Tuesday, 10 November 2015

#IPBill Police ask you to break in to A&A offices and steal a hard drive?

One of the most disturbing parts of the Draft Investigatory Powers Bill is section 46(4)(c) which allows a suitably authorised officer to "ask any person whom the authorised officer believes is not in possession of the communications data but is capable of obtaining it, to obtain it..."

Now, "ask" or "request" are odd phrases to use in any law, and I have encountered legislation that uses it before. The PECR section 32 where I "may request" that the ICO take enforcement action - but you can request all you like and they have confirmed that the law does not "require" them to even consider your request. Obviously merely asking someone to do something does not, in itself convey any duty or requirement on them to actually do it, even if asked by a policeman! So just delete that clause surely!

However, it is not so simple, as section 50(2) says "It is the duty of a telecommunications operator who is obtaining or disclosing communications data, in response to a request or requirement for the data in pursuance of an authorisation, to obtain or disclose the data in a way that minimises the amount of data that needs to be processed for the purpose concerned." Now this is tricky as it seems to be simply saying you only minimise the data you get, but it sort also says you have a duty to actually "obtain" the data even if just "requested" to get it rather than being a "requirement" (as per other sections). So it sort of gives "ask" some power all of a sudden! [update: as someone points out, this is only those "obtaining" or "disclosing" so is not forcing one to "obtain" if "asked", even so, see below that you can be "required" to obtain data anyway]

Also section 66 says "It is an offence for a telecommunications operator, or any person employed for the purposes of the business of a telecommunications operator, to disclose, without reasonable excuse, to any person the existence ..." so you have to keep the request quiet.

Also section 65 makes this lawful, well, maybe. It makes the "asking" lawful, and anything you have to do as a "requirement", but does not actually make lawful the complying when simply "asked" to do something, even if you have a duty to comply!

But that is only "telecommunications operators", right? Well, yes, and sort of no. 193(10) defines that as  anyone that "offers or provides a telecommunications service to persons in the United Kingdom"but goes on in (11) with "“Telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).". Note the lack of "public" in the provision, so anyone that merely "facilitates" the making use of a telecommunications system to others, even if not for profit, not part of a business and even if not to the public, is a "telecommunications operator". that means that even if you just pay the bill for your family's broadband you are a "telecommunications operator" and could be "asked" to do stuff by the police, secretly, even if what you are asked to do is illegal.

Note that 46(40)(d) allows an authorised officer to "require" a telecommunications operator obtain data, and 50(1) makes it a duty to comply, so anyone who is deemed a "telecommunications operator" can be ordered to do anything necessary to obtain communications data from anyone by any means, and 65 makes it lawful.

So police can order people to do things, such things are deemed lawful regardless, and they have to be kept secret.

What a lovely country we all live in. I may have to move.


  1. Christ on a bike. Someone was on a roll when they composed this dog's breakfast.

  2. No - it applies to "a telecommunications operator who is obtaining or disclosing communications data, in response to a request". If you reject the request out of hand, you aren't "obtaining or disclosing communications data", so it doesn't apply.

    "What a lovely country we all live in. I may have to move."

    Agreed. The excessive snooping is taking on disturbing proportions already - and why?! "Because they can"? They've been taking far too much interest in our private communications for years now, even with Ms Perry having been transported somewhere she can do less harm, but where is the opposition which will take an opposing stance?!

    1. Good point, but the fact they can require a telecommunications operator to do things means the whole asking stuff is pointless anyway.

    2. Indeed, they can also come round and ask you to wash their patrol car for them or to go round investigating a series of recent burglaries...

      Charitably, we could try to tell ourselves that "in a way that minimises the amount of data that needs to be processed" is a requirement for you to disclose the smallest amount of data required for the police's needs - or more cynically, as a precaution against the obvious response to any request: "Certainly, officer, this pile of LTO7 tapes holds all the communications data for the period in question ... good luck sifting through half a petabyte of packet dumps to find what you're after". (Common in civil cases, apparently: sue a big company for patent infringement, they'll hand over a mountain of internal mail, hoping you won't spot the incriminating bit about needing to license your patent for their new product.)

  3. What is your understanding of the DIPB in respect of compensation for the additional costs, should a Retention Notice be served? Section 185 talks about "an appropriate contribution in respect of such of their relevant costs as the Secretary of State considers appropriate". Other sections refer to a "fair contribution" So is the government willing to compensate you in full, or only partially, for the costs of implementing systems you currently neither have nor want?

    On the other hand Section 190 states that the likely cost of complying with the notice must be considered before issuing a Retention Notice. Is it being over optimistic to hope that they'll leave AAISP alone because the costs would be prohibitive, whereas the larger ISPs probably already have systems in place to comply with a Retention Notice?

    1. Indeed, and a question that needs to be asked - ISPs are not the police, and not even being accused of any wrong doing here - so clearly the costs should, in my opinion, be fully paid by the government including any extra costs such as complying with subject access requests for data we would not previously have retained. My initial thoughts are, if any issue with no paying full costs, is set up a network operating company that rents kit and links and provides the service, but operates at zero assets and zero profit - the second an order is not 100% fully then it has to be wound up as no longer viable (and a new company set up in its place which has not had an order).

    2. I like the sound of that idea. The beauty is that neither of those network illiterates, May or Cameron, would be able to resort to their usual trick of standing up in the Commons to accuse A&A of "assisting criminals & terrorists". To do so would divulge the fact that a retention order had been served.

  4. What constitutes a "reasonable excuse" for disclosing the existence of a request? For example, what if your employment contract requires you to get advice from the company's lawyers about the request's validity? Or to inform a manager whenever you access a customer's data? Stretching a bit further... what if A&A's contract with a customer specifies that the customer will be informed whenever staff access certain data?

    How about automated notification? Suppose A&A have automated logging and reporting of queries against customer data - is the person handling the data request required to attempt to defeat this, if they know about it?

    If you are required to log my web history, there's an obvious risk of data theft. I hope that a competent ISP would try to set up monitoring that is hard for a hacker or rogue employee to bypass.