A Peek Inside the UK’s Investigatory Powers Bill
After more than six months of speculation, the draft Investigatory Powers Bill (“IPB”) was introduced in the House of Commons by Home Secretary Theresa May. With the draft IPB (dubbed the “Snooper’s Charter” by critics), the UK government is attempting to clarify, consolidate, and update the government’s surveillance authorities, which are currently a patchwork of ten laws. This revision to the use and oversight of investigatory powers is the result of nearly 200 recommendations made by three independent reviews over the last year. Along with the IPB, the Home Secretary also issued a “Guide to Powers and Safeguards” which describes the status quo, explains why change is necessary, and summarizes the changes the IPB would make. Some commentators have been surprised by the explicit acknowledgment of the UK’s existing use of bulk surveillance and “equipment interference” powers (namely, hacking).
While the IPB still has a long way to go before becoming law, understanding the potential impact of the bill is important for businesses worldwide. There are some changes to the oversight regime that may be of particular interest to UK citizens, but the provisions which could impact U.S.-based service providers with customers or users in the UK are highlighted below:
Rather than including new authorities in the IPB, the Home Office instead asserts that the Regulation of Investigatory Powers Act (“RIPA”) already requires service providers “to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the [service provider].” On its face, this requirement exempts Internet service providers from any claim that they must decrypt encrypted traffic traversing their networks. However, this does leave open the question of what happens when the encryption system is designed by the provider, but the provider does not hold the key. This obligation bears resemblance to provisions of the Communications Assistance for Law Enforcement Act (“CALEA”), which requires telecom providers to build a lawful access capability but does not require providers to necessarily decrypt communications when they do not have a key. But CALEA does not apply to information services providers (such as messaging apps) while RIPA does.
The IPB applies extraterritorially and includes authority to require providers outside of the United Kingdom to comply with interception warrants (for both targeted and bulk interception). The bill requires consideration of any conflict of laws in the provider’s jurisdiction that would render it “not reasonably practicable” for the provider to comply with the warrant. In addition, in exercising the enforcement authority granted under the proposed law against noncompliant foreign providers, the UK government must account for technical feasibility and costs of compliance.
Communications data acquisition
Similarly, the IPB asserts extraterritorial authority to compel non-UK providers to disclose “communications data” (commonly referred to as metadata in the U.S.) in response to targeted or bulk warrants. It also allows enforcement action against non-UK providers.
Additional investigatory powers
The IPB establishes legal authority, oversight, and enforcement regimes for additional investigatory powers, with accompanying obligations for service providers, but these requirements may not be enforced against non-UK providers. These powers include requirements that telecom providers retain communications data for a year and assist with “equipment interference” – which includes listening to phone calls, tracking locations, copying data and even turning on mobile phone microphones and cameras. U.S.-based providers with offices or employees in the UK technically have obligations under this section, but it does not appear that such obligations are judicially enforceable.
With the bill published, a period of intense scrutiny will begin with civil liberties groups, members of parliament, judges, and service providers exploring the intricate details of the legislation. A revised version is expected to be presented in the spring, but in 2012, a previous “snooper’s charter” (the Draft Communications Data Bill) failed after facing heavy criticism by the parliamentary draft committee for its “insufficient attention to the duty to respect the right to privacy.” The draft committee will likely encounter intense debate once again. Critics are already voicing opposition to the draft Investigatory Powers Bill, while proponents argue that the enhanced oversight regime will be “world-leading.”