Sergey Nivens - Fotolia
On 29 November 2016, the Investigatory Powers Act 2016 was given royal assent and enshrined in UK law. The act is designed to consolidate the various surveillance powers that were spread across different legislation and update them for the 21st century, while replacing the previous three surveillance commissioners with a single oversight body.
A replacement was also needed for the Data Retention and Investigatory Powers Act 2014 (Dripa) that expired on the 31 December, 2016.
“Ripa was passed in 2000, six years before the first smartphone was launched, and has no connection with how people use technology these days.”
The Investigatory Powers Act can be subdivided into three elements:
- Interception: accessing communications (telephone, email and any type of messaging) during transmission.
- Interference: accessing electronic equipment, such as computers and smartphones, to obtain communication data.
- Retention: storing internet connection records for 12 months.
These legislative powers are accessible by a variety of government departments, from GCHQ and the Ministry of Defence to the Food Standards Agency and the Gambling Commission. This is overseen by the Investigatory Powers Commission (IPC).
CSPs affected by act
Unlike previous legislation, which focused on telecommunications companies and internet service providers, the Investigatory Powers Act also includes what it terms “communication service providers” (CSPs).
CSPs will be expected to comply with a variety of demands, principal of which will be the retention of internet connection records (ICRs).
An ICR is a record of the websites, but not the individual webpages, that a person has connected to. Around 45.9 million people in the UK currently use the internet, and all of this information will need to be stored for twelve months in case a request is made to access any of these records.
In addition, CSPs should expect to be served data retention notices. Such notices require the company to disclose their customers’ communications data, which is the record of each communication by an individual without disclosing the actual content.
According to clause 66 (2) of the Investigatory Powers Act, companies will be expected to “disclose the data in a way that minimises the amount of data that needs to be processed for the purpose concerned”.
The Communications Data Code of Practice (Draft, Autumn 2016) for the Investigatory Powers Act states in section 14.3 that “a CSP with a larger customer base is more likely to receive a data retention notice”, and that “small CSPs with rapid prospective growth may receive notices in anticipation of future law enforcement requirements”.
These data retention notices will individually detail various requirements a company will be expected to meet. These can include how the data is to be transmitted, processing of the data to ensure multiple items are stored in a single record, or removing records that are of no interest.
Finally, companies should also be prepared for being served a “technical capability notice”. According to clause 253(2) of the Investigatory Powers Act, this means “imposing on the relevant operator any applicable obligations specified in the notice, and requiring the person to take all the steps specified in the notice for the purpose of complying with those obligations.”
Section 10.3 of the draft Communications Data Code of Practice clarifies these obligations, which could take the form of “removal of electronic protection” or “relating to the security of any postal or telecommunications services”.
Each of these formal notices comes with a confidentiality notice. Clause 95(2) of the Investigatory Powers Act states: “A telecommunications operator, or any person employed or engaged for the purposes of the business of a telecommunications operator, must not disclose the existence or contents of a retention notice to any other person.”
“If someone has done a bit of work, they publish it and it is incorporated into other designs. Now, you can no longer talk about what you are doing.”
CSPs will also be expected to maintain records of all the disclosures they have made. These records should include the identity of the public authority, dates when the authorisation was received, information on the origin and the exact communications data that were disclosed.
Section 10.28 of the Code of Practice states: “CSPs subject to a technical capability notice must notify the government of new products and services in advance of their launch.” Therefore, any company developing new communication technology will be expected to disclose it to the government.
The Investigatory Powers Act expects a certain level of security to be enforced. Clause 92(1) states that telecommunication operators must:
- Secure that the data is of the same integrity, and subject to at least the same security and protection, as the data on any system from which it is derived.
- Secure, by appropriate technical and organisational measures, that the data can be accessed only by specially authorised personnel.
- Protect, by appropriate technical and organisational measures, the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful retention, processing, access or disclosure.
The exact nature and extent of the security requirements are disclosed in the data retention notices. This can include requirements regarding physical security (CCTV and server cages, for example), technical security (firewalls, antivirus software), personnel security (staff security clearances and training) and procedural security (processes and controls). However, section 16.11 of Code of Practice adds that “there is no single minimum security standard”.
In addition to meeting these security requirements, companies will be expected to erase or destroy, using Home Office-approved products and suppliers, hardware that has been used to store data collected for this act.
Cost of the act
To meet the requirements of the Investigatory Powers Act, the Home Office has made “significant public funding” available to CSPs. Companies are able to apply for contributions towards costs incurred by updating their systems, especially if they need to employ additional staff to manage compliance.
Each civil service department that submit notices will be responsible for considering funding requests. However, Blessing believes the fund is insufficient to meet all of the costs, stating: “They are going to reach the point where they run out of money, and then who knows?”
These costs are likely to be passed onto customers. “They are going to have a significant cost and they cannot sell it on as a benefit to the customer,” observes security consultant Colin Tankard of Digital Pathways.
With these additional costs, companies may be disincentivised to remain in the UK. “Quite a few crypto companies have told me that they will have to move their coding offshore to avoid the risk of being forced by the government to weaken their product’s encryption,” says Strasburger. “Or [to stop] their customers worrying that the UK company might have been secretly forced to insert a back door, so, as a result, go abroad for reliable security.”
Unsurprisingly though, virtual private network (VPN) providers have been found to be flourishing. “We have seen account creations in the UK, and surrounding areas, increase by around 25%,” says Liz Kintzele, vice-president of sales and director of marketing at Golden Frog.
“With the passage of the Investigatory Powers Act, many people in the UK have become increasingly aware and concerned about their online privacy.”
A month after the Investigatory Powers Act was given royal assent, the Court of Justice for the European Union (CJEU) ruled that “European Union [EU] member states cannot pass laws that require CSPs to carry out general and indiscriminate retention of communications data and location data.”
The Home Office responded, stating that “there will be no immediate impact or changes to bulk data collection powers” and that they will appeal the decision.
“The ruling makes a statement about proportionality, since the actual requirements to capture are not specified in the act but, on the face of the notice, it is their wording that needs testing rather than the act as a whole,” says Blessing.
“Since people aren’t allowed to discuss the contents, it’s difficult to work out whether the wording of the individual notices is proportionate.”
There is also potential conflict with the General Data Protection Regulation (GDPR), which is due to become enforceable in 2018. “You are breaking the law by gathering the information under GDPR and you are liable for massive fines by this legislation that you have to capture the information,” says Tankard.
Nonetheless, companies should prepare themselves for receiving notices issued under the Investigatory Powers Act.
Companies should ensure that the relevant staff are fully informed about the act, set aside contingency funds (for example, to cover new hardware that may be needed) and consult experts about what data they are likely to be required to store.
Read more about the Investigatory Powers Act
- Civil rights organisation Liberty plans to lead a crowd-funded legal challenge to the indiscriminate state surveillance powers in Investigatory Powers Act.
- Labour’s shadow home secretary Diane Abbott says wider society must now debate the controversial Investigatory Powers Bill, despite Parliamentary approval.
- As the Investigatory Powers Bill goes through its final stages in parliament, a former GCHQ intelligence officer puts the case for the bulk surveillance powers contained in the legislation.