Investigatory Powers (Amendment) Bill: Communications Data and Internet Connection Records
Updated 26 April 2024
What is communications data?
- Communications data (CD) is information about communications: the ‘who’, ‘where’, ‘when’, ‘how’ and ‘with whom’ of a communication but not the content of the communications (that is the meaning: what was written or said).
- CD is an essential tool for the full range of law enforcement activity and national security investigations. It is used to investigate crime, keep children safe, support or disprove alibis and tie a suspect to a particular crime scene, among other things.
- CD is routinely used as evidence in 95% of serious organised crime investigations and has played a significant role in every major terrorism investigation over the past decade.
- Sometimes CD is the only way to identify offenders, particularly where offences are committed online, such as child sexual exploitation (grooming) or fraud.
- Law enforcement, the intelligence services and other specified public authorities - as set out in Schedule 4 of the Investigatory Powers Act 2016 (IPA 2016) - may acquire CD from telecommunications operators.
- Requests for CD must be approved by the independent Office for Communications Data Authorisations (OCDA), except where they are urgent or are for the purpose of national security, as set out in sections 61 and 61A IPA 2016. Public Authorities are subject to inspection by the Investigatory Powers Commissioners Office (IPCO) with internally authorised applications subject to additional scrutiny.
- In 2022, there were 310,033 applications for CD authorised by OCDA.
Why are changes to the communications data regime needed?
Section 11
- There are two changes to section 11: the first is to define “lawful authority” for the purposes of the section 11 offence and the second is to remove from the scope of the offence the sharing of CD between public authorities.
- Section 11 of the IPA 2016 created a new offence of ‘knowingly or recklessly’ obtaining CD without ‘lawful authority’. However, it does not define ‘lawful authority’ in respect of CD acquisition. There is a definition of ‘lawful authority’ set out in section 6 for the carrying out of interception under the IPA 2016. The new definition will provide clarity and certainty for those who obtain or provide CD under the act.
- At present, government departments are likely to fall within the definition of ‘Telecommunications Operators’ (TO’s) in the IPA 2016 because of the services they offer via digital platforms for citizens to manage their access to public services, for example submitting tax returns, and applying for benefits, passports, or driving licenses.
- The intention behind section 11 was to ensure public authorities had lawful authority before they obtained CD from private sector TOs. It was not the legislative intent to discourage responsible data sharing between public sector organisations. Such sharing is often required to meet their statutory duties and obligations – for example, authenticating an individual’s benefits application against government tax systems and to prevent and detect fraud.
- There is a need to remove the unintended risk for public sector organisations of committing a section 11 offence by receiving CD from another public sector organisation in the exercise of their existing functions.
- The sharing of CD between public authorities will still be required to comply with data protection legislation and will be subject to the oversight of that sharing. There is an agreement between the Investigatory Powers Commissioner (IPC) and the Information Commissioner about their respective roles in that oversight.
Section 12
- Section 12 and Schedule 2 IPA 2016 removed general information gathering powers from public authorities. To compel disclosure of CD from a TO, public authorities must either obtain:
- an IPA authorisation
- a court order or other judicial authorisation
- certain “regulatory powers” relating to the regulation of TOs or Postal Operators or “postal powers”; or
- as secondary data from interception and equipment interference warrants
- As technology and society’s use of technology have developed since the coming into force of the IPA 2016, so the understanding of what will amount to CD, and which organisations will be TOs, has also moved on. As a result, certain bodies with regulatory or supervisory functions, such as those with responsibility for supervising the financial sector and ensuring compliance with Money Laundering and Terrorist Financing Regulations, have found it more difficult to perform their statutory functions as effectively as required.
- For those regulatory or supervisory bodies with IPA 2016 powers, this is an issue – for example, they may be able to acquire CD where there is a serious crime involved, but not if the matter can only lead to the imposition of a civil penalty or large fine.
- For regulatory or supervisory bodies without IPA 2016 powers, they will be unable to carry out their lawful functions due to changes in technology as some of the data for which disclosure is required now falls within the definition of CD and therefore requires an IPA 2016 authorisation.
- The bill therefore seeks to expand the definition of ‘regulatory powers’ to include those with wider, lawfully established and recognised regulatory or supervisory responsibilities, thereby returning their general information gathering powers. This would enable them to gather the information they need to perform their lawful functions where there is no intention to acquire the CD in the course of a criminal investigation.
- Where the purpose of CD acquisition is in the course of a criminal investigation, the Part 3 IPA 2016 authorisation process should still be followed by those organisations authorised under Schedule 4.
Section 261
- The current definition of CD is made up of “Entity data” (for example, phone numbers or other identifiers linked to customer accounts) and “Events data” (for example. the fact that someone has sent or received an email or phone call) with a carve-out to exclude the “content” of a communication.
- At present, section 261 leaves room for some doubt over whether subscriber and account data amounts to CD or could be content in the context of registration details provided in online forms when an individual is setting up an account or taking up a service over the internet. Although the nature of the data itself is such that it should be considered CD, and that was the legislative purpose, it is necessary to make this position clearer in the IPA 2016.
- Due to the complex nature of what is subscriber and account data, this bill will amend section 261 IPA 2016 to remove any potential ambiguity over whether certain data amounts to CD or not. This will provide a clear basis for the acquisition of subscriber and account data as CD and will make it clearer when an error has occurred. This amendment is effectively maintaining the status quo but making the legislative position clearer.
- The amendments to section 261 covering “subscriber data” and “content” will not affect the oversight function of IPCO which continues to inspect and highlight any errors as well as consider and authorise almost all requests for CD.
Internet connection records
- An Internet Connection Record (ICR) is a record of an event held by a Telecommunications Operator about the service to which a device has connected to on the internet.
- Examples can include:
- a record of a website visited, such as a search engine, but not the information that was searched for
- a record of a website visited, but not the articles that were read; or
- a record that a service was accessed, perhaps via an app on a device, but no further details about what actions were undertaken in the app or how it was used
- Internet Connection Records (ICRs) are designed to fill an increasing intelligence gap resulting from communications moving from traditional telephony to the internet, such as the use of instant messaging and voice- over-ip applications rather than traditional text services and telephone calls.
- The way in which the act is currently drafted requires certain thresholds to be met on the ‘known’ elements of the investigation, for example, exactly when a website has been accessed. This limits the ability of operational partners to use ICRs to detect previously ‘unknown’ criminals online.
- The proposed measure aims to allow greater detection of high-impact offenders by removing the requirement to unequivocally know a specific time or times of access, and service in use, and instead allows these factors to be ‘specified’ within the application.
- Examples of this may be where investigators receive intelligence, perhaps from forensic examination of a seized device, about a previously unknown terrorist website, or one providing access to indecent images of children. In such circumstances investigators would wish to detect other potential subjects accessing those internet resources but would lack unequivocal knowledge that the sites were being accessed by others, or exactly when. This additional access condition would allow investigators to progress this investigation using ICRs where currently they could not.
- This change could revolutionise the ability of the NCA and the intelligence agencies to identify serious criminals, including paedophiles and people traffickers, thereby helping to protect victims, and support against threats to the UK’s national security.
- The use of this new condition will still be overseen by the Investigatory Powers Commissioner and is limited just to the intelligence services and the NCA.
Case study: example of proposed ICR use
High-harm fraud often involves online behaviour that could be identified by ICRs. ICRs could be used, for example, to search for devices which were simultaneously connecting to legitimate banking applications and to malicious control points.
Such behaviour could indicate that a financial fraud is in progress. Improved access to ICRs could enable the intelligence services to detect such activity more effectively and to inform LE colleagues of the identity of the potential fraudsters and of any associated organised crime groups.
Flagging suspicious behaviour in that way can lead to action being taken to prevent criminals from defrauding their intended victims.