Investigatory Powers Bill

Further written evidence submitted by techUK (IPB 57)

First Proposed Amendments on the Investigatory Powers Bill

Prepared for the Public Bill Committee

About techUK

techUK represents the companies and technologies that are defining today the world that we will live in tomorrow. More than 850 companies are members of techUK. Collectively they employ approximately 700,000 people, about half of all tech sector jobs in the UK. These companies range from leading FTSE 100 companies to new innovative start-ups. The majority of our members are small and medium sized businesses.

Summary

techUK welcomes the scrutiny that the Bill has faced to date and is particularly pleased to see the Public Bill Committee conduct detailed line by line scrutiny of the Bill.

Following techUK’s first briefing [1] to the Public Bill Committee in March, which outlined our key concerns with the Investigatory Powers Bill, we would like to follow up with a more detailed note that outlines specific changes that our members would like to see made to the face of the Bill. These changes reflect the first set of amendments that we would like to be made to the Bill, and follow the order schedule that the Public Bill Committee has published.

This document therefore outlines amendments that techUK would like made to Clauses 1-74 (Schedules 1-5 of the Public Bill Committee Schedule of Order). These will focus on:

· Privacy (Part 1) – Schedule 1

· Definitions of Internet Connection Records (Clause 54) – Schedule 4

· Third party data retention (Clause 78) – Schedule 6

· Equipment Interference (Clauses 91 and 112) – Schedules 6 and 7

· Extraterritoriality - Jurisdiction and Enforcement (Clauses 34, 35, 36, 76, 86, 109, 110, 111, 131, 147, 148, 149, 167, 217 and 218) – Schedules 3, 6, 7 and 9

In line with the concerns outlined in techUK’s previous evidence to the Bill Committee and those highlighted in this document, it is crucial that these are resolved through amendments on the face of the Bill itself (and not through policy statements and Codes of Practice).

This will provide the legal certainty and clarity that industry needs to appropriately understand its legal obligations, whilst ensuring that any future operational changes established by the Bill are properly debated by both Houses of Parliament.

techUK will follow up with the Bill Committee in the coming weeks with further amendments relating to items in the latter schedules of the Bill.

Part 1 (Clause 1)

Privacy and Transparency

The Intelligence and Security Committee (ISC), along with others, called for an overarching privacy statement to appear on the face of the Bill, clearly setting out the universal privacy protections which apply across the full range of investigatory powers afforded to the security services. This will form the basis around which exceptional powers may be built and ensure that the protection of privacy is an integral part of the legislation.

Suggested Amendment

Part 1 of the Bill should include an additional section that explicitly addresses each privacy safeguard within the Bill and includes a Clause that explicitly sets out the universal privacy protections which apply across the full range of investigatory powers.

This amendment is designed to:

Set the correct context for the Bill and provide a foundation of privacy from which the exceptional powers provided for in the Bill are drawn. This will increase confidence in the use of investigatory powers and provide further transparency.

Part 3 (Clause 54)

Internet Connection Records

Despite various submissions to the Home Office from industry, concerns remain over the definition of Internet Connection Records (ICRs) provided for in Clause 54 of the Bill and the corresponding use of the undefined term "internet communication service". ICR is not a term that industry has used before, and the lack of a consistent, clear definition of what an ICR is in practice creates additional difficulties for industry.

Tellingly, the Codes of Practice to the Bill admit this by stating that there will be no single set of data that constitutes an internet connection record and that in practice "it will depend on the service and service provider concerned". This acknowledgement highlights the difficulties that industry will face if required to generate and retain ICRs.

Current Legislation

Clause 54(4)(b) uses the term "internet communication service", which is currently undefined in the Bill.

Suggested Amendment

An additional Clause should be inserted after Clause 54(6) that should read as follows:

"An "Internet communications service" means a service which provides for communication by voice, e-mail or other message between two or more individuals (including an individual acting on behalf of an organisation) over the internet".

This amendment is designed to:

Restrict the purposes of accessing an internet connection record in relation to identifying an internet communication service to mean identifying human to human messaging, rather than for instance including machine to machine messaging or web searches.

This is consistent with what techUK understand to be the intention of the Code of Practice, which describes an internet communication service as a "service which provides for the communication between one or more persons over the internet and may include email services, internet telephony services and web forums" (Draft Communications Data Code of Practice, 7.3).

Part 4 (Clause 78)

Third Party Data

Third party data is defined in the Codes of Practice as data that a Communication Service Provider (CSP) is able to see "in relation to applications or services running over their network, in the clear, but does not process that communications data in any way to route the communication across the network".

The Home Office has been unequivocal that such data would not be included in the Bill, with the Home Secretary informing the House on the 4th of November 2015 that the Bill "will not include powers to force UK companies to capture and retain third party internet traffic from companies based overseas" (Theresa May MP, House of Commons, 4 November 2015).

Furthermore, the Draft Codes of Practice for Communications Data state that "a data retention notice can never require a CSP to retain the content of communications or third party data" (Paragraph 2.61).

However, the overly broad definition of "relevant communications data", which now extends to sixteen different definitions and sub-definitions, could be interpreted as giving the Secretary of State the power to require a CSP to retain third party data (since the definition does not expressly exclude third party data).

Current Legislation

There are currently no clauses within the Bill that explicitly state that CSPs will not be required to retain third party data.

Suggested Amendment

A new clause should be inserted after Clause 78(2) that should read as follows:

"A retention notice may not require a telecommunications operator to retain any third party data, unless that third party data is retained by the telecommunications operator for their own business purposes".

Current Legislation

Clause 78(9) currently states that:

"In this Part "relevant communications data" means communications data which may be used to identify, or assist in identifying, any of the following –

(a) the sender or recipient of a communication (whether or not a person),

(b) the time or duration of a communication,

(c) the type, method or pattern, or fact, of communication,

(d) the telecommunication system (or any part of it) from, to or through which, or by means of which, a communication is or may be transmitted, or

(e) the location of any such system,

and this expression therefore includes, in particular, internet connection records."

Suggested Amendment

Clause 78(9) should be amended to state that:

"In this Part "relevant communications data" means:

(a) communications data of the kind mentioned in the Schedule to the Data Retention (EC Directive) Regulations 2009 (SI 2009/859), or

(b) relevant internet data not falling within paragraph (a), or

(c) internet connection records.

"relevant internet data" means communications data which may be used to identify, or assist in identifying, the sender or recipient of a communication (whether or not a person)."

These amendments are designed to:

Make explicit the Government’s stated intention that it does not require the retention of third party data and put this on the face of the Bill.

It will also replicate the Data Retention and Investigatory Powers Act (DRIPA) in its original form, including both IP address resolution and the newly added internet connection records, ensuring that the definition of "relevant communications data" is consistent with current legislation and adds only one additional type of communications data: internet connection records.

Part 5 (Clause 91 and Clause 112)

Equipment Interference

The security and integrity of a company’s networks and services are a crucial aspect of their ability to compete globally, and companies have legal obligations to ensure that they are secure.

Equipment Interference (EI) can have serious ramifications for businesses, potentially creating new risks and vulnerabilities for individuals and businesses. For this reason, the Joint Committee on the draft Investigatory Powers Bill called for Equipment Interference warrants to include a "detailed risk analysis of the possibilities of system damage and collateral intrusion and how such risks will be minimised".

Neither the face of the Bill nor the Codes of Practice, however, acknowledge the dangers inherent within equipment interference provisions and the potential effect such provisions may have on critical national infrastructure.

Current Legislation

There are currently no clauses within the Bill that relate to ‘security integrity and privacy’ and ‘protection of critical national infrastructure’.

Suggested Amendments

Two new clauses should be inserted into the Bill under the heading of ‘Supplementary provision’ (After Section 112).

These new clauses will state:

‘Security integrity and privacy’

"The person making an application for a warrant under this equipment interference must make a detailed assessment of –

(a) the risk to the security or integrity of systems or networks that the proposed activity may involve;

(b) the risk to the privacy of those not being specifically targeted;

(c) the steps they propose to take to minimise the risks in subsection (a) and (b);"

‘Protection for critical national infrastructure’

"The person making an application for a warrant under this part must make a detailed assessment of the risks of the proposed activity to any critical national infrastructure."

Current Legislation

Currently, Clause 91(1)(c) states that:

"the Secretary of State considers that satisfactory arrangements made for the purposes of sections 112 and 113 (safeguards relating to the disclosure etc.) are in force in relation to the warrant"

Suggested Amendment

Clause 91(1)(c) should be amended, in line with the new clauses outlined above, as follows:

"the Secretary of State considers that appropriate assessments for the purposes of section [security integrity and privacy] and [protection for critical national infrastructure] have been made and having taken account of them the warrant is proportionate."

Suggested Amendment

Clause 91(2) should include another provision at the end that should read as follows:

Clause 91 (2)(c): "the assessment under section [Protection for critical national infrastructure] concludes that there is a risk to critical national infrastructure of the proposed activity."

These amendments are designed to:

Ensure that the Secretary of State must make an assessment of the risks to the security and integrity of networks as described in the Equipment Interference draft code of practice (page 21, para 3.31) and as recommended by the Joint Committee.

This will minimise any potential risks and make sure that they are taken into account before a warrant is granted.

Parts 2, 3, 4, 5, 6 and 9 (Various Clauses as per Page 1)

Extraterritoriality – Jurisdiction and Enforcement

Government has recognised that the current legal framework for law enforcement to request lawful access to data from other jurisdictions is fragmented, with conflicts of law making it difficult for companies and users to navigate their way and understand their privacy rights.

Despite the Home Office’s recognition and previous acceptance of conflicting legal obligations for companies, and despite the recommendations put forward by Sir Nigel Sheinwald in his report to the Prime Minister, extraterritorial provisions that undermine the long term objective of an international framework still remain within the Bill.

Suggested Amendments

techUK supports the suggested amendments that were submitted by Yahoo, Google, Facebook, Microsoft, Twitter and Apple on extraterritorial provisions within the Bill (Clauses 34, 35, 36, 76, 86, 109, 110, 111, 131, 147, 148, 149, 167, 217 and 218).

April 2016


[1] techUK submits evidence to Public Bill Committee on Investigatory Powers Bill (29 March 2016). Retrieved from http://www.techuk.org/insights/news/item/8169-techuk-submits-evidence-to-public-bill-committee-on-investigatory-powers-bill

 

Prepared 12th April 2016