
Tuesday, 30 October 2018

What will be in Investigatory Powers Act Version 1.2?


Never trust version 1.0 of any software. Wait until the bugs have been ironed out, only then open your wallet.

The same is becoming true of the UK’s surveillance legislation.  No sooner was the ink dry on the Investigatory Powers Act 2016 (IP Act) than the first bugs, located in the communications data retention module, were exposed by the EU Court of Justice (CJEU)’s judgment in Tele2/Watson.

After considerable delay in issuing required fixes, Version 1.1 is currently making its way through Parliament. The pending amendments to the Act make two main changes. They restrict to serious crime the crime-related purposes for which the authorities may demand access to mandatorily retained data, and they introduce prior independent authorisation for non-national security demands.

It remains uncertain whether more changes to the data retention regime will be required in order to comply with the Tele2/Watson judgment.  That should become clearer after the outcome of Liberty’s appeal to the Court of Appeal in its judicial review of the Act and various pending references to the CJEU.

Meanwhile the recent Strasbourg judgment in Big Brother Watch v UK (yet to be made final, pending possible referral to the Grand Chamber) has exposed a separate set of flaws in the IP Act’s predecessor legislation, the Regulation of Investigatory Powers Act 2000 (RIPA). These were in the bulk interception and communications data acquisition modules. To the extent that the flaws have been carried through into the new legislation, fixing them may require the IP Act to be patched with a new Version 1.2.

The BBW judgment does not read directly on to the IP Act. The new legislation is much more detailed than RIPA and introduces the significant improvement that warrants have to be approved by an independent Judicial Commissioner.  Nevertheless, the BBW judgment contains significant implications for the IP Act. 

The Court found that three specific aspects of RIPA violated the European Convention on Human Rights:
  • Lack of robust end to end oversight of bulk interception acquisition, selection and searching processes
  • Lack of controls on use of communications data acquired from bulk interception
  • Insufficient safeguards on access to journalistically privileged material, under both the bulk interception regime and the ordinary communications data acquisition regime

End to end oversight

The bulk interception process starts with selection of the bearers (cables or channels within cables) that will be tapped.  It culminates in various data stores that can be queried by analysts or used as raw material for computer analytics. In between are automated processes for filtering, selecting and analysing the material acquired from the bearers. Some of these processes operate in real time or near real time, others are applied to stored material and take longer. Computerised processes will evolve as available technology develops.

The Court was concerned about lack of robust oversight under RIPA throughout all the stages, but especially selection and search criteria used for filtering. Post factum audit by the Interception of Communications Commissioner was judged insufficient.

For its understanding of the processes the Court relied upon a combination of sources: the Interception Code of Practice under RIPA, the Intelligence and Security Committee Report of March 2015, the Investigatory Powers Tribunal judgment of 5 December 2014 in proceedings brought by Liberty and others, and the Government’s submissions in the Strasbourg proceedings. The Court described the processes thus:

“…there are four distinct stages to the section 8(4) regime:

1.  The interception of a small percentage of Internet bearers, selected as being those most likely to carry external communications of intelligence value.
2.  The filtering and automatic discarding (in near real-time) of a significant percentage of intercepted communications, being the traffic least likely to be of intelligence value.
3.  The application of simple and complex search criteria (by computer) to the remaining communications, with those that match the relevant selectors being retained and those that do not being discarded.
4.  The examination of some (if not all) of the retained material by an analyst.”

The reference to a ‘small percentage’ of internet bearers derives from the March 2015 ISC Report. Earlier in the judgment the Court said:

“… GCHQ’s bulk interception systems operated on a very small percentage of the bearers that made up the Internet and the ISC was satisfied that GCHQ applied levels of filtering and selection such that only a certain amount of the material on those bearers was collected.”

Two points about this passage are worthy of comment. First, while the selected bearers may make up a very small percentage of the estimated 100,000 bearers that make up the global internet (judgment, [9]), that is not the same thing as the percentage of bearers that land in the UK.

Second, the ISC report is unclear about how far, if at all, filtering and selection processes are applied not just to content but also to communications data (metadata) extracted from intercepted material. Whilst the report describes filtering, automated searches on communications using complex criteria and analysts performing additional bespoke searches, it also says:

“Related CD (RCD) from interception: GCHQ’s principal source of CD is as a by-product of their interception activities, i.e. when GCHQ intercept a bearer, they extract all CD from that bearer. This is known as ‘Related CD’. GCHQ extract all the RCD from all the bearers they access through their bulk interception capabilities.” (emphasis added)

The impression that collection of related communications data may not be filtered is reinforced by the Snowden documents, which referred to several databases derived from bulk interception and which contained very large volumes of non-content events data. The prototype KARMA POLICE, a dataset focused on website browsing histories, was said to comprise 17.8 billion rows of data, representing 3 months’ collection. (The existence or otherwise of KARMA POLICE and similar databases has not been officially acknowledged, although the then Interception of Communications Commissioner in his 2014 Annual Report reported that he had made recommendations to interception agencies about retention periods for related communications data.)

The ISC was also “surprised to discover that the primary value to GCHQ of bulk interception was not in reading the actual content of communications, but in the information associated with those communications.”

If it is right that little or no filtering is applied to collection of related communications data (or secondary data as it is known in the IP Act), then the overall end to end process would look something like this (the diagram draws on Snowden documents published by The Intercept as well as the sources already mentioned):

[Diagram: end to end bulk interception process, from bearer selection through filtering and selection to the data stores queried by analysts; not reproduced here.]
Returning to the BBW judgment, the Court’s concerns related to intercepted ‘communications’ and ‘material’:

“the lack of oversight of the entire selection process, including the selection of bearers for interception, the selectors and search criteria for filtering intercepted communications, and the selection of material for examination by an analyst…”

There is no obvious reason to limit those observations to content. Elsewhere in the judgment the Court was “not persuaded that the acquisition of related communications data is necessarily less intrusive than the acquisition of content” and went on:

“The related communications data … could reveal the identities and geographic location of the sender and recipient and the equipment through which the communication was transmitted. In bulk, the degree of intrusion is magnified, since the patterns that will emerge could be capable of painting an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with…”.

The Court went on to make specific criticisms of RIPA’s lack of restrictions on the use of related communications data, as discussed below.

What does the Court’s finding on end to end oversight mean for the IP Act? The Act introduces independent approval of warrants by Judicial Commissioners, but does it create the robust oversight of the end to end process, particularly of selectors and search criteria, that the Strasbourg Court requires?

The March 2015 ISC Report recommended that the oversight body be given express authority to review the selection of bearers, the application of simple selectors and initial search criteria, and the complex searches which determine which communications are read. David Anderson Q.C.'s (now Lord Anderson) Bulk Powers Review records (para 2.26(g)) an assurance given by the Home Office that that authority is inherent in clauses 205 and 211 of the Bill (now sections 229 and 235 of the IP Act).

Beyond that, under the IP Act the Judicial Commissioners have to consider at the warrant approval stage the necessity and proportionality of conduct authorised by a bulk warrant. Arguably that includes all four stages identified by the Strasbourg Court (see my submission to IPCO earlier this year). If that is right, the RIPA gap may have been partially filled.

However, the IP Act does not specify in terms that selectors and search criteria have to be reviewed. Moreover, focusing on those particular techniques already seems faintly old-fashioned. The Bulk Powers Review reveals the extent to which more sophisticated analytical techniques such as anomaly detection and pattern analysis are brought to bear on intercepted material, particularly communications data. Robust end to end oversight ought to cover these techniques as well as use of selectors and automated queries.  

The remainder of the gap could perhaps be filled by an explanation of how closely the Judicial Commissioners oversee the various selection, searching and other analytical processes.

Filling this gap may not necessarily require amendment of the IP Act, although it would be preferable if it were set out in black and white. It could perhaps be filled by an IPCO advisory notice: first as to its understanding of the relevant requirements of the Act; and second explaining how that translates into practical oversight, as part of bulk warrant approval or otherwise, of the end to end stages involved in bulk interception (and indeed the other bulk powers).

Related Communications Data/Secondary Data

The diagram above shows how communications data can be obtained from bulk interception. Under RIPA this was known as Related Communications Data. In the IP Act it is known as Secondary Data. Unlike RIPA, the IP Act specifies a category of bulk warrant that extracts secondary data alone (without content) from bearers.  However, the IP Act definition of secondary data also permits some items of content to be extracted from communications and treated as communications data.

Like RIPA, the IP Act contains few specific restrictions on the use to which secondary data can be put. It may be examined for a reason falling within the overall statutory purposes and subject to necessity and proportionality. The IP Act adds the requirement that the reason be within the operational purposes (which can be broad) specified in the bulk warrant. As with RIPA, the restriction that the purpose of the bulk interception must be overseas-related does not apply at the examination stage. Like RIPA, there is a requirement to obtain specific authority (a targeted examination warrant, in the case of the IP Act) to select for examination the communications of someone known to be within the British Islands. But like RIPA this applies only to content, not to secondary data.

RIPA’s lack of restriction on examining related communications data was challenged in the Investigatory Powers Tribunal. The government argued (and did so again in the Strasbourg proceedings) that this was necessary in order to be able to determine whether a target was within the British Islands, and hence whether it was necessary to apply for specific authority from the Secretary of State to examine the content of the target’s communications.

The IPT accepted this argument, holding that the difference in the restrictions was justified and proportionate by virtue of the need to be able to determine whether a target was within the British Islands. It rejected as “an impossibly complicated or convoluted course” the suggestion that RIPA could have provided a specific exception to provide for the use of metadata for that purpose.

That, however, left open the question of all the other uses to which metadata could be put. If the Snowden documents referred to above are any guide, those uses are manifold.  Bulk intercepted metadata would hardly be of primary value to GCHQ, as described by the ISC, if its use were restricted to ascertaining whether a target was within or outside the British Islands.

The Strasbourg Court identified this gap in RIPA and held that the absence of restrictions on examining related communications data was a ground on which RIPA violated the ECHR.

The Court accepted that related communications data should be capable of being used in order to ascertain whether a target was within or outside the British Islands. It also accepted that that should not be the only use to which it could be put, since that would impose a stricter regime than for content.

But it found that there should nevertheless be “sufficient safeguards in place to ensure that the exemption of related communications data from the requirements of section 16 of RIPA is limited to the extent necessary to determine whether an individual is, for the time being, in the British Islands.”

Transposed to the IP Act, this could require a structure for selecting secondary data for examination along the following lines:
  • Selection permitted in order to determine whether an individual is, for the time being, in the British Islands.
  • Targeted examination warrant required if (a) any criteria used for the selection of the secondary data for examination are referable to an individual known to be in the British Islands, and (b) the purpose of using those criteria is to identify secondary data or content relating to communications sent by, or intended for, that individual.
  • Otherwise: selection of secondary data permitted (but subject to the robust end to end oversight requirements discussed above).

Although the Court speaks only of sufficient safeguards, it is difficult to see how this could be implemented without amendment of the IP Act.

Journalistic privilege

The Court found RIPA lacking in two areas: bulk interception (for both content and related communications data) and ordinary communications data acquisition. The task of determining to what extent the IP Act remedies the deficiencies is complex. However, in the light of the comparisons below it seems likely that at least some amendments to the legislation will be necessary.

Bulk interception
For bulk interception, the Court was particularly concerned that there were no requirements either:
  • circumscribing the intelligence services’ power to search for confidential journalistic or other material (for example, by using a journalist’s email address as a selector),
  • requiring analysts, in selecting material for examination, to give any particular consideration to whether such material is or may be involved.

Consequently, the Court said, it would appear that analysts could search and examine without restriction both the content and the related communications data of those intercepted communications.

For targeted examination warrants the IP Act itself contains some safeguards relating to retention and disclosure of material where the purpose, or one of the purposes, of the warrant is to authorise the selection for examination of journalistic material which the intercepting authority believes is confidential journalistic material. Similar provisions apply if the purpose, or one of the purposes, of the warrant is to identify or confirm a source of journalistic information.

Where a targeted examination warrant is unnecessary the Interception Code of Practice provides for corresponding authorisations and safeguards by a senior official outside the intercepting agency.

Where a communication intercepted under a bulk warrant is retained following examination and it contains confidential journalistic material, the Investigatory Powers Commissioner must be informed as soon as reasonably practicable.

Unlike RIPA, S.2 of the IP Act contains a general provision requiring public authorities to have regard to the particular sensitivity of any information, including confidential journalistic material and the identity of a journalist’s source.

Whilst these provisions are an improvement on RIPA, it will be open to debate whether they are sufficient, particularly since the specific safeguards relate to arrangements for handling, retention, use and destruction of the communications rather than to search and selection.

Bulk communications data acquisition
The IP Act introduces a new bulk communications data acquisition warrant to replace S.94 of the Telecommunications Act 1984. S.94 was not considered in the BBW case.  The IP Act bulk power contains no provisions specifically protecting journalistic privilege. The Code of Practice expands on the general provisions in S.2 of the Act.

Ordinary communications data acquisition
The RIPA Code of Practice required an application to a judge under PACE 1984 where the purpose of the application was to determine a source. The Strasbourg court criticised this on the basis that it did not apply in every case where there was a request for the communications data of a journalist, or where such collateral intrusion was likely.

The IP Act contains a specific provision requiring a public authority to seek the approval of the Investigatory Powers Commissioner to obtain communications data for the purpose of identifying or confirming a source of journalistic information. This provision appears to suffer the same narrowness of scope criticised by the Strasbourg Court.

Thursday, 13 September 2018

Big Brother Watch v UK – implications for the Investigatory Powers Act?

Today I have been transported back in time, to that surreal period following the Snowden revelations in 2013 when anyone who knew anything about the previously obscure RIPA (Regulation of Investigatory Powers Act 2000) was in demand to explain how it was that GCHQ was empowered to conduct bulk interception on a previously unimagined scale.

The answer (explained here) lay in the ‘certificated warrants’ regime under S.8(4) RIPA for intercepting external communications. ‘External’ communications were those sent or received outside the British Islands, thus including communications with one end in the British Islands.

Initially we knew about GCHQ’s TEMPORA programme and, as the months stretched into years, we learned from the Intelligence and Security Committee of the importance to GCHQ of bulk intercepted metadata (related communications data, in RIPA jargon):

“We were surprised to discover that the primary value to GCHQ of bulk interception was not in the actual content of communications, but in the information associated with those communications.” [80] (Report, March 2015)
According to a September 2015 Snowden disclosure, bulk intercepted communications data was processed and extracted into query focused datasets such as KARMA POLICE, containing billions of rows of data. David (now Lord) Anderson QC’s August 2016 Bulk Powers Review gave an indication of some techniques that might be used to analyse metadata, including unseeded pattern analysis.

Once the Investigatory Powers Bill started its journey into legislation the RIPA terminology started to fade. But today it came back to life, with the European Court of Human Rights judgment in Big Brother Watch and others v UK.

The fact that the judgment concerns a largely superseded piece of legislation does not necessarily mean it is of historic interest only. The Court held that both the RIPA bulk interception regime and its provisions for acquiring communications data from telecommunications operators violated Article 8 (privacy) and 10 (freedom of expression) of the European Convention on Human Rights. The interesting question for the future is whether the specific aspects that resulted in the violation have implications for the current Investigatory Powers Act 2016.

The Court expressly did not hold that bulk interception per se was impermissible. But it said that a bulk interception regime, where an agency has broad discretion to intercept communications, does have to be surrounded with more rigorous safeguards around selection and examination of intercepted material. [338]

It is difficult to be categoric about when the absence of a particular feature or safeguard will or will not result in a violation, since the Court endorsed its approach in Zakharov whereby in assessing whether a regime is ‘in accordance with the law’ the Court can have regard to certain factors which are not minimum requirements, such as arrangements for supervising the implementation of secret surveillance measures, any notification mechanisms and the remedies provided for by national law. [320]

That said, the Court identified three failings in RIPA that were causative of the violations. These concerned selection and examination of intercepted material, related communications data, and journalistic privilege.

Selection and examination of intercepted material

The Court held that lack of oversight of the entire selection process, including the selection of bearers for interception, the selectors and search criteria for filtering intercepted communications, and the selection of material for examination by an analyst, meant that the RIPA S. 8(4) bulk interception regime did not meet the “quality of law” requirement under Article 8 and was incapable of keeping the “interference” with Article 8 to what is “necessary in a democratic society”.

As to whether the IPAct suffers from the same failing, a careful study of the Act may lead to the conclusion that when considering whether to approve a bulk interception warrant the independent Judicial Commissioner should indeed look at the entire selection process. Indeed I argued exactly that in a submission to the Investigatory Powers Commissioner. Whether it is clear that that is the case and, even if it is, whether the legislation and supporting public documents are sufficiently clear as to the level of granularity at which such oversight should be conducted, is another matter.

As regards selectors (the Court’s greatest concern), the Court observed that while it is not necessary that selectors be listed in the warrant, mere after the event audit and the possibility of an application to the IPT was not sufficient. The search criteria and selectors used to filter intercepted communications should be subject to independent oversight. [340]

Related communications data

The RIPA safeguards for examining bulk interception product (notably the certificate to select a communication for examination by reference to someone known to be within the British Islands) did not apply to ‘related communications data’ (RCD). RCD is communications data (in practice traffic data) acquired by means of the interception.

The significance of the difference in treatment is increased when it is appreciated that it includes RCD obtained from incidentally acquired internal communications and that there is no requirement under RIPA to discard such material. As the Court noted: “The related communications data of all intercepted communications – even internal communications incidentally intercepted as a “by-catch” of a section 8(4) warrant – can therefore be searched and selected for examination without restriction.” [348]

The RCD regime under RIPA can be illustrated graphically:

[Diagram: the RCD regime under RIPA, showing that the British Islands safeguard applies to content but not to related communications data; not reproduced here.]

In this regard the IPAct is virtually identical. We now have tweaked definitions of ‘overseas-related communications’ and ‘secondary data’ instead of external communications and RCD, but the structure is the same:

[Diagram: the secondary data regime under the IP Act, with the same structure as the RIPA diagram above; not reproduced here.]

The only substantive additional safeguard is that examination of secondary data has to be for stated operational purposes (which can be broad).

The Court accepted that under RIPA, as the government argued (and had argued in the original IPT proceedings):
“the effectiveness of the [British Islands] safeguard [for examination of content] depends on the intelligence services having a means of determining whether a person is in the British Islands, and access to related communications data would provide them with that means.” [354]
But it went on:

“Nevertheless, it is a matter of some concern that the intelligence services can search and examine “related communications data” apparently without restriction. While such data is not to be confused with the much broader category of “communications data”, it still represents a significant quantity of data. The Government confirmed at the hearing that “related communications data” obtained under the section 8(4) regime will only ever be traffic data.  
However, … traffic data includes information identifying the location of equipment when a communication is, has been or may be made or received (such as the location of a mobile phone); information identifying the sender or recipient (including copy recipients) of a communication from data comprised in or attached to the communication; routing information identifying equipment through which a communication is or has been transmitted (for example, dynamic IP address allocation, file transfer logs and e-mail headers (other than the subject line of an e-mail, which is classified as content)); web browsing information to the extent that only a host machine, server, domain name or IP address is disclosed (in other words, website addresses and Uniform Resource Locators (“URLs”) up to the first slash are communications data, but after the first slash content); records of correspondence checks comprising details of traffic data from postal items in transmission to a specific address, and online tracking of communications (including postal items and parcels). [355] 

In addition, the Court is not persuaded that the acquisition of related communications data is necessarily less intrusive than the acquisition of content. For example, the content of an electronic communication might be encrypted and, even if it were decrypted, might not reveal anything of note about the sender or recipient. The related communications data, on the other hand, could reveal the identities and geographic location of the sender and recipient and the equipment through which the communication was transmitted. In bulk, the degree of intrusion is magnified, since the patterns that will emerge could be capable of painting an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with. [356]

Consequently, while the Court does not doubt that related communications data is an essential tool for the intelligence services in the fight against terrorism and serious crime, it does not consider that the authorities have struck a fair balance between the competing public and private interests by exempting it in its entirety from the safeguards applicable to the searching and examining of content. While the Court does not suggest that related communications data should only be accessible for the purposes of determining whether or not an individual is in the British Islands, since to do so would be to require the application of stricter standards to related communications data than apply to content, there should nevertheless be sufficient safeguards in place to ensure that the exemption of related communications data from the requirements of section 16 of RIPA is limited to the extent necessary to determine whether an individual is, for the time being, in the British Islands.” [357]

This is a potentially significant holding. In IPAct terms this would appear to require that selection for examination of secondary data for any purpose other than determining whether an individual is, for the time being, in the British Islands should be subject to different and more stringent limitations and procedures.

It is also noteworthy that, unlike RIPA, the IP Act contains provisions enabling some categories of content to be extracted from intercepted communications and treated as secondary data.
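The Court’s description at [355] of where traffic data ends and content begins (a URL up to the first slash, e-mail headers other than the subject line) is a concrete parsing rule, and it is worth seeing how much of a communication it leaves on the “communications data” side of the line. The following Python is an added illustration written for this post, not code from the judgment, GCHQ or any official source; it models the Court’s description, not the statutory definitions of “secondary data” or “content” in the IP Act, and the sample URL and e-mail headers are constructed for the example.

```python
"""Illustrative model of the content / traffic-data boundary described in
Big Brother Watch v UK at [355]: a URL is traffic data up to the first
slash after the host and content thereafter; e-mail headers are traffic
data except the Subject line. This is a model of the Court's description,
not of the IP Act's statutory definitions."""
from email.parser import HeaderParser
from urllib.parse import urlsplit

# Header fields the Court's description treats as content rather than
# traffic data (only the subject line is named at [355]).
CONTENT_HEADERS = {"subject"}


def split_url(url):
    """Return (traffic_data, content) for an absolute URL.

    Everything up to and including the host and port (i.e. before the first
    slash that follows the authority) is returned as traffic data; the path,
    query string and fragment are returned as content, or None if the URL
    has nothing after the host. Any userinfo in the authority also sits
    before the first slash and so stays on the traffic-data side under this
    literal reading of the rule.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("expected an absolute URL with a host: %r" % url)
    traffic = "%s://%s" % (parts.scheme, parts.netloc)
    content = parts.path
    if parts.query:
        content += "?" + parts.query
    if parts.fragment:
        content += "#" + parts.fragment
    return traffic, (content or None)


def split_email_headers(raw_headers):
    """Return (traffic_data, content) dicts for a block of RFC 5322 headers.

    Every header except those in CONTENT_HEADERS is classed as traffic data,
    mirroring the Court's summary that e-mail headers other than the subject
    line are communications data.
    """
    msg = HeaderParser().parsestr(raw_headers)
    traffic, content = {}, {}
    for name, value in msg.items():
        bucket = content if name.lower() in CONTENT_HEADERS else traffic
        bucket[name] = value
    return traffic, content


# Constructed sample input for the example (not real traffic).
SAMPLE_URL = "https://www.example.com:8443/news/article?id=42#top"
SAMPLE_HEADERS = """From: alice@example.org
To: bob@example.net
Cc: carol@example.com
Date: Tue, 30 Oct 2018 09:00:00 +0000
Received: from mail.example.org (203.0.113.5) by mx.example.net
Subject: Meeting notes
"""


def demo():
    """Apply both rules to the constructed samples and return the results."""
    url_traffic, url_content = split_url(SAMPLE_URL)
    hdr_traffic, hdr_content = split_email_headers(SAMPLE_HEADERS)
    return {
        "url_traffic": url_traffic,
        "url_content": url_content,
        "header_traffic": hdr_traffic,
        "header_content": hdr_content,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-15s %s" % (key, value))
```

Run stand-alone, the script shows that the whole of the sender, recipients, copy recipients, timestamp and relay path of the sample message, and the scheme, host and port of the sample URL, fall on the traffic-data side; only the subject line and the path/query of the URL are content. That is the practical point behind the Court’s remark that related communications data is not necessarily less intrusive than content.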

Journalistic privilege

The Court found violations of Article 10 under both the bulk interception regime and the regime for acquisition of communications data from telecommunications service providers.

For bulk interception, the court focused on lack of protections at the selection and examination stage: “In the Article 10 context, it is of particular concern that there are no requirements – at least, no “above the waterline” requirements – either circumscribing the intelligence services’ power to search for confidential journalistic or other material (for example, by using a journalist’s email address as a selector), or requiring analysts, in selecting material for examination, to give any particular consideration to whether such material is or may be involved. Consequently, it would appear that analysts could search and examine without restriction both the content and the related communications data of these intercepted communications.” [493]

For communications data acquisition, the court observed that the protections for journalistic privilege only applied where the purpose of the application was to determine a source; they did not apply in every case where there was a request for the communications data of a journalist, or where such collateral intrusion was likely. [499]

This may have implications for those IPAct journalistic safeguards that are limited to applications made ‘for the purpose of’ intercepting or examining journalistic material or sources.

Thursday, 22 February 2018

Illuminating the Investigatory Powers Act


As full implementation of the Investigatory Powers Act (IPAct) draws closer we can usefully ponder some of its more ticklish points of interpretation. These will serve to delineate the IPAct's powers, crystallise the legislation's procedural requirements and determine who can be compelled to do what.

Unlike its predecessor, the Regulation of Investigatory Powers Act 2000 (RIPA), the IPAct comes with expectations of openness and transparency.  The Act itself exposes a panoply of powers to the public gaze.  But despite its 300 pages of detail, decisions will still have to be made about the meaning of some provisions and how they are to be applied.

Previously such legal interpretations have tended to come to light, if at all, as a consequence of the Snowden revelations or during litigation brought by civil liberties organisations. Examples include the meaning of ‘external’ communications under RIPA, the legal basis for thematic interception warrants under RIPA, and the use of S.94 Telecommunications Act 1984 powers to acquire bulk communications data from telecommunications companies.

In the field of surveillance, hidden legal interpretations influencing how powers are wielded are in substance as much part of the law as the statute that grants the powers.  This can be problematic when a cornerstone of the rule of law is that laws should be publicly promulgated. People should be able to know in advance the kind of circumstances in which the powers are liable to be used and understand the manner of their exercise. According to jurisprudential taste, secret law is either bad law or not law at all.

The new Investigatory Powers Commissioner has an opportunity to bring to public view legal interpretations that will mould the use of the IPAct's surveillance powers. 

Most IPAct powers require approval by a Judicial Commissioner or, as now proposed for communications data acquisition, a new Office for Communications Data Authorisations. The Judicial Commissioner or other reviewer may have to form a view about some provision of the Act when approving a warrant or notice.  Some interpretations may have significance that goes wider than a single approval.

Under the IPAct there is scope for an adopted interpretation to be published if that can be done without breaching the Commissioner's responsibilities not to act contrary to the public interest, nor prejudice national security or the prevention or detection of serious crime or the economic well-being of the UK.

What interpretations of the IPAct will have to be considered? The most heavily debated has been the level of scrutiny that Judicial Commissioners are required to apply to Ministerial decisions to issue warrants and technical capability notices. Gratefully donning my techlaw hat, I shall leave that problem to the public and administrative law experts who have been mulling over it since the draft Bill was published in November 2015.

Approval decisions will typically involve assessments of necessity and proportionality. These will by their nature be fact-sensitive and so more difficult to make public without revealing operational matters that ought to remain secret. Nevertheless some general approaches may be capable of being made public.

Among the most likely candidates for publication will be points of statutory construction: aspects of the IPAct's language that require a view to be taken of their correct interpretation.  

I have drawn up a list of provisions that present interpretative challenges of varying degrees of significance. Some of the points are old hobbyhorses, dating back to my comments on the original draft Bill. Others are new. No doubt more will emerge as the IPAct is put into practice.

BULK INTERCEPTION

Selection for examination

What is the issue?

Under a bulk interception warrant what kinds of activities count as selection for examination of intercepted content or secondary data? While the question can be simply put, the answer is not so easy.

Why is it significant?

Selection for examination underpins three provisions of the IPAct.

First, a separate targeted examination warrant must be obtained before selecting intercepted content for examination by use of criteria (such as an e-mail address) referable to an individual known to be in the British Islands, if the purpose is to identify the content of communications sent by or intended for that individual. (S.152(4)) (However, a targeted examination warrant is not required for secondary data. As to what is meant by secondary data, see below.)

Second, it is an offence (subject to applicable knowledge and intent thresholds) to select intercepted content or secondary data for examination in breach of the Act's safeguards. (S.155)

Third, a bulk interception warrant authorising selection for examination must describe the manner in which intercepted content or secondary data will be selected for examination and the conduct by which that activity will be secured (S.136(4)(c)).

The S.136(4)(c) requirement is new compared with the equivalent provisions of RIPA. Curiously, it is not referred to in the draft Interception Code of Practice.

It is important to know what activities amount to selection for examination.  This is a particular issue with automated processing.

Possible interpretations?

Examination means being read, looked at or listened to (S.263). But what activities are caught by selection for examination? How close a nexus does there have to be between the selection and any subsequent examination?  Does there have to be a specific intention to examine the selected item (for instance when an analyst makes a search request on a database)? Does selection for possible examination suffice?  (It is perhaps of interest that David Anderson Q.C.'s Bulk Powers Review at para 2.17 discusses under the heading of ‘Selection for Examination’ the use of strong and weak selectors to select material for “possible examination” by analysts.)

The Draft Interception Code of Practice describes a sequence of steps from obtaining the data through to examination by an analyst. It uses the term 'selection for examination' in ways that could refer to both selection by the analyst and intermediate processing steps:

"In practice, several different processing systems may be used to effect the interception and/or the obtaining of secondary data, and the selection for examination of the data so obtained. These processing systems process data from the communications links or signals that the intercepting authority has chosen to intercept. A degree of filtering is then applied to the traffic on those links and signals, designed to select types of communications of potential intelligence value whilst discarding those least likely to be of intelligence value. As a result of this filtering, which will vary between processing systems, a significant proportion of the communications on these links and signals will be automatically discarded. Further complex searches may then take place to draw out further communications most likely to be of greatest intelligence value, which relate to the agency’s statutory functions. These communications may then be selected for examination for one or more of the operational purposes specified in the warrant where the conditions of necessity and proportionality are met. Only items which have not been filtered out can potentially be selected for examination by authorised persons." (emphasis added)

If selection for examination encompasses only the action of an analyst querying a database then S.136(4)(c) would still require the warrant to describe the manner in which an analyst could select content or secondary data for examination. That could include describing how analysts can go about searching databases. It might also cover the operation of Query Focused Datasets (databases in which the data is organised so as to optimise particular kinds of queries by analysts).

But does selection for examination exclude all the automated processing that takes place between bulk capture and storage? There appears to be no reason in principle why automated selection should be excluded, if the selection is 'for examination'.  

Details of the kinds of automated processing applied between capture and storage are mainly kept secret.  However some clues beyond the draft Code of Practice can be obtained from the Intelligence and Security Committee Report of March 2015 and from the Bulk Powers Review.  The Bulk Powers Review describes a process that uses ‘strong selectors’ (telephone number or email address) to select items in near real time as they are intercepted:

“As the internet traffic flows along those chosen bearers, the system compares the communications against a list of strong selectors in near real-time. Any communications which match the selectors are automatically collected and all other communications are automatically discarded.”

Such selection against a list of e-mail addresses or telephone numbers of interest is not made for any purpose other than examination, or at least possible examination. But does it count as selection for examination if (as described in the Bulk Powers Review) a further triage process may be applied?

“Even where communications are known to relate to specific targets, GCHQ does not have the resources to examine them all. Analysts use their experience and judgement to decide which of the results returned by their queries are most likely to be of intelligence value and will examine only these.”

Weaker selectors may relate to subject-matter and be combined to create complex non-real time queries which determine what material is retained for possible examination after triage. Pattern matching algorithms could perhaps be used to flag up persons exhibiting suspicious behavioural traits as candidates for further investigation.

The question of which, if any, of these processes amount to selection for examination is of considerable significance to the operation of the processes mandated by the IPAct.

Secondary data

What is the issue?

'Secondary data' under the IP Act has been extended, compared with RIPA's equivalent ‘related communications data’, so as to include some elements of the content of a communication. However the definition is difficult to apply and in some respects verges on the metaphysical.  

Why is it significant?

Secondary data, despite its name, is perhaps the most important category of data within the IP Act. It is, roughly speaking, metadata acquired under a targeted, thematic or bulk interception warrant. As such it is not subject to all the usage restrictions that apply to intercepted content.

In particular, unlike for content, there is no requirement to obtain a targeted examination warrant in order to select metadata for examination by use of a selector (such as an e-mail address) referable to someone known to be in the British Islands.

The broader the scope of secondary data, therefore, the more data can be accessed without a targeted examination warrant and the more of what would normally be regarded as content will be included.

Possible interpretations?

Under S.137 of the IPAct secondary data includes:

“identifying data which -

(a) is comprised in, included as part of, attached to or logically associated with the communication (whether by the sender or otherwise),
(b) is capable of being logically separated from the remainder of the communication, and
(c) if it were so separated, would not reveal anything of what might reasonably be considered to be the meaning (if any) of the communication, disregarding any meaning arising from the fact of the communication or from any data relating to the transmission of the communication.”

Identifying data is data which may be used to identify, or assist in identifying, any person, apparatus, system or service, any event, or the location of any person, event or thing.

Identifying data is itself broadly defined. It includes offline as well as online events, such as date or location data on a photograph. However the real challenge is in understanding (c). How does one evaluate the ‘meaning’ of the communication for these purposes? If a name, or a location, or an e-mail address, or a time is extracted from the communication does that on its own reveal anything of its meaning? Is each item extracted to be considered on its own, or are the extracted items of data to be considered together?  How is the ‘meaning’ of a machine to machine communication to be evaluated? Is the test what the communication might mean to a computer or to a human being?

A list of the specific types of data that do and do not fall either side of the line can be a useful aid to understanding abstract data-related definitions such as this. Among the Snowden documents was a GCHQ internal reference list distinguishing between content and related communications data under RIPA.

TECHNICAL CAPABILITY NOTICES

Applied by or on behalf of

What is the issue?

A technical capability notice (TCN) can require a telecommunications operator to install a specified capability to assist with any interception, equipment interference or bulk acquisition warrant, or communications data acquisition notice, that it might receive in the future.

In particular a TCN can require a telecommunications operator to have the capability to remove electronic protection applied by or on behalf of that operator to any communications or data. This includes encryption. But when is encryption applied "by or on behalf of" that operator?

Why is it significant?

During the passage of the Bill through Parliament there was considerable debate about whether a TCN could be used to stop a telecommunications operator providing end to end encryption facilities to its users. The question was never fully resolved. One issue that would arise, if an attempt were made to use TCNs in that way, is whether the E2E encryption was applied by or on behalf of the operator. If not, then there would be no jurisdiction to issue a TCN in relation to that encryption facility.

Possible interpretations?

In principle, encryption could be applied by the operator, by the user, or by both. An operator would no doubt argue that under the E2E model it is providing the user only with the facility to apply encryption and that any encryption is applied by the user, not the operator.  The strength of that argument could vary depending on the precise technical arrangements in a particular case.

MANDATORY DATA RETENTION

Obtaining data by generation

What is the issue?

The IP Act empowers the Secretary of State, with the approval of a Judicial Commissioner, to give a communications data retention notice to a telecommunications operator. A notice can require the operator to retain specified communications data for up to 12 months.

A data retention notice may, in particular, include:

“requirements or restrictions in relation to the obtaining (whether by collection, generation or otherwise), generation or processing of (i) data for retention, or (ii) retained data.”

This provision makes clear that a requirement to retain data can include obtaining or generating data for retention. But what exactly does that mean? In particular, why does ‘obtaining’ data for retention include ‘generation’?

Why is it significant?

Mandatory communications data retention is one of the most controversial aspects of the IP Act. It is under challenge in the courts and, as a result of previous legal challenges, the government is already having to consult on amendments to the Act.

The powers to require data retention are broader in every respect than those in the predecessor legislation, the Data Retention and Investigatory Powers Act 2014. They can be used against private, not just public, telecommunications operators. They cover a far wider range of data. And they can require data be obtained and generated, not just retained.

So the width of these new powers is significant, especially as telecommunications operators are required not to disclose the existence of data retention notices to which they are subject.

Possible interpretations?

What does it mean to ‘obtain’ data by ‘generation’? It apparently means something different from just generating data for retention, since that is spelt out separately. The most far reaching interpretation would be if the notice could require the operator to require a third party to generate and hand over communications data to the operator. Could that be used to compel, say, a wi-fi operator to obtain and retain a user's identity details?

There was no suggestion during the Parliamentary debates that it could be used in that way, but then the curious drafting of this provision received no attention at all.

INTERNET CONNECTION RECORDS

‘Internet service’ and ‘internet communications service’

What is the issue?

The IPAct uses both ‘internet service’ and ‘internet communications service’ in its provisions that set out the limits on public authority access to internet connection records (ICRs). However it provides no definitions. Nor are these well understood industry or technical terms.

Why is it significant?

ICRs are logs of visited internet destinations such as websites. ICRs are particularly sensitive since they can be a rich source of information about someone’s lifestyle, health, politics, reading habits and so on. The IP Act therefore places more stringent limits, compared with ordinary communications data, on the authorities that may access ICRs and for what purposes.

The Act stipulates several purposes for which, in various different circumstances, a public authority can access ICRs. They include:
  • to identify which person or apparatus is using an internet service where the service and time of use are already known. (S.62(3))
  • to identify which internet communications service is being used, and when and how it is being used, by a person or apparatus whose identity is already known. (S.62(4)(b)(i) and S.62(5)(c)(i))
  • to identify which internet service is being used, and when and how it is being used, by a person or apparatus whose identity is already known. (S.62(4)(b)(iii) and S.62(5)(c)(iii))

The second and third purposes apply identically to internet services and internet communications services. The first purpose applies only to internet services.

The purposes for which the powers can be used may therefore differ, depending on whether we are dealing with an internet service or an internet communications service. But as already noted, the Act does not tell us what either of these terms means.

Possible interpretations?

We can find clues to interpretation in the footnotes to the draft Communications Data Code of Practice. 

Footnote 49 says that an ‘internet service’ is a service provided over the internet. On the face of it this would seem to exclude a service consisting of providing access to the internet. However the example illustrating S.62(3) in paragraph 9.6 of the draft Code suggests differently.

Footnote 49 goes on to say that 'internet service' includes ‘internet communication services, websites and applications.’ It also suggests examples of online travel booking or mapping services.

This explanation presents some problems.

First is the suggestion that internet communication services are a subset of internet services. If that is right then subsections 62(4)(b)(i) and 62(5)(c)(i) of the Act (above, internet communication services) are redundant, since the respective subsections (iii) already cover internet services in identical terms.

If ‘internet communication service’ is redundant, then the uncertainties with its definition may not signify since S.62 can simply be applied to any 'internet service'.

Elsewhere the draft Code suggests that the subsections (iii) relate to ‘other’ internet services (i.e. additional to internet communications services covered by subsections (i)). However that language does not appear in the Act.

Second is the suggestion that websites and applications are different from internet communications services.  On the face of it an internet communication service could mean just e-mail or a messaging service. But if so, what are we to make of ‘applications’ as something different, since many messaging services are app-based?

Last, to add to the confusion, footnote 48 of the Draft Code of Practice says that an internet communication service is a service which provides for the communication between one or more persons over the internet and ‘may include’ email services, instant messaging services, internet telephony services, social networking and web forums.

This goes wider than just e-mail and messaging services. Does it, for instance, include online games with the ability to chat to other players?  In context does ‘person’ refer only to a human being, or does it include machine communications?

Those involved in authorising and approving applications for access to ICRs will have to take a view on what these terms mean and how they fit together within the scheme of the Act. 

Material whose possession is a crime

What is the issue?

Another ground on which access to ICRs may be obtained is to identify where or when a known person is accessing or running a file or program which “wholly or mainly involves making available, or acquiring, material whose possession is a crime”. There are relatively few offences that are committed by mere possession of material. Illicit drugs and indecent images of children are two mentioned in the draft Code of Practice.

Why is it significant?

The width of the definition affects what kinds of criminal activity can be the subject of applications to access ICRs under this head.

Possible interpretations?

Does the section apply more widely than mere possession, for instance where possession is an offence only if it is with a view to some other activity? What about possession offences where possession is not an offence if it is for personal use?

COMMUNICATIONS DATA

URLs up to the first slash

What is the issue?

It has long been understood that under RIPA the portion of a web address to the right of the first slash is content, but otherwise the URL is communications data. RIPA contained a convoluted definition designed to achieve that result. Although the Home Office says that the IPAct achieves the same result, exactly how the definitions achieve that is not always obvious.

Why is it significant?

Communications data retention and acquisition powers can be deployed only against communication data, not content. So it is important to know what is and is not content.  It is especially important for Internet Connection Records, which the Home Office has repeatedly said include top-level web addresses but not page URLs.

In June 2015, in A Question of Trust at paragraph 9.53, David Anderson Q.C. said that the Home Office had provided him with this definition of 'weblogs' (now known as ICRs):

“Weblogs are a record of the interaction that a user of the internet has with other computers connected to the internet. This will include websites visited up to the first ‘/’ of its [url], but not a detailed record of all web pages that a user has accessed. This record will contain times of contacts and the addresses of the other computers or services with which contact occurred.”

He went on:

"Under this definition a web log would reveal that a user has visited e.g. www.google.com or www.bbc.co.uk, but not the specific page."

He also noted that:

"Under the current accepted distinction between content and CD, www.bbc.co.uk would be communications data while www.bbc.co.uk/sport would be content; and this is set out in the Acquisition Code. However there are arbitrary elements to that definition – for example sport.bbc.co.uk (no ‘www.’) takes you to the same place as www.bbc.co.uk/sport.”

Possible interpretations?

The House of Commons Science and Technology Committee criticised the data definitions in the draft Bill.  They remain complex and abstract in the final legislation.

Towards the end of the pre-Bill scrutiny the Home Office submitted evidence to the Joint Committee that gave more information about what kinds of data would constitute communications data and ICRs. 

In the table at Annex A para 20 of its written evidence the Home Office classified as ‘content’ the following:

“The url of a webpage in a browsing session (e.g. www.bbc.co.uk/news/story or news.bbc.co.uk or friend’sname.facebook.com)”

The first example reflected the prior understanding that a full URL is content. The second and third examples (subdomains) depart from the previous understanding set out in the above extract from ‘A Question of Trust’ by classifying the material to the left of the first slash as content.

Whatever the merits of this approach in removing some of the arbitrariness noted by David Anderson, it is difficult to find anything in the legislation that draws the line at the point suggested. The Home Office evidence gave no explanation of why it drew the line where it did. 

The draft Communications Data Code of Practice does not address the point specifically, but its explanation of fully qualified domain names at page 17 might perhaps suggest that the Home Office has now reverted to the original position described in A Question of Trust.

Given the sensitivity of ICRs this is an area in which clarity is important, not just for ISPs who are subject to the IPAct's requirements but also so that the general public can know what kinds of data are potentially subject to retention and access. 

This is another example pointing to the desirability of publishing a comprehensive list of datatypes illustrating what kinds of data fall into which categories and, by reference to the definitions in the IPAct itself, why they do so.
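As an added illustration of the two competing readings discussed above (not part of the original post, and not Home Office or ISP code), the Python below classifies the page's own examples under the first-slash rule and under the Annex A reading that treats subdomains as content. The tiny public-suffix table and the treatment of the conventional 'www' label are assumptions made for the example.

```python
"""Classify URL components as 'communications data' or 'content' under the
two readings described in the post: the first-slash rule from A Question of
Trust / the RIPA Acquisition Code, and the Home Office Annex A evidence that
treats subdomains as content. Added example, not the author's code."""
from urllib.parse import urlsplit

# Constructed, deliberately tiny public-suffix table (assumption). A real
# implementation would use the full Public Suffix List.
PUBLIC_SUFFIXES = {"co.uk", "com", "org"}


def split_url(url: str):
    """Return (host, remainder): host is the part up to the first '/',
    remainder is everything after it including query string and fragment."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname or ""  # lower-cased, port stripped
    remainder = parts.path
    if parts.query:
        remainder += "?" + parts.query
    if parts.fragment:
        remainder += "#" + parts.fragment
    return host, remainder


def registrable_domain(host: str) -> str:
    """One label beyond the longest matching public suffix, e.g.
    bbc.co.uk for sport.bbc.co.uk, facebook.com for name.facebook.com."""
    labels = host.rstrip(".").split(".")
    for n in (2, 1):  # longest suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def classify_first_slash(url: str) -> dict:
    """First-slash rule: the host up to the first '/' is communications
    data; everything to the right of the first '/' is content."""
    host, remainder = split_url(url)
    return {"communications_data": host, "content": remainder}


def classify_annex_a(url: str) -> dict:
    """Annex A reading as the post describes it: a subdomain to the left of
    the first slash is content too, so only the registrable domain is
    communications data. Assumption: 'www' is not a content-bearing
    subdomain (the post does not settle this point)."""
    host, remainder = split_url(url)
    reg = registrable_domain(host)
    prefix = host[: -len(reg)].rstrip(".") if host != reg else ""
    if prefix == "www":
        prefix = ""
    content = [p for p in (prefix, remainder) if p]
    return {"communications_data": reg, "content": content}


def compare(url: str) -> dict:
    """Both classifications side by side, to show where they diverge."""
    return {"first_slash": classify_first_slash(url),
            "annex_a": classify_annex_a(url)}


if __name__ == "__main__":
    # Anderson's arbitrariness point: two addresses for the same page.
    for u in ("https://www.bbc.co.uk/sport", "https://sport.bbc.co.uk"):
        print(u, compare(u))
```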