Investigatory Powers Bill: The Juicy Bits
4 November 2015
At last the UK government today published the draft Investigatory Powers Bill, after about a week of carefully crafted briefings aimed at managing opinion, and even dissent. The document comes bundled with a lot of supplementary material, purporting to be from “A Guide” to “Explanatory Notes”. As Richard Clayton advised me a while back: don’t read them! Those are simply smoke-and-mirrors, designed to mislead, provide material for lazy journalists and confuse the reader — the only thing that has legal validity is the law itself on pages 35-227.
The good news is that I read through those 181 pages, and extracted the “juicy bits” from a technology public policy point of view. I am no lawyer, and am not as much interested in the fine print of the law. I am interested in the capabilities that the government wants to grant itself when it comes to, basically, attacking computers and telecommunication systems — with a view to understanding the business of policing and intelligence. So here are my notes…
- Part 1 is the carrot: it creates a number of offenses in relation to anyone intercepting communications without a warrant (but not providers of course), and public officials abusing access to communications data. Given the secrecy governing interception, the difficulty of detecting unauthorized interception through hacking, and the nation state adversaries likely to mount it, this whole section is cute but makes no difference to the threat landscape. Whatever.
- However 10(1)(b) contains a gem: it states that the spooks cannot hack (an offence under the Computer Misuse Act) without a warrant, unless there is no “British Islands” connection! This means for example that a GCHQ operation in Iraq, in support of a local operation, might not need a warrant. It is unclear to me whether there is a prohibition on exfiltrating data from such an operation back to the UK — 10(2)(a) does not make that clear.
- 10(3)(b) Of course with a warrant for “Equipment interference” they can hack anywhere.
Part 2 deals with access to communications content, or Interception, through “Targeted Interception Warrants”. These do what you expect: they allow telecommunications operators and services to be compelled to hand over content and the associated communications data.
- 12(3) Interestingly there is also the introduction of a “Targeted Examination Warrant”, which allows for the extraction of content from data collected using a “Bulk Interception Warrant”. The word “bulk” is key throughout the bill, and it is only through some mysterious psychological trick that the UK political establishment can still pretend this bill is not about mass surveillance.
- 12(8) Lists what communications data are to be intercepted: they include senders, receivers, equipment identifiers, service identifiers, events, locations, etc.
- 13(2)(b) Tells us that whole organizations, or even loose groups that share a common purpose may be targeted by a warrant in one go.
- 13(2)(c) It also tells us that a warrant may be issued for the purposes of Research and Development of interception kit. Presumably the need for training sets for machine learning models, or even ground truth sets for their evaluation, could be justified under this provision.
- 14(3)(c) Maintains as grounds for issuing a warrant the “Economic well-being of the United Kingdom”, but only in relation to national security. So presumably bugging the EU and trade summits is still OK. However 14(4) clarifies that economic espionage is only applicable to getting information about persons or acts outside the British Islands. I guess this means no domestic economic intelligence gathering.
- 14(6) States that proportionality, when it comes to national security and prevention of serious crime, needs to take into account whether the data could be otherwise obtained. But not when it comes to economic espionage. Ok.
- 16 is a bone to MPs who recently learned their communications are no safer than anyone else’s: the Prime Minister themselves has to sign off warrants for their interception. I am sure opposition MPs feel much better now.
- 23(7) Further explains what it means to issue a warrant for “testing and training” activities. Basically it can relate to the development of apparatus or systems for the interception of communications. Again this provision seems to be in place to test live systems, or to collect data to calibrate interception systems, and encompasses training machine learning models.
- 31 relates to the duties of telecommunication operators to assist in implementing interception warrants, and also other warrants. It is super-hot!
- 31(3) States that operators must help, even if they are not in the UK.
- 31(4) and 31(5) state that these operators do not need to take any steps that are not reasonable, such as breaking foreign laws (31(5)(a)).
- 31(6) is the “backdoor activation” clause, and applies across all warrants: it states that if the operator was told to implement mechanisms to facilitate the servicing of warrants (Section 189), then asking them to service the warrant is considered reasonable.
- 31(7) Failing to comply with a warrant might send you to jail for 12 months, though civil proceedings are also available (31(8)).
- 39 is also a gem: it allows UK telecommunication operators to respond to foreign requests subject to the existence of a high-level bilateral agreement, and without a UK warrant.
- 43 Makes it clear that interception warrants should remain secret, and (42) intercepted material should stay out of the courts.
- 45(4) States that the definition of telecommunication operator is as in (193). Don’t hold your breath, there is nothing particularly illuminating awaiting us there.
Part 3 deals with notices for obtaining communications data. These, as you expect, are all data that are not about the “meaning” of the conversation in a wide sense — including all meta-data (sender, receiver, location, equipment, and more).
- 46 is the money section, spanning 2 pages, and dealing with authorization.
- 46(1)(b)(ii) Again lists, among the grounds for getting communications data, the need to develop systems and test them. This clause would cover collecting data for training models.
- 46(2)(a) States that the warrant allows an officer to collect the data from “any person”. So, for example, it would be fine under this definition to collect the data from the operator, or anyone else: a friendly intelligence agency, or even a hacker (see 46(4)(c) too). However, the powers for bulk communication data collection later make this seem nearly benign.
- 46(5)(c) Clarifies that an operator may be required to collect communications data from another operator. Just to deal with the layered nature of the internet, if nothing else.
- 46(7) Lists the reasons for collection — they are extensive and include the prevention of disorder.
- 47(4) Seems to provide a low bar for doing “directory lookup” and “reverse directory lookup” through “internet service records”, namely trying to trace the services used by known people, and the identity of people using known services.
- 47(7) Defines what “internet service records” are.
- 50(1) states that telecommunication operators must comply with notices for communications data.
- 51 establishes The Filter – our old friend from the previous round of failed legislation.
- Basically 51(1) states that the Secretary of State can create an infrastructure, to help with the provision of access to communications data, 51(2) by asking operators to give a lot more data to the filter, and then the filter returning only the necessary data to fulfill the notice. This is in effect enabling a centralized traffic data retention, management, processing regime. In conjunction with the bulk communication data access later, it paints a bleak picture of the future.
- 52(2) States that a notice should specifically say that the filter may be used. And then it can be used to fulfill the request.
- 53 tries to convince us that the data held by the filter will be secured. Not sure how. Whatever.
- 61 is a bone to civil society: it states that a commissioner should approve any communication data request to unveil a journalist’s source. I am sure that this very special case will be used to gain as much good faith as possible from that profession. And probably to imply (as in the Guardian article) that other professions are also protected. They are not.
- 69 establishes the extra-territoriality of Part 3 — foreign operators can be issued notices for communication data.
Part 4 deals with notices to retain communications data. This is basically the EU data retention directive (declared incompatible with Human Rights law) on steroids.
- 71 states that one or more providers, or whole categories of them, can be asked to retain data for up to 12 months (71(3)).
- 71(9) lists the types of data that can be retained: senders, receivers, time, duration, type, method, pattern (!), the systems used, location, IP address or other identifiers. Notice that “Pattern” figures in the list, and I take it as a sign that more complex traffic analysis is on the horizon.
- 77(2) states that these notices are secret! Which makes this legislation even worse than the data retention directive: at least it provided certainty about which services and what data were to be retained.
Part 5 deals with “equipment interference”, a soft euphemism for hacking private equipment. Warrants can be issued to enable the security services and police to do that.
- 81 establishes the targeted equipment interference warrant (“licence to hack”) including the ability to then get communication, communications data and “equipment data”.
- 81(9) Establishes a targeted examination warrant for examining material sourced from a bulk equipment interference warrant (see Part 6 Chap 3).
- 82 tries to elucidate “equipment data” and largely fails, as “anything facilitating the functioning of a system”, i.e. anything around the device. And somehow related to a communication? Maybe.
- 83 explains what kind of equipment can be targeted. Besides the obvious, all equipment associated with a specific activity can be targeted (83(f)). 83(g) seems to allow for authorizing the hacking of hacking infrastructures. Is that an authorization to counter-hack? Interesting.
- 85 states that the Prime Minister themselves needs to authorize the hacking of MPs. Well, that is a relief. I wonder if that covers their aides or spouses. I think not.
- 89 deals with issuing hacking warrants to the police.
- 101(1) states that a telecommunication operator, either in the UK or outside (100(2)), must help with the hacking according to the instructions on the hacking warrant.
- Furthermore 102 makes it an offence to disclose the hacking warrant, in effect gagging them about their role in the hacking.
- 104(1) states the UK police can only hack things with a UK connection.
- 105(1) defines communication, that can be collected by the warrant, as anything, including cyber-physical systems.
Part 6 deals with “all things bulk”, namely bulk interception, bulk acquisition, bulk interference, and bulk data sets. It is, in effect, clearly legalizing the existing mass surveillance practices of GCHQ and other agencies.
- 106 defines the purpose of bulk interception warrants to target overseas communications, where at least one end of the communication is abroad (106(3)).
- 106(4) These can then be used to collect content, meta-data, select further communications and disclose them to specific people.
- 107(b) states that the purpose must be national security, and also specifies that if overseas providers need to cooperate their needs must be considered (107(1)(f)).
- 108 gives more explanation about the need to consider the needs of overseas operators that will be called to implement bulk interception warrants. I presume this is in order to safeguard the reputation of UK telcos, like Vodafone, by considering the risks they face if found to provide such capabilities to the UK.
- 116(5) States that telecommunication operators, even abroad, have an obligation to cooperate with bulk interception warrants. This points to the infamous Sections 30 and 31 from earlier.
- 118 Has provisions for transferring the bulk intercepted data overseas, presumably as part of a five-eyes type agreement.
- 119 limits the selectors that may be used on the bulk intercepted material. For example 119(4) seems to restrict the selection of UK persons.
- 121(2) Is a cheeky one: it defines “examination” as a person looking at, listening to or reading the intercepted material. This leaves the door open for automated mass surveillance systems like Tempora, without restrictions on examination.
- 122 deals with the issuing of bulk acquisition warrants. Those allow the collection of masses of communications data from telco operators in bulk. In fact it compels telecommunication operators to disclose such data in bulk.
- 130 again specifies extra-territorial duties for operators to comply, as well as links to provisions for building in equipment to comply.
- 133 Makes it an offence to disclose a bulk acquisition warrant. This means that data can be lifted in bulk and no one can know about it.
- 135 Has provisions for bulk equipment interference. This is interference with equipment, mostly abroad, at a mass scale to facilitate access to communications, meta-data and equipment information (135(1)(c)).
- 145(4) States that operators must comply with instructions to help in the implementation of bulk equipment interference warrants. Oh, Joy.
- 148 Makes it an offense to disclose such an activity or warrant.
- 149(2) is again cheeky: it defines examination as reading, looking or listening by a person, rather than a machine — excluding from the definition automated computer attack scripts.
- 150 weirdly has provisions for the handling of bulk personal data sets. These warrants allow the security services to handle and process data sets involving personal information of non-targets. However it does not seem to impose obligations to hand such data sets over to them. It does not contain the usual compulsion powers on providers. Thus I am puzzled, and I leave it up to someone else to figure out what this is about.
The miscellaneous provisions have a few gems buried in them:
- 184 states that different warrants may be combined as defined in schedule 7. This combines interception and equipment interference warrants, for example.
- 185 Specifies that telco providers may be paid to service warrants.
- 186 states that “compliance systems” may be commissioned and used. Presumably this is the provision that allows the Secretary of State to outsource and build the Filter, e.g. a centralized repository of communications data, or other infrastructures.
- 188 Has provisions for “National security notices” on telecommunications operators asking them to do anything, in case of national emergency or to help the intelligence agencies.
- 189 Is about building back-doors into telecommunication systems. 189(3) states that regulations can impose obligations to provide facilities or services 189(4)(a), install specific equipment 189(4)(b), remove electronic protection 189(4)(c), etc.
- 189(8) specifies such back-door facilities can be imposed on non-UK operators too.
- 190(8) creates a gag order around the fact that such back-doors were put in place.
- 190(11) clarifies that capabilities may relate to interception, bulk interception or communication data access.
- 193 Defines communications as any messages between people or things, including cyber-physical commands.
- 193(6) is the one sentence that all the news, and briefs, were about: it states that by definition, when it comes to web-browsing, the service accessed is “not content”, but communications data. To me it feels out of place, and I would not be surprised if it turns out to be a sacrificial clause: the one that will be struck off as a concession to civil society pressure.
- 193(10) defines a telecommunications operator as anyone providing a telecommunications service. In turn, 193(11) defines such a service as one that makes use of a telecommunication system; finally, in 193(13), a telecommunication system simply makes use of some form of electromagnetic or electric means to transmit communications. I read this to mean: anything that can send or receive data, by means other than carrier pigeon (those are postal services, defined separately).
- 195(1) Quote: “data” includes any information which is not data,
I skipped here all the tedious, and historically ineffectual, provisions around tribunals and commissioners. The tl;dr is that the whole zoo of commissioners is replaced by a single one.
(Many thanks to Wendy M. Grossman for editing suggestions)