The Investigatory Powers Act 2016 – A "Snoopers' Charter" or a legitimate surveillance tool for today's society?
The Government was always under pressure to have this controversial Act finalised by the end of 2016 due to the expiration of the Data Retention and Investigatory Powers Act 2014 (DRIPA). DRIPA, itself an emergency piece of legislation, produced in response to the CJEU decision on data retention in Digital Rights Ireland provided the legal basis for the retention of communications data. With the provisions of the IPA extending beyond the retention of data to the interception of communications, the request for communications data, equipment interference, bulk warrants for communications data and technical capability notices, it is easy to see why Snowden called this "the most extreme surveillance in the history of western democracy".
Due to the extra-territoriality provisions of the IPA this legislation can just about effect any business in any part of the globe that provides a platform for communications to persons in the UK, or controls or provides such a system which is (wholly or partly) (i) in the UK, or (ii) is controlled from the UK. Despite heavy lobbying of this Act by the tech community and privacy activists throughout its Parliamentary journey the passing of the IPA has been justified as necessary and proportionate to national security. During its Parliament journey the UK's previous Prime Minister David Cameron called for a ban on encryption so that the Government would be able to view users' communications and data without the need to request service providers or third party technicians to decrypt it! So how can the UK government gain access to communications data your business holds? Can the UK government now request communications service providers to decrypt messages on demand? Equally are companies obliged to disclose new security features in products it develops to the UK Government?
Distinguishing between communications and communications data and the UK authorities' ability to access it
With any surveillance legislation it is important at the outset to differentiate between the interception of communications, i.e., the actual content, and communications data, the meta data i.e., the ‘who’, ‘when’, ‘where’, and ‘how’. Requests for communications data can be authorised by a senior officer of a particular public service which, for example, in the police service is the rank of an inspector or above. The senior officer can:
authorise the communications data be obtained by an authorised officer in the particular public authority;
allow the authorised officer to ask any person whom he believes is in possession of the communications data or able to obtain it to acquire the data (if not already in possession) and disclose it; or
require by notice a communications service provider whom the authorised officer believes is in possession of the communications data or able to obtain it to acquire the data (if not already in possession) and disclose it.
The threshold for intercepting communications, whether that is stored communications or communications in transit, is much higher in comparison given the level of invasion of privacy. Thus under the IPA a warrant, signed by the Secretary of State, a Government Cabinet Minister in charge of the Home Office, needs to be obtained and then approved by the Investigatory Powers Commissioner, a position that is by appointment of the Prime Minister. The Investigatory Powers Commissioner must have previously held a high judicial office, i.e. that of a High Court judge or above. When reviewing a person's decision to issue a warrant for the decryption of communications or communications data the Investigatory Powers Commissioner needs to determine that:
the warrant is necessary on the grounds provided for in the IPA, for example, national security; and
the behaviour allowed for, under which the warrant has been issued, is proportionate to the desired outcome of that behaviour.
The only exception to this decision making process is in the most urgent of circumstances although the warrant must subsequently receive approval from the Investigatory Powers Commissioner (s24 IPA).
Government requests for decryption of communications and communications data
The UK Government has put provisions in place to ensure that it receives information in an "intelligible form". Therefore upon issuing a warrant to intercept communications or an authorisation or notice, in respect of communications data, it can in advance serve a "technical capability notice" (TCN) (s253). TCNs, in practice, will be placed on companies that are required to give effect to appropriate warrants, authorisations and/or notices on a recurrent basis.
A TCN will impose on communication service providers certain obligations which the provider must comply with. The IPA requires that these obligations are provided by way of Regulations (secondary legislation) which are not yet drafted although the IPA provides a non-exhaustive list of obligations which the Secretary of State may include in any subsequent Regulations. One such obligation listed relates "to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data" (s253(5)(c)), i.e., to decrypt the communication or data. The language of "electronic protection" is used as part of the IPA's attempts to future proof the legislation against new technologies, such as, in this instance those technologies which replace encryption.
Before any TCN is served the Secretary of State has to consult with a communications service provider. It is anticipated that this will take place long before the notice is issued. During any such consultation period the Government will offer advice and guidance besides preparing the company for the possibility of receiving such a notice. Any concerns that a company has about the reasonableness, cost or technical feasibility of the proposed TCN's requirements should be raised with the Government during the consultation phase. Prior to issuing a TCN the Government has to satisfy itself that it is appropriate to do so.
What is the situation on decrypting communications and/or communications data for companies who have not previously been issued with a TCN ahead of receiving a warrant, authorisation and/or notice? Any person receiving a warrant, authorisation or notice under the IPA is "not required to take any steps which it is not reasonably practicable for the relevant operator to take" (ss43(4) and 66(3)). While reasonably practicable is not defined for operators within the UK, in respect of those outside the UK, whether something is reasonably practicable needs to take into account any requirements and restrictions under local law and the extent to which it is reasonably practicable to give effect to the warrant, authorisation or notice without breaching any local requirement or restriction. Consideration will have to be given to whether it is in fact possible for certain companies to decrypt the encryption software it provides to its users.
New security features
Further obligations that can be imposed on relevant operators by way of a TCN include: the provision of facilities or services of a specified description; obligations relating to the security of any telecommunications services; and obligations in respect of the apparatus owned or operated by a relevant operator. How these obligations will work in practice and whether or not it will be necessary for a relevant operator to disclose any new security features they develop to the UK Government will need to be elaborated on in any future Regulations that the Secretary of State produces in conjunction with the IPA. However, the fact that the IPA allows for a TCN to be varied and the Equipment Interference Draft Code of Practice states that the circumstances for varying may include the launch of new services (para. 8.35), certainly suggests that where a communications service provider has received a TCN it needs to keep an open dialogue with the UK Government about its future developments!
As mentioned earlier the Act applies outside the UK and certain provisions can be enforced outside the UK such as targeted interception and mutual assistance warrants (ss41(1) and 43(8)) as well as authorisations for communications data (s66) by civil proceedings brought by the Secretary of State. These provisions however may be limited given that it can be difficult to enforce an overseas' judgment in another jurisdiction. Yet while this may have been the case historically, the IPA highlights the use of EU mutual assistance instruments and international mutual assistance agreements. Given today's heightened security climate it may be that in time enforcement of UK orders overseas will be more successful due to the collaborative effort of countries against international terrorism. MIT is also predicting in its article New UK Surveillance Law Will Have Worldwide Implications that this trend for extensive surveillance, which is just beginning, is set to continue.
Timetable for implementation
While the IPA is now on the statue books and the sections relating to data retention have been brought into force via Commencement No.1 the timetable for the remaining provisions is somewhat elusive. No detailed information has been released to date although the Home Office's press release about the IPA stated:
"some of the provisions will require extensive testing and will not be in place for some time. The Home Office is developing plans for implementing the provisions … and will set out the timetable in due course. This will be subject to detailed consultation with industry and operational partners".
Despite no indication of whether the timeframe will be months or years what is clear is that significant work and collaboration needs to be undertaken to set up this new surveillance framework although things are starting to happen. Lord Justice Fulford has been appointed the first Investigatory Powers Commissioner and the series of Codes of Practice that supplement the Act are at present out for consultation which closes at 11:45pm on 6 April 2016. However, the code of practice relating to the obtaining and retention of communications data is not available although "will be published for consultation in due course".
Regardless of the "strict safeguards" in place and the initial balancing act which must occur between an individual's privacy rights and national security before any relevant public authority can acquire the necessary go ahead for intercepting communications, inferring with equipment and/or obtaining communications data etc. there is no doubt that this area of law is extremely controversial. The IPA already faces a number of challenges. The UK Court of Appeal will need to consider in the forthcoming months the IPA in light of the CJEU's recent decision in Tele2/Watson. Meanwhile, privacy rights activists Liberty after crowdfunding the cost of its legal fees has launched its legal challenge of the IPA.
The IPA is by no means a foregone conclusion. With the majority of the Act still not in force and the implementation timeframe uncertain, any operator to whom the IPA may seriously impact upon would be wise to follow the IPA's development and become involved in the detailed consultation that the Home Office is expected to have with industry and operational partners in order to limit the onerous obligations it may ultimately impose.
 Royal assent is the Monarch's agreement that is required to make a Bill into an Act of Parliament.
 Communications Data Draft Code of Conduct, paragraphs 10.7 and 10.8; and Interception of Communications Draft Code of Conduct, paragraphs 8.7 and 8.8
 Investigatory Powers Act 2016 consultation: codes of practice