Should I worry about the Investigatory Powers Act?
The so-called Snooper’s Charter has wide-ranging effects for businesses, as well as individuals, so what should you do next? Nik Rawlinson asks the experts
The so-called Snooper’s Charter could have wide-ranging effects for businesses.
How would you feel if we asked you to send us your browsing history? What if we were the Food Standards Agency? Or your local fire and rescue authority? Since the Investigatory Powers Act (IPA) gained royal assent at the end of 2016, only one of those – PC Pro – isn’t entitled to see where you’ve been online.
The Act’s supporters may claim that those with nothing to hide have nothing to fear, but that’s only true if things that are legal now aren’t made illegal in the future. If a law change is applied retrospectively, records of your gambling or browsing of legal pornography might be enough to mark you out for investigation.
Is it any surprise that China used the IPA to justify new surveillance and decryption laws that were passed in late December? China’s actions were, said Li Shouwei, deputy head of the parliament’s criminal law division, “basically the same as what other major countries in the world do”.
A changing legal landscape
Yet, although the Act has been passed, only part of the IPA is in force: the part that replaces the Data Retention and Investigatory Powers Act 2014 (DRIPA), which authorised collection of communications metadata in bulk.
IPA doesn’t apply to your average company with an IT department, as Nicola Fulford, partner and head of data protection at law firm Kemp Little, explains. Instead, the onus for data collection is on telecoms operators, “and even then only when they receive a Home Office or other authority notice that they need to start keeping [a log of your online activities]. There’s no obligation under this law or DRIPA for an ordinary company to keep information just in case somebody comes asking for it.”
In that respect, IT departments are off the hook as the Act doesn’t require them to track employees online. The data that can be captured by a firm’s upstream provider, though, may still be either commercially-sensitive for the business or embarrassing for employees. Either would be ripe for exploitation, should the records ever be compromised.
DRIPA concerned itself primarily with metadata – who was contacting who and when – but IPA digs deeper,
“The Investigatory Powers Act digs deeper, not only examining when someone went online but also what they viewed ”
examining not only when someone went online but what they viewed.
“[The data] reveals a lot about people’s private lives, such as if they are looking at online support groups, or websites about particular health conditions,” Fulford said. “If [an ISP is] holding all of this information it could suffer a hack or breach and some of the information could come into the public domain. They have [a duty of care] to keep the data secure but if it was deleted or never retained in the first place, there would be nothing for them to lose.”
There’s also a risk that information gathered for one purpose may be exploited in other ways as authorised agencies find new methods of exploiting the Act. The debates that led to the IPA’s passing focused primarily on terrorism, but the list of agencies authorised to access your records includes many whose connection to preventing attacks and fighting international crime is tenuous at best.
There are safeguards surrounding who in each organisation has the right to request your records. Bodies that want to examine the data need a valid reason, and each must have dedicated officers and points of contact who are authorised to make requests. They will have received training to ensure they’re working within the bounds of the Human Rights Act, and Fulford’s
advice for anyone receiving a warrant for data is to make sure the person making the request is authorised to do so. Beyond that, there are no grounds on which a communications provider could avoid complying.
How will IPA affect your business?
The websites your employees visit will be logged, and the log, your “Internet Connection Record” maintained for a year. It will include only top-level domains, not specific pages, but the privacy implications are obvious: not only could your ISP find out if your staff are accessing explicit material during working hours – as will anyone to whom it releases the data – but it could build a detailed profile of the services on which you run your company, including cloud storage sites, SaaS providers and more.
What the Act doesn’t do is outlaw encryption, which may have put it in conflict with the EU, even post-Brexit, since the Information Commissioner’s Office (ICO) is committed to keeping parity between British and European data regulations. These state that any company suffering a data breach could face a fine of up to £500,000 in the UK, or 4% of global earnings if the case is heard in Europe. For ISPs gathering large amounts of data about their subscribers, this puts pressure on them to treat records with care.
What will come out of the Brexit negotiations remains to be seen, but even if the ICO’s plans were to change, UK businesses would need to remain mindful of GDPR, Europe’s General Data Protection Regulation. This will come into force in May 2018 and apply to any business that wants to trade with an EU member.
As Kev Jefcoate of encrypted hardware manufacturer iStorage explains, “while GDPR applies to the EU, businesses outside of Europe [but that are doing business inside the Union] still need to comply if they’re carrying personal data. If you fail to protect personal data and it’s breached, you’re liable to the same fines as a company inside Europe.”
iStorage sells its products to American Express, Google and the Swiss Army, and Jefcoate sees the requirements of both IPA and GCPR as a potential point of conflict.“IPA is counter-intuitive to everything the GDPR is trying to achieve, as it says companies should provide backdoors that allow third-parties to check on your encrypted data… We don’t have any backdoors. Part of our process is that we engineer technology without them, and we’ll stay true to our aims of always making the most robust encrypted hardware.”
It’s important to remember that IPA concerns itself with who goes where and when, and it doesn’t allow the Home Office or other body to read your encrypted data, but other regulations could compel a British company or individual to release the keys that would unscramble it if required.
Kemp Little’s Fulford still recommends encrypting your data during transit and when it’s at rest. It won’t stop hackers from finding out where you’ve been online if they access your ISP’s records, but it does provide an extra level of defence.
“The sites your employees visit will be logged, and the log, or your ‘Internet Connection Record’, maintained for a year”
IPA and Europe
The IPA isn’t without its critics, but at its second reading in the House of Commons, in March 2016, it was passed with 281 votes in favour and only 15 against. That margin of “success” might not have been so great had fewer MPs abstained. Its precepts were challenged by David Davis MP, who questioned the legality of GCHQ’s DRIPAbased bulk interception of call records in the High Court. He won, and the government appealed to the European Court of Justice. Davis travelled to Luxembourg, where he accused the government of treating the entire nation as suspects, and shortly after the IPA gained royal assent in December 2016, the Court issued its ruling:“…only the objective of fighting serious crime is capable of justifying such interference. Legislation prescribing a general and indiscriminate retention of data … exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society.” By then, Davis was secretary of state for exiting the EU and had little choice but to step back from the case. It remains to be seen what impact the ruling will have on the Act. It may become a point of contention during trade negotiations after Brexit, or it could be surplus, but in either case, the government said it was “disappointed” at the European court’s ruling. Will it have to rethink its plans? Probably not, in the short term at least. The best advice for UK businesses may be to ensure their staff are aware of the new powers the Act enables, but continue with “business as usual”.