Investigatory Powers Act: Back doors, black boxes, and tech capability regs

The Home Office has launched an under-the-radar consultation on a critical step in the implementation of the Investigatory Powers Act (IP Act): the regulations on technical capability notices. The Open Rights Group has recently revealed details of the proposed regulations.

Under the IP Act, a technical capability notice can be issued to a telecommunications operator by the secretary of state with the approval of a judicial commissioner. A notice would require the operator to install specified technical facilities. The objective is to ensure that if the operator subsequently receives, say, an interception warrant, it has the technical ability to comply with it. A technical capability notice does not itself require an operator to conduct an interception. It prepares the ground in advance by ensuring the operator has equipment in place.

The proposed regulations will spell out what kind of facilities a technical capability notice can require a telecommunications operator to install. For example, the consultation touches on one of the many controversial topics in the IP Act: the possible use of technical capability notices in effect to prevent telecommunications operators from providing users with end-to-end encryption facilities.

Telecommunications operators are widely defined in the IP Act to include not only telcos, ISPs, and the like but also Web e-mail, social media platforms, cloud hosts, and over-the-top communications providers.

Technical capability notices already exist, but in a much more limited form, under the Regulation of Investigatory Powers Act 2000 (RIPA). S.12 of RIPA enacted a three-layer scheme similar to that under the new IP Act:

  • first the statute, laying out in broad terms the Home Office’s powers to require an operator to install an interception capability;
  • second, regulations made under the Act. These put more flesh on the obligations and potentially narrow the categories of provider who could be made subject to a notice;
  • third, technical capability notices themselves, issued by the Secretary of State to individual service providers (but not necessarily to all of those within scope of the Act or the regulations).

These pave the way for actual interception warrants, requiring operators to carry out particular interceptions.

The main change with the IP Act is that technical capability notices are no longer limited to interception. They apply to three of the powers under the Act: interception (targeted, thematic, and bulk), communications data acquisition (ordinary and bulk), and equipment interference (targeted, thematic, and bulk).

Another high-level change is that the IP Act allows technical capability notices to be given to private as well as to public telecommunications providers. The draft regulations reflect this expansion.

Also, unlike under RIPA, IP Act technical capability notices have to be approved by a judicial commissioner.

The proposed IP Act regulations are in many respects similar to the existing 2002 regulations made under RIPA. However, there are some significant differences.
