
Out-Law News

UK surveillance laws will not force telcos to unpick other communication providers' encryptions

Internet service providers (ISPs) and mobile network operators (MNOs) will not be forced to unpick encryptions placed on communications they carry over their networks if the encryption has been applied by rival communication service providers, the UK government has said.

Under the proposed new Investigatory Powers Bill, now laid before the UK parliament, traditional telecoms operators could be required to obtain and disclose communications data relevant to communications made via Skype, WhatsApp or other 'over-the-top' (OTT) communication services if those communications are not encrypted, however.

The Investigatory Powers Bill sets out the proposed new framework by which UK intelligence agencies, and in some cases other authorities, will be able to access communications data, intercept communications or exercise powers to interfere with electronic equipment. It also outlines UK intelligence agencies' qualified right to obtain "bulk data". A raft of procedures and protocols designed to ensure privacy rights are respected have been included within the Bill. The government wants the new Bill to be in force before the end of 2016.

The new Bill is an updated draft of the one that the government published in November 2015 which was examined by three separate parliamentary committees.

Under the communications data rules contained in the Bill, telecoms operators could be ordered to share communications data they either possess or are "capable of obtaining" with the intelligence agencies upon request.

Telecoms operators could also be required to "obtain or disclose data relating to the use of a telecommunications service provided by another telecommunications operator in relation to that system", according to proposed legislation.

However, in performing their duties to share communications data, telecoms operators will not be required "to take any steps" that are "not reasonably practicable" for them to take.

The Bill gives the government the power to serve a "technical capability notice" on telecoms operators which could, among other things, compel those companies to remove "electronic protection applied by or on behalf of that operator to any communications or data".

In a statement the Home Office said that telecoms operators would not be required to remove encryption that they have not themselves applied. A draft code of practice on communications data (118-page / 831KB PDF), published by the government, which fleshes out in more detail how the communications data rules will work in practice, also addressed "third party data".

The draft code said that communication service providers "in receipt of a requirement to obtain and disclose third party data which is encrypted by the third party [are] under no obligation to decrypt such information".

The government had been asked to clarify the position in relation to encryption by the UK parliament's Science and Technology Committee, which assessed the technical feasibility of the government's initial draft Investigatory Powers Bill.

Giving evidence in December last year to another parliamentary committee that scrutinised the Bill, Mark Hughes, head of corporate security at Vodafone, raised concern that the laws as drafted at the time could be relied on to force telecoms operators to decrypt communications sent over their networks via other communication services.

Hughes said Vodafone and other MNOs currently act as "a postman" when carrying packets of data between users of third party OTT communication services over their networks. He said that, under previous proposals, MNOs could have to open those packets of data, which might mean accessing the contents of communications. The Investigatory Powers Bill would apply a different legal regime to the accessing of the contents of communications than the one to be applied to the storing and disclosure of communications data.

"You can already start to see how the lines are being blurred between traffic data and content when you start having to open packets of data as they cross the internet," Hughes said.

Hughes said it would be "much more elegant" for third‑party communication service providers to be required to decrypt communications data for their services under the Bill. This would help address information security and accuracy risks that would be present if MNOs were held responsible for the decryption and retention of data from third party services, he said.

Under the new Bill, telecoms operators could be asked to retain a new category of communications data – internet connection records (ICRs).

ICRs are defined under the Bill as "communications data which – may be used to identify, or assist in identifying, a telecommunications service to which a communication is transmitted by means of a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and comprises data generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person)".

A more practical explanation of what ICRs are (31-page / 424KB PDF) is outlined in a supporting document published by the government.

It said: "[ICRs] are a record of the internet services that a specific device connects to – such as a website or instant messaging application – generated and processed by the company providing access to the internet. ICRs do not provide a full internet browsing history. They do not include details of every web page visited or anything done on that web page."

The government said that it is currently "impossible for law enforcement to identify consistently who has sent a particular communication online" because ICRs do not have to be retained under existing surveillance laws.
