Sunday, 7 February 2016

No Content: Metadata and the draft Investigatory Powers Bill

Puzzled and confused by the draft Investigatory Powers Bill? You are in good company, according to the House of Commons Science and Technology Committee which last week delivered a report on the technological issues raised by the draft Bill. Lack of clarity featured heavily in its concerns.

If that was the starter, this week we get the main course when the Joint Parliamentary Committee appointed to scrutinise the draft Bill delivers its report (Thursday 11 February, 9.30am). We await the results of its deliberations with anticipation.  It has received over 1,500 pages of written evidence as well as oral evidence from nearly 60 witnesses, no mean achievement in the abbreviated timetable allowed for its deliberations.

One of the many areas of controversy around the draft Bill is the proposal to extend the Home Secretary's existing power to require communications service providers to retain communications data. The power would go beyond retention into generating and obtaining data. This would include so-called Internet Connection Records (logs of visited websites) but is far broader than that, potentially reaching out into all aspects of our online lives and into the internet of things as it develops. The government suggests that ICRs are no more than the modern equivalent of an itemised phone bill, a comparison which really does not stand up to scrutiny.  

Communications data retention is itself part of a bigger picture regarding law enforcement and the intelligence agencies' acquisition and use of metadata. Metadata does not include the content of our communications, but the distinction seems to matter less and less when so much can be inferred about our lives from the breadcrumb trail that we leave behind us on the internet.

The Intelligence and Security Committee of Parliament reported in March last year that GCHQ found metadata more useful than content:

The Committee also noted that GCHQ obtained most of its communications data as a by product of bulk interception:

As for law enforcement, David Anderson reported in 'A Question of Trust' that "it was clear from my conversations with the most senior officers that law enforcement does want a record to exist of an individual’s interaction with the internet to which it can obtain access."

With all this in mind it will be especially interesting to see what the Joint Committee makes of the powers for acquisition and use of metadata. It is, be warned, a complicated topic even without uncertainties about the dividing line between content and metadata. Metadata could be acquired through different routes under the draft Bill and, depending in part on how it is acquired, could be used by different bodies for different purposes.  

So to whet your appetites, and in the hope that it might come in handy in understanding the debate that is about to take place, here is a one page (inevitably oversimplified, I am afraid) visualisation of how metadata fits in to the draft Bill. 

The warrants illustrated are all bulk warrants. While metadata can be acquired under targeted and thematic warrants, to include them would have rendered an already overcrowded graphic impossibly complex. Similarly warrants for Bulk Personal Datasets are not shown. Nor is the residual national security notice under clause 188.

And if you want to know more about Related Communications Data, take a look at paragraphs 115 onwards in my evidence to the Joint Committee (PDF).

Saturday, 16 January 2016

An itemised phone bill like none ever seen

[Adapted from my evidence (PDF) to the Joint Parliamentary Committee scrutinising the Draft Investigatory Powers Bill]
Mandatory retention of Internet Connection Records - destination IP address, service name (e.g. Facebook or Google), web address (e.g. or - would engage the right of freedom of expression.
This may seem a bold claim in the face of the oft-repeated assertion that ICRs are nothing more than the online equivalent of an itemised phone bill. The Home Secretary, introducing the draft Bill, said:
“So, if someone has visited a social media website, an Internet Connection Record will only show that they accessed that site, not the particular pages they looked at, who they communicated with, or what they said. It is simply the modern equivalent of an itemised phone bill.”
In her oral evidence to the Committee on 13 January 2016 she emphasised that:
“You are not trying to find out whether they have looked at certain pages of a website, which is where I think the confusion may arise because of what people felt was in the draft Communications Data Bill. It is simply about that access to a particular site or the use of the internet for a communication.”
If a comparison can be drawn with an itemised phone bill, this would be an itemised phone bill like none ever seen[i]. We can illustrate this by considering the questions that could be answered by scrutinising an actual itemised phone bill compared with one containing the destination information that would be logged in an ICR.
Who has she spoken to?
This is the focus of the traditional itemised phone bill.
The itemised phone bill shows called telephone numbers. In pre-online, pre-mobile days it would have been a fair assumption that whoever was using the telephone was speaking to somebody at the called number, so that a conversation took place[ii].  That might be somebody at a household telephone or at a public telephone box.  The number might be a private office switchboard[iii], at which point the information on the itemised phone bill terminated.  It gave no information about which extension the call was routed to behind the private switchboard, or who took the call at that extension[iv]. (The former changed to an extent with the advent of DDI numbers.)
A subscriber lookup would provide information about the householder or organisation to whom the called number was allocated.
Itemised phone bills have always, with a few exceptions (e.g. dial-up data calls, recorded message services) essentially given information (including when the call was made and its duration) about conversations between human beings.
What has she been doing?
Our notional ICR itemised phone bill now starts to part company from an actual itemised phone bill. It is possible to infer a partial picture of someone's activities by studying a record of whom she has talked to on the telephone.  ICR logs differ in both degree and kind.
ICRs differ in degree in that we now speak on mobile phones and send text, e-mail, SMS and all the other varieties of messages to people in vastly greater volumes than we ever did in the days of landline telephone conversations. This itself provides a vastly richer and more detailed map of our activities than ever was possible with an itemised phone bill.
ICRs differ in kind from an itemised phone bill in that they are not limited to our conversations (whether voice, e-mail or messages) with other people.  An ICR is an itemised phone bill that would log not just whom we conversed with when, but our online journeys: our 'visits' to the bank, the bookshop, the butcher, the baker, the travel agent, the doctor, the clinic, the hospital, the therapist, the support group, the hotel, the club, the concert hall, the public lecture, the political meeting, the trade union office, the ticket agency and so on without limit.
It would go further, logging not just our consciously initiated activities but also those initiated by our smartphones and connected tablets while they are in our pockets, beside our beds at night and so on.
In this respect ICRs bear little resemblance to an itemised phone bill.  If anything they are more akin to universal CCTV surveillance when we step out beyond our front door and venture into public spaces. However that analogy is itself debatable.
What has she been reading?
ICRs would create logs of every website (or equivalent) that we accessed. On my understanding of the draft Bill that would include blogs and newspaper sites[v].
In this regard ICRs are far removed from both itemised phone bills and CCTV in public places. They do not resemble any kind of log that it has been thought appropriate to compel in the offline world.  It is as if, on our notional itemised phone bill, we were to find a state-mandated list of the titles of the books, newspapers and magazines that we had read in the last 12 months.
We never used to read books over the telephone. Now we read blogs remotely. It is a mere accident of technology that by doing that, instead of reading a physical book in an armchair at home, we engage in what the draft Bill (and RIPA before it) classifies as a 'communication'.
DRIPA was limited to something that people would generally regard as an online communication: internet e-mail, SMS messages and the like.  Reading something remotely, however, is not a communication in the sense of a group of conspirators discussing criminal plots between themselves.  It is a highly personal activity of one individual alone.
Someone who accessed my own blog could[vi] trigger the creation of an ICR showing that they had accessed '' (the URL up to the first slash - but now see footnote [vi]), or maybe '' if they used that address. The ICR might record the name of the blog: 'Cyberleagle'. It would record the date and time of the access[vii]. It would presumably have to be linked at least to source data identifying (to the extent possible) the device that accessed the blog.
Mandating that logs of online reading habits be kept is analogous to being made, in the offline world, to keep a list of the books, newspapers and magazines that we have read in the last year.
Reading is in the nature of a home activity. We are far more cautious about the intrusion of general powers into the home. We treat activity that takes place there with greater respect for privacy than activity that takes place in public or semi-public places[viii].  When considering online activities we should always consider whether the activity in question is an extension of the home or an excursion into a public or semi-public place.
State-mandated lists of reading habits also strike at the heart of freedom of expression. Our freedom to choose what to read is jealously protected for good reason.  Reading fuels our quest for knowledge. It is emancipatory[ix].  Merely making an officially mandated list of what we choose to read chills freedom of expression. If the ordinary citizen is put in the position of worrying about whether reading a controversial website might excite official suspicion or trip a red flag on some state computer system, that alone is sufficient to chill freedom of expression whatever the safeguards and restrictions on access.
A proposed law requiring us to make and keep a list of physical books, newspapers and magazines that we had read in the last 12 months could expect to be greeted with public outrage.  This aspect of ICRs is an exact parallel.
Reading is also a large part of the 'online visiting' aspect of ICRs. The two are inextricably entangled.  
Even if 'reading' websites could somehow be conceptually separated from 'visiting' websites, it is difficult to envisage any practicable way in which ICR retention could be implemented for only some types of website. Either way, the whole proposal would stand or fall with the 'reading' element.  

[i] Nor should we forget that when itemised phone bills first appeared they excited alarm as to how revealing of people's personal lives they could be.
[ii] Of course other possibilities existed, such as sending a coded signal by a pre-arranged sequence of calls and hang-ups. Nevertheless there was still a communication between two people.
[iii] The public telephone number of an office switchboard is somewhat equivalent in the internet world to an ISP allocating one public IPv4 address to the household or office router rather than allocating multiple public IPv4 addresses to individual devices in a household. An ISP allocating a public IPv4 address to one individual device in the household or office is a bit like what used to be called a 'direct outside line'.
[iv] It is somewhat ironic that the example on page 9 of the ICR Operational Case gives 4 digit extension numbers as an example of something equivalent to a port number. A private extension number would never appear on an itemised phone bill. An 'extension' would have appeared on a bill only if the caller dialled a direct line or a DDI number.
[v] The assumption in the draft Bill appears to be that all websites would be covered by 'telecommunications service' in Clause 47(6)(a) (see e.g. the Guide para 44).  A scheme that required service providers subject to a retention notice to determine whether individual websites were or were not providing a 'telecommunications service' would presumably be unworkable.  If a site were subject to retention under the (differently worded) Clause 71 but fell outside Clause 47(6)(a), then it would not be subject to the access restrictions of Clause 47(4).
[vi] If only the destination IP address were logged and not the blog's web address that might show only that the Blogger platform was accessed. (The Home Office's recent written evidence to the Committee says that subdomains such as "" would be treated as content, not communications data and so could not form part of an ICR. "" could still be part of an ICR. This differs from the previously understood position. See my further evidence (PDF) to the Committee.)
[vii] The ICRs Fact Sheet says: "[An ICR] will involve retention of a destination IP address but can also include a service name (e.g. Facebook or Google) or a web address (e.g. or along with a time/date."
[ix] "Theresa May's Threat to the Privacy of Reading" John Naughton, the Guardian, 8 November 2015

Saturday, 2 January 2016

Internet legal developments to look out for in 2016

A preview of some of the UK internet legal developments that we can expect in 2016. Some topics are perennial (see 2015 and 2014), some are new.

EU copyright reform In December 2015 the European Commission published, as part of its Digital Single Market initiative, a proposal for a Regulation on cross-border portability of online content services. In parallel it published a ‘political preview’ of proposals to amend copyright law, for which more detailed legislative proposals and policy initiatives will be worked up during 2016. This process will incorporate the pending review of the Satellite and Cable Broadcasting Directive, which has ventilated the possibility of extending the country of origin copyright rule for TV and radio programmes from satellite to the internet. Other areas of likely interest include copyright exceptions, enforcement (probably against a broader variety of intermediaries) and news aggregation services.

Online consumer contracts In another strand of the Digital Single Market initiative the Commission in December 2015 published proposals for two Directives on online consumer contracts, one applicable to digital content and the other to goods. Member States would be prohibited from enacting either higher or lower levels of consumer protection than specified in the Directives.

Copyright and linking Three more linking cases are on their way to the CJEU, all from Dutch courts: C-160/15 GS Media (a reference from the Dutch Supreme Court concerning a link to an infringing copy of a photograph), C-527/15 Filmspeler (a site blocking case referred by the Central Netherlands District Court; the target site is alleged to have provided a downloadable media player with an add-on containing refreshable lists of links to infringing material; cf Popcorn Time) and C-610/15 Pirate Bay (a site blocking case with linking aspects, referred by the Dutch Supreme Court).

Copyright and temporary copies The C-527/15 Filmspeler reference asks the CJEU whether the transient copies that a user makes when viewing an infringing movie can be excepted from infringement under the EU Copyright Directive’s temporary copies exception. The questions specifically address lawful use and the three step test (which were not covered in the Meltwater/PRCA ‘right to browse’ case).

Site blocking orders The Dutch Supreme Court has referred a site blocking question to the CJEU in C-610/15 Pirate Bay. Meanwhile in the UK the ISPs’ appeal to the Court of Appeal in Cartier v BSkyB (three judgments here, here and here) is pending. This was the first UK trade mark site blocking case and is the first site blocking case since Newzbin 2 to be contested by the ISPs.

Intermediary liability The mere conduit and injunction provisions of the Electronic Commerce Directive are the subject of a German reference to the CJEU in Case 484/14 McFadden. It concerns injunctions against providers of open wi-fi networks to prevent copyright infringement by users. The European Commission has been conducting a public survey on the “regulatory environment for platforms, online intermediaries, data and cloud computing and the collaborative economy” including the intermediary liability provisions of the Electronic Commerce Directive. The survey closes on 6 January 2016. There is crossover with the Commission Communication "Towards a modern, more European copyright framework" issued on 9 December 2015.

The Investigatory Powers Bill Following the Anderson, ISC and RUSI reviews the draft Investigatory Powers Bill has been published and is undergoing formal pre-legislative scrutiny by a Joint Parliamentary Committee. The Committee is expected to report by 11 February 2016. The House of Commons Science and Technology Committee, the Joint Parliamentary Committee on Human Rights and the Intelligence and Security Committee of Parliament are also considering the draft Bill. The Bill itself is expected to be introduced in Parliament in March 2016.

Questions arising out of David Davis and Tom Watson MPs’ legal challenge to the data retention provisions of DRIPA have been referred to the CJEU by the Court of Appeal. A reference from the Swedish courts (C-203/15 Tele2 Sverige) is also pending. [CJEU hearing of both cases will take place on 12 April 2016]

Interception and surveillance complaints to the European Court of Human Rights include a case taken by Big Brother Watch, the Open Rights Group, English PEN and Dr Constanze Kurz and one by the Bureau of Investigative Journalism. Amnesty International, Liberty, Privacy International and others have lodged a complaint following the decision of the Investigatory Powers Tribunal on bulk interception and receipt of US PRISM and UPSTREAM interception product.

Investigatory Powers Tribunal challenges brought by Privacy International and seven ISPs around the world to equipment interference and by Privacy International to use of bulk personal datasets are pending. The latter includes a challenge to the use of national security directions under S.94 Telecommunications Act 1984. 

Mindmap of legal challenges (interactive PDF with links to key documents):

AVMS Directive Review The European Commission is reviewing the Audiovisual Media Services Directive. This raises once again the appropriateness (or not) of extending TV-like regulation to the internet.

EIDAS Regulation The replacement for the Electronic Signatures Directive comes into force on 1 July 2016. As well as electronic signatures it covers ‘electronic identification schemes’ and ‘electronic trust services’.

Data Protection Political agreement on the new General Data Protection Regulation was reached at the end of 2015. The Regulation should be formally ratified early in 2016 and come into force in 2018. Google’s appeal in Vidal-Hall is pending before the UK Supreme Court. Permission to appeal was granted on all points other than whether the claim was a tort.

Net neutrality Revisions to EU telecoms legislation will impose net neutrality rules from 30 April 2016.

[Updated 3 January 2016 to include net neutrality; and 2 February 2016 to include CJEU hearing date in Davis/Watson case.]

Wednesday, 23 December 2015

#IPBill Christmas Quiz

[Updated 1 January 2016 with answers at foot of page]

Now that everyone has sent in their submissions to the Joint Parliamentary Committee scrutinising the draft Investigatory Powers Bill, here is a little Christmas quiz to alleviate the withdrawal symptoms.

For most of the questions you need only study the draft Bill. One requires the Explanatory Notes. For one other you have to go slightly further afield. Answers may be indeterminate.

  1. When is a person not a “person”? 
  2. What is an internet communications service? 
  3. How many times does ‘proportionate’ appear? 
  4. How does generation of data differ from obtaining data by generation? 
  5. What may identify an identifier? 
  6. When might you have to grapple with the meaning of meaning? 
  7. How many times is encryption mentioned? 
  8. Can general be specific? 
  9. Which two differently worded provisions describe the same thing? 
  10. When is data not itself?

Q1. When is a person not a “person”?

In Part 2.

“Person” is defined in Clause 195(1) to include “an organisation and any association or combination of persons”. But that does not apply to Part 2 (dealing with targeted and thematic interception and other types of lawful authority for interception).

Q2. What is an internet communications service?

Anyone’s guess, as was the case with DRIPA and the CTSA 2015.

Clause 47(4)(b) of the draft Bill describes one of three grounds on which the authorities may access an internet connection record. It rests on the critical undefined term internet communications service, which is neither a legal nor a technical term of art.

The Explanatory Notes (paras 120 and 122) give the impression that internet communications service might mean a human to human messaging service, such as e-mail or text messaging. In her statement to Parliament introducing the draft Bill the Home Secretary said that law enforcement would be able to access records about a communications website, but not a mental health website, a medical website or even a news website. But the Guide to Powers and Safeguards (para 46) mentions mapping services. If a mapping service would be included, where is the intended dividing line?

Q3. How many times does ‘proportionate’ appear?


Q4. How does generation of data differ from obtaining data by generation?

We know they must be different because Clause 71 (the data retention power) mentions both:

“The requirements or restrictions mentioned in subsection (7)(d) may, in particular, include … (b) requirements or restrictions in relation to the obtaining (whether by collection, generation or otherwise), generation or processing of— (i) data for retention …”. (emphasis added).

How do they differ? Hmm.

Q5. What may identify an identifier?

Communications data.

Clause 71(9) refers to “communications data which may be used to identify, or assist in identifying … (f) the internet protocol address, or other identifier, of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program.” (emphasis added).

Clause 71(9) also tells us that “identifier” means an identifier used to facilitate the transmission of a communication.

Q6. When might you have to grapple with the meaning of meaning?

When considering what constitutes the content of a communication.

The definition of “content of a communication” (Clause 193(6)) refers to elements which reveal “anything of what might reasonably be expected to be the meaning of the communication”. We can perhaps see what this is getting at when considering a message that one human being has written to another; but what is meant by the ‘meaning’ of a machine to machine communication, or of the background exchanges between device and server that take place when we access a website? Do we have to consider what meaning means to a computer?

Q7. How many times is encryption mentioned?

By name, once (in Clause 169, oversight functions of the Investigatory Powers Commissioner).

In addition Clause 189 (technical capability notices) affects encryption. But similarly to the existing interception capability regulations made under RIPA the clause refers to “removal of electronic protection applied by a relevant operator to any communications or data”.

Q8. Can general be specific?

The draft Bill (e.g. Clause 111(4)) says that the “specified operational purposes” stated in a warrant cannot merely recite the statutory purposes such as national security, but may still be general purposes. However the Home Office Guide to Powers and Safeguards refers throughout to a specific operational purpose.

Q9. Which two differently worded provisions describe the same thing?

Clauses 47(6) and 71(9)(f), apparently.

Clause 47(6) defines an “internet connection record”. According to the Explanatory Notes (paras 120 and 190) Clause 71(9)(f) also describes internet connection records. The two provisions are significantly different. 47(6) refers to data identifying a destination “telecommunications service” whereas 71(9)(f) refers to communications data identifying a destination “internet protocol address, or other identifier, of any apparatus”.

Q10. When is data not itself?

When it includes “any information which is not data” (Clause 195(1)).

Sunday, 29 November 2015

Never mind Internet Connection Records, what about Relevant Communications Data?

It was always a good bet that the draft Investigatory Powers Bill would broaden data retention obligations to cover more categories of communications data. That was at the core of the Communications Data Bill, blocked in 2012 during the Coalition government and vowed after the May 2015 election to be resurrected.

The draft Bill has duly delivered, accompanied by a blizzard of commentary about the propriety of forcing communications service providers to retain users’ browsing histories.

But what exactly are the categories of data that communications providers could be made to keep? The Home Office has coined the label ‘internet connection records’ to describe the new datatypes that it plans should be retained for up to 12 months. These records, it stresses, could include websites and services visited but not individual pages or other content. This is in line with what the Home Office had previously said to the Anderson Review about ‘weblog data’ (the then current jargon for browsing histories).

Internet connection records and the proposed restrictions on accessing them (clause 47 of the draft Bill) have become a lightning rod for the ensuing discussion: not just the rights and wrongs of requiring browsing data to be retained, but whether internet connection records as defined in the draft Bill can be matched to real categories of data processed by service providers.

The focus on internet connection records is understandable. The Home Office’s Guide to the powers in the draft Bill focuses on internet connection records.  The estimated cost increase in the Data Retention Impact Assessment mentions only internet connection records as a new category of retained data.

However the draft Bill casts the retention net wider than just internet connection records. Clause 71 of the Bill would empower the Home Office to issue retention notices covering six categories of what the draft Bill calls ‘relevant communications data’.  

According to the draft Bill’s Explanatory Notes, one of those six categories (71(9)(f)) corresponds to internet connection records. That leaves five categories which, on the face of them, seem to go wider than the existing data retention categories under the Data Retention and Investigatory Powers Act 2014 (DRIPA) as amended by the Counter Terrorism and Security Act 2015 (CTSA).

For internet communications the current DRIPA data retention categories cover internet access services, internet e-mail and internet telephony. Those categories replicate the 2009 Data Retention Regulations, which implemented the now invalidated EU Data Retention Directive.  The CTSA extended DRIPA to include so-called IP address resolution data. 

We can get an idea of the scope of ‘relevant communications data’ by appreciating that it covers any type of communication on a network, expressly including communications where the sender or recipient is not a human being. This sweeps up not only background interactions that smartphone apps make automatically with their supplier servers, but probably the entire internet of things. 

The type of data about these communications that could be required to be retained goes beyond the relatively familiar sender, recipient, time and location information to data such as the ‘type, method or pattern’ of communication (clause 71(9)(c)). ‘Data’ is defined to include ‘any information which is not data’ (clause 195(1)).

In another departure from existing retention laws, providers could be required to generate data specifically for retention (71(8)(b)(i)). At present they can only be required to keep data that they already generate or process in the course of providing their service.

Another change from existing law is that retention notices could be given to any kind of telecommunications operator, not just those providing services to the public as under the existing legislation. Finally, providers could be given a notice requiring them to install specific technical capabilities to support communication data access and retention requirements.

Although the current Home Office Guide and the Impact Assessment talk only about retention of internet connection records by public telecommunication service providers, that would not prevent future changes of policy whereby broader retention notices could be served on a wider variety of communications service providers.  There is no obvious mechanism to bring a change of policy to the attention of the public, since service providers would be obliged not to disclose to anyone else the existence and contents of a retention notice.

All this suggests that it is fairly important to understand what ‘relevant communications data’ might consist of.  That requires an informed conversation between legislators, lawyers and technical experts. As a discussion aid, here is my map of the 14 interlinked definitions that go to make it up. 

And here are the 14 definitions. Where a definition uses another defined term I have italicised it for ease of reference.  

“relevant communications data” means communications data which may be used to identify, or assist in identifying, any of the following—
(a) the sender or recipient of a communication (whether or not a person),
(b) the time or duration of a communication,
(c) the type, method or pattern, or fact, of communication,
(d) the telecommunication system (or any part of it) from, to or through which, or by means of which, a communication is or may be transmitted,
(e) the location of any such system, or
(f) the internet protocol address, or other identifier, of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program.

In this subsection “identifier” means an identifier used to facilitate the transmission of a communication.

“Telecommunication system” means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.

“person” (other than in Part 2) includes an organisation and any association or combination of persons,

“Communications data”, in relation to a telecommunications operator, telecommunications service or telecommunication system, means entity data or events data
(a) which is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator and—
(i) is about an entity to which a telecommunications service is provided and relates to the provision of the service,
(ii) is comprised in, included as part of, attached to or logically associated with a communication (whether by the sender or otherwise) for the purposes of a telecommunication system by means of which the communication is being or may be transmitted, or
(iii) does not fall within sub-paragraph (i) or (ii) but does relate to the use of a telecommunications service or a telecommunication system,
(b) which is available directly from a telecommunication system and falls within sub-paragraph (i), (ii) or (iii) of paragraph (a), or
(c) which—
(i) is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator,
(ii) is about the architecture of a telecommunication system, and
(iii) is not about a specific person,
but does not include the content of a communication.

“Communication”, in relation to a telecommunications operator, telecommunications service or telecommunication system, includes—
(a) anything comprising speech, music, sounds, visual images or data of any description, and
(b) signals serving either for the impartation of anything between persons, between a person and a thing or between things or for the actuation or control of any apparatus.

“apparatus” includes any equipment, machinery or device (whether physical or logical) and any wire or cable,

“Telecommunications operator” means a person who—
(a) offers or provides a telecommunications service to persons in the United Kingdom, or
(b) controls or provides a telecommunication system which is (wholly or partly)—
(i) in the United Kingdom, or
(ii) controlled from the United Kingdom.

“Telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).

“Entity data” means any data which—
(a) is about—
(i) an entity,
(ii) an association between a telecommunications service and an entity, or
(iii) an association between any part of a telecommunication system and an entity,
(b) consists of, or includes, data which identifies or describes the entity (whether or not by reference to the entity’s location), and
(c) is not events data.

“Events data” means any data which identifies or describes an event (whether or not by reference to its location) on, in or by means of a telecommunication system where the event consists of one or more entities engaging in a specific activity at a specific time.

“Entity” means a person or thing.

The content of a communication is the elements of the communication, and any data attached to or logically associated with the communication, which reveal anything of what might reasonably be expected to be the meaning of the communication but—
(a) anything in the context of web browsing which identifies the telecommunications service concerned is not content, and
(b) any meaning arising from the fact of the communication or from any data relating to the transmission of the communication is to be disregarded.

“data” includes any information which is not data.

Monday, 9 November 2015

From Oversight to Insight - Hidden Surveillance Law Interpretations

The focus of my posts on RIPA, DRIPA and now the Investigatory Powers Bill has been on the scope and extent of the powers – what exactly they enable law enforcement and the agencies to do – rather than on oversight and safeguards, important though those are.

One aspect of oversight, however, bears directly on the scope of the surveillance powers granted by legislation. It relates to an issue that has perhaps not received as much attention in the UK as it has in the USA: secret interpretations of the law.

The problem arose in the USA partly as a result of the secret FISA court system. Controversial previously secret interpretations of the law came to light following the Snowden disclosures. This led to, for instance, the Electronic Frontier Foundation's Secret Law is Not Law campaign.

We have a similar problem on this side of the Atlantic. Here, though, it is about interpretations conceived and acted upon by government without any court involvement.

The clearest example to date is the government’s interpretation of ‘external communications’ under RIPA. This was revealed by senior Home Office official Charles Farr in a witness statement filed in the Investigatory Powers Tribunal case brought by Liberty and others. The background is that GCHQ can intercept in bulk if its objective is to intercept external communications. So the meaning of 'external communications' is significant. The Home Office interpretation was controversial. It also had implications for who (or what) could be regarded as a sender or intended recipient of a communication, a foundational building block of RIPA. (See further paragraphs 6.52 and 12.25 of the Anderson Report ‘A Question of Trust’ and paragraphs 31 to 54 of my submission to Anderson.)

The Home Office’s interpretation, which underpinned the agencies’ operations under RIPA S.8(4) warrants, would not have seen the light of day had the NGOs not brought the IPT legal challenge. That occurred because of the Snowden disclosures. The interpretation was a significant, but previously hidden, aspect of the law under which the agencies were operating.

Another example was the Data Retention and Investigatory Powers Act (DRIPA), rushed through Parliament in four days in July 2014. The Home Office argued that amendments to RIPA’s territoriality provisions and to the definition of telecommunications services did no more than reflect what the legislation had always meant. The claim was untestable, since the public had no way of knowing how the Home Office might have interpreted the provisions either in the minds of its officials or in its previous dealings with communications service providers.

A similar issue is boiling up over the effect on end to end encryption of the Investigatory Powers Bill. The Home Office says, with some justification (although a debate is taking place around possible knock-on effects of other changes), that the draft Bill mirrors existing law. Clause 189(4)(c) of the draft Bill is very similar to paragraph 10 of the Schedule to the 2002 Maintenance of Interception Capability Order. On the face of it neither affects end to end encryption where the protection is applied not by the service provider but by the user. However the public is in no position to know whether the Home Office has adopted some other interpretation or, if so, whether it might be as open to debate as its view of external communications.

The Investigatory Powers Bill provides an opportunity to ensure that the proposed new oversight body proactively seeks out and brings to public attention material legal interpretations on the basis of which powers are exercised or asserted. Service providers might also be able to bring a legal interpretation asserted against them to the attention of the oversight body. This may be all the more necessary in the light of the new disclosure offences built into the draft Bill.

Such mechanisms would enable material legal interpretations to be publicly debated and if appropriate challenged. None of this would require to be made public any legal advice that the government had received, nor any factual matters that should properly remain secret, but only the substance of the legal interpretations themselves.

This could be an important protection against the possibility of groupthink, the tendency for members of a closed group to convince themselves of the rightness of a consensus position and to resist contrary views. It would contribute to the new standards for openness, transparency and oversight that the government has promised in the new legislation. Most fundamentally, by providing not only oversight but insight it would help to satisfy the basic rule of law tenet that the law should be foreseeable and accessible.

[Amended 7 pm 9 November 2015 to include reference to possible knock-on effects of other changes on end to end encryption]

Wednesday, 4 November 2015

Prediction and Verdict - the draft Investigatory Powers Bill

Two months ago I took a shot at predicting what might be in the draft Investigatory Powers Bill. It will replace a confusing patchwork of surveillance and interception legislation centred on RIPA, the Regulation of Investigatory Powers Act 2000. 

I was particularly intrigued by how much of the old draft Communications Data Bill (CDB, or the Snoopers' Charter, blocked by the Liberal Democrats in 2012) might make it through into the new legislation. Today, following a blizzard of leaks and unofficial briefings over the past couple of weeks, the draft Bill has been published along with a mountain of explanatory papers and impact assessments, only some of which I have been able to read at this stage.

Here's an initial impression of how the draft Bill pans out against my predictions. More to come in time as the detail sinks in. As relatively instant comment, some of this may have to be refined or corrected as the light slowly dawns.  And there are many important points that I haven't touched on. The Home Office Guide to Powers and Safeguards is a reasonable place to start to get an overview.  

The 'What is it?' and 'Prediction' sections are as in my original piece. The rest is new.

GCHQ’s bulk interception warrant

What is it? The bulk interception warrant under Section 8(4) of RIPA. These warrants authorise GCHQ’s TEMPORA programme of tapping into transatlantic fibre optic cables, one of the most significant Snowden disclosures.

Prediction: Bulk warrantry powers to stay, perhaps significantly modified.

Verdict: Still here, but with some changes. There is a new power to extract and examine communications data derived from bulk intercepted content (S.106(8) and see Explanatory Notes 271 to 275). 

The overall objective of a bulk interception warrant must be to intercept communications 'sent by individuals' or 'received by individuals' outside the British Islands. This is a new approach in place of the much criticised RIPA distinction between internal and external communications.

Devil in the detail:

Is it clearer than RIPA? Yes, but some similar nuanced pathways through the legislation remain.

Specific objectives for bulk interception warrants? (This was an Anderson recommendation.) Yes, sort of. S.111(3) says: "A bulk interception warrant must specify the operational purposes for which any intercepted material or related communications data obtained under the warrant may be selected for examination." S.111(4) tells us how specific (or not) those purposes have to be: "it is not sufficient simply to use the descriptions contained in section 107(1)(b) or (2) [e.g. 'national security'], but the purposes may still be general purposes."

Tighter constraints on searching for communications of persons within British Islands? Looks very similar to RIPA.

Is there a tighter framework for searching captured related communications data? Under RIPA most of the limitations on searching the content of bulk intercepted communications do not apply to related communications data. Related communications data can currently be scooped up alongside both external (at least one end outside British Islands) and collaterally acquired internal (British Isles to British Isles) communications.

In substance this is all retained in the draft Bill. Additionally, related communications data can now include content-derived communications data. The new Bill provides that selection must be necessary and proportionate and examination must be only so far as necessary for the operational purposes.

Prior judicial or quasi-judicial authorisation? See below.

Tighter limits in who can apply for a bulk warrant? Limited to the security and intelligence agencies, for specified purposes that must always include national security.

Background on RIPA bulk interception warrants here.

Broad Ministerial powers

What is it? A wide statutory power in Clause 1 of the draft CDB allowing the Secretary of State to make regulations under which she could give notices to CSPs to generate, obtain and disclose communications data and to install designated equipment for that purpose.

Prediction: Increased specificity, but government will still want a method of future-proofing.

Verdict: Nothing like as vague as CDB, though the power to give retention notices to CSPs appears to have a significant element of future-proofing built in. The draft Bill also includes a major expansion of the powers to require service providers (extended to include non-public service providers) to install specified technical capabilities, allied to most of the new warrants and communications data acquisition powers (see S.189). At present RIPA only provides this power for interception warrants and for large public service providers.

Background on future-proofing here.

Browsing histories

What is it? Extension of current data retention powers so as to require storage of browsing histories (alias weblog data). This was one of the most contentious aspects of the draft Communications Data Bill. It is like keeping a list, which the authorities could demand to inspect, of all the books, newspapers and magazines that you have read in the last year.  Weblog data probably excludes web addresses (URLs) ‘after the first slash’. That is like listing a book, but not every page within it.

Prediction: Bank on this one coming back in some form.

Verdict: It's back, rebadged as 'internet connection records'. For which read everywhere you go at site or service level on the internet, but not individual pages. Part of a significant extension of DRIPA's data retention provisions.

Is this like a universal CCTV system recording when you go outside your front door and visit the bank and the shops? Or is it like a spybot in your home noting which books you read? Or is it something else? One thing is certain: we can't simply analogise this to keeping a log of which telephone number you called, where and when. This is a record of how we live our digital lives.

It is important to separate the scope of retention from the power to access. Access to this category of data will be more tightly restricted than for other communications data. Local authorities will have no access. The draft Bill sets out specific purposes for which public authorities can demand access to this category of communications data or make a demand that requires it to be processed (s.47(4)). 

The Home Secretary has (very) broadly paraphrased this restriction as 'determining whether someone had accessed a communications website, an illegal website or to resolve an IP address'. Regrettably there is no substitute for quoting the section:

"to identify—
(a) which person or apparatus is using an internet service where—
(i) the service and time of use are already known, but
(ii) the identity of the person or apparatus using the service is not known,
(b) which internet communications service is being used, and when and how it is being used, by a person or apparatus whose identity is already known, or
(c) where or when a person or apparatus whose identity is already known is obtaining access to, or running, a computer file or computer program which wholly or mainly involves making available, or acquiring, material whose possession is a crime."

Like most requests for standard communications data under RIPA, requests for 'ICR' will not require judicial approval. They are authorised through Designated Persons within the public authorities, who are internally independent from the investigation in question.

The existing, narrower, data retention provisions of DRIPA have been challenged in court by MPs David Davis and Tom Watson and questions are being referred to the European Court of Justice. 

Devil in the detail:

David Anderson said that no detailed proposal should be put forward until a sufficiently compelling operational case had been made out and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring weblog data to be retained. The Home Office has now published an 'Operational Case for the Retention of Internet Connection Records'. This will repay careful scrutiny.

Background on weblog data retention here.

Digital footprints

What is it? Retention of the geolocation data that, thanks to our smartphones and tablets, we leave like a breadcrumb trail behind us.  The Annex to the CDB Explanatory Note explained that Communications data “includes information identifying the location of equipment when a communication is or has been made or received (such as the location of a mobile phone)”. A phone call, text, software update, e-mail check, news feed update, an app checking in to its provider are all communications and they happen all the time. Each could have precise GPS or Wi-Fi location data associated with it. 

Prediction: Probable.

Verdict: Yes, falls within relevant communications data that may be required to be retained. S.71(9) is explicit that the sender or recipient does not need to be a person, and that relevant communications data includes data identifying the location of any telecommunication system by means of which a communication is transmitted. Location of that system is one of the categories of data that the Secretary of State can order to be retained.

Data generation by decree

What is it? The Home Office would be able to order CSPs to generate communications data for the benefit of the authorities.  At the moment CSPs can only be made to retain data that they already generate or process in the UK. Think about that list of books, newspapers and magazines in the weblog data section (above). You don’t ordinarily keep a list? This is like compelling you to make one.

Prediction: Data generation to reappear.

Verdict: Yes, as predicted (S.71(8)). A significant change.

Background on compelled data generation here.

Boundary between communications data and content

What is it? On the one side we have email addresses, user IDs, IP addresses, domains, and the like.  On the other side content (including URLs beyond the first slash). Public authorities have far readier access to communications data than to content.  There are also sub-divisions of communications data (traffic data, service use data, subscriber data) that under RIPA affect the conduct that is classified as interception. The powers of public authorities to demand access to communications data vary depending on the type of communications data.

Privacy advocates question the historic assumption that content is necessarily more sensitive than communications data. Changes to the dividing line would have an impact on the data that the authorities could request and a knock-on effect on the scope of communications data retention.  

Prediction: Government will continue to maintain that communications data is less sensitive than content. Possible clarification of the boundary in areas of uncertainty such as social media and revision of communications data categories.

Verdict: The definition of communications data has been revised to cover 'entity' and 'events' data. There is also now a definition of the content of a communication, where RIPA had none.

Devil in the detail:

Requires application of a wet towel before commenting on whether anything has changed significantly.

Background on the existing RIPA content/communications data boundary here.

Third party data collection

What is it? A scheme that would enable the Home Office to require CSPs to collect and retain communications data from foreign services transiting their pipes.  This was part of the CDB.

Prediction:  Anyone's guess.

Verdict: Out.

More on third party data collection here.

Request filter

What is it? A plan for a system enabling authorities to search across communications  data collections retained by multiple CSPs.  Another part of the CDB.

Prediction:  Anyone’s guess.

Verdict: In.

Background on request filter here.

Judicial authorisation

What is it? Interception warrants in the UK are authorised by a Minister, not by an independent judicial or quasi-judicial body.  This has always been a bone of contention for civil liberties advocates.  Most demands to access communications data are authorised internally by the requesting authorities themselves.

Prediction: In the balance. The government may prefer to retain Ministerial control over warrants. But if it wants the new interception warrants regime to be legally bullet proof, the prudent course would be to go with a scheme for judicial or quasi-judicial approval of interception warrants.  Separately it has to decide how to deal with the regime for communications data demands following the Davis/Watson decision.

Verdict:  Generally the government is proposing a two tier system of Ministerial sign-off of warrants followed by an approval process undertaken by new judicial commissioners before the warrant can take effect (but retrospective in urgent cases).  They would review a decision to issue a warrant to the 'judicial review' standard rather than a de novo reevaluation of the merits.

Some other significant highlights that I didn't cover in my original predictions:

Section 94 Telecommunications Act 1984

What is it? The most mysterious existing power of all, enabling Secretaries of State to give national security directions to telecommunications companies.  Now there will be a 'national security notice' power spelled out in greater detail (S.188).


Extraterritoriality

What is it? RIPA always applied in general terms to telecommunications services provided to the UK from abroad. What wasn't so clear was whether interception warrants, interception capability notices and communications data acquisition notices could require conduct outside the UK, could apply to non-UK providers or how (if at all) they could validly be served on a non-UK provider. DRIPA fixed that. It didn't do the same for communications data retention notices, which in any case could only require retention of data generated or processed within the UK.

Verdict: Extraterritoriality will apply to targeted interception warrants and mutual assistance warrants (S.29(4)); communications data acquisition notices (S.69(3)); targeted equipment interference warrants (S.99(3)); bulk interception warrants (S.116(3)); bulk acquisition warrants (S.130(3)); bulk equipment interference warrants (S.145(3)); technical capability notices (S.189(8)).

Non-UK operators can rely on a conflict of non-UK law defence in some of these cases: (S.31(5), S.69(4)). A technical capability notice is enforceable against someone outside the UK only if it relates to a targeted interception or mutual assistance warrant, a bulk interception warrant or a communications data acquisition notice or authorisation (S.190(10)).

Communications data retention notices can also be extra-territorial (S.79(1)). However while operators generally have a duty to comply with a notice, if a notice relates to "conduct or persons outside the United Kingdom" the duty is only to "have regard to the requirement or restriction".  (S.79(2))

Computer Network Exploitation (CNE) 

What is it? Official hacking.

Verdict: Warrantry powers formalised in the draft Bill. No surprise at all. Existing general powers were on shaky legal ground and had to be made more transparent. Both targeted and bulk equipment interference warrants are provided.

[Updated 5 November 2015 to add technical capability notices to Extraterritoriality section; section on Broad Ministerial Powers updated 6 November 2015 to add future proofing of retention notices and extension of technical capability notices to non-public service providers (h/t to @neil_neilzone for spotting the latter).]