The United Kingdom (U.K.) government has recently unveiled plans to revise the Investigatory Powers Act 2016 (IPA), the primary legislation governing the surveillance of electronic communications in the United Kingdom. The proposed revisions include five objectives pertaining to changes in the notices regime within the IPA, the process through which the government can ask private companies to carry out surveillance on its behalf, such as interception of communications and equipment interference (hacking). The proposed changes to the IPA notices regimes include an obligation to comply with the content of a potential notice during the review period and before a notice is actually served, an obligation to disclose technical information about the company’s systems during the same review period, measures to strengthen the extraterritorial application of the notices and obligations for companies to give advance notice to the U.K. Secretary of State before implementing any technical changes. This article focuses on the latter two changes. It examines how the United Kingdom likely would be in breach of international human rights law (IHRL) by interfering with the privacy and security of online users both within and outside of its borders, should it decide to move forward with the proposed revisions.
Blocking End-to-End Encryption and Important Security Updates
The existing IPA regime appears to already allow the U.K. government to demand that companies alter their services in a manner that may affect all users. For example, a technical capability notice requiring the “removal by a relevant operator of electronic protection” could be used to force a service, such as WhatsApp or Signal, to remove or undermine the end-to-end encryption of the services it provides worldwide, if the government considers that such a measure is proportionate to the aim sought. Objective 4 of the proposed changes adds another layer to the current regulatory landscape by including an obligation for companies to notify the government before introducing any technical changes to their systems.
While the proposal does not specify what technical changes would require notification, these may include changes in the architecture of software that would interfere with the U.K.’s current surveillance powers. As a result, an operator of a messaging service wishing to introduce an advanced security feature would now have to first let the Home Office know in advance. Device manufacturers would likely also have to notify the government before making available important security updates that fix known vulnerabilities and keep devices secure. Accordingly, the Secretary of State, upon receiving such an advance notice, could now request operators to, for instance, abstain from patching security gaps to allow the government to maintain access for surveillance purposes.
Global Application of Notices
The aim of Objective 3 is to strengthen the extraterritorial effects of the existing regulatory regime by making clear that any notices “continue to apply to the operators to whom it was intended to apply, including those that have adopted more complex corporate structures.” This would mean that the operators with a multinational presence would have to adhere to the U.K. government’s orders in every country of operation.
Several of the current provisions of the IPA already have extraterritorial application. Section 253(8), for example, states that a technical capability notice “may be given to persons outside the United Kingdom (and may require things to be done, or not to be done, outside the United Kingdom).” Indeed, ensuring that the IPA applies abroad has been a major policy goal for the United Kingdom, following the 2015 Report of the Independent Reviewer of Terrorism Legislation, which noted that companies “will reject requests which they feel are illegal in their host jurisdiction, or which they believe it would be unethical to meet, for example where the interests of a third country might be adversely impacted.”
The government’s insistence on the extraterritoriality of notices perhaps stems from the strong resistance it might have faced from companies refusing to comply with IPA requirements. As the text of the consultation highlights, “for our investigatory powers to remain effective against a backdrop of rapid technological change, companies must work openly and willingly with us…Additionally, we believe that it would be appropriate to strengthen the enforcement options available for non-compliance with the notices regimes. We propose to draw on existing precedent in wider UK legislation as a starting point for these options” In other words, failure to comply with these obligations would be subject to stronger enforcement besides the option to only bring civil proceedings against the company that is currently available to the Secretary of State.
Facing the Music
Underpinned by the legitimate (and recurring) government aim to prevent terrorism and crime, the U.K. proposal comes at a time of intense global debates centering the importance of cybersecurity as well as the on-going efforts of governments across the world to undermine now-everyday communication security measures (such as encryption). The European Union, for instance, is currently on both sides of this debate, with two different legislative proposals: one that aims to prevent child sexual abuse online through the implementation of a number of measures — some of which would inevitably require online platforms to circumvent protections like end-to-end encryption — and another that seeks to enhance security requirements for digital products and ensure that they “are placed on the market with fewer vulnerabilities.” The latter, known as Cyber Resilience Act (CRA), follows Europe’s past and recent experiences with the WannaCry cyber-attack, which seriously impacted several sectors, and the Pegasus revelations which highlighted how spyware developed by NSO Group was used to hack journalists, activists, and politicians around the world, . The Pegasus revelations resulted in the establishment of a special Committee of Inquiry and a European Parliament recommendation calling upon European Union Member States to ensure that vulnerabilities are patched and not exploited.
Against this backdrop, the main issue Objectives 3 and 4 jointly pose is that the United Kingdom could breach international human rights law by, for example, preventing a communications services provider from either fixing security gaps in software through the provision of security updates or applying advanced protections such as end-to-end encryption to their services, at a global level. Specifically, these measures not only are unlikely to survive the necessity and proportionality test enshrined in Article 8 of the European Convention on Human Rights (ECHR), which guarantees the right to respect for private life, but they could also result in failure to respect the human rights of individuals located abroad.
When examining whether mass surveillance measures are necessary and proportionate under Article 8 ECHR, the European Court of Human Rights has focused its review on whether appropriate safeguards against government abuse exist.While the Court has not recently carried out a balancing exercise between the benefits sought by mass surveillance and its impact on society, the Grand Chamber judgment from S. and Marper v. the U.K., a case in which the Court found unanimously that the collection and retention of DNA and fingerprints of innocent people was contrary to Article 8, could nevertheless shed light on the scope of the government’s powers in this analogous, mass surveillance context:
In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants’ right to respect for private life and cannot be regarded as necessary in a democratic society. This conclusion obviates the need for the Court to consider the applicants’ criticism regarding the adequacy of certain particular safeguards, such as too broad an access to the personal data concerned and insufficient protection against the misuse or abuse of such data.
The similarly indiscriminate nature of a revised notice under Objectives 3 and 4 could require compromising the security of millions of devices by asking the operator to abstain from patching a security gap. If, for instance, the notice targets a dominant company with massive international presence, it is hard to see how such a measure would ever satisfy necessity and proportionality requirements. This is because it would be extremely onerous, if not impossible, for a company to only provide security updates for specific devices or for devices in specific regions only. And that is assuming that the government already has a group of persons in mind when the notice is served; if not, then it would be impossible for the pre-emptive deployment of a measure like this to ever satisfy the balancing requirements of Article 8, which requires that any measures interfering with privacy be necessary and proportionate. Like in Marper, where the Court found that retaining everyone’s DNA on a database for the purposes of preventing crime failed to strike a fair balance between competing interests, indiscriminate mass surveillance is unlikely to meet the e proportionality test.
More importantly, expanding the extraterritorial effects of the notices regimes would entitle the U.K. government to decide the fate of data privacy and security for virtually every citizen in the world. For example, a notice asking operators to undermine end-to-end encryption would mean that end-to-end encryption would also be weakened for citizens in states with authoritarian regimes and a weak rule of law. To that end, it is worth noting that, in relation to access to encrypted communications for journalists, human rights defenders and other categories at risk, the United Nations (U.N.) High Commissioner for Human Rights has underlined that:
encryption and anonymity tools are widely used around the world, including by human rights defenders, civil society, journalists, whistle-blowers and political dissidents facing persecution and harassment. Weakening them jeopardizes the privacy of all users and exposes them to unlawful interferences not only by States, but also by non-State actors, including criminal networks.
Furthermore, secure communications channels are often the sole means for journalists and human rights defenders to avoid persecution or even torture. In the event the United Kingdom exercises the full extent of its purported enforcement powers under these proposed laws, it is possible it would be accountable for human rights violations occurring outside its borders. This was also the conclusion reached by the U.N. High Commissioner for Human Rights in his Report on the Right to Privacy in the Digital Age:
where a State exercises regulatory jurisdiction over a third party that controls a person’s information (for example, a cloud service provider), that State also has to extend human rights protections to those whose privacy would be affected by accessing or using that information.
* * *
The proposed changes to the notices regimes under the IPA raise significant concerns about their compatibility with IHRL. In the evolving landscape of digital rights and security, these proposed changes underscore the imperative need for governments to strike an appropriate balance between national security and individual rights. As it revises domestic surveillance laws, the United Kingdom should recommit to its obligations under international law to safeguard individual rights at home and abroad.