
Lessons from history for UK Home Sec Theresa May's Investigatory Powers Bill

Been there, read the law, got bulk-intercepted

By Alexander J Martin, 17 Mar 2016

“Let me be clear,” Theresa May said on the introduction of the Investigatory Powers Bill in Blighty, “the draft Bill we are publishing today is not a return to the draft Communications Data Bill of 2012.”

She was referring to the UK's previous coalition government's attempt at a Snoopers' Charter.

This was true in one respect – unlike the aborted Communications Data Bill, the Investigatory Powers Bill is very likely to become law, and to do so this year.

Contrary to the Home Secretary's claims, however, there is a clear continuity between this legislative attempt and those which have come before it.

It is the latest of successive attempts to rush into law an increase of the state's legal facilities for storing and accessing citizens' communications data.

Interception of Communications Act 1985

It was in 1984 that a case heard by the European Court of Human Rights (ECtHR) indirectly produced the UK's first surveillance law. Ruling on Malone v The United Kingdom, the Strasbourg court found that the Home Office's ongoing phone tapping activities were in breach of the European Convention on Human Rights (ECHR). The guidelines of the time were “somewhat obscure and open to differing interpretation” said the court, and as such the phone-tapping activities were determined to be not “prescribed by law”.

Following this, the government passed the Interception of Communications Act 1985 to meet its obligations under the ECHR – which said that any interference by a public authority under Article 8's right to privacy could only be that which is explicitly allowed by law.

This was the first time a British government had created legislation that dealt specifically with the interception of communications. At the time of its passing, the Bill was criticised for the balance of powers it allocated to the state, and for the lack of clarity in its drafting.

Ironically, it would actually be a matter of the 1985 Act's specificity that would provoke its repeal and the creation of a replacement.

According to the University of Oxford's Law Faculty, on Intercept Communication (PDF), the 1997 case of Halford v The United Kingdom embarrassed the government yet again when the court judged that the 1985 Act did not prescribe the interception of communications made through private telecommunications systems – such as the claimant had used – but only “a public telecommunications system” as the legislation referred to.

A new Labour Government held a consultation (PDF) in which then Home Secretary Jack Straw recognised advances in technology had pulled the carpet from beneath the 1985 Act.

Straw's consultation made public the Government's opinion: “That the law surrounding access to communications data is in need of revision,” and added that it was thus “proposing to establish a clear, statutory framework for access to communications data.”

Alas, the replacement would prove to be anything but.

The Regulation of Investigatory Powers Act 2000

The Regulation of Investigatory Powers Act 2000 (RIPA) was introduced to Parliament as a Bill on 9 February 2000. The government declared that it was, as promised, “a clear, statutory framework” regulating the State's access to communications.

The Bill, it said, would bring the UK's surveillance activities in line with the EU's view of the ECHR before the UK's Human Rights Act 1998 came into force that October – the dubious du jour cause for rushing through the legislation.

Despite these promises, the Bill was critically received by parties involved in the promotion of Human Rights. Rather than offering a welcome protection for the public, its provisions provoked criticism and concern over mandatory data decryption upon request (and prison sentences for those who had forgotten their decryption keys), the fact ISPs were obliged to intercept communications traffic (and cover the costs), and the fact it devolved to a broad number of local authorities the legal power to snoop on the public.

Amid this public outcry, and the Labour Party's large majority in the House of Commons, the Bill was assessed to be facing a significant challenge in the House of Lords, where the Conservative Party's Lord Strathclyde would describe it as "a Snoopers' Charter of a Bill," adding it was, "a Bill in which, once again, only the diligence and wisdom of noble Lords is contriving to save the Government from themselves."

Competently apprehensive of this “diligence and wisdom”, change came before the Bill reached the Lords. One particular amendment was the removal of the ability of the police to conduct surveillance on Britons' web browsing without a warrant. This was, arguably, the first appearance of what are being described as Internet Connection Records (ICRs) in the Investigatory Powers Bill.

However, many powers remained, including the Bill's core data slurping provision in section 22, which established the legal justification for the State to issue notices requesting communications data. The RIP Bill completed its Parliamentary passage on 26 July 2000, and received Royal Assent just two days later. RIPA underwrites the legality of the UK's surveillance activities to this day, despite its Parliamentary process lasting less than 170 days – including weekends and recesses.

In his 2015 report, titled A Question of Trust (PDF), the Independent Reviewer of Terrorism Legislation, David Anderson QC, stated that: “RIPA, obscure since its inception, has been patched up so many times as to make it incomprehensible to all but a tiny band of initiates.”

Part One of RIPA would now be repealed entirely under the Investigatory Powers Bill, replacing its rules on the “interception of communications and acquisition and disclosure of communications data” with a new regime for authorising and safeguarding those activities.

Ross Anderson, professor of security engineering at the University of Cambridge and current director of FIPR, said: “The current IP Bill is making clear for the first time a lot of the obscure language that was put into the RIP Bill a decade and a half ago. The government of the day was legalising things it didn't want to admit doing.”

Thanks to former NSA sysadmin-turned-whistleblower Edward Snowden we’ve learned that under RIPA GCHQ was archiving millions of Yahoo! webcam conversations, including intimate chats, just in case they turned out to be useful. “Any law that can be used to argue that such behaviour is legal is a bad law,” Anderson said.

Not all that RIPA allowed was at the super-state level. Poole Borough Council was found to have been abusing the Act since 2008 by snooping on a family to see whether they lived within a school's catchment area. The Council was subsequently found guilty of “improper use of surveillance powers” in 2010.

There have also been complaints that police forces have abused the Act to uncover journalists' sources, claims that saw the coalition government introduce the requirement that police seek judicial authorisation before accessing journalistic communications. Senior police officers, however, can still sign off their subordinates when utilising RIPA powers to pursue members of the public (including journalists) on other matters.

The Act remains the primary legislation regarding investigatory powers today, but it’s been supported by increasingly lengthy data retention rules that let authorities build ever richer datasets that they can trawl.

The Anti-Terrorism, Crime and Security Act 2001

Following the terrorist attacks on the World Trade Towers and the Pentagon of 11 September, the US government rushed through the controversial USA PATRIOT Act. It was criticised in its entirety for its suppression of civil liberties in lieu of expanding the State's security abilities, but it was Title II of the act, covering “Enhanced Surveillance Procedures” that came to be particularly criticised for allowing an unimaginable level of domestic snooping.

Similar legislation was passed in other countries around the world, but in Britain many of the powers contained in the PATRIOT Act to intercept domestic communications were already available under RIPA. The government therefore passed The Anti-Terrorism, Crime and Security Act 2001, Part 11 of which introduced the provision for ISPs to retain their customers' communications data - albeit on a voluntary basis - while also following data protection legislation.

Ben Emmerson QC said in an advice note to the former Information Commissioner in 2012 (summary here, PDF) that the Act’s data retention provision, alongside Section 22 of RIPA, could provide for potentially unlawful collateral use - that data retained voluntarily under the Act was not necessarily legally accessible for some of the more trivial snooping justifications allowed under RIPA.

Part 11 of the Act would be repealed by The Investigatory Powers Bill, consolidating its voluntary rules, and obligations under other legislative instruments, regarding the “retention of communications data”, into a new regime for authorising and safeguarding data retention by intermediaries.

EU Data Retention Directive 2006

A plenary session on retention of telecommunications data was held in the UK following terrorist attacks in Madrid and in London and during the UK's presidency of the European Council.

Hosted by Labour's third Home Secretary, Charles Clarke, the plenary session was attended by Justice and Home Affairs ministers from across the EU who took the opportunity to agree on an EU-wide Directive on data retention.

The European Council subsequently adopted a Directive that obliged member states to pass laws on the mandatory retention of telecommunications data for between six months and two years, for the stated purpose of allowing police and intelligence agencies to query those records. It would be implemented in the UK through The Data Retention (EC Directive) Regulations 2009.

The 2009 Regulations “overlapped to a large degree with the voluntary code [from the 2001 Act] but were more limited, and certainly didn't include web activity data,” according to technology law expert and partner at Bird & Bird, Graham Smith.

The Directive met with a familiar downfall. In response to a case brought by Digital Rights Ireland, the Directive was annulled in its entirety on 8 April 2014, when the Grand Chamber of the Court of Justice of the European Union (notably a separate body from the ECtHR) judged that it seriously infringed upon Human Rights.

Communications Data Bill 2008 & the Interception Modernisation Programme

It was Labour’s fifth Home Secretary, Jacqui Smith – nicknamed “Jackboot Jacqui” – who put forward the Interception Modernisation Programme (IMP) that became a Communications Data Bill in 2008.

The IMP proposed a central warehouse of communications data including web-browsing activity. Ultimately, no legislation was brought forward.

Although no snooping legislation would be passed during the Labour Government's last two years in power, the IMP remained active. It was led by Charles Farr, a civil servant and former spook whose role in the development of security and surveillance law had made him a bête noire among civil liberties advocates.

Paul Bernal, law lecturer at the University of East Anglia and author of Internet Privacy Rights: Rights to Protect Autonomy, described the 2008 Bill as: “A classic moment in authoritarian history.” It was a moment, he told The Reg, when the government began to think of “using the internet as a control mechanism rather than a freedom mechanism,” and as a means “to monitor everything that's going on and use that information for social control.”

The 2008 Bill ultimately failed, Bernal noted, because: “They didn't present it well, and it seemed creepy.”

Communications Data Bill 2012

While the IMP would be cancelled by the coalition government, Farr would remain a presence in the corridors of Whitehall through leading its successor initiative, the Communications Capabilities Development Programme (CCDP). And in May 2012, the CCDP's work produced what would be the coalition government's attempt at a Snoopers' Charter: the Communications Data Bill 2012.

The 2012 Bill formally introduced an obligation on ISPs to retain logs of their clients' web-browsing activities for 12 months, and ensure those logs' availability for law enforcement and intelligence agencies upon request.

Then new Home Secretary, Theresa May, appeared to have had the legislation announced in the Queen's Speech, but it was rapidly retitled as a “draft” following public outcry and statements regarding its relationship with the previous Labour government's plans.

The draft Communications Data Bill published in June 2012 (PDF) almost immediately hurt the coalition government, with many Conservative and Liberal Democrats openly declaring their opposition to it. Deputy Prime Minister, Nick Clegg, created a Joint Committee to provide pre-legislative scrutiny of the proposal.

The Joint Committee on the Draft Communications Data Bill said (PDF) the Bill paid “insufficient attention to the duty to respect the right to privacy, and goes much further than it need or should for the purpose of providing necessary and justifiable official access to communications data.”

Julian Huppert – the former MP for Cambridge and Joint Committee member – told us: “The bill, which I fought so hard to kill off, included requests for far more data to be retained about us. The Home Office wanted to have the power to collect information on every website we ever go to, and to make ISPs collect information on what you do on Facebook, Google or any other online provider.”

Clegg withdrew his support and the Liberal Democrats said they’d prevent the Bill from being introduced – the Data Retention Directive was annulled on 8 April 2014. This didn’t deadlock surveillance legislation, however.

Data Retention and Investigatory Powers Act 2014

The UK's 2009 Regulations were now left “dangling without too much visible support,” according to Bird & Bird’s Smith and it would take the coalition government more than three months to declare replacement legislation was necessary.

The Data Retention and Investigatory Powers Bill was introduced on “emergency” grounds on 14 July 2014 and – despite the objections of MPs - the Data Retention and Investigatory Powers Act 2014 (DRIPA) received Royal Assent on the 17 July.

The Government had not only tidied up the issues resulting from the annulment of the EU Directive with DRIPA, but also took the opportunity “to expand – or as the Home Office would have it, clarify – the definition of communication service providers to clearly include webmail and social media platforms of all sorts.”

A sunset clause was begrudgingly inserted into DRIPA section 8(3) that stated the legislation would be repealed on 31 December 2016. It is this clause that the Home Office cites for rushing ahead with the Investigatory Powers Bill.

That sunset clause, however, was not enough to placate all of the Bill's critics. A legal challenge brought by MPs David Davis (Con) and Tom Watson (Lab) resulted in the High Court finding that sections 1 and 2 of DRIPA were incompatible with the British public's right to respect for private life and communications and to protection of their personal data as given through Articles 7 and 8 of the EU's implementation of the ECHR.

The ruling disapplied the legislation, although that disapplication was suspended until 31 March 2016 so the government could come up with a lawful alternative. The government has appealed against the High Court's findings, though, and is travelling to the European Court of Justice to seek redress. The case will be heard on 12 April.

DRIPA will be repealed in its entirety if the Investigatory Powers Bill is passed. Ex-MP Huppert told The Register: “The Home Office are clearly struggling to come up with a workable piece of legislation - this has been worked on for at least six years now and is still not ready to be enacted. I dislike the idea of extending DRIPA - but I’d rather see that than a rushed piece of work now.”

The Counter-Terrorism and Security Act 2015

A Counter-Terrorism and Security Bill was accelerated following the January 2015 Charlie Hebdo attacks in Paris.

The initial Bill raised the hackles of civil liberties proponents, but it would be a document containing 18 pages of amendments, tabled by Lords Blair, King, West and Carlile, that provoked utter outcry.

The proposed amendments were widely regarded as an attempt to slip the discredited provisions of the Communications Data Bill 2012 into the new legislation - in a manner intended to bypass Parliamentary oversight. These amendments were not included in the final Bill following the public outcry and debate in the Lords, although the attempt to shunt them in remained a bruising experience for those who had believed the idea of a new Snoopers' Charter was dead.

How wrong that would prove to be.

Investigatory Powers Bill 2016

Before the 2015 general election had even been declared, it was confirmed Theresa May would retain her cabinet position as Home Secretary. She also said she planned to reintroduce the provisions of the Communications Data Bill the Liberal Democrats had successfully blocked. A first draft was published on 4 November 2015.

Three Parliamentary committees recommended more than 120 amendments but the Investigatory Powers Bill 2016 (PDF) that came in on March 1 saw few amendments made – and those seemingly only to address drafting issues witnesses had complained about.

The Bill is slated to bring most of the intelligence agencies' snooping powers under parliamentary rule for the first time.

However, while the security agencies had almost certainly always had access to Britons' web-browsing histories through instances of the royal prerogative, that power would now be extended to the police through the inclusion of ICRs. Other provisions include bulk hacking powers and the ability to coerce companies into facilitating the State's snooping.

Will it pass?

Critics of the Bill agree with the government's assessment of it being an improvement and much needed replacement for Part 1 of RIPA and the other legislation. But this is a reflection upon the quality of the preceding laws.

Already the government is falling into past traps of trying to speed things through. The 258-page document was introduced to Parliament on 1 March but the Home Office is rumoured to be pushing for a third reading – and thus a vote on the Bill in the House of Commons – before the end of April.

Ross Anderson summed up its chances, and what it would mean for Britain’s technology industry: “Who will want to buy networking software or banking apps or routers (or anything else critical) from a UK company once the government has openly taken the power to secretly compel UK vendors to install spyware? That will cause real pain, and cost real jobs,” Anderson said. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing