Study assesses impact of Investigatory Powers Act during its first five years and suggests potential changes
Credit: René/Pixabay
A major government report has found that the ability of law-enforcement and intelligence agencies to collect bulk personal data is stymied by “disproportionate” levels of protection.
When the Investigatory Powers Act 2016 (IPA) first passed into law, the government committed to review its operations – and whether it remains fit for purpose – after five years. This review was undertaken in the second half of last year and have now been published, including the primary conclusion that the law has been successful in delivering its primary objective of the “consolidation of existing powers relating to communications data”. It has also successfully delivered “enhanced oversight and safeguards for use of powers”, the assessment said.
The one area where the report identifies a possible need for the law to be updated is in “modernisation and futureproofing”, where “the review has demonstrated that the act has not been immune to changes in technology over the last six years”.
According to the Home Office-led review, this is particularly true in relation to the ability of authorities to collect bulk personal data sets (BPD), which constitute “data that has been obtained consisting of personal data relating to a number of individuals, and the nature of that data set is such that the majority of individuals contained within it are not, and are unlikely to become, of interest to the UK intelligence community” (UKIC).
In the years since the act – known to its critics as the ‘Snoopers Charter’ – first passed into law, intelligence officers have increasingly encountered difficulty in collecting the bulk data needed to support investigations, the review found. Challenges have been created by growth in the amount of digital data created – and by what the report suggests are excessive protections for bulk data provided for by the IPA.
Related content
- Government appoints £2m firm to help build search tool for citizens’ internet records
- New investigatory powers commissioner to oversee all forms of government surveillance
- High court gives government six months to amend data-retention law
“The exceptional growth in volume and types of data across all sectors of society globally since the act entered into force has impacted UKIC’s ability to work and collaborate at the necessary operational pace,” the report says. “The BPD safeguards in the current statutory framework are disproportionate for some types of data, creating a negative impact on operational agility, whilst also harming capability development. The safeguards in [the act] do not account for the way that data and its availability has evolved since the act passed. In particular, it did not foresee: the exponential increase in the use of, complexity, and changing nature of data; the extent to which cloud and commercially available tools would make powerful analysis of datasets possible; the possibility that most data referencing human activity can in theory be resolved to real world identities, rendering datasets that would not previously have been considered BPD within the scope of… the act.”
Quoting a portion of the government’s 2021 Integrated Review into defence and national security, the IPA report suggests that “reform” to the relevant portions of the act would enable authorities to “take a more robust approach in response to… a wider range of state and non-state threats enabled by technology”.
Some degree of reform to the bulk data collection regime is “will be necessary in the short term to ensure law enforcement and the intelligence agencies can continue to effectively exercise the capabilities they need to tackle serious crime and protect national security”.
In the longer term, the Home Office says that “it is likely that the act will need to be kept under review, informed by further years of operation, with more substantial reform inevitably necessary in future due to the continued unpredictability of developments in technology, and the challenges of forecasting the way that data is collected and stored against the evolving requirements of protecting national security and tackling serious crime”.
Last month, the home secretary Suella Braverman appointed crossbench peer Lord David Anderson to conduct an external review of the Investigatory Powers Act – which “ill be entirely independent from the [department’s] statutory report”.
Due to be published later this year, the remit of Lord Anderson’s report will be to “assess the case for legislative change, now or in the future… [and to] focus in particular on the effectiveness of the bulk personal data set regime, criteria for obtaining internet connection records”.
Connection records
As exclusively revealed by PublicTechnology last year, government has been quietly progressing plans to create a national service through which authorities can search for and obtain citizens’ internet connection records (ICR) from communications firms. While they do not constitute a full browsing history of all individual webpages visited, and ICR does include information on all sites or apps a user has accessed, as well as data on IP addresses, devices used, time of visit, and customer account details.
Technical work is already underway on the possible rollout of a nationwide platform allowing authorities to tap into this data from communications providers. This follows trials with a small band of telecoms firms led by the National Crime Agency.
The Home Office’s five-year review provides more detail on these trials, which the report says were “focussed on access to websites whose sole purpose was to provide access to illegal images of children [with] over 120 subjects of interest… identified accessing one or more of these sites” – only four of which it claims “could be positively confirmed as [being] previously known to authorities.
“Following the conclusion of the trial an informed decision will be taken on any approach to national service commissioning, fully considering the expected costs and benefits”, the review said.
But it added that the “high bar that must be met before an ICR authorisation can be granted” means that, in many cases, authorities find themselves unable to lawfully collect citizens’ internet connection records.
“The conditions [for granting authorisation] were developed as parliament considered the balance at the time the bill was making its way through parliament, between intrusion into privacy, and the likely benefit that might be obtained from ICRs,” according to the review. “The trial has now shown significant operational benefit. The way in which the conditions are drafted, and the uncertainty about how to interpret aspects of them, means that ICRs appear to be currently out of reach for some potentially key investigations, such as those seeking to identify individuals involved in some of the most serious crimes.”
