The Investigatory Powers Bill: Let's work together to spy on your customers
One interesting thing that has come to light in the course of the unexpectedly good parliamentary scrutiny by the Intelligence and Security Committee of the Investigatory Powers Bill (their recommendations having alas been almost completely ignored by the Home Secretary) is the attitude the UK Home Office takes when rendering a communications provider amenable to surveillance and data retention.
The Investigatory Powers Bill, and indeed similar regimes abroad, allows the Secretary of State to issue a variety of notices compelling entities to act, and often also mandating secrecy. The imaginations of those members of the public who scrutinize these bills are thus vivid with the idea of the government spontaneously turning up one day and gagging you with some official document.
However, oral evidence given by the Home Office to the Intelligence and Security Committee reveals that this is not the case, and in fact the issuance of an official notice is not the start but the culmination of an extended period of government—business relationship-building. Essentially, a provider is approached, meetings are had and infrastructure is examined, in order to determine what data a provider can reasonably be expected to maintain.
This is an answer, though not necessarily a nice one, to the question of how the extremely open-ended powers of the Investigatory Powers Bill will be applied in terms of the material expectations placed on providers. According to this testimony, the government strongly predicates the requirements of its notices on what a provider is actually capable of doing. They meet and collaborate with the provider in order to assess what is possible. The notice is less the initiating force and more a receipt for the completion of the process, a souvenir; shake hands, goodbye, you'll get the notice in the post.
Cooperation. This makes notices look less like instruments of compulsion and more like something which providers want so they can say “we're legally obliged to do this” if anyone criticises their actions in regard to retention and other powers.
Indeed, there is further evidence of this. The various notices defined by the Investigatory Powers Bill come with gag clauses. Adrian Kennard, the director of a small UK ISP, was invited to a meeting with the Home Office to discuss the concerns of the ISP industry regarding the bill. According to civil servants, the large ISPs asked for these gagging clauses. This suggests a highly consensual relationship between large providers, who simply want to be able to make a theatrical claim that they're obliged to do X, Y and Z in case it makes for bad PR.
Here are some choice quotes from the oral evidence given to the Committee, emphasis mine:
Richard Alcock (Communication Capabilities Directorate, part of the Home Office): [...] By virtue of the work that we have done with industry, we have formed quite a good relationship with some of the suppliers. We understand their architectures and we have evidence of historical costs.
...
Richard Alcock: In terms of internet connection records, we worked over the summer with the service providers we are likely to place notices on. We shared information and projections over data volumes and estimates of historical costs for particular types of implementation, noting that those will vary over time, because comms service provider systems are constantly changing, either for technology’s sake or by virtue of mergers and acquisitions. We have had a number of bilateral and multilateral meetings with those providers to go through some of our assumptions.
...
Richard Alcock: In the context of communications data, we would define the kind of information or fair data fields that we would want a comms service provider to retain for a period of up to 12 months. The process by which we would do that is not as simple as engineers in the Home Office working up a list and then sending it to a supplier. We work very closely with the comms service providers, **even before serving a notice,** to understand the technical feasibility, practicality, costs and robustness of the arrangements, noting that in the context of communications data all the data that are retained and used, where necessary and proportionate, have to be built to an evidential standard. Once that was done, we would serve a written notice, signed by the Home Secretary, on those suppliers, defining the specific fields and data fields that we wished to collect. Those fields will be a function of the different industry suppliers, by virtue of the fact that all the back-office and technical systems are quite different, depending on which comms service provider you are talking to.
...
Richard Alcock: We work with operational stakeholders to identify the comms service providers from which we are most likely to get operational benefit. There are in the order of 200 or 300 organisations that would class themselves as comms service providers in the United Kingdom. In relation to comms data, we will certainly not place obligations on every one of those providers. As I said, we will already have spoken to those that are likely to have notices placed on them.
...
Richard Alcock: We are working with operational stakeholders to understand where we would accrue most operational benefit from the retention of particular data types. Through that work, we have come to our best assessment of the organisations on which we would be likely to serve notices. We have worked with those organisations to establish best estimates, noting all the examples that previous witnesses have given, but we continue to work with industry to validate some of the assumptions, noting that we will need to do some detailed engineering work really to hone down some of the figures. I would expect us to go through a process, possibly, of looking at providers again and prioritising some over others.
...
Richard Alcock: For a number of years, we have managed to maintain very productive, very constructive relationships with UK providers.
...
Richard Alcock: I go back to the point that I keep making. It is about forging constructive working relationships with the comms service providers. All comms service providers are different. All systems are different. We need to work out pragmatic ways in which we can satisfy requests from the UK Government.
...
Richard Alcock: Going back to what I said, the expectation is that, when served with a notice, providers would provide us with data **in the clear**. That would involve working with the particular provider of the day to work out how best that could be achieved.
There are two elements of this:
Consultation with providers to identify feasibilities as part of formulating and passing legislation.
Consultation with providers in prospect of the issuance of a notice.
It seems quite apparent that there is considerable voluntary cooperation between providers in both cases.
Advance warning. However, this suggests a significant problem for the Government with regard to a provider sufficiently opposed to measures such as those provided for by the Bill. The notice, and the gag clause which is part of it, is only imposed at the end of the cooperation process. Thus, it would be entirely within an organization's prerogative to reveal that it has been contacted by the Government in prospect of the issuance of such a notice.
If the Government were afraid of this, its remaining prerogative would be to issue such a notice without prior consultation. However, in doing so the Government would have little idea of what, in technical terms, the provider will and will not have the capability to comply with, forcing it either to guess conservatively, or to issue an overbearing notice the provider cannot comply with, in a bid to force the provider to cooperate in obtaining a more reasonable notice.
Enforceability of gag orders. Even assuming a gag order is in place, the governmental will to enforce such orders is questionable. As mentioned, they may be more theatrics for the sake of ISPs' vanity than something the government actually wants. Moreover, even if the government actually does want the gag, violating it isn't a crime:
The duty under subsection (1) or (2) is enforceable by civil proceedings by the Secretary of State for an injunction, or for specific performance of a statutory duty under section 45 of the Court of Session Act 1988, or for any other appropriate relief.
This clause pertains both to compliance with the notice and to the corresponding gag order. Considered in relation to a gag order, it seems this clause would only be useful if the Home Office knew a provider was going to scream and had time to get an injunction in place. “Specific performance” or “appropriate relief”, by contrast, imply after-the-fact proceedings, and I don't know how “appropriate relief” is to be interpreted, but the term suggests rectifying an infringement, not punishment. This suggests that the only remedy available to a court in light of a violation of a gag order would be an entirely pointless requirement to stop violating the gag order. This is only my amateur interpretation.
There also appears to be an interesting flaw in the gag order itself:
A telecommunications operator, or any person employed or engaged for the purposes of the business of a telecommunications operator, must not disclose the existence and contents of a retention notice to any other person.
A person who does not have anything to do with a telecommunications operator but who somehow becomes aware of the notice doesn't thus appear to be bound by the gag order.