UK government to reform communication surveillance laws

Out-Law News | 04 Nov 2015 | 4:54 pm

Data recording what websites internet users have visited will need to be retained for up to 12 months by telecommunication service providers under proposed new surveillance laws that have been outlined by the UK government.

The Investigatory Powers Bill (299-page / 3.54MB PDF) would give UK law enforcement and intelligence agencies the power to require telecommunication service providers to retain and hand over "internet connection records" (ICRs) to help combat terrorism, serious crime or protect the UK's economic interests, among other limited purposes provided for in the legislation.

ICRs have been included within the definition of 'communications data' for the first time, with the Bill setting out the specific legal framework, including authorisation procedures, safeguards and oversight arrangements that would apply to the storing and accessing of such data.

The Bill also sets out new rules to govern the interception of communications and use of equipment interference powers. It also outlines UK intelligence agencies' qualified right to obtain "bulk data" whether via their powers to access communications data, intercept communications or carry out equipment interference activities.

On communications data, UK home secretary Theresa May said that ICRs would not convey details of the individual web pages that people browse but instead only apply to the home pages of sites they visit. A list of ICRs would be the "modern equivalent of an itemised phone bill", she said.

ICRs are defined in the Bill as data that "may be used to identify a telecommunications service to which a communication is transmitted through a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and [which] is generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person)".

In a statement before parliament, May said that the government was not banning the encryption of communications data. However, under the Bill communications service providers would be required to take all "reasonably practicable" steps to help authorities to access the communications data they have been authorised to obtain, whether encrypted or not.

Communication service providers could be compelled to set up filtering systems to help with the targeting of requests for communications data, according to the proposed new legislation.

The legal framework relating to the interception of communications is different to the one that applies to communications data and is also set out in the new Bill.

Fewer authorities are permitted to request the interception of communications than can request access to communications data. Intercepting authorities include the head of an intelligence service, the director general of the National Crime Agency and the head of the Metropolitan police.

Under the Bill, warrants to intercept communications can only be issued through a joint authorisation process that involves the secretary of state - in practice the home secretary - and "judicial commissioners". The "double lock" system of authorisation, as May described it, requires consideration to be given to the necessity and proportionality of the warrant requests and whether measures are in place to safeguard privacy and data security.

In "urgent cases", the secretary of state would be empowered, under the Bill, to grant warrants for the interception of communications on their own, with retrospective review of that decision by a judicial commissioner.

May said that it is the UK government's view that the warrants granted in the UK would have "extra-territorial" effect, and would therefore make communications service providers located abroad subject to the new legislation.

The 'equipment interference' powers will help the security and intelligence agencies, law enforcement and the armed forces covertly obtain information from computers and other devices, according to explanatory notes issued alongside the Bill.

"Where necessary and proportionate, law enforcement agencies and the security and intelligence agencies need to be able to access communications or other private information held on computers, in order to gain valuable intelligence in national security and serious crime investigations and to help gather evidence for use in criminal prosecutions," it said. "Equipment interference plays an important role in mitigating the loss of intelligence that may no longer be obtained through other techniques, such as interception, as a result of sophisticated encryption. It can sometimes be the only method by which to acquire the data."

Powers to obtain bulk data, whether via interception of communications, the communications data regime or via equipment interference, would be reserved for use by security and intelligence agencies for national security reasons only.

"Robust safeguards govern access to this data to ensure it is only examined where it is necessary and proportionate to do so," the government said. "Warrants will be issued by the secretary of state and must be approved by a judicial commissioner before coming into force. The draft Bill will require that bulk interception and bulk equipment interference warrants may only be issued where the main purpose of the activity is to acquire intelligence relating to individuals outside the UK. Conduct within the UK or interference with the privacy of persons in the UK will be permitted only to the extent that it is necessary for that purpose."

The Bill is to be scrutinised by a parliamentary committee. A revised Bill is to be laid before the parliament in the spring next year, May said. She said the intention is for the new legislation to come into force before stop-gap surveillance laws contained in the Data Retention and Investigatory Powers (DRIP) Act expire at the end of 2016. The Bill, when finalised, will also replace other existing legislation, including the Regulation of Investigatory Powers Act (RIPA).

Information law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "Getting rid of the previously proposed ban on encryption appears to be positive but we need to decipher what this really means and whether service providers will indirectly be forced down this route."

"Similarly, the Bill refers to a ‘double lock’ for interception warrants which requires authorisation by both secretary of state and a judge, however we need to unpack what the ‘urgency procedure’ that would enable the secretary of state to authorise without the judge means in practice – if by the time the judge arrives, the data has already been obtained, and the judge would not have authorised the warrant in question, this solution has a big flaw in it. The circumstances in which the ‘urgency procedure’ could be applied and how it will work in detail need to be looked at," he said.

Dautlich said that the intensity of the debate that has preceded the publication of the Investigatory Powers Bill "highlights the importance of information security in a digital age".

"One very serious challenge is that there are not enough qualified security specialists in the UK," Dautlich said. "The proficiency of hackers is moving at an alarming pace, and the seriousness and volume of security breaches organisations are suffering suggests that collectively there is a significant shortage of skilled cyber-security specialists, and of other professionals involved in such breaches. Business leaders need to engage on this, at several levels, because there are some solutions available."

New EU data protection laws currently being negotiated look like setting new rules on the processing of personal data by law enforcement agencies.