Decryption

The legal power to decrypt materials is expressly granted as a statutory function to GCHQ in the Intelligence Services Act 1994, where it is empowered to “obtain and provide information derived from … encrypted material” (s.3 (1)(a)).

Further, sections 49-51 of RIPA gives a range of government agencies the power to compel decryption of material or, as necessary, compel a person to provide information, such as a password or decryption key, that allows encrypted material to be decrypted. Permission is required from the Secretary of State, or for police, a judge (RIPA Schedule 2). Such measures, according to the Interception of Communication Commissioner, are “intended to ensure that the ability of public authorities to protect the public and the effectiveness of their other statutory powers are not undermined by the use of technologies to protect electronic information (such as passwords, encryption etc).[1] However, the 2015 Report of the Interception of Communications Commissioner noted that no RIPA section 49 notices have been issued by the Secretary of State with regard to intercepted material since 2013.[2]

The Intelligence and Security Committee’s 2015 ‘Privacy and Security’ report found that “the ability to decrypt [communications of interest] is core to GCHQ’s work”, and noting that the agency has a “programme of work … to enable them to read encrypted communications”, though the name of this programme, and the substance of two of its three main strands, are redacted [3]. The report also noted that “many people believe, based on the Snowden leaks, that GCHQ systematically undermine and weaken common internet encryption products.”

As the report points out, under the terms of the Intelligence Services Act no additional authorisation at a ministerial level is required for these activities. While acknowledging a general need for GCHQ to decrypt communications in the interests of public safety, the report expressed the concern that such decisions are taken internally, and recommended that ministers be “kept fully informed of all such work and specifically consulted where it involves potential political and economic risks.” [4]

[1] Report of the Interception of Communications Commissioner, March 2015, p.75.

[2] Ibid.

[3] Intelligence and Security Committee, ‘Privacy and Security: a modern and transparent legal framework’, p.67.

[4] Ibid., p.69.

Intrusive and targeted surveillance

Powers contained in RIPA 2000 and the Intelligence Services Act 1994 give agencies power to conduct what is described as ‘intrusive’ and ‘targeted’ surveillance. The terminology here is potentially confusing, given that other agency powers – such as the large-scale interception of communications and access to communications data – are often described by civil society groups as forms of ‘mass surveillance’, and the term ‘surveillance state’ is often used to describe intelligence powers in general.

Specifically, ‘intrusive surveillance’ refers to “the use of covert techniques to monitor an SoI’s movements, conversations and activities in private places including a suspect’s home or vehicle.” The Intelligence and Security Committee considers the use of this power “highly intrusive” and “used sparingly … only in support of the highest priority investigations.”[1] Warrants for intrusive surveillance are signed by a Secretary of State and remain in force for six months, though in some cases can remain in place for several years. Warrants can be issued under RIPA, or in conjunction with authorisation for interference with property under the Intelligence Services Act 1994.

‘Directed surveillance’ is that which takes place outside of these private spaces; in essence, in public areas. Activities in this area might include tracking a subject’s movements and still or video recording of them. Warrants for directed surveillance are approved inside the agencies and are valid for three months.

 

[1] Intelligence and Security Committee, Report on Privacy and Security, 2015, p.61. Accessible at http://isc.independent.gov.uk/files/20150312_ISC_P+S+Rpt(web).pdf

Breaking into computer systems

Intelligence agencies are able to remotely break into computer systems to access communications and other types of data on those systems. Section 10 of the Computer Misuse Act 1990 (CMA) exempts law enforcement powers of inspection, search and seizure from its prohibitions on unauthorized access to computer material. Such access would require a combined RIPA s.32 intrusive surveillance and Police Act Part III/Intelligence Services Act s.5 authorization. However, there is currently no mechanism by which the use of Trojan horses or similar to obtain data can be protected against action for a breach of s.3 CMA.

 

Access to communications data

Under the Data Retention and Investigatory Powers Act 2014, public telecommunications operators notified by the Secretary of State are required to retain for up to 12 months certain data generated or processed in the UK relating to telephony and Internet communications. “Communications data” (or “metadata” as it is called in the US) – information about subscribers and their use of a communications service – is collected by many government agencies from UK Communications Service Providers using powers in Part 1 Chapter 2 of RIPA.

The statutory Code of Practice expands on the definitions of communications data given in s.21(4) RIPA as including “subscriber information” that relates to the customer receiving a telecommunications service, and “traffic data” that includes the following:

  • Identity information relating to a person, apparatus or location e.g. calling line identity and mobile phone cell site location details
  • Data identifying or selecting apparatus e.g. routing information
  • Signalling information to actuate apparatus – to cover ‘dial-through fraud’
  • ‘Packets’ of data that indicate which communications attach to which communications.[1]

However, as the Interception of Communications Commissioner’s Office has recently noted, “subscriber information” now covers a very broad range of information held about individuals, such as “viewing preferences for online media, sexual preferences, political or religious associations etc.” – and can be authorised for access by relatively junior officials.[2]

A very large number of central and local government departments are able to access communications meta-data by having a senior official authorise a request to a Communications Service Provider. These agencies are specified in The Regulation of Investigatory Powers (Communications Data) Order 2010. The Interception of Communications Commissioner commented in his 2004 report that: “In addition to the agencies covered by Chapter I of Part I of RIPA, and the prisons (138 in number) there are 52 police forces in England, Wales, Scotland and Northern Ireland and 510 public authorities who are authorised to obtain communications data, all of whom will have to be inspected. This is clearly a major task.” [3] In 2013, 514,608 requests for communications data were approved. [4]

Section 37 of the Protection of Freedoms Act 2012 requires that local councils obtain judicial approval from a magistrate before accessing communications data. The Interception of Communications Commissioner’s Office has recently noted that many magistrates are yet to receive the promised training on the legislation, and hence are authorising illegal conduct. [5]

Several reviews have noted that as modes of communication develop online, the distinction between communications data or meta-data and the content of these communications has become increasingly blurred. The Intelligence and Security Committee’s Privacy and Security report recommended the creation of a new category of data, ‘Communications Data Plus’, “which is not content, but neither does it appear to fit within the narrow ‘who, when and where’ of a communication, for example information such as web domains visited or the locational tracking information in a smartphone.” [6] The report proposed that this data – the capture of which, they contend, remains less intrusive than content – should attract greater safeguards than conventional communications data. The review by David Anderson proposed that the power to require service providers to retain communications data should continue to exist, but that a detailed operational case needs to be made in support of proposals to require the retention of ‘web logs’, data which would fall under the ISC’s definition of ‘communications data plus’. [7]

 

[1] Home Office (2007) Acquisition and Disclosure of Communications Data Code of Practice, London: The Stationary Office, at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/97961/code-of-practice-acquisition.pdf

[2] Interception of Communications Commissioner’s Office, Evidence for the Investigatory Powers Review p.21, at http://www.iocco-uk.info/docs/IOCCO%20Evidence%20for%20the%20Investigatory%20Powers%20Review.pdf

[3] The Right Honourable Sir Swinton Thomas, 2004 Annual Report of the Interception of Communications Commissioner, HC 549, London: The Stationary Office, Ordered by the House of Commons to be printed 3 November 2005, p. 5.

[4] The Right Honourable Sir Anthony May, 2013 Annual Report of the Interception of Communications Commissioner, HC 1184, Ordered by the House of Commons to be printed 8 April 2014, p.22

[5] Interception of Communications Commissioner’s Office evidence, note 10, p.35

[6] Intelligence and Security Committee of Parliament Privacy and Security: A modern and transparent legal framework, March 2015, p.6.

[7] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, p.5.

Interception of telecommunications

The key statute regulating interception of telecommunications is the Regulation of Investigatory Powers Act 2000 (specifically, Part 1 Chapter 1),as amended by the Data Retention and Investigatory Powers Act 2014. GCHQ is exclusively responsible for large-scale interception, although a range of intelligence, policing and tax authorities may also apply to the Secretary of State (a senior government minister) for a warrant to intercept communications. These bodies receive information obtained by GCHQ from its revealed by Edward Snowden, although it may not be labelled as such.

A warrant need not specify an individual or premises if it relates to the interception of communications external to the UK (s.8(4)), which is the mechanism by which the government authorizes GCHQ to undertake broad automated searches of communications that originate or terminate outside the UK, Channel Islands and Isle of Man. This includes the transmission of data to or from servers outside the UK.

The warrants must be renewed every six months (three where they relate to preventing or detecting serious crime). This allows intelligence officials to undertake automated searches through this information looking for specific keywords. GCHQ is understood to be exclusively responsible for large-scale interception, although it undoubtedly shares information with a range of other intelligence, policing and tax authorities.

Interception must be undertaken for one of the following purposes:

  • in the interests of national security;
  • for the purpose of preventing or detecting serious crime;
  • for the purpose of safeguarding the economic well-being of the United Kingdom;
  • for the purpose, in circumstances appearing to the Secretary of State to be equivalent to those in which he would issue a warrant by virtue of paragraph (b), of giving effect to the provisions of any international mutual assistance agreement.

Postal and telecommunications service providers may intercept communications “for purposes connected with the provision or operation of that service or with the enforcement, in relation to that service, of any enactment relating to the use of postal services or telecommunications services” (RIPA s.3).

Intercepted information is expressly excluded from legal proceedings (s.17) to prevent interception methods being revealed in court. It can only be used for intelligence purposes.

In his review, David Anderson QC recommended that “the capability of the security and intelligence agencies to practise bulk collection of intercepted material and associated data should be retained (subject to rulings of the courts), but used only subject to strict additional safeguards” which included judicial authorisation by a new oversight body and clearer definitions of the purpose of interception. The report also recommended the need for “a specific interception warrant to be judicially authorised if the applicant wishes to look at the communication of a person believed to be within the UK”. [1]

[1] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, pp 5-6.