The UK Investigatory Powers Bill: Adding Much Needed Transparency

James Pooler is a political science student at New York University and an intern for the Council on Foreign Relations’ Digital and Cyberspace Policy program. 

Following David Cameron’s resignation after the United Kingdom’s vote to leave the European Union, Theresa May became the country’s second female prime minister. As most of the attention has focused on the political reshuffling at the top – the new cabinet, committees, and Brexit negotiators—there has been considerably less attention given the Investigatory Powers Bill, a surveillance bill meant to consolidate and formalize the authority of British intelligence and law enforcement agencies, which the new prime minister championed in her previous job as Home Secretary.

In March 2016, the bill passed the House of Commons by a landslide 281 to 15 vote. The Liberal Democrats voted against it, dubbing it “Snooper’s Charter.” The bill recently underwent a second reading at the House of Lords, and is expected to pass by the end of this year. While it has been significantly edited, privacy advocates are alarmed over issues of collection and retention of data, encryption, and warrants for law enforcement that had not been explicitly defined. The bill has four major provisions.

First, it requires communication service providers (CSPs) such as telcos, messaging app providers, and social networking sites, to collect and retain internet connection records of all their users for up to a year. The records include but are not limited to IP address, browsing history, names of services consulted and other metadata, but exclude content of communications. A cabinet minister would have the power to require CSPs to make information readily available to law enforcement as to identify “which individual has used a specific internet service, how a subject of interest is communicating online, or whether an individual is accessing or making available illegal material.”

Second, it explicitly legalizes government-enabled equipment interference, colloquially known as lawful hacking. Intelligence, armed forces, and law enforcement would be able to apply for targeted equipment interception warrants for six months, and could require compliance from CSPs to facilitate interference. These warrants are required for both targeted and bulk interceptions—the latter in the event that intelligence cannot identify a target, a practice the Federal Bureau of Investigation has been pushing for in the United States with its request to amend Rule 41.

Third, it empowers cabinet ministers to issue “technical capability notices” to CSPs, which would “impose any obligations relating to the removal by a person of electronic protection applied by or on behalf of that person to any communications or data.” While the bill does not mandate backdoors, it expects CSPs to maintain the ability to decrypt end-to-end encryption. Given the current debate about encryption, this provision has garnered some of the most controversy.

Fourth, the draft legislation reforms the oversight of these new and existing powers by creating a dedicated investigatory powers commission and a new way of authorizing warrants. The commission would be an independent body dedicated to the oversight of communications data, interception, equipment interference, and related work of law enforcement and intelligence agencies. The new warrant procedure would require that interception warrants granted by a cabinet minister be approved by the investigatory powers commission.

Facebook, Google, Microsoft, Twitter and Yahoo unanimously expressed their opposition in a written statement to the British Parliament. Their primary concern is the legal conflicts such a law would create when tech companies seeking to comply with the law take measures that have extraterritorial effect. For example, it is not inconceivable that UK authorities could ask a company like Microsoft to hand over customer data held in another country whose laws forbid such disclosure. Apple also expressed concern over the bill’s “technical capability notices” and their consequences on encryption, noting that “companies should remain free to implement strong encryption to protect customers.”

Opposition has also come from the Court of Justice of the European Union (CJEU), which deemed bulk data collection to only be lawful when used to investigate serious crimes. A CJEU representative declared that data retention laws should “limit interference with fundamental rights” to what is strictly necessary. Moreover, the CJEU has a history of rejecting bulk collection. In the wake of Edward Snowden’s revelations, the court invalidated the EU Data Retention Directive adopted in 2006 following bombings in London and Madrid, deeming that bulk collection’s “wide-ranging and particularly serious interference […] with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary.”

For all of the opposition that the bill has received, there are a few silver linings. First, the bill formalizes and brings to light powers that the UK government had once exercised in the shadows. The new transparency and accountability mechanisms, overseen by the judiciary, will ensure that these issues remain in the public domain. Furthermore, the Home Secretary will be required to provide a review of the legislation’s implementation five years after it enters into force, possibly providing a mechanism for review. Second, the bill isn’t nearly as intrusive as other interception and surveillance regimes, such as France’s year-old intelligence bill and Russia’s new anti-terrorism laws both of which have less oversight mechanisms.

Despite its seemingly Orwellian features, the Investigatory Powers Bill introduces few new powers that the UK authorities didn’t already have, brings transparency to those powers, and provides the oversight and accountability mechanisms that such extraordinary powers deserve.