, according to example A11/2 annexed to the Bulk Powers Review.

Q.17. How many times does ‘proportionate’ appear in the text of the IPAct?
62 (compared with 48 in the draft Bill).

Q.18. For how long before the government publicly acknowledged its use was Section 94 Telecommunications Act 1984 utilised to collect bulk communications data from public electronic communications network providers?
About 12 years.

Q.19. Was the government’s use of Section 94 for collecting bulk communications data legal or illegal?
The Investigatory Powers Tribunal held that the use was within the scope of the S.94 power. However before November 2015 it infringed Article 8 of the European Convention on Human Rights because it was not foreseeable that S.94 would be used in that way and also through lack of an adequate system of oversight for most of that period.

Q.20. How frequently has Section 94 been used for collecting bulk communications data?
The Interception of Communications Commissioner’s July 2016 Review of Section 94 directions identified 15 extant bulk communications data directions under S.94. All those directions were for traffic data and required “regular feeds”.

 

No comments:

Post a Comment