Wednesday, 12 August 2015

The Coming UK Surveillance Debate

This is a series of 13 posts about the forthcoming Investigatory Powers Bill, due to be published in draft this autumn for pre-legislative scrutiny by a Joint Committee of Parliament.

The Bill will replace a variety of statutes governing interception, mandatory communications data retention and communications data acquisition by public authorities. In particular it will supersede the Data Retention and Investigatory Powers Act 2014 (DRIPA) and parts of the Regulation of Investigatory Powers Act 2000 (RIPA).

  1. Red Lines and no-go zones
  2. Legal and policy origins
  3. Bulk interception, Part 1 (External communications)
  4. Bulk interception, Part 2 (The Section 8(4) certificate)
  5. Bulk interception, Part 3 (Selection of intercepted material for examination)
  6. Targeted interception (Reasonable suspicion, Thematic warrants, Ban on disclosure)
  7. Extraterritoriality, Transparency and Data sharing
  8. Communications Data Retention, Part 1 (Content/communications data boundary, Compelled data generation)
  9. Communications Data Retention, Part 2 (Third party data collection, Request filter)
  10. Communications Data Retention, Part 3 (Retention of weblog data)
  11. Communications Data Retention, Part 4 (Mandatory data retention purposes, Prior independent authorisation)
  12. Communications Data Acquisition
  13. Future-proofing
Other Cyberleagle posts on related themes include:


Key reference documents for the forthcoming Bill:

Privacy and Security: A modern and transparent legal framework (Intelligence and Security Committee of Parliament, March 2015)
A Question of Trust (David Anderson Q.C.'s report on Investigatory Powers, June 2015)
A Democratic Licence to Operate (RUSI Independent Surveillance Review, July 2015)

My own submission to the Anderson Review is here.



The Coming UK Surveillance Debate: Future-proofing

The last in a series of posts on the forthcoming Investigatory Powers Bill


RIPA was future-proofed by writing it in such abstract technology-neutral terms that, combined with some fiendishly tortuous drafting, anyone not in the know had little chance of twigging what it was actually designed to do.

The draft Communications Data Bill took a different approach, building in flexibility to accommodate future technological innovation by granting broad order-making powers to the Secretary of State orders that themselves would contain little detail.  This went down very badly with the Parliamentary Joint Committee that scrutinised it:
We have not seen a draft of such an order, and we have been told that we will not be shown one. But it is clear that the order will only be a framework. The specific requirements will be imposed by secret notices by the Secretary of State.
The Committee went on:
Given the wide anxiety raised by the breadth of clause 1, we pressed the Home Office officials as to why it could not be narrowed to cover only the gaps which currently needed to be filled. Mr Farrs answer was:

The fundamental reason why we are nervous about limiting clause 1 is future-proofing ... Because I genuinely believe that no sooner will you get this legislation through than something else will come up, given the pace of change in the communications industry, which will create another gap, particularly if clever people know that we have filled one area, and so now try to exploit another. Future-proofing and flexibility are at the heart of the language we have used in clause 1.
... We did receive from Mr Farr the important undertaking that Home Office officials would look at clause 1 again, and advise Ministers on whether it can be changed, enhanced or improved. We believe that it can indeed be changed and improved, by being narrowed to cover specifically the gaps so far identified. An undertaking, whether by officials or by ministers, that a power will be used only to a limited extent, is of little value. Once a power is on the statute book, it is available to be used, and also to be misused or abused, at any time in the future. It is hardly surprising that a proposal for powers of this width has caused public anxiety.
The Anderson Report described Clause 1 as an excessively broad power.  (14.24)

A similar criticism can be levelled at the data retention powers under DRIPA, which are exercisable by notice from the Secretary of State to public telecommunications providers. The government treats the notices as secret and has declined to reveal any details about them, even to the court that heard the DRIPA judicial review, on grounds that to do so would prejudice national security.

At least under DRIPA the specific datatypes that can be ordered to be retained are listed, albeit there has been a move towards more generality (and concomitant obscurity) in the amendment made by the Counter-Terrorism and Security Act 2015 to cover IP address resolution data.

Although technological neutrality and future proofing are admirable in many contexts, they can be positively dangerous in the field of invasive powers where all manner of unanticipated activity may inappropriately fall into scope in the future. When powers intrude on fundamental rights of privacy and freedom of expression it may be more important that Parliament and the public have a clear understanding of what is being authorised than that the legislation be future proof. (This broadly corresponds to the suggestion recorded at 12.96(d) in the Anderson report). If legislation goes out of date, in an area of this sensitivity Parliament ought not to begrudge its time spent scrutinising any further proposal for new, extended or reduced powers.

The Coming UK Surveillance Debate: Communications Data Acquisition

One of a series of posts on the forthcoming Investigatory Powers Bill


The boundary between communications data and content is likely to be revisited

One area where the government might look at the possibility of reining back powers is a reduction in the number of public authorities who are able to access communications data and for what purposes.  That is in any event likely to be affected by the restriction on purposes for which mandatorily retained data may be accessed following the DRIPA judicial review judgment (subject to any appeal).

Professional and journalistic privilege should be addressed more robustly than by the current Code of Practice guidance, with at least the promised implementation of the Interception Commissioner’s recommendation for the introduction of judicial authorisation for demands aimed at identifying journalists’ sources. The DRIPA judicial review judgment may result in a broader requirement for judicial or other independent authorisation in any event, at least for mandatorily retained data.

There is room for more stringent constraints on the quantities of data covered by a single authorisation or notice. At the moment a notice could cover communications made from an e-mail address over an hour or two or over a year or more.  There are no limits other than the duty on those involved to satisfy themselves of the proportionality of the demand. Thus the Acquisition of Communications Data Code of Practice states:
“3.54. Designated persons should specify the shortest possible period of time for any authorisation or notice. To do otherwise would impact on the proportionality of the authorisation or notice and impose an unnecessary burden upon the relevant CSP(s).”
Some selected recommendations from many in the Anderson report (which was published before the judgment in the DRIPA judicial review):
Anderson
Public authorities with relevant criminal enforcement powers should in principle be able to acquire communications data. It should not be assumed that the public interest is served by reducing the number of bodies with such powers, unless there are bodies which have no use for them. There should be a mechanism for removing public authorities (or categories of public authorities) which no longer need the powers, and for adding those which need them. (Recommendation 50)

The requirement in RIPA 2000 ss23A-B of judicial approval by a magistrate or sheriff for local authority requests for communications data should be abandoned. Approvals should be granted, after consultation with NAFN, by a DP of appropriate seniority within the requesting public authority. (Recommendation 66)

In recognition of the capacity of modern communications data to produce insights of a highly personal nature, where a novel or contentious request for communications data is made, the DP should refer the matter to ISIC for a Judicial Commissioner to decide whether to authorise the request. (Recommendation 70)


The Coming UK Surveillance Debate: Communications Data Retention, Part 4

One of a series of posts on the forthcoming Investigatory Powers Bill


Mandatory data retention purposes. The July 2015 High Court decision in the Davis/Watson judicial review of DRIPA followed the CJEU DigitalRights Ireland case in April 2014, which invalidated the EU Data Retention Directive.  In July 2014, three months later, the UK government rushed DRIPA through Parliament in a few days as emergency legislation, replacing the previous secondary legislation which, since it implemented the now invalid Directive, was itself vulnerable to challenge.

The government did not claim at the time that DRIPA addressed every aspect of DRI. DRIPA made some accommodations, for instance enabling data retention notices served on communications service providers to specify different periods up to 12 months for retention of different classes of data.  However the government could not rely in the court case on the newly flexible time period.  Since it declined to give any details of DRIPA notices given to CSPs, the court had to assume that any notices that may have been given required retention for the full 12 months.

The CJEU in DRI set out a list of reasons why the Data Retention Directive did not comply with the Charter.  However it left room for doubt as to whether every ground was a self-standing reason for invalidity, or whether only the cumulative list as a whole justified invalidating the Directive.  The High Court had to grapple with this issue and decide which grounds, if any, were meant to be independent conditions for Charter compliance.

It decided that three requirements were stated with such emphasis as to be intended to be self-standing:

-           the legislation must lay down clear and precise rules governing the scope and application of the measure; and imposing minimum safeguards sufficient to give effective protection against the risk of abuse and against any unlawful access to and use of the data (paragraphs 52 and 54);

-           access to and use of data retained under a general retention regime must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences (paragraph 61);

-           "Above all", access must be dependent on a prior review by a court or an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued, and which intervenes following a reasoned request of those authorities (paragraph 62).

Following this judgment (subject to appeal) there is now a question mark over the purposes for which mandatorily retained communications data may be accessed, even if the government can devise an otherwise EU Charter-compliant retention regime. 

While Article 15(1) of the EU Privacy and Data Retention Directive mentions national security as well as investigation of criminal offences as grounds to restrict certain of the privacy protections in the Directive, the CJEU DRI judgment was framed entirely in terms of crime or serious crime.  The order made by the High Court disapplied DRIPA in the following terms, which exclude national security:
“in so far as access to and use of communications data retained pursuant to a retention notice is permitted for purposes other than the prevention and detection of serious offences or the conduct of criminal prosecutions relating to such offences”.
The High Court noted in its judgment:
“In their submissions on remedy following receipt of our draft judgment counsel for the [UK government] raised for the first time the question of whether access to retained data for national security reasons is within the scope of EU law. This was not raised in the oral or written arguments previously addressed to us and we decline to allow it to be raised at this late stage. Whether national security cases should have different provisions for authorisation of access to communications data will no doubt be the subject of careful thought when the new legislation is being drafted.” [123]
National security apart, the purposes for which communications data may currently be accessed under RIPA are considerably broader than either national security or serious offences and, subject to any appeal against the High Court judgment, will have to be revisited at least for mandatorily retained data.

Prior independent authorisation. The method of authorisation of access at least to mandatorily retained communications data will need to be reconsidered in the light of the DRIPA judicial review judgment (subject to appeal), so as to put in place prior authorisation by a court or independent administrative body.

The Coming UK Surveillance Debate: Communications Data Retention, Part 3

One of a series of posts on the forthcoming Investigatory Powers Bill


Retention of weblog data. Perhaps the most contentious and confused aspect of communications data retention is the debate over so-called weblog data. Anderson said:
“What is meant by web log in this context has caused some uncertainty, and independent experts to whom I have spoken criticise the term, and those who use it, on the basis of imprecision (as well as the inapplicability of the term to non-web based services).” [9.53]
The confusion around weblog data is heightened by the fact that the definitional boundaries are different for mandatory retention under DRIPA, voluntary retention under ATCSA 2001 and access to communications data by public authorities under RIPA.

RIPA drew the original line between communications data and content.  A machine identifier (such as an IP address or a URL up to the first slash) was communications data, but a URL after the first slash was content.  As Anderson observes, there are arbitrary elements to the core definition.  So www.bbc.co.uk is communications data, www.bbc.co.uk/sport is content, but sport.bbc.co.uk is communications data (Anderson, 9.54, fn 32).

The Home Office seems to want to extend mandatory retention to include URLs up to the first slash, but not full URLs. That appears from the definition of weblog data that it provided to Anderson:
“Weblogs are a record of the interaction that a user of the internet has with other computers connected to the internet. This will include websites visited up to the first ‘/’ of its [url], but not a detailed record of all web pages that a user has accessed. This record will contain times of contacts and the addresses of the other computers or services with which contact occurred.” [9.53]
Weblogs limited in that way could still, Anderson observes, “reveal, as critics of the proposal point out, that a user has visited a pornography site, or a site for sufferers of a particular medical condition, though the Home Office tell me that it is in practice very difficult to piece together a browsing history.” [9.54]

The Home Office description of weblog data is also intended to cover data such as destination IP addresses, DNS server logs, http ‘GET’ messages and IP service use data. [Anderson 9.54, fn 32] The inclusion of GET messages is odd. A GET message requests a page from the web server. Unless truncated it would be the equivalent of retaining a full URL.

Anderson reports law enforcement apparently pressing the case for compulsory retention of weblog data less strongly than to the Joint Committee in 2012:
“In short, it was not submitted to me, as it was in 2012 to the [Joint Committee], that “access to weblogs is essential for a wide range of investigations”. [9.61]
 However he added:
“it was clear from my conversations with the most senior officers that law enforcement does want a record to exist of an individual’s interaction with the internet to which it can obtain access. Ultimately it would argue for the retention of web logs, subject to safeguards to be determined by Parliament, if this was identified as the best way to meet its operational needs. But it would expect all avenues to be explored before reaching a final view on the best solution.” 
Recommendations of the three Reviews in relation to weblog data retention are:
ISC
No recommendation
Anderson
Full consideration should be given to alternative means of achieving those purposes, including existing powers, and to the categories of data that should be required to be retained, which should be minimally intrusive. If a sufficiently compelling operational case has been made out, a rigorous assessment should then be conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained. No detailed proposal should be put forward until that exercise has been performed. (Recommendation 15)
RUSI
No recommendation

Given the confusion over what is and is not weblog data, I have set out in the table below a tentative analysis (others may have different interpretations and I reserve the right to change my mind!) of the current position on retention and access to some types of communications data. References to ‘Schedule’ are to the Schedule annexed to the Data Retention Regulations 2014 (S.I. 2014/2042) made under DRIPA.

Three points should be borne in mind when reading the table.  First, a ‘Yes’ answer does not mean that that type of data is necessarily covered in all circumstances.  It has at least to satisfy the conditions in rows 2 and (for CTSA 2015) 3 of the table. Second, I have given the benefit of the doubt to CTSA’s difficult definition of relevant internet data (set out in row 3). Third, CTSA can only apply to data that is not already covered by the DRIPA Regulations.

Datatype
Mandatory retention possible under DRIPA?
Mandatory retention possible under CTSA S21?
Can disclosure be required under RIPA Pt I Chapter II?
Comment

Applies only so far as the data is generated or processed within UK by a public telecommunications operator in the process of providing a telecommunications service (DRIPA S. 2(1)).
A telecommunications operator can be required to disclose communications data in its possession and to obtain and disclose it if not in its possession 



Applies only to the extent that the data can identify, identify, or assist in identifying, which IP address or other identifier belongs to the sender or recipient of a communication


At customer’s ISP




Source static IP address
Yes (Schedule, 13(1)(b))

Yes

Source dynamic IP address.
Yes (Schedule, 13(1)(b))

Yes

Source shared IP address (within ISP e.g. CG-NAT)
Yes (Schedule, 13(1)(b))

Yes

Source port number
No
Yes
Yes

Weblog data: destination IP address
No
Probably excluded by S.21(3)(c)
Yes

Weblog data: destination URL (up to first ‘/’)
No
No (excluded by S.21(3)(c))
Yes (traffic data within S. 21(6))
ATCSA 2001 Voluntary Code provides for retention for 4 days
Destination URL (after first ‘/’)
No
No (excluded by S.21(3)(c))
No (excluded by last para of  S.21(6))
Excluded from ATCSA 2001 Voluntary Code





At public wi-fi point









Source MAC address
No
Yes
Yes






At webmail provider or other public host



DRIPA confirmed webmail as a telecommunications service
IP address allocated by user’s ISP
Yes

Yes

Port number allocated by user’s ISP
No
Yes
Yes



The Coming UK Surveillance Debate: Communications Data Retention, Part 2

One of a series of posts on the forthcoming Investigatory Powers Bill


Third party data collection. The Communications Data Bill would have required CSPs to collect and retain third party data travelling across their networks from foreign sources (such as US platforms), so as to make it accessible to communications data demands from UK authorities. However the Anderson Report hints (see quotation below) that the case for third party data collection may now be less strongly pressed by law enforcement.

Recommendations of the three Reviews on collection and retention of third party data:
ISC
No recommendation
Anderson
There should be no question of progressing proposals for the compulsory retention of third party data before such time as a compelling operational case may have been made, there has been full consultation with CSPs and the various legal and technical issues have been fully bottomed out. None of those conditions is currently satisfied. (Recommendation 18)
RUSI
No recommendation

Request filter. The Communications Data Bill would have introduced a request filter, capable of searching across datasets held by multiple communications providers. As with third party data collection the Anderson review hints at a diminution in pressure from law enforcement:
“The Communications Data Bill contained provision for the retention of third-party data and for a request filter. Law enforcement still endorse the operational requirements which those provisions were meant to address, but want to engage further with industry on the best ways of meeting them.” [9.11]
None of the reviews makes a specific recommendation in respect of the request filter, beyond more general comments made about the draft Communications Data Bill.

Retention of so-called IP address resolution data has already been introduced in the Counter-Terrorism and Security Act 2015.  The government has said that this is only a stepping stone. While exactly what more it may have in mind is unclear, it is most likely referring to retention of weblog data. That is discussed in the next post.

The Coming UK Surveillance Debate: Communications Data Retention, Part 1

One of a series of posts on the forthcoming Investigatory Powers Bill


Mandatory communications data retention is already a battleground. The Conservatives did not get their way over the Communications Data Bill in 2012.  The coalition government pushed DRIPA through Parliament in 2014 with indecent haste. In July 2015 the current administration lost the first round of the judicial review challenge to DRIPA. The government has said it will appeal. 

The court judicial review judgment did not hold that the CJEU DRI decision had outlawed a general data retention obligation as such.  The government has been given until March 2016 to implement new legislation remedying the defects identified by the court.

We can expect more blood on the floor in this area. Some likely issues include: 
The boundary between content and communications data is likely to be revisited. As well as its more general implications a change in the dividing line would have a particular impact on the proposed Communications Data Bill third party data collection scheme (discussed below).  The Joint Committee described how the data would be collected:
"It would be necessary to place data probes within a CSP’s network and those probes would be programmed to generate information from network links within the CSP. Deep Packet Inspection (DPI) would be used to isolate key pieces of information from data packets in a CSP’s network traffic." [91] 
Under RIPA that type of activity would be an interception, unless restricted to the acquisition of traffic data comprised in or attached to a communication for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted.
The draft CDB specifically did not authorise any conduct that would amount to an interception. Difficult questions would have arisen about how far DPI for this purpose could go before it became an unlawful interception. If the definition of traffic data were to be widened as the result of a review of the boundary between content and communications data, then the potential scope of third party data collection would be automatically broadened.

Recommendations by the three Reviews on the boundary between content and communications data:
ISC
In relation to communications, given the controversy and confusion around access to Communications Data, we believe that the legislation should clearly define the following terms:
Communications Data should be restricted to basic information about a communication, rather than data which would reveal a persons habits, preferences or lifestyle choices. This should be limited to basic information such as identifiers (email address, telephone number, username, IP address), dates, times, approximate location, and subscriber information.

Communications Data Plus would include a more detailed class of information which could reveal private information about a persons habits, preferences or lifestyle choices, such as websites visited. Such data is more intrusive and therefore should attract greater safeguards.

Content-Derived Information would include all information which the Agencies are able to generate from a communication by analysing or processing the content. This would continue to be treated as content in the legislation. (Recommendation AAA)
Anderson
The definitions of content and of communications data, and any subdivisions, should be reviewed, with input from all interested parties including service providers, technical experts and NGOs, so as to ensure that they properly reflect both current and anticipated technological developments and the privacy interests attaching to different categories of material and data. Content and communications data should continue to be distinguished from one other, and their scope should be clearly delineated in law. (Recommendation 12)
RUSI
Following evidence received by the ISR Panel and further discussion with civil-liberties groups and communications service providers (CSPs), we recommend that definitions of content data and of communications data should be reviewed as part of the drafting of new legislation. They should be clearly delineated in law. (Recommendation 3)

Compelled data generation.  The current data retention law (DRIPA) can require data to be retained only if it is already generated or processed in the UK by the service provider in the course of providing its service.

The voluntary communications data retention provisions of Section 102 ATCSA 2001 are narrower.  They only apply to retention of communications data obtained by or held by telecommunications service providers. The Code of Practice makes clear this simply extends the retention period where data is already held for the CSP’s own business purposes.  This is a higher threshold than mere generation or processing. However unlike this aspect of DRIPA, ATCSA is not limited to the UK.

The Communications Data Bill would for the first time have enabled a provider to be compelled to generate data.  This could for instance have been used to require a provider to collect identifying details of a user.  Many would regard this as crossing a red line between facilitating the authorities’ access to whatever data may already be out there and requiring a provider to design its business to suit the authorities.

For whatever reason – possibly the terms of the voluntary ATCSA Code – it is sometimes assumed that under current law mandatory data retention can only apply to data already retained for some period for the CSP’s own business purposes.  However as the Home Office correctly stated in its response to the consultation on the Data Retention Code of Practice under DRIPA:
 “DRIPA and the preceding legislation provided for the retention of data that was generated or processed by a CSP as part of providing a service. There has never been a requirement for a CSP to retain data for business purposes before it can be retained further.”
Even so, currently a CSP cannot be required to create data that it does not already generate or process in the UK. That condition applies to the new category of 'relevant internet data' added by CTSA 2015 as well as to the original categories covered by DRIPA.

None of the reviews makes any specific recommendations in relation to compelled data generation. Anderson has recommended repeal of the ATCSA voluntary retention provision. (Recommendation 13).