GCHQ, encrypted chats and IPA 2016

Can Yeginsu and Anthony Jones |

This article was first published on Lexis®PSL on 8 July 2019. Click for a free trial of Lexis®PSL.

Corporate Crime analysis: An open letter signed by over 50 organisations, including Apple, WhatsApp, Liberty and Privacy International, recently called on the UK Government Communications Headquarters (GCHQ) to abandon a proposal to eavesdrop on encrypted chats. Can Yeginsu and Anthony Jones, barristers at 4 New Square Chambers, explain the background to the proposal and consider some of the related legislation in this area.

What is the background to the GCHQ’s plans to eavesdrop on encrypted chats?

In November 2018, a GCHQ discussion paper proposed a system of eavesdropping on encrypted communications services, such as WhatsApp, which would have involved those services being required automatically to copy each communication to a third party as well as the recipient, without the sender or recipient being aware.

What is the legislative framework which would allow the GCHQ to use such powers and what restrictions exist on the use of such powers? Will this be easy to put into practice?

One of the significant aspects of the GCHQ proposal—the so-called ‘ghost protocol’ for the operation of these encrypted services—was that it did not rely upon the existing laws which provide for ‘equipment interference’ (ie lawful hacking) under Part 5 of the Investigatory Powers Act 2016. Instead, the proposal relied upon the consent of the relevant service provider to add the security services as a silent third-party recipient of communications. Were that consent given, it would be a simple software matter to put the system in practice.

What are the key concerns with the use of such powers?

The key concern with such a proposal—communications services facilitating GCHQ eavesdropping without GCHQ needing to go through the ordinary legal channels for authorising surveillance—is that service users suffer all the potential interference with their privacy and freedom of communication with limited legal recourse (since it is their private service provider, rather than a public authority, which is intercepting their communications).

IPA 2016, which regulates the powers of public authorities, including the GCHQ, to use covert surveillance, has proven to be controversial even after it received Royal Assent. What changes have been made after IPA 2016 was enacted to address concerns that the powers it gave public authorities were too wide?

The UK’s regime for surveillance and retention of communications and associated data has consistently been challenged in the past decade, and the Court of Justice gave guidance in a case brought by Tom Watson among others that no EU nation had the power to pass a law which provides for ‘general and indiscriminate retention’ of communication and location data, requiring instead limits of strict necessity referable to objective criteria.

The Data Retention and Acquisition Regulations 2018, SI 2018/1123 (which entered into force on 31 October 2018) seek to give effect to that limit, by amending the Regulation of Investigatory Powers Act 2000 and IPA 2016, Pts 3, 4. Those amendments include:

  • creating a new power for the Investigatory Powers Commissioner to authorise communications data requests made by a public authority
  • permitting the internal authorisation of requests in cases with urgency or national security where the request is made by the intelligence agencies
  • creating a new threshold of ‘serious crime’, which includes offences in which an adult may be sentenced to imprisonment for at least twelve months and any offence committed by a body corporate removing three of the previous statutory purposes for retaining and acquiring communications data (ie public health), collecting any tax or other charge payable to a government department and exercising functions relating to the regulation of financial services and markets or financial stability
  • seeking to enhance the transparency of the retention regime by providing additional considerations that must be taken into account by the Secretary of State before a retention notice is issued to a telecommunications or postal operator

Interviewed by Alex Heshmaty.

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.