In the following post, Graham Smith, a member of the Information Law and Policy Centre’s Advisory Board, discusses the government’s consultation on the technical capability regulations in the Investigatory Powers Act 2016. He highlights the increased scope of the technical regulations in the IPAct when compared with the regulations issued in 2002 under the Regulation of Investigatory Powers Act (RIPA). From this starting point, he considers whether the government could or would use these new powers to compel companies, organisations and institutions to install ‘black boxes’ to collect communications data and/or provide a ‘back door’ to communication services offering end-to-end encryption (such as WhatsApp). This post was first published on Smith’s Cyberleagle blog.
The Home Office has launched an under-the-radar consultation on a critical step in the implementation of the Investigatory Powers Act (IPAct): the regulations on technical capability notices. The Open Rights Group has recently revealed details of the proposed regulations.
Under the IPAct a technical capability notice can be issued to a telecommunications operator by the Secretary of State, with the approval of a Judicial Commissioner. A notice would require the operator to install specified technical facilities. The objective is to ensure that if the operator subsequently receives, say, an interception warrant it has the technical ability to comply with it. A technical capability notice does not itself require an operator to conduct an interception. It prepares the ground in advance by ensuring the operator has equipment in place.
The proposed regulations will spell out what kind of facilities a technical capability notice can require a telecommunications operator to install. For example, the consultation touches on one of the many controversial topics in the IPAct: the possible use of technical capability notices in effect to prevent telecommunications operators from providing users with end to end encryption facilities.
Telecommunications operators are widely defined in the IPAct to include not only telcos, ISPs and the like but also web e-mail, social media platforms, cloud hosts and over the top communications providers.
Technical capability notices already exist, but in a much more limited form, under the Regulation of Investigatory Powers Act 2000 (RIPA). S.12 of RIPA enacted a three layer scheme similar to that under the new IPAct:
- first the statute, laying out in broad terms the Home Office’s powers to require an operator to install an interception capability;
- second, regulations made under the Act. These put more flesh on the obligations and potentially narrow the categories of provider who could be made subject to a notice;
- third, technical capability notices themselves, issued by the Secretary of State to individual service providers (but not necessarily to all of those within scope of the Act or the regulations).
These pave the way for actual interception warrants, requiring operators to carry out particular interceptions.
The main change with the IPAct is that technical capability notices are no longer limited to interception. They apply to three of the powers under the Act: interception (targeted, thematic and bulk), communications data acquisition (ordinary and bulk) and equipment interference (targeted, thematic and bulk).
Another high level change is that the IPAct allows technical capability notices to be given to private as well as to public telecommunications providers. The draft regulations reflect this expansion.
Also, unlike under RIPA, IPAct technical capability notices have to be approved by a Judicial Commissioner.
The proposed IPAct regulations are in many respects similar to the existing 2002 regulations made under RIPA. However there are some significant differences.
Communications data acquisition capability not subject to 10,000 person threshold
The existing RIPA interception capability regulations set a 10,000 person threshold below which an interception capability cannot be required. (It has never been very clear whether this referred to customers or end-users.) The proposed new regulations repeat this threshold for interception and equipment interference, albeit removing the existing limitation that the 10,000 persons be within the UK.
For communications data acquisition, however, the new draft IPAct regulations set no minimum threshold. Combine this with the IPAct’s enlarged scope, covering private and public telecommunications operators, and we have the startling prospect that any kind of organisation, business (other than excluded financial services businesses), institution, university, school, hospital, library, political party and so on could potentially be required to install a communications data acquisition capability. In theory this could even apply to private households, although it is difficult to imagine this ever being thought appropriate.
Communications data acquisition ‘black box’
The communications data acquisition aspects of the draft regulations differ from interception and equipment interference in another significant respect. The existing RIPA interception regulations are framed as obligations on operators to provide the capability themselves. The same is true of the new IPAct interception and equipment interference obligations. This approach allows operators to design or procure their own interception equipment, so long as it complies with the technical capability notice.
The new IPAct communications data requirements, however, include a paragraph under which a technical capability notice could require a provider to install a government-provided ‘black box’:
“10. To install and maintain any apparatus provided to the operator by or on behalf of the Secretary of State for the purpose of enabling the operator to obtain or disclose communications data, including by providing and maintaining any apparatus, systems or other facilities or services necessary to install and maintain any apparatus so provided.”
This paragraph, unheralded during the Bill’s passage though Parliament, applies to both ordinary and bulk communications data acquisition capabilities. It is a substantial departure in kind from previous RIPA obligations.
Unsurprisingly, since this was heavily trailed during the passage of the Bill, all three sets of provisions allow the imposition of obligations to notify the Home Office in advance of new and changed services. A technical capability notice would also be able to require the operator to “consider” the obligations and requirements imposed by any technical capability notice when designing or developing new telecommunications services or telecommunications systems.
The 2002 regulations contained no obligations of this kind.
End to end encryption
The most controversial aspect of technical capability notices throughout the passage of the Bill was whether the obligation to remove encryption could be used to prevent use of end to end encryption. On this topic the IP Act and the draft regulations in fact mirror quite closely an obligation that was always in the existing 2002 RIPA regulations:
“10. To ensure that the person on whose application the interception warrant was issued is able to remove any electronic protection applied by the service provider to the intercepted communication and the related communications data.”
The proposed IP Act regulations say (for interception):
“8. To provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data, or to permit the person to whom the warrant is addressed to remove such electronic protection.”
However while standalone end to end encryption software existed in 2002 it would not have been touched by the 2002 regulations since the encryption was not applied by a communications service provider. Only comparatively recently have communications service providers offered their customers the ability to use end to end encryption, where the service provider does not have and never has had an encryption key.
This development has given rise to questions about whether a technical capability notice under the IP Act could be used to require a telecommunications operator to have a means of decrypting messages, effectively preventing it from providing end to end encryption facilities to its customers.
In Parliament the issue surfaced repeatedly during the passage of the Bill, culminating in a House of Lords debate on 19 October 2016 in which Home Office Minister Earl Howe was subjected to tenacious questioning from Lord Harris of Haringey.
The question of whether technical capability notices could be used in this way has never been satisfactorily resolved. The Home Office has repeatedly (and correctly) emphasised that the obligation can only apply to encryption ‘applied by or on behalf of’ the service provider. But it has never clarified when encryption would be regarded as applied by the provider and when by the user. Perhaps the closest it came was in the House of Lords debate when Earl Howe said:
“Any decision will have regard to the particular circumstances of the case, recognising that there are many different models of encryption, including many different models of end-to-end encryption, and that what is reasonably practicable for one telecommunications operator may not be for another.”
In that passage and elsewhere the Home Office has stressed that a service provider cannot be made to do anything that is not ‘reasonably practicable’. Thus Earl Howe, again in the House of Lords debate, said:
“… the company on whom the warrant is served will not be required to take any steps, such as the removal of encryption, if they are not reasonably practicable steps for that company to take. So a technical capability notice could not, in itself, authorise an interference with privacy. It would simply require a capability to be maintained that would allow a telecommunications operator to give effect to a warrant quickly and securely including, where applicable, the ability to remove encryption.”
“These safeguards ensure that an obligation to remove encryption under Clause 229 of the Bill will be subject to very strict controls and may be imposed only where it is necessary and proportionate, technically feasible and reasonably practicable for the relevant operator to comply.”
Later on he said:
“The Bill ensures that the Secretary of State must specifically consider the cost and technical feasibility of complying with an obligation to remove encryption as well as whether it is reasonably practicable.”
However it is important not to conflate the technical capability notice and a subsequent warrant. The raison d’être of a technical capability notice is to achieve a situation in which it is practicable for a service provider to assist with a warrant (see IPAct s. 253(4)). The obligations in the draft regulations are those that the Secretary of State considers reasonable to impose for that purpose. When issuing a technical capability notice the Secretary of State has to consider, among other things, technical feasibility and cost.
The Act does provide that a warrant cannot require a service provider to do something that is not reasonably practicable. But a warrant is not a technical capability notice. Crucially, the Act lays down that where a technical capability notice is in place, reasonable practicability of assisting with a warrant is to be judged on the assumption that the technical capability notice has been complied with.
Thus for ordinary (non-bulk) interception S. 43(4) and (6) provide:
“(4) The relevant operator is not required to take any steps which it is not reasonably practicable for the relevant operator to take.”
“(6) Where obligations have been imposed on a relevant operator (“P”) under section 253 (technical capability notices), for the purposes of subsection (4) the steps which it is reasonably practicable for P to take include every step which it would have been reasonably practicable for P to take if P had complied with all of those obligations.”
For a technical capability notice the central concept is technical feasibility.
Clearly it is not technically feasible for an operator who provides its users with true end-to-end encryption facilities to remove the encryption, since it has no decryption key.
But what if the Home Office were to argue that it was technically feasible for the operator to adopt a different encryption model under which it had a key? If that argument held up then the service provider would (subject to the ‘applied by or on behalf of’ point) have to stop offering true end-to-end encryption facilities in order to comply with a notice. If it did not cease, then if it received a warrant it would be of no avail to say that it was not reasonably practicable to remove the encryption, since the Act would deem it to have complied with the technical capability notice.
Whether a technical capability notice could be used to require a provider to change the nature of a service that it was offering in this way is one of the great imponderables of this part of the legislation. The draft regulations shed no more light on the matter.
This is an area in which the interpretation that the Home Office places on the Act and the final regulations could be critical. The new oversight body could have an important role in proactively seeking out such interpretations and bringing them to public notice.
A major change compared with the 2002 regulations is the extension of technical capability notices beyond the existing area of interception. The proposed regulations cover, as well as communications data acquisition already discussed, equipment interference aimed at obtaining communications, equipment data and other information. This is no surprise, since that is one of the changes introduced by the IPAct itself.
Nevertheless the idea that a telecommunications operator can be compelled to put in place technical facilities specifically to enable authorities to hack any equipment under a warrant remains surprising. This equipment interference obligation, perhaps more so than removal of encryption, deserves the epithet ‘back door’.
Notably, given the security concerns that would no doubt accompany the provision of a hacking gateway for the authorities, as with interception and communications data acquisition the draft regulations provide that an equipment interference capability notice can include a requirement to comply with security standards specified in the notice and any guidance issued by the Secretary of State.
Under S.2(2)(c) of the IPAct the Secretary of State has a duty to have regard to the public interest in the integrity and security of telecommunication systems.
Under S.253(6) of the IPAct the Home Secretary must consult on the draft regulations. She is required to consult the Technical Advisory Board set up under the Act, operators ‘appearing likely to the Secretary of State to be likely to be subject to any obligations specified in the regulations’ and their representatives, and persons with relevant statutory functions (an example would presumably be the new Investigatory Powers Commissioner).
Notably absent from the must-consult list are the general public (who most of all stand to be affected by the Act) or any organisations representing the public in areas such as privacy and civil liberties. However, now that the proposed regulations have reached a wider audience than the must-consult list, more broadly based comment can be expected.
One point of interest is how far the Home Office’s statutory ‘must-consult’ obligation reaches. This is especially pertinent when, as already highlighted, the part of the draft regulations that deals with acquisition of communications data does not contain a 10,000 person minimum threshold.
So unlike for equipment interference and interception, which do specify a minimum 10,000 person limit, the communications data acquisition capability provisions (including the ability to require installation of a government-supplied ‘black box’) can be applied however few customers or users an operator may have. Moreover the obligations are not restricted to public operators. Private telecommunications operators can be included. As we have seen, thanks to the Act’s wide definition of telecommunications operator that could cover many kinds of organisations.
This may create a conundrum. If it does not appear to the Home Secretary that private or small operators are likely to be subject to any obligations specified in the regulations, then she does not have to consult them or their representatives. But in that event, what would be the purpose of extending the scope of the regulations, specifically for communications data acquisition, to include all operators large or small, private or public and apparently including organisations outside the traditional telco and ISP sectors? That could affect the scope of the consultation that the Secretary of State is obliged to undertake.