Privacy, Cybersecurity and Investigatory Powers

A Parliamentary Joint Committee recently published its report on the Draft Investigatory Powers Bill. The Bill covers the operation and regulation of certain investigatory powers of law enforcement agencies in the UK. The Bill has received significant media attention since its initial publication in November last year, not least due to the common perception that it is just a rehash of the failed ‘Snooper’s Charter’ that received so much negative attention during the twilight years of the last Coalition Government. The report on the Bill comes at a time when the scope of similar investigatory powers is also receiving significant media coverage in the context of a US court case between the tech giant, Apple, and the FBI.  Both the court’s decision in the Apple v FBI case in the US, and the impact of the report in the UK, will be of interest to many, including communications service providers (such as internet and phone companies, on whom the Bill places a number of obligations), others in the tech and cybersecurity industries and also the general public whose privacy rights will ultimately be impacted.

What does the Joint Committee’s report say?
In its report, the Joint Committee raises a number of concerns mainly relating to the potential scope of the powers to be granted under the Bill, should it be implemented into law.  The Joint Committee makes a number of detailed recommendations in the report to address these concerns as discussed below.

The Bill proposes the creation of a judicial oversight body and greater involvement of judges in the authorisation of warrants permitting intrusive activities such as targeted interception, equipment interference, and all forms of bulk warrants. The report makes further recommendations aimed at ensuring the proposed new system of judicial oversight delivers the increased independence and oversight which has been promised.

The report recommends that the proposals in the Bill which place obligations on communication service providers to collect and retain users’ internet connection records (ICRs) specifically clarify what form the ICRs would take, as well as the cost and feasibility of creating and storing them.

The report recommends including clarification that proposals in the Bill requiring communications service providers to give access to protected communications and data when required by a warrant will not require encryption keys to be compromised or ‘backdoors’ to be installed onto systems. This recommendation appears to echo the concerns raised by Apple in its court cases against the FBI (see below).

The report expresses concerns over the provisions in the Bill for bulk powers to intercept and acquire communications data and to interfere with equipment. It recommends that the Government publish a fuller justification for each of the bulk powers.

The report also makes recommendations to ensure that vital protections for lawyers and journalists are not compromised.

Further recommendations include the publishing of Codes of Practice to cover the operation of various aspects of the Bill, and a post-legislative review of the Bill five years after it has been enacted.

What stage is the Bill at now?
The Government has now published the latest and final version of the Bill, which it considers addresses the majority of the recommendations raised in the Joint Committee’s report. However, many remain concerned that the changes do not go far enough. The Bill will now be considered by the House of Commons and House of Lords before being enacted into law.

What is the Apple v FBI case about?
Apple is fighting a court order obtained by the FBI requiring Apple to ‘break into’ an iPhone recovered during the investigation into the San Bernardino shootings carried out in December last year. Apple has refused to comply with this court order, and is also resisting similar demands from the FBI in connection with other unrelated investigations.

Apple has stated that the request is “an over reach by the US government”. Its position, broadly, is that complying with the court order would result in Apple having to develop software which would introduce a ‘backdoor’ into the iPhone, rendering every iPhone inherently less secure. Apple, and numerous other big players in the tech industry who have voiced support for Apple (including Google, Facebook and WhatsApp), are concerned about the precedent this would set. If successful, the FBI would potentially be able to require any (or every) software company in the US to manufacture software that undermines the security of its own products. The FBI, on the other hand, argues that complying with the order would only impact upon one device and that Apple’s refusal is hampering a number of its investigations.

In another case between Apple and the FBI concerning a drugs investigation, a court in Brooklyn has ruled in favour of Apple. The case is unrelated to the San Bernardino case but considers largely the same issue of whether the FBI can force Apple to ‘unlock’ a device. Although this judgment does appear to show judicial support for Apple’s position, the judgment in the Brooklyn case will not bind the judge ruling on the San Bernardino case and so the relevant issues remain live.

Why are the Joint Committee’s report and the Apple case important?
They serve as reminders of the inherent conflict between privacy and cybersecurity on the one hand, and the investigatory powers of law enforcement, security and intelligence agencies on the other. It remains to be seen how both the US judiciary and the UK Parliament choose to address this conflict and the impact it will ultimately have on all interested parties.

For more information on any of the issues raised, please contact a member of the commercial team at Stevens & Bolton.
