Investigatory Powers Act 2016

(Redirected from Government hacking)

An Investigatory Powers Bill was announced in the Queen's Speech in May 2015[1]. "New legislation will modernise the law on communications data"

It included elements of the previous Communications Data Bill. It replaces the Data Retention and Investigatory Powers Act 2014 and large sections of the Regulation of Investigatory Powers Act 2000.

Many of the activities were already taking place, but not properly outlined in law, such as bulk collection of metadata by GCHQ, and became known because of the Snowden revelations.

Data retention and acquisition

Retention of communications data

The meaning of “communications data”

Article 261 severs communications data from the content of communications: content is the very substance and main message of certain communications, while communications data apparently covers all the remaining types of data. (Article 261 (5), (6))[2] Communications data comprises Entity data and Events data, which is held, or going to be held, or is capable of being held by a telecommunications service operator (Article 261 (5)(a)(i), (c)(i)).[3]

  • Entity data relates to the association between an entity and a telecommunication service or telecommunications system or could be description and identification of an entity (Article 261 (3)).[4] Entity here means either a person or thing (Article 261 (7)).[5]
  • Events data means any data which identifies or describes an event, whether it mentions the location or not. It can be deduced that events here mean any incident that involves one or more persons or devices taking some kind of action at a certain time (Article 261 (4)).[6]


For example, if someone sent a message to you about the sender’s daily schedule such as;

------------------------------------------------------------------
On 31st May at 10:49, XXX wrote;


Good morning, how are you? Today, I am cycling to the British Library and spend a few hours studying therein with a couple of classmates. After that, I will head to the London Bridge alone. Shall we meet in front of London Eye at 6 pm? I found a nice restaurant nearby:)


Sent from iPhone7
------------------------------------------------------------------

Since content falls without the scope of a Retention Notice, what the sender actually wrote is not to be retained. Content is defined as the part that contains the "meaning" of the message.

Information such as the timing of the transmission, the devices used, and probably the location of the sender and the recipient are considered and thus can be retained as "communications data."

However, as Article 261 (6) declares, the content of communication does not cover

"any meaning arising from the fact of the communication or from any data relating to the transmission of the communication."

In other words, any inference that could be reasonably and logically reached from such pieces of information is not content, despite it containing “meaning”.

The Act therefore concedes that although the content of the communication is not to be retained or accessed by the governmental authority, there is ample opportunity for them to obtain information which contains “meaning” and which could be more powerful than the mere content.

Retention Notice

By virtue of Article 87,[7] the SoS may require, through a Retention Notice, a telecommunication operator to retain relevant communications data for a maximum period of 12 months (Article 87 (1), (3)).[8] A Retention Notice is given in written format (Article 98 (1)) and communicated to the operator in such a manner as SoS considers appropriate (Article 87 (7)).[9]

Relevant communications data here means communications data identifying or assisting to identify;

(a) the sender or recipient of a communication (whether or not a person),
(b) the time or duration of a communication,
(c) the type, method or pattern, or fact, of communication,
(d) the telecommunication system (or any part of it) from, to or through which, or by means of which, a communication is or may be transmitted, or
(e) the location of any such system,

and this expression therefore includes, in particular, internet connection records.

Safeguards

  • Lawfulness: Pursuant to Article 87 (1)(a),[10] before issuing a Retention Notice, the SoS must consider it is necessary and proportionate in the light of the grounds provided in Article 61 (7) (See below).[11]
  • Judicial approval: A Retention Notice also must be approved by a Judicial Commissioner (Article 87 (1)(b)).[12] However, the procedure of judicial approval is the same as that for Bulk Powers: it is not mandatory and a Judicial Commissioner may avoid making a decision (Article 89).
  • Review by SoS: Review of the Retention Notice takes place based on the reference made by a telecommunications operator to whom the notice was given. The operator may make a reference I accordance with the regulation by SoS (Article 90 (1)).[13] While waiting for the result of the review, the operator does not have to comply with the notice (Article 90 (4)).[14] Although the operator does not owe the obligation to make such a reference, once it was communicated to SoS, it must be reviewed by SoS in consultation with the Technical Advisory Board and a Judicial Commissioner (Article 90 (5), (6)).[15] Both the Board and the Commissioner must offer the chance for the operator to provide the evidence or make representations before drawing the conclusions and report it to SoS and the operator (Article 90 (9)).[16] Consideration of the Board focuses on the technical requirements and the financial consequences for the operator, whereas the Commissioner on the proportionality. (Article (7), (8))[17] In turn, SoS may vary, revoke, or confirm the retention in question, with the approval of the Investigatory Powers Commissioner. (Article 90 (10))[18]
  • Prohibition on Disclosure: Articles 92[19] and 93,[20] concomitantly, ensures that the data should be secured and only accessed by the authorised person, and should not be unlawfully disclosed.

Internal authorisation by police and other authorities

Article 61 permits a designated senior officer of a relevant authority to authorise any officer of the authority (meaning the authority to which the officer belongs) to engage in any conduct which:

(a) is for the purpose of obtaining the data from any person, and
(b) relates to—
(i) a telecommunication system, or
(ii) data derived from a telecommunication system.

There are some requirements to be met prior to such an authorisation e.g. necessity and proportionality tests (Article 61 (1)(b), (c)).[21] In order to meet the criteria for the necessity, the purpose of the authorisation needs to fall within the following 10 criteria enumerated in Article 61 (7):[22]

(1) in the interests of national security,
(2) preventing or detecting crime or preventing disorder,
(3) the economic well-being of the UK so far as relevant to national security,

These first three are similar to the other authorisations and warrants. However, in the provisions elsewhere, the word “serious crime” is employed to restrict the level of intensity of crime targeted.

However, here the term “crime” is used, meaning that it is easier to obtain communications data concerning a relatively minor incident through an internal authorisation.

The breadth of possibilities for obtaining data with just internal authorisation under Part 3 is considerable, including:

(4) public safety,
(5) public health,
(6) assessing or collecting any payment to governmental bodies,
(7) preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health,
(8) to assist investigations into alleged miscarriages of justice,
(9) where a person (“P”) has died or is unable to identify themselves because of a physical or mental condition—
(i) to assist in identifying P, or
(ii) to obtain information about P’s next of kin or other persons connected with P or about the reason for P’s death or condition, or
(10) exercising functions relating to—
(i) the regulation of financial services and markets, or
(ii) financial stability.

Preventing or mitigating any injury or damage to physical or mental health is of course much broader than “serious crime” or even “crime.” The list also includes obtaining the data of a person who has passed away or who cannot identify him/herself either because of mental or physical reasons.

Aside from the vagueness of those requirements, the biggest problem here lies in the fact that when the officer grants the authorisation, there is no external review. Normally, a lower-ranked officer merely asks a senior officer for authorisation to obtain data in order to investigate a certain incident. For some authorities, permission of a court is needed.

Despite the conditions set out by different provisions as explained below, the impartiality of the decision and restraints on abuse of this power rely largely on the possibility of retrospective examination by oversight bodies.

Limitations for Internal Authorisations

In addition to the necessity and proportionality tests stated in Article 61 (1),[23] the same article enumerates five conditions to which granting the authorisation is subject in its third paragraph.

Limitation 1: Internet Connection Records

Internet Connection Records (ICRs) serves as an exception to Article 61, the meaning of which is communications data which;

(a) may be used to identify, or assist in identifying, a telecommunications service to which a communication is transmitted by means of a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and
(b) comprises data generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person). (Article 62 (7))[24]

A designated senior officer (DSO) of a local authority (ie, a council) may not authorise obtaining data which is capable of being obtained only by processing ICRs (Article 62 (1)).[25] However, it is permissible for the officer of a relevant public authority, such as the police or various law enforcement and regulatory agencies, where any of the three conditions are met (Article 62 (2)).[26]

Condition A concerns any of the grounds in Article 61 (7)[27], where a designated senior officer considers it necessary to know which person or apparatus is using an internet service. The preconditions for this is that either the service and the time of use or the identity of the person/apparatus is already known (Article 62 (3)).[28]

Condition B concerns any of the grounds in Article 61 (7)[29] but preventing or detecting crime. the authorisation may be granted for the purpose of identifying:

Suppose, in all of the following, a person/apparatus is already identified

  • Which internet communications service is being used, and when and how it is being used by them
  • When and how is it for them to obtain access to, or run, a computer file or computer program which wholly or mainly involves making available, or acquiring, material whose possession is a crime, or
  • Which internet service is being used, and when and how it is being used by them (Article 62 (4))[30]

Condition C concerns of preventing and detecting crime all the grounds in Article 61 (7).[31] On the same preconditions, the same kinds of data may be obtained both as the above. Here is crime limited to certain categories thereof; either serious crime or other relevant crimes (Article 62 (5)).[32] Other relevant crimes consists of:

(a) an offence for which an individual who has reached the age of 18 (or, in relation to Scotland or Northern Ireland, 21) is capable of being sentenced to imprisonment for a term of 12 months or more (disregarding any enactment prohibiting or restricting the imprisonment of individuals who have no previous convictions), or
(b) an offence—
(i) by a person who is not an individual, or
(ii) which involves, as an integral part of it, the sending of a communication or a breach of a person’s privacy

Hence, where crime is or is to be committed by a group pf persons, the incidents falls within the remit of internal authorisation irrespective of how serious the crime is.

Limitation 2: Exceptional Cases

Article 63 allows a designated senior officer to grant an authorisation on an exceptional basis (Article 63 (1), (2)).[33] Exceptional circumstances provided by Article 63 are:

(a) an imminent threat to life or another emergency,
(b) the investigation or operation concerned is one where there is an exceptional need, in the interests of national security, to keep knowledge of it to a minimum,
(c) there is an opportunity to obtain information where—
(i) the opportunity is rare,
(ii) the time to act is short, and
(iii) the need to obtain the information is significant and in the interests of national security, or
(d) the size of the relevant public authority concerned is such that it is not practicable to have a designated senior officer who is not working on the investigation or operation concerned.

These are referred as examples, which implies that there could be other circumstances where emergency or exceptional authorisations can be granted (Article 63 (3)).[34]

Limitation 3: Restrictions on the Power of Local Authorities

There are some restrictions that only apply to local authorities. First, having noted that internal authorisation normally dispenses with the need for judicial approval, this is not the case with the DSO of a local authority.

In order for a DSO of a local authority to grant an authorisation, the local authority must have concluded a collaboration agreement with another public authority. (Article 74(1))[35]

These collaboration agreements require the internal authorisation of a DSO of the “supplying authority” to be granted authorisation by another local authority (the “subscribing authority”) (Article 78 (1))[36] In other words, the authorities authorise each others’ requests, in an attempt to create an additional level of independence.

Finally, authorisation from the DSO of a local authority does not take effect until it is approved by a relevant judicial authority (Article 75 (2)),[37] which is a local judicial body in each country in the UK. (Article 75 (7))[38]

Limitation 4: Consultation with a “Single Point of Contact”

Article 76 (1)[39] obliges a DSO to consult with a “single point of contact” prior to granting an authorisation, except in the event of an imminent threat to life or another emergency or in the interest of national security (Article 76 (2), (3)).[40]

A single point of contact is an official of a public authority and is responsible for advising either the person applying for or granting an authorisation (Article 76 (4)).[41] A person acting as a single point of contact may give advice on different aspects of the authorisation (Article 76 (5), (6), (7)).[42]

Article 76 (8)[43] adds that a “Single Point of Contact” can act as an authorising officer or make requests themselves.

Limitation 5: Journalistic Sources

When a request is made “for the purpose of identifying or confirming a source of journalistic information”, an authorisation does not come into effect until a Judicial Commissioner approves it.

Note that this is a narrower obligation than making a request which “may” or “is likely to” identify a journalistic source: it only catches requests which are specifically designed to reveal a journalistic source.

Except in cases of “imminent threat to life”, a Judicial Commissioner must review the authorisation (Article 77 (5)).[44] They must take account of the public interest in protecting a source of journalistic information against other needs which may override the public interest in the journalists’ confidentiality of their sources (Article 77 (6)).[45] After considering it, if a Judicial Commissioner has denied approving the authorisation, the Commissioner may quash it (Article 77 (7)).[46]

The “filter”

Article 67, 68 and 69[47] constitutes a bundle of provisions relating to “Filtering Arrangements”.

It has a separate system of authorisations for obtaining communications data.

Filtering Arrangements may be used for two purposes; one is to assist a designated senior officer who is considering whether to grant an authorisation to for obtaining communications data (Article 67 (1)(a)).[48]

The other is to facilitate the lawful, efficient and effective obtaining of communications data from any person in pursuant to an authorization (Article 67 (1)(b)).[49]

Filtering Arrangements may be used, only if the authorisation is specifically aimed at each; to obtain and disclose or process communications data. (Article 68 (2))[50]

Authorities that can use retained data including ICRs

Bulk powers

IP Act also enables the government to issue warrants which appear to be directed at a group of people without specific targeting.

Bulk Interception

Article 136[51] provides that Bulk Interception Warrants must satisfy the two sets of conditions. Condition A limits the purpose of the warrant to either or both of; interception of the communications which has been sent or received by the individuals who are outside the British Islands; or the obtaining of secondary which comprises almost all kinds of data and information which enable and facilitate the identification of the senders and recipients. (Article 136 (2), (3)[52], Article 137(3), (4), (5))[53]

Condition B limits the activity, on the part of the person to whom it is addressed (the addressee), to secure any one of more of;

(a) interception of the communication while being transmitted;
(b) the obtaining secondary data from communications transmitted;
(c) the selection for the examination of intercepted content or secondary data;
(d) the disclosure of anything that is obtained under the warrant. (Article 136 (4))[54]

Bulk Acquisition

Article 158[55] provides that Bulk Acquisition Warrants authorise or require the addressee to secure, by whatever means and manner under the warrant, any one or more of the following;

  • Requiring a telecommunication operator to disclose any communications data to the person specified in the warrant. If the operator does not possess the communications data sought by the warrant, they may be required to obtain them and thus hand over them to the government so long as they are technically capable of doing so. (Article 158 (6) (ii), (iii))[56]
  • Selection for the examination of the communications obtained under the warrant, and
  • The disclosure of the communications data obtained under the warrant

Implementation: Interplay with TCNs

Both Bulk Interception and Bulk Acquisition Warrants are to be implemented by the addressee, called the Implementing Authority. The Implementing Authority can require any person to give assistance in implementing the warrants. (Article 149(1), (2)[57] , 168 (1), (2)[58]) They can seek assistance from the person outside the UK by making a copy of the warrants available to the person. (Article 149 (3)[59] , 168 (3)[60]) The person who has been asked for the assistance i.e. a telecommunications operator, irrespective of the location, owes a duty to assist with the implementation. (Article 43[61] in conjunction with 149 (5), (6)[62] , 170 (1), (2)[63])

A copy of the warrants at stake may be sent directly to the person who has been asked for the assistance where he has a principal office or any physically approachable point within the UK via electronic or other types of delivery means. (Article 42 (3)(a), (b)[64], 169 (3)(a), (b)[65]) If there should no other practicality for the copy to be sent to the expected recipient, the implementing authority substitute for making it available for inspection within the UK. (Article 43(3)(c), (4)[66], 169 (3)(c), (4)[67] ) The duty of the telecommunication operator may be affirmed and reinforced by adopting TCN. (Article 170 (3), (4))[68]

Bulk personal datasets

The meaning of personal data

In relation to Bulk Personal Dataset (BPD), personal data has the same meaning as in Data Protection Act 1998 (DPA). Article 1 (1) of DPA[69] reads;

“personal data” means data which relate to a living individual who can be identified—

(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the [person who can control how the data is treated],

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

One difference is that under IP Act, personal data could also cover the data relating to a deceased person if related to a living person. (Article 199 (2))[70]

Two types of warrants

Two different warrants can be issued under Part 7; Class BPD Warrant and Specific BPD Warrant. (Article 200 (3))[71] The latter authorises an intelligence service to retain or to retain and examine, any BPD described in the warrant, while the former does about BPD of a certain class of people. (Article 200 (3))[72] In principle, unless authorised by warrants under this Part, an intelligence service may not retain or examine communications data. (Article 200 (1), (2))[73]

There exist a few extra restrictions on a Class BPD Warrants: An intelligence service may not retain, or retain and examine in reliance of such a warrant, if the head of the service considers the BPD at stake consists of or includes protected data (Article 202 (1))[74], health records, or sensitive personal data. (Article 202 (2))[75] First, protected data is defined as a residual category of data, so what constitutes non-protected data is more ready to understand. Non-protected data consists of secondary data (as a set of systems data and identifying data) and non-private information. (Article 202 (1))[76] Thus, an inference is that protected material includes the content of the communications and private information which is about your privacy and your family.

Second, health record means any records which;

(a) consists of information relating to the physical or mental health or condition of an individual,
(b) was made by or on behalf of a health professional in connection with the care of that individual, and
(c) was obtained by the intelligence service from a health professional or a health service body or from a person acting on behalf of a health professional or a health service body in relation to the record or the copy. (Article 206 (6))[77]

Of the three, the first two are virtually the same as those enshrined in Article 68 of DPA[78], whereas the subcategory (c) is not present therein. The subcategory inserts a new sort of health records as a form of copy. As a result of this, where SoS consider there are “exceptional and compelling circumstances,” retention of the copy of health records are allowed, as well as its original documents. (Article 206 (3))[79]

Third, sensitive personal data has the same meaning as in DPA. Article 2 of DPA[80] defines it as;

personal data consisting of information as to—

(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992 c. 52.1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Note that regarding this sensitive personal data category, retention may be authorised unless this type of data accounts for the substantial portions of BPD. (Article 202 (2) (b))[81]

Exceptions

Exceptions to Article 200 (3)[82] are set put by Article 201: pursuant thereto, an intelligence service is not considered to be breaching Article 201 (1) or (2)[83];

  • When BPD has been obtained through the warrant or authorisations under the Act, or
  • When the purpose of retention or examination is to destroy the dataset at issue.

Furthermore, there are some more loopholes:

  • When an intelligence service observes the conditions imposed by a Judicial Commissioner after it refuses to approve a specific BPD warrant. (Article 210 (3)(b), (8))[84]
  • Regarding the expiry of a class BPD warrant,
- during the 5 working days commencing on the day or expiry,
- after a new application for a specific / class BPD warrant or authorisation for retention for further consideration,
- while the period not exceeding 3 months, subject to an authorisation by SoS with the approval from a Judicial Commissioner and
- in case that an intelligent service makes an application during the period as in (iii), until the application is determined. (Article 219 (2), (3), (7), (8))[85]

Finally,

  • Regarding an initial examination, after an intelligence service has concluded that a certain dataset is to be electronically retained for later use, between the determination of the application. (Article 220 (1), (2), (5))[86]

Accordingly, despite the additional restrictions on a Class BPD Warrant, there are plenty of possibilities to make it possible.

Bulk hacking

This section corresponds to Chapter 3 of Part 6 concerning Bulk Equipment Interference.

Cross-border Surveillance

In relation to territorial safeguards for Targeted Equipment Interference, Bulk Equipment Interference Warrants aim to reach any people with a non-established connection with the UK and obtain data / information from their equipment and communications.

Article 176[87] provides for Bulk Equipment Interference Warrants in order to obtain overseas-related communications, overseas-related information, and overseas-related equipment data (Article 176 (1)(c) of the Act). Overseas-related information means any information on individuals outside the UK (Article 176(2) of the Act). Overseas-related equipment data means any data which may assist in identifying the persons concerned in targeted communications or related to overseas-related communications or/and data (Article 137(5)).[88],176(3)[89], and 177[90]).

Safeguards for Bulk Powers

Lawfulness

As outlined in Article 176, a Bulk Equipment Interference Warrant should seek to obtain overseas-related communications, information, and equipment data (Article 178(a)).[91] The purpose of the warrant is necessary if it is for:

(a) the interests of national security (Article 178 (1)(b)(i)).[92]
(b) preventing or detecting serious crime
(c) the interests of the economic well-being of the UK (Article 178 (1)(b)(ii), (2))[93]

Second grounds are quite similar for Targeted Equipment Interference, (see Article 102 (5)(b))[94] but the prevention and detection of serious crime can stand alone as the grounds in itself unlike the situation outlined in Article 102 (2)(a).[95]

These grounds contemplated in Article 176 are identical to those in Articles 138 (1)(b) and (2)[96], 158 (1)(a) and (2)[97] and Article 206 (6)[98]

Judicial Review

The review system for Bulk Equipment Interference is almost identical to that for Targeted Equipment Interference. In an emergency, SoS can allow a warrant to be issued without prior judicial review (Article 178 (1)(f)).[99]

Moreover, in any of the bulk powers, an approval from a Judicial Commissioner is not a prerequisite and the Commissioner may refuse to make a decision on a certain case by communicating the reason to SoS. (Articles 140 (3) and (4)[100], 165 (3) and (4)[101], 179 (3) and (4)[102], and 208 (3) and (4)[103])

Oversight arrangements

IP Commissioner and the Judicial Commissioners

First of all, this needs to be clear: the Investigatory Powers Commissioner (IP Commissioner) is, at the same time, a Judicial Commissioner and together with the other Judicial Commissioners, are collectively called the Judicial Commissioners. (Article 227 (7))[104]

Both are appointed by the Prime Minister (PM) and must hold or have held a high judicial office (Article 227 (2)).[105] They have to be jointly recommended by: (a) the Lord Chancellor, (b) the Lord Chief Justice of England and Wales, (c) the Lord President of the Court of Session, and (d) the Lord Chief Justice of Northern Ireland.

In the case of Judicial Commissioners other than the IP Commissioner, a recommendation from the IP Commissioner is also required. (Article 227 (3), (4))[106]

The PM has an obligation to consult with the Scottish First Minister beforehand and conclude a memorandum of understanding with the Minister about the appointment (Article 227 (5), (6)).[107]

The IP Commissioner can in most cases delegate the exercise of their functions to the other Judicial Commissioners (Article 227 (8)).[108] They cannot delegate the capacity to make recommendations in appointing the other Judicial Commissioner provided for in Article 227 (5)[109], nor the capacity to appoint the members of the Technology Advisory Panel provided for in Article 247 (1).[110] However, the delegation does not prevent from IP Commissioner exercising its function. (Article 227 (10))[111]

Each Judicial Commissioner serves for three years and may be re-appointed (Article 229 (2), (3)). They are not removed from the office unless a resolution has been passed by each of the House of Parliament on the grounds for instance of a conviction or bankruptcy (Article 228 (4), (5)).[112]

IP Tribunal

See, Investigatory Powers Tribunal

Advisory Bodies

Technical Advisory Board

Technical Advisory Board consists of such members as appointed by SoS through the regulation. (Article 245 (1))[113] That regulation must also pay attention to the following 4 points.

  • 1. whether the membership of the Board includes persons likely effectively to represent the interests of the persons who own the obligations under retention notice, national security notice, or TCN i.e. telecommunication operators
  • 2. whether the membership of the Board includes persons likely effectively to represent the interests of persons who can apply for the warrant and / or authorisations i.e. in many cases SoS or other governmental authorities
  • 3. whether such other persons (if any) as SoS considers appropriate is appointed to be members of the Board, and
  • 4. whether the Board is so constituted as to produce the balance between the interests of the telecommunications operators mentioned in 1 and those of the issuing authorities mentioned in 2.

Technology Advisory Panel

Technical Advisory Panel is appointed by IP Commissioner so that the Panel can provide the advice to IP Commissioner, SoS, and the Scottish Minister, about; (a) The impact of the change in technology on the investigatory powers whose exercise is subject to review by the IP Commissioner, and (b) The availability and development of technologies to use such powers while minimising interference with privacy. (Article 246 (1))[114] The Panel Must give advice on (a) and (b) to IP Commissioner at the request of IP Commissioner and may do so to IP Commissioner or SoS and the Scottish Commissioner where the Panel considers appropriate. (Article 246 (2), (3), (4))[115]

The other task for the Panel is to make a report about their carrying out their functions at the end of each calendar year to be submitted to IP Commissioner, while the copy of the report to SoS and the Scottish Minister where necessary. (Article 256 (5), (6))[116] Apart from the positive obligations and mandate, the Panel is under some negative obligations not to act in contrary to national security, the prevention and detection of serious crime, and the economic well-being of the UK. More specifically, the Panel has to make sure that its members do not;

(a) jeopardise the success of an intelligence or security operation or a law enforcement operation,
(b) compromise the safety or security of those involved, or
(c) unduly impede the operational effectiveness of an intelligence service, a police force, a government department or Her Majesty’s forces. (Article 247 (4))[117]

Authorisation regime

Equipment interference

Part 5 (Equipment Interference Warrants) and Chapter 3 of Part 6 (Bulk Equipment Interference Warrants) deals with “equipment interference.”

Under Part 5, a warrant can be issued to authorise Targeted Equipment Interference or Targeted Examinations.(Article 99 (1))[118]

Targeted Interference

What information can be obtained

A Targeted Equipment Interference Warrant is a warrant which authorises or requires the person to whom it is addressed to secure interference with any equipment, for instance a laptop or a mobile phone (Article 99 (2)).[119] It purports to allow communications data, equipment data, and any other information to be obtained (Article 99 (2)).[120]

According to Article 99 (4),[121] obtaining communications includes:

(a) monitoring, observing or listening to a person’s communications or other activities;
(b) recording anything which is monitored, observed or listened to.

Subject to the definitions in Section 100[122], equipment data comprises two kinds of data, being systems data and identifying data (Article 177 (1), (2)).[123] Systems data is any data that is connected with enabling, facilitating, identifying or the functioning of postal / telecommunications services and any other systems holding communications or other information. (Article 263 (4), (5))[124]

The implication is that not only textual communications but every other kind of data - such as photos, pictures, video files, or voice recordings - can be obtained under a Targeted Equipment Interference Warrant.

Safeguards for Targeted Equipment Interference

Subjected Communications

Additionally, so long as it is expressly provided for in the warrant, any conduct ancillary to obtaining the stated data or information is authorised (Article 99 (5)(a)).[125] That is to say that the warrant must list the kinds of supporting activities that may be needed to deliver the required result.

Any assistance necessary to deliver the activity outlined in the warrant is also authorised (Article 99 (5)(b)).[126]

However, the same warrant may not authorise or require a person to acquire or examine communications other than stored communication. If he / she does so, it amounts to an offence under Part 3 unless it is done under (another) legal authority. (Article 99 (6)).[127] Stored communication is defined as communications stored in or by a telecommunications system, including stored before or after it is transmitted. (Article 99 (8)).[128]

In other words, Targeted Equipment Interference Warrants cannot be used for the purpose of intercepting transmissions.

Lawfulness

The purpose of the warrant needs to be necessary on the grounds of:

  • the interests of national security
  • preventing or detecting serious crime; or
  • the economic well-being of the UK (Article 102 (5))[129]

Of the three, national security serves as the strongest grounds. Preventing or detecting serious crime is not sufficient by itself (Article 102 (2)(a)),[130] and economic well-being of the UK is limited to matters that are relevant to national security and only where the information sought relates to actions and intentions of the person outside the UK (Article 102 (6)).[131]

The “British Islands Connection”

Article 107[132] sets out restrictions on issuing Targeted Equipment Interference Warrants.

The Article specifies that authorities issuing a Targeted Equipment Interference Warrant must consider that there is the presence of a “British Islands connection”. (Article 107 (1))[133]

This connection arises when;

(1) the conduct authorised under the warrant takes place within the UK;
(2) the equipment interfered is or may be, at some point of the interference, within the UK
(3) the purpose of the warrant is to obtain the communication and/or information involving a person who is, or is believed to be, within the UK (Article 107 (4)).[134]

Hence the scope of Targeted Equipment Interference appears to be limited to conduct, equipment, or persons in the UK. However, law enforcement authorities are not under strict obligations to confirm this connection but rather must merely consider that it exists.

Judicial Review

Judicial Commissioners must review the warrants in terms of necessity and proportionality, using the same principles that would be applied by a court (Article 108 (1), (2), (3)).[135] Nevertheless, Judicial Commissioners can refuse to make a review (Article 108 (4)).[136] In such a case, Judicial Commissioners have to tell the person made an application for the warrant in a written form (Article 108 (4)).[137] An Investigatory Powers Commissioner may be asked to make a decision instead of Judicial Commissioners in these circumstances (Article 108 (5)).[138]

Data Retention and Sharing

Sections 129 and 130 have relevant clauses. See 5. International data sharing and other arrangements.[139]

Exception for Safeguards: Targeted Examination Warrants

A Targeted Examination Warrant outlined in Article 99 (1)[140] is a warrant which authorises or requires the person to whom it is addressed to carry out the selection of protected material obtained under Bulk Equipment Interference warrant for examination in breach of the prohibition in Section 193 (4).[141] Section 193 (4) prohibits to seek to identify communications of, or private information relating to, individuals within the UK. In this sense, Targeted Examination Warrants countervails the safeguards for Bulk Equipment Interference Warrant.

Article 99 (9)[142] explains the meaning of protected material in a complex manner but examining protected material fundamentally equates to deciphering private information about a person’s private or family life. (Article 135 (1))[143]

Accordingly, by a combination of Bulk Equipment Interference and Targeted Examination Warrants, information and communications relating to a person who does not have a British Island connection could also be obtained.

Technical Capability Notices

Definition

Article 253 (2)[144] defines a Technical Capability Notice (TCN) as “a notice—

(a) imposing on the relevant operator any applicable obligations specified in the notice, and
(b) requiring the person to take all the steps specified in the notice for the purpose of complying with those obligations.”

It must be given in the form of written communication. (Article 255 (5))[145]

Contents of TCNs

A TCN must have a finite period of within which obligations therein are exhausted and may have different timescales along with different steps (Article 253 (7)).[146]

The actual contents of the obligations that are included in a TCN may be specified by Regulations under Article 253 (4)[147] insofar as SoS considers it is reasonable in order to secure that the operators have the capability to assist implementing relevant authorisations and ensure they can comply with a TCN. (Article 253 (4) (a), (b)[148]) Such obligations cover a wide range of issues, e.g. provision of necessary facilities (Article 253 (5)).[149] See also our TCNs page particularly at 4.1.

Whatever the obligations are, the notice is enforceable and the addressee must comply with them if they relate a person in the UK (Article 253 (9), (10)).[150]

Furthermore, Article 255 (11)[151] states that even regarding a person outside the UK, the obligations must be carried out so long as they are involved in achieving:<unclear who this relates to>

(a) a targeted interception warrant or mutual assistance warrant under Chapter 1 of Part 2;
(b) a bulk interception warrant;
(c) an authorisation or notice given under Part 3.

Broad range of subject and scope

A TCN is issued by Secretary of State (SoS) toward a postal operator and / or telecommunications operator, including those who are proposing to become an operator (Article 253 (1),(3)).[152]

A TCN is framed as a means of achieving the capability to deliver what is sought in warrants issued under Part 2.5. and 6 and any authorisation or notice under Part 3 (Article 253 (3)).[153] These warrants, authorisations and notices are collectively described as relevant authorisations in Article 253 (3).[154]

A TCN may be given to persons outside the UK. It may require actions or changes to be taken outside the UK (Article 253 (8)).[155] In such cases, a TCN can be given in either of the following ways provided in Article 255 (6))[156]: When the person has his office or other places, where his business take place, in the UK, a TCN is delivered to such locations. Meanwhile, when the person does not have the above places in the UK, a document containing a TCN can be sent and received by the address specified by the person. This address including e-mail address and the recipient does not necessarily have to be the person addressed, for the recipient will accept the document on the person’s behalf.

Therefore, if the operators do not own any contact point physically in the UK, they can still, directly or indirectly, be subject to a TCN and carry out the obligations presented.

Insufficient review mechanism

A TCN may be presented to an operator when the SoS considers it is necessary and proportionate (Article 253(1)(a), (b))[157] and such considerations should be affirmed by a Judicial Commissioner (Article 253(1)(c)).[158]) The Commissioner must consider the necessity and proportionality of the TCN in question (Article 254 (3) (b)).[159] In doing so, a Judicial Commissioner must apply the same principle as invoked as the judicial court, and take into account the view of the SoS on the necessity and proportionality (Article 254 (2), (3) (a)).

A Judicial Commissioner can refuse to make a decision by providing a written explanation of their reason (Article 254 (4)).[160] In such a case, in place of a Judicial Commissioner, the SoS may an Investigatory Powers Commissioner to approve of the notices. (Article 154 (5))[161] There exist no provisions in the Act that oblige an Investigatory Powers Commissioner to abide by the existing principles available in a judicial court.

Similarly, there are no limitations or conditions set out in the Act about when and under what circumstances a Judicial Commissioner may refuse to assess the application. This implies that a TCN might be approved without being thoroughly considered in the light of necessity and proportionality.

Other rules

Article 255 (7)[162] provides that the SoS may create further provisions about the issuance of relevant notices, in a form of regulations.

International data sharing and other arrangements

Sharing data with overseas authorities

Sections 129[163] and 130[164] are positioned as clauses setting out safeguards for issuing Targeted Equipment Interference and/or Targeted Examination Warrant (Article 102[165], 104[166], 106[167]). Although each is applicable to different situations, the substance of the safeguards enshrined in them are identical, for Section 130 follows Section 129 (Article 130 (2)).[168]

Section 130 obliges the authorities issuing relevant warrants (the issuing authorities) to ensure that they never give any materials or copies thereof to authorities outside the UK. Subsection (2) requires that safeguards provided for in Section 129 (2) to (5) are satisfied. These are discussed below.[169]

Safeguards in place?

Section 129 concerns retention and disclosure. It has a bundle of safeguard clauses. Subsection (2)[170] limits data sharing among the authorities to the minimum extent which is necessary, in terms of the extent of disclosure and availability, and in particular, the number of persons to who have access to materials and the number and the extent of copies to be made (Article 129 (3)).[171]

The necessity test appears self-repetitious and thus does not contribute to clarification. Subsection (3)[172] states that necessity arises if something is;

(1) or likely to become necessary on any grounds for that justifies the original authorisation.
(2) necessary for facilitating any functions of the issuing authorities or of the Judicial Commissioners or of the Investigatory Powers Tribunal under or in relation to this Act,
(3) necessary for the purpose of legal proceedings, or
(4) necessary for the performance of the functions of any person under any enactment.

The second safeguard concerns the storing of the material. Subsection (4)[173] states that every copy of the materials must be kept secure. Thirdly it is required that once the materials lose the grounds for the retention every copy is to be destroyed as soon as possible (Article 129 (5)).[174]

These are the safeguards in necessity (minimisation), retention, and destroy. For materials held in the UK government to be shared with authorities outside the UK, it suffices that these requirements appear to be met to the issuing authority in the UK (Article 130 (2)).[175]

There are no duties on UK authorities to confirm that their overseas counterparts actually have the capacity and intention to abide by the requirements of necessity nor are duties imposed to see if copies are kept or destroyed in accordance with requirements in Section 129.[176]

See also

External links

References

  1. Queen's Speech 2015, 2015-05-27, GOV.UK
  2. Article 261 (5), (6)
  3. Article 261 (5)(a)(i), (c)(i)
  4. Article 261 (3)
  5. Article 261 (7)
  6. Article 261 (4)
  7. Article 87
  8. Article 87 (1), (3)
  9. Article 87 (7)
  10. http://www.legislation.gov.uk/ukpga/2016/25/section/87/enacted Article 87 (1)(a)]
  11. [1.2 Internal Authorisation https://wiki.openrightsgroup.org/wiki/Investigatory_Powers_Act_2016#Internal_authorisation_by_police_and_other_authorities]
  12. Article 87 (1)(b)
  13. Article 90 (1)
  14. Article 90 (4)
  15. Article 90 (5), (6)
  16. Article 90 (9)
  17. Article 90 (7), (8)
  18. Article 90 (10)
  19. Article 92
  20. Article 93
  21. Article 61 (1)(b), (c)
  22. Article 61 (7)
  23. Article 61 (1)
  24. Article 62 (7)
  25. Article 62 (1)
  26. Article 62 (2)
  27. Article 61 (7)
  28. Article 62 (3)
  29. Article 61 (7)
  30. Article 62 (4)
  31. Article 61 (7)
  32. Article 62 (5(
  33. Article 63 (1), (2)
  34. Article 63 (3)
  35. Article 74 (1)
  36. Article 78 (1)
  37. Article 75 (2)
  38. Article 75 (7)
  39. Article 76 (1)
  40. Article 76 (2), (3)
  41. Article 76 (4)
  42. Article 76 (5), (6), (7)
  43. Article 76 (8)
  44. Article 77 (5)
  45. Article 77 (6)
  46. Article 77 (7)
  47. Part 3: Filtering arrangements for obtaining data
  48. Article 67 (1)(a)
  49. Article 67 (1)(b)
  50. Article 68 (2)
  51. Article 136
  52. Article 136 (2), (3)
  53. Article 137 (3), (4), (5)
  54. Article 136 (4)
  55. Article 158
  56. Article 158 (6) (ii), (iii)
  57. Article 149 (1), (2)
  58. Article 168 (1), (2)
  59. Article 149 (3)
  60. Article 168 (3)
  61. Article 43
  62. Article 149 (5), (6)
  63. Article 170 (1), (2)
  64. Article 42 (3)(a), (b)
  65. Article 169 (3)(a), (b)
  66. Article 43(3)(c), (4)
  67. Article 169 (3)(c)
  68. Article 170 (3), (4)
  69. Article 1(1)
  70. Article 199 (2)
  71. Article 200 (3)
  72. Article 200 (3)
  73. Article 200 (1), (2)
  74. Article 202 (1)
  75. Article 202 (2)
  76. Article 202 (1)
  77. Article 206 (6)
  78. Article 68
  79. Article 206 (3)
  80. Article 2
  81. Article 202 (b)
  82. Article 200 (3)
  83. Article 201 (1), (2)
  84. Article 210 (3)(b), (8)
  85. Article 219 (2), (3), (7), (8)
  86. Article 220 (1), (2), (5)
  87. Article 176 of the Act
  88. Article 137(5) of the Act
  89. Article 176(3 of the Act)
  90. Article 177 of the Act
  91. Article 178 (a)
  92. Article 178 (1)(b)(i)
  93. Article 178 (1)(b)(ii), (2)
  94. Article 102 (5)(b)
  95. Article 102 (2)(a)
  96. Article 138(1)(b), (2)
  97. Article (1)(a), (2)
  98. Article 206 (6)
  99. Article 178 (1)(f)
  100. Article 227
  101. Article 165
  102. Article 179
  103. Article 208
  104. Article 227 (7)
  105. Article 227 (2)
  106. Article 227 (3), (4)
  107. Article 227 (5), (6)
  108. Article 227 (8)
  109. Article 227 (5)
  110. Article 247 (1)
  111. Article 227 (10)
  112. Article 228 (4), (5)
  113. Article 245 (1)
  114. Article 246 (1)
  115. Article 246 (2), (3), (49
  116. Article 256 (5), (6)
  117. Article 247 (4)
  118. Article 99 (1)
  119. Article 99 (2)
  120. Article 99 (2)
  121. Article 99 (4)
  122. Article 100
  123. Article 177 (1), (2)
  124. Article 263 (4), (5)
  125. Article 99 (5)(a)
  126. Article 99 (5)(b)
  127. Article 99 (6)
  128. Article 99 (8
  129. Article 102 (5)
  130. Article 102 (2)(a)
  131. Article 102 (6)
  132. Article 107
  133. Article 107 (1)
  134. Article 107 (4)
  135. Article 108 (1), (2), (3)
  136. Article 108 (4)
  137. Article 108 (4)
  138. Article 108 (5)
  139. [1]
  140. Article 99 (1)
  141. Article 193 (4)
  142. Article 99 (9)
  143. Article 198 (1)
  144. Article 253 (2)
  145. Article 255 (5)
  146. Article 253 (7)
  147. Article 253 (4)
  148. Article 253 (4) (a), (b)
  149. Article 253 (5)
  150. Article 253 (9), (10)
  151. Article 253 (11)
  152. Article 253 (1), (3)
  153. Article 253 (3)
  154. Article 253 (3)
  155. Article 253 (8)
  156. Article 255 (6)
  157. Article 253
  158. Article 253
  159. Article 254 (3)
  160. Article 254 (4)
  161. Article 154 (5)
  162. Article 255 (7)
  163. Article 129
  164. Article 130
  165. Article 102
  166. Article 104
  167. Article 106
  168. Article 130 (2)
  169. Article 129 (2), (3), (4), (5)
  170. Article 129 (2)
  171. Article 129 (3)
  172. Article 130 (3)
  173. Article 129 (4)
  174. Article 129 (5)
  175. Article 130 (2)
  176. See Intelligence sharing between the UK and the USA, Open Rights Group 2017