Investigatory Powers Act 2016/Investigatory Powers (Technical Capability) Regulations 2017

This is a summary of the content and issues we have seen on a first look at the leaked Investigatory Powers (Technical Capability) Regulations 2017.

The document is available from ORG’s website.

The Regulations follow on from provisions in the Investigatory Powers Act 2016, particularly sections 253 (Technical capability notices).

No obligation to consult the public

The Secretary of State is in fact not under any obligation to consult the public, but instead must consult only a small selection of organisations listed in Section 253 (6) of the Act:

(6) Before making any regulations under this section, the Secretary of State must consult the following persons—

(a) the Technical Advisory Board,

(b) persons appearing to the Secretary of State to be likely to be subject to any obligations specified in the regulations,

(c) persons representing persons falling within paragraph (b), and

(d) persons with statutory functions in relation to persons falling within that paragraph.

The regulations will be laid before Parliament under the affirmative resolution procedure.

Overview of the leaked document

The leaked document is a draft instrument that sets out regulations to enforce Section 253 of Investigatory Powers Act (the Act), which provides for “technical capability notices (TCNs).”

A TCN is a notice that imposes certain obligations on both telecommunications and postal operators, including mobile phone companies and postal service company. The regulations attempt to clarify what kind of obligations will be placed on operators under the Act.

In the Draft, the Regulations comprises three Schedules:

• Schedule 1 concerns warrants under Part 2 ([Targeted] Lawful Interception) or Chapter 1 of Part 6 (Bulk Interception Warrants),
• Schedule 2 concerns the authorisations under Part 3 (Authorisation for Obtaining Communications Data) and the warrants under Chapter 2 of Part 6 (Bulk Acquisition Warrants)
• Schedule 3 applies to the warrants under Part 5 (Equipment Interference Warrants) or Chapter 3 of Part 6 (Bulk Equipment Interference Warrants). Schedule 1 and Schedule two consists of two Part and in both cases Part 1 applies to telecommunications operator and Part 2 applies to postal operator.

Who would be affected

The draft states that obligations under the Regulations therein would be placed on “relevant operators,” which comprises both postal operators and telecommunication operators. Of the two kinds of operator, the postal kind is relatively straightforward and easy to understand while the telecommunication definition is less clear and needs a close examination of the Act to unpick precisely who is potentially affected.

Meaning of “telecommunication operators”

Article 263^[1], entitled “General definitions” does not contain the definition of telecommunications operator as the subject of IPA. Instead, Article 261 (10) of the Act defines this term:

“Telecommunications operator” means a person who—

(a) offers or provides a telecommunications service to persons in the United Kingdom, or

(b) controls or provides a telecommunication system which is (wholly or partly)—

(i) in the United Kingdom, or

(ii) controlled from the United Kingdom.^[2]

Telecommunication service means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system.^[3] For the purpose of the Act, this service does not have to be provided by the person who actually offers it to the customers. In other words, the subcontractors are not exempt from the obligations imposed by the Regulations and the Act, even though the services they are offering and managing might not be their own.^[4] The subsequent paragraph 12 adds that "facilitating the creation, management or storage of communications transmitted, or that may be transmitted" by any telecommunication services falls into "telecommunication service."^[5] Thus, you may become a "telecommunication operator" if your business involves e.g. offering e-mail account (which does not have to be developed by your own business) and data/file storage or management service.

Telecommunications system means a system that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.^[6] System here includes apparatus, which includes any equipment or device and wire and cable.^[7] The same system could be placed wholly or partially within the UK and elsewhere.^[8]

Overseas operators

Section 253^[9] states that overseas operators may be instructed to implement a TCN:

A technical capability notice may be given to persons outside the United Kingdom (and may require things to be done, or not to be done, outside the United Kingdom).

Scope of the Draft

Article 261 (10) (a)^[10] covers traditional telecommunication service providers, i.e. telephone and mobile companies. Taken together with (12) of the same Article(12) of the same Article, the regulations would also be aimed at ISPs, which just hold a platform for users to transmit, store, and download files. Note that in this case the scope of the application is limited to where the person involved in the communications is physically in the UK.

In turn, Article 261 (10) (b)^[11] envisages to cover a wider range of systems that enable the said communications irrespective of the location of it. Moreover, the word system here is rather broadly understood, crudely covering every and each single piece of facilities necessary for telecommunications. For the operator, one does not have to be in the UK but only operating from overseas using systems in the UK is enough to be regulated by the Act.

The Draft of Regulations on Technical Capability Note therefore shows that the UK government is trying to create the ability to monitor any or all of its citizens’ telecommunications. Even if the company potentially affected by the Act have moved their office and/or branches outside the UK, this does not amount to the avoidance of obligations under the Act.

There is a further distinction between public and private telecommunications system, but so long as Draft is concerned, this seems not to be relevant.

Exclusions from TCNs

Telecommunication operators whose services only relates to banking, insurance, investment or other financial services are excluded from the scope of the application of the Regulations.

Part 1 of Schedule 1 and Schedule 3 are applicable to telecommunication operators only if the number of their customers exceeds 10,000. (p.2, para.9 of the Draft)

Obligations imposed on operators and related problems

Relevant operators, whether they are dealing with postal or telecommunications services, have to take measures as required and in conformity with any TCN aimed at them. However, the Draft illuminates the intention of the government and generates several concerns.

”Real-time” surveillance is envisaged

Telecom operators have to be able to intercept at the email correspondences and the telephone conversations, which are to be handed to the government within 1 working day subsequent to its request.(Schedule 1, para.1) This applies to communications data but also all kinds of secondary data which enable and facilitate the identification of the senders and recipients (Schedule 1, para.4), for instance a phone number.

The government may oblige them to have the capacity to simultaneously intercept or obtain secondary data from the communications of the users of their services, up to 1 in 10,000 populations.(Schedule 1, para.9)

Removal or bypassing of encryption is encouraged

Government want, where possible, to acquire real time information concerning targeted communications (Schedule 1, para 4). To this end, the government could require operators to create so-called “backdoors” in end-to-end encryption (Schedule 1, para 8). This would most likely be re-engineering of software, to bypass e2e encryption, rather than weakening it in transit. While this might aid detection of crime, neither the act nor the draft regulations make any attempt to outline what balancing of risks to end users might be made.

Operators will be asked to provide spying tools

The government can ask the operators to ensure and maintain the necessary apparatus, systems or other facilities or services are in place.(paras.2- 4 of Schedule 1-3) Also, the government can require them to break the encryption so that the information and data could be handed over to it as specified in TCNs.(Schedule 1, para.8, Schedule 2, para.9, and Schedule 3, para.6)

This echoes the calls made by Amber Rudd^[12] after the recent incident in London where the perpetrator was using an encrypted messaging service, WhatsApp,^[13] although the power predates the incident; and the message was recovered by breaking into the phone.

Government can determine future technological changes

The speed at which technology develops in this field is rapid as already recognised.^[14] Prior to the current Draft, several the other drafts of code of practices were published on the Government website^[15] Among them, one draft about on the interception of communication ^[16] provides that once they have received TCNs, telecommunication operators;

must notify the Secretary of State of changes to existing telecommunications services and the development of new services and relevant products in advance of their launch,

so that Government can modify the obligation owed to them under the TCNs where necessary.

This is true of an upgrade and alteration of the existing systems specified by TCNs.^[17] These duties are reiterated in the Draft, so all telecommunication operators given TCNs bears the duty to report any changes in services targeted.^[18]

Cross Border Surveillance

TCNs may be given to persons outside the UK. There is also potential for them to be used for cross-border surveillance purposes.

Article 136(2) ^[19] of the Act provides that Bulk Interception Warrants may be issued for the purpose of (a) the interception of overseas-related communications and (b) the obtaining of secondary data from such communication. Overseas-related communications means communications sent or received by individuals who are outside the UK. ^[20] If the operators do not normally take possession of such data but are able to do so, it can be acquired through warrants under Article 158^[21]

Article 176^[22] provides for Bulk Equipment Interference Warrants in order to obtain overseas-related communications, overseas-related information, and overseas-related equipment data (Article 176 (1)(c) of the Act). Overseas-related information means any information on individuals outside the UK (Article 176(2) of the Act). Overseas-related equipment data means any data which may assist in identifying the persons concerned in targeted communications or related to overseas-related communications or/and data (Article 137(5).^[23],176(3)^[24], and 177^[25])

Each Schedule reaffirms that the operators are obliged to ensure and maintain their capacity to carry out the obligations specified in the warrants and authorisation (paras.2-3 of Schedule 1-3).

The meanings of Overseas-related communications, information, or equipment data could be interpreted very widely, so that any piece of information about anything in relation to other countries is included, because of the absence of specific conditions or limitations.

The Act appears to put these obligations to collect overseas information on overseas companies, if they are subjected to a TCN (and therefore have 10,000 or more UK users and do not fall under the exemptions for financial services).

The effect of the legislation seems to be to allow the government to select and monitor whatever communications are sent and received by whomever from wherever, so long as a TCN is present, they deem it necessary and it is accompanied by the appropriate warrants.

Post is also included

Similarly, postal operators are also required to intercept and obtain secondary data and hand over the data acquired in accordance with a warrant to the government within 1 working day.(Schedule 1, para.15 and 16) They can be asked to develop capabilities to open, copy and reseal any postal item.(Schedule 1, para.17)

Other concerns

Not enough safeguards available

Pursuant to the Article 57 of the Act,^[26] drafted regulations also state that the risk of unauthorised disclosure should be minimised. However, the substances of the Regulations regarding this duty do not appear to be satisfactory.

No remedy available

It is unclear how an operator might appeal, or on what grounds. As there are no criteria set out in the regulations that would help understand the risk assessment, the role of the Surveillance Commissioners appears to be limited to agreeing whether a TCN is "feasible” or not. Yet a TCN could be perfectly feasible, but impose unacceptable risks to customers or the company.

There is nothing in the Act which explains how a decision made by the SoS and ratified by a Commissioner might be appealed.

It is also unclear how an individual who is exposed to risk or suffers from poor decisions made in implementing a TCN might complain.

No transparency

The Draft is being discussed through a “targeted consultation,” which is by its nature not open to the public to comment.

While interception of communications and the acquisition of secondary data needs to be carried out clandestinely, it also needs to be carried out in a fully accountable and democratic manner that allows for review by oversight bodies and in broad terms by the public. The lack of specific information may therefore contravene the judgement in Huvig v France^[27], ECtHR which holds that "domestic law should offer sufficient protection against arbitrary infringements of the rights guaranteed by Article 8" of the ECHR (para 53).

References