Privacy

Taking Stock of the Snoopers' Charter: The U.K.’s Investigatory Powers Bill

By Daniel Severson
Monday, March 14, 2016, 12:17 PM

The United Kingdom is considering its largest overhaul of laws governing electronic surveillance in 15 years. On March 1, the U.K. Home Secretary, Theresa May, introduced the Investigatory Powers Bill, a detailed and technical 245-page bill that proposes to update and consolidate the United Kingdom’s surveillance authorities for the intelligence and security services, as well as law enforcement. The bill provides for interception and retention of communications content and metadata, as well as equipment interference (that is, hacking) and decryption. For the first time in the United Kingdom, the bill also introduces judicial supervision of warrants authorizing these powers.

The bill is scheduled for its second reading in the House of Commons on Tuesday. The shadow home secretary, Andy Burnham, has pledged to challenge the bill over privacy protections. If Labour MPs abstain from voting on the so-called “Snoopers’ Charter,” it will almost certainly pass; Labour votes against could scupper the bill.

This post describes the context of the bill, its key provisions, and next steps.

 

Purpose and Context

In introducing a draft of the bill last November, Theresa May described its intended purpose as follows:

This Bill will govern all the powers available to law enforcement, the security and intelligence agencies and the armed forces to acquire the content of communications or communications data. These include the ability to retain and acquire communications data to be used as evidence in court and to advance investigations; the ability to intercept the contents of communications in order to acquire sensitive intelligence to tackle terrorist plots and serious and organised crimes; the use of equipment interference powers to obtain data covertly from computers; and the use of these powers by the security and intelligence agencies in bulk to identify the most serious threats to the UK from overseas and to rapidly establish links between suspects in the UK.

The United Kingdom previously tried to update surveillance authorities with the Draft Communications Data Bill 2012. The Coalition Government had to abandon the bill, however, after the release of highly-critical reports and divisions emerged between Conservatives and Liberal Democrats.

The Investigatory Powers Bill follows three major reports issued in 2015 on investigatory powers: the government’s independent review of anti-terrorism legislation (the so-called Anderson Report), a report by the Royal United Services Institute (RUSI Report), and findings by the Intelligence and Security Committee of Parliament (ISC Report). Those reports concluded that the legislative framework needs to be modernized, and they formed the basis for the Investigatory Powers Bill.

The current bill emerged after three parliamentary committees conducted extensive pre-legislative scrutiny of a draft bill in February. The Joint Committee considered some 148 pieces of written evidence and heard 56 oral witnesses, producing a 169-page report. The Joint Committee’s work is available here. The Intelligence and Security Committee and the Science and Technology Committee reports are available here and here.

The Government reportedly accepted the “vast majority” of the three committees’ 198 recommendations. On March 1, the Government issued a set of Explanatory Notes to accompany the bill.

The Investigatory Powers Bill consolidates powers found across some 65 Acts of Parliament and abolishes various pieces of legislation such that acquiring communications data will only be permissible pursuant to its procedures and safeguards. The Bill does not replace the Acts governing the United Kingdom’s intelligence and security services.

 

Important and Controversial Provisions

The bill has 233 sections and runs 245 pages. Here are some of the highlights of the bill’s key provisions:

One new power. The bill expressly names various investigative powers that the Government had previously left obscure or unacknowledged until only recently. The Government claims that the bill provides only one new power—the authority to require communications service providers (CSPs) to retain Internet connection records (ICRs), a type of communications data (that is, metadata). ICRs are web logs—records of the Internet services a particular device has connected to, but not every webpage or activity on particular webpages. The bill would give the Secretary of State the power to require CSPs to keep records of ICRs for one year for all Internet users, whether or not they are suspected of a crime. CSPs worry about amassing such information, which could then be subject to theft, misuse, or abuse.

Equipment interference. Also known as hacking, equipment interference can include remotely accessing computers or phones, implanting malware, covertly downloading information, or bypassing security on seized equipment. The Government states that the bill introduces no substantive changes to the existing equipment interference regime; the bill merely makes the powers more visible to industry and the public.

A targeted equipment interference warrant would require a person to interfere with electronic equipment in order to obtain “communications,” “equipment data,” or “any other information.” A second type of warrant—a targeted examination warrant—would authorize the review of protected information obtained through bulk equipment interference.

The intelligence services may obtain equipment interference warrants if necessary in the interests of national security, to prevent or detect serious crime, or in the interests of the “economic well-being of the United Kingdom.” The police may obtain equipment interference warrants only if necessary to prevent or detect serious crime, or to protect life or locate a vulnerable person.

Decryption. Pursuant to clauses 217 and 218, the Secretary of State may serve “technical capability notices” on CSPs in order to facilitate assistance with authorizations under the bill. This could include obligations to remove “electronic protection applied by or on behalf of that operator to any communications or data.” A “technical capability notice” may be served on someone outside the United Kingdom (and require action outside the United Kingdom). But before giving a notice, the Secretary of State must consider the cost and technical feasibility of compliance.

Not surprisingly, these provisions are controversial. Tech firms Apple, Facebook, Google, Microsoft, Mozilla, Twitter, and Yahoo raised concerns in written testimony on the draft bill, including about the prospect of being required to decrypt end-to-end encryption.

The Government issued a factsheet on encryption, maintaining that the bill does not require installing backdoors and asserting that the bill merely retains and clarifies existing authorities for the Government to require CSPs to maintain the ability to remove encryption from communications.

Warrants and judicial authorization. The bill introduces judicial approval of warrants issued by the Government. Here’s how the so-called “dual lock” works. The Secretary of State can issue a warrant for interception of communications (Part 2), equipment interference (Part 5), and bulk powers (Parts 6 & 7) when he or she believes the warrant is necessary on specified grounds (e.g., in the interests of national security or to detect or prevent a serious crime) and the conduct authorized is proportionate to what is sought to be achieved.

This ministerial authorization is subject to subsequent approval by a Judicial Commissioner (a current or former high-level judge appointed by the Prime Minister). In deciding whether to approve warrants, Judicial Commissioners will review the Government’s conclusions whether the warrant is “necessary” and “proportionate.” In doing so, the Judicial Commissioners apply the same principles a court would apply on an application for “judicial review.”

Under U.K. law, judicial review is distinct from an appeal. Judicial review is defined here as “a challenge to the way in which a decision has been made, rather than the rights and wrongs of the conclusion reached.” Similarly, the Home Office’s “Judicial Review Guidance” states: judicial review “is different from a statutory appeal because the court should not normally substitute what it thinks is the ‘correct’ decision; it will only decide whether the decision made was lawful.”

Privacy groups worry that the judicial review test means Judicial Commissioners will merely review the lawfulness of the decisionmaking process under a deferential standard, rather than considering the merits, or individualized suspicion, of a warrant. Writing in the Times, Lord Pannick QC defended the judicial review standard as adopting “the right balance” between deference to the home secretary and responsibility to scrutinize. The bill and explanatory notes do not provide additional guidance on judicial review, and it could remain an area of contention as the bill moves forward.

Oversight. The bill creates a surveillance watchdog in the form of the Investigatory Powers Commissioner (IPC) and other Judicial Commissioners. The IPC audits, inspects, and investigates the Government’s use of investigatory powers and makes annual reports to the Prime Minister about the carrying out of the functions of the Judicial Commissioners.

The bill also provides a process whereby persons can be notified of serious errors in the use of investigatory powers and then bring cases before an Investigatory Powers Tribunal (IPT) with a right of appeal. The bill also creates a Technical Advisory Board representing the interests of industry affected by notices and warrants issued under the proposed statute.

Retention of communications data. The Secretary of State may issue a notice requiring CSPs to store their customers’ metadata (including to/from, time/duration, and type/method/pattern of communication) for up to one year. The recipient can challenge a notice as unreasonable and refer it back to the Secretary of State, who must then confer with the Technical Advisory Board and the Investigatory Powers Commissioner to determine whether to revoke, vary, or confirm the notice. Overseas operators may comply with a retention notice but are not compelled to do so.

The tech industry is concerned about compliance costs for data retention. The Government declined to include 100% cost recovery in the Bill, but supporting documents clarify that the Government intends to continue its policy of reimbursing 100% of such costs.

Bulk powers. The Investigatory Powers Bill consolidates bulk powers that are already available to the intelligence and security services under existing legislation: bulk interception (Regulation of Investigatory Powers Act 2000), bulk equipment interference (Intelligence Services Act 1994), bulk personal data (Intelligence Services Act 1994 and Security Services Act 1989), and bulk communications data (Telecommunications Act 1984).

Following pre-legislative scrutiny, the ISC Report noted that “the Committee has not been provided with sufficiently compelling evidence as to why the Agencies require Bulk Equipment Interference warrants, given how broadly Targeted Equipment Interference warrants can be drawn.”

The government responded to this and other concerns about bulk powers by publishing an “Operational Case for Bulk Powers.” The 47-page document asserts that bulk powers have “played a significant part in every major counter terrorism investigation of the last decade . . . .”

Privacy protections. The Intelligence and Security Committee—a cleared committee with access to sensitive intelligence information—raised concern that privacy protections were inconsistent and did not feature more prominently in the bill. The Committee recommended adding a new Part that would spell out the privacy safeguards that would apply across the full range of investigatory powers, such that privacy protections form “an integral part of the legislation, not merely an add-on.” In the event, the Government merely added the word “privacy” to the title of Part I.

Extraterritorial effect. The Bill’s authorizations for obtaining and retaining communications data (Parts 3 and 4) would apply extraterritorially to overseas communications service providers (CSPs) that handle communications of U.K. citizens. Civil proceedings are not available against persons outside the United Kingdom subject to retention notices.

Transparency. The bill consolidates and expressly mentions the powers available to the intelligence and security services. David Anderson QC, author of the Anderson Report, wrote in The Telegraph that the Bill “gets the most important things right. By avowing every one of the remarkable powers that police and intelligence agencies exercise or aspire to, it restores the rule of law and sets an international benchmark for candour.”

Cost. The Government estimates the Bill will cost the public purse £247 million over 10 years. The Government is working with Internet and telecommunications companies to establish estimates for costs of compliance.

 

What happens next?

The Data Retention and Investigatory Powers Act 2014 sunsets in 2016, so the Government seeks to get legislation passed by the end of December.

The Government formally introduced the bill for its first, formal reading on March 1. A second reading in the House of Commons is scheduled for Tuesday, March 15, at which time members can debate the bill’s main principles. If the bill passes a House vote, it will proceed to the committee stage for line-by-line scrutiny and amendments. A Public Bill Committee could devote up to 20 sessions to the draft bill. The House of Lords will also consider the bill. Both Houses must agree on the text of the bill, and the bill could shuttle back and forth between Houses—a stage sometimes called “ping pong”—before the final language is reached. Finally, the bill becomes an Act with Royal Assent. You can track the progress of the bill through Parliament at this site.

Topics: