Challenges of complying with the Investigatory Powers Act

CSPs affected by act

Unlike previous legislation, which focused on telecommunications companies and internet service providers, the Investigatory Powers Act also includes what it terms “communication service providers” (CSPs).

CSPs are any company or service that transmits a message from one person to another, including messaging services such as Skype and WhatsApp, and online markets such as Amazon and eBay.

CSPs will be expected to comply with a variety of demands, principal of which will be the retention of internet connection records (ICRs).

An ICR is a record of the websites, but not the individual webpages, that a person has connected to. Around 45.9 million people in the UK currently use the internet, and all of this information will need to be stored for twelve months in case a request is made to access any of these records.

In addition, CSPs should expect to be served data retention notices. Such notices require the company to disclose their customers’ communications data, which is the record of each communication by an individual without disclosing the actual content.

According to clause 66 (2) of the Investigatory Powers Act, companies will be expected to “disclose the data in a way that minimises the amount of data that needs to be processed for the purpose concerned”.

The Communications Data Code of Practice (Draft, Autumn 2016) for the Investigatory Powers Act states in section 14.3 that “a CSP with a larger customer base is more likely to receive a data retention notice”, and that “small CSPs with rapid prospective growth may receive notices in anticipation of future law enforcement requirements”.

These data retention notices will individually detail various requirements a company will be expected to meet. These can include how the data is to be transmitted, processing of the data to ensure multiple items are stored in a single record, or removing records that are of no interest.

Finally, companies should also be prepared for being served a “technical capability notice”. According to clause 253(2) of the Investigatory Powers Act, this means “imposing on the relevant operator any applicable obligations specified in the notice, and requiring the person to take all the steps specified in the notice for the purpose of complying with those obligations.”

Section 10.3 of the draft Communications Data Code of Practice clarifies these obligations, which could take the form of “removal of electronic protection” or “relating to the security of any postal or telecommunications services”.

Confidentiality notices

Each of these formal notices comes with a confidentiality notice. Clause 95(2) of the Investigatory Powers Act states: “A telecommunications operator, or any person employed or engaged for the purposes of the business of a telecommunications operator, must not disclose the existence or contents of a retention notice to any other person.” 

Due to the confidentiality of these notices, companies may no longer be able to discuss certain subjects, such as network analysis and traffic management.

“The IT industry builds on what other people have done,” says James Blessing, CTO of Relish Networks and chair of the Internet Service Providers Association.

“If someone has done a bit of work, they publish it and it is incorporated into other designs. Now, you can no longer talk about what you are doing.”

CSPs will also be expected to maintain records of all the disclosures they have made. These records should include the identity of the public authority, dates when the authorisation was received, information on the origin and the exact communications data that were disclosed.

Section 10.28 of the Code of Practice states: “CSPs subject to a technical capability notice must notify the government of new products and services in advance of their launch.” Therefore, any company developing new communication technology will be expected to disclose it to the government.

The Investigatory Powers Act expects a certain level of security to be enforced. Clause 92(1) states that telecommunication operators must:

• Secure that the data is of the same integrity, and subject to at least the same security and protection, as the data on any system from which it is derived.
• Secure, by appropriate technical and organisational measures, that the data can be accessed only by specially authorised personnel.
• Protect, by appropriate technical and organisational measures, the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful retention, processing, access or disclosure.

The exact nature and extent of the security requirements are disclosed in the data retention notices. This can include requirements regarding physical security (CCTV and server cages, for example), technical security (firewalls, antivirus software), personnel security (staff security clearances and training) and procedural security (processes and controls). However, section 16.11 of Code of Practice adds that “there is no single minimum security standard”.

In addition to meeting these security requirements, companies will be expected to erase or destroy, using Home Office-approved products and suppliers, hardware that has been used to store data collected for this act.

Cost of the act

To meet the requirements of the Investigatory Powers Act, the Home Office has made “significant public funding” available to CSPs. Companies are able to apply for contributions towards costs incurred by updating their systems, especially if they need to employ additional staff to manage compliance.

Each civil service department that submit notices will be responsible for considering funding requests. However, Blessing believes the fund is insufficient to meet all of the costs, stating: “They are going to reach the point where they run out of money, and then who knows?”

These costs are likely to be passed onto customers. “They are going to have a significant cost and they cannot sell it on as a benefit to the customer,” observes security consultant Colin Tankard of Digital Pathways.

With these additional costs, companies may be disincentivised to remain in the UK. “Quite a few crypto companies have told me that they will have to move their coding offshore to avoid the risk of being forced by the government to weaken their product’s encryption,” says Strasburger. “Or [to stop] their customers worrying that the UK company might have been secretly forced to insert a back door, so, as a result, go abroad for reliable security.”

Unsurprisingly though, virtual private network (VPN) providers have been found to be flourishing. “We have seen account creations in the UK, and surrounding areas, increase by around 25%,” says Liz Kintzele, vice-president of sales and director of marketing at Golden Frog.

“With the passage of the Investigatory Powers Act, many people in the UK have become increasingly aware and concerned about their online privacy.”

Testing words

A month after the Investigatory Powers Act was given royal assent, the Court of Justice for the European Union (CJEU) ruled that “European Union [EU] member states cannot pass laws that require CSPs to carry out general and indiscriminate retention of communications data and location data.”

The Home Office responded, stating that “there will be no immediate impact or changes to bulk data collection powers” and that they will appeal the decision.

“The ruling makes a statement about proportionality, since the actual requirements to capture are not specified in the act but, on the face of the notice, it is their wording that needs testing rather than the act as a whole,” says Blessing.

“Since people aren’t allowed to discuss the contents, it’s difficult to work out whether the wording of the individual notices is proportionate.”

There is also potential conflict with the General Data Protection Regulation (GDPR), which is due to become enforceable in 2018. “You are breaking the law by gathering the information under GDPR and you are liable for massive fines by this legislation that you have to capture the information,” says Tankard.

Nonetheless, companies should prepare themselves for receiving notices issued under the Investigatory Powers Act.

Companies should ensure that the relevant staff are fully informed about the act, set aside contingency funds (for example, to cover new hardware that may be needed) and consult experts about what data they are likely to be required to store.