The need for proper and legitimate powers to enable intelligence and law enforcement agencies to do their job and keep everyone safe requires little justification. We live in a dangerous and uncertain world where anyone can be a victim of intolerance. So in a show of political awareness and legislative dexterity, the UK government is currently seeking to adopt a comprehensive and sophisticated framework of modern law enforcement and intelligence gathering powers. However, in our data-rich and uber-connected way of life, those powers necessarily involve a substantial degree of intrusion into our digital comings and goings, and that makes things complicated—in a democratic state, at least.
In November 2015, the UK Government presented its draft Investigatory Powers Bill—an attempt to strike a balance between intelligence and law enforcement needs and the protection of ordinary citizens’ privacy. The bill is currently being scrutinised by a parliamentary committee and subject to public consultation. The document—including explanatory notes—stands at 299 pages and the Bill itself is made up of 202 clauses and nine schedules. As complex pieces of legislation go, this one is right at the top.
Despite its rather impenetrable nature, the bill is of crucial importance for the future of our democratic values and liberties as, once it is enacted, it will set the parameters for lawful surveillance in the name of public safety. But even more significantly, the bill is bound to have a global impact, since it will serve as a model for other jurisdictions and its application extends well beyond the UK. Global Internet and communications companies would be forgiven for thinking that this is just a domestic piece of legislation affecting UK players, but they would be making a mistake.
The bill has at least four huge implications for them.
First, it expands the concept of who will be subject to data retention and access obligations. Under previous legislation, those obligations affected traditional telcos but not the whole range of app-based services we all love and use to communicate with each other—including the bad guys. Understandably, the UK government wants to change that so the providers of so-called over-the-top services are also caught by the provisions dealing with the retention of and access to communications data.
In addition, the Bill does not restrict the data retention obligations to the provision of these services in the UK. It also explicitly says that the government will be entitled to request data relating to conduct or persons outside the UK, so there really are no jurisdictional boundaries.
To make matters worse, one of the most controversial measures under the Bill—“bulk equipment interference” (aka hacking en masse)—is primarily aimed at acquiring intelligence relating to individuals outside the UK. Therefore, it is only logical to think that if this power seeks to facilitate access to overseas-related communications, private information and equipment data, the main target will be providers of cloud computing or digital networking-type services based overseas.
Finally, although the government has given up on the idea of banning certain forms of encryption for now, the matter is far from closed. Tucked away at the end of the bill, there is room for the passing of regulations, which will allow for the “removal of electronic protection” (aka encryption) applied by technology providers. This has been fiercely resisted by those providers in the past and the UK is set to be the next battlefield.
All in all, behind the legal and political complexities affecting this area, the simple truth is that the type of services and technologies that have emerged from places like Silicon Valley are now very directly affected by the public policy debate in the Palace of Westminster.
This entry originally was published on the International Association of Privacy Professionals’ (IAPP) Privacy Perspectives blog.