_KUBE_ - stock.adobe.com

Investigatory Powers Act: Home Office proposes rethink of safeguards on bulk data collection

David Anderson KC will review the safeguards on intelligence service and police use of bulk datasets following a Home Office assessment that they are 'disproportionate'.

The Home Office's independent review of the Investigatory Powers Act (IPA) will assess whether safeguards on the way the police and intelligence agencies acquire and use bulk databases on UK citizens are too onerous.

Home secretary Suella Braverman asked David Anderson KC on 17 January to conduct a quick turnaround review of UK surveillance law, after police and intelligence services said the law should be reformed.

Anderson’s review follows the Home Office’s own internal review which argued that safeguards introduced by the IPA in 2016 on the collection and acquistion of "bulk datasets" - which contain personal data on a large number of people - were in some cases "disproportionate".

Anderson said in a blog post published on 9 February that he would prioritise whether regulations over the acquisition and use of bulk personal datasets by law enforcement should be updated.

The Home Office published a report on its own internal review last week, which calls for reforms of the oversight regime of the Investigatory Powers Act, the use of bulk personal datasets, and other issues in the light of developments in technology and changing threats to the UK.

The Investigatory Powers Act 2016 is overseen by the Investigatory Powers Commissioner, Brian Leveson, assisted by independent judicial commissioners.

According to the Home Office review, which cites changes in technology over the past five years and new international threats such as Russia’s invasion of Ukraine, parts of the IPA need to be urgently updated.

“It has become apparent that some elements of the oversight regime are now inhibiting the UK intelligence community’s ability to work together and with partners otherwise leaving the British people vulnerable to a wide range of evolving threats,” the review said.

“The UK intelligence community has emphasised the critical importance of updating the legislation to help catch up technologically with the increasingly sophisticated tools used by terrorists, drug smugglers, and organised criminal gangs."

IPA is limiting digital transformation

The Home Office argues that rapid changes in technology coupled with limitations in the Investigatory Powers Act are inhibiting the UK’s intelligence community from exploiting digital technology “required to keep the country safe”.

In 2020, the government increased the budget of the UK Intelligence Community (UKIC) by £173m, to £3.1bn, in part to fund a "digital transformation programme" for intelligence agencies.

The government’s Integrated Review the following year found that the UK is facing a period of rapid technological change, that will bring benefits but also increased competition.

“This pace of change, coupled with limitations within the Act, is inhibiting UKIC’s ability to maximise the benefits of digital transformation, stay ahead of adversaries, and ultimately keep the country safe,” the Home Office said in its review of the IPA.

The Home Office claims that the exceptional growth in the volume and type of data across globally since the Act entered into force has impacted UKIC’s ability to work and collaborate at the "necessary operational pace".

Bulk personal datasets

This has impacted the intelligence agencies’ use of bulk personal datasets (BPDs), which can include people's financial, travel or communications data, the majority of which is of no interest to the intelligence services.

“The BPD safeguards in the current statutory framework are disproportionate for some types of data, creating a negative impact on operational agility, while also harming capability development,” said the review.

The Home Office says existing safeguards limiting the use and acquisition of bulk personal datasets do not take into account the extent to which cloud and commercially available tools now made powerful analysis of datasets possible.

Read more about UK surveillance laws

The safeguards also fail to take into account the fact that most data can, in theory, now be resolved to real-world identities, which means that datasets not previously considered to fall within the protections of the IPA now constitute BPDs.

Reform to Part 7 of the IPA, which governs the use of BPDs, would enable intelligence agencies to take a more robust response to the “deteriorating global security environment” and adapt to a wider range of technology-enabled threats, the Home Office claims.

Among other changes, it says there is a need to increase the duration of warrants for bulk personal datasets so that they do not require renewing every six months. The intrusion caused by the retention and examination of BPDs is often more static and predictable than for other IPA data types where warrants authorise the continuous acquisition of data, it said.

Internet connection records

The Home Office also calls for a rethink on safeguards that limit access by law enforcement and intelligence agencies to internet connection records (ICRs).

The Investigatory Powers Act gave public authorities access to ICRs held by telecommunications operators for the first time, when it became law in 2016.

ICRs include records of websites visited by individuals but not the information searched for; records of new sites visited, but not the articles read; and records of people accessing mobile phone apps, but not what activities they carried out using the app.

The National Crime Agency has carried out a trial of ICRs, working with a "small number" of telecoms operators, the Home Office review reveals. The trial focused on access to websites whose sole purpose was to provide access to illegal images of children.

“Over 120 subjects of interest (SOIs) have been identified accessing one or more of these sites. Intelligence checks suggested that only four of these SOIs could be positively confirmed as previously known to authorities,” it said.

But the Home Office said that the conditions laid down by Parliament to strike a balance between intrusion and privacy, need to be revisited.

“ICRs appear to be currently out of reach for some potentially key investigations, such as those seeking to identify individuals involved in some of the most serious crimes,” it said.

Technical capability notices

Other recommendations from the Home Office include a requirement for telecoms companies and other organisations that provide internet services, to install specific technology to retain telecoms records or intercept their content.

Under the IPA, government departments can issue Data Retention Notices, which require telecoms companies to retain records of their customers’ communications, and Technical Capability Notices (TCNs) to require companies to install an interception capability.

TCNs can require companies to create and install a permanent capability for government to remotely intercept and interfere with their networks, Computer Weekly has previously reported.

Universities and schools, Wi-Fi service operators, or app developers whose app includes a communications service that customers could use, are classed alongside traditional internet and telephone companies which can be served with TCNs.

Under existing arrangements, the government reimburses telecoms operators for 100% of the capital and operation costs for Data Retention Notices. Organisations that receive TCNs qualify for refunds of their operational costs.

Companies are free to install their own technology, but the Home Office argues that costs could become prohibitive unless the government has powers to mandate what technologies telecoms companies install.

“Without the ability to levy technical requirements on telecoms operators, or to benchmark the level of government reimbursement, there is a continuing risk that capabilities become prohibitively expensive as technology continues to evolve,” the Home Office review said.

International co-operation

The Home Office said that data on UK citizens was increasingly held by service providers outside the UK. The UK and US agreed a Data Access Agreement, which came into force on 3 October 2022, that will provide UK law enforcement agencies access to data held on UK citizens in the US, subject to US freedom of speech laws, for investigations relating to serious crimes and terrorism.

It will also enable the US to access data on US citizens in the UK, provided the information is not used to prosecute the death penalty in the US.

The Data Access Agreement will be overseen by the Office of the Investigatory Powers Commissioner (IPCO), which published guidelines today.

March deadline

Anderson has asked for comments for his independent review of the Investigatory Powers Act by 10 March 2023 at the latest.

“Constraints related to the timetable for possible future legislation means that the timescale for comment must of necessity be short,” he wrote on his blog.

Anderson, a barrister at Brick Court Chambers, previously held the post of independent reviewer of terrorism legislation for six years. He carried out two influential reviews into investigatory powers – A question of trust in 2015 and the Bulk powers review in 2016.

In 2018, he was knighted for services to national security and civil liberties, and appointed to the House of Lords where he is as an independent cross-bench peer. 

Main elements of Anderson Review of IPA 2016

  • Consideration of whether changes to definitions within the Act in relation to interception, subscriber data, and third-party data relating to the communications data retention regime are required and whether these would be practicable and desirable;
  • Improvements to the warrantry process to increase efficiency and strengthen resilience whilst maintaining appropriate safeguards;
  • Ways to increase resilience and agility of the oversight regime in light of the experience of the last five years of operation.

Source: Anderson’s Terms of Reference

Read more on IT legislation and regulation