Investigatory Powers Bill: a new era for the monitoring of communications
Published on 10th Nov 2015
On 4 November 2015, the UK government published its proposed draft Investigatory Powers Bill (the “Bill”) for consultation. The Bill replaces large parts of the Regulation of Investigatory Powers Act 2000 (“RIPA”), and aims to consolidate in one place existing powers under RIPA and other existing legislation in relation to the interception of communications and the acquisition of data about communications. It also sets out a new oversight regime for these powers, and extends them to cover “internet connection records”.
Even before its publication, its content has been an emotive subject, and the current consultation on the Bill – which has no published timeframe at present – is likely to lead to further such commentary as its detail is unpicked.
In this briefing, we outline the main powers and provisions in the Bill, and highlight the key areas of change. Specifically, we look at:
- the state’s existing powers in relation to the interception of communications;
- key changes proposed by the Bill, including in relation to:
  - oversight of powers;
  - entities affected;
  - interception by law enforcement and government agencies;
  - the acquisition and retention of communications data;
  - covert access to computer and other equipment;
  - interception by businesses; and
- the next steps for the Bill.
The Bill has relevance for nearly every business and individual, not just as their data may be collected under these powers by law enforcement, but because RIPA (and in turn the new Bill) provides part of the statutory framework under which monitoring of workplace communications may take place (and provides for unlawful monitoring to be an offence).
What are the state’s existing powers in relation to the interception of communications?
Existing powers are dealt with in a patchwork of legislation.
Under RIPA, specified government agencies acquired rights to intercept communications and acquire communications data if certain criteria are met, alongside a more limited right to call for the disclosure of protected data either in plain text, or in limited circumstances alongside the relevant encryption key.
Related powers exist under other legislation, notably the Intelligence Services Act 1994 and the Telecommunications Act 1984 in respect of the security services’ activities in relation to interfering with electronic equipment (such as computers and smartphones) and acquisition of bulk data respectively.
RIPA was amended by the Data Retention and Investigatory Powers Act 2014 (“DRIPA”) last year after the EU data retention directive was struck down by the Court of Justice of the European Union. However, as well as addressing issues in relation to acquisition of communications data in the light of that decision, DRIPA also broadened the definition of telecommunications service to cover internet-based services and clarified that a number of RIPA provisions were to have extra-territorial effect outside the UK.
The consequence of this was that any telecommunication service provider based anywhere in the world who offers telecommunications related services to customers in the UK can be served with an interception warrant under RIPA.
Key changes proposed by the Bill
As published, the Bill is around 200 pages long. While we have highlighted the main aspects below, it should be borne in mind that there is a fair amount of additional detail in the Bill.
Oversight
The Bill introduces an oversight model consisting of a new Investigatory Powers Commissioner (“IPC”) alongside a number of Judicial Commissioners. The IPC and the Judicial Commissioners must all hold, or have held, a high judicial office. In practice this means that they must each have been at least a High Court judge.
The IPC will have an oversight function to audit, investigate and scrutinise the exercise of the various powers in the Bill. As discussed below, the Judicial Commissioners’ role is to authorise interception warrants.
Entities caught by the Bill: more businesses will be subject to the Bill
Although RIPA regulated both public and private telecommunications services and systems, the majority of the provisions in the Bill do not differentiate between public and private systems and services. Consequently, more businesses will be subject to the terms of the Bill, even if they do not provide these services to the general public.
Under the Bill, a telecommunications operator is anyone who:
- provides access to, or facilitates the making use of, telecommunications systems; or
- controls or provides a system for the purpose of facilitating the transmission of electronic communications.
The broadening of the definition of telecommunications service introduced by DRIPA is retained, meaning that the providers of internet-based services (such as over-the-top communications providers and software platforms that provide and support online digital communications) are likely to fall within the definition of a telecommunications operator.
For the majority of the provisions in the Bill, there is no requirement that these systems or services are directed at the public. For example, the requirement to maintain technical capabilities (such as to remove electronic protection of communications) and to retain certain information for 12 months after being issued with a notice will now apply to both private and public telecommunications operators. (Previously, the maintenance requirements only applied to public telecommunications operators.)
Interception warrants (discussed in further detail below) can be served on anyone. Those who fall within the definition of telecommunications operator are more likely to receive such warrants, as they have the capability to intercept communications in the course of their transmission, but the Bill does not formally restrict warrants to operators.
Interception by law enforcement and government agencies, and interception warrants
The powers of interception under the Bill are largely unchanged from the powers under RIPA. Five law enforcement agencies, MI5, GCHQ, SIS and the Ministry of Defence, can all seek a warrant to intercept the content of a communication in the course of transmission for the purposes of:
- national security interests
- the prevention or detection of serious crime
- the economic well-being of the UK to the extent relevant to national security
- giving effect to international mutual assistance arrangements.
In a similar manner to the powers under RIPA (as amended by DRIPA), these powers have extra-territorial effect and can be directed to telecommunications operators outside the UK if they offer services to customers in the UK.
Pre-publication discussions centred around who would have the power to issue interception warrants under the Bill. The government proposes that warrants will be issued via a double-lock process. The first tier will be authorisation by the Secretary of State, based on whether the interception is necessary and proportionate. This must be followed by the approval of one of the Judicial Commissioners (a new group of senior judges) before the warrant can be issued. In urgent cases the Secretary of State can issue an urgent warrant, but this must be followed up by the approval of a Judicial Commissioner within five working days.
If a Judicial Commissioner does not approve a warrant, then they must set out written reasons for the refusal. The Secretary of State may appeal to the IPC but if the IPC also refuses to issue the warrant then there is no further right of appeal and the warrant cannot be issued.
Overall, businesses and the public are likely to welcome the greater judicial scrutiny of these powers. However, it remains to be seen whether the involvement of the Judicial Commissioners will have an appreciable effect on the number of warrants issued.
Additional safeguards are proposed for MPs: the Secretary of State must consult with the Prime Minister before authorising a warrant in relation to these individuals, effectively writing the “Wilson Doctrine” into law.
However, no particular safeguards are included in respect of legally privileged communications (beyond the double-lock warrant process in the same way as any other interception). Separately, the acquisition of legally privileged, journalistic and other sensitive communications data will be considered in a new code of practice to be issued by the Secretary of State.
Communications data: acquisition
Communications data is information about communications – in effect the “who”, “when”, “where” and “how” data relating to communications – but not their content. The existing provisions around providing data have been overhauled.
Public authorities may request this data from any telecommunications operator (not just those offering services to the public) provided that this request is authorised by a designated person following consultation with a single point of contact. Notably, the disclosure of this information continues not to require a warrant.
As a counterbalance to the above rights and a check on potential abuse, a new criminal offence of wilfully or recklessly acquiring communications data will be created.
Communications data: retention
The Bill includes a power to require telecommunications operators to retain communications data for up to 12 months (in effect ensuring it is available for access under other powers in RIPA). This broadly replicates the position under the old regime.
However, the Bill does introduce a new requirement on operators to retain “internet connection records” for up to 12 months. Although this term is used extensively in the Bill’s guidance notes, it is not actually used in the Bill itself. The Bill refers to “internet protocol address, or other identifier, of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program”.
The guidance notes are clear that this is a record of the internet services that the device connects to (such as the website or app) rather than the particular page viewed or communications sent. In the announcement in the House of Commons, the Secretary of State likened this to an itemised phone bill, which has been brought up-to-date to deal with modern technology.
This is a key change for telecommunications operators, and this concept will require closer scrutiny by business over the coming months. The duty to retain such information may prove to be a significant burden, especially in light of cyber-attacks and hacking when such information could be at risk of third party attacks and access. In some respects, this requirement fits uneasily with data protection legislation requirements to delete such information as quickly as possible and to make reasonable efforts to keep it secure.
Covert access to computer and other equipment
The Bill contains express provision to enable warrants to be issued permitting MI5, GCHQ, SIS, law enforcement and the Ministry of Defence to covertly obtain private data from computers and other equipment. This is the first time that these powers have been clearly laid out in legislation.
There is also a duty on telecommunications operators to assist with this covert recovery of data if they are presented with a warrant, although this has to be authorised by the Secretary of State. This would include assisting the security services in by-passing the relevant encryption, although there is no ban on the use of encryption in services which operators provide.
Rules for UK intelligence to continue programmes for bulk collection and analysis of data
The Bill also expressly lays out the powers of the security services to undertake the bulk collection of communications data. In a similar manner to the powers of interception, MI5, GCHQ or SIS are able to apply for a warrant if the bulk collection is in the interests of national security or if required for serious crime or economic well-being. The warrant must be authorised by both the Secretary of State and a Judicial Commissioner.
The Bill seeks to safeguard the storage of data acquired through bulk collection and restricts the ability to access and copy such information.
The Bill also includes provision for the access of any data acquired under a bulk collection. Permission will have to be sought on the grounds that it is necessary for a specific operational purpose and this must be accompanied by a warrant authorised by both the Secretary of State and the Judicial Commissioner.
Interception by businesses
Unlawful interception will remain a criminal offence. Interception with the consent of the sender and recipient will be permitted. In addition, the Secretary of State may make further regulations authorising interception by businesses for monitoring and record keeping purposes.
Under RIPA, regulations (commonly known as the Lawful Business Practice Regulations) permitted businesses to record or monitor communications without the consent of all parties if the monitoring or recording was relevant to the business. The Bill does not expressly repeal the Lawful Business Practice Regulations and it is unclear at present whether this will continue in force or whether it will be replaced by new regulations on the subject.
When the position is clearer, businesses will need to assess whether their current monitoring and interception activities (e.g. in relation to email and ‘phone calls) continue to be permitted.
Retained Powers
The Bill does not propose repealing all of RIPA. The Bill only expressly repeals Part 1, and Parts 2 and 3 look likely to remain. Part 2 deals with surveillance and covert human intelligence sources, and Part 3 with investigation of electronic data protected by encryption – the power (controversial when originally introduced) to call for the disclosure of protected data either in plain text, or in limited circumstances alongside the relevant encryption key. There is an additional right in the Bill on telecommunications operators to maintain capabilities to remove electronic protection. Again this has wide application to public and private operators, in this instance to retain the ability to decrypt communications. This is a general extension of the provisions within RIPA.
Next steps
At this stage, the Bill is being published for public consultation. Following this consultation, the government plans to introduce a formal Bill to Parliament in 2016. It will then have to pass through the various committee stages and will face further scrutiny both within and outside Parliament. While criticism outside Parliament has already surfaced, the Bill appeared to have broad support during its presentation to the House of Commons, so it remains to be seen how extensive any further changes will be in practice.