techUK Proposed Amendments on the Investigatory Powers Bill
October 2016
Third Party Data
Third party data is defined in the Draft Codes of Practice as data that a Communication Service Provider (CSP) is able to see “in relation to applications or services running over their network, in the clear, but does not process that communications data in any way to route the communication across the network” (Draft Communications Data Code of Practice, 2.71).
The Home Office has been unequivocal that such data would not be included in the Bill. During Committee stage, the Minister reiterated that “the Home Secretary (had) given a clear commitment that we will not require a telecommunications operator to retain third-party data” (Earl Howe, House of Lords, 19 July 2016).
Whilst this commitment is also set out in the Communications Data Draft Code of Practice (Paragraph 2.61), Clause 58(5)(c) of the Bill states that:
“An authorisation … may, in particular, require a telecommunications operator who controls or provides a telecommunication system to obtain or disclose data relating to the use of a telecommunications service provided by another telecommunications operator in relation to that system”.
This Clause creates confusion for industry and does not make it explicitly clear that companies will not be required to retain third party data if it is not reasonably practicable for them to do so.
Suggested Amendments
Clause 58(5)(c) should be amended to state that:
“(An authorisation) may, in particular, require a telecommunications operator who controls or provides a telecommunication system to obtain or disclose data relating to the use of a telecommunications service provided by another telecommunications operator in relation to that system only when the telecommunications operator already retains such data for regular business purposes”
A new clause should also be inserted after Clause 83(2), reading as follows:
“A retention notice may not require a telecommunications operator to retain any third party data, unless that third party data is retained by the telecommunications operator for their own business purposes.”
This amendment is designed to:
Make explicit the Government’s stated intention that it does not require the retention of third party data, and put this commitment on the face of the Bill.
Extraterritorial Jurisdiction
The Bill currently provides UK agencies with several options to seek data from overseas providers, including Mutual Legal Assistance Treaties (MLATs), MLAC, international agreements (of the kind recommended by Sir Nigel Sheinwald) and straightforward service of a UK warrant extraterritorially. The Bill does not direct agencies as to which power to use and under what circumstances.
Suggested Amendment
A new clause should be inserted after Clause 39(4) which should state that:
"(4A) If a copy of a warrant served on a person outside the United Kingdom is within the scope of an international mutual assistance agreement then:
(a) the copy of the warrant must be indorsed with a statement that it is served pursuant to such agreement;
(b) the intercepting authority must act in accordance with such agreement;
(c) without prejudice to section 41(4) a telecommunications operator who takes reasonable steps to co-operate with the intercepting authority pursuant to such agreement shall be deemed to have fulfilled the duty imposed by section 41(1)"
This amendment is designed to:
Ensure that, where a warrant falls within the scope of an international agreement between the UK and a foreign government, the requesting agency is bound to notify the receiving operator and to follow the terms of the agreement, thereby establishing such agreements, where they exist, as the primary route by which UK agencies request data from overseas operators.
Equipment Interference
techUK welcomes the amendments made during Committee stage which require authorities to consider security and resilience issues before granting an Equipment Interference warrant. However, some concern remains within industry as to the consultation process that takes place when companies are issued with an Equipment Interference warrant.
For example, although companies are consulted when issued with National Security and Technical Capability Notices, and are therefore able to highlight any serious security and service concerns they may have, they will not currently be consulted in advance of being issued with an Equipment Interference warrant.
It remains unclear what would happen if a CSP complies with an EI warrant and this in turn causes a wider security breach and/or a “take-down” of service. This could lead to reputational damage, reduced confidence in digital services and potentially to fines from Ofcom under s105A-D of the Communications Act 2003.
The CSP in such a scenario would also be unable to discuss the reasons for any security breach caused by an EI warrant with Ofcom, and the CSP would be reliant on obtaining the consent of the Secretary of State on a case-by-case basis – which may not be forthcoming. If a company discloses the reasons for the failure to Ofcom, as it is obliged to do under s105A-D of the Communications Act, it could be committing a criminal offence under the IP Bill. If it does not disclose, it could be fined by Ofcom.
This is an untenable position for the CSP and should be dealt with either on the face of the Bill or in associated Regulations or Codes of Practice, to make clear that the CSP can make disclosures to appropriate security cleared or senior personnel in Ofcom.
Suggested Amendments
A new clause should be inserted at Clause 120 that states that:
“Before serving a telecommunications operator with a copy of an equipment interference warrant under this section, the relevant implementing authority must consult the telecommunications operator likely to become subject to any obligations specified in the warrant”.
This amendment is designed to:
Require public authorities to consult telecommunications operators prior to a relevant authority serving a copy of a targeted or bulk Equipment Interference warrant.
Suggested Amendments
A number of new clauses should be inserted after Clause 120(6) that state that:
“(7) A telecommunications operator may, within such period or circumstances as may be provided for by regulations made by the Secretary of State, refer the warrant to the Secretary of State. There is no requirement for a person who has referred a warrant under this subsection (7) to comply with the warrant, so far as referred, until the Secretary of State has reviewed the warrant in accordance with subsection (8).
(8) The Secretary of State must review any warrant so far as referred to the Secretary of State under subsection (7).
(9) Before deciding the review, the Secretary of State must consult—
(a) the Technical Advisory Board, and
(b) the Investigatory Powers Commissioner.
(10) The Board must consider the technical requirements and the financial consequences, for the person who has made the reference, of the warrant so far as referred.
(11) The Commissioner must consider whether the notice so far as referred is proportionate.
(12) The Board and the Commissioner must—
(a) give the person concerned and the Secretary of State the opportunity to provide evidence, or make representations, to them before reaching their conclusions, and
(b) report their conclusions to—
(i) the person, and
(ii) the Secretary of State.
(13) The Secretary of State may, after considering the conclusions of the Board and the Commissioner—
(a) give a notice under this section to the person stating that subsection (1) or (2) should not be complied with, either in whole or in part, or
(b) give a notice under this section to the person confirming that subsection (1) or (2) should be complied with, either in whole or in part.”
These amendments are designed to:
Enable a telecommunications operator to appeal to the Secretary of State if it believes that, although reasonably practicable to take such steps, assistance with implementation of an Equipment Interference warrant (targeted or bulk) would compromise the integrity, security or availability of a telecoms network.
Suggested Amendments
A new clause should be inserted at the end of Clause 124(3) that states that:
“(d) a disclosure made by a telecommunications operator to a designated person within the Office of Communications (Ofcom).”
A new clause also should be inserted at the end of Clause 126 that states that:
“‘designated person’ means the CEO of the Office of Communications (Ofcom) and such other persons within Ofcom as may be designated within regulations made by the Secretary of State.”
Clause 228(8), page 176, at the end of line 42 insert:
“which may be set out within regulations made by the Secretary of State.”
Clause 228(12), page 177, at the end of line 14 insert:
“but notwithstanding subsection (8) such a person may disclose the existence of a notice to a designated person as such term is defined in Clause 126.”
These amendments are designed to:
Enable a telecommunications operator to disclose the existence and impact of Equipment Interference warrants and National Security Notices to Ofcom. This is essential since an Equipment Interference warrant could potentially introduce security vulnerabilities into a telecoms operator’s network and/or result in services to end users being compromised, and National Security Notices could potentially require services to be shut down. Either outcome would put the telecoms operator in breach of its obligations under s105A-D of the Communications Act 2003 and could result in significant fines.
Encryption
techUK welcomes the debate in the Lords regarding the effect that provisions in the Bill, particularly technical capability notices, will have on the use of encryption, including end-to-end encryption.
We are encouraged to hear the Minister stress the importance of encryption in order to keep data secure. Ministers have confirmed that the use of encryption will bear on the Home Secretary’s decision on whether a technical capability notice would be “reasonably practicable”. This assessment of whether a notice is reasonably practicable will also take into account technical feasibility and cost, as well as any conflicts of law for overseas providers.
The Minister was, however, particularly vague on what the Government expected a CSP to do if its service was encrypted end-to-end, stressing that companies should “maintain the ability” to remove encryption. Therefore, despite the assurances mentioned above, it would seem that the Government wishes to leave open the possibility of requiring a provider to remove end-to-end encryption. Companies still require legal certainty, and this can only be provided by introducing further safeguards regarding encryption on the face of the Bill.
Suggested Amendments
Clause 231(4) should be amended to state that:
(4) In the case of a technical capability notice that would impose any obligations relating to the removal by a person of electronic protection applied by or on behalf of that person to any communications or data, in complying with subsection (3) the Secretary of State must in particular take into account the technical feasibility, and likely cost, of complying with those obligations. Should the consultation under subsection (2) clearly establish that the removal of electronic protection applied by or on behalf of the person concerned would require using technical means which that person has no lawful access to or no effective control of, the Secretary of State should refrain from giving the notice.
Furthermore, Clause 231(9) should be amended to state that:
(9) A person to whom a relevant notice is given must comply with the notice, unless the person can prove that, in line with the conclusions of the consultation under subsection (2), it does not have lawful access to or effective control of the technical means to comply with the notice.
This amendment is designed to:
Ensure that a company cannot be required to remove encryption when it is not in possession of the technical means to remove encryption from its services.