Can GCHQ order techies to work as govt snoops? Experts fear: 'Yes'
UK Home Office's response to concerns are a riddle wrapped in an enigma
You've been served
"It seems to suggest that a warrant to assist can be served on anyone, not just the telecoms operators as some had suggested," said the professor. "But the letter further suggests, and I am just an engineer and not a lawyer, that only the telecoms providers would be obliged to cooperate."
After re-reading section 126, 127, 128 and 190 of the law again and, in conjunction with the Home Office letter, Prof Woodward came to the conclusion that "anyone, for example a researcher, could be served with a warrant to assist in equipment interference."
"I must confess if this did happen to me, with a court issued warrant, I'd feel obliged to cooperate. I'm not sure I'd want to see what would happen if I refused to assist them in executing the warrant," the professor concluded.
My concern is rather that some CSPs will be more helpful than the legislation justifies
Peter Sommer, professor of digital forensics at Birmingham City University, and a specialist advisor to a parliamentary committee that scrutinized the surveillance law, said the process of considering the legislation was flawed.
"There are in fact rather a lot of ambiguities in the IPA legislation," Sommer told El Reg. "Although it was examined by quite a number of committees as well as on the floors of the Commons and Lords, none of them really gave themselves sufficient time to examine the wording with the detail required."
The sheer difficulties of turning policy into unambiguous words or appreciating how words might in future be interpreted should not be underestimated, he explained. Even though clarifications were obtained and rewordings made, the final law was imperfect, and the bulk interception provisions clauses are not the only resulting difficulties.
A key detail is whether or not one of these warrants can force someone, let alone a telco, to aid the government against their will: can it be safely ignored, can it be used to pressure people to comply because it's too much cost and effort to successfully resist, or must it be obeyed without question?
"My understanding is that a warrant cannot exist in the absence of a power for it to be issued," Sommer said. Second, the Single Intelligence Account and GCHQ in particular would be very unwise to expect to get productive enforced cooperation. Far better to produce good reasons to motivate people to help.
"Paradoxically, my concern is rather that some communication service providers will be more helpful than the legislation justifies. After all, some telcos plainly gave assistance for intercepts under the old section 94 of the Telecommunications Act 1984 – a feature later rectified under IPA."
Steven Murdoch, a security researcher at the University College London and authentication vendor VASCO, argued it would be up to the courts to adjudicate on the legislation and decide how it applies in practice.
"The Home Office opinion as to what the act says isn’t binding, nor are the explanatory notes that accompany it," he said. "The law says what the law says, and interpretation is up to the courts – who may chose to take into account other information like statements in Parliament, but may not."
What's the rush?
Murdoch agreed with Sommer that some of these ambiguities are the result of the speed at which the act went from draft to law, adding that "it would have been better if there were more time for scrutiny where these issues could have been ironed out."
"Most importantly, I would be more confident that over-broad interpretations of the law could be prevented if there is more transparency in the exercise of powers," he concluded.
Prof Woodward added: "I find the Home Office letter interesting as it perhaps indicates what they intended, even if the courts interpret it differently when it is tested by the judiciary."
After reflecting on the subject, Prof Woodward said he believed that it was likely that warrants would to be served on telcos before being passed on to researchers.
"It would be the telco [who had received the warrant] who would pass on the warrant to an individual that they felt was required/could assist in the telco executing the warrant," Woodward speculated. "So the telco would have to consider that an individual (other than, say, one of their own employees) had some special capability necessary to give effect to the warrant. The practicalities of that relationship would seem to be fraught with difficulty."
But why even bother going to anyone but an actual comms provider?
Sommer responded: "I strongly suspect that the SIAs will want to approach the matter co-operatively. GCHQ and the Home Office already have developed relationships with most of the CSPs that they are likely to need help from; indeed you can see that many of them already have ex-GCHQ staff.
"This leads me to observe that the main role of section 190 is to protect the CSP which is willing to help but also needs cover against legal action from the customers whose equipment is being penetrated - 'sorry, we were compelled'."
Graham Smith, an IT and internet lawyer at Bird&Bird, explained that the new law repeats a formulation found in earlier UK surveillance laws that imposes duties to assist only on telecoms operators:
As the Home Office letter says, a warrant "can only be served on a person whom the equipment interference authority considers may be capable of providing the assistance required by the warrant" See e.g. S. 126(2)(a), 190(2)(a). When they say 'any person' in the next para, they must mean subject to that qualification.
The HO [Home Office] is correct that only a telecommunications operator can be compelled to assist: S.128(1)/(2) impose the specific duty to take steps notified to the operator. S.128(5) sets out the "reasonably practicable" exception. S128(7) sets out the enforceability of the duty imposed by S.128(1)/(2). S.190(5) applies these provisions to bulk warrants.
This does leave a question as to why, when no enforceable duty to assist applies to anyone other than a telecoms operator, the Act uses the word 'require' in S.126(1) and 190(1) (and indeed in the equivalent provisions elsewhere in the Act). For what it's worth, that repeats the formula used in S.11(2) of the existing RIPA legislation for interception warrants, which has been in place since 2000.
The Investigatory Powers Act can be found online in full, here.
The IPA's definition of a "telecommunications operator" is widely scoped so that many organisations are covered by this definition. "Bulk equipment interference" is not just about some specialist bits of switching equipment located in a building somewhere, Clubley argued.
Do you run a boutique ISP?
Section 261 of the Act defines that a "telecommunications operator" is anyone who provides or controls a communications network of any kind. Paragraph 10 of section 261 talks about how you are also considered to be a telecommunications operator even if you only merely "control" the telecommunications system in question; actual ownership does not appear to be required. That would appear to obligate some third-party maintenance vendors to assist with a Bulk Equipment Interference warrant issued against equipment owned by their customers.
Both private and public telecommunications operators are covered by the bulk equipment interference warrants. ®