UK.gov admits Investigatory Powers Act illegal under EU law

Cops to be stripped of powers to OK access to comms data in tweaks to Snooper's Charter


Police forces will no longer be able to grant themselves access to surveillance data if new government proposals to the Snooper's Charter are accepted.

The move is one of a number of proposed changes (PDF) to the data retention rules in the controversial Investigatory Powers Act, which the government has been forced to admit doesn't abide by European laws.

Under surveillance laws, internet firms and telcos must retain communications data for up to a year – and up to now, senior staff in public authorities have been able to rubber-stamp access to this information.

But in a landmark ruling in a case brought by deputy Labour leader Tom Watson last year, the Court of Justice of the European Union deemed indiscriminate data retention illegal.

The court said that access to retained data must only be granted for cases of serious crime, and that authorisation should come from an independent body, not the police or public bodies.

At the time, it wasn't immediately clear what impact the ruling would have on the Investigatory Powers Act, which had only just received royal assent.

Now the government has admitted that "some aspects of the current regime... do not satisfy the requirements of the CJEU's judgment" – in that the IPA doesn't provide for independent authorisation of access requests and that access isn't limited to serious crime.

The Home Office acknowledged that the judgment "is clear that requests to acquire retained communications data must be approved by a court or independent administrative body".

And so it has said that public authorities will no longer be able to authorise requests, and proposed handing that power to a new body, the Office for Communications Data Authorisation, which will sit under the Investigatory Powers Commissioner.

But, the government added, creating such a body will require "significant" effort, which will include setting up IT systems and processes that can handle electronic applications from 600-plus public authorities.

Six months in prison? Sure, that seems serious

The government also set out amendments designed to address the fact that data is not currently retained only in serious cases.

One concession here is to remove the purposes of public health, collecting taxes and financial services and market regulations from the act.

However, the government argued that there are lots of different definitions of "serious", and went ahead and plumped for a low bar: that an adult should be "capable" of being imprisoned for six months.

This was chosen over another possible threshold, that they should "reasonably expect" such a sentence, and is significantly shorter than other definitions of serious crime, which put it at three years in prison.

The Home Office said that threshold "would significantly undermine the utility of communications data in the prevention or detection of crime".

But the proposal was slammed by Liberty director Martha Spurrier. "The government has defined the 'serious crime' exception absurdly broadly – to include crimes punishable by only a few months in prison," she said.

"It fails to propose the robust system of independent oversight that is so vital to protect our rights and ignores other critical changes demanded by the court."

Watson was equally underwhelmed, saying that although the Home Office was making "significant concessions" he would be pushing for greater protections for privacy, as the proposals are "still flawed".

"Ministers aren't above the law – they don't get to pick and choose which rights violations they address and they can't haggle with the courts to avoid properly protecting people's freedom. All of the fundamental safeguards demanded by the court must now be implemented."

Meanwhile, Open Rights Group director Jim Killock pointed out on Twitter that the publication of the consultation came at a rather inopportune time for civil rights groups to respond.

The consultation closes on January 18. ®
