Investigatory Powers Bill
Written evidence submitted by Apple Inc, Facebook Inc, Google Inc, Microsoft Corp, Twitter Inc and Yahoo Inc (IPB 21)
1. The Investigatory Powers Bill is an important piece of legislation and we welcome the UK Government’s commitment to placing surveillance powers in a single bill. As we made clear in our evidence to the Joint Committee, the actions the UK Government takes here could have far reaching implications – for British citizens, our users and for the future of the global technology industry. Decisions made today about UK legislation will set precedents which may be copied elsewhere and have wider ramifications for all parties, both in the UK and overseas.
2. We believe the Government can go further to improve the provisions of the Bill without jeopardising its effectiveness. Important amendments are required to ensure the Bill is worthy of emulation around the world and does not further exacerbate the challenges communications companies outside the UK face, while also protecting the user trust that is essential to the modern data-driven economy.
3. To this end, we have summarised below the concerns that were previously raised to the Joint Committee but which have not been addressed by the Government in the new Bill. We also highlight specific areas where we believe amendments to the Bill are required.
4. Unilateral assertions of extraterritorial jurisdiction will create conflicting legal obligations for overseas providers who are subject to legal obligations elsewhere. As noted below, we believe a more sustainable and workable approach lies in developing new international agreements, as set out by Sir Nigel Sheinwald in his recommendations to the Prime Minister in 2014. The discussions between the US and the UK in this regard provide a much better path toward a workable arrangement than do naked assertions of sovereign power beyond borders.
5. In the ‘Guide to Powers and Safeguards’ published alongside the draft Investigatory Powers Bill, the Government stated that: "Enforcement of obligations against overseas CSPs will be limited to interception and targeted CD acquisition powers."
6. Furthermore, the Home Secretary affirmed in a statement to the House on 1st March 2016, that "a warrant can only be served on a person who is capable of providing the assistance required by the warrant, and that the duty to comply with the warrant can only be enforced against a person who is capable of complying with it."
7. This position is not reflected in the legislation. Currently civil enforcement is available against UK employees of non-UK CSPs. The Bill restates the government’s position and unilaterally asserts UK jurisdiction overseas in seven of the eight major powers in the Bill. This is contradictory to stated Government policy and will likely be replicated abroad, putting overseas based employees of UK CSPs at risk. We do not believe that the government intends to legitimize this heavy-handed practice.
8. Amendments are required on the face of the Bill to make clear that:
● Enforcement powers are limited on the face of the bill to those stated above;
● Warrants can only be served on an entity that can practically and legally comply with a notice;
● Civil enforcement routes cannot be used against UK based employees of overseas CSPs.
9. We agree with the recommendation of Sir Nigel Sheinwald and others that an international framework should be developed to establish a common set of rules to resolve these conflicts across jurisdictions.
10. To support this ambition, amendments are required that:
● Limit the extraterritorial application of UK law to situations where it is done pursuant to an international agreement that permits it;
● Expressly state that where an international agreement exists, no other power may be used to obtain the information.
11. Clarity on encryption is still required. Our companies believe that encryption is a fundamental security tool, important to the security of the digital economy as well as crucial to ensuring the safety of web users worldwide. The Bill provides for the power to issue technical capability notices requiring, among other things, the removal of electronic protection where reasonably practicable. The Bill should be amended so that there is an explicit threshold: where a service is encrypted end-to-end, the Bill should recognise it will not be reasonably practicable to provide decrypted content, rather than leave this to be established on a case-by-case basis.
12. The process the Home Secretary should follow in relation to Technical Capability Notices should be brought up to the standard that the rest of the Bill demands. Specifically it remains the case that, unlike in other Parts of the Bill, there is no recognition of the actual conflict of laws situations that will arise for service providers not established in the UK. Additionally, it is unreasonable that a Technical Capability Notice can be issued without judicial authorisation.
13. The Home Secretary’s position seems to be that subsequent warrants for specific content would be subject to judicial authorisation and therefore the Home Secretary will still be subject to the checks and balances provided for elsewhere in the Bill.
14. This is a misunderstanding of the effect of a technical capability notice. The damage to security may be done as soon as a company finds itself having to comply with such a Notice and install a back door, whether or not it subsequently has to provide data under warrant.
15. Amendments are required to explicitly state that the Bill’s provision for "obligations relating to the removal of electronic protection applied by a relevant operator to any communication or data" does not extend to the removal of electronic protection provided by another operator.
16. Furthermore, the Bill should be amended to make clear that ‘third party data’ cannot be collected, either directly or indirectly via provisions on ICRs.
17. While we believe the Bill’s judicial 'double lock' represents an important step in the right direction, there is room for improvement. To truly serve as a second lock, this function must not only assess the rationality or reasonableness of the ministerial decision, but also ensure that investigatory warrants under the Bill will withstand the full scrutiny of a court.
18. Judicial authorization should also be applied to a broader set of authorities including national security notices, maintenance of technical capability orders, and modifications to equipment interference warrants which have been issued to the Chief of Defence Intelligence and intelligence services.
19. Amendments are required that:
● Make clear the judicial commissioner reviews the actual merits of the application, on the same basis as the authorizing minister;
● Require a judicial warrant for all national security notices, technical capability orders and all modifications to any equipment interference warrants;
● Provide the power for a judicial commissioner to request an amicus brief from affected providers or parties prior to authorization.
20. We maintain that the Bill can and should be more explicit in the language it uses, highlighting that any collection should be pursuant to a specific identifier.
21. The Bill should recognise the high level of intrusion associated with bulk powers and direct agencies with these powers to prioritize the use of targeted collection such that the exception for bulk powers does not swallow the general rule.
22. We also believe that the general safeguards sections should explicitly include 'minimization' provisions, ensuring that only the necessary and proportionate amount of data is obtained, analyzed and retained. All other data should be destroyed.
Transparency and legal process
23. User notification: As a general rule, users should be informed when the Government seeks access to account data. It is important both in terms of transparency, as well as affording users the right to protect their own legal rights. Our users range from individual consumers to large media organizations to large public sector entities. While it may be appropriate to delay notice in exceptional cases, in those cases the burden should be on the Government to demonstrate that there is an overriding need to protect public safety or preserve the integrity of a criminal investigation.
24. Amendments are required to:
● Enshrine the principle of user notice and make clear that, after the expiration of a specific period of time, companies are able to notify users of requests where due process has not been sought by the requesting body to delay notification;
● Provide service providers with a right of appeal to the Investigatory Powers Commissioner in cases where permission to notify a user is refused;
● Provide that CSPs are permitted to publish data about requests received under international agreements.
25. Where there is a determination that a warrant is necessary, the question should then be to whom the warrant should be directed. It is our view that the same standard – "necessary" – should be applied as a test here. In many cases, the Government can (and often does) obtain the information directly from the users themselves.
26. When that is not possible, the Government should seek the information from the most proximate source with access to the data.
27. The term "urgent" is not defined in the Bill. Clarity on this term - which other countries may directly copy and even seek to abuse - is important.
28. Amendments are required that:
● Specify that a warrant should not be issued to a CSP if the information could be obtained from an individual and no attempt has been made to do so;
● Define the term urgent in line with international legal norms.
29. A robust oversight structure is essential to public confidence. The bill makes improvements to the current regime but as identified by the various reports on these issues, more can be done to build public trust and set an example worthy of global emulation.
30. Amendments are required that:
● Empower the Judicial Appointments Commission to appoint the Investigatory Powers Commissioner and the Judicial commissioners;
● Provide for a statutory provision in the Bill that the Investigatory Powers Commissioner and the Investigatory Powers Tribunal can act on complaints from any party, including overseas CSPs, without either committing a disclosure offence or accepting jurisdiction;
● Provide the possibility for judicial commissioners to request amicus briefs from affected providers;
● Place a statutory duty on the Investigatory Powers Commissioner to report on any significant questions of interpretation of the powers in the Bill;
● Make Codes of Practice subject to approval by a super-affirmative procedure.
Network integrity and cyber security requirements
31. There are no statutory provisions relating to the importance of network integrity and cyber security, nor a requirement for agencies to inform companies of vulnerabilities they identify that may be exploited by other actors. We urge the Government to make clear that actions taken under authorization do not introduce new risks or vulnerabilities for users or businesses, and that the goal of eliminating vulnerabilities is one shared by the UK Government. Without this, it is impossible to see how these provisions could meet the proportionality test.
32. Amendments are required that:
● Prohibit the execution of a warrant that would result in an interruption of service to users of the targeted system;
● Introduce statutory provisions recognising the importance of network integrity and cyber security;
● Provide reassurance on the face of the Bill that there is no conflict with CSPs’ statutory obligations to keep user data and infrastructure secure;
● Require UK authorities to notify any relevant company of vulnerabilities when a warrant either expires or is cancelled.