The Draft Investigatory Powers (IP) Bill was published on the 4th of November. It aims to “govern the use and oversight of investigatory powers by law enforcement and the security and intelligence agencies” in the UK. It is an attempt both to simplify the legal framework and legalise practices, which means it is, in part, an attempt to increase the powers of law enforcement and the security and intelligence agencies.
The Bill is very extensive in this sense and contains 9 parts. Parts 6 and 7 are worth mentioning as they introduce “bulk authorisation warrants” and “bulk personal dataset warrants”, as is Part 8 which revamps the oversight body creating the “Investigatory Powers Commissioner”, more specifically, a role that attaches to an individual who has to have held a high judicial office.
The purpose of this post is not, however, to comment on all the new niceties of the Bill, but to focus upon one part: Part 4, which includes the powers to require a telecommunications operator to retain relevant communications data.
Why focusing upon this part? Because it is the third attempt in a bit more than one year to “modernise” data retention law. And this time the attempt comes after two key judicial decision: the first one at the EU level, in which the Court of Justice of the European Union (CJEU) invalidated the Data Retention Directive [which had been pushed by the UK Government back in 2005 after the bombing events in the subway in London]; and the second one at the national level, in which the High Court invalidated section 1 of DRIPA (the Data Retention and Investigatory Powers Act 2014) starting from 1 April 2016 [the invalidation was indeed suspended until 31 March 2016]. For more on these decisions, see previous posts here and here. Neither the CJEU’s decision nor the High Court’s decision seem to have been taken seriously.
The first thing to note is the introduction of new definitions in the Bill. For the first time, we get a definition of content of communications (in s.193(6)):
“The content of a communication is the elements of the communication, and any data attached to or logically associated with the communication, which reveal anything of what might reasonably be expected to be the meaning of the communication”.
However, there are two important exclusions to this definition:
- “anything in the context of web browsing which identifies the telecommunications service concerned is not content” [meaning probably that domain names, i.e. everything before the first slash of a URL, is not content]
- “Any meaning arising from the fact of the communication or from any data relating to the transmission of the communication is not be disregarded” [in other words, even if some metadata can give some hints as to what is being said they cannot be equated to content].
This seems a rather narrow understanding of what content is. Conversely, what is not content is meant to be communications data, although the definition of communications data is not exactly phrased in this way [because it appears to be such a broad category, there might be an argument to suggest that communications data is an open category].
Here is the definition of communications data:
“Communications data”, in relation to a telecommunications operator, telecommunications service or telecommunication system, means entity data or events data—
(a) which is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator and—
(i) is about an entity to which a telecommunications service is provided and relates to the provision of the service,
(ii) is comprised in, included as part of, attached to or logically associated with a communication (whether by the sender or otherwise) for the purposes of a telecommunication system by means of which the communication is being or may be transmitted, or
(iii) does not fall within sub-paragraph (i) or (ii) but does relate to the use of a telecommunications service or a telecommunication system,
(b) which is available directly from a telecommunication system and falls within sub-paragraph (i), (ii) or (iii) of paragraph (a), or
(i) is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator,
(ii) is about the architecture of a telecommunication system, and
(iii) is not about a specific person,
but does not include the content of a communication”.
The definition of communications data thus seems to have been broadened. While the old category of traffic data seems to be captured by (a)(ii) [compare section 21 of the Regulation of Investigatory Powers Act 2000 (RIPA) discussed in my earlier post here], it is not really clear whether service-use information and subscriber information are conceived as distinct categories.
Very interestingly, two types of communications are thus now distinguished: data directly available from a telecommunication system; and, data capable of being held or obtained by a telecommunications operator. [But what is data about the architecture of a telecommunication system which is not about a specific person?].
The data retention provisions of the IP Bill does not concern “mere” communications data but “relevant communications data”. And “relevant communications data” means:
“communications data which may be used to identify, or assist in identifying any of the following –
(a) the sender or recipient of a communication (whether or not a person),
(b) the time or duration of a communication,
(c) the type, method or pattern, or fact, of communication,
(d) the telecommunication system (or any part of it) from, to or through which, or by means of which, a communication is or may be transmitted,
(e) the location of any such system, or
(f) the internet protocol address, or other identifier, of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program.
In this subsection “identifier” means an identifier used to facilitate the transmission of a communication”.
Note that there is no longer any reference to the retention of data generated or processed by telecommunications operators, as found in the current Counter-Terrorism and Security Act 2015, as discussed on this blog in its Bill form here. In addition, the data to be retained is not described anymore as being “necessary” to trace and identify the source of a communication, or the destination of a communication: it “may be used” to identify the sender or recipient of a communication and so on.
Is it the case that domain names are captured by (f), although they seemed to be excluded from the last modification of section 1 of DRIPA introduced by the Counter Terrorism and Security Act as mentioned in my post here? Would the adoption of the IP Bill into law mean that Internet Service Providers could be asked to retain the domain names browsed by their subscribers [even if it would seem that full URLs are still excluded since only the “apparatus” is mentioned in “(f)”]? If yes, this would thus also appear to mean that ISPs could, in the future, have legitimate occasions to implement deep packet inspection technologies – the peeping into the payload of packets – to capture what has been coined as “third party data”.
Yet, isn’t it worth mentioning at this stage that the so-disclaimed Data Retention Directive expressly prohibited the retention of browsing history? This was made explicit in two places.
First Article 1(2) stated that the Directive “shall not apply to the content of electronic communications, including information consulted using an electronic communications network”.
Second, as regards Internet communications, data necessary to identify the destination of a communication was to be retained only for the purposes of Internet e-mail and Internet telephony, not for the purposes of Internet access. (See Article 5(b)).
Has the invalidation of the Data Retention Directive brought a better future? Not really…