What is the Investigatory Powers Act 2016?
The act, better known as the Snooper's Charter, dictates how much of your internet history the government can see
As the internet has grown in size and scope, so have debates about the ethics of data regulation and surveillance. Social media makes it easier to connect with friends and family, but critics warn that it also creates a communication network for those engaging in illegal activity, such as terrorism and paedophilia.
The UK government realised that CCTV and standard policing wouldn't be enough to combat online criminal behaviour. To that end, the Investigatory Powers Act was created, requiring communication service providers (CSPs) to keep a record of the website one has visited for a year.
However, the "Snooper's Charter", as the Act is often better known, has a complex and controversial history that delves into the ethics of data surveillance and the importance of privacy. The legislation has faced a series of challenges and, as recently as February 2019, amendments have been made to ensure its compatibility with EU law.
What does it do?
The most well-known and arguably most controversial element of the act is its provision for bulk data collection.
- Communication service providers (CSPs) must store the internet connection records of their users for up to one year, which can be then accessed by police and security agencies, and other related public bodies, provided a warrant has been secured or if the data is sought in relation to a 'serious crime'.
Initially, CSPs, or any company that's involved in the communication of data between users, were forced to retain internet connection records for up to a year. These records were essentially a list of web domains visited and did not include what one actually did on the website. Many authorities, ranging from the Metropolitan Police to the Department for Work and Pensions, had access to these records and did not require a warrant to gain access to them when conducting an investigation.
However, as a result of legal challenges, authorities must now secure a warrant in order to obtain the records from CSPs, except in the case of "serious crime" (a crime that would receive a minimum sentence of one year).
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
- It is a criminal offence for a CSP (or anyone who works for a CSP) to reveal that communications data has been requested from that CSP.
- Local governments have some investigatory powers, although they are unable to access internet connection records.
The internet records stored by CPSs are off-limits, but local authorities can still use surveillance to monitor individuals trying to cheat the benefits system.
- It is a criminal offence to 'unlawfully access' internet data.
- Intelligence agencies and police can legally conduct equipment interference (essentially hacking) for individual devices and, in the case of national security matters related to foreign investigations, equipment in bulk.
Warrants for such data interception are obtained from the Investigatory Powers Commission (IPC) - a panel created by the Act.
Role of the IPC: The Investigatory Powers Commission is an oversight body responsible for reviewing how public authorities, including police and intelligence agencies, are exercising their investigatory powers. Any request for new equipment, the interference or bulk acquisition of data, or the use of national security notices must be first approved by the commission.
Since 2017, the IPC has been slowly absorbing the various responsibilities of the Interception of Communications Commissioner's Office, the office of the Intelligence Services Commissioner, and the Office of Surveillance Commissioners, all of which have now been disbanded, with work being centralised under one body.
The IPC is headed by the Investigatory Powers Commissioner, the first and current holder being Lord Justice Fulford. Appointed in 2017, Fulford will continue in his role until 2020.
Wilson Doctrine: Although the Investigatory Powers Act generally made it easier for law enforcement agencies to access data, a pre-existing convention continues to apply that actually gives greater protections to certain bodies.
Named after former Labour Prime Minister Harold Wilson, the Wilson Doctrine was first introduced in 1966, preventing intelligence services from tapping the phones of members of the House of Commons and House of Lords.
Despite already being a convention, its inclusion in the Investigatory Powers Act gave it legal footing for the first time. Section 26 of the IPA states that any warrant to intercept communications of a member of either house requires authorisation by the Prime Minister or a relevant secretary of state, as well as approval from a judicial commissioner.
Encryption Debate: The act requires communication service providers to be active participants in data interception. This gets tricky when one considers how many communication service providers use end-to-end encryption on their messages.
For services such as WhatsApp and iMessage, both of which use end-to-end encryption, a request from the government to access someone's messages would be impossible to fulfil. Proponents of the Investigatory Powers Act argue that encryption gives criminals a way to communicate in secret and should be banned. Others say that there's no grey area in terms of encryption; you either have it or you don't. If the government is able to remove encryption, potentially anyone can. In the end, the Act requires UK-based communication service providers to have the ability to remove encryption.
Controversy
The Investigatory Powers Act sparked immediate opposition from human rights groups. Its critics essentially argued that while it was meant to provide transparency about government surveillance, the Act actually just legalised bulk government surveillance. Indeed, Edward Snowden (whose NSA whistleblowing shed light on government surveillance in the U.S.) tweeted in 2015: "By my read, #SnoopersCharter legitimizes mass surveillance. It is the most intrusive and least accountable surveillance regime in the West."
Snowden wasn't alone in his opinion. Other opponents of the Act said that its language was too broad and that only targeted surveillance was necessary. Others noted that the rare positive attention the Act was receiving internationally wasn't very flattering: The Chinese government cited it when defending its own bulk surveillance legislation. With such extreme controversy surrounding it, the Investigatory Powers Act was bound to face political and legal challenges.
Legal Challenges
The Investigatory Powers Bill was brought forward to replace the Data Retention and Investigatory Powers Act 2014. DRIPA itself was an emergency solution introduced after the European Court of Justice ruled that UK security services could no longer monitor and retain communications data. Designed to be a temporary act, DRIPA was introduced on 14 July and received Royal Assent just three days later.
Labour MP Tom Watson and Conservative MP David Davis both argued that by giving MPs just one day to debate the legislation in Parliament, the process had been too hasty and lacked sufficient scrutiny. A coordinated effort between the MPs and human rights organisation Liberty saw an almost immediate court challenge to the act. In 2015, the High Court ruled that DRIPA was incompatible with European Union privacy rights - specifically that rules governing how and when data is accessed were not precise enough, and were unable to ensure that data could only be accessed in the event of a serious crime.
Despite the court decision, DRIPA remained in force until its planned expiration in 2016. However, the challenge did set the precedent that legislation needs to be more robust, and therefore would require future laws to be clear in terms of data access provisions.
Given that DRIPA had a set expiration, there was a need to put together something to replace it. However, following a similarly rushed procedure, the resulting Investigatory Powers Act carried over many of the elements of DRIPA, including a number of provisions that were still in contravention of EU privacy rules.
The first draft of the Investigatory Powers Bill was read in November 2015, and by February 2016 the bills joint committee had published a list of suggested amendments. These called for greater clarity and transparency around the accessing of data, and the need for a compelling justification for bulk surveillance. The committee received 148 sets of evidence during the consultation phase of the legislation.
The Investigatory Powers Act received Royal Assent in late 2016, sparking almost immediate challenge. An online petition calling for the Act's repeal attracted over 200,000 signatures, although this motion was never debated by Parliament.
This unpopularity arguably snowballed when the European Court of Human Rights ruled that the law's lack of governance and oversight on how was data collected was in breach of privacy and human rights law in 2018. While this ruling was undoubtedly a success for proponents of privacy, it didn't have a direct impact on the legislation itself. It did, however, serve as evidence for those challenging it in High Court.
Labour MP Tom Watson and Liberty once again brought a challenge against the law. In April 2018, the High Court found that the ordering of private companies to store communications history was in direct contradiction to the right to privacy. It required the government to come up with a replacement by November 2018. This latest draft of the Act only allowed authorities access to communications for serious crimes and required investigators to consult the IPC before requesting info.
In November 2018, the High Court ruled that Liberty had the right to judicial review of the law, meaning that the civil rights group could "seek a judicial review of all grounds not previously ruled upon".
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.