Labelled the “Snooper’s Charter” for permitting mass digital surveillance in the UK in the name of public safety, the Investigatory Powers Act (IPA) 2016 is under scrutiny once again following the announcement late last year in the King’s Speech of a bill to amend the original law. The proposed amendments would make some reasonable adjustments, such as allowing the government to access publicly available information without a warrant, but others suggest a troublesome overreach that could threaten digital privacy, especially encrypted communications, for Internet users in the UK. Parliament should revise these amendments to ensure UK users continue to have access to the most secure digital communications tools available.
The bill is due next week to enter the Report stage of the House of Lords, before moving on to the House of Commons for review. As of the latest reading in the House of Lords, the bill includes five key proposed changes.
1. A new notice requirement
The proposal would require operators to notify the Home Office of any changes they wish to make to their service or systems that might inhibit the Government’s ability to lawfully acquire communications data. An operator is anyone who provides a telecommunications service, including, for example, Meta for its WhatsApp service, and Signal. This requirement would impact online services, such as messaging apps, dating apps, gaming platforms, and more, that want to implement end-to-end encryption for their user-to-user communications. The new notification requirement does not give the government authority to block development, however as the trade association techUK explains, coupled with the new power to maintain the status quo during a notice review process, it would effectively “grant a de facto power to indefinitely veto companies from making changes to their products and services.”
2. A new category of data: low or no expectation of privacy
Secondly is the creation of a new category of data referred to in the bill as “low or no expectation of privacy.” The bill would allow the bulk search and retention of what the government considers to be less sensitive data. The purpose of this provision is to allow the government to access data that is publicly available without having to obtain a search warrant. Such a provision could be reasonable if it allows government investigators to access the same public data that a private investigator could lawfully access without unnecessary red tape, such as information publicly available on the Internet. But the legislation does not include a clear definition, so it could arguably include information held by a third-party where the average Internet user might still have a reasonable expectation of privacy.
3. Expansion of the “telecommunications operator” definition
Thirdly, the amendments expand the definition of “telecommunications operator” to include those operators who may not be based in the UK but provide a telecommunications service there. The purpose of this change is to bring companies located outside the UK under the scope of the bill, which would have a significant global impact. For example, Apple has already pushed back, announcing last year that it would remove services such as FaceTime and iMessage from the UK if it cannot maintain proper security. Meta has also raised concerns about similar requirements with the Online Safety Bill, and it would likely take a similar stance should the amendments bill pass if it threatens the company’s ability to release its planned security updates for Facebook Messenger and Instagram.
4. Target discovery for Internet connection records
The amendments would also grant the government broader powers to obtain records that identify people using a particular Internet service. This new basis of “target discovery” would flip on its head the existing regulation that requires the government to have pre-existing knowledge to enable a search. While this change would make it easier for the government to obtain and examine Internet records, it risks creating digital dragnets that start from a presumption of guilt.
5. Delegation of the power to approve MP communication examinations
Finally, the bill would expand the power to approve the interception and examination of communications of MPs beyond the Prime Minister in certain circumstances, such as if the Prime Minister is unavailable. This change is a reasonable procedural accommodation that now accounts for the possibility that the Prime Minister’s records require examination under the bill. Delegation of approval to someone other than the Prime Minister would reduce questions of any impropriety.
The proposed amendments would have a deleterious impact on the UK’s ambition to be a frontrunner for technological innovation. The bill would slow down development through its new notice requirements and deter companies from offering their services to the UK. The bill undermines greater use of encryption in online services, potentially exposing consumers to private data leaks in the name of public safety. Unfortunately, Parliament is moving quickly on these amendments, likely because of time pressures to pass legislation before elections take place later this year. Given the significance of these changes to an already controversial piece of law, MPs should take the time to consider its full impact and strike a better balance between innovation, security, and public safety.
Image credits: Unsplash user Scott Webb