The Investigatory Powers Act, meant to make the UK safer, poses risks to cybersecurity and keeps privacy concerns alive
From the very first day it was proposed, the UK’s new surveillance laws received plenty of criticism. Many headlines relating to it highlighted almost no positives; it has been described as ‘extreme’, ‘dystopian’ and ‘an assault on freedom’. Edward Snowden, a flag-bearer of digital privacy, tweeted that the new rules go “further than many autocracies.”
The legislation in question is the Investigatory Powers Act 2016, which was passed late last year, and was debated and scrutinised in Parliament for about a year, during which concerns were abound. David Davies, a Conservative MP, reflecting the views of numerous others in the legislature at the time, said in March 2016 that there was “lots to worry about.”
Aside from the media and some inside Parliament, Silicon Valley had also expressed its discontent, including Apple. This seems not to be any surprise considering the tech giants’ standoff with the FBI over the unlocking of an iPhone belonging to a terrorist (read more). Such a stance was a reflection of other technology companies and their thoughts on government electronic surveillance.
Peter Church, a specialist technology lawyer at Linklaters, a law firm, expressed a slightly different view, warning of the risk of precise definitions “becoming out of date very quickly.” Such comments were made in consideration of the fast-moving digital the world has now been experiencing for decades.
The Act 2016 is an attempt to give intelligence agencies the powers it needs to conduct its electronic surveillance effectively and legally. This is during an age when not only technological innovation continues to develop and change quickly, but also when the issue of digital privacy has become such a prominent human rights issue. Edward Snowden’s revelations of the NSA’s foreign espionage programs in America in 2013 was very much the springboard for this.
But what are people to really make of these new surveillance laws? Do they constitute an attack on liberty that many media outlets claim it to be? Do such laws actually go further than some autocratic states? Or is it a genuine attempt to allow intelligence agencies to conduct its work and make the country safer in a lawful manner? It is in this analytical piece that The Cyber Solicitor attempts to find the answers.
Exploring the Act
Finding the answers, and determining both the malignant, as well as the beneficial, features of such laws, is not, by any means, totally straightforward. Of course, it is critical to look at such an Act in detail before determining its worth. The Investigatory Powers Act 2016, in summary, provides a framework for intelligence agencies to intercept and gather communications data within the UK. Specifically, section 1 of the Act “sets out the extent to which certain investigatory powers may be used to interfere with privacy” while imposing “certain duties in relation to privacy” along with “other protections with privacy.”
As well as privacy protections being provided within the Act itself, safeguards from other legal frameworks, such as the Human Rights Act 1998, Data Protection Act 1998 and Wireless Telegraphy Act 2006 are included. Related misconduct offences in public office may also derive from English common law.
Section 3 of the Act 2016 details the requirements for “unlawful interception.” Simply, any interception that is carried out in the UK without lawful authority (a warrant) will be deemed as unlawful. The key to this definition is that the interception of communications must be made while in transit and must be carried out in the UK. An exception can be made where consent to the interception may be given as opposed to a warrant, or where the interceptor has “a right to control the operation or use of the system” in question. This refers to the conduct element of the offence of unlawful interception. Furthermore, if either the sender or recipient of the communication believes that the interception was unlawful, then section 8 permits either party to bring an action against the inceptor as long as the requirements laid out in section 3 are met.
The mental element of an offence under the Act is detailed in section 11, where it says a person must either “knowingly or recklessly obtain communications data” without legal authority to be guilty of a criminal offence. The type of personnel this is relevant to encompass anybody holding “an office, rank or position with a relevant public authority,” which could include the police, the NHS and other public bodies. A maximum of 12 months imprisonment or a fine are the prescribed punishments for such unlawful conduct.
Before public authorities can intercept and obtain communications data, a judicial commissioner must first determine whether granting permission to do so would be “proportionate to what is sought to be achieved by that conduct.” In terms of what constitutes as relevant grounds for intercepting communications, section 20 outlines what these may be. Matters of national security, for example, would be a valid reason for the interception. In addition, if it will help to prevent serious crime, or is for economic well-being “so far as those interests are also relevant to the interests of national security” then it will be permitted. Anything outside of these grounds would not be sufficient to obtain an interception warrant, including the activities of trade unions, according to the Act.
Perhaps one of the most highlighted aspects of the bill is section 87, which says that any collected data can be retained for no longer than 12 months. Telecommunications operators must ensure that this retained data is protected from any unlawful conduct “using appropriate technical and organisational measures.” Furthermore, these operators must use adequate security systems controlling data access in order to “protect against any unlawful disclosure” as stated in section 93.
With regard to oversight, the Investigatory Powers Commissioner (IPC) is given the ability to inspect and investigate, by an audit or by other appropriate means, the use of the powers granted by the 2016 Act by public authorities. These investigations can look at all the powers granted, from the interception and acquisition of data to the retention and disclosure of the data. Through such inspections, the IPC should ensure that the safeguards and protections given to privacy are evident. While scrutinising public authorities, it is the judicial commissioner’s role to ensure that the IPC does not jeopardise the success of an intelligence operation, compromise the safety of those involved, or “unduly impede the operational effectiveness of an intelligence service, a police force” or any other of Her Majesty’s forces.
It is a No From Europe
The only court hearing so far regarding this new Act of Parliament has come from the Court of Justice of the European Union. Simply put, it ruled that Member States of the EU could not implement laws or rules that would obligate electronic communications service providers to retain and provide State access to bulk data. Following precedent, the court cited the Digital Rights Ireland judgement from 2014 to support the ruling. In that case, the Court of Justice held that any retention of data was not permitted if such retention goes beyond what was considered necessary for purposes of preventing serious crime. Although the court case does not look specifically at the Investigatory Powers Act of the UK, it did make reference to the new laws as well as data retention laws in Sweden.
The court went on to say that any laws which permit broad and indiscriminate data retention, which is not confined to a particular geographical area or type of person or group, goes beyond what is “strictly necessary” to fight serious crime. It argued that such laws could not be justified in “a democratic society” and contravenes “the protection of the fundamental right to respect for private life.”
Essentially, what this court ruling suggests is that laws which allow the mass collection and retention of data for the purposes of fighting and preventing serious crime, like terrorism, are, by default, unreasonable. It sees such conduct as disproportional to these aims, and thus the 2016 Act would not be worth its encroachment upon privacy.
It is the European Convention on Human Rights that underpins this line of argument. But attached to this Convention is the important historical context which shows why Europe has often been quite unfavourable of mass electronic surveillance and bulk data retention. The particular human right in question here is found in Article 8, which details the right to family and private life.
Although, while Article 8 says that citizens have a right to privacy and that this should not be interfered with, for the purposes of national security, public safety or the economic well-being of the country, this right may be encroached upon to an extent where is necessary.
Even so, the courts in Europe have tended to give these exceptions to upholding privacy quite limited scope. The premise of this lies in Europe’s history. The French Revolution in the 18th century was a stand against the absolute rule of the monarchy, and a desire to empower the people with the ability to hold authorities to account and set limits to their power. A devastating second world war left Europe divided and scarred by the autocratic agenda of the Nazi’s in Germany. Out of these events and others came the need to unite economically and politically, and hence today the EU is a symbol of this unity and progress, although this may debatable to some. Nevertheless, the European Convention on Human Rights was established upon the lessons learnt from the tragedies of world wars and bloody revolutions.
All of this underpins the general approach of many European countries to individual rights. The general consensus seems to be that, where possible, these rights should prevail over any kinds of mass surveillance. Any laws which grant such powers is seen as overreaching and not totally justified, as they are a reflection of the tyrannical experiences which have taken place before.
Even though this tendency has been put under strain with the number of terror attacks in Europe in the last few years, the European Courts of Justice have seemed to have stuck to, more or less, the same legal stance. Accordingly, the UK’s Investigatory Powers Act, in terms of European law, falls on the side of being overreaching, unjustified and, thus, unlawful.
There are two possible concerns underpinning this ruling. The first is that it is the actual laws themselves that go too far in achieving its aims (mitigating serious crime and terrorism) because they are overreaching in achieving those aims. The second relates to the fear that public bodies, of whom have been granted powers by the law, may abuse these powers due to the broad scope of them. It is perhaps more the combination of both that suggests that the Act 2016 could be undesirable and thus unlawful.
The premise of the first interpretation has focused the idea that those in the realms of law and politics, and thus those responsible for making and initiating law and policy, often have an incomplete understanding of technology and the notion of privacy in the digital age. Never before have so many people had masses of information and data about them located in a single place. Whereas one’s property and papers detailing information about themselves could be found in their home, a smartphone can contain many texts, photos, videos, messages and other digital information spanning over years. Thus, intercepting and obtaining data generated from these devices, and other digital services, creates a gold mine of what can be quite personal, sensitive and revealing information. Hence, when governments, internet service providers, and businesses have access to such data, it leaves many uncomfortable.
It could be argued that law and policy makers do not quite appreciate this reality, and thus seek to implement rules that may threaten certain rights. Sustaining privacy in the digital age is important because the data being protected is so vast and telling. Although, The Investigatory Powers Act says it is only website metadata that is collected; this would only reveal the website visited (www.thecybersolicitor.com), and not the actual content that may be accessed or viewed on that site (https://www.thecybersolicitor.com/single-post/2017/01/28/What-are-VPNs). But even this does not entirely shield a user’s specific online activity; the title of the website can sometimes be revealing enough.
Even so, if the Investigatory Powers Act only permits these powers for the purposes of national security, economic well-being or others that would seem reasonable, why would it matter if this data is collected? The main concern would probably be that collecting all this data from millions across the country will create a honeypot for hackers on the web to steal such data for various malicious means.
But also, this interpretation may also come from the notion that such laws will not actually be effective in fighting and preventing serious crime. Those involved in plotting or carrying out serious acts of crime or terrorism are unlikely to use in the more regular capacity. Instead, it is the dark web (read more) where these criminals are more likely to conduct their illegal and potentially dangerous activities.
This feeds into the second concern underpinning European Court’s ruling, which involves a stubborn scepticism of law enforcement and intelligence agencies, as well as government and politicians in general. If the powers granted are too broad, there is a likely a chance of abuse. In defence of this broadness, though, it could be argued that it allows the laws to keep up with the fast-moving and technology-driven world. Establishing laws which are too narrow or specific may quickly become outdated, and thus inapplicable and useless.
Even so, the possibility of governments, public authorities, or intelligence agencies using the powers granted adversely or abusively remains a worry. But appreciating the current threats which may be of concern, of which the justification of such powers is based on, should be considered.
One of these threats is terrorism. With the distant, yet still fairly prominent, threat of IS, combined with turmoil and war in the Middle East and North Africa, many world leaders of the West have focused on ways to prevent fatal terrorist attacks at home, fuelled by radical and aggressive ideas and beliefs. One way of achieving this is by using internet data and traffic to track and obstruct potential attacks. Examining a users’ search queries, websites visited, and other electronic activity can give an indication to their motives. If a user watches a video on how to make a home-made petrol bomb and then proceeds to search various popular tourist destinations in London, such as Buckingham palace, it would certainly, and rightly, attract the attention of security and intelligence agencies. From there, it is likely that these authorities would collect further information, conduct further targeted tracking and surveillance to determine whether this activity is either a false alarm or is likely to materialise into, or be a part of, a potential attack endangering public safety. This so-called ‘guilt by association’ may be how the Investigatory Powers Act is meant to help make the UK safer, by providing a framework to legitimise the workings of intelligence agencies to uphold national security and the peace of the UK citizens.
But problems arise nevertheless. For one, it can potentially be unfairly discriminative. Britain shares a lot of its surveillance work with American intelligence agencies, which was revealed by the Snowden leaks, and does so because of the strong alliance between the two countries. American intelligence agencies may use this shared data to bar people from entering the country if it believes it has substantial reason to believe it could be a pose danger. But numerous complaints by British Muslims have been made about not being allowed entry into the US based on their internet activity. Furthermore, with a President like Mr Trump, who has made it clear his disapproval of Islam, this worry of an abuse of power by the State, by barring the freedoms of individuals seemingly based on their religious affiliations as well as their online activity, may be a legitimate one.
These intelligence agencies are not necessarily playing guessing games to track down these potential terrorists or criminals, though; certainly in the UK, they are well-equipped to make far more accurate predictions. But with terrorism being such a prominent threat amongst many Western countries, there may be a tendency for many of these security agencies to be ‘trigger-happy’ and slightly paranoid when conducting their surveillance, thus, leading to some irrational inaccuracies in their work, resulting in wrongly accusing people of terrorist or criminal activity.
However, what should also be recognised is that the effectiveness of these surveillance programs is not exactly known, at least publicly. The work of intelligence agencies is confidential and secret, and so much of the process and the end results of its work are kept behind closed doors. Therefore, it would be quite a stretch to say that the surveillance programs have no effectiveness in fighting or preventing serious crime or terrorism. Only those inside the ropes will truly know if that is at all the case, and such knowledge is unlikely to made public. Even if it were to be made public, it would probably be unspecific and vague, barring a whistleblower.
Do You Trust Your Leaders?
Given that the true effectiveness of electronic surveillance is essentially unknown makes it, therefore, difficult to determine whether the Investigatory Powers Act satisfies the exception to upholding privacy, as provided by Article 8 of the European Convention on Human Rights. The complaints made by British Muslims may, of course, be a genuine reason to believe that these new laws are perhaps not worth their alleged encroachment on privacy. However, these false alarms cannot be measured against the success rate of the surveillance, in terms of how many threats it has managed to thwart. It is thus difficult to side with either argument.
Should, then, the security agencies and the government be given the benefit of the doubt? The Courts of England and Wales seem to think so. In the case of Liberty v Government Communications Headquarters (2014), the Investigatory Powers Tribunal held that as long as the activities of GCHQ were subject to the oversight of intelligence commissioners, of whom sought to ensure that the activities complied with the safeguards to civil liberties, and are conducted with a warrant provided by the relevant authority in accordance with the statute in question, then such activities would be deemed lawful. The Courts here were in no position to question the legitimacy of an Act of Parliament permitting these surveillance powers; it must accept that no statute passed by Parliament can be struck down by the judiciary, recognising the constitutional arrangements of the UK. Parliamentary sovereignty is essentially the centrepiece of the UK’s constitution. This was established in the case of Pickin v British Railways Board (1974). Accordingly, as long as intelligence agencies act in accordance with the statute, then its conduct will be sufficiently lawful. The long-standing doctrine here is that Parliament consists of representatives elected by the people, and thus, the laws that these representatives pass gain their legitimacy from the mandate provided by the electorate. Thus, UK citizens are highly unlikely to vote into office representatives whose policies would conflict with their rights. If this did turn out to be the case whilst these representatives were in office, then they would subject to the political consequences; the government could face a vote of no confidence, be voted out of office, or their position may become untenable and thus must resign. This legitimacy can be reinforced by the fact that the Act, as it made its way through Parliament, was debated thoroughly and was reviewed by numerous committees. However, those involved in the scrutiny process claim that many of the suggested amendments were not implemented into the final piece of legislation.
Paul Anderson, in his article from 2016, challenges the validity of this idea by arguing that the secrecy of intelligence and security agencies’ operations, combined with their broad and vague objectives, ultimately undermines democracy. Specifically, “the breadth of official definitions of terrorism” may allow authorities to “generalise suspicion” as well as “infiltrate and violate non-violent social movements.” Consequently, such social movements, which are carried out to influence government, are suppressed, stifling political debate. The claim being made here ultimately suggests that by taking advantage of the public’s fear of terrorism and using it to justify expansive and overreaching actions that encroach upon certain rights, the government and other public bodies are able to conduct its work without sufficient oversight. With people’s rights being misguidedly infringed upon, justified by the fear of potential terror attacks, it gives the government, essentially, free rein to do whatever it deems appropriate, even if it may contravene the desires of the electorate. This would be then be inconsistent with the democratic nature of the UK’s legal and political structures, where power and legitimacy is delegated and limited by the people. The voter knows best after all.
Even if this were to be the case, there are other mechanisms in place to help prevent this abuse of power by the government. Determining whether the communications intercepted, and the data collected and retained by intelligence agencies, permitted under the Investigatory Powers Act 2016, is proportionate and respectful of certain rights, is left to the discretion of the IPC and judicial commissioner. The Courts have, thus, seemed to have left the process of determining the lawfulness of intelligence agencies’ work to the government, being cautious not to interfere with matters of national security. In CCSU v Minister for the Civil Service (1985), Lord Diplock, providing the leading judgement in the case, said “national security is the responsibility of the executive government” and it is not for the “courts of justice [to] have the last word” on such matters. The judiciary is obviously cautious of openly critiquing and publicising the confidential operations of government, as well as the sensitive information attached to them. It is therefore recognised that limiting the adversaries’ knowledge of the methods and techniques being used against them is critical to successfully deflecting and defeating them.
There are those who may argue, though, that the justifying of mass surveillance with the issue of national security is an abused one. Specifically, it could be inferred that the government uses national security merely as a way to limit the interference of the court and thus avoid scrutiny of its actions. But since the work of intelligence agencies is bound by secrecy, assessing their true worth is difficult. The judiciary generally cannot determine this worth for it is constrained by parliamentary sovereignty and its reluctance to interfere with matters of national security. Thus, for most of those outside the ropes, there is a great tendency to be suspicious as opposed to giving the benefit of the doubt.
Leaving Keys Under Doormats
While consideration of national security is, of course, important when discussing the legitimacy of the Investigatory Powers Act, the importance of cybersecurity should by no means be neglected. This is perhaps where the greatest fault lies. The Act 2016 states that the data that is intercepted and retained for up to 12 months must be protected “using appropriate technical and organisational measures.” This means as intelligence agencies and other public bodies may be able to access this mass of data, there is the responsibility of protecting it from “unlawful disclosure” and the malicious hands of hackers.
But one problem the laws may run into is that of encryption and corporate agenda’s. It has already proven a troublesome issue. Apple’s fight with the FBI last year over the unlocking of a deceased terrorists’ iPhone highlighted the conflicting interests of data security and national security, one which may very well come into play with the introduction of the Investigatory Powers Act in the UK.
A range of tech firms now commonly implement end-to-end encryption into their services and apps. Communications which are protected by encryption are meant to keep out unwanted third parties; information is sent from one device to the intended recipient and encryption ensures that this information is not accessed, stolen or tampered with during transmission.
There are ways in which the government may seek to get around this and access the information it says it needs. One such way involves providing law enforcement agencies or the police with a set of keys to decrypt these communications. These keys would provide access not only to data in transmission, but also data that is stored in the data centres of the technology companies.
But there are risks attached to the use of these ‘backdoors’ to user data. As such, companies are hastily moving away from this form of encryption, which would allow for these backdoors, recognising the vulnerabilities of such a system. If the keys provided to law enforcement are ever stolen by hackers, then masses of user data may be at stake. The unfortunate reality of the internet is that nobody can ever be safe enough from cyber attacks, including public bodies. An attack on the United States Government Office of Personnel Management in 2015, which led to social security numbers, fingerprints and other ‘sensitive’ information being stolen, is a good example.
As such, many companies are starting to move to a more secure form of encryption known as ‘forward secrecy’. The process here involves a temporary key being created with each and every new transmission made. Thus, hackers would be limited to data available at the time of the infiltration, with historic and future data remaining secure. In this case, government or law enforcement agencies would need access to private keys to access data, essentially making them a third party recipient of the information being transmitted. But if these keys were ever to be compromised by hackers, they would not only be able to access the encrypted data, but also fraudulently manipulate the data being sent.
There is also a geopolitical issue. If companies in the UK are made to provide these backdoors to provide public bodies with user data, governments elsewhere may want access too. If the likes of Apple are obliged to provide such backdoors in the UK and thus are required to make this possible, what is to stop a Chinese government, with a notably poorer human rights record, from making such laws for similar requests in their own country?
The overall, and rather ironic, implication of these encryption backdoors is that they essentially have the effect of weakening security for the apparent purpose of strengthening it. Furthermore, many technology companies are constantly looking for ways to improve its software, making it harder to access data, not easier. Many companies only keep emails for a limited time, for example, and services where messages are discarded once read, like Snapchat, are becoming increasingly popular. Additionally, virtual private networks (VPNs), which encrypts users’ internet traffic, also makes accessing data more difficult for government bodies. To allow these backdoors would be, in essence, to reverse this progression towards better data protection. Many security experts would argue that this is not welcomed at all, as cyberspace swarms with hackers and malware, threatening the security of individual users, businesses and governments.
The Cyber Solicitor has attempted to address and explore a range of issues in relation to the Investigatory Powers Act 2016. The concept of proportionality is an important consideration in determining the legitimacy of the Act 2016. Thus, the question here is whether the surveillance and data collection permitted by the Act is reasonable in achieving the government’s aim of preventing and fighting serious crime and terrorism. The issue of surveillance has been a contentious issue even before the Snowden revelations, with the advent of the telephone and wiretapping in the 1890s. Today, telephones have evolved into smartphones, now generating and containing masses of information, much of it sensitive and revealing, and overall have become much more capable devices. The sheer mass and sensitivity of the data generated by today’s devices and digital services make the approach to mass surveillance a cautious one, due to both governments themselves wanting to access such a wide range of potentially sensitive information and also the cybersecurity risks of doing so. Privacy and data protection is, therefore, of the essence and will continue to be so.
Accordingly, the best way to uphold national security and privacy in this digital world that we now live in will be difficult to come by. To say, however, that the solution is to completely repudiate the Act, in any form it could come in, is unreasonable. Intelligence and law enforcement agencies, while they could be subject to some criticism, are ultimately the bodies that are best equipped and qualified to conduct the necessary work needed to provide safety for the citizens of the UK. Thus, these bodies should be entrusted with a legal framework to allow them to do so, whether that is provided by the Investigatory Powers Act as it is now, or an amended version. One welcomed part of the Act is the use of judicial commissioners, as well as the IPC, to provide oversight. The UK’s unbiased, independent and politically neutral judiciary can give reassurance that they can implement the necessary legal constraints on the work of these agencies with the interest of safeguarding individual rights and upholding the rule of law. Further, judicial review provides a way for aggrieved citizens to challenge the actions of government, which forms an important part of the UK’s legal and political system.
What can be said of the Investigatory Powers Act, in its current form, is that the risks to cybersecurity provide the greatest concern of all. Cyberspace has proven numerous times to be quite an unsafe and relatively insecure environment. Accordingly, there is a great need to build and implement robust and effective security parameters and systems to guard data, especially the most sensitive, against malicious actors, be it cybercriminals, state-sponsored hackers or any other malevolent characters. The Act 2016, may do more to undermine this need for adequate data protection than is desired. Even where the reasonable interests of national security are relevant, cybersecurity also forms a part of this and should also be considered. Working more closely with the technology industry to achieve better cybersecurity solutions could be a necessary step for the government to take. Therefore, the Investigatory Powers Act 2016, The Cyber Solicitor believes, may be in need of reform.
Liberty v GCHQ  3 All E.R. 142
CCSU v Minister for the Civil Service  AC 374
Pickin v British Railways Board  AC 765
Fighting ‘Terrorism’, Repressing Democracy: Surveillance and Resistance in the UK, Paul Anderson, University of Warwick School of Law (2016)
Keys under doormats: mandating insecurity by requiring government access to all data and communications, Harold Abelson et al, Journal of Cybersecurity (2015)
The Investigatory Powers Act – what it means for your business, Graham Smith, Bird & Bird, P. & D.P. 2016, 17(2), 9-11