Not their finest hour: the U.K. surveillance law
- Subtitle: The IT Girl
Known to critics as the “Snoopers Charter,” the act is possibly one of the most far-reaching surveillance laws ever passed by a democratic nation. While some sections of the act received Royal Assent on Nov. 29, the act will come into force in stages, initially as early as the end of this year.
The U.K. government first published the draft bill in November 2015 to replace the existing Data Retention and Investigatory Powers Act 2014, or DRIPA, certain sections of which will expire at the end of December. However, the real impetus for the act arguably was to retroactively legitimate practices that the U.K.’s security apparatus had been using for years without disclosure to the public, in addition to expanding the current scope of government surveillance powers.
Weighing in at more than 300 pages, the act is quite long so I will focus only on a few key concerns as noted below.
(i) Big data collection. Under the act, the U.K. government can provide any telecommunications operator with a “data retention notice” that obliges them to retain relevant “communications data,” including the “Internet connection records” of their users. Law enforcement agencies, including the police, intelligence services, etc. will be able to access this data without any court order or warrant on request.
(ii) Bulk interception and data collection. Essentially legalizing the surveillance activities exposed by Edward Snowden, the act permits the collection of metadata and targeted hacking of individual computers, bugging phone calls, reading texts, etc., so long as warrants are properly obtained. Much of the act is devoted to rules around such warrants and the act provides for the Secretary of State, approved by a judicial commissioner, to issue these warrants. These warrants include: (i) interception warrants (targeted, thematic or bulk); (ii) equipment interference warrants (essentially an elegant way of describing “hacking”) (targeted, thematic or bulk); and (iii) bulk communication data acquisition warrants.
(III) Potentially breaking encryption. The act contains a provision allowing the U.K. government to serve a company with a “technical capability notice” requiring the entity to “take all steps specified in the notice for the purpose of complying with those obligations.” These obligations include “obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data.” Several technology companies, including Google, Microsoft, Twitter and Yahoo, have interpreted this as obliging vendors upon demand to remove, weaken or circumvent encryption on user’s data whenever “practicable.”
(IV) Speak no evil. Continuing the “big brother” theme, companies that are actually subject to the act are forbidden to generally talk about it. For example, in an effort to possibly deter whistleblowers, the act criminalizes “unauthorized” disclosures under the section dealing with equipment interference warrants and the punishment for any breach is a fine, a prison sentence of up to 12 months (up to five years on conviction on indictment) or both.
(V) Scope. Many of the definitions in the act are (intentionally) quite broad as is the scope of the act. For example, some commenters have noted that the act will apply to any provider of a service that facilitates the creation, management or storage of communications transmitted by means of a “telecommunication system.” According to the draft Code of Practice, this would include cloud-based services and services providers, web-based email, messaging applications, social media companies and online businesses that provide telecommunications services to users and customers as part of their business. The local café providing public Wi-Fi would also likely be in scope as well as “private” networks (schools, universities and domestic homes).
Any Canadian entity that provides a telecommunications service to individuals in the U.K. or controls a telecommunication system in the U.K. may fall within the scope of the act. The act also describes methods of serving warrants on non-U.K. persons, but interception warrants and targeted communication data acquisition are supposed to take into account (i) any requirements or restrictions under the non-U.K. law of that country or territory that are relevant to the taking of those steps; and (ii) the extent to which it is “reasonably practicable to comply with the duty in [a] way that does not breach any of those requirements or restrictions.”
There is no question that the act is controversial. Critics have identified many shortcomings in the act from civil liberties’ and privacy perspectives, alleging that the proposed “checks and balances” in the act, including the new supervisory body, the Investigative Powers Commission, are inadequate. The act has already been criticized by the U.K. Open Rights Group and Privacy International, which described it as “intrusive" and “draconian." A petition asking the U.K. government to repeal the law has thus far garnered 154,888 signatures, but Parliament has declined to schedule a debate on this petition. Court challenges will likely ensue.
By contrast, only days after the act was passed, the federal Privacy Commissioner of Canada, Daniel Therrien, along with his provincial counterparts, stressed, in a formal submission to the Canadian federal government’s public consultation on Canada’s national security framework, the need to address privacy risks related to information sharing and the collection of metadata. Therrien was quoted as saying:
Amen to that and let’s hope that our Parliament — unlike the U.K. Parliament — listens.
Lisa R. Lifshitz is a partner in Torkin Manes’ Business Law Group, specializing in technology and privacy law and is the leader of the firm’s Technology, Privacy and Data Management Group. Lisa has been nationally and internationally recognized for her technology law expertise and enjoys writing and speaking on technology law issues. She is the immediate past president of the Canadian IT Law Association and can be reached at firstname.lastname@example.org. The views presented here are the author's alone.
Column: The IT Girl