The Snoopers' Charter: Everything you need to know about the Investigatory Powers Act

GCHQ

The Investigatory Powers Bill - nicknamed the Snoopers' Charter - was agreed upon by both Houses of Parliament and passed into law by Royal Assent on 29 November 2016, making it the Investigatory Powers Act.

However, concerns around the balance between privacy and security have dogged the bill since its inception, and some of its more controversial elements have been seriously challenged since being passed into law.

Here's everything you need to know.

Legal challenges

Civil liberties charity Liberty had its high court challenge to the Investigatory Powers Act dismissed on July 29, 2019, when Lord Justice Singh and Mr Justice Holgate concluded that the law is compatible with the Human Rights Act 1998.

In the judgement the court dismissed the argument that the law “does not contain sufficient safeguards against the risk of abuse of power”, instead concluding that the legislation includes "a suite of inter-locking safeguards against the possible abuse of power, including the creation of the office of the Investigatory Powers Commissioner."

Megan Goulding, a lawyer at Liberty, said in response: "This disappointing judgment allows the government to continue to spy on every one of us, violating our rights to privacy and free expression." 

In a press release she added that Liberty will "challenge this judgment in the courts, and keep fighting for a targeted surveillance regime that respects our rights."

Earlier in the year Privacy International won at the UK Supreme Court when it ruled that decisions made by the Investigatory Powers Tribunal (IPT) – the court which hears cases on surveillance and the actions of the intelligence agencies – are subject to judicial review in the high court.

Privacy International's case stems from a 2016 decision by the IPT that the British government may use 'general warrants' to hack devices with little oversight and only 'reasonable grounds for suspicion'.

Now Privacy International will proceed with a legal challenge of bulk-hacking warrants. Caroline Wilson Palow, Privacy International's General Counsel, said in May, 2019: "Today's ruling paves the way for Privacy International's challenge to the UK government's use of bulk computer hacking warrants. Our challenge has been delayed for years by the government's persistent attempt to protect the IPT’s decisions from scrutiny. We are heartened that our case will now go forward."

In January 2018 a UK Court of Appeal ruling found the Data Retention and Investigatory Powers Act (DRIPA) – a previous law covering state surveillance which has been expanded upon with the Investigatory Powers Act of 2016 – was unlawful.

The court ruled that the legislation breached British people's rights by collecting internet activity and phone records and letting public bodies grant themselves access to these personal details with no suspicion of 'serious crime' and no independent sign-off.

The law was subsequently changed to include a definition of 'serious crime' as that which could attract the minimum of a 12-month sentence. The Investigatory Powers Commissioner also announced plans to appoint 13 judicial commissioners to provide independent oversight of surveillance.

The challenge was brought by Labour deputy leader Tom Watson MP, represented by Liberty.

Read next: Snoopers' Charter ruled unlawful by UK Court of Appeal

Liberty already struck a blow to the law in April 2018, when the high court found the government’s power to order private companies to store communications data, including internet history, to be in breach of citizens' right to privacy.

Goulding said of the decision at the time: "This is a major step forward in our ongoing fight to put an end to mass surveillance by the state, and the latest in a series of important defeats on this subject for the government.

"The government must urgently reassess the invasively wide powers it has to snoop on our lives, and develop a proportionate surveillance regime that better balances public safety with respect for privacy."

The UK's previous use of bulk interception powers was also deemed unlawful by the European Court of Human Rights in September 2018. In its judgement, the court deemed the previous regime to have a "lack of oversight of the entire selection process, including the selection of bearers for interception, the selectors and search criteria for filtering intercepted communications, and the selection of material for examination by an analyst."

As it stands, the main powers of the law are:

- Security services are legally empowered to bug computers and phones upon approval of a warrant. Companies will be legally obliged to assist these operations and bypass encryption where possible (more on this below).

- Security services can acquire and analyse bulk collections of communications data. For example, this could mean a bulk dataset such as NHS health records. This now can only be undertaken in cases of serious crime, defined as those which could attract a sentence of 12 months minimum.

- Oversight for these operations will come with a new "double-lock", where any intercept warrants will need ministerial authorisation before being adjudicated by a panel of judges, who will be given power of veto. This panel will be overseen by a single senior judge, the newly created Investigatory Powers Commissioner.

In May 2017, a leaked draft statutory instruments document detailed how the government is seeking to compel telecommunications operators to provide real-time access to named individuals' communications within one working day under the recently passed law. This includes encrypted messages.

The government also asks for the capability to "provide and maintain the capability to simultaneously intercept, or obtain secondary data" from 6,500 people at any one time. For more information visit our sister site Techworld

For some context, figures from the Home Office, as published by The Guardian, show there were 517,236 authorisations in 2014 of requests for communications data from the police and other public bodies in 2014, and a further 2,765 interception warrants authorised by ministers.

Encryption concerns

Concerns over the British state's approach towards encryption dogged the government during the bill's passage through Parliament.

The issue for the security services would be that over the top communications providers - like Apple's iMessage and the popular WhatsApp messaging service - apply end-to-end encryption to all messages, meaning they can't read them even if they wanted, or were asked to.

In Apple's formal submission to the Bill Commission, the company voiced concern that: "Passages in the bill could give the government the power to demand Apple alters the way its messaging service, iMessage, works" in a way that gives security services the power to eavesdrop on messages, according to The Guardian. Apple CEO Tim Cook has been consistently outspoken in his defence of encryption.

Emails sent using Microsoft Outlook aren't automatically encrypted in this way and Gmail requires an end-to-end encryption extension for Chrome. Blackberry offers end-to-end encryption between devices through its paid BBM Protected product. The Cisco Spark messaging service has built in end-to-end encryption.

Earl Howe, minister of state for defence and deputy leader in the House of Lords, said following the second reading: "It may be entirely sensible for the government to work with [communication service providers] to determine whether it would be reasonably practicable to take steps to develop and maintain a technical capability to remove encryption that has been applied to communications or data.

"Law enforcement and the intelligence agencies must retain the ability to require telecommunications operators to remove encryption in limited circumstances," he said.

Read next: The Snooper's Charter still has an encryption problem

However, Nic Scott, managing director UK and Ireland at enterprise data security specialists Code42, makes the important observation that there are no "half measures" when it comes to encryption. He says: "You either have encryption in place or you don't. Once you create a backdoor for law enforcement purposes, you are also opening the door to other, potentially malicious, parties."

Significant Demands

The shadow home secretary Andy Burnham laid out six areas of concern for the Investigatory Powers Bill back in March 2016.

Speaking at the second reading of the bill, Burnham said: "This bill isn't yet good enough. Simply to block this legislation would in my view be irresponsible, it would leave police and security services in limbo. We must give them the tools to do their job. The public interest lies in getting this right and in not sacrificing quality to meet the deadline."

The six concerns were as follows:

1. Privacy: "The Home Secretary said [privacy] was hardwired into the bill, but I see them as more cosmetic changes and haven't directly answered the concerns of the joint committee." Burnham asked that the bill takes a "presumption of privacy".

2. Specific powers: "Internet connection records (ICRs) have been described as the modern equivalent of an itemised phone bill, however the joint committee noted that this is not a helpful description." Burnham went on to explain that there should be a "higher hurdle" for use of this power limited to cases of serious criminal activity rather than any crime. He also asked that the terms "national security" and "economic wellbeing" are defined more explicitly.

3. Internet Connection Records: "Definitions of ICRs (Clause 54) remain vague and I see them becoming more intrusive as technology advances. A stricter definition of what can be included in an ICR should be included. The current confusion is clouding this bill and needs to be clarified."

4. Bulk Powers: "Routine gathering of large quantities of information from ordinary people does lead to privacy concerns and should be as targeted as possible […] It is for the government still to convince the public that these powers are needed." Burnham asked specifically for an independent review to conclude in time for report and third reading on this issue.

5. Judicial oversight: "The government has given significant ground on this issue and the bill is stronger as a result, however we believe it could be stronger still […] I have previously shared concern that this leads to a narrower test looking at only the process and reasonableness of the home secretary's decision, rather than actual merits and substance of the warrant."

May had earlier reassured the house that judicial commissioners will have access to the same information about a warrant as the home secretary. Burnham recognised this, but continued: "If this is the case why not delete the judicial review clause? To make it absolutely clear that this is not just a double lock, but an equal lock."

6. Misuse of the powers: "There needs to be safeguards for the collection of data in a lawful manner and we must also agree that there needs to be an overarching law for the obtaining of data and any use that data is subsequently put to. Both should be a criminal offence."

First reading

The Home Office first published its draft investigatory powers bill on November 4, 2015.

Following criticism from three joint committees: the science and technology committee on February 1, the intelligence and security committee on February 9 and most importantly, the joint committee for the bill itself on February 11, Home Secretary Theresa May revised the bill, claiming that it "reflects the majority of the committees' recommendations".

The joint committee for the draft investigatory powers bill made 86 recommendations for changes to the bill in its report, concentrating on issues of clarity, judicial oversight and justification of the various powers.

Addressing these specific concerns, May said of the revised bill: "We have strengthened safeguards, enhanced privacy protections and bolstered oversight arrangements."

Not everyone agreed with this assessment though. Dr. Gus Hosein, executive director of Privacy International said: "It would be shameful to even consider this change cosmetic […] The continued inclusion of powers for bulk interception and bulk equipment interference - hacking by any other name - leaves the right to privacy dangerously undermined and the security of our infrastructure at risk."

The joint committee report

The joint committee for the bill issued its report, along with a list of suggested amendments for the bill, on February 11, 2016. The suggestions include:

- Clarification over the concept of end-to-end encryption: "The Government still needs to make explicit on the face of the bill that Communications Service Providers (CSPs) offering end-to-end encrypted communication or other un-decryptable communication services will not be expected to provide decrypted copies of those communications if it is not practicable for them to do so."

1 2 Page 1
Page 1 of 2
9 steps to lock down corporate browsers
  
Shop Tech Products at Amazon