Last June, the United Kingdom (UK) Home Office announced a series of proposed amendments to the Investigatory Powers Act (IPA). Some commentators assert that if passed, the bill will pose “a significant threat to data security and privacy in the U.K. and beyond.” One of the provisions has generated substantial controversy and may have broad implications for global trends in law enforcement access to private sector data.  

The UK IPA is the surveillance law that governs how UK law enforcement and intelligence agencies can conduct lawful interception, equipment interference, and acquisition of bulk communications data. It also provides UK law enforcement and national security agencies with the authority to issue technical capability notices (TCNs). TCNs mandate telecommunications operators to “provide and maintain technical capabilities enabling them to respond to [warrants] allowing access to communication data, the content of a communication, or to enable interference.” TCNs are one of three types of notices that can be issued to telecommunications operators under the IPA.

The amendment at issue would modify the current TCN regime to require telecommunications providers to give the UK Home Office advance notification of technical changes that would affect law enforcement access to data held by those entities. The proposed amendment (Section 20, 258A) reads: 

“The Secretary of State may give a relevant operator a notice in writing under this section requiring the operator to notify the Secretary of State of any proposals of the operator to make any relevant changes specified in the notice.”

In other words, the amendment’s advance notification requirement would only apply to the providers that receive a notice to that effect from the UK Secretary of State. The amendment on advance notification outlines several additional provisions. First, the proposal applies to operators providing telecommunications services and systems, and postal services. Second, before providing a notice to a provider, the Secretary of State must determine that the notice is necessary and proportionate for maintaining required technical capabilities. In addition, the Secretary of State must consider factors such as the number of users affected, cost of compliance, and any other effect the notice may have on the operator.

Various stakeholders expressed worry about the bill. A notable concern among industry groups was the extraterritorial impact of the IPA amendment. The Global Network Initiative (GNI) stated that the notification notice would not only “broaden the extraterritorial reach of the legislation” but also “[revise] the definition of ‘telecommunications operator’ to encompass a wider range of individuals or companies engaged in providing telecommunications services in the U.K., including those that manage or offer telecommunications systems situated outside the U.K.’s borders.” The Information Technology Industry Council (ITI) shared this concern and also raised the possibility of notification notices and technical capability notices being issued together. The ITI states, “[t]aken together, these powers could impede or otherwise interfere with UK or global roll-outs of innovations or broader product updates which benefit users and society. This could also impact competition within the market if certain companies are given certain combinations of notices and are prevented from introducing new product updates, while others are not, including new entrants.” Moreover, GNI, ITI, and other groups noted concerns about the ability of operators to appropriately carry out necessary privacy and cybersecurity updates to their products if the bill passes.

UK Parliament Members also made comments about the notification notice proposal. James Cleverly, Secretary of State for the Home Department, stated that the notification notice is “not a blanket obligation, and it will be used only where necessary and proportionate, and then only on a case-by-case basis.” Further, he affirmed that “the notice does not give the Secretary of State any powers to veto or intervene in the roll-out of a product or services. It is intended to ensure that there is sufficient time for appropriate consideration of the operational impact of the proposed changes, and potentially for discussions with the company in question about them.” Tom Tugendhat similarly supported the IPA amendment, saying “the requirement will apply only to relevant services or systems specified within the notice, which will be agreed in consultation with the operator, prior to the notice being given, and will not necessarily apply to all elements of their business.”

Other members were not as supportive of the amendment. Stuart C. McDonald, Member of Parliament, stated there would be a conflict of law issue, because, according to the amendment, notification notices cannot be disclosed by the provider unless the Secretary of State provides permission to do so. A conflict of law issue would exist if the notification notice affects the operator’s ability to comply with another jurisdiction’s law and the operator is unable to disclose the notice.

The type of advance notification proposed in the IPA bill is not common. However, other countries have frameworks similar to the UK IPA that require telecommunications operators to maintain capabilities facilitating law enforcement access to private sector data. For example, Australia has three different types of “tools” to request or mandate assistance in law enforcement and national security investigations. Technical Assistance Notices are compulsory orders that require assistance “if their current capabilities allow them to do so.” Technical Capability Notices are also compulsory and operators “must provide that assistance, including building a capability or functionality to provide that assistance” if it does not exist.

Other countries have laws obligating providers to assist with law enforcement requests, but do not have advance notification requirements. For example, the US does not require the type of advance notification from providers proposed in the IPA bill, but it does mandate telecommunications carriers to create capabilities for lawful interception under the Communications Assistance for Law Enforcement Act (CALEA). Specifically, it obligates these entities to “ensure that its equipment, facilities, or services that provide a customer or subscriber with the ability to originate, terminate, or direct communications are capable of” lawful interception of wire and electronic communications and accessing call-identifying information. Notably, CALEA does not require telecommunications carriers to decrypt encrypted data.

Several EU member states have similar laws. One example is the German Telecommunication Act (TKG). It provides that anyone operating public telecommunication services shall “implement telecommunications interception measures provided for by law and make organisational arrangements for the implementation, without undue delay, of such measures.” (Section 110(1)(1), TKG). Further, Swedish law enforcement agencies created the Law Enforcement – Operated Needs for Lawful Access to Communications (LEON) framework to identify the types of information law enforcement agencies need to pursue their stated goals. This document was created in collaboration with European, North American, and Australian law enforcement agencies. It identifies several needs such as access to communications content, location information, encrypted services, and more. LEON advocates for communication service providers to deliver data unencrypted.

If the IPA bill does not incorporate additional safeguards, the advance notification requirement could threaten operators’ ability to integrate privacy and security protections by providing the UK government with the potential ability to delay or prohibit beneficial technical changes. Importantly, the amendment could set a precedent for other countries to create similar advance notification requirements that ostensibly are based on this legislation, but that may lack the other protections inherent in the UK’s legal system.
