Sunday, 25 January 2015

Latest score in the jurisdiction game: Internet 0, EU Court of Justice 2

The CJEU in Pez Hejduk (22 January 2015) has plumped for mere accessibility as the threshold for online copyright jurisdiction under Article 5(3) of the EU Jurisdiction Regulation.

Mere accessibility is problematic for the internet. Exposing a website to the jurisdiction (or a fortiori the laws) of any country from which it can be accessed is, David Post has argued, not a reasonable outcome. (Some, epitomised by the Gutnick-inspired English defamation cases, may consider it quite reasonable since anyone posting to the internet knows the worldwide reach of the medium).  From a broader perspective mere accessibility chills cross-border freedom of expression, encourages geo-blocking of websites and impedes the free flow of information across borders.  Pez Hejduk is another bad day for the internet.

The CJEU headed down this road in October 2013 with Pinckney, a copyright infringement case against a German CD pressing company. The litigation was brought in France on the basis that the CDs could be purchased in France from a UK website unconnected with the German company. That was said to amount to damage in France.

For a tort such as copyright infringement Article 5(3) allows the plaintiff to sue in the place of the damage.  Article 5(3) is an exception to the primary rule that proceedings have to be brought in an EU defendant’s home country. Article 5(3) is the kind of effects-based rule that, unless it is kept within bounds, has the potential to create jurisdictional overreach. 

That potential is magnified with the inherently cross-border nature of the internet.
In Pinckney the court agreed with the plaintiff that damage was shown by the ability to purchase the CDs in France. It was irrelevant what kind of copyright infringement (reproduction? distribution? making available to the public?) was alleged against the German pressing company. Copyright infringement was to be treated as a general concept. Harm could apparently be relied upon however remote might be the causal relationship between the actual infringement alleged (reproduction in Germany?) and the harm relied upon (availability of CDs in France via an unconnected UK website).

So like the smile on the Cheshire Cat, jurisdictional harm seemed to float free, decoupled from any specific territorial infringement alleged against the defendant. That was not a promising start for keeping damage-based jurisdiction on the internet within sensible bounds.

Pez Hedjuk concerned photographs published on a German .de website. The copyright owner sued in Austria.  Again the precise basis of the infringement allegations is not entirely clear from the CJEU judgment.  It seems likely that the claim was for making available to the public in Austria from the German website, thus infringing Austrian copyright.

In Pez Hejduk causation was less tenuous than in Pinckney.  The Court identified a specific causal event as giving rise to the alleged damage: “the activation of the process for the technical display of the photographs on that website”. Even so the CJEU could have gone on to find that, for the purpose of jurisdiction under Article 5(3), a website operator does not cause damage in Member States that it has not targeted.  But it did not do so.

The CJEU held that the mere fact that the .de website was accessible in Austria was sufficient to establish damage under Article 5(3), where (as would inevitably be the case) the photographs were protected by copyright in Austria as well as in Germany. There was no basis in Article 5(3) for limiting jurisdiction to cases where the German site had targeted Austria.

Article 5(3) is supposed to be a strictly limited special derogation from the general rule under the Regulation that a plaintiff must sue in the defendant’s Member State. But for the internet mere accessibility comes close to turning the exception into the rule. Unless the site or content is geo-blocked a plaintiff can, based on mere accessibility of the site, sue in parallel in any number of Member States (albeit limited in each case to damage caused within the Member State in which it sues).

The twin prongs of mere accessibility and Pinckney’s broad causation brush are a recipe for jurisdictional overreach.

The Pinckney approach is odd when one considers that a plaintiff relying on Article 5(3) can sue only for damage caused within that Member State. How can the existence or likelihood of relevant damage (a jurisdictional issue) be evaluated if no attention is paid to the causal link between the specific infringement alleged and the harm relied upon?

The unwillingness of the Court in both Pinckney and Pez Hejduk (in each case rejecting the recommendations of the Advocate General) to align Article 5(3) more closely with the scope of the substantive right by way of targeting is difficult to understand, given that it has already gone down the path of interpreting Article 5(3) differently for different rights:

“the meaning of [Article 5(3)] may vary according to the nature of the right allegedly infringed…” (para 29).

eDate/Martinez (defamation/privacy), Wintersteiger (trade mark) and Pinckney (copyright) are all examples of this.  The Court may be making an implicit distinction between the nature of the right (which it allows can affect the interpretation of Article 5(3)) and its substance (which cannot). Whether the two are separable is open to question. Can the nature of a right be characterised without regard to its substance? What is the basis for distinguishing between relevant and irrelevant aspects of a right?

The Court in Pez Hejduk also relied on the lack of mention of targeting in Article 5(3):

“It is clear from [Pinckney] that, unlike Article 15(1)(c) … Article 5(3) does not require, in particular, that the activity concerned be ‘directed to’ the Member State in which the court seised is situated ...”.

It is true that unlike Article 15(1)(c), Article 5(3) makes no mention of directing activities. But nor does it mention mere accessibility; nature of the right versus substance; centre of interests of the plaintiff (edate/Martinez); limitation of damage to that caused in the Member State; country of registration of the trade mark (Wintersteiger); or any of the other glosses that the CJEU has placed on Article 5(3).

Perhaps the most persuasive reason relied upon by the Court in Pez Hejduk is that the Member State court best placed to exercise jurisdiction is the one that will apply its own law:

“The courts of other Member States in principle retain jurisdiction, in the light of Article 5(3) … and the principle of territoriality, to rule on the damage to copyright or rights related to copyright caused in their respective Member States, given that they are best placed, first, to ascertain whether those rights guaranteed by the Member State concerned have in fact been infringed and, secondly, to determine the nature of the damage caused …”.

However where the claim is copyright infringement by the presence of content on a website the most likely basis of a cross border claim will be making available to the public. As a matter of substantive EU copyright law (applying Sportradar to copyright) there can be no infringement and so no damage caused by a tort if the site is not targeted to that Member State. That will be the same throughout the EU. In those circumstances it is hard to see what practical purpose is served by allowing mere accessibility rather than targeting to be the jurisdictional threshold.

Sunday, 4 January 2015

Internet legal developments to look out for in 2015

Some EU and UK internet legal developments to look out for in 2015 (last year’s list here). (And see here for Cyberlaw Memes and Themes for 2015.)

        EU copyright reform The last European Commission closed its Public Consultation on EU copyright rules on 5 February 2014. The new Commission has announced that EU copyright modernisation will be a priority for 2015, as part of a Digital Single Market package.

        Copyright Private Copying Exception On 1 October 2014 the UK introduced its new format shifting (‘personal copying for private use’) copyright exception. At the end of November three UK music industry bodies (The Musicians’ Union, The British Academy of Songwriters, Composers and Authors and UK Music) announced that they were mounting a judicial review court challenge to the legislation.   Their case is that the exception should have provided fair compensation to copyright holders and consequently does not comply with the EU Copyright Directive.

        Online copyright jurisdictionPez Hejduk (C-279/13) is a pending reference to the CJEU concerning cross-border jurisdiction over online copyright infringement under Article 5(3) of the Brussels Jurisdiction Regulation.  The Advocate General has proposed that the Court should lay down a different rule from any of those adopted in previous cases (eDate/Martinez, Wintersteiger and Pinckney): jurisdiction limited to the courts of place of the event causing the damage, with a possible exception for the place of damage where the site was clearly and incontestably targeted towards one or more other Member States.  Judgment is due on 22 January 2015.

        Copyright and linking C More Entertainment (C-279/13) is the last of a trilogy of copyright linking cases to come before the CJEU (the others were Svensson and Bestwater). A date for judgment is not yet available.

        Site blocking orders 2014 saw the most significant UK site blocking case since Newzbin2, Cartier v BSkyB. It was the first UK trade mark site blocking case, the first since Newzbin2 to be contested by the ISPs and the first in which a third party (the Open Rights Group) intervened.  Numerous points were decided in three judgments and an injunction was granted. We can expect further site blocking applications in 2015. 

        Intermediary liability The pending Delfi reference to the European Court of Human Rights Grand Chamber concerns an online newspaper’s defamation liability for readers’ unmoderated comments on editorial articles. Various NGOs and media organisations have weighed in with interventions.  

The mere conduit and injunction provisions of the ECommerce Directive are the subject of a German reference to the CJEU in Case 484/14 McFadden. It concerns injunctions against providers of open wi-fi networks to prevent copyright infringement by users.

        RIPA, DRIPA and the Counter-Terrorism and Security BillClause 17 of the C-TS Bill currently going through the UK Parliament will extend mandatory data retention to certain IP address resolution data, subject to the same 31 December 2016 sunset clause as DRIPA.  A legal challenge to S.1 of DRIPA by MPs David Davis and Tom Watson is under way. The High Court on 8 December 2014 granted permission to bring the judicial review application. Various current reviews of RIPA, DRIPA and other investigatory powers legislation will report during 2015. The reviews are conducted by: Independent Reviewer of Terrorism Legislation, RUSI, Intelligence and Security Committee of Parliament, and the Interception of Communications Commissioner (police acquisition of communications data to identify journalistic sources). 

Interception and surveillance complaints to the European Court of Human Rights include a case taken by Big Brother Watch, the Open Rights Group, English PEN and Dr Constanze Kurz and one by the Bureau of Investigative Journalism. See mindmap of legal challenges. Also look out for any further developments arising out of the Investigatory Powers Tribunal decision in December that, in the light of disclosures of interception practice made by the government in the proceedings, future use of Section 8(4) warrants and PRISM intelligence sharing would be ‘in accordance with the law’ under Article 8 of the European Convention on Human Rights. Legality prior to the government disclosures has still to be determined. 

        Social media offences The Criminal Justice and Courts Bill currently proceeding through Parliament will create a new ‘revenge porn’ offence.  It will also increase the maximum penalty under the Malicious Communications Act 1988 from six months to two years imprisonment.

        Consumer Rights Act The Consumer Rights Bill currently before Parliament will, as part of a wholesale reform of consumer goods and services law, introduce a separate category of consumer contracts for supply of digital content, to which a self-standing set of implied conditions will apply.

        Data protection A new General Data Protection Regulation (perhaps). The pending appeal in Vidal-Hall v Google. The CJEU reference in Case C-362/14 Schrems v Irish Data Protection Commissioner.

Saturday, 3 January 2015

Cyberlaw memes and themes for 2015

(And see Internet legal developments to look out for in 2015.)

It is tempting just to change 2014 to 2015 in last year’s piece and recirculate.  Nudging and Bludgeoning, Magic wand politics, Politicians not understanding the internet, the Internet as Wild West, Cory Doctorow’s warning of the Coming War on General Purpose Computing, Technological neutrality, Copyright wars, Site blocking and Privacy are as topical as they were a year ago.

But that would be a cop out. So here are a few more memes and themes for 2015.

The War on the Internet. A cynic might say that a politician loves nothing more than an unwinnable war against an intangible enemy. Each setback demonstrates the resourcefulness and cunning of the opponent. Stronger measures are urgently required. Tough action plays to the electoral audience. Another setback feeds the cycle. 

Look out for War on the Internet slogans - ‘Social Responsibility’’, ‘Must Do More', ‘Internet Wild West’, ‘No Ungoverned Space’ - while tech businesses are demonised, scorned and blamed for the ill of the moment.

The Internet as security zone.  We know the rules when we pass through airport security: double-checked IDs, no risky items, unlimited inspection and above all no jokes. Will the internet come to resemble a security zone or be the poster child for freedom under the law?  Internet laws and quasi-laws challenging anonymity, demanding removal of undesirable content, empowering suspicionless state interception and criminalising badly judged tweets are with us already.

Berlin Walls in cyberspace. In the pre-internet world only the most repressive states attempted to erect impermeable borders, shielding their citizenry from noxious foreign influences and imposing a monopoly of national law on the state’s subjects.  In its most extreme form this was manifested in sealed physical borders, bans on external travel, import bans on books and jamming of foreign broadcasts.  

There are signs that, fearful of the inherent global nature of the internet, even liberal democratic states may be tempted to try to erect borders in cyberspace that are less permeable than their pre-internet physical equivalents. For more discussion see slides and video from my presentation at the Aberystwyth University Internet Jurisdiction Symposium, September 2014.

Fantasy Internet Ministers praise the liberating qualities of search engines and social media platforms.  Politicians of all stripes demand more freedom for internet users.  National border walls in cyberspace are torn down. MPs repeal restrictive internet laws and rein back intrusive state powers. Free flow of information across frontiers becomes sacrosanct.


Friday, 2 January 2015

The tangled net of GCHQ’s fishing warrant

The Section 8(4) RIPA warrant is the most powerful interception tool available to UK intelligence agencies. While a targeted Section 8(1) warrant has to name a person or a set of premises, a section 8(4) warrant can authorise bulk interception of millions of simultaneous communications on an internet backbone.

Periodically renewed Section 8(4) warrants are thought to authorise GCHQ’s TEMPORA programme of tapping into transatlantic fibre optic cables, which reportedly processes 40 billion items of data per day.

Following the Snowden revelations a group of NGOs including Liberty, Privacy International  and Amnesty International challenged Section 8(4) in the Investigatory Powers Tribunal. The IPT found in December that, in the light of disclosures of interception practice made by the government in the proceedings, future use of Section 8(4) warrants would be ‘in accordance with the law’ under Article 8 of the European Convention on Human Rights. The legality of previous Section 8(4) interception has still to be determined.

The justification for the Section 8(4) warrant is that investigating terrorism and crime abroad is harder than domestically. It is said that a Section 8(4) warrant is primarily aimed at external communications (sent, received or both outside the British Islands) and not primarily at people located here; and that the purpose of accessing external communications is primarily to obtain information about people abroad. (IPT judgment, [145] and [147]).

But is the purpose of Section 8(4) to gain access to external communications? Or is it to gain access to the communications of people outside the British Islands? Is it a mixture of the two? Bearing in mind that people within the British Islands may send and receive external communications, the objectives are significantly different.

In fact Section 8(4) goes some way towards both objectives, but gives full effect to neither.  The result is a warrant with an avowed purpose to intercept external communications, but which in reality sweeps up both internal and external communications and then treats them identically. Or, if its purpose is to access communications of people outside the British Islands, it nevertheless allows some access to the communications of people within the British Islands.

These points are especially significant when it is appreciated that under Section 8(4) not only capture of communications but also their searchability does not depend on pre-existing grounds for suspicion. The bulk capture stage is suspicionless. Agencies trawling the intercepted material are then not confined to looking for activities of known suspects. The agencies can use keyword and other subject-matter searches to fish for new targets in the general pool of captured internal and external communications.  It is apt to describe Section 8(4) as a fishing warrant. 

This dual use of RIPA was confirmed by senior Home Office official Charles Farr in the IPT proceedings:

“Other information that is obtained via interception is used to identify other previously unknown communications of existing targets, and to identify new targets for investigation. Indeed, a significant proportion of initial intelligence leads derive from interception operations.” (emphasis added) (Farr witness statement, paragraph 31)

This article discusses how the Section 8(4) warrant implements the two avowed purposes and concludes with some observations on points for consideration in the forthcoming likely reform of RIPA.

How far is it the purpose of Section 8(4) to gain access to external communications?

A Section 8(4) warrant, like a targeted Section 8(1) warrant, has to be for a statutory purpose: national security, preventing or detecting serious crime or safeguarding the UK’s economic wellbeing (if relevant to national security).  These purposes govern all three stages of the Section 8(4) warrant structure: Capture, Select, Examine. The scheme is illustrated in this diagram:

The first stage, Capture, is the only point at which the internal/external communication distinction is relevant. In terms of the broader Section 8(4) legislative scheme the distinction plays no more than a fleeting introductory role. This has become more obvious following the judgment of the IPT.

Section 8(4) authorises “the interception of external communications in the course of their transmission by means of a telecommunication system”. However it also authorises “all such conduct (including the interception of communications not identified by the warrant) as it is necessary to undertake in order to do what is expressly authorised or required by the warrant”.

In other words, internal as well as external communications can be captured under a Section 8(4) warrant if they are unavoidably swept up in the interception process. 

On 4 July 2000 the government Minister Lord Bassam, in a letter to Lord Phillips during passage of the Bill, pointed out that:

“Clause 8(5) could, for example, make lawful the interception of internal communications where these mixed with external communications on a trunk used mainly for external purposes.”

In the House of Lords debate on the Bill on 12 July 2000 he said:

“It is still the intention that Clause 8(4) warrants should be aimed at external communications. Clause 8(5) limits such a warrant to authorising the interception of external communications together with whatever other conduct is necessary to achieve that external interception. Whenever such a warrant is signed, the Secretary of State must be convinced that the conduct it will authorise as a whole is proportionate—my favourite word—to the objects to be achieved. His decision to sign will be overseen by the Interception of Communications Commissioner.”

In the IPT proceedings Charles Farr said:

“Section 5(6)(a) makes clear that the conduct authorised by a section 8(4) warrant may in principle include the interception of communications which are not external communications insofar as that is necessary in order to intercept the external communications to which the warrant relates. But the primary purpose and object of any conduct authorised or required by a section 8(4) warrant must consist in the interception of external communications.” (witness statement, paragraph 155)

With this emphasis on external communications we might expect the distinction between internal and external communications to suffuse the whole of the Section 8(4) regime including the subsequent selection and examination stages. 

In fact, as can be seen from the IPT’s judgment, the distinction has no relevance at those stages:

“It is also common ground that the interception under a s.8(4) warrant (what the Respondents call “Stage one”) occurs before any question of selection for examination (what the Respondents call “Stage two”) arises under s.16. As Mr Ryder put it, the relevance of the internal/external distinction has no relation to the s.16 examination, when a communication may be accessed and read. The identification of communication links for interception is, as he described it, a ‘generic’ exercise, not an exercise which is done specifically case by case and communication by communication.” [95] (emphasis added)

The criteria that constrain selection and examination are different from internal/external communication.

The primacy that Section 8(4) accords to external communications at the capture stage is thus of limited significance.  External and internal communications are inseparable as they pass through a fibre optic cable. If the Secretary of State’s purpose is to capture external communications, and he has a basis for believing that the warrant will fulfil that purpose and is necessary and proportionate, Section 8(4) in practice authorises the capture of all communications passing through the cable whether internal or external. The captured communications, both internal and external, then form a common pool and are treated alike.

The limited significance of the external/internal distinction in the overall scheme of Section 8(4) can also be seen in the IPT’s discussion of the position if the Secretary of State had adopted an incorrect legal interpretation of ‘external communication’.

“…the distinction only arises at “Stage one”, when there is no examination:

i) All communications, whether they be external or internal, intercepted by s.8(4) warrant come to be considered for examination by reference to s.16 of RIPA, to which we turn below. It is that section which does what Mr Ryder called in argument the “heavy lifting”.” (emphasis in original) [101]

The IPT also referred to what it termed ‘inchoate’ external communications. This reflects the fact that in many cases the intercepting agency cannot know whether it is capturing an internal or an external communication. This is because the distinction depends on the location of the sender or recipient when the communication is sent or received respectively. For communications such as e-mails, the location of the recipient cannot be determined by looking at the communication or its related communications data.  The location of the mailbox may be ascertainable, but that cannot reveal the location of a person who picks up the message after the interception has taken place.

Lord Bassam recognised this for mobile roaming during the Parliamentary debate on the Bill:

“Even after interception, it may not be practicably possible to guarantee to filter out all internal messages. Messages may well be split into separate parts which are sent by different routes. Only some of these will contain the originator and the intended final recipient. Without this information it will not be possible to distinguish internal messages from external. In some cases it may not be possible even if this information is available. For example, a message between two foreign registered mobile phones, if both happened to be roaming in the UK, would be an internal communication, but there would be nothing in the message to indicate that.” (emphasis added) (Hansard, 12 July 2000)

The IPT judgment observed:

“It is inevitable that, when a telephone call is made from a mobile phone or IPhone, or an email is sent to an email address, it will not necessarily be known whether it will be received in the United Kingdom or in the course of travel or at a foreign destination. It is accepted that once and if received abroad by the intended recipient it will be an external communication, even if the sender did not know, when he or she made the call or sent the email, that that was to be the case.” [(94(iii)]

Selection and Examination – people outside the British Islands?

The Selection and Examination stages follow Capture. Examination is the point at which human analysts can read, look at or listen to captured material.  Although they are limited to examining material described in the Secretary of State’s certificate on the warrant, that description could be as wide as all communications between the UK and a named country, or passing through a particular cable.  

More significantly, analysts can (with some exceptions) only examine material that has been selected in ways that do not breach the Section 16(2) prohibitions. These are the provisions that do the ‘heavy lifting’ referred to by the IPT. Generally they reflect the second avowed purpose of Section 8(4) – to gain access to the communications of people outside the British Isles, but not those of people within the British Isles.

Lord Bassam, in the House of Lords debate on 12 July 2000, said:

“selection may not use factors which are referable to an individual known to be for the time being in the British Islands”

However RIPA is not that straightforward. Under Section 16(2) a selection factor is prohibited if it:

“(a) is referable to an individual who is known to be for the time being in the British Islands; and
(b) has as its purpose, or one of its purposes, the identification of material contained in communications sent by him, or intended for him.”

Lord Bassam’s summary reflects (a), but not the significant additional limitation in (b). This narrows the scope of the Section 16(2) prohibition, enabling at least one kind of search to be made using the name of someone known to be within the British Isles.  

Some examples illustrate the apparent effect of the Section 16(2) prohibitions. These apply whether the captured communications were internal or external.

-         An analyst could not (without a modification to the warrant) search for Joe Smith’s communications by (say) his e-mail address if he knows that Joe Smith is within the British Islands.  

-         If Joe Smith’s communication turns up in response to:
o   a subject matter search (e.g. ‘Syria’), not referable to any individual
o   a search using someone else’s name (not known to be within the British Islands) or the name of a corporation
o   a search for his own name within the body of someone else’s communication
o   a search for his own name aimed at finding his own communications, if the agency does not know that he is for the time being within the British Islands
then according to the letter of Section 16(2) it could apparently be examined.  (However if the examination itself involves a process of further selection, an analyst could be prohibited (without a warrant modification) from focusing on communications of someone known to be within the British Islands of which s/he becomes aware during examination.)

-         If Joe Smith has left the British Islands since sending the communication, then the analyst could apparently search using his name, since Joe Smith is no longer ‘for the time being’ within the British Islands

As to the last point, the IPT judgment could be read differently (para 143):

“Communications intercepted under a s.8(4) warrant cannot be read if sent by or to a person located in the UK, by reference to the s.16(2) procedure discussed at some length above.”

However that would not take account of ‘for the time being’, which on the face of it refers to the time of search, not the time of the communication.

This extract from the Foreign Secretary’s evidence to the Intelligence and Security Committee on 23 October 2014 also seems to conflate time of communication and time of search:

“The Foreign Secretary clarified after the meeting that, if a communication is intercepted under an s.8(4) warrant, and if one end is outside of the UK, it may be selected for examination without a 16(3) modification if the subject of interest is the non-UK end of the communication; however, if the subject of interest is the party in the UK, or if both ends are UK, there needs to be a 16(3) modification or 8(1) warrant authorised by the Secretary of State before it can be selected. He undertook to write to the Committee with further detail.”

Section 16 provides some limited gateways permitting examination even if the material was selected using factors prohibited by Section 16(2). 

The most potentially significant gateway is an additional certificate under Section 16(3). This allows otherwise prohibited examination if the Secretary of State certifies that selection by factors referable to the individual in question is necessary for national security, prevention or detection of serious crime, or national security-related UK economic wellbeing; and the material relates only to communications sent during a maximum period of three months (six months for national security). The extent to which Section 16(3) has been used is not public. 

There is also a procedure known as an ‘overlapping’ Section 8(1) targeted warrant. The procedure was first described in the Interception Commissioner’s Report for 1986 under the pre-RIPA interception regime. It appears that its purpose is to buttress the examination of communications to or from persons within the British Isles legitimately available for examination through the Section 8(4) procedure. However the procedure’s exact use and legal significance is unclear. The status of overlapping warrants and their relationship to Section 16(3) were issues during the passage of the Bill.

Reform of RIPA

Several reviews of RIPA are currently in progress. They include the Investigatory Powers Review by the Independent Reviewer of Terrorism Legislation under the Data Retention and Investigatory Powers Act 2014 (DRIPA), due to report by May 2015; the RUSI Independent Surveillance Review and an inquiry by the Intelligence and Security Committee of Parliament.

Reform of RIPA will be a priority after the 2015 General Election, with legislators mindful of the sunset date of 31 December 2016 for the RIPA amendments made by DRIPA. The pros and cons of Section 8(4) warrants will be hotly contested. Among the possibilities that we can anticipate being advocated may be:
-         Abolish all suspicionless bulk capture of communications.
-         Limit selection and examination under a Section 8(4) warrant to communications of pre-existing suspects.
-         Maintain the status quo.
-         Enact more extensive powers.

There will of course be debate around broader overarching issues such as whether it is any longer appropriate to treat communications data as deserving less privacy protection than content.

RIPA is notoriously difficult to understand.  The convoluted selection and examination provisions of Section 16 are among the most difficult to untangle. Whatever the eventual policy outcomes of the forthcoming debates, any new legislation should be clear, accessible and reflect the purposes for which it is enacted. 

The discussion above highlights some specific issues that are likely to have to be considered should Section 8(4) survive in any recognisable form.

Before commenting on these, one fundamental issue that will be relevant to any interception regime is hidden legal interpretations.

Hidden Legal Interpretations

Legal interpretations are critical to the operation of RIPA. An obvious example is the interpretation of ‘external communications’.  Others mentioned in this article include overlap of selection and examination, what constitutes an agency’s knowledge of someone’s whereabouts and whether it is bound to make enquiries, the relevance and extent of the various statutory purposes said to be embodied in the legislation, the significance of ‘for the time being’ in section 16(2) and the legal effect (if any) of overlapping warrants.  There have been other examples, such as extra-territoriality.

The agencies conduct their activities on the basis of legal interpretations of the legislation which generally remain hidden from view.  It took the extraordinary event of the Snowden disclosures for the government to reveal, in the resulting IPT proceedings, its particular (and widely criticised) interpretation of external communications.

It would be a significant step forward if the Interception Commissioner (or any future equivalent oversight body) were to be charged with publishing legal interpretations on the basis of which the agencies operate under interception legislation.

Turning to specific issues around Section 8(4):

Incidental awareness

Section 16(2) is structured as if selection and examination are separate phases. Yet if that were so, analysts would be able to examine and use material of which they became incidentally aware as a result of a permitted search, but which they could not legitimately have targeted directly. 

If while reading a communication selected by means of a permissible factor an analyst becomes interested in its sender or recipient, and that person is known to be within the British Isles, does that amount to selection? Does Section 16 then prohibit further examination without a modification to the warrant? This ought to be the case, and may be supported by para 105 of the IPT judgment, but is less than clear on the face of the statute.

This kind of issue may be covered in internal intelligence agency guidance documents.  It ought to be specifically and clearly addressed in legislation. It also may bear on the use of overlapping Section 8(1) warrants.

Internal/external communications

Warrants to intercept external communications go back to Section 4 of the Official Secrets Act 1920, which used the same definition of external communications as does Section 8(4). However the distinction now has limited significance in the overall scheme of Section 8(4) warrants. It is also curious that Parliament should have knowingly hung Section 8(4) on the slender thread of something largely unascertainable.

That is not to say that the distinction has no constraining effect on the initial interception stage. For instance, could a Secretary of State sign a Section 8(4) warrant to tap a domestic cable carrying 99% internal communications if his primary purpose and object was genuinely to capture some of the 1% external communications?

The Secretary of State would have to consider whether the warrant was necessary and proportionate, including in particular whether the information thought necessary to obtain under the warrant could reasonably be obtained by other means (Section 5(4)). Such considerations, and the requirement to certify a description of intercepted material considered necessary to be examined, ought to drive a Secretary of State towards directing Section 8(4) warrants at cables that are most likely to contain the highest proportion of external communications.  That approach is borne out by Charles Farr’s witness statement in the IPT proceedings (para 154):

“Thus, when conducting interception under a section 8(4) warrant, knowledge of the way in which communications are routed over the internet is combined with regular surveys of internet traffic to identify those bearers that are most likely to contain external communications that will meet the descriptions of material certified by the Secretary of State under section 8(4)(b)(i) of RIPA. While this approach may lead to the interception of some communications that are not external, section 8(4) operations are conducted in a way that keeps this to the minimum necessary to achieve the objective of intercepting wanted external communications.”

While broad considerations of necessity and proportionality give some comfort, they are not the most concrete of protections.  If Section 8(4) were to survive in anything like its current form, consideration might be given to, for instance, explicitly restricting it to international cables.

If it remained an avowed purpose of a Section 8(4) replacement to focus on interception of external communications, then consideration could be given to extending that beyond the capture stage. The agency could be required (to the extent feasible) to sift out and discard internal communications after capture. It could be required to cease examining a communication that it realised was internal. If a selection/examination distinction based on a person's location within or outside the British Islands were to be retained, then the scope for examining communications of people within the British Islands would bear reconsideration .  

Knowledge of location of a person

The prohibited Section 16(2) selection factors refer to an individual ‘known’ to be within the British Isles.  The agency is therefore on the face of it free to search for the communications of someone whose whereabouts are unknown, or if it suspects but does not know that the individual is within the British Isles (IPT judgment, [104] - [105]).

‘Known’ presumably means known to the agency.  Does that mean known to the particular analyst responsible for setting the selector, known to a group of analysts, or include anything in the records and archives of the agency?

Does it include information within the intercept material itself? One would assume not, since the agency could never safely set a name selector to search the pool of intercept material if it was deemed to know everything within it.

However there is a relevant difference between content and related communications data captured under a Section 8(4) warrant.  The section 16(2) restrictions do not apply to the related communications data.

The government argued before the IPT that this was justified by the use of related communications data in order to determine whether someone was for the time being within the British Isles. This was necessary in order for the safeguard in Section 16(2)(a) to work properly:

“In other words, an important reason why the Intelligence Services need access to related communications data under the s.8(4) Regime is precisely so as to ensure that the s. 16 safeguard works properly and, insofar as possible, factors are not used at the selection that are - albeit not to the knowledge of the Intelligence Services - “referable to an individual who is ... for the time being in the British Islands”.” [112]

The government submitted that this was plainly the express, and sensible, purpose of Parliament.

The government argument seems implicitly to posit some duty on the agency to enquire into the location of a selection target, albeit that is not spelt out in Section 16.

The IPT accepted that the different treatment of communications data

“is justified and proportionate by virtue of the use of that communications data for the purpose of identifying the individuals whose intercepted material is to be protected by reference to s.16(2)(a).”[114]

The IPT rejected the NGOs’ argument that use of communications data for this purpose could be addressed by an exception in the legislation, saying that it was an “impossibly complicated or convoluted course”. That issue could be revisited in any reform of RIPA.

[Updated 2 Jan 2015 15.30 with additional reference to certificates; and 23.30 to substitute British Islands for British Isles (thanks to @RichGreenhill for pointing that out; and 3 Jan 2015 15:11 to add reference to RIP Bill debate on S16(3)/overlapping warrants.)]

Sunday, 21 December 2014

A Cheltenham Carol

On the Twelfth Day of Christmas my true love sent to me:

Twelve Zettabytes

Eleven Encryption Layers

Ten Coders Coding

Nine Hackers Hacking

Eight Routers Routing

Seven Inspected Packets

Six Spies-a-Spying

Five Back Doors

Four Fishing Warrants

Three Haystacks

Two Secret Laws

And a Paean to Proportionality


Wednesday, 3 December 2014

Another round of data retention

[Updated 4 December 2014]
[Further updated 20 January 2015 to add tweet.]
[Also updated 5 January 2015 with this brief commentary on the Home Office Factsheet:

Page 1: Top Lines

"IP resolution is the ability to identify who in the real world was using an Internet IP address at a given point in time." Data retention at best identifies the device or connection being used and any associated subscriber details. The subscriber is not necessarily the user. Page 2 of the Factsheet is accurate: "This data can help identify who has made a communication, when, where and how." (emphasis added) 

Page 1: Background

"However, some IP addresses are shared and allocated dynamically." True, but dynamic allocation is not what Clause 17 is about. Dynamic IP address allocation is sequential temporary allocation of a public IP address to one customer after another. Dynamic IP addresses are already explicitly mentioned in the DRIPA datatypes (Data Retention Regulations 2014, Schedule, Paras 13(1)(b) and 11(3)). It is evident from the diagram on page 3 of the Factsheet that the problem being addressed by Clause 17 is simultaneous sharing of a single public IP address by multiple ISP customers. 

Page 3 : Diagram

"At 4pm 2,500 people are using a single IP address on the internet." Exactly. The issue is simultaneous sharing of a single IP address, not dynamic (sequential) allocation of an IP address. 

"The e-mail service provider now provides police with IP address and port number used to send the e-mail and accurate time."  In order to do this the e-mail service provider in the diagram example will have had to retain IP address, port number and timing data.  Will such providers, as well as internet access providers, be subject to mandatory retention?

"Police seek details from internet access provider. Internet access provider now identifies the individual using the unique combination of IP address and port number provided at 4pm." The internet access provider identifies the customer, who may be but is not necessarily the individual who used the device in question.] 

Four months after DRIPA and 18 months after putting down a marker in the May 2013 Queen’s Speech, the UK government has embarked on a new round of legislation for mandatory retention of communications data. This time it is under the banner of IP address matching.

The Counter-Terrorism and Security Bill had its Second Reading yesterday and is expected to go into Committee on 9 December. Clause 17 will extend DRIPA to new categories of communications data.

DRIPA’s existing data retention obligations, rushed through Parliament in four days in July, are of course controversial. They are the subject of a threatened legal challenge by David Davis MP and Tom Watson MP.  The proposal to add IP address matching dates back to a recommendation of the Joint Committee on the draft CommunicationsData Bill in December 2012.

What new categories of communications data would have to be retained?

Clause 17, like so much UK legislation in this field, is difficult to understand. The Explanatory Notes and the Impact Assessments are more detailed, but still confusing. (The Home Office has subsequently issued a Factsheet.) MPs suggested in the Second Reading that the drafting of Clause 17 needs to be examined critically.  They are right.

The overall aim seems to be to mandate retention of data that can link a given communication made via a simultaneously shared public IP address to one of many devices or connections that may have been using that IP address at a given time.  Clause 17 labels this “relevant internet data”. We might call it linking data.

This appears to break down something along the following lines (the first two of these are illustrated in the useful diagram in the Home Office Factsheet).
  • Some ISP and mobile operator systems don’t allocate one public IP address to one customer device or connection, but have many customers sharing an IP address simultaneously. They could be required to retain linking data such as port numbers.
  • Even if an ISP retains IP address and (say) port number records, it cannot be sure of identifying a single device or connection unless law enforcement can provide it with a both a port number and an IP address to look up. So a cloud storage or web e-mail provider accessed by the user could also be required to retain logs of linking data visible to it, such as port numbers.
  • Operators such as public Wi-Fi hotspots could be required to log MAC addresses.
Weblog data (records of websites accessed by customers) would be excluded from mandatory retention by internet access providers such as ISPs and mobile operators.

The Overarching Impact Assessment provides this summary:

“IP Resolution: Allow for a power to require communications service providers to retain the data necessary to attribute an IP address to an individual.”

Taken literally, that is a power to require the impossible. We don’t have IP addresses tattooed on our foreheads. Even if we did that would not identify us, as opposed to someone else, as the user of the device at any given time. An IP address at best identifies a device or a connection. The ISP may then be able to link that with the identity of its subscriber customer, but no more. The subscriber may or may or not be the user. The Factsheet diagram, unfortunately, perpetuates the myth that an IP address identifies a user.

DRIPA in fact already covers retention of subscriber data for IP addresses (both where the IP address is static and where it is dynamically allocated in sequence to different customer devices and connections). What it doesn’t cover is the single public IP address simultaneously shared among many of an ISP’s customers.

The Bill is meant to be only about IP address matching. So it is not immediately obvious why the Impact Assessments say that the Bill will expand DRIPA to cover a wider range of internet services. On the other hand Clause 17 does not seem to do this, since it only amends the categories of data to be retained. DRIPA has already adopted an extremely broad underlying definition of telecommunication services.

The new obligations would be subject to the same 31 December 2016 sunset clause as DRIPA. As with DRIPA itself, mandatory retention will apply only to data generated or processed in the UK by public providers in the process of providing the telecommunications services concerned; and then only to those on whom the government serves a notice. The Impact Assessment says that the service providers most likely to be affected by the Bill have been consulted.

That is my current stab at what Clause 17 is trying to do.  However it is a puzzling piece of drafting. Here are some questions worth considering.

What is ‘relevant internet data’?
Clause 17(3)(b) defines this as communications data relating to an internet access service or an internet communications service which:

“may be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication (whether or not a person)”.

This is the most curious part of Clause 17. The problem is surely not identifying which IP address ‘belongs’ to a given sender or recipient of the communication, but identifying which device or connection (of many) was used to make a given communication via a given shared public IP address. Is it drafted the wrong way round?

What is an ‘identifier’?
The Clause says that “identifier” means “an identifier used to facilitate the transmission of a communication”.  More helpfully, Clause 17(3)(b) tells us that an IP address is an identifier. The Explanatory Notes seem to conflate linking data and the shared identifier that we are trying to tie to a device or connection:

“…  An IP address can often be shared by hundreds of people at once – in order to resolve an IP address to an individual other data ("other identifier" in this clause) would be required.”

Whatever the ‘other data’ may be, surely it is not the ‘other identifier’ in Clause 17(3)(b)?

What else might be covered by ‘identifier’? A MAC address, although it operates at a lower (physical) layer than an IP address, would seem to qualify. But Clause 17 is not avowedly about retention of new categories of identifiers, only retention of data capable of linking shared identifiers (such as IP addresses) to an individual device or connection. If a MAC address is itself an identifier, does that prevent it being linking data? The Explanatory Notes suggest that a MAC address could also be linking data:

“Data necessary for the resolution of IP addresses could include port numbers or MAC (media access control) addresses.

Are there circumstances in which a MAC address could be used to identify the particular device that sent a communication via a shared IP address? Public Wi-Fi hotspots seem a likely candidate. However a MAC address would presumably be less useful than a port number, assuming that the MAC address is not visible from outside the hotspot and so could not be logged at the other end of the communication.

What are an internet access service and an internet communications service? 
These are the foundation stones of Clause 17. Communications data cannot be required to be retained unless it relates to an internet access service or an internet communications service. These terms are also critical to the scope of the weblog data exclusion. Many will be surprised, therefore, to find that neither term is defined.

What do the terms mean? The glib answer is ‘whatever they meant in the EU Data Retention Directive’. That is their origin. They were used (but not defined) in the Directive.

The 2009 Data Retention Regulations, which implemented the Directive, followed its terminology. When the Directive was invalidated DRIPA re-enacted the datatypes that were in the Schedule to the 2009 Regulations. So the 2014Data Retention Regulations that were made under DRIPA again used the two terms, notably in the definition of ‘User ID’: “a unique identifier allocated to persons when they subscribe to, or register with, an internet access service or internet communications service.” Perhaps unsurprisingly given the government’s commitment to re-enact the 2009 datatypes identically, the 2014 Regulations again left the terms undefined. 

That is a plausible historical reason why the terms have been left undefined in Clause 17. But even though there is a breadcrumb trail back to the Directive, the lack of definitions in the Directive means that uncertainty remains particularly over ‘internet communications service’. Does it relate to any type of communication, or is it more limited, for instance to e-mail, messaging or telephony providers? The diagram in the Factsheet uses the example of an e-mail provider. However the Impact Assessment suggests that the government believes it has a broad meaning, covering for instance cloud storage services:

“For example w[h]ere a user uploads an illicit file to a cloud server that server provider, if subject to a data retention notice, would be required to retain sufficient information to enable the internet access provider to identify the user.”

We look forward to illumination of these and no doubt other points as the Bill proceeds. Meanwhile, the bigger question of whether any of this is compatible with the European Convention on Human Rights and the EU Charter of Fundamental Rights remains to be fought out. 

[My 8 point tweet of points on Clause 17:


[Updated 4 December 2014 with references to the Home Office Factsheet and minor clarifications and edits. Further update 5 January 2015 with comments on the Home Office Factsheet. Further updated 20 January 2015 to add tweet.]