UK surveillance law still full of holes, watchdog warns

The UK’s Investigatory Powers Act 2016 (IPA) has several regulatory gaps that must be plugged in future legislative reforms, according to Investigatory Powers Commissioner (IPC) Sir Brian Leveson.

In his annual report published this week, the watchdog said the Investigatory Powers (Amendment) Act 2024 (IPAA) failed to plug holes left behind by the original legislation, adding that any future reforms should be enacted by the Home Office.

For example, privileged information shared by foreign partners is currently not overseen by the IPC. It’s common practice for national intelligence agencies, such as GCHQ, to receive reports from allies overseas, including from those in the Five Eyes alliance.

These reports often contain the kind of privileged information that, in the UK, would require permission from a judicial commissioner, under the IPA, to acquire. Given that this information is handed to intelligence agencies without such authorization, and stored for later use, this presents a loophole through which sensitive information can escape regulatory oversight.

The IPC specifically named GCHQ in its example, noting that GCHQ has voluntarily disclosed its receipt and retention of this information to a judicial commissioner – as it would for data acquired through its own warrants – despite no legal requirement to do so.

Another potential regulatory gap highlighted in the report concerns the UK intelligence community (UKIC) not having to disclose serious data breaches, provided that the breach meets the criteria for a "relevant error" as specified by the IPA.

A relevant error refers to an error made by a public authority in the process of meeting any requirements of the IPA that are also subject to review by a judicial commissioner. It means members of the UKIC – MI5, MI6, and GCHQ – do not have to report serious breaches to the Information Commissioner’s Office if they occur while carrying out activities related to the IPA.

Sir Leveson said the reason the UKIC is afforded this exemption is unclear, and it could open up issues regarding public interest disclosures.

“At present, this means that UKIC could commit a serious personal data breach which might not come to the attention of the competent supervisory authority for data protection unless we refer the matter,” he reported.

“Given the possible sensitivities involved, we are not best placed to do this. This may leave a gap which could be contrary to the public interest.”

The IPC also said the IPA is in need of reform to future-proof it from technological developments, owing to “a complex patchwork of legislation that can be difficult to apply to real operational scenarios and difficult to oversee.”

Further, Sir Leveson noted the IPAA introduced “modest changes” to clear up the ambiguous definitions of communications data (CD), but they don’t fully address the issues facing public authorities and regulators.

Electronic financial transaction data continues to present difficulties. The Home Office has made attempts to clarify what is and is not defined as CD with respect to financial transaction data, but the IPC maintains these efforts do not adequately clear up the legal complexities.

The ambiguity here is a cause of frustration for law enforcement agencies (LEAs), for example, as they are left wondering about the correct legal route for acquiring certain types of data for investigations.

Lingering IT gripes

The IPC once again notes the absence of a plan to replace the aging IT systems used by LEAs to manage and disseminate data intercepted under the IPA, saying this is “unacceptable.”

It has badgered the Home Office, which has managed these systems since 2020. The original target for a central replacement system was 2020, although this was later delayed to 2025/26, and then scrapped in 2024.

The Home Office told the IPC that individual LEAs would be responsible for developing their own system that meets compliance requirements as set out by the Act, and they must use the existing system until then.

The IPC said: “While the existing system is currently stable, and being supported by the Home Office, reliance on this system in the absence of new ones being delivered does remain a significant concern.”

“We recognize the complexity of developing new systems while maintaining operational continuity,” Sir Leveson added. “However, the absence of a coherent and comprehensive plan to ensure all LEAs have sustainable, IPA-compliant systems in place before the current system is decommissioned is unacceptable. We continue to urge the Home Office to treat this matter as a priority.”

Clearing up the debate around Technical Capability Notices

Of particular interest in any current reporting on the IPA are developments surrounding Technical Capability Notices, or TCNs, the legal requirements issued to companies like Apple to hand over data under the IPA.

The IPC declined to offer too much that has not already been said about TCNs, which became a hot topic of discussion this year after Apple was served one in January.

To recap, the Home Office issued Apple with a TCN – a legal order to hand over data under the IPA. The law forbids recipients of TCNs from disclosing the details of those TCNs, or even revealing that they received one.

To that end, exactly what the Home Office demanded from Apple remains a mystery, although it is widely speculated to concern access to encrypted iCloud data. Apple withdrew Advanced Data Protection in the UK following the order.

Sir Leveson welcomed the Investigatory Powers Tribunal’s April ruling, which sided against the Home Office as it sought to prevent the details of the TCN from playing out in public on national security grounds.

“We welcome the decision of the Tribunal to order that the bare facts of the case be disclosed to the public as we consider it is vitally important for there to be a mature and informed public debate about lawful access capabilities,” he wrote.

The main reason the IPC believes this is beneficial is the inaccurate reporting that has surrounded the case. He took issue with the fact that the TCN was referred to essentially as a backdoor for government snooping, describing the nomenclature as crude and erroneous.

“It is important that the public debate is not presented simply as privacy on the one hand, and a government free-for-all on the other,” the IPC wrote. “This cannot be farther from the truth; lawful access can be achieved in a way that strikes a balance between maintaining strong encryption and ensuring law enforcement and the government can protect the public from terrorism, serious crime, and hostile state activity.”

Privacy campaigners and security experts disagree. ®