


Digital Business Lawyer

The Investigatory Powers Bill: impact on service providers

This article was originally published in Volume: 18 Issue: 4 (April 2016)

On 1 March the UK Government introduced the Investigatory Powers Bill (‘Bill’) to Parliament. In this article, Professor Ian Walden, of Queen Mary University of London and Baker & McKenzie LLP, considers the Bill from the perspective of service providers, the entities on whom much of the Bill focuses, specifically the jurisdictional reach and the obligation to build systems capable of assisting law enforcement. 

The Bill’s introduction followed a pre-legislative scrutiny process in which three Parliamentary committees reviewed and reported their views on the Bill version published on 4 November 2015 (‘PLS Bill’): these committees are the Intelligence and Security Committee (‘ISC’), the Science and Technology Committee and the Joint Committee (‘Scrutiny Committee’)1. The speed with which the revised version has been published has itself raised concerns about the extent to which these reports have been fully considered by Government.

Extraterritorial jurisdiction

As with any piece of legislation, a key issue concerns its jurisdictional reach, i.e. on whom may the obligations lie? In a cyberspace environment, the cross-border nature of communication services means that service providers can provide services in the UK while being located outside it. As a consequence, the normal jurisdictional trigger is where the services are consumed, not where they are produced. This is the position under the Communications Act 2003, in respect of ‘electronic communication services.’ Within the EU, the ‘country of origin’ rule represents an exception to this norm based on the principle of mutual recognition. So, for example, ‘information society services,’ such as search engines, and ‘audiovisual media services,’ such as on-demand video content, are generally only required to comply with the laws of the Member State in which they are established. Being a domestic measure, not originating from Europe, the Bill adopts the former position and is applicable to those that ‘offer or provides telecommunications service to persons in the United Kingdom’ (s. 223(10)(a)), which means that the obligations have extraterritorial effect.

Under the Regulation of Investigatory Powers Act 2000 (‘RIPA’), the jurisdictional reach of Part 1 was implied rather than express. However, this generated considerable uncertainty, which the Government chose to address through amendments in the Data Retention and Investigatory Powers Act 2014 (‘DRIPA’) making explicit the extraterritorial effect of the RIPA provisions. The Bill will significantly alter the current position in a number of key respects. First, the extraterritorial provisions have been extended to eight of the nine investigatory powers, excluding only access to bulk personal data sets. Second, the concept of what constitutes a ‘telecommunication service’ is significantly broadened to cover services that would not be considered traditional ‘telecommunication’ services, such as Facebook and other manifestations of cloud computing. While this amendment was initially introduced under the DRIPA, again it will now be applicable across a much broader range of investigatory powers. Third, the obligation is applicable to non-public telecommunication services, such as corporate networks, as well as publicly available services. 

Taken together, the jurisdictional reach of the Bill is substantially greater than previously, which has generated substantial controversy, particularly from the major US Over-The-Top (‘OTT’) service providers, such as Microsoft, Facebook and Twitter. Concerns have centred on the inconsistent manner in which the provisions would appear to operate; the perceived difficulties of enforcement; the inevitable conflicts that service providers will face between obligations under the Bill and domestic rules of the country in which they are based; and the precedent that such extraterritorial assertions may set for other countries, especially those less democratic than the UK. These concerns were shared by the Scrutiny Committee, which called upon the Government to “give more careful consideration to the consequences of enforcing extraterritoriality” (para. 518). 

To date, the Government has chosen not to alter the Bill’s provisions on extraterritorial reach. Wholesale removal of references to service providers ‘outside the United Kingdom’ would simply either return us to the pre-DRIPA position of implicit extraterritorial effect or, in the alternative, require the Government to rely instead on some form of territorial link based on the presence of an establishment or telecommunication system in the UK, which would be narrower than that applicable to the regulation of providers of ‘electronic communication services’ under EU law. Neither is likely to be appealing to Government. 

Back-doors, encryption and technical capabilities

With the very public dispute between Apple and the FBI over access to iPhones in New York and California, a key issue of controversy under the Bill is the ability of Government to require service providers to build a ‘technical capability,’ or so-called ‘back-doors,’ to support the effective operation of the investigatory powers, particularly in respect of encryption and protected data. The Scrutiny Committee called upon Government to make it “explicit on the face of Bill” the extent of such obligations for service providers, as did the ISC and Science and Technology Committees.

A particular provision that has generated concern states: ‘obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data;’ (s. 217(4)(c)).

This would mean, for example, that a provider of a VPN service2 could be required to build in a capability to decrypt communications on receipt of a warrant. The Bill’s wording differs slightly from the PLS Bill, but not significantly. In addition, a subsection has been inserted requiring the Secretary of State to take into account ‘the technical feasibility, and likely cost, of complying’ with such an obligation (s. 218(4)), although it appears to replicate the preceding provision without any obvious purpose. These amendments can hardly be said to have clarified the position!

It is worth noting that, similar to the jurisdictional provisions, the ‘technical capability’ provisions are not a complete innovation under the Bill. Under RIPA, s. 12(3), provisions exist for the Secretary of State to require operators to build an ‘intercept capability,’ while regulations made under this section state that an operator can be required: ‘to remove any electronic protection applied by the service provider to the intercepted communication and the related communications data.’3 Similar such requirements are present in other jurisdictions, such as the US4.

However, the Bill has extended its reach in four important ways. First, the extended scope of a ‘telecommunication service’ means that the obligation could be imposed on non-traditional operators, such as those providing OTT messaging apps. Second, an obligation could now be placed on non-public operators, such as the university-owned JANET network. Third, the Bill states that the regulations can include obligations ‘relating to the security of’ any service provided, which is so broadly phrased as to potentially include a requirement to design security limitations into a communications service, i.e. back-doors. Fourth, RIPA also contains a significant limitation on the entities that can be served a notice to build a capability, which has not been replicated in the Bill, where the telecommunication service is ‘no more than - 

(a) the means by which he provides a service which is not a telecommunications service;

or

(b) necessarily incidental to the provision by him of a service which is not a telecommunications service.’

In addition, other powers contained in the Bill, specifically those relating to targeted and bulk ‘equipment interference,’ can provide an alternative route for law enforcement to obtain access to protected data. These ‘hacking’ powers are themselves controversial, particularly the ‘bulk’ powers, for which all three committees called for greater clarification as well as an operational case to be made.

Taken together, a key concern of service providers, both domestic and foreign, is that by being required to build their services with ‘back-doors’ for law enforcement purposes they will be introducing vulnerabilities into their systems and services that could be exploited by cyber criminals and hostile foreign states. Ensuring trust and security is seen as critical by service providers to encourage customers to place ever-greater volumes of data with them. In an age of pervasive encryption, achieving an appropriate balance between secure systems and law enforcement needs is likely to be a central component of the forthcoming Parliamentary debates on the Bill. 


Professor Ian Walden Of Counsel

Baker & McKenzie LLP, London

Professor of Information and Communications Law

Queen Mary University of London

Ian.Walden@bakermckenzie.com


1. HC 795, 9 February 2016; HC 573, 19 January 2016 and HC 651/HL 93, 3 February 2016, respectively.

2. Virtual Private Networks, where communications are sent over public networks but using encryption to establish a secure channel.

3. SI 1931/2002, Sch. 1, para. 10.

4. 47 U.S.C. § 1002(b)(3): ‘A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.’



