The Investigatory Powers Act 2016, nicknamed the ‘snooper’s charter’, came into force in 2016 amid controversy and outrage from privacy campaigners.
Campaigners claimed that the legislation went ‘too far for a democratic state’ and ‘violated privacy’, with some even arguing that the act would ‘provide an international standard to authoritarian regimes around the world’ to justify their own intrusive surveillance powers.
The new law requires web and phone companies to store everyone’s web browsing histories for 12 months and give the police, security services and official access to the data.
The primary content of the act provides security services and police with new powers to access computing devices and to collect communications data in bulk.
The Home Office however have made clear that some provisions will require extensive testing and will not be in place for some time. However, powers to require web and phone companies to collect communications data have been in force since December last year, the date when the previous Data Retention and Investigatory Powers Act 2014 expired.
The executive director of the Open Rights Group, Jim Killock statedregarding the legislation:
“The IP Act will have an impact that goes beyond the UK’s shores. It is likely that other countries, including authoritarian regimes with poor human rights records, will use this law to justify their own intrusive surveillance powers.”
He was correct, they did. In 2016, the Chinese government cited the new act when defending its own intrusive anti-terrorism legislation.
A key driver behind the creation of the Investigatory Powers Act 2016 was the expiration of the Data Retention and Investigatory Powers Act 2014 (DRIPA) on the 31st of December, 2016.
A replacement was also needed as “The other existing legislation was a mixture of bills, the main one of which was the Regulation of Investigatory Powers Act 2000” according to the Joint Committee on the Draft Investigatory Powers Bill in 2016.
The Data Retention and Investigatory Powers Act 2014 allowed security services to continue to have access to phone and internet records of individuals following a previous repeal of these rights by the Court of Justice of the European Union. The act was criticised by some Members of Parliament for the speed at which the act was passed through parliament and by some groups as being an infringement of privacy.
Following legal action, in July 2015, the High Court issued an order that sections 1 and 2 of the Act were unlawful, and were to be suspended until March 2016, giving the government a deadline to come up with alternative legislation which was compatible with EU law.
Soon after, the Investigatory Powers Act 2016 was proposed to replace existing interception powers with a new targeted interception power. Providing for targeted interception of communications by a ‘limited number’ of public authorities for a ‘limited number’ of purposes when a warrant is in place.
The Investigatory Powers Act 2016, the often nicknamed ‘Snooper’s Charter’, was passed by both Houses of Parliament on the 29th of November 2016. The act went into force on December that year.
The Act covers three elements:
- Interception of communications data during transmission.
- Interference (or hacking) of electronic equipment to obtain communication data.
- Retention of internet connection records for 12 months.
These powers are available to a variety of government departments from GCHQ to the Food Standards Agency and access is overseen by the Investigatory Powers Commission. A list of organisations to which this data is available can be found in the Appendix.
The Act expanded the powers available to the intelligence community and upon on DRIPA’s data retention requirements through compulsory generation, obtaining and retention of a broader range of communications data.
It should be noted however that a great deal of the act didn’t introduce new powers but legally establish previous surveillance and hacking activities utilised in previous legislation. These activities include the collection of data from around the world and targeted hacking of individuals computers.
The draft bill was published in 2015, and a Joint Committee of the House of Commons and House of Lords was established to scrutinise the draft bill. The Joint Committee published its pre-legislative scrutiny report in March 2016 and the Government accepted a number of its recommendations, and the revised bill was introduced in the House of Commons, where it was subject to debate by Members of Parliament.
In March 2016 the House of Commons passed the Investigatory Powers Bill on its second reading by 281 votes to 15, moving the bill to the committee stage. At the committee stage constitutional, technology, and human rights issues were examined.
The draft Bill generated significant controversy regarding intrusive powers and mass data collection. While the Home Office said the Bill was compatible with the European Convention on Human Rights, the content of the Bill had raised concerns about the impact on privacy.
According to a House of Lords report on the Investigatory Powers Act, the act also clarifies that in all circumstances, when law enforcement or the security and intelligence agencies wish to intercept the communications of a person believed to be in the UK, or examine the communications of a person believed to be in the UK that have been collected in bulk, a targeted interception warrant or targeted examination warrant must be sought.
Throughout the act, the government use the term “equipment interference” to refer to hacking and splits it into two categories: targeted and bulk. Targeted allows law enforcement and security agencies to access specific devices while bulk covers larger groups.
In January 2016 a report published by the Intelligence and Security Committee said:
“We have therefore recommended that the new legislation contains an entirely new part dedicated to overarching privacy protections, which should form the backbone of the draft legislation around which the exceptional powers are then built. This will ensure that privacy is an integral part of the legislation rather than an add-on.”
The committee also recommended that bulk personal data warrants are removed from the legislation. Conservative MP Dominic Grieve later clarified the extent of these freedoms by saying “the principle of the right to privacy against the state is maintained except if there is a good and sufficient reason why that should not happen”.
The government however did not remove them. However, Gavin E. L. Hall a doctoral researcher at the University of Birmingham, argues in an article in the ‘Fair Observer’ titled ‘Is the Snooper’s Charter as Bad as You Think?’ that public fear of the bill isn’t justified. Hall makes the case that there are “benefits to formally codifying in law what state security services can and cannot do and that while it may technically be possible under the bill to impugn individual freedom, John Bull has little to fear.”
This Act like its predecessors is largely legalising practices already taking place. The Act expands on DRIPA’s data retention requirements through compulsory generation, obtaining and retention of a broader range of communications data, including internet browsing data. Various authorities can, as with RIPA, make targeted demands on telecom operators for communications data.
As of the 5th of May 2017, a leaked government draft document further elaborates on this and details how the government is seeking to ‘compel telecommunications operators to provide real time access to named individuals’ communications within one working day.
The government is also reportedly asking for the capability to obtain or intercept ‘secondary data from 6,500 people at any one time’.
Perhaps most controversially, the leaked document indicates that the government is demanding that telecoms providers “provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data, or to permit the person to whom the warrant is addressed to remove such electronic protection”.
The Home Office has stressed that a service provider cannot be made to do anything that is not reasonably “practicable” but what does that actually mean?
Earl Howe, in a 2016 House of Lords debate on the matter, said:
“The company on whom the warrant is served will not be required to take any steps, such as the removal of encryption, if they are not reasonably practicable steps for that company to take. So a technical capability notice could not, in itself, authorise an interference with privacy. It would simply require a capability to be maintained that would allow a telecommunications operator to give effect to a warrant quickly and securely including, where applicable, the ability to remove encryption.
These safeguards ensure that an obligation to remove encryption under Clause 229 of the Bill will be subject to very strict controls and may be imposed only where it is necessary and proportionate, technically feasible and reasonably practicable for the relevant operator to comply.”
Clearly, it is not feasible for an operator who provides its users with end-to-end encryption facilities, such as WhatsApp, to remove the encryption, since it has no decryption key and therefore outrage over this part of the act would seem to be largely unwarranted.
In conclusion, while the boundary of legitimate surveillance is drawn in a similar fashion as in previous legislation as in the Investigatory Powers Act 2016, much of the Act is taken up with enumerating the powers of law enforcement and the intelligence agencies under warrants issued by a Secretary of State and approved by a Judicial Commissioner.
One of the biggest sources of controversy with this act and the driver behind the ‘Snoopers Charter’ moniker is that the law requires telecoms companies to store internet browsing histories for 12 months and give security services and other agencies unprecedented access to the data. However, while critics of the legislation have dubbed it the “Snoopers’ Charter” and civil rights advocates have slammed it for being invasive, technology experts cite the benefits to formally setting out the limits of what the state is allowed to do and what it is not allowed to do.
That being said, following its passage into law, the Act continues to be subject to a serious legal challenge, launched by human rights group Liberty due to the European Court of Justice’s December ruling that bulk data collection is unlawful. It remains to be seen what happens next in the saga that is UK surveillance legislation.