Late last year, the UK Parliament passed the Investigatory Powers Act 2016. This law builds on the Regulation of Investigatory Powers Acts and the Data Retention Laws. This law allows the Government to store all our electronic communications traffic, read the content and meta data and co-opt the product and service vendors to help them. I describe this in more detail below.
The Law was written in the aftermath of Court of Justice of the European Union’s (CJEU) ruling in the Schrems vs. Facebook case that the EU’s Data Retention Directive and hence the member state implementations were in contradiction to the EU’s human rights law, the Charter of Fundamental Rights. Parliament had considered aspects of these proposals twice before under the two previous administrations and rejected them.
This article looks at the new Law, criticises it on Human Rights grounds in that it jeopardises the right to privacy, the right to organise, the right to a fair trial and rights to free speech and on IT Security grounds in that the new regulation of encryption products jeopardises access to electronic trust and privacy. It also examines the likely impact of the recent CJEU ruling on the legality of its predecessor law, and in passing, likely conflicts with last year’s passage of the General Data Protection Regulation (GDPR) by the European Union. This article concludes with a link to the UK Government petition site, where there is a petition calling for the repeal of the Law.
What the Law does
The UK’s new Law
- establishes a judicially supervised process whereby the intelligence services can collect citizens’ electronic communications,
- the purposes for which the data maybe collected,
- the processes by which this data can accessed/reused,
- legalises the intelligence services hacking activity which would otherwise be illegal and
- establishes a process by which the government can mandate the insertion of backdoors into communications products.
In summary, the Government can now collect people’s electronic communications, these records can be accessed by a broad range of police and other public authorities, and product authors/operators can be made to co-operate in these surveillance activities. The passage of this law was opposed, eventually unsuccessfully by dontspyonus, the openrightsgroup and Liberty. It was probably not a coincidence that the Act became Law one week before the CJEU adversely ruled on the legality of its predecessor, the Data Retention & Investigatory Powers Act.
On one hand the Law’s opponents, probably accurately portray this as the authorisation of the most intrusive surveillance powers in a liberal democracy but its proponents argue it is a radical and progressive codification of oversight capability. It looks like we have the judicial authorisation of warrants for the collection of internet and telecom data, tested against proportionality and necessity, although the Independent Reviewer of Terrorism Legislation now asks why the politicians are involved at all if Judges are reviewing and approving on grounds of legal compliance as well as process.
But its opponents argue that the law has been about legalising the intelligence services current excessive behaviour; the illegality been proven by the Investigatory Powers Tribunal findings in Feb. 2015 that their secrecy on their surveillance and intelligence sharing had been illegal. This lens of legalising past questionable behaviour is useful when reviewing the impact of the new law.
The defined collection practices have been extended to include so-called internet connection records, allow the collection of one’s web history. (I review the proposed extensions in an article entitled, Labour’s Front Bench and surveillance, and classified them as legalising Aggressive Hacking, Bulk Interception, the bulk generation of personal data sets and communication acquisitions).
While the collection of data i.e. interception is under strong and senior political and judicial control, access to the collected datasets is far less constrained. The list to whom these are available includes the Police & Coastguard, Home Office Immigration department, the HMRC, the DWP (Fraud & Child Maintenance enforcement) and the Food Standards Agency & Medicines and Healthcare Products Regulatory Agency for whom there is no judicial oversight, thus no independent review that the need to view the data is necessary and proportionate. Organisations permitted to access the retained data sets also includes Local Authorities which do have judicial oversight. Another vulnerability once the bulk data sets have been collected is judicial rulings in civil cases. We are allegedly building these systems to protect ourselves against terrorism and to enhance our child protection capability; evidence from the USA, and the UK suggests that these capabilities will leak into public law enforcement over tax affairs & drug crime (at the least) as illustrated by the list of public bodies that can issue requests on the data sets. There is also UK evidence that local authorities have used their RIPA powers to enforce anti-littering laws, and school place allocation policies. The other leak is likely to be injunctions from civil disputes where publicly held data is required to resolve disputes and can be subpoenaed by the courts.
Because the legislators sought to legalise what the intelligence services had been doing the new laws restate that defence of economic security of the nation as grounds for a warrant; this is the clause and practice which empowers the intelligence services to spy on Trade Unions and their members as they exercise fundamental rights, the freedom of association and the right to organise.
The Investigatory Powers Act weakens the protected speech of journalists, lawyers, doctors and other medical staff. These are reductions in citizen’s rights of freedom of speech and privacy and in the case of Lawyers jeopardises the right to a fair trial. It also weakens the protected speech of MPs, not as much as our other professional advisors but the Wilson Doctrine, of prohibiting the intelligence services from spying on MPs and thus their constituents, is now officially dead.
Backdoors and Encryption
In the run up to publishing the Bill, there was some talk of banning encryption or at least banning encryption not vulnerable to the intelligence services. The Government claimed to have given up on that since without trustworthy encryption there can be no e-commerce. However, the Government has been given powers in §253 to issue technical notices to compel communication service providers to provide technical assistance to the intelligence services where they require it. The Register and Privacy International note that the Codes of Practice published with the Law mean that Technical Notes can be issued requiring Communication Service Provider’s (CSP) to get prior approval for products and that the Government can now legally ensure that strong encryption is not implemented or that backdoors or malware is implemented. These notes are subject to Judicial Commissioner approval and should therefore be subject to tests of proportionality & necessity, however, it remains the case that this is about complete platforms; it is not possible to use these interferences in single cases where probable cause has been demonstrated. The issuing of technical notices will be secret as will any objections and the judicial approval. Is this a problem? Whenever I have considered the constraints of decency and cost and thought, surely they wouldn’t do that, I have been wrong. There is no sense of proportionality in the Home Office or the Security Services. Looking for any self-restraint from the security services and their political masters would seem to be a bad bet. This part of the law is worrying. Backdoors impact all users, the software becomes unsafe since Kerckhoffs’s principle, that a secure system depends uniquely on the secrecy of the key is breached; the backdoor needs to be secret also.
This cannot be said too infrequently; backdoors can’t be restricted to only those for whom they were designed. They become a vulnerability subject to attack by hackers. They also jeopardise ecommerce.
If these notices are used to install backdoors or malware into systems, the UK software industry’s reputation will suffer. It’s possible that some IT companies will withdraw from the UK and that there will be an IT Security brain drain as civil IT security researchers decide to move to work elsewhere. For those who think this unlikely, I remind them that early worldwide forums developing PGP & SSH, discriminated against US citizens and residents because of the US export controls on encryption The backdoors may, some say will, become available to criminal endeavours, foreign powers and maybe even the very terrorist organisations they law is being constructed to fight.
We have another potential conflict with the GDPR which obligates data controllers to provide adequate technical protection. Using software with known backdoors doesn’t really meet this need and while UK courts and the ICO might overlook this, Courts in the rest of the EU will less forgiving.
One reaction is going to be the adoption of TOR and VPNs, and it’s likely that the Government’s reaction is going to be to ban them and control the UK DNS providers; and so the whac-a-mole game begins again.
There will be a massive chilling effect. Let’s all remember the US researcher who refuses to use Amazon because they needed their reading list to be private because it’s an indicator of their research areas and we all know that academics must be first to market with their ideas. Additionally, we need some assurance that the State’s algorithms can tell the difference between citizen’s legitimate research, on say the Middle East vs. potential terrorists conducting other research.
Is it legal?
Opinion is divided on whether the IP Act contradicts the EU’s Data Protection and Privacy Laws. The Court of Justice of the European Union’s ruling, that struck down both the Safe Harbour treaty with the US and the EU’s Data Retention Directive, which gave legal power to collect what is basically private data is based on the Court’s reading of the Charter of Fundamental Rights and the Data Protection Directive. The UK Government’s reaction to this ruling under threat from the CSPs was to relegalise the service provider’s data retention obligations with the Data Retention and Regulatory Powers Act (DRIPA). The Investigatory Powers Act replaces DRIPA which authorises the government and CSPs to hold records on communications on a bulk basis. We now know that DRIPA has been declared as contrary to EU Law by the CJEU. Since this ruling and because of its grounds, there is now a huge question mark on the legality of its successor, the Investigatory Powers Act.
The CJEU has ruled that general monitoring is illegal, that retention must be specific and is only allowed to combat serious crimes, that access to surveillance records must be authorised/approved by an independent authority and that EU data subjects must have access to legal remediation if their rights of privacy are breached.
Late last month, the Court of Justice of the European Union delivered its judgement on the legality of the UK & Swedish data retention and surveillance laws. The basis of their ruling confirms that from 2015, that general monitoring is illegal, that retention must be specific and only allowed to combat serious crimes, that access to surveillance records must be authorised by independent authorities and that EU data subjects must be have access to legal remediation if their rights to privacy are breached. (Here… is the ORG’s take on the ruling.)
As stated above, the IP Act legalises general monitoring and permits access to the record systems created to multiple agencies with no independent oversight. According to Europe’s top judges, including one Briton this contravenes the UK & other EU member state citizen’s right to privacy, one of the fundamental rights in the EU’s charter of rights. These rights are now the subject of an EU regulation (the GDPR) and thus UK law; it’ll be interesting to see how the UK courts deal with any appeals.
The Tories, the securocrats and we ourselves should remember though that this is one area where sanctions can (and almost certainly will) be levied. The previous case “Schrems vs, Facebook” made it clear that the right to transfer data out of the European Union (& the EEA) is dependent on the destination having an “adequate” data protection legal regime which requires a number of features but includes the need to adequately protect personal data, and to allow people access to legal remediation against legal breaches; secret and unsupervised law enforcement access to private data is considered by the CJEU to be prima facie proof of inadequacy. It’s the law enforcement access, in the UK, to the disproportionately broad secret records that will jeopardise the UK’s ability to trade with the EU. If our CSPs are deemed to fail to offer ‘adequate’ protection, the EU can embargo trade with those companies.
As stated above, the law also gives the Government the right to mandate backdoors in UK operated communications products; these powers may also fall foul of the prohibition on general monitoring and the need for independent review.
On its passage through the Lords, the campaigning opponents opened a Government site petition against the Investigatory Powers act that obtained the 100,000 signatures required to be considered for debate in days, and now stands at over 206,000 signatures. This court ruling is a serious impediment, not only will other member states of the EU object to these laws, UK companies may decide that it’s in their best interests not to comply with a potentially illegal law, they’ve done it before. Civil Society organisations are already planning legal challenge. The good news is that the responsible Labour front-bencher is now Dianne Abbott who has called for its repeal.
 Their control framework is approved by the Government, documented in a collaboration agreement and then managers can obtain approval for request from a Justice of the Peace; this is an improvement in terms of control but a massive vulnerability of the right to privacy.
 Let’s remember that FACT worked in an exceedingly close and questionable relationship with Bedfordshire weights and measures using their powers of entry and discovery and that the first Norwich Pharmcal order was issued on the HMRC.
 Not that probable cause is required to obtain a warrant, or access the collected sets
This featured picture is a derived work made from two other pictures, the Privat slogan in stone is from a picture by Isengardt CC 2010 BY posted on flickr; the picture of the flags was taken from publicdomainpictures.net, and is public domain.
This was originally published at http://biog.davelevy.info, at http://wp.me/p7KCT7-18m, I also published a page at storify.com: https://storify.com/DaveLevy/snooping-may-not-be-legal