Published by The Lawfare Institute
in Cooperation With
Earlier this month, after more than a year of debate and amendments, the British Parliament passed the Investigatory Powers Bill (IP Bill), a law that authorizes surveillance powers virtually unprecedented anywhere else in the Western world. The bill, dubbed the “snoopers’ charter” by its critics, provides a major overhaul of existing surveillance laws and gives the UK government sweeping spying capabilities over its citizens. The bill includes provisions regarding interception and retention of communications data, equipment interference (also known as hacking), and bulk powers. The bill also introduces, for the first time, judicial supervision of warrants authorized to carry out such powers. After clearing its last Parliamentary hurdle on November 16 in the House of Lords, the IP Bill was officially passed into law after Royal Assent on Tuesday.
This post discusses the Bill’s important and controversial provisions, and examines future hurdles that it may encounter.
Important and Controversial Provisions
The IP Bill has 273 sections and runs 304 pages long. Below is a summary of its key provisions.
Offense of Unlawfully Obtaining Communications Data. The IP Bill contains a new criminal offense for “knowingly or recklessly obtaining communications data from a telecommunications operator without lawful authority” (Part 1). The offense carries a prison sentence of up to two years.
Warrants and Judicial Authorization. The bill introduces, for the first time in UK history, judicial approval of warrants issued by the Government (Part 2). Warrants now receive two levels of approval before being issued, a so-called “double lock” authorization process. First, the Secretary of State may issue a warrant for the interception of communications (Part 2), equipment interference (Part 5), and bulk powers (Parts 6 and 7). The Secretary must consider the warrant to be necessary (i.e. for national security, preventing or detecting crime, or the economic well-being of the UK) and proportionate to what is sought to be achieved. A Judicial Commissioner then reviews the decision regarding necessity and proportionality before the warrant is ultimately granted.
Warrantless Interception of Communications. The bill provides for warrantless interception for administrative or enforcement purposes, including by or on behalf of a telecommunications service (Part 2). This includes the content of communications transmitted by such services. The interception of such communications can also be carried out in response to “a request made in accordance with a relevant international agreement.” This means that communications interception can be done for or against individuals living outside of the UK. For more information on the interception of communications, see the draft code of practice.
Access to Internet Connection Records (ICRs). A warrant is not necessary for relevant public authorities to access ICRs; instead, only a sign-off by a "designated senior officer" is required if the authorization meets three conditions laid out in Part 3. This means public authorities can approve their own access. Importantly, public authorities under this bill include not only police and intelligence services, but also government departments, revenue and customs officials, and even the Food Standards Agency and Gambling Commission. For a full list, contained in Schedule 4 of the bill, see here.
Data Retention. The Secretary of State can require telecommunications companies, through a “retention notice,” to retain relevant communications data for up to a year (Part 4). This notice can require the retention of all data by a company. Data includes the sender or recipient of communications, the time or duration, the type, method or pattern, and all ICRs providing a full list of every website, app and messaging service a person has used (though not the individual pages or messages sent). The government has called this information the modern equivalent of an itemized phone bill, while critics (see here and here) say it's more like a personal diary. The company may also retain data for persons or conduct outside the UK, and it is the responsibility of the company to put in place relevant security systems to protect access to such data.
Equipment Interference. Equipment interference warrants may be issued to authorize interference with any equipment for the purpose of obtaining communications data, equipment data or other information (Part 5). These warrants may authorize physical interference (e.g. downloading data from a possessed device) or remote interference (e.g. installing software to remotely extract information). This allows the gathering of data from “a large number of devices in the specified location.” For more information, see the draft code of practice.
Bulk Powers. The IP Bill consolidates bulk powers that are already available to intelligence and security services under existing legislation into a single Bill.
- Bulk Personal Data Sets (BPDs). Intelligence services may retain bulk personal datasets by warrant (Part 7). These data sets contain millions of records about phone calls, travel habits, Internet activity and financial transactions from a wide range of people, most of whom are of no interest to security and intelligence agencies. Although the ability to acquire BPDs is not a new power, the bill seeks to place the practice on firmer legal footing. Here, too, the bill introduces a “double lock” authorization by requiring the issuance of warrants by the Secretary of State, approved by a Judicial Commissioner. A draft code of practice can be found here.
- Bulk Warrants. A warrant for bulk interception may be issued if the main purpose of the warrant is to intercept overseas-related communications or to obtain secondary data (any data comprised in, attached to, or logically associated with a communication) (Part 6). Bulk acquisition warrants may also be issued, which would require telecommunications operators to obtain and disclose communications data specified in a warrant. Finally, bulk equipment interference warrants, which require a person to whom the warrant is addressed to secure interference with equipment for the purposes of obtaining communications, equipment data, or any other information, may be granted. All warrants under this part may only be issued to security and intelligence agencies.
Oversight. The bill provides oversight in the form of an Investigatory Powers Commissioner (IPC) and Judicial Commissioners (Part 8). The Prime Minister is tasked with appointing an IPC as well as Judicial Commissioners to carry out the functions of the IPC. The IPC is tasked with auditing compliance, including the undertaking of investigations, while the Judicial Commissioners provide oversight functions. These include the acquisition, retention, use or disclosure of communications interception, communications data, secondary data, bulk personal datasets and the operation of safeguards to protect privacy. The IPC must also submit an annual report to the Prime Minister regarding the carrying out of functions by the Judicial Commissioners.
The bill has now received Royal Assent, which means that it will come into effect in 2017 when the Data Retention and Investigatory Powers Act (DRIPA) legislation expires. The program is likely to be phased in over the next year, with massive effects on the legal scope of British surveillance. Still, looming questions remain, including how the law will work in practice and what effect it will have on the UK’s status as a world-leading digital economy.
Although public opposition to the bill was muted, in part due to its passage being overshadowed by Brexit, a new petition passed on Parliament’s webpage last Saturday that may allow members of Parliament to reconsider the bill. The petition has already reached more than 100,000 signatures. According to the UK’s petitions webpage, petitions that reach this number of signatures are almost always debated in Parliament, and must at least be considered. The petition may have begun too late, however, and is unlikely to lead to any change in the law.
The bill is also likely to be challenged in court in the upcoming months. Just one month before the passage of the bill, the UK’s Investigatory Powers Tribunal—which “investigates and determines complaints which allege that public authorities or law enforcement agencies have unlawfully used covert techniques and infringed [the UK’s] right to privacy”—ruled that British security agencies had been unlawfully collecting massive volumes of personal confidential data without adequate safeguards or supervision for nearly two decades. Relevantly, the Tribunal found that the retention of bulk personal datasets fails to comply with Article 8 of the European Convention on Human Rights. Currently, there are at least three ongoing cases that could result in changes to some of the bill’s provisions, including a major challenge in the European Court of Human Rights that could rule the UK’s mass collection and retention of data illegal. The European Court of Human Rights is not a European Union institution, which means that its judgments will remain (at least for now) binding in the UK despite its vote to leave the European Union.
Some companies are also not willing to leave this decision up to Parliament or the courts. One of the UK’s Internet providers, Andrews & Arnold, has already begun to explore new ways to help its consumers circumvent the new bill. The company has recently started working with a British nonprofit, Brass Horn Communications, which is planning to build a new Internet provider based on Tor. Tor can be used to browse the Internet anonymously in an effort to help citizens protect themselves against spying. Andrews & Arnold may also consider placing its services outside of the UK, which would allow it to reduce information logged and recorded.
In any case, the implementation of the IP Bill marks a new era in UK surveillance law, though the scope of that mark remains to be seen.