Investigatory Powers Act
The UK’s “world-leading” surveillance legislation is here. But for how long?
At the end of 2016, the UK enshrined into law one of the most ( UKno.1!–Ed) invasive pieces of surveillance apparatus in the world. That may sound like paranoid hyperbole, and it’s important to note Blighty is still a democracy, with a mostly functioning justice system and mostly unarmed police, which makes it far from the worst place one could find oneself.
However, the Regulatory Powers Act is, well, frankly awful. Among other things, the Act requires CSPs (communications service providers) to retain communications metadata (who an individual has texted/messaged/written to and which websites they viewed, but not the content of calls/texts nor the individual pages on said website) for 12 months. This data can than be examined, subject to some “double-locks” and systems of “checks and balances” by intelligence agencies, the police and the Home Office. That’s not surprising, but what is, is several other agencies that feature on the list – the Department for Work and Pensions, the Food Standards Agency and the Gambling Commission, among some 50 others. Further, in the original wording, requests needed only be approved by a “designated senior officer” rather than requiring a formal warrant.
Soon after being signed into law, a challenge against the Act was launched by the civil liberties group Liberty. This will be heard by the High Court later this year, but it’s likely we’ll see some changes to the legislation before that. The Act’s predecessor, The Data Retention and Investigatory Powers Act (DRIPA, introduced as an emergency law in 2014), was challenged in 2016 by Liberty (and several other rights groups) and found illegal by the European Court of Justice. One objection was that “general and indiscriminate retention” of data isn’t legal (exactly what’s prescribed by mandating ICR collecting), except for the “purpose of fighting serious crime”. The IPA defines a serious crime as one where an offender can expect to receive six months’ porridge.
This ruling was appealed, but last January the UK Appeals Court sided with Liberty et al. Government mouthpieces were quick to point out that this ruling applied only to the old DRIPA legislation, never mind that its replacement contains much of the same verbiage, and some considerably worse provisions to boot. So it’s reasonable logical to think those clauses will have to be rewritten.
Worrying as this legislation is, it’s also confusing. So we talked to Neil Brown, senior lawyer and an expert on telecoms laws at decoded: Legal. Much of the confusion stems from the fact that most of the Act, while technically law, hasn’t been implemented yet. As Neil says, “Part 4 [the section which deals with retention of communications data] is one of the few parts of the IP Act which is currently in force”. However, CSPs aren’t required to collect the data until they’ve been asked: “the details of who has been served with what retention notice is not in the public domain, so whether or not ICRs are being collected is an unknown”.
We asked Adrian Kennard at Andrews and Arnold, an independent ISP based in Berkshire UK if they were collecting ICRs. “As we have not been [served with a retention notice] … we are not”. However, the Act also makes it an offence to make unauthorised disclosures, and Adrian adds “I may not always be able to answer that, and obviously you can’t infer anything if I choose not to answer that at some point.”