“There is still an element of vagueness about encryption” – Graham Smith on UK’s Investigatory Powers Act
Just a month after the UK passed the Investigatory Powers Act, the Court of Justice of the European Union (CJEU) ruled that EU countries cannot force telecommunications companies to retain communications data of all customers. The ruling has serious implications for the IP Act, which will, when it comes into force next year, entrench the bulk surveillance powers of UK authorities. It will also extend existing powers in several ways. Even though Tresorit is not a UK company and, by design, cannot decrypt user files, many of our users in the UK are concerned about their privacy in general. Thus, we have asked leading internet law expert Graham Smith, a UK Partner at international law firm Bird & Bird about the recent ruling and the details of the IP Act.
What are the implications of the CJEU ruling for the IP Act?
This is a very significant judgment. The UK case will now go back to the Court of Appeal, which will have to decide on the validity of the Data Retention and Investigatory Powers Act (DRIPA) in the light of the CJEU ruling. The CJEU has laid down a series of requirements, at least some of which are clearly not present in DRIPA.
The future UK significance of the CJEU judgment lies in its effect on the data retention provisions of the new IP Act, which will replace DRIPA on 30 December. Some of the CJEU’s requirements may be addressed relatively easily by changes to the IP Act, but others may cause the UK government serious difficulties. The IP Act extends compulsory communications data retention to so-called Internet Connection Records (site-level web browsing histories). ICRs are more intrusive than ordinary communications data and they are likely to raise further issues about the implications of the CJEU judgment.
What were the most significant changes of the IP Act compared to DRIPA, the current legislation?
The government view is that the Investigatory Powers Act introduces only one new power: retention of Internet Connection Records. However, ICRs are an extension of the existing data retention powers. If that counts as a new power, we should add other extended powers as well.
The extension of data retention powers to Internet Connection Records means that Internet Service Providers can be required, by notice, to generate and retain site-level web browsing histories of users. A notice would require an ISP to conduct the specified data retention on a continuing basis and keep the data for up to one year (however, it would not necessarily be the full year for all types of data). Each ISP would keep its own database and a “request filter” would enable authorities to conduct a federated search over the databases.
Another extension is that the data retention powers can be applied to all communications data, not just that relating to human to human messages such as email and instant messaging as under the existing legislation. The new power can be applied much more widely than that, for example to machine to machine communications as well.
Numerous authorities can self-authorise to request communications data, although there are restrictions on access to ICRs and to data regarding journalistic sources. Communications data, including ICRs, can also be acquired in bulk by the intelligence agencies via a bulk communications data acquisition warrant for which Judicial Commissioner approval is required.
The type of operators against whom powers can be exercised is extended, too: most of the powers in the existing legislation could be used only against public telecommunications operators who are providing their services to the general public. The Investigatory Powers Act powers can be applied to operators of private networks (for example businesses, cafes, libraries or schools in the UK). Whether the powers will actually be used that broadly is another matter.
What kind of companies are in the scope of the Act?
Generally, the IP Act powers can be applied to “telecommunications operators”. That is deliberately defined very broadly to cover not just telecommunication companies and ISPs, but also webmail providers, social media platforms, and cloud-based services. The definition includes (in addition to the provision of telecommunications access), any case “where the service consists in or includes facilitating the creation, management or storage of communications that is transmitted or may be transmitted by means of such a system”
Does the Investigatory Powers Act apply to non-UK companies, as well?
The scope of the Act generally is not restricted to operators within the UK. It also applies to a non-UK company that is providing a service to persons in the UK. However, every individual kind of power, warrant or notice can have its own slightly different variation on how far it can be exercised or enforced territorially. Some can be used against non-UK companies. Some can require a non-UK company to take steps outside the UK to comply, which is important if the non-UK company has its equipment outside the UK. It may be taken into account whether compliance with the UK law might be contrary to the law of the country in which a non-UK operator has to take steps. Such provisions may help resolve issues when a provider finds itself caught between the laws of the UK and another country. Some powers state that a non-UK company has to comply but the enforcement mechanism does not apply to it.
What are the implications for businesses that fall into the category of telecommunication operators? Should they start preparing in any way?
Companies do not have to do anything unless and until they receive a notice or a warrant. A data retention or technical capability notice would not be a notice “out of the blue”, because the authorities have to consult with the company first. Although the powers can apply to different kinds of operators, there is a significant difference between the width of the powers and how they are likely to be exercised in practice. As far as costs are concerned, there is a scheme whereby the government contributes to the costs of companies served with a notice or warrant.
Do you think that most of the notices and warrants are going to be served to the telecommunications providers rather than individual businesses (for example, small network providers such as cafés)?
The Act itself does not distinguish between large and small telecommunications operators. So, according to the letter of the Act, any of the warrants and powers could apply to a small ISP. However, the draft Codes of Practice suggest that the powers mandating permanent capabilities or data retention will generally be applied to the larger players.
A communications data acquisition notice is more likely for some kinds of business. For instance, a hotel can be served with a communications data acquisition notice already under the existing laws, requiring it to hand over communications data about the use of phone or internet connection by a particular guest. However, that is different from imposing mandatory data retention.
While the IP Bill has been under debate, companies who already are obliged to retain various types of communications data under the existing Data Retention and Investigatory Powers Act have been in discussions with the authorities about retention of internet connection records.
There were discussions about the Act giving powers to UK authorities to require technology companies build backdoors into end-to-end encrypted systems. What does the Investigatory Powers Act say on encryption?
In some ways, this is not a new debate. The existing Regulation of Investigatory Powers Act (RIPA) already provides for interception capability notices, mandating permanent interception capabilities. Since 2002, there has been a provision under this law effectively reflecting the expectation of law enforcement that if a provider is responding to an interception warrant and has the ability to decrypt the interception product, then it should do so and hand over the interception product in plaintext to the intercepting authority.
The Investigatory Powers Act extends capability notices from interception to cover most kinds of warrant and power. As with the existing legislation, under the Investigatory Powers Act a technical capability notice can require a removal of the encryption applied by a service provider or on its behalf. A technical capability notice will require the approval of a Judicial Commissioner.
This has become a big issue because now, unlike in 2002, end-to-end encryption facilities may be provided by service providers rather than just being a standalone piece of encryption software.
The question is, could a technical capability notice require a provider to change its business model so as to ensure that it has the ability to decrypt? This is an area where there still is an element of vagueness about whether a technical capability notice could be used in that way.
How will the Investigatory Powers Act affect companies who also have to comply with the EU’s General Data Protection Regulation (GDPR)? What happens after Brexit?
The GDPR will come into force while the UK is still in the EU. After Brexit, if the UK becomes a third country (as the USA is at the moment), the European Commission will be expected to make an adequacy decision on the UK’s level of data protection. In that situation it could and would look at the surveillance practices in the UK, similarly to what it has done with the EU-US Privacy Shield. Areas where there may be questions could include bulk powers (as with the US) and mandatory data retention.
What is the background of the IP Act? Why was an update needed to the existing legislation in the UK?
The first driving force was Snowden’s revelations about the scale of bulk interception activities, not only in the US by the National Security Agency but also by the UK Government Communications Headquarters (GCHQ). Further disclosures by the UK government followed. The reasoning behind the Bill was, rather than have legislation that obscures how powers will be exercised as much as sheds light on them, a comprehensive and understandable piece of legislation was needed. It would set out clearly and fully the type of powers that would be exercised and what the agencies and law enforcement could and could not do. The second cause was the change of government in 2015. When the Conservative government came into power, it went forward with extended mandatory data retention powers proposed in the 2012 Draft Communications Data Bill, nicknamed the Snooper’s Charter. This draft legislation was blocked by the Liberal Democrats back then, but now many of its ideas have found their way into the new IP Act.
|About Graham Smith: Partner at Bird & Bird LLP, based in London, UK. As one of the UK’s leading Internet law experts, he is specialized in internet, IT and intellectual property law. He has advised companies on lawful access issues under RIPA. He gave evidence to the Joint Parliamentary Committee that conducted pre-legislative scrutiny of the Investigatory Powers Bill. He tweets under @cyberleagle and you can follow his blog here: www.cyberleagle.com.|