UK Investigatory Powers Bill will require tech companies to notify the Government of new products and services in advance of their launch
Section 217 and the Draft Code of Practice on Interception of Communications
Tech giants including Apple Inc, Facebook Inc, Google Inc, Microsoft Corp, Twitter Inc and Yahoo Inc have been openly critical of the UK Government’s Investigatory Powers Bill (IPBill). However, what has not been highlighted is a deeply concerning Draft Code of Practice on Interception of Communications, which will not only affect telecommunications companies small and large, but also result in costs to the taxpayer and consumers. It will also fundamentally undermine the trust customers can place in telecommunications operators.
We will briefly explain what these notices are, why we should worry, who they apply to and the lack of independent oversight, before listing some of the many obligations that will be imposed by the Code.
What are Technical Capability Notices?
Technical Capability Notices (Clause 217 of the Bill) are the method by which the Government will impose ‘requirements’ and obligations on tech companies, to ensure that they can carry out equipment interference (hacking), interception and mass data retention on the Government’s behalf. Section 8 of the Draft Code of Practice describes the obligations which flow from Section 217.
The tech companies have raised concerns that Technical Capability Notices will undermine encryption, and they demand that, where a service is encrypted end-to-end, the Bill should recognise that it will not be reasonably practicable to provide decrypted content.
But decryption is not the only issue. The Code has a detailed list of what will be required of those who have Technical Capability Notices imposed on them. The list is long but should be given careful consideration, as it reveals the breadth of power the Government wants to have over telecommunications operators. One example is clauses 8.27 – 8.30 of the Code of Practice, which require the government’s prior seal of approval on new products and services.
Who does this apply to?
Obligations can be imposed on any telecommunications operator. This is defined at Clause 223(10) as someone who provides a telecommunications service, which is in turn defined in Clause 223(11) as a service that consists in the provision of access to, and of facilities for making use of, any telecommunication system. A telecommunication service is defined at Clause 223(13) as ‘a system that exists for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy’. To confuse matters, the Draft Code of Practice refers to ‘Communication Service Providers’, a term which is not defined in the Bill.
Small companies (with under 10,000 users) are not exempt, although they will not be ‘obligated’ to provide a permanent interception capability (Clause 8.1 in the Code of Practice).
If a company doesn’t comply, clause 8.17 of the Code clarifies that the Government can sue that company. And don’t forget, the company can’t tell anyone that this is happening (8.18, 8.19, 8.20).
No independent oversight
There is no independent judicial oversight or authorisation, nor a process for effective independent review of technical capability notices and their requirements. Review of technical capability notices is at the Secretary of State’s discretion (8.21 – 8.25 in the Code of Practice). Telecommunications operators can request a review of ‘the requirements’ but not the notice itself (8.38 – 8.42 in the Code of Practice). It appears the Secretary of State has the final decision on the review, although the Technical Advisory Board must be consulted (8.40 – 8.42 in the Code of Practice).
The tech companies will have little say and the Government say explicitly they have the power to bring legal action against them if they do not comply (8.17 Code of Practice).
The IPBill was trumpeted as bringing greater transparency to UK surveillance practices. Technical Capability Notices are just one feature of a new shadowy surveillance framework.
8.27 The communications market is constantly evolving and CSPs subject to technical capability notices will often launch new services.
8.28 CSPs subject to a technical capability notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.
8.29 Small changes, such as upgrades of systems which are already covered by the existing notice, can be agreed between the Government and CSP in question. However, significant changes will require a variation of the technical capability notice.
8.30 Section 219 of the Act provides that technical capability notices can be varied by the Secretary of State.
There are a number of reasons why a notice might be varied. These include:
- a CSP launching new services;
- changing law enforcement demands and priorities;
- a recommendation following a review (see section above); or
- to amend or enhance the security requirements