The ability of law enforcement authorities to access and intercept customer data is once again being debated in the UK Parliament, with a first draft of the Investigatory Powers Bill (the “IPB”) having been read on 4 November 2015.
Following the defeat of the Communications Data Bill (the ‘Snoopers’ Charter’) in 2013, and the High Court declaring s.1 of the Data Retention and Investigatory Powers Act 2014 (“DRIPA”) invalid and suspending it until 31 December 2016, the problems of outdated legislation, the lack of central oversight and the need for judicial control have not diminished over time. Consequently, the IPB is intended to bring together all of the powers already available to law enforcement and security agencies to intercept, acquire and retain communications data, in one coherent and comprehensive Act.
Currently, the powers to be amalgamated under the IPB are found in DRIPA, the Wireless Telegraphy Act 2006, the Justice and Security Act 2013, Part I of the Regulation of Investigatory Powers Act 2000 (“RIPA”) and the Police Act 1997, and are considered by many as outdated and inadequate. Additionally, when the existing legislation was reviewed by David Anderson QC, as part of a review into the terrorism legislation, this status quo was described as “undemocratic, unnecessary and – in the long run – intolerable” and was criticised for its lack of oversight and unchecked executive control.
The IPB proposes a new statutory basis for the interception of data, access to and retention of communications data – which now includes internet connection records (“ICRs”) – and equipment interference, and also details the procedures for authorisation of “bulk acquisition warrants” on all of the above. Additionally, it introduces a “double lock” procedure, a requirement for executive and judicial approval for warrant authorisations (required for interception and access to communications data and equipment interference) whether for bulk requests or isolated instances. Previously, warrants were authorised by the Secretary of State. However, under the IPB, all warrants would be subject to a further check by a Judicial Commissioner, who must apply the same principles to the application of a warrant as to an application for judicial review.
Under the IPB, subject to the “double-lock” warrant authorisation, law enforcement agencies, security services, intelligence agencies and (in limited circumstances, and excluding internet connection records) public authorities will be able to:
- intercept data – the actual content of a communication;
- access communications data – the who, what, where and when of a communication;
- interfere with electronic equipment in order to obtain data from a device;
- request bulk warrants for interception, access or interference; and
- access internet connection records – a record of the internet services a specific device has connected to, without revealing every webpage visited or the activities conducted on that webpage.
Notably, the IPB will not impose any additional requirements in relation to encryption over and above the existing obligations in RIPA, which require persons in possession of protected information (i.e. encrypted information) to disclose it in an unencrypted form, and to disclose the electronic “key” when necessary and proportionate.
Additionally, the IPB details a stronger oversight regime, as required by the EU, and as demanded by the public. The IPB proposes the creation of a single, new, independent and more powerful Investigatory Powers Commissioner (“IPC”), abolishing the previous offices of the Interception of Communications Commissioner, the Chief Surveillance Commissioner and the Intelligence Services Commissioner. The IPC will have a significantly expanded role in authorising the use of investigatory powers, and a wide-ranging and self-determined remit to oversee any aspect of how law enforcement, security services and intelligence agencies use the powers and capabilities available to them.
The most frequent concern, for organisations and individuals alike, is likely to be the security of the data collected and retained under the IPB. Whilst many people recognise the need for up-to-date legislation, and appreciate that the digital age leads – almost naturally – to the retention of meta-data, such as communications data, the concern is how securely that data is stored. Following the recent hackings of Ashley Madison and TalkTalk, consumer concerns over the security of data and who has access to it are rightly increasing. If the Government wish for the IPB to pass into law, many difficult discussions will surely occur over how to balance access to data and its security.
Unlike the changes proposed in the Communications Data Bill, the territorial reach of the IPB is narrower. For example, providers in the US will not be asked to comply with UK laws, breaking domestic law in the process. How the Government will achieve the interception, acquisition and decryption of data from overseas communications service providers remains to be seen; however, it is likely to be via a treaty negotiation. The issue of, and need for, a pan-European or global regime for data collection is unlikely to diminish over time.
Additionally, the issue of encryption is unsolved as Part III of RIPA – which details the procedure for the investigation of data protected by encryption – will remain in force. The explanatory notes to the IPB confirm that the Government does not wish to ban companies generating encrypted data, but reiterate that companies will have to have the capacity to unlock encrypted data if asked by law enforcement, the security services and intelligence agencies. It remains to be seen what would happen in the case of a warrant being issued on a communication service provider to decrypt data when they have implemented end-to-end encryption (for example, of the type used in Apple iMessages and WhatsApp) and therefore have no access to such data, and deliberately promote their services as having this functionality.
The Government has been placed in the unenviable position of achieving national security whilst maintaining individuals’ privacy, in a world where the collection and analysis of big data is prioritised, whilst also being hazardous due to the ever-present problem of cybercrime. Consequently, the IPB will undoubtedly be subject to a raft of necessary public and Parliamentary scrutiny, and the legislation that receives Royal Assent may well look very different to the draft IPB published on 4 November 2015.