Surveillance

Snoopers’ Charter: Extreme Surveillance Becomes UK Law

By Jillian Ventura
Friday, December 2, 2016, 2:31 PM

Earlier this month, after more than a year of debate and amendments, the the (IP Bill), a law that authorizes surveillance powers virtually . The bill, dubbed the “” by its critics, provides a major overhaul of existing surveillance laws and gives the UK government sweeping spying capabilities over its citizens. The bill includes provisions regarding interception and retention of communications data, equipment interference (also known as hacking), and bulk powers. The , for the first time, judicial supervision of warrants authorized to carry out such powers. After clearing its last Parliamentary hurdle on November 16 in the House of Lords, the IP Bill was officially passed into law after .

This post discusses the Bill’s important and controversial provisions, and examines future hurdles that it may encounter.


Important and Controversial Provisions

The IP Bill has 273 sections and runs 304 pages long. Below is a summary of its key provisions.

Offense of Unlawfully Obtaining Communications Data. The IP Bill contains for “knowingly or recklessly obtaining communications data from a telecommunications operator without lawful authority” (Part 1). The offense carries a prison sentence of up to two years.

Warrants and Judicial Authorization. The bill introduces, for the history, judicial approval of warrants issued by the Government (Part 2). Warrants now receive two levels of approval before being issued, a so-called “double lock” authorization process. First, the Secretary of State may issue a warrant for the interception of communications (Part 2), equipment interference (Part 5), and bulk powers (Parts 6 and 7). The Secretary must consider the warrant to be necessary (i.e. for national security, preventing or detecting crime, or the economic well-being of the UK) and proportionate to what is sought to be achieved. A Judicial Commissioner then reviews the decision regarding necessity and proportionality before the warrant is ultimately granted.

Warrantless Interception of Communications. The bill provides for warrantless interception for administrative or enforcement purposes, including by or on behalf of a telecommunications service (Part 2). This includes the content of communications transmitted by such services. The interception of such communications can also be carried out in response to “a request made in accordance with a relevant international agreement.” This means that communications interception can be done for or against individuals living outside of the UK. For more information on the interception of communications, see the .

Access to ICRs. A warrant is not necessary for relevant public authorities to access ICRs; instead, only a sign-off by a "designated senior officer" is required if the authorization meets three conditions laid out in Part 3. This means they can approve their own access. Importantly, public authorities under this bill include not only police and intelligence services, but also government departments, revenue and customs officials, and even the Food Standards Agency and Gambling Commission. For a full list, contained in , see .

Data Retention. The Secretary of State can require telecommunications companies, through a “retention notice,” to retain relevant communications data for up to a year (Part 4). This notice can require the retention of all data by a company. Data includes the sender or recipient of communications, the time or duration, the type, method or pattern, and all ICRs of every website, app and messaging service a person has used (). The this information the modern equivalent of an itemized phone bill, while critics (see and ) say it's more like a personal diary. The company may also retain data for persons or conduct outside the UK, and it is the responsibility of the company to put in place relevant security systems to protect access to such data.

Equipment Interference. Equipment interference warrants may be issued to authorize interference with any equipment for the purpose of obtaining communications data, equipment data or other information (Part 5). These warrants may authorize physical interference (e.g. downloading data from a possessed device) or remote interference (e.g. installing software to remotely extract information). This allows the gathering of data from ".” For more information, see the .

Bulk powers. The IP Bill that are already available to intelligence and security services under existing legislation into a single Bill.

  • Bulk Personal Data Sets (BPDs). Intelligence services may retain bulk personal datasets by warrant (Part 7). These millions of records about phone calls, travel habits, Internet activity and financial transactions from a wide range of people, to security and intelligence agencies. Although the ability to acquire BPDs is not a new power, the bill seeks to place the practice on firmer legal footing. Here, too, the bill authorization by requiring the issuance of warrants by the Secretary of State, approved by a Judicial Commissioner. A draft code of practice can be found .
  • Bulk Warrants. A warrant for bulk interception may be issued if the main purpose of the warrant is to intercept overseas-related communications or to obtain secondary data (any data comprised in, attached to, or logically associated with a communication) (Part 6). Bulk acquisition warrants may also be issued, which would require telecommunications operators to obtain and disclose communications data specified in a warrant. Finally, bulk equipment interference warrants, which require a person to whom the warrant is addressed to secure interference with equipment for the purposes of obtaining communications, equipment data, or any other information, may be granted. All warrants under this part security and intelligence agencies.

Oversight. The bill provides oversight in the form of an Investigatory Powers Commissioner (IPC) and Judicial Commissioners (Part 8). The Prime Minister is tasked with appointing an IPC as well as Judicial Commissioners to carry out the functions of the IPC. The IPC is tasked with audit compliance, including the undertaking of investigations, while the Judicial Commissioners provide oversight functions. These include the acquisition, retention, use or disclosure of communications interception, communications data, secondary data, bulk personal datasets and the operation of safeguards to protect privacy. The IPC must also submit an annual report to the Prime Minister regarding the carrying out of functions by the Judicial Commissioners.


Potential Hurdles

The bill has now received Royal Assent, which means that it will when the Data Retention and Investigatory Powers Act (DRIPA) legislation expires. The program is likely to be , with massive effects on the legal scope of British surveillance. Still, looming questions remain, including how the law will work in practice and what effect it will have on the .

Although public opposition to the bill was muted, in part due to its passage being , a new petition passed on Parliament’s webpage last Saturday that may allow . The petition has already reached . According to the , petitions that reach this number of signatures are almost always debated in Parliament, and must at least be considered. The , however, and is .

The bill is also likely to be challenged in court in upcoming months. Just one month before the passage of the bill, the UK’s —which “investigates and determines complaints which allege that public authorities or law enforcement agencies have unlawfully used covert techniques and infringed [the UK’s] right to privacy”— that British security agencies had been unlawfully collecting massive volumes of personal confidential data without adequate safeguards or supervision for nearly two decades. Relevantly, the Tribunal found that the retention of bulk personal datasets fails to comply with Article 8 of the European Convention on Human Rights. Currently, there are at least that could result in changes to some of the bill’s provisions, including a in the European Court of Human Rights that the UK’s mass collection and retention of data illegal. The European Court of Human Rights is not a European Union institution, which means that its judgments will remain (at least for now) despite its vote to leave the European Union.

Some companies are also not willing to leave this decision up to Parliament or the courts. One of the UK’s Internet providers, Andrews & Arnold, new ways to help its consumers circumvent the new bill. The company a British nonprofit, , which is planning to build a new Internet provider based on . Tor can be used to browse the Internet anonymously in an effort to help citizens protect themselves against spying. Andrews & Arnold placing its services outside of the UK, which would allow it to reduce information logged and recorded.

In any case, the implementation of the IP Bill marks a new era in UK surveillance law, though the scope of that mark remains to be seen.
