Saturday, 31 December 2016

The Investigatory Powers Act - swan or turkey?

The Investigatory Powers Bill, now the newly minted Investigatory Powers Act, has probably undergone more scrutiny than any legislation in recent memory. Rarely, though, can the need for scrutiny have been so great.

Over 300 pages make up what then Prime Minister David Cameron described as the most important Bill of the last Parliament. When it comes into force the IP Act will replace much of RIPA (the Regulation of Investigatory Powers Act 2000), described by David Anderson Q.C.’s report A Question of Trust as ‘incomprehensible to all but a tiny band of initiates’. It will also supersede a batch of non-RIPA powers that had been exercised in secret over many years - some, so the Investigatory Powers Tribunal has found, on the basis of an insufficiently clear legal framework. 
None of this would have occurred but for the 2013 Snowden revelations of the scale of GCHQ’s use of bulk interception powers. Two years post-Snowden the government was still acknowledging previously unknown (except to those in the know) uses of opaque statutory powers. 
Three Reviews and several Parliamentary Committees later, it remains a matter of opinion whether the thousands of hours of labour that went into the Act have brought forth a swan or a turkey. If the lengthy incubation has produced a swan, it is one whose feathers are already looking distinctly ruffled following the CJEU judgment in Watson/Tele2, issued three weeks after Royal Assent. That decision will at a minimum require the data retention aspects of the Act to be substantially amended. 
So, swan or turkey?
Judicial approval
On the swan side warrants for interception and equipment interference, together with most types of power exercisable by notice, will be subject to prior approval by independent Judicial Commissioners. For some, doubts persist about the degree of the scrutiny that will be exercised. Nevertheless judicial approval is a significant improvement on current practice whereby the Secretary of State alone takes the decision to issue a warrant.
Codified powers
Also swan-like is the impressive 300 page codification of the numerous powers granted to law enforcement and intelligence agencies. A Part entitled ‘Bulk warrants’ is a welcome change from RIPA’s certificated warrants, which forced the reader to play hopscotch around a mosaic of convoluted provisions before the legislation would give up its secrets.
Granted, the IP Act also ties itself in a few impenetrable knots. Parts are built on shaky or even non-existent definitional foundations. But it would be churlish not to acknowledge the IP Act’s overall improvement over its predecessors. 
Parliamentary scrutiny
When we move to consider the Parliamentary scrutiny of bulk powers things become less elegant.
The pre-legislative Joint Committee acknowledged that the witnesses were giving evidence on the basis of incomplete information. In response to the Joint Committee’s recommendation the government produced an Operational Case for Bulk Powers alongside the Bill’s introduction into Parliament. That added a little light to that which A Question of Trust had previously shed on the use of bulk powers. 
But it was only with the publication of David Anderson’s Bulk Powers Review towards the end of the Parliamentary process that greater insight into the full range of ways in which bulk powers are used was provided from an uncontroversial source. (By way of example ‘selector’ - the most basic of bulk interception terms - appears 27 times in the Bulk Powers Review, five times in A Question of Trust and twice in the Operational Case, but not at all in either the Joint Parliamentary Scrutiny Committee Report or the Intelligence and Security Committee Report.)
By the time the Bulk Powers Review was published it was too late for the detailed information within it to fuel a useful Parliamentary debate on how any bulk powers within the Act should be framed. David Anderson touched on the timing when he declined to enter into a discussion of whether bulk powers might be trimmed:
“I have reflected on whether there might be scope for recommending the “trimming” of some of the bulk powers, for example by describing types of conduct that should never be authorised, or by seeking to limit the downstream use that may be made of collected material. But particularly at this late stage of the parliamentary process, I have not thought it appropriate to start down that path. Technology and terminology will inevitably change faster than the ability of legislators to keep up. The scheme of the Bill, which it is not my business to disrupt, is of broad future-proofed powers, detailed codes of practice and strong and vigorous safeguards. If the new law is to have any hope of accommodating the evolution of technology over the next 10 or 15 years, it needs to avoid the trap of an excessively prescriptive and technically-defined approach.”
In the event the legislation was flagged through on the Bulk Powers Review’s finding that the powers have a clear operational purpose and that the bulk interception power is of vital utility.
Fully equipped scrutiny at an early stage of the Parliamentary process could have resulted in more closely tailored bulk powers. As discussed below (“Vulnerability to legal challenge”) breadth of powers may come back to haunt the government in the courts.
Mandatory data retention
Views on expanded powers to compel communications data retention are highly polarised. But swan or turkey, data retention will become an issue in the courts. The CJEU judgment in Watson/Tele2, although about the existing DRIPA legislation, will require changes to the IP Act. How extensive those changes need to be will no doubt be controversial and may lead to new legal challenges. So, most likely, will the extension of mandatory data retention to include generation and obtaining of so-called internet connection records: site-level web browsing histories.  
Many would say that officially mandated lists of what we have been reading, be that paper books or websites, cross a red line. In human rights terms that could amount to failure to respect the essence of privacy and freedom of expression: a power that no amount of necessity, proportionality, oversight or safeguarding can legitimise.
Limits on powers v safeguards
The Act is underpinned by the assumption that breadth of powers can be counterbalanced by safeguards (independent prior approval, access restrictions, oversight) and soft limits on their exercise (necessity and proportionality). 
Those may provide protection against abuse. That is of little comfort if the objection is to a kind of intended use: for instance mining the communications data of millions in order to form suspicions, rather than starting with grounds for specific suspicion.
The broader and less specific the power, the more likely it is that some intended but unforeseen or unappreciated use of it will be authorised without prior public awareness and consent. That happened with S.94 of the Telecommunications Act 1984 and, arguably, with bulk interception under RIPA. Certainly, the coming together of the internet and mobile phones resulted in a shift in the intrusion and privacy balance embodied in the RIPA powers. This was facilitated by the deliberate future-proofing of RIPA powers to allow for technological change, an approach repeated (not to its benefit, I would argue) in the IP Act.
In A Question of Trust David Anderson speculated on a future Panopticon of high tech intrusive surveillance powers:
“Much of this is technically possible, or plausible. The impact of such powers on the innocent could be mitigated by the usual apparatus of safeguards, regulators and Codes of Practice. But a country constructed on such a basis would surely be intolerable to many of its inhabitants. A state that enjoyed all those powers would be truly totalitarian, even if the authorities had the best interests of its people at heart.”
He went on to say, in relation to controlling the exercise of powers by reference to fundamental rights principles of necessity and proportionality:
“Because those concepts as developed by the courts are adaptable, nuanced and context-specific, they are well adapted to balancing the competing imperatives of privacy and security. But for the same reasons, they can appear flexible, and capable of subjective application. As a means of imposing strict limits on state power (my second principle, above) they are less certain, and more contestable, than hard-edged rules of a more absolute nature would be.”
The IP Act abjures hard-edged rules. Instead it grants broad powers mitigated by safeguards and by the day to day application of soft limits: necessity and proportionality.
The philosophy of granting broad powers counterbalanced by safeguards and soft limits reflects a belief that, because the UK has a long tradition of respect for liberty, we can and should trust our authorities, suitably overseen, with powers that we would not wish to see in less scrupulous hands. 
Another view is that the mark of a society with a long tradition of respect for liberty is that it draws clear red lines. It does not grant overly broad or far-reaching powers to state authorities, however much we may believe we can trust them (and their supervisors) and however many safeguards against abuse we may install. 
Both approaches are rooted in a belief (however optimistic that may sometimes seem) that our society is founded on deeply embedded principles of liberty. Yet they lead to markedly different rhetoric and results.
Be that as it may, the IP Act grants broad general powers. Will the Act foster trust in the system that it sets up? 
The question of trust
David Anderson’s original Review was framed as “A Question of Trust”. Although we may believe a system to be operated by dedicated public servants of goodwill and integrity, nevertheless for the sceptic the answer to the question of trust posed by intrusive state powers is found in a version of the precautionary principle: the price of liberty is eternal vigilance.
Whoever may have coined that phrase, the slavery abolitionist Wendell Phillips in 1852 emphasised that it concerns the people at large as well as institutions:
“Eternal vigilance is the price of liberty; … Only by continued oversight can the democrat in office be prevented from hardening into a despot; only by unintermitted agitation can a people be sufficiently awake to principle not to let liberty be smothered in material prosperity.”
Even those less inclined to scepticism may think that a system of broad, general powers and soft limits merits a less generous presumption of trust than specifically limited, concretely defined powers. 
Either way a heavy burden is placed on oversight bodies to ensure openness and transparency. To quote A Question of Trust: “…trust depends on verification rather than reputation, …”. 
One specific point deserves highlighting: the effectiveness of the 5 year review provided for by the IP Act will depend upon sufficient information about the operation of the Act being available for evaluation.
Hidden legal interpretations
Transparency brings us to the question of hidden legal interpretations. The Act leaves it up to the new oversight body whether or not proactively to seek out and publish material legal interpretations on the basis of which powers are exercised or asserted
That this can be done is evident from the 2014 Report of Sir Mark Waller, the Intelligence Services Commissioner, in which he discusses whether there is a legal basis for thematic property interference warrants. That, however, is a beacon in the darkness. Several controversial legal interpretations were hidden until the aftermath of Snowden forced them into public light. 
David Anderson QC in his post-Act reflections has highlighted this as a “jury is out” point, emphasising that “the government must publicise (or the new Commission must prise out of it)” its internal interpretations of technical or controversial concepts in the new legislation. In A Question of Trust he had recommended that public authorities should consider how they could better inform Parliament and the public about how they interpret powers.
Realistically we cannot safely rely on government to do it. The Act includes a raft of new secrecy provisions behind which legal interpretations of matters such as who applies end to end encryption (the service provider or the user), the meaning of ‘internet communications service’, the dividing line between content and secondary data and other contentious points could remain hidden from public view. It will be interesting to see whether the future Investigatory Powers Commission will make a public commitment to implement the proposal.
Vulnerability to legal challenge
In the result the Act is long on safeguards but short on limits to powers. This structure looks increasingly likely to run into legal problems. 
Take the bulk interception warrant-issuing power. It encompasses a variety of differing techniques. They range from real-time application of 'strong selectors' at the point of interception (akin to multiple simultaneous targeted interception), through to pure ‘target discovery’: pattern analysis and anomaly detection designed to detect suspicious behaviour, perhaps in the future using machine learning and predictive analytics. Between the two ends of the spectrum are seeded analysis techniques, applied to current and historic bulk data, where the starting point for the investigation is an item of information associated with known or suspected wrongdoing.
The Act makes no differentiation between these different techniques. It is framed at an altogether higher level: necessity for general purposes (national security, alone or in conjunction with serious crime or UK economic well-being), proportionality and the like.
Statutory bulk powers could be differentiated and limited. For instance distinctions could be made between seeded and unseeded data mining. If pattern recognition and anomaly detection is valuable for detecting computerised cyber attacks, legislation could specify its use for that purpose and restrict others. Such limitations could prevent it being used for attempting to detect and predict suspicious behaviour in the general population, Minority Report-style. 
  
The lack of any such differentiation or limitation in relation to specific kinds of bulk technique renders the Act potentially vulnerable to future human rights challenges. Human rights courts are already suggesting that if bulk collection is not inherently repugnant, then at least the powers that enable it must be limited and differentiated.
Thus in Schrems the CJEU (echoing similar comments in Digital Rights Ireland at [57]) said:
“…legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage … without any differentiation, limitation or exception being made in the light of the objective pursued.” (emphasis added)
The same principles are elaborated in the CJEU’s recent Watson/Tele2 judgment, criticising mandatory bulk communication data retention:
“It is comprehensive in that it affects all persons using electronic communication services, even though those persons are not, even indirectly, in a situation that is liable to give rise to criminal proceedings. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious criminal offences. Further, it does not provide for any exception, and consequently it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy ….
106 Such legislation does not require there to be any relationship between the data which must be retained and a threat to public security. In particular, it is not restricted to retention in relation to (i) data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime …” (emphasis added)
The CJEU is also due to rule on the proposed agreement between the EU and Canada over sharing of Passenger Names Records (PNR data). The particular interest of the PNR case is that the techniques intended to be applied to bulk PNR data are similar to the kind of generalised target discovery techniques that could be applied to bulk data obtained under the IP Act powers. As described by Advocate General Mengozzi in his Opinion of 8 September 2016 this involves cross-checking PNR data with scenarios or profile types of persons at risk:
“… the actual interest of PNR schemes … is specifically to guarantee the bulk transfer of data that will allow the competent authorities to identify, with the assistance of automated processing and scenario tools or predetermined assessment criteria, individuals not known to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security and who are therefore liable to be subjected subsequently to more thorough individual checks.”
AG Mengozzi recommends that the Agreement must (among other things):
- set out clear and precise categories of data to be collected (and exclude sensitive data)
- include an exhaustive list of offences that would entitled the authorities to process PNR data
- in order to minimise ‘false positives’ generated by automated processing, contain principles and explicit rules:
  • concerning scenarios, predetermined assessment criteria and databases with which PNR would be compared, which must
  • to a large extent make it possible to arrive at results targeting individuals who might be under a reasonable suspicion of participating in terrorism or serious transnational crime, and which must
  • not be based on an individual’s racial or ethnic origin, his political opinions, his religion or philosophical beliefs, his membership of a trade union, his health or his sexual orientation.
As bulk powers come under greater scrutiny it seems likely that questions of limitation and differentiation of powers will come more strongly to the fore. The IP Act’s philosophy of broad powers counterbalanced with safeguards and soft limits may have produced legislation too generalised in scope and reach to pass muster.

Success in getting broad generally framed powers onto the statute book, though it may please the government in the short term, may be storing up future problems in the courts. One wonders whether, in a few years’ time, the government will come to regret not having fashioned a more specifically limited and differentiated set of powers.

[Amended 31 December 2016 to make clear that not all of RIPA is replaced.]

Saturday, 10 December 2016

Investigatory Powers Act 2016 Christmas Quiz

[Updated 1 January 2017 with answers below]

Now that the Investigatory Powers Bill has received Royal Assent, here is a Christmas quiz on the IPAct and its history. 

For some questions the answer is precise, others may be less so. For some the correct answer may be “we don’t know”.

Answers in the New Year.

Q.1 How many new powers does the IPAct introduce: (a) None (b) One (c) Six (d) More than six?

Q.2 Which secret (until revealed in 2015) internal government interpretation of RIPA was described in the House of Commons as ‘a very unorthodox statutory construction’?

Q.3 The subject line of an email is part of its content for interception purposes. True or false?

Q.4 In the IPAct, how is the ban on revealing the contents or existence of a technical capability notice enforced?

Q.5 Under the IPAct, a service provider who wished to challenge a data retention notice in court could not do so because that would break the ban on revealing the notice’s existence or contents. True or false?

Q.6 Under the IPAct a university could be made to install interception capabilities on its internal network. True or false?

Q.7. How is ‘internet communications service’ defined in the IPAct?

Q.8. Who was Amy?

Q.9. Under the IPAct, information intercepted in bulk in order to obtain overseas-related communications needs a specific warrant to be accessed for domestic reasons. True or false?

Q.10. Under the IPAct a university could be made to generate and retain site-level web browsing histories of its academic staff and students. True or false?

Q.11. Can more or fewer bodies access communications data under the IPAct than under RIPA?

Q.12. In 2015 how many people were wrongly accused, arrested or subjected to search warrants as a result of communications data acquisition errors?

Q.13. How much time elapsed between the Home Secretary telling Parliament that the IPBill would not include powers to force UK companies to capture and retain third party internet traffic and this being written into the Bill?

Q.14. In the IPAct, what is the significance of inferred meaning?

Q.15. KARMA POLICE was (and may or may not still be) a GCHQ database of web browsing records revealed by the Edward Snowden documents. According to those documents how much data did it contain, representing what period of time?

Q.16. Which agency has used bulk data to analyse patterns of behaviour from which potential hostile actors could be identified?

Q.17. How many times does ‘proportionate’ appear in the text of the IPAct?

Q.18. For how long before the government publicly acknowledged its use was Section 94 Telecommunications Act 1984 utilised to collect bulk communications data from public electronic communications network providers?

Q.19. Was the government’s use of Section 94 for collecting bulk communications data legal or illegal?

Q.20. How frequently has Section 94 been used for collecting bulk communications data?


ANSWERS


Q.1 How many new powers does the IPAct introduce: (a) None (b) One (c) Six (d) More than six?
According the government the Act introduces one new power: retention of internet connection records. Of the four possibilities (b) One is the only answer that cannot be correct.

Internet connection records are a type of communications data. Powers to mandate retention of some kinds of communications data have existed since 2009. On one view, therefore, ICR retention is not a new power but an extension of an existing power. On that basis the correct answer is (a) None.

If, however, a new power includes extension of an existing power then several other extensions should equally be brought into account: retention of non-ICR communications data to include datatypes beyond current powers; retention extended to include generating and obtaining for retention; extension of most powers to include private telecommunications operators; power for agencies to extract some kinds of content from communications and treat it as metadata; extension of power to issue technical capability notices from interception to most other substantive powers. With ICRs that makes a total of (c) Six. You could argue that a more granular breakdown of these extensions yields a total of (d) More than six.

The total is also (d) More than six if we include powers previously exercised on the basis of opaque statutory provisions, such as S.94 of the Telecommunications Act 1984, that gave no indication they might be exercised in this kind of way.

Q.2 Which secret (until revealed in 2015) internal government interpretation of RIPA was described in the House of Commons as ‘a very unorthodox statutory construction’?
The interpretation of "person" so as to enable targeted interception warrants to be issued in respect of groups of persons (so-called thematic warrants) instead of named individuals or specific premises.

The remark was made by Joanna Cherry QC MP in Commons Committee on 12 April 2016:

“The current Home Secretary has apparently derived the authority to do so from a broad definition given to the word “person” that is found elsewhere in RIPA, despite the unequivocal reference to “one person” in section 8(1) of RIPA. I suggest that what has gone on in the past is a very unorthodox statutory construction.”
The existence of thematic warrants and the statutory basis asserted for them was revealed by the Intelligence and Security Services Committee in its report of March 2015:
“The term ‘thematic warrant’ is not one defined in statute. However, the Home Secretary clarified that Section 81(1) of RIPA defines a person as “any organisation or any association or combination of persons”, thereby providing a statutory basis for thematic warrants.”

Q.3 The subject line of an email is part of its content for interception purposes. True or false?
True, under RIPA. Under the IP Act it is more complicated.

The subject line would normally fall within the IP Act’s new definition of ‘content’ (S.261(6)) as an “element of the communication… which reveals anything of what might reasonably be considered to be the meaning (if any) of the communication…”.

However for interception the Act allows so-called ‘secondary data’ to be extracted from the content of a communication and treated as communications data instead of content. Secondary data could include, for instance, the date and time of a meeting set out in the subject line of an e-mail. The Act includes similar provisions for equipment interference.

Q.4 In the IPAct, how is the ban on revealing the contents or existence of a technical capability notice enforced?
A trick question, this one. Most of the IP Act’s secrecy provisions are accompanied by an enforcement mechanism: a criminal offence or injunction. Curiously, however, no enforcement mechanism is prescribed for the S.255(8) prohibition in respect of technical capability notices.

Q.5 Under the IPAct, a service provider who wished to challenge a data retention notice in court could not do so because that would break the ban on revealing the notice’s existence or contents. True or false?
The IPAct does not provide any secrecy exception for this situation. However the non-disclosure duty is enforceable by the Secretary of State’s application to court for an injunction. It is unlikely (to say the least) that a court would allow an injunction application to be used to prevent access to the courts or to frustrate the court’s own proceedings.

The same point arose in Commons Committee debate on 3 May 2016 in relation to technical capability notices. That provision (now S.255(8) – see Q.4) is differently worded in that it expressly allows for the Secretary of State to give permission for disclosure. Keir Starmer QC MP sought reassurance that the provision could not be used to prevent access to the court:
“I have no doubt that, if the Secretary of State exercised her power under clause 218(8) to prevent access to the courts, it would run straight into an article 6 access to courts argument that would succeed on judicial review. I had assumed that one could read into the clause by implication that permission would not be refused in a bona fide and proper case where access to court—or the relevant tribunal, which may be a better way of putting it—was an issue. If that were made clear for the record or by some redrafting of the clause, it would help. As I said, I think that, in practice, any court in this jurisdiction would strike down pretty quickly a Secretary of State who sought to prevent access to the court.”
The Solicitor General responded:
“I think that the hon. and learned Gentleman is right about that. On that basis, I will have another look at clause 218(8), to get it absolutely right. I reassure him that it is not the Government’s intention to preclude access to the court.”
Q.6 Under the IPAct a university could be made to install interception capabilities on its internal network. True or false?
True. However the Act provides a three layer structure for technical capability notices: the statute, regulations made under the statute, then notices issued by the Secretary of State within the regulations. Regulations have yet to be published, but could specify a narrower class of service providers to whom technical capability notices could be issued.

Q.7. How is ‘internet communications service’ defined in the IPAct?
It isn’t. The term underpins two of the conditions that determine when a mandatorily retained internet connection record can be accessed. Footnote 46 in the draft Communications Data Code of Practice is the closest we approach to an indication of what it is intended to cover. The same omission featured in predecessor DRIPA regulations.

Q.8. Who was Amy?
Amy was a fictitious “quiet, impressionable 14 year old schoolgirl” who featured in a series of National Crime Agency infographics supporting the case for retaining communications data and internet connection records.

Q.9. Under the IPAct, information intercepted in bulk in order to obtain overseas-related communications needs a specific warrant to be accessed for domestic reasons. True or false?
False. Although a targeted examination warrant is required in order for content to be selected for examination by reference to someone known to be within the British Islands at the time of the selection, that does not apply to non-content ‘secondary data’ (which itself can include some data extracted from content – see Q.3).

Q.10. Under the IPAct a university could be made to generate and retain site-level web browsing histories of its academic staff and students. True or false?
True. A communications data retention notice can be issued against a public or a private telecommunications operator. A university operating its own network is a telecommunications operator. Communications data can include internet connection records, including site level browsing histories.

The draft Communications Data Code of Practice sets out factors that will be taken into account in deciding which operators in practice will receive notices.

Q.11. Can more or fewer bodies access communications data under the IPAct than under RIPA?
A like for like count is not easy, due to differences in nomenclature and organisation. The overall count appears to be more or less the same.

A cull of authorities entitled to acquire communications data under RIPA was carried out in February 2015, when 13 authorities had their powers removed. One of those removed, the Food Standards Agency, is reinstated under the IP Act together with its Scottish counterpart Food Standards Scotland. The Prudential Regulation Authority will no longer be able to acquire communications data under the IP Act.

A detailed comparison of existing and proposed powers (other than for the police and intelligence services) is contained in the government’s “Operational case for the use of communications data by public authorities” (July 2016).

Q.12. In 2015 how many people were wrongly accused, arrested or subjected to search warrants as a result of communications data acquisition errors?
Seventeen.

Q.13. How much time elapsed between the Home Secretary telling Parliament that the IPBill would not include powers to force UK companies to capture and retain third party internet traffic and this being written into the Bill?
11½ months (4 November 2015 to 19 October 2016).

Q.14. In the IPAct, what is the significance of inferred meaning?
The term does not appear in the statute itself. However the Draft Codes of Practice explain how this is an important concept in understanding the distinction between content and communications data.

Q.15. KARMA POLICE was (and may or may not still be) a GCHQ database of web browsing records revealed by the Edward Snowden documents. According to those documents how much data did it contain, representing what period of time?
17.8 billion rows, representing 3 months of data.

Q.16. Which agency has used bulk data to analyse patterns of behaviour from which potential hostile actors could be identified? 
MI6, according to example A11/2 annexed to the Bulk Powers Review.

Q.17. How many times does ‘proportionate’ appear in the text of the IPAct?
62 (compared with 48 in the draft Bill).

Q.18. For how long before the government publicly acknowledged its use was Section 94 Telecommunications Act 1984 utilised to collect bulk communications data from public electronic communications network providers?
About 12 years.

Q.19. Was the government’s use of Section 94 for collecting bulk communications data legal or illegal?
The Investigatory Powers Tribunal held that the use was within the scope of the S.94 power. However before November 2015 it infringed Article 8 of the European Convention on Human Rights because it was not foreseeable that S.94 would be used in that way and also through lack of an adequate system of oversight for most of that period.

Q.20. How frequently has Section 94 been used for collecting bulk communications data?
The Interception of Communications Commissioner’s July 2016 Review of Section 94 directions identified 15 extant bulk communications data directions under S.94. All those directions were for traffic data and required “regular feeds”.


Wednesday, 14 September 2016

Svensson and GS Media - Free to link or link at your risk?

This is a revised edition of my February 2014 post, which was published immediately after the CJEU's Svensson decision on copyright and linking.  This new version weaves in the 8 September 2016 judgment of the CJEU in GS Media (commentary on GS Media and other post-Svensson material is highlighted).

GS Media puts to rest any remaining illusions that Svensson legitimised linking to all freely available content. GS Media also introduces knowledge thresholds for linking liability, varying according to the commercial or non-commercial nature of the linking activity. (For a report of the GS Media decision see here.)

Summary

Svensson was issued on 13 February 2014. It established some important points about the legality of linking under EU copyright law:
  1. A clickable direct link to a copyright work made freely available on another website with the authority of the copyright holder does not infringe. (GS Media repeats this general principle at paragraph [40]).  
  2. It makes no difference if a user clicking on the link is given the impression that the work is present on the linking site. (Svensson [29] and [30], applied in Bestwater. The reasoned order in Bestwater has given rise to much confusion. In reality it does no more than confirm Svensson on this point.)
  3. The reasoning of Svensson suggests that a clickable link can infringe if the copyright holder has not itself authorised the work to be made freely available on the internet. (The UK Intellectual Property Office adopted this interpretation in its June 2014 Copyright Notice on Digital Images, Photographs and the Internet. GS Media has now confirmed ([41]) that Svensson did mean that a link could infringe if the rightholder had not consented to the work being made freely available on another website.  See discussion below, including as to whether 'another website' means only the website linked to or a website anywhere on the internet.)
  4. If the work is initially made available on the internet with restrictions so that only the site’s subscribers can access it, then a link that circumvents those restrictions will infringe (Svensson [31], GS Media [50]); and see further discussion below.
  5. A link can infringe where the work is no longer available on the site on which it was initially communicated, or where it was initially freely available and subsequently restricted, while being accessible on another site without the copyright holder’s authorisation. (Svensson [31]; no change in GS Media.)
It seemed to follow from the reasoning in Svensson, although the judgment did not address this factual situation, that a link to an infringing copy would not infringe if, and for so long as, a copy of the same work was freely available somewhere on the internet with the authority of the copyright holder. The reasoning in GS Media appears to keep this possibility open, albeit again this was not the factual situation before the court.  

In any event this reasoning would not exempt links to infringing copies of works that are not legitimately available on the internet at all (the factual situation in GS Media), or which have only been legitimately made available on the internet under restrictions.

In purely practical terms the Court in Svensson made a valiant attempt to balance the competing considerations of protecting rightsholders’ content without restricting reasonable user behaviour.  However commentators (see hereherehere and here - hat tip to these for some of the questions discussed below) very quickly suggested that the CJEU’s reasoning – giving a very wide meaning to an act of communication, then reining back the scope according to whether the link makes the work available to a ‘new public’ compared with that contemplated by the copyright holder – might store up trouble for the future.

GS Media is another pragmatic attempt to fix some of the problems that Svensson did indeed throw up.  However, it creates new uncertainties and the specifics of the solution that the CJEU has chosen will inevitably attract criticism.  Many people will be reinforced in their view that Svensson took a wrong turning and that linking should not amount to an act of communication at all (the position advocated by the European Copyright Society). Any liability for specific linking activities would then be left to secondary and accessory liability or unfair competition rather than trying to shoehorn such activities into the exclusive right of communication to the public.

Open questions

These are the questions that, in February 2014, I suggested that Svensson had left open for future decisions. Now with [commentary] on whether they remain open.
  1. "The Court draws a distinction between freely available content and, on the other hand, restricted content where a link circumvents the restrictions. Are those intended to be the only two possible categories, so that if a copyright work is not ‘restricted’ it is necessarily ‘freely available’? Or are they two ends of a spectrum, the middle of which has yet to be explored? What, for instance, would be the position if the copyright holder has authorised a licensee to make the content freely available on the internet, but the licensee makes it available only on a restricted basis?" [Not answered. This is a question about the meaning of 'freely available'. Although in GS Media it was argued before the Dutch referring court that one of the links circumvented a restriction, the CJEU judgment assumes that the linked-to unauthorised copy was freely available.]
  2. "Does ‘restricted’ refer only to technical restrictions (and how sophisticated?), or does it also encompass licence or contractual restrictions?" [Still an open question.]
  3. "The judgment refers only to clickable links.  What about other varieties of link, or analogous technologies? The logic of the judgment would seem to apply to inline links where, rather than awaiting the user’s click, the linked-to content is served up automatically to the user when the web page is requested." [Still an open question. Factually, GS Media concerned clickable website links.]
  4. "The judgment refers to links ‘to’ copyright works, affording ‘direct’ access to those works. Does the link have to be to the actual work itself in order to make it available, or does a link to a page containing the work suffice? So applying the Svensson reasoning a clickable link to the URL of a news page makes available the HTML text of that page. Does it also make available a photograph which loads automatically as part of the news page, but which is nevertheless a separate copyright work with its own URL capable of being separately linked to? What about a playable video within the page, or a PDF downloadable from that page? Each of those is a separate copyright work requiring a further click by the user to access it.  Might they be regarded as indirectly, rather than directly, accessible from a link to the news page containing them?" [GS Media glosses over this scenario (sometimes described as reference linking). The referring court framed its questions in terms of a hyperlink to "a [third party] website ... on which the work has been made available". That formulation is consistent with the facts recited by the CJEU at [10]: "By clicking on a hyperlink accompanying that text, users were directed to the Filefactory website, on which another hyperlink allowed them to download electronic files each containing one of those photos."  The nuance of two different hyperlinks was lost in the CJEU's reformulation of the question, referring to: "...the fact of posting, on a website, a hyperlink to protected works." The judgment goes on to refer in various places both to hyperlinks to a "work" and to a "website". Curiously (given the recited facts quoted above) it then states: "it is indisputed that GS Media ... provided the hyperlinks to the files containing the photos at issue, hosted on the Filefactory website..." (emphasis added).  The operative part of the judgment refers to "hyperlinks to protected works".  The distinction between direct and indirect links was not addressed in the judgment. From a freedom of expression perspective imposing liability for a link to a page on a website which may contain both infringing and non-infringing material has different consequences than for a link direct to a single infringing music or video file (although even that case may be nuanced since a single file can contain a mixture of infringing and non-infringing material).]  
  5. Does the reservation for subsequently removed or restricted works apply only to new links created after the initially freely available work was withdrawn or restricted, or do existing links to unauthorised copies automatically become infringing? [Not addressed]
  6.  What is the position where initially the work was lawfully made freely available on the internet under an exception to copyright, such as fair dealing? Is that different from when it was done with the authorisation of the copyright holder?  On the face of it the Svensson version of the 'new public' test would not of itself legitimise linking in the former situation. [Not addressed]
The CJEU's decisions only concern whether a link can amount to 'communication to the public' for the purposes of harmonised EU copyright law. They does not deal with other ways in which linking might infringe, for instance by authorising infringement or joint liability for someone else's infringement.  Nor do they say anything about non-copyright issues such as passing off or unfair competition.

Drilling down to the details

Authorising the initial internet communication

The most significant aspect of the Svensson judgment was, oddly, not mentioned in the operative part of the decision (in which the Court provides its definitive answer to the question posed by the referring national court). The operative part said:

“…the provision on a website of clickable links to works freely available on another website does not constitute an ‘act of communication to the public' … .”

Taken at its face, that could suggest that a link to any freely available work does not infringe, regardless of whether the copyright holder initially authorised the work to be made freely available on the internet. That would broadly legitimise most links. But if that is right it is difficult to understand the numerous references in the judgment to whether the copyright holders authorised the initial communication to the public on the internet, and the potential audience contemplated when they did so.  In my original February 2014 post I suggested that it was likely that the operative part should instead be understood to mean:

“…the provision on a website of clickable links to works freely available on another website, in circumstances where the copyright holder has authorised such works to be made freely available at [that]/ [an] internet location, does not constitute an ‘act of communication to the public' … .”

The alternatives ‘that’/‘an’ reflect the possible uncertainty about the effect of the judgment on links to unauthorised copies where the copyright holder has authorised the work to be freely available at some other location on the internet. 

GS Media confirms that the reasoning of Svensson, not the wording of the operative part, prevails:


"However, it follows from the reasoning of [Svensson and BestWater] that, by them, the Court intended to refer only to the posting of hyperlinks to works which have been made freely available on another website with the consent of the rightholder..." [41]
This and other passages in GS Media may still leave some room for debate over whether "another website" means only the website linked to or encompasses any website or other location on the internet.   

The curious case of the freelance journalist


The significance of the copyright holder’s authorisation of the initial internet communication is well illustrated by the facts of Svensson itself. According to the CJEU judgment the Swedish proceedings were between four journalists, Mr Svensson, Mr Sjögren, Ms Sahlman and Ms Gadd, who sued Retriever Sverige AB for compensation resulting from Retriever’s inclusion on its website of clickable links to press articles in which the journalists held the copyright.

The Court said:
[The journalists] wrote press articles that were published in the Göteborgs-Posten newspaper and on the Göteborgs-Posten website. Retriever Sverige operates a website that provides its clients, according to their needs, with lists of clickable Internet links to articles published by other websites. It is common ground between the parties that those articles were freely accessible on the Göteborgs-Posten newspaper site. …”
The journalists claimed that by linking to the articles on the newspaper website Retriever was making their articles available to its clients without their consent. When the CJEU discussed ‘new public’ it said:

“a communication, such as that at issue in the [Swedish] proceedings, concerning the same works as those covered by the initial communication and made, as in the case of the initial communication, on the Internet, and therefore by the same technical means, must also be directed at a new public, that is to say, at a public that was not taken into account by the copyright holders when they authorised the initial communication to the public ….
… it must be held that, where all the users of another site to whom the works at issue have been communicated by means of a clickable link could access those works directly on the site on which they were initially communicated, without the involvement of the manager of that other site, the users of the site managed by the latter must be deemed to be potential recipients of the initial communication and, therefore, as being part of the public taken into account by the copyright holders when they authorised the initial communication.
Therefore, since there is no new public, the authorisation of the copyright holders is not required for a communication to the public such as that in the main proceedings.” (emphasis added)
The assumption of the Court in coming to this conclusion on the facts appears to have been that the four copyright holder journalists all authorised the newspaper to make the articles freely available on the newspaper website - the site on which the initial communication on the internet was made and to which Retriever linked.  

But what if the journalists had authorised publication only in the print newspaper and not on the newspaper website? It then seems inescapable that since the initial communication on the internet would not have been authorised by the journalists, a public link to the newspaper website article would be caught, even though the article was freely available on the newspaper website and not subject to any restriction.

Curiously, that scenario may have had some relevance to the Svensson case itself. In his judgment in Paramount Home Entertainment v BSkyB, Mr Justice Arnold summarised the facts of Svensson based on English translations of the Swedish judgments provided by Paramount. He said this:

“14.The claimants were four journalists who between them had written 13 articles published by the Göteborgs-Posten newspaper. Three of the journalists were employed by the newspaper, while one was freelance. All of the articles had all been published not only in print, but also online on the newspaper's website. In the case of one of the articles, which was written by the freelance author, the online publication by the newspaper was not licensed by the author.” (emphasis added)

If that is right, then for one of the 13 articles the copyright holding journalist who wrote it did not authorise initial communication to the public on the internet. For that article (assuming that the journalist had not authorised freely available publication elsewhere on the internet) the CJEU’s conclusion that the link did not amount to a communication to a new public would have been thrown into doubt.

 

Does Svensson pass the 'reasonable internet user' test?


Whatever the precise facts of Svensson may have been, this example illustrated a fundamental difficulty with the CJEU's judgment, assuming that the 'authorisation of initial communication' reading was correct (as GS Media has now confirmed). Ordinary internet users would be put in the position of publicly linking at their risk to any freely available content on the internet, however reputable the site may be, because they could not be certain and would have no practicable way of finding out whether the site owned copyright in its material, or had properly licensed it in, or whether a third party copyright owner had authorised the same material to be made freely available elsewhere on the internet.

Thanks to the long reach of digital copyright (which Svensson's interpretation of 'making available' arguably extended even further) primary copyright infringement impinges directly on end users.
End users are in no position to clear rights before, for instance, posting links to public discussion forums or on social media platforms. We make decisions to send public tweets, including links, in a matter of seconds.  If we are retweeting, we may not even visit the location to which the original tweet links.  If we are expected to embark on some investigation to satisfy ourselves that our link won’t infringe, for instance because someone’s unlicensed copyright might be lurking behind a reputable site – worse still if there is no practicable investigation that we can make - then we have a regime that risks chilling freedom of expression. 

It is no answer to suggest that if the links are harmless no-one will ever complain.  That would repeat the UK format-shifting episode, where the gap between copyright principle and reality has been so great as to bring copyright into disrepute.  Nor is it an answer to say that you don’t have to tweet links.  That is exactly the kind of chilling effect that copyright law should avoid.

Of course copyright law does contain some built-in freedom of expression accommodation.  Many linking tweets may find refuge in, say, the UK fair dealing exceptions for criticism, review and news reporting (although a passing comment at [53] of GS Media would seem to preclude this).  However these contain their own technicalities and limitations. For instance the UK news reporting exception does not apply to photographs. And the exceptions vary from one country to another, even within the EU. That is problematic for a user given the inherently cross-border nature of the internet. Is a tweeter expected to consider which countries her tweet may be thought to be targeting before tweeting a link?


At least in the UK, civil liability for primary copyright infringement is strict. You can infringe by accident, in situations where you are blameless. It is no excuse that you did everything you could to avoid infringement, or that you had no reason to think you were infringing. GS Media has introduced knowledge thresholds based on a distinction between ordinary and commercial internet use. But in doing so it will have infuriated copyright purists for whom primary infringement of exclusive rights should always be a matter of strict liability. The distinction between non-commercial and commercial use may also create its own problems, not least of identifying what is and is not a linking activity pursued for financial gain. Would it cover a blog that takes advertising? Does the commerciality have to be closely tied to the particular link in question? 

The introduction by GS Media of knowledge thresholds represents a pragmatic attempt to address the obvious problems that Svensson represented for ordinary end-users. The CJEU specifically acknowledges these:

"it may be difficult, in particular for individuals who wish to post such links, to ascertain whether website to which those links are expected to lead, provides access to works which are protected and, if necessary, whether the copyright holders of those works have consented to their posting on the internet. Such ascertaining is all the more difficult where those rights have been the subject of sub-licenses." [46]
However, is the threshold for non-commercial linkers as helpful as it seems?   The test in the operative part of the judgment is whether the user "did not know or could not reasonably have known the illegal nature of the publication of [the linked-to] works on that other website." The use of the negative might suggest that the burden is on the user to prove that it does not satisfy the knowledge test. Contrariwise, at [14] the CJEU referred to the situation where it is "established that the user knew or ought to have known...". That would be closer to secondary copyright infringement in the UK, where a claimant has to prove that the defendant knew or had reason to believe that e.g. the copy was infringing.   
More fundamentally, what contextual facts is the user taken to be aware of in assessing whether s/he could not reasonably have known of the illegal nature of the linked-to work? The judgment at [49] gives the example of where the user has been notified by the copyright holder. That instance apart, is the user assumed to have visited the website before making a link? (How many people check the links in a tweet that they are retweeting?) If so, how much of the website is the user taken to have visited? Does the assumption vary depending on whether website is well known to be reputable or, on the contrary, notorious? What about the vast population of websites that are neither?

The greater the knowledge of surrounding factual circumstances that is imputed to the user, the nearer the regime would move towards placing a diligence obligation on the ordinary user. But that would undermine the contrast that the CJEU drew with commercial users, discussed below.

A good test when evaluating copyright judgments that directly affect the general public, especially internet users, is this: 
  1. Can I explain to a user with confidence exactly what rules s/he has to follow?
  2. Will a reasonable internet user think those rules are sensible?
  3. In any given situation can the user readily ascertain whether what s/he wants to do will infringe?
Svensson just about passed the first question, probably fails the second and certainly fails the third.

GS Media improves the position of non-commercial users on the second and third questions, but does not necessarily convert a fail into a pass. It certainly does not do so for commercial users.

Commercial internet users


In my original February 2014 post I said: "Strict liability has always been the case in the UK for primary infringement (reproduction, communication to the public and some other types of restricted act).  It is a hangover from the hard copy days when copyright was almost entirely a commercial matter and hardly impinged on end users. It was reasonable to expect commercial publishers and broadcasters to clear rights first. Even then dealers, such as commercial distributors, were subject only to secondary infringement: they did not infringe copyright unless they had reason to believe they were handling an infringing copy."
It is instructive to compare that with paragraph [51] of GS Media:

"Furthermore, when the posting of hyperlinks is carried out for profit, it can be expected that the person who posted such a link carries out the necessary checks to ensure that the work concerned is not illegally published on the website to which those hyperlinks lead..."
There is, however, no comparison between the commercial publisher or broadcaster of yesteryear, who may have had months in which to clear the rights for a TV programme, book or music production, and a commercial internet actor who may have minutes or at best hours in which to decide whether to include a link on its website.  That is even without revisiting the fundamental question of whether a link is akin to including material in a book, for which clearance might have been required, or referencing it in a footnote for which it would not. 
GS Media has now laid down that where links are provided for "the pursuit of financial gain" there is a rebuttable presumption that the posting has occurred with "the full knowledge of the protected nature of that work and the possible lack of consent to publication on the internet by the copyright holder".  Commercial actors and their legal advisers will be giving close consideration to what constitutes posting of links for pursuit of financial gain and to how the presumption of full knowledge might be rebutted. 

From a broader perspective, a diligence duty runs the risk that rather than go though whatever hoops are required to satisfy the diligence standard, commercial actors will simply refrain from creating links. That brings us neatly to the relevance of fundamental rights and the question whether the GS Media judgment may result in a classic chilling of freedom of expression. 

Whatever happened to Article 10?

One of the more startling aspects of Svensson was the omission of any reference to the impact on the fundamental right of freedom of expression. Notwithstanding that it adopted an interpretation of ‘making available’ of such breadth that it must engage Article 10 ECHR/Article 11 EU Charter, the CJEU conducted no proportionality assessment. In fact there was no mention of Article 10/11 at all in Svensson; this after SABAM v Scarlet and Donald Ashby, in which the CJEU and European Court of Human Rights respectively held that copyright has to be balanced against other fundamental rights.

GS Media remedies the omission to some extent:

"44 GS Media, the German, Portuguese and Slovak Governments and the European Commission claim, however, that the fact of automatically categorising all posting of such links to works published on other websites as ‘communication to the public’, since the copyright holders of those works have not consented to that publication on the internet, would have highly restrictive consequences for freedom of expression and of information and would not be consistent with the right balance which Directive 2001/29 seeks to establish between that freedom and the public interest on the one hand, and the interests of copyright holders in an effective protection of their intellectual property, on the other.
45 In that regard, it should be noted that the internet is in fact of particular importance to freedom of expression and of information, safeguarded by Article 11 of the Charter, and that hyperlinks contribute to its sound operation as well as to the exchange of opinions and information in that network characterised by the availability of immense amounts of information."

However GS Media's balancing of the different fundamental rights involved appears to go no further than the introduction the knowledge qualification for non-commercial makers of links. There is no attempt to balance any chilling effect on the impartation of speech by commercial actors, nor the resulting interference with the freedom of ordinary internet users to receive information from commercial actors through hyperlinks. 

What could the CJEU have done differently?


The CJEU could have avoided these problems had it adopted a narrower view of “making available” at the outset in Svensson. It could have restricted it to material intervention in the actual or putative transmission, so that but for the intervention no transmission would take place.  This was the position advocated by the European Copyright Society.  Questions of liability for linking could then have been left to secondary and accessory liability and perhaps to unfair competition.

Wednesday, 7 September 2016

A trim for bulk powers?

David Anderson Q.C.’s Bulk Powers Review made only one formal recommendation (a Technical Advisory Panel to assist the proposed Investigatory Powers Commission).

However the report drops a tantalising hint of the debate that might have taken place if the Review had been commissioned before the Bill started its passage through Parliament instead of almost at the end.

At [9.17] Anderson says:

“I have reflected on whether there might be scope for recommending the “trimming” of some of the bulk powers, for example by describing types of conduct that should never be authorised, or by seeking to limit the downstream use that may be made of collected material. 
But particularly at this late stage of the parliamentary process, I have not thought it appropriate to start down that path.  Technology and terminology will inevitably change faster than the ability of legislators to keep up.  The scheme of the Bill, which it is not my business to disrupt, is of broad future-proofed powers, detailed codes of practice and strong and vigorous safeguards.  If the new law is to have any hope of accommodating the evolution of technology over the next 10 or 15 years, it needs to avoid the trap of an excessively prescriptive and technically-defined approach.”
Let us put aside whether it is sensible or appropriate to try to future-proof powers – my view is that to do so repeats the error of RIPA – and then put aside the debate about whether bulk powers should exist at all. How might one go about a task of trimming bulk powers? What types of conduct might be candidates for never being authorised? What sort of limits on downstream use might be desirable and feasible?

The Report illustrates, perhaps more clearly than before, the very wide range of techniques that are brought to bear on bulk data (whether sourced from interception, equipment interference, bulk communications data acquisition or Bulk Personal Datasets). They range from real-time application of 'strong selectors' at the point of interception (akin to multiple simultaneous targeted interception), through to generalised pattern analysis and anomaly detection (utilised by MI6 on Bulk Personal Datasets in Case Study A11/2) designed to detect suspicious behaviour, perhaps in the future using machine learning and predictive analytics.

Pattern analysis is similar to data mining techniques described in A Question of Trust (AQOT):
"14.43. It is sometimes assumed that GCHQ employs automated data mining algorithms to detect target behaviour, as is often proposed in academic literature. That, it would say, is realistic for tasks such as financial fraud detection, but not for intelligence analysis."
AQOT included possible future developments of such techniques as one of several examples of capabilities that, at least cumulatively, would go beyond Bentham's Panopticon:

"13.19(d) A constant feed of data from vehicles, domestic appliances and healthmonitoring personal devices would enable the Government to identify suspicious (or life-threatening) patterns of behaviour, and take pre-emptive action to warn of risks and protect against them."
AQOT commented on those examples:

"13.20 Much of this is technically possible, or plausible. The impact of such powers on the innocent could be mitigated by the usual apparatus of safeguards, regulators and Codes of Practice. But a country constructed on such a basis would surely be intolerable to many of its inhabitants. A state that enjoyed all those powers would be truly totalitarian, even if the authorities had the best interests of its people at heart.
13.21. There would be practical risks: not least, maintaining the security of such vast quantities of data. But the crucial objection is that of principle. Such a society would have gone beyond Bentham’s Panopticon…"
Between the two ends of the spectrum are seeded analysis techniques, applied to current and historic bulk data. AQOT again:

"Much of [GCHQ's] work involves analysis based on a fragment of information which forms the crucial lead, or seed, for further work. GCHQ’s tradecraft lies in the application of lead-specific analysis to bring together potentially relevant data from diverse data stores in order to prove or disprove a theory or hypothesis. As illustrated by the case study on GCHQ’s website, significant analysis of data may be required before any actual name can be identified. This tradecraft requires very high volumes of queries to be run against communications data as results are dynamically tested, refined and further refined. GCHQ runs several thousand such communications data queries every day. One of the benefits of this targeted approach to data mining is that individuals who are innocent or peripheral to an investigation are never looked at, minimising the need for intrusion into their communications."
A similar explanation of seeded analysis of bulk data was given by Lord Evans in evidence to the Commons Public Bill Committee 24 March 2016. 

A "strong selectors" technique whereby the full catch from a transmission is stored for only a few seconds for processing before being discarded may rate relatively low on the Orwell scale.  Seeded analysis rates fairly high, since it relies on bulk data (albeit filtered to some degree) being stored for later querying. Unseeded pattern analysis and anomaly detection is off the scale.  It is closest to the characterisation by M. Delmas-Marty, a French lawyer quoted in the Review report: "Instead of starting from the target to find the data, one starts with the data to find the target."  
As it stands the Bill's bulk powers regime would empower all these techniques with no distinction between them, leaving it to the judgement of the Secretary of State, the Judicial Commissioners and after the event oversight to regulate and possibly limit their use under principles of necessity and proportionality.

An informed debate about trimming bulk powers could entail discussion of whether unseeded pattern analysis and anomaly detection should be permitted, and if so whether only for very specific and limited purposes.  It could also look at whether specific rules should govern seeded analysis.  It might also consider whether individual sets of "strong selectors" should require separate warrants, by analogy with non-thematic targeted interception warrants. Regrettably, in part due to the late stage at which the Bulk Powers Review has taken place, very little such nuanced debate has taken place.
Trim in the Bill, not Codes of Practice
Limitations on the scope of powers belong in the Bill and should not be left to Codes of Practice.

Although the government often states that the Codes of Practice 'have statutory force' (see e.g. Letter from Lord Keen to Lord Rooker, 8 July 2016, they do not have the same force as a statute. Their status and effect are limited to that set out in Schedule 7 para 6 (which possibly confers on Codes of Practice a weaker general interpretative role than does RIPA s.72).
Trimming approaches
Different kinds of analytical techniques apart, possible approaches to trimming bulk powers can be considered by reference to different facets of the powers.  I give some illustrative examples below, not necessarily to advocate them but more as an aid to understanding.
A.    Purposes
The Bill as currently drafted applies three cumulative sets of purposes to the interception and equipment interference bulk powers:
1.       The statutory purposes (national security etc).  Some have called for national security to be defined.
2.      Operational purposes. A new government amendment in response to a suggestion from the Intelligence and Security Committee provides that a list of purposes approved by the Secretary of State must be maintained by the heads of the intelligence services. The Secretary of State must be satisfied that an operational purpose to be included in the list is specified in a greater level of detail than the statutory purposes.
3.      Overseas-related purpose. The Bulk Powers Operational Case places considerable weight on the fact that the bulk interception and equipment interference powers are overseas-related.  Thus BI is described at 7.1 as a 'capability designed to obtain foreign-focused intelligence'. Similarly BEI is described at 8.2 as 'foreign-focused'. However:
a.      Obtaining 'overseas-related' data need only be the main, not the sole, purpose of the warrant.
b.      Overseas-related communications include those in which the individual overseas is communicating with someone (or something) in the UK.
c.       The 'overseas-related' limitation on purpose is exhausted once the information has been acquired by means of the bulk interception or interference (see the comments on RIPA S.16 in the Liberty IPT case, para 101 et seq. The Bill is structured in a similar way.)
d.     As the Operational Case acknowledges, non-overseas-related communications and information (and associated secondary data and equipment data) may be incidentally acquired. While the Operational Case attempts to downplay the significance of this, it provides no evidence on which to conclude that collateral acquisition may not be on a substantial scale.
e.      There is no obligation to discard, or attempt to discard, or discard upon gaining awareness of its presence, non-overseas-related material acquired in this way.
f.        The need to obtain a targeted examination warrant in relation to persons within the British Islands applies only to content, not to secondary data or equipment data.
g.      Secondary data and equipment data will under the Bill include some material extracted from content that under RIPA would be regarded as content. The expanded categories appear to go wider than what might intuitively be thought of as communications data (see Section F below).
h.      The purposes for which the Operational Case contemplates that secondary data and equipment data may be analysed go far beyond the limited purpose of ascertaining the location of a person ventilated in the Liberty IPT case (see Section G below).
Some possible approaches to trimming:
(1)   Limit the downstream use that can be made of collected material (whether content or secondary data/equipment data) to match the overseas-related main purpose for which it can be collected.
(2)  An obligation to seek out and remove, or remove upon gaining awareness of its presence, non-overseas-related material.
(3)  Raise the location threshold, so that a British Islands resident does not automatically lose content protection merely by venturing half-way across the English Channel (cf Keir Starmer, Commons Committee, 12 April 2016 at col. 116)].

B.    Types of data and communication
With one exception the bulk powers in the Bill make no distinction between types of communication. They range from human to human messaging of various types through to automated communications and single-user activities such as browsing websites.
The one exception arises from the definition of overseas-related communications, applicable to interception and equipment interference bulk powers: communications sent by or received by individuals who are outside the British Islands. 
This would include an e-mail sent by an individual within the British Islands to an individual outside the British Islands and vice versa. It would exclude a search request sent by an individual within the British Islands to an overseas server (since there is a server, not an individual, at the other end). But it would include a search request sent by an individual outside the British Islands to a UK server.
The significance of this exclusion is, however, reduced by the ‘by-catch’ provisions.  Unless the agencies are able to filter out excluded material at the point of collection then, as with RIPA, it is collectable as a necessary incident and falls into the general pool of selectable data.
The Bill contains no indication of when a communication is to be regarded as sent by or received by an individual. An e-mail or text message addressed to an individual clearly is so. What about an e-mail addressed to, or sent by, a corporate account? What about machine-generated e-mails? When is a communication generated by or sent to an individual’s device without the knowledge of the individual to be regarded as sent or received by the individual? Background smartphone communications are an obvious example. What if a car, without the owner/driver/passenger’s knowledge, automatically generates and sends an e-mail requesting a service or an emergency message, including associated location data?
Some possible approaches to trimming:
(1)   Limit the extent to which background and machine generated communications may be regarded as sent or received by an individual.
(2)  An obligation as in B(2) above to remove non-overseas-related material would imply an obligation to remove kinds of overseas communication not sent or received by an individual.
(3)  Should powers apply to all types of communication, or only human to human messaging?
C.    Types of conduct authorised
Some possible approaches to trimming:
(1)   Limit scope by reference to concrete types of conduct that can (or specifically cannot) be authorised. The Centre for Democracy and Technology submission to draft Bill Joint Committee at [42], repeated in CDT evidence to the Public Bill Committee at [20] to [25], suggested this kind of approach for equipment interference warrants in relation to the possibility of mandating encryption back doors.
D.   Use of incidentally collected data
As discussed in my evidence to the Joint Committee ([117]to [137]) and above in relation to overseas-related communications there is a fundamental issue concerning the extent to which domestic content and secondary data collected as a by-product of the overseas-related bulk powers can be used in non-overseas-related ways.
Some possible approaches to trimming:
(1)   As above (B(1)).

E.    Extent of secondary data and equipment data
The Bill embodies a significant shift (compared with RIPA) towards classifying various types of content as secondary data or equipment data (see my blog post).  The Bill appears to go further than extracting communications traffic data (e-mail addresses and the like) from the body of a communication such as an e-mail. It appears to include the ‘who where and when’ not just of communications, but of people’s real world activities per se. 
Some possible approaches to trimming:
(1)   Limit extracted metadata to true communications data (i.e. data about communications).
F.     Types of use of bulk secondary, equipment and communications data
Various uses of bulk metadata have been ventilated. The Bulk Powers Review contains numerous examples. They types of use can differ significantly from each other. For instance:
-         To determine whether the sender or recipient of a communication is within or outside the British Islands (the very limited purpose advanced by the government in the Liberty IPT case – see my evidence to the Joint Committee at [128] to [130])
-         To have visibility of a full historic record so that authorities can go back and find out after the event about a malefactor’s communications and online activities
-         Seeded analysis to find a target’s associates or more about a target’s identity (as discussed above)
-         Target discovery based on patterns of behaviour, as discussed above (see also Operational Case [3.3] and [3.6]).
These various uses have different implications for the rationale for collecting data in bulk. At one end of the spectrum bulk collection is seen as a necessary evil, required only because for technical reasons (e.g. fragmentation of packets or presence of the target in other countries) target communications cannot be separated at point of collection from the rest. That may hold out the prospect that as technology improves it becomes possible to carry out more targeted bulk collection, particularly as real time capabilities increase. 
At the other end of the spectrum (pattern detection and predictive analysis) bulk collection is can become more of an end in itself: amassing data so as to provide the most accurate ‘normal’ baseline against which ‘suspicious’ behaviour patterns can be detected. This appears to carry no prospect of reducing the quantity of metadata collected – probably the opposite.
The Bill is almost completely devoid of concrete limitations on, or distinctions between, the types of use that can be made of bulk metadata. The limits are the statutory purposes, operational purposes and necessity and proportionality. The Bulk Powers Review proposes a Technical Advisory Panel to assist the Investigatory Powers Commission in keeping technological developments under review.
Some possible approaches to trimming:
Limitations on use could be based on e.g.
(1)   the justification provided to the IPT in Liberty;
(2)  specific seeded analysis versus more generalised pattern detection
(3)  limitations on numbers of hops when following possible associations (Twitter followers, Facebook friends etc)
(4)  applying the non-British Islands examination restriction to metadata searches (note Operational Case paras 5.14 to 5.19).
G.    Types and location of conduct authorised by warrants
The bulk warrantry system seems to allow for three possibilities:
(1)   Unilateral conduct by the intercepting or equipment interfering agency without the knowledge or assistance of the CSP
(2)  Assisted conduct under a warrant supported by a technical capability notice
(3)  Assisted conduct under a warrant without the support of a technical capability notice
The Bill does not specify any specific circumstances in which these different approaches are or are not appropriate (other than technical capability notices for equipment interference limited under Clause 228(10)/(11) to UK CSPs). Nor are the different approaches addressed in the Operational Case. Similarly AQOT:
"Implementing a s8(1) warrant generally relies on the cooperation of service providers, acting typically in response to a direction from the Government under RIPA s12. A copy of the intercepted communication is passed by the companies to the intercepting agencies who examine it using their own staff and facilities. External communications may be obtained under a s8(4) warrant either directly by GCHQ, using its own capabilities, or through a service provider." (emphasis added)
Some possible approaches to trimming:
(1)   Limitations (perhaps territorial) on unilateral conduct under bulk warrants.
(2)  Special thresholds for the use of (say) bulk equipment interference warrants.
(3)  Limits on what a technical capability notice can require.

H.   Intermediate stages
Bulk interception and use of its product may take place in several stages, such as: collection, culling (discard of unwanted types of data), filtering (use of positive selectors), storage for subsequent querying by analysts.  Whether these techniques are typically applied to secondary data to the same extent as to content is unclear.
The Bill says nothing detailed about the culling and filtering stages, other than restrictions by reference to someone's location within the British Islands on selection of content for examination.
Some possible approaches to trimming:
(1)   Specific obligation to apply data minimisation techniques at intermediate stages, applicable to both content and metadata
(2)  Specific provisions controlling culling and selector types (for instance requiring individual warrants for "strong selectors")
I.      Real time versus periodic
Is the bulk communications data acquisition power meant to be one that should be exercised occasionally when specific circumstances justify it, or can it be exercised routinely? If the latter, could it be used as a near-real time or quasi-real time feed?

A one-off data dump in exceptional circumstances is a rather different animal from a near real-time tool. In this context the recent IOCCO report speaks of ‘regular feeds’ acquired under S.94 Communications Act 1984.   The Bill appears to cover both possibilities.
Some possible approaches to trimming:
(1)   Specially justified occasions versus frequent routine feeds.

J.     Interaction with communications data retention
The bulk communications data acquisition power is closely linked to the communications data retention power.  The more broadly the data retention power is exercised, the greater the range of datatypes that will be available to be acquired in bulk.
It is significant in this context to recall that the data retention power (a) goes far wider than the internet connection records that the government has so far discussed and budgeted for in its Impact Assessment; and (b) unlike DRIPA, can be used to require relevant communications data to be generated or obtained, not merely retained. 
Some possible approaches to trimming:
(1)   Limit bulk acquisition power to concretely specified types of communications data; and/or
(2)  Require specified public consultation and procedures if any extension of compelled retention or acquisition is contemplated.
K.    Types of operator
The Bill significantly extends the classes of operator to which the various powers can be applied.  The table below compares the powers in current legislation (mainly RIPA, but bearing in mind the extension effected by DRIPA) with those in the Bill.

Compliance and assistance obligations expressly applicable to private operators are highlighted in green.  "Telecommunications operator" under the Bill definition at Clause 233(10) includes private networks (and 'service' is not restricted to a commercial service).  

The draft Codes of Practice suggest that most powers would be exercised more sparingly.



Power

Current

IPBill

Data retention notice

Public telecommunications operator (DRIPA)

Telecommunications operator (89(1))

Communications data acquisition notice

Provider of a telecommunications service  (RIPA)

Telecommunications operator (62)

Interception warrant

(1) Public telecommunications service (2) telecommunication system wholly or partly within UK (RIPA)

Telecommunications operator (41, 139(5))

Interception capability notice

Public telecommunications services (RIPA) > 10,000 persons in UK) (regulations)

Relevant operator (includes telecommunications operator) (226(1)/228(9))

Other technical capability notices

None

Relevant operator (includes telecommunications operator) (226(1)/228(9)); (some UK enforceable only)(228(10)/(11))

Equipment interference warrant

? (ISA 1994)

Telecommunications operator (120, 167); UK enforceable only (120(7), 175(5))

Bulk communications data acquisition warrant

Public electronic communications network providers (TA 1984)

Telecommunications operator (157); (UK enforceable only) (157(5))

National security notice

Public electronic communications network providers (TA 1984)

UK telecommunications operator (225(1), 228(9) and (10)).

 
Some possible approaches to trimming:


(1)   Stricter definitions of the kind of operators that can be subjected to duties to assist or comply, or in what circumstances. 


L.    Technical capability notices
The power to give technical capability notices is open-ended, not limited to the list of examples given in Clause 226(5). 


Some possible approaches to trimming:


(1)   Convert powers to make regulations and give technical capability notices from illustrations into a clearly specified list that limits the exercise of the powers.