What does the UK’s Draft Investigatory Powers Bill mean for ICT companies’ responsibility to respect privacy?

The UK government recently published the long-anticipated draft Investigatory Powers Bill, outlining proposed surveillance reforms. 

All sides of the debate broadly agree that UK legislation in this area needs an overhaul, as it does not adequately address the needs of intelligence and security agencies in accessing modern digital communications for the purpose of fighting crime nor does it provide sufficient privacy protections.

The Bill draws on the recommendations of three reviews of UK surveillance legislation published in 2015 - by The Parliamentary Intelligence and Security Committee (ISC), the Independent Reviewer of Terrorism Legislation, David Anderson, and the Panel of the Independent Surveillance Review convened by the Royal United Services Institute (RUSI). Collectively, these three reviews contain almost 200 recommendations for surveillance reform. In the coming months the draft Bill will be carefully analysed, scrutinised, debated and tested in the run up to a Parliamentary vote anticipated in 2016. At IHRB, we have followed the debate closely and will continue to do so. Here, I offer initial reflections on the draft Bill, focusing on the implications for ICT companies.

Definition of Telecommunications Companies

Firstly, the Bill updates the definition of telecommunication companies and services currently in existing legislation such as the Regulation of Investigatory Powers Act 2000 (RIPA) to include ICT companies providing services such as social media and messaging applications, most of which were developed after current legislation was passed. Telecommunications services are defined in the Bill as:

“where a service consists in [sic] or includes facilitating the creation, management or storage of communications transmitted, or that it may be transmitted by such a [telecommunications] system”.

With the development of the “Internet of things” and “big data”, in the not too distant future this definition could encompass a much wider range of companies that rely on Internet services to deliver products and services. The issue of surveillance is no longer confined to the ICT sector and is likely to become a cross-sector issue that impacts a wider range of companies. Therefore, all companies developing products that utilise Internet services should pay attention to this draft Bill.

The draft Bill states it “places the same obligations on all companies providing services to the UK or in control of communications systems in the UK.” Therefore, companies based overseas fall under this draft Bill, but it is not clear how this will be enforced. There seems to be a regulatory gap, and the draft Bill falls short of David Anderson’s recommendation to strengthen data sharing procedures such as through the Mutual Legal Assistance Treaty (MLAT). Witnesses from the ICT sector giving oral evidence at a recent session of Parliament’s Science and Technology Committee expressed concern at the impression there is more obligation on UK-based companies to disclose data, putting them at a commercial disadvantage over non-UK based companies.

Encryption

In the build up to the publication of the draft Bill, there was much speculation that the government would ban encryption, or insist on communication “backdoors” which would put everyone’s digital security at risk. The draft Bill includes obligations “relating to the removal of any electronic protection applied by a relevant operator to any communications or data” when presented with the relevant notice. This is widely reported to refer to end-to-end encryption, considered the strongest kind of encryption as only the sender and recipient of the communication hold the “keys” and communications are unable to be decrypted by anyone, including the company providing the service. Some commercial applications use end-to-end encryption such as Apple’s iMessage. While it is unclear what exactly this clause refers to and what the impact might be commercially on companies if forced to remove end-to-end encryption, users do have other options if they feel the law does not sufficiently protect their communications, such as using end-to-end encryption services which do not involve a “relevant operator”, such as PGP encrypted email.

Internet Connection Records (ICRs)

One of the new provisions in the draft Bill obligates companies providing access to the Internet, such as ISPs and mobile operators, to retain its users’ Internet Connection Records (ICRs) for up to 12 months. ICRs include a record of Internet services accessed by a particular device at a particular time, such as email services, messaging applications or websites. The Home Secretary described this as the “equivalent of an itemised phone bill”. In the case of resolving an IP address (finding out who used a particular service), this would show, for example, that a particular smartphone connected to a particular email service at a particular time. However, ICRs also reveal websites visited (but not the individual page). This is not the equivalent of an itemised phone bill. Knowing a user has visited www.google.com doesn’t reveal much, but knowing a user has visited www.lgbt.foundation does. In addition, neither the police or intelligence and security services would need a warrant to obtain this information. In certain cases it may be needed to access this kind of ICRs (for example if someone was accessing an illegal website), but it does not seem accurate to describe these as the equivalent of an itemised phone bill, and as there is no authorisation required, the necessary and proportionate test has been removed. In addition, during the recent session of the Science and Technology Committee, witnesses from the ICT Sector expressed concern about how the separation of content and communications data in this context could technically happen. 

Companies required to retain their customer ICRs for 12 months will be served with a Data Retention Notice issued by the Secretary of State, when it is deemed “necessary and proportionate” to do so. It is unclear which companies can expect to receive this and the conditions under which it would be necessary and proportionate to retain all user ICRs. 

Bulk Collection of Data

One of the more surprising elements of the draft Bill is that it lays bare the surveillance powers that already exist in the Telecommunications Act 1984, RIPA, and the 2014 Data Retention and Investigatory Powers Act (DRIPA). Publicly avowed for the first time is much of the bulk collection capabilities revealed by Edward Snowden in 2013, and which civil society groups have subsequently challenged, in and out of both the UK and European courts. 

In the draft Bill there are provisions for bulk interception of communications, bulk collection of communications data (including bulk interception of undersea cables as revealed in the Tempora program), the acquisition and use of bulk personal datasets and provisions for bulk equipment interference (which allows data to be obtained from a device by either gaining remote access to a computer or mobile phone, or covertly downloading its contents during a physical search). There are concerns that bulk equipment interference essentially means companies must assist security services hack their customer’s devices.  Companies are also prevented from disclosing if they have received warrants relating to bulk powers. Therefore, this continues to leave a hole in corporate efforts to be transparent about its relationship with the government. 

Although telecommunications companies would already have permanent interception capabilities for content on their systems by law, the Bill goes further, in obligating companies to have capabilities in place that can assist with these other methods of obtaining data, which may require an overhaul of their systems and new storage and processing capabilities at a significant cost.

With such a huge amount of additional data potentially collected and retained by companies in case the police or intelligence agencies want to look at it, there are significant concerns about data security. The Bill comes in the wake of a cyberattack on one of the UK’s biggest Internet service providers, Talk Talk, which resulted in the exposure of customer financial details. So who stores this data? What assurances are there of data security? 

Safeguards: Authorisation and Oversight

The Bill contains new proposals on strengthening the authorisation process of issuing warrants for interception (by introducing an element of judicial review) and strengthening oversight (by combining the three existing oversight bodies into one headed by a senior judge) but it is unclear what the role and effectiveness of the judiciary will actually be, and this has already been questioned by civil society.

But the fact remains that the existing and proposed powers to collect citizens’ communications and data raise many questions and concerns for privacy. It could be argued that the powers that exist, and are being sought, when taken as a whole are so sweeping and intrusive that they call into question whether any authorisation or oversight regime could provide sufficient checks and balances to control it.

Now that the capabilities won and sought for control over people’s communications have been laid bare, the debate will start. Telecommunications companies (under the draft Bill definition) have a central role in collecting and providing a range of data, but the details of who, what, when and where are not clear. There are many questions companies should be asking about their obligations to collect data under this draft Bill and over the coming months companies should outline to the extent possible what these obligations mean, in an open and transparent way. There are also many technical terms in the draft Bill that need clear definitions and should not be muddled by any stakeholder to strengthen their own position.

The Bill should of course adequately address security needs, but it must also strengthen, safeguard, and protect human rights.