Understanding the ‘Investigatory Powers Act 2016’

At the end of last year, on Tuesday 29th November, the Investigatory Powers Act 2016 was passed into law after it was approved by both Houses of Parliament and the Queen granted her Royal Assent. I have found it quite difficult to find enough writing that makes it clear what the recently introduced Investigatory Powers Act really means, with references to the Act itself. As someone working in the technology industry and living in a connected world, I knew the Act would affect me, but it was not entirely clear how. I am going to explore the main facets of the Act and its possible real-life implications, making close reference to the Act as much as possible so as to keep any speculation accurate. I will make my own view clear from the get-go: I am a vehement supporter of online privacy. I believe the premise that governments and law enforcement being able to access personal information about an individual more easily in order to make them safer is a fallacy, as there are constantly data leaks from public bodies and private companies (looking at you, Yahoo!), and I believe that any move to weaken encryption makes us all more vulnerable. I do also try to reconcile this with the fact that law enforcement bodies need to do their jobs in order to keep us safe, and that having access to more information can aid them to work more effectively.

CSP / Telecommunication Operator

Before examining the Act, it is important to understand a piece of nomenclature used by the government: the interchangeable use of the terms ‘Telecommunication Operator’ and ‘Communication Service Provider’. The two terms actually mean the same thing and are just used in different contexts: the Act uses ‘Telecommunication Operator’ throughout, whereas the Codes of Practice use the term ‘Communication Service Provider’ (CSP). It is important to understand this definition because it is intentionally wide-reaching, and therefore will affect a large number of entities. Both terms are defined as:

a person who offers or provides a telecommunication service to persons in the UK or who controls or provides a telecommunication system which is, (in whole or in part) in or controlled from the UK. […] The definition of ‘telecommunications service’ in the Act is intentionally broad so that it remains relevant for new technologies. […] Internet based services such as web-based email, messaging applications and cloud-based services are, therefore, covered by this definition.

The government means for this definition to be as broad as possible in order to future-proof the Act. I would speculate that there will be some confusion as to how far-reaching this definition will go. Do cafés with free Wi-Fi come under this definition? Technically, yes. But whether or not they are affected by the law in a day-to-day operational sense remains to be seen.

Investigatory Powers Commissioner, Judicial Commissioner(s) and the Double Lock

In the Act, there are three main roles when it comes to issuing warrants:

  • Secretary of State
  • Investigatory Powers Commissioner
  • Judicial Commissioners

The Investigatory Powers Commissioner will be a judge appointed by the Prime Minister to audit and review actions or requests made by government officials pertaining to this law; their main job is to ensure the correct use of the Act.

Following the appointment of the Investigatory Powers Commissioner, the Prime Minister will also appoint ‘such number of other Judicial Commissioners as the Prime Minister considers necessary for the carrying out of the functions of the Judicial Commissioners.’ The role of these judges, as with the Investigatory Powers Commissioner, will be to grant and deny warrants.

The Investigatory Powers Commissioner has to be approved by the UK’s highest ranking judges, and the Judicial Commissioners have to be approved by the UK’s highest ranking judges and the Investigatory Powers Commissioner.

In order for a warrant to be issued, both a Judicial Commissioner and the Secretary of State need to agree on it. This is called a ‘double lock’. The idea is that this is a safeguard to ensure the new powers are not abused.

Some have argued that the double lock system does not go far enough, while others have argued that it is unnecessarily cumbersome — the efficacy of this system will only be clear after some time.

Internet Connection Records

Though the Investigatory Powers Act came into law with a surprisingly quiet media reaction, you may have seen this list being circulated, showing the various government bodies able to access your browsing data. This is probably the most popular talking point of the Act. The article is titled ‘A list of everyone who can see your entire internet browsing history’, and is lifted from the blog of Chris Yiu, a General Manager for Uber.

This is where confusion in understanding the Act arises. The section of the Act to which the list refers covers CSPs keeping Internet Connection Records (ICRs). According to this factsheet released by the government last year, and as Yiu says on his blog, Internet Connection Records are not the same as your full browsing history:

ICRs do not provide a full internet browsing history. The ICRs do not reveal every web page that a person visited or any action carried out on that web page.

The Independent is not quite correct in saying the list is ‘of everyone who can see your entire internet browsing history’, because it is slightly more nuanced than that. The way it works is that a ‘designated senior officer’ (you can see that list of people and what exact authority they have in Schedule 4, Part 1 of the Act) from those listed government bodies can approve a request to see a person’s communications data without a warrant — which Glyn Moody argues is where the double lock system falls down, as there is not even a single lock here. Communications data includes: IP address, the service accessed (e.g. Facebook), the time/date of access, and the network access provider used to view it (e.g. an ISP such as Virgin Media). The Codes of Practice describe it as:

the ‘who’, ‘when’, ‘where’, and ‘how’ of a communication but not the content i.e. what was said or written

It is important to make clear that someone from the Food Standards Agency cannot just ask their boss to see my full browsing history for a year, including the dodgy pictures I sent my girlfriend — they may be able to see that I sent an image of some sort, but not the image itself.

So under what pretence is this authorisation allowed to be made? The given list of reasons a civil servant can request to see your communications data is very broad and includes a number of reasons I find worrying; however, the main one is: ‘for the purpose of preventing or detecting crime or of preventing disorder’.

Sentences like that are where this kind of legislation falls down for me. I want nothing more than for our law enforcers to be able to catch paedophiles and terrorists, which is often cited as the reason for pushing this legislation through (see the ‘Key Facts’ section of the ICR factsheet); people do not mind having a degree of their civil liberties stripped away from them if they believe it is so the real baddies can be caught. “If you’ve done nothing wrong, you’ve got nothing to hide” is the key phrase here. Yet it is lines like that, combined with the fact that there are a number of government bodies who probably do not need to be able to access my browsing data, that lead one to question whether this legislation goes too far. I do not mind someone accessing my information if they have strong reason to believe I am going to kill someone. However, I am your typical twenty-something, liberal Londoner; I like a protest and have been going to protests for years. And disorder is key to protest, so should someone be able to see my full communications data because of that?

I doubt Joe Bloggs the Civil Servant will just present my name to his boss, tell them I am a smelly hippy and that he wants all my internet records, but (hyperbolic simplifications allowing) it is within the realms of possibility.

Interception of Communication

A step up from the gathering of ICRs is the interception of communication, aka hacking. This is the section of the Act that sets out how an authority can hack a device; it reads as follows:

For the purposes of this Act, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if: (a) the person does a relevant act in relation to the system, and (b) the effect of the relevant act is to make any content of the communication available, at a relevant time, to a person who is not the sender or intended recipient of the communication.

A ‘relevant act’ is described as:

(a) modifying, or interfering with, the system or its operation; (b) monitoring transmissions made by means of the system; (c) monitoring transmissions made by wireless telegraphy to or from apparatus that is part of the system.

In the Act, the definition of telecommunication system is a system in the UK that facilitates ‘the transmission of communications by any means involving the use of electrical or electromagnetic energy.’

Although they are slightly arduous to read, I include the full text of these descriptions to highlight just how broad the definition of interception is. The Act basically tells us that, with a warrant, any device that sends communications can be tampered with so as to allow access to the contents of that communication.

This diverges from the collection of ICRs because of how much more information is made available, but because of this it is also more difficult to request. Whereas with ICRs a civil servant would need authority only from a ‘designated senior officer’, for full-blown hacking the system is (thankfully) more complex.

In order to legally intercept communications, someone from this list of heads of agencies (note that the head of the FSA isn’t even allowed to see my texts, what a win for privacy!) has to apply for a warrant. The only people who can issue the warrant are the Secretary of State with approval of a Judicial Commissioner — therefore going through the double lock system.

The list of reasons for allowing hacking is also significantly more stringent than the list of reasons for allowing someone access to Internet Connection Records. They are: if it is in the interests of national security; if it is to prevent serious crime; or, for the economic well-being of the United Kingdom (as long as it is relevant to national security).

As ‘national security’ and ‘economic well-being’ are both vague terms, a part of me wonders if they could be used in favour of the state. For example, if this law had been in place when then-Prime Minister David Cameron tweeted “The Labour Party is now a threat to our national security, our economic security and your family’s security” after the election of Jeremy Corbyn as Labour leader, could they have legally had Corbyn’s phone or computer hacked?

Perhaps this is where the double lock will prove useful. It could be argued that by having a non-political entity, a judge who has been selected by the Prime Minister and approved by the UK’s highest ranking judges (see: importance of an independent judiciary), these political shenanigans should not be allowed. But only time will tell.

Technical Capability Notice

This is one of the most controversial parts of the Act, as it could have devastating effects on encryption. Tucked into the ‘Miscellaneous’ part of the Act, Section 253 tells us that the Secretary of State, with approval from a Judicial Commissioner, can ask a CSP for:

the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data.

This could be translated into the authorities asking a CSP to decrypt information by installing a backdoor into encryption software, and can be issued to someone in the UK or overseas.

We can see concerns surrounding the technical capability notice from the world’s leading tech companies in the written evidence submitted by Apple, Facebook, Google, Microsoft, Twitter and Yahoo when the Bill was being reviewed. They suggested that:

the Bill should recognise it will not be reasonably practicable to provide decrypted content, rather than leave this to be established on a case-by-case basis.

Anyone who followed the ‘FBI–Apple encryption dispute’ regarding the decryption of an iPhone 5c following the 2015 San Bernardino attack knows this could open a huge can of worms. Apple, supported by privacy campaigners all around, contended that you cannot just pick and choose what is decrypted. Apple made the argument that it is better for everyone if firmware with a backdoor simply does not exist, rather than it existing and being prone to human error or malice. If they made a version of the firmware with a backdoor in it, and it leaked, that would make everyone vulnerable. The point of encryption is that it should be almost impossible for anyone other than the sender and receiver to access the information.

Whether or not this is used for the purpose of ending encryption is difficult to say right now. The Act specifies that it must be ‘practicable’, and I imagine (maybe it is more of a hope) that most tech companies would argue that potentially reducing security for their whole customer base is not practicable. The other point to consider is the practicality of forcing companies to do this. The UK government would not be able to force Apple or Facebook to put a backdoor on their encryption. They could, at worst, give them a fine. But what more could they do, ban access to Facebook? Ban Apple from selling their products in the UK? It is unlikely. And because of that I feel quietly confident that a technical capability notice will not be the end of encryption as we know it.

For many privacy campaigners, this is the most worrying part of the Act largely because of its vagueness. It can be argued that government hacking, in the sense of interception, is not a new phenomenon, and that, really, it is business as usual. David Anderson QC argues that, though many are concerned about government hacking, it is ‘a widespread practice which few countries even acknowledge in their law’ and therefore the Investigatory Powers Act is positive because it allows for transparency.

One may make the point that, although some of the agencies listed as being able to request Internet Connection Records should not be there, so what if someone from the Department of Health can see that you spend all day browsing cat pictures? If it means the police can more easily catch a paedophile or terrorist, who cares?

This argument does not fully gel with me because the list of people who can access ICRs really is gratuitous and the fact that there is no need for a warrant to access this information means there is not a proper safeguard. It is also concerning because of the disastrous record government departments have with keeping data safe — there were 8,995 data breaches recorded by the 17 largest departments in 2014–15, which hardly puts one at ease.

The Investigatory Powers Act is an important piece of legislation, though not necessarily a good one. It will affect our future interactions with technology, and our understanding of privacy for years to come. I hope that the powers are not abused, that different government agencies do not unnecessarily access people’s information, and that this information is kept as securely as possible. Unfortunately, there will inevitably be data breaches and leaks, so make sure to get yourself a nice VPN hosted outside the UK when looking at dodgy websites, use an encrypted voice/messaging service for all your sassy pictures and phone calls, and use GPG/PGP encryption when emailing the cute pictures of your dogs that you do not want the government to see.