Investigatory Powers Bill

Written evidence submitted by Access Now (IPB 72)

Introduction

1. Thank you for the opportunity to provide comments to the Public Bill Committee regarding the Investigatory Powers Bill (IP Bill). Access Now previously submitted written evidence for the Investigatory Powers Review [1] and comments on the Draft IP Bill to the Joint Committee on the Draft Investigatory Powers Bill, both individually and as part of a coalition of civil society organisations; [2] the House of Commons Science and Technology Committee; [3] and in collaboration with Fight for the Future to the Joint Committee on Human Rights. [4]

2. Access Now is an international organisation that works to defend and extend digital rights of users globally. [5] Through representation in 10 countries around the world, Access Now provides thought leadership and policy recommendations to the public and private sectors to ensure the internet’s continued openness and the protection of fundamental rights. Our Technology Arm operates a 24/7 digital security helpline that provides real-time direct technical assistance to users around the world.

3. Communications surveillance interferes with human rights recognised in international law and policies, to which the UK is subject, including individuals’ human right to privacy. Accordingly, laws that permit communications surveillance must respect human rights standards as articulated by the International Principles on the Application of Human Rights to Communications Surveillance, including Necessity, Proportionality, and Integrity of Communications and Systems. [6]

4. Below, we address the impact on human rights, specifically on the Principle of Integrity of Communications and Systems, of the IP Bill’s provisions relating to encryption and data retention, and propose modifications in accordance with international standards. Equipment interference also poses a risk to human rights. We support the specific recommendations of the Electronic Frontier Foundation on equipment interference. [7] In addition, we urge additional research into the human rights risks of any equipment interference conducted in bulk, which could impact users around the globe.

International law and Integrity of Communications and Systems

5. In June 2015, David Anderson, the Independent Reviewer of Terrorism Legislation, recommended in his Report of the Investigatory Powers Review that a single, comprehensive law replace existing authorities for communications interference. [8] Mr. Anderson suggested the new bill "affirm the privacy of communications" and be written "so as to enable its essentials to be understood by intelligent readers across the world" and to "cover all essential features." [9] The Investigatory Powers Bill was drafted and introduced as a result of this recommendation. However, the IP Bill fails to provide adequate clarity or precision.

6. The UK has committed to respect human rights under a number of international treaties, including the European Convention on Human Rights ("ECHR"), [10] the EU Charter of Fundamental Rights ("Charter"), [11] and the International Covenant on Civil and Political Rights, among others. [12] Each of these treaties establishes rights to privacy and freedom of expression.

7. The European Court of Human Rights ("ECtHR") has explained the standards related to rights under the ECHR as they pertain to communications surveillance. Applying these standards, the ECtHR has recently found a number of government surveillance policies to be in violation of the right to privacy. [13] Additionally, the ECtHR notes that freedom of expression "protects not only the substance of the ideas and information expressed, but also the form in which they are conveyed." [14]

8. The International Principles on the Application of Human Rights to Communications Surveillance ("Principles") have further articulated a framework for the application of human rights protections to modern communications surveillance. [15] The Principles include Necessity, Proportionality, Legality, Transparency, Public Oversight, and Integrity of Communications and Systems. While many of the Principles are implicated by the IP Bill, these comments focus on the Integrity of Communications Systems. The Principle reads,

"In order to ensure the integrity, security and privacy of communications systems, and in recognition of the fact that compromising security for State purposes almost always compromises security more generally, States should not compel service providers or hardware or software vendors to build surveillance or monitoring capability into their systems, or to collect or retain particular information purely for State Communications Surveillance purposes. A priori data retention or collection should never be required of service providers. Individuals have the right to express themselves anonymously; States should therefore refrain from compelling the identification of users." [16]

9. As elaborated below, the IP Bill will infringe on human rights and should be modified to bring it into conformity with the UK’s international obligations. The IP Bill fails to protect the Integrity of Communications and Systems. First, the IP Bill enables the government to require service providers or manufacturers to weaken or remove encryption in order to facilitate surveillance, as indicated by the National Crime Agency. [17] Further, the law contains an a priori data retention requirement for service providers.

Encryption

10. Encryption protects the confidentiality and integrity of communications, creating a "zone online to hold opinions and exercise freedom of expression without arbitrary and unlawful interference or attacks." [18] In reporting on the connection, the United Nations Special Rapporteur for the Promotion and Protection of the Right to Freedom of Opinion and Expression found that "[e]ncryption and anonymity, today’s leading vehicles for online security, provide individuals with a means to protect their privacy, empowering them to browse, read, develop and share opinions and information without interference and enabling journalists, civil society organisations, members of ethnic or religious groups, those persecuted because of their sexual orientation or gender identity, activists, scholars, artists and others to exercise the rights to freedom of opinion and expression" and limitations on encryption must be in conformity with human rights. [19] Any compulsion to build weakened security standards, including encryption backdoors or workarounds, is counter to the Principle of Integrity of Communications Systems.

11. The IP Bill creates ambiguity as to the power of the Secretary of State to regulate encryption, particularly whether regulations to be developed under §217 on "technical capability notices" could enable limitations on the use or development of strong encryption or the requirement to implement encryption backdoors. [20] Such requirements would have a direct, deleterious impact on digital security. [21] Further, uncertainty under the law and future regulations would lead to an underdevelopment of security measures. If encryption is weakened, users will lose trust in the security of the internet and modify their behavior accordingly. They may limit sharing of sensitive information or cease trusting security patches. These risks are aggravated by the geographic scope of technical capability notices, which can be given to a person inside or outside the UK. [22]

12. A significant number of organizations and committees that have conducted reviews of the IP Bill recommended clarification on this provision. For instance, the House of Commons Science and Technology Committee, [23] the Joint Committee on the Draft Investigatory Powers Bill, [24] and dozens of civil society organisations, [25] academics, [26] companies, [27] media companies, [28] and governmental offices [29] have asked for a clarification on potential limitations on encryption.

Recommendation

13. Therefore, Access Now recommends §217(4)(c) be modified in accordance with the italicised text below:

"(c) obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data unless such removal would require a modification in the design or implementation of the electronic protection;"

Data retention

14. The Principle of Integrity of Communications Systems prohibits a priori data retention requirements, which create an undue burden on business, risk data security, infringe upon individual privacy, and chill the exercise of human rights including freedom of expression and freedom of association. [30] The Court of Justice of the European Union ("CJEU") struck down the EU Data Retention Directive in 2014 because it created a disproportionate interference with the fundamental rights to respect for private life. [31] Human rights violations are particularly pronounced in legislation, such as the IP Bill, devoid of meaningful limits to the scope of the data that a provider can be compelled to retain.

15. Data retention measures will lead to legal uncertainty and place a significant burden on UK companies, entrepreneurs, and developers. The prospect of a legal requirement to alter business practices would force providers to invest in and develop the capacity for long-term data retention and storage systems. This would impede the development and competitive implementation of cost-efficient record-keeping systems and have impacts on the security of sensitive user information.

16. As recognised by the Joint Committee on the Draft Investigatory Powers Bill, data retention requirements in the EU are subject to significant change pending the resolution of two additional cases pending before the CJEU, which will likely articulate a standard for data retention at odds with the current language of the IP Bill. [32] As such, the law should not require any modification to current provider practice pending the outcome of the CJEU cases.

Recommendation

17. The implementation of data retention mandates in §§ 78 - 83 should be delayed pending the resolution of the relevant cases before the CJEU.

Conclusion

18. Thank you for the opportunity to provide written comments. These comments were limited to particular provisions in the IP Bill, though we believe additional analysis is required to determine whether the other authorities, including equipment interference and bulk warrants, comply with the requirements of the Principles.

April 2016


[1] Access Now, Evidence for Investigatory Powers Review, https://www.accessnow.org/cms/assets/uploads/archive/docs/Access_submission_to_IPT_UK.pdf.

[2] Access Now, IPB0112, http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draft-investigatory-powers-bill-committee/draft-investigatory-powers-bill/written/26363.pdf; Access Now et al., IPB0109, http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draft-investigatory-powers-bill-committee/draft-investigatory-powers-bill/written/26360.html.

[3] Access Now, IPB0049, http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/science-and-technology-committee/investigatory-powers-bill-technology-issues/written/25186.html.

[4] Access Now and Fight for the Future, DIP0017, http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/human-rights-committee/legislative-scrutiny-draft-investigatory-powers-bill/written/25665.html.

[5] Access Now, https://www.accessnow.org.

[6] International Principles on the Application of Human Rights to Communications Surveillance, https://necessaryandproportionate.org.

[7] Electronic Frontier Foundation, Investigatory Powers Bill - EFF Amendments, https://www.eff.org/document/eff-investigatory-powers-bill-amendments.

[8] David Anderson, A Question of Trust: Report of the Investigatory Powers Review 285 (June 2015), https://terrorismlegislationreviewer.independent.gov.uk/wp-content/uploads/2015/06/IPR-Report-Web-Accessible1.pdf.

[9] Id.

[10] European Convention on Human Rights, June 1, 2010, available at https://ec.europa.eu/digital-agenda/sites/digitalagenda/files/Convention_ENG.pdf.

[11] International Covenant on Civil and Political Rights, Dec. 16, 1966, S. Treaty Doc. No. 95-20, 6 I.L.M. 368 (1967), 999 U.N.T.S. 171.

[12] Charter of Fundamental Rights of the European Union, art. 8, 2000 O.J. (C 364); European Court of Human Rights Personal data protection factsheet (Dec. 2015), http://www.echr.coe.int/Documents/FS_Data_ENG.pdf.

[13] European Court of Human Rights, Factsheet - Personal data protection (Feb. 2016), http://www.echr.coe.int/Documents/FS_Data_ENG.pdf.

[14] Oberschlick v. Austria, European Court of Human Rights (1991), available at http://hudoc.echr.coe.int/eng?i=001-57716.

[15] International Principles on the Application of Human Rights to Communications Surveillance, https://necessaryandproportionate.org.

[16] Id.

[17] Eric Geller, U.K. official confirms surveillance bill would let cops force companies to decrypt data, The Daily Dot (Apr. 20, 2016), http://www.dailydot.com/politics/encryption-uk-investigatory-powers-bill-nca-director-backdoors/.

[18] Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Human Rights Council, U.N. Doc.A/HRC/29/32 at 3, 6 (May 22, 2015) (by David Kaye).

[19] Id.

[20] Draft IP Bill §§ 217(4)(c) ("The obligations that may be specified in regulations under this section include, among other things- . . . obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications").

[21] Harold Abelson et al., Keys Under Doormats: mandating insecurity by requiring government access to all data and communications, Massachusetts Institute of Technology Technical Report (July 6, 2015), https://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=8.

[22] Draft IP Bill §§ 218(11)(b).

[23] House of Commons Science and Technology Committee, Investigatory Powers Bill: technology issues para. 43 (Jan. 19, 2016), http://www.publications.parliament.uk/pa/cm201516/cmselect/cmsctech/573/573.pdf.

[24] Joint Committee on the Draft Investigatory Powers Bill, Draft Investigatory Powers Bill para. 264 (Feb. 3, 2016), http://www.publications.parliament.uk/pa/jt201516/jtselect/jtinvpowers/93/93.pdf.

[25] See e.g. Written evidence submitted by the Center for Democracy & Technology (IPB 36) (Mar. 23, 2016), http://www.publications.parliament.uk/pa/cm201516/cmpublic/investigatorypowers/Memo/IPB36.htm.

[26] See e.g. Written evidence submitted by Dr Paul Bernal, Lecturer in Information Technology, Intellectual Property and Media Law at the University of East Anglia Law School (IPB 06) (Mar. 24, 2016), http://www.publications.parliament.uk/pa/cm201516/cmpublic/investigatorypowers/Memo/IPB06.htm.

[27] See e.g. Written evidence submitted by Apple Inc, Facebook Inc, Google Inc, Microsoft Corp, Twitter Inc and Yahoo Inc (IPB 21) (Mar. 23, 2016), http://www.publications.parliament.uk/pa/cm201516/cmpublic/investigatorypowers/Memo/IPB21.htm.

[28] See e.g. Guardian News & Media-written evidence (IPB0040) (Jan. 7, 2016), http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draft-investigatory-powers-bill-committee/draft-investigatory-powers-bill/written/26219.html.

[29] See e.g. The Information Commissioner’s Office-written evidence (IPB0073) (Jan. 7, 2016), http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draft-investigatory-powers-bill-committee/draft-investigatory-powers-bill/written/26307.html.

[30] Supra 15.

[31] Digital Rights Ireland Ltd v. Minister for Communications, Marine and Natural Resources and Others (C-293/12), available at http://curia.europa.eu/juris/liste.jsf?num=C-293/12.

[32] Home Department v. David Davis and Tele2 Sverige AB v. Post-och Telestyrelsen (Case C-203/15).

 

Prepared 28th April 2016