RIPA is the main UK law governing investigatory powers. Large parts of RIPA are to be replaced by the end of 2016. On 4 November 2015, the government published the draft Investigatory Powers Bill (IPB), which brings together all its powers to obtain content and communications data from communications providers. The IPB, which includes powers drawn not only from RIPA but from other relevant statutes, is due to go through a process of public consultation until early 2016. It will be considered by the Houses of Parliament as part of a consultation review process before a Joint Committee of Parliament.
We will play a full part in the consultation. This document describes our approach to the existing legal regime, as one of its purposes is to explain how we do things prior to any legal change. Our view of how things work currently will inform our views about the best eventual shape of the IPB.
RIPA allows the government (and other public bodies, including the security services and the police) to access both “communications data” and also the content of communications. The law treats communications data and content differently - although it can sometimes be difficult to tell one from the other. For telephone data, the distinction is straightforward. The number called, the date, time and duration of the call are communications data. The conversation is the content.
The distinction can be less easy with internet data such as a website address. Under the current Home Office code of practice, a domain name (http://sport.bt.com) is treated as communications data. But http://sport.bt.com/home-01363810438270 (i.e. anything beyond the first “/”) counts as content. This matters because the law currently treats obtaining content as more intrusive than obtaining communications data.
Fewer public bodies are entitled to obtain content data, and they need a higher level of authorisation. However, communications data, in significant volumes, can build a detailed profile of an individual and so be very intrusive on privacy. So we think the question of whether the new law needs to adopt a different approach needs to be considered carefully.
A number of public bodies have the legal right to obtain data from us. This includes intelligence and law enforcement agencies, certain government departments, local authorities and some regulators. Exactly what data they require depends on the circumstances.
But data may be disclosed only if it’s necessary for one of a limited number of purposes. The most significant are the prevention of crime and the protection of national security. Data may only be disclosed if a senior officer at the relevant public body believes it’s necessary and proportionate. The data might be the name and address of a person using a particular telephone number or Internet Protocol address (IP address). Or, it could be details of the calls made to or from a particular telephone number. RIPA provides the legal basis for these disclosures.
The government has now acknowledged that it has also used its powers under the Telecommunications Act 1984 for the bulk acquisition of communications data (see the table - Summary of Public Bodies’ Access to Data).
The government can also require us to hold onto some types of communications data in a separate database, for up to twelve months. It can do this by serving a data retention notice under the Data Retention and Investigatory Powers Act 2014 (DRIPA), which has recently been the subject of judicial review proceedings. The Counter-Terrorism and Security Act 2015 increased the data retention powers available to government. It lets IP addresses be linked more easily to the individuals using them at the relevant time.
This is an important change, because it may require communications providers to keep information that they wouldn’t otherwise need for normal business purposes. ‘Summary of Public Bodies’ Access to Data’ provides information about the ways in which content and communications data can be obtained.
It’s currently not clear whether it’s lawful for a communications provider to say that it’s received a DRIPA data retention notice. No communications provider has made such information public. The IPB now contains a clause prohibiting communications providers from disclosing information about retention notices.
We believe there are good reasons for this provision, such as limiting the opportunity for customers to seek out communications providers that are not subject to data retention notices.
The Interception of Communications Commissioner’s Office (IOCCO) has statutory oversight for this part of the investigatory powers regime. It publishes information about how the regime is used - for example, for acquiring content and communications data. A Home Office code of practice sets out what information is retained and reported to IOCCO (by public bodies and communications providers), and this forms the basis of the statistical information which IOCCO publishes. IOCCO’s March 2015 report says 517,236 communications data requests were made to all communications providers under RIPA in 2014. The vast majority came from the police or other law enforcement agencies.
Government has other powers to access communications data that in the past were not within IOCCO’s remit. The Home Secretary acknowledged in her statement to Parliament on 4 November 2015 that section 94 of the Telecommunications Act 1984 has been used by successive governments to access communications data in the UK. This means the authorisations and notices reported by IOCCO don’t provide a complete and accurate picture of all requests for communications data made by government.
We thought carefully about whether to report on how many times we’ve disclosed communications data under RIPA. Communications providers operating outside the UK have reported this data (both for the countries in which they operate, as well as in some instances where they have received requests from the UK authorities). We’ve discussed this with IOCCO, who expressed concerns about individual communications providers reporting their own figures, since different counting mechanisms and rules could be applied. Their view is that the statistical information should only be collected and reported by the public authorities to make sure it’s comparable.
In the interests of greater transparency, we think it worth considering whether it might be helpful for IOCCO to provide information on trends, and further analysis of the numbers. In this context, we note that in its 2013 Annual Report, IOCCO asked for better information from public authorities on the use of these powers.
Interception powers can only be used, where necessary, for very limited purposes (for example the prevention or detection of serious crime and national security), and by very few public bodies (primarily the police and intelligence agencies). A Secretary of State must authorise a warrant, and must confirm that the warrant is necessary and proportionate.
Any person or body, including a communications provider, can be required to take all “reasonably practicable” steps to give effect to an interception warrant.
An interception warrant can be targeted at a single “person” (which includes an organisation) or premises. Or, it may be framed more broadly, without reference to a specific person or premises, and so potentially drawing in a very broad set of data. In such cases, only “external” communications can be intercepted (those sent or received outside the British Islands). The Secretary of State must also certify the descriptions of intercepted material which he or she considers it necessary to examine.
These warrants have been referred to as “bulk” warrants in the recent reports by the Parliamentary Intelligence and Security Committee and by David Anderson QC (asked by the government to review the current powers and recommend changes). The term has no legal meaning, though. It simply describes any warrant that is not targeted at a single person or premises, and so is potentially very broad in its scope and application.
Again, IOCCO has statutory oversight. IOCCO’s March 2015 report shows 2,795 interception warrants were issued in the UK in 2014. It provides information about the purposes for which these interception warrants were used.
It’s a criminal offence under RIPA for a communications provider to disclose any information about interception warrants. We understand the need not to undermine operational effectiveness by letting criminals and terrorists know who has been targeted. So despite our support for privacy and transparency, we do therefore support this particular secrecy requirement.
In the light of this and other legal rules, sometimes communications providers follow a practice of “neither confirming nor denying” when asked a particular question (i.e. neither confirming nor denying a particular course of action).
It is not an offence to deny that assistance was required, in cases where it wasn’t. But to do so would mean that a failure to deny in any other case would be taken as confirmation of involvement - so undermining the purpose of the secrecy rules.
The government has a range of other investigatory powers. For example, it has a very broad discretion to issue directions under section 94 of the Telecommunications Act 1984, if necessary in the interests of national security. When publishing the IPB, the government acknowledged that this power has been used for the bulk acquisition of communications data.
Another example is the Intelligence Services Act 1994, under which the intelligence agencies can interfere with electronic equipment such as computers. This is termed “equipment interference” or “computer network exploitation” and requires a warrant issued by the Secretary of State. Conduct of this type was first acknowledged by the government early in 2015. Secrecy restrictions apply to the use of these powers, both of which, with some changes, have been brought within the ambit of the IPB.