Why the UK needs to rethink the Investigatory Powers Act and allow intercept evidence in court


The Investigatory Powers Act 2016 (IPA 2016), now 10 years old, is seriously out of date. It provides the main legal framework within which the police, the intelligence and security services, and the courts access and use evidence in electronic form. Digital evidence now features in 90% of all crimes, from street incidents to those with more obvious high-tech components.

The obsolescence is a function of changes in communications and computer technologies, together with what they have enabled in new social and commercial structures. There are 88 million UK smartphone contracts serving a population of 69 million. Each of these devices records the activities of its owners and, via records of connections to cell masts, shows their movements.

Around 70% of the population uses social media every day. Credit card purchases and travel activities also create potential evidence. Public systems such as ANPR, CCTV and facial recognition add to the mix. Large numbers of commercial companies constantly exchange data with other companies in supply chains. The use of cloud services for processing and storage continues to grow – they are used by 49% of UK adults and 98% of UK businesses. Many will think it commendable that digital forensic technicians are constantly examining new developments for their potential as reliable evidence.

Most people are in favour of the investigating authorities having strong powers and are ready to complain about intelligence failures when crimes appear to have gone undetected. But those same people become alarmed when they realise that powers to hack into their smartphones and computers mean that, without controls, their financial status via banking links, their health records via the NHS App, and their intimate correspondence, photos and downloads are now potentially available to the UK authorities.

The law must be clear and consistent

The simple response is “a balance must be struck”. But law requires clarity and consistency in application, which means highly detailed legislation. What can and cannot be done in specific circumstances? What warrants and authorisations are required? And how does oversight operate? IPA 2016 has 272 sections and 10 schedules providing a density of provisions, definitions and means of oversight. There are also eight Codes of Practice. 

IPA interacts with, among others, the Police and Criminal Evidence Act 1984 (PACE), the Data Protection Act 2018, the Computer Misuse Act 1990, the Criminal Investigations and Procedure Act 2016, and the Criminal Procedure Rules, which govern the activities of the courts. In addition, there are obligations on telecommunications companies, internet service providers (ISPs) and others to collect and retain data, and to have the necessary capabilities to respond to law enforcement and agency orders and requests.

Equipment interference powers are ambiguous

The IPA also set up a proper formal means for authorising official hacking, known as equipment interference. This was very welcome. But at the moment, there are no protocols and procedures about how this can be safely and reliably carried out, in the way there are for acquiring the contents of computers and phones via formal forensics. The current position is that judges are having to interpret “Parliament’s intentions” in now ambiguous legislation for situations that Parliament never anticipated.

Many of the Operation Venetic EncroChat hearings in the UK, which relied on digital evidence obtained by French police from a hacking operation into the EncroChat encrypted phone network, were preoccupied with some of these issues.

At the heart of many of the problems has been the apparent determination to treat “intercept” evidence as different from all other kinds of evidence by declaring it, and any reference to it, inadmissible. The doctrine was introduced in the 1985 Interception of Communications Act, maintained in the Regulation of Investigatory Powers Act 2000 (RIPA) and is currently, somewhat revised, in s56 IPA 2016.

If you acquire content in transit between phones – that is, “intercept” it – it is inadmissible. Capture the same content in storage on a phone that has been seized and forensically examined, or on a phone that has been subject to officially warranted hacking, and the harvested data can be used in evidence.

The problem with interception

Back in 1985, the distinction between admissible “communications data” – who called whom, when and for how long – and inadmissible message content was simple. Phones were analogue and consisted of a microphone, a speaker and a dialler. No local storage. They were physically linked directly by wires, which were switched together at a telephone exchange. Interception was done by placing clips across the transmission line or at the exchange.

Today, voice traffic is digital, as are emails, file transfers, social media postings, web browsing and financial transactions. Phones have significant storage and processing capabilities, and data is carried on cables, which also carry much other traffic that has to be filtered to extract desired material.

Internet exchanges and switches have caching and storage facilities to improve efficiency, and many popular apps, such as email, also use “store-and-forward” techniques. Your email doesn’t go immediately to the recipient. Instead, it goes to a server at the recipient’s ISP, where it is stored until the recipient’s device asks for it. In webmail, the data is permanently stored on the server, as it is under the IMAP email protocol. How, then, do we readily distinguish between admissible stored data and inadmissible data in the course of transmission?

The route attempted by the framers of IPA 2016 was to extend as far as possible the definition of “communications data”. A further problem under the IPA’s predecessor legislation, RIPA, was that the only element of web traffic that was communications data was the URL up to the first forward slash – for example, www.bbc.co.uk/. Prosecutors could say their suspect went to Gmail.com, but not produce the page showing what emails had been sent and received, even if those pages didn’t include message content.

To overcome this, the Home Office produced the notion of an Internet Content Record and other concepts of “secondary” data and “interception-related conduct”. These all sound plausible and reflect investigator requirements, but they do not easily result in material that can be filtered out and produced from the internet datastream.

Blurred boundaries

A 2020 report from the Investigatory Powers Commissioner’s Office (IPCO) said: “Targeted equipment interference applications have the potential to be complex, describing technically complicated and potentially novel actions. This poses a challenge to the authorities applying for warrants because they are required accurately, yet succinctly, to describe the planned operation, as well as providing an appropriate assessment as to the extent of risk for any collateral intrusion.”

It went on to say: “It is also challenging at times to define the boundaries between targeted equipment interference, targeted interception of live-time communications and the field of digital forensics.”

IPCO judicial commissioners have access to a distinguished Technical Advisory Panel, but the very high level of security that members need tends to mean that it excludes anyone with substantial defence witness expertise who might introduce more critical scepticism.

The National Crime Agency’s Operation Venetic in 2020 was the exploitation of the breach of a heavily encrypted smartphone system called EncroChat. The result was the conviction of a large number of serious organised criminals, wholesalers in cocaine, and members of rival gangs taking out contracts against each other and now and then killing innocent bystanders.

The breach, designed by the Dutch, deployed by the French and with the evidence packs supplied to the UK National Crime Agency (NCA) via Europol, used equipment interference techniques. But the methods were labelled by the French national defence as “secret” so that the NCA, prosecutors and the courts did not know how it worked but were asked to accept the results. Much court time was expended in deciding whether the data had been collected from storage, and hence was admissible, or acquired in transit, making it inadmissible.

Ephemeral storage

The courts’ eventual view was that the bulk of the data had existed as storage, albeit very briefly, on the hacked EncroChat phones. The argument was that the phones used end-to-end encryption, so encrypting and decrypting only took place on the phones, but the recovered data was unencrypted, so it must have been stored at some point, however briefly.

The contrary view is that the Dutch/French tool worked by weakening the encryption, so the keys were available to the French to perform decryption at their own facilities, which would have meant the material was caught in transmission and therefore inadmissible. (The actual arguments are more complicated than can be set out here.) No UK person ever had definitive knowledge of how the hacking tool worked.

There were also deep worries about the reliability of the tendered evidence – defence computer analysis, later accepted by the prosecution, showed that the tool frequently broke down so that the record of messages sent and received was incomplete and unreliable.

Presiding judges faced considerable challenges in interpreting the law. Most people will be happy with the specific outcomes of dangerous criminals being convicted, but the worry is that unfortunate precedents may have been set. There were also difficult arguments about the extent of disclosure to defence experts wishing to attempt reverse engineering of the tool.

There are potential long-term problems arising from the “brief temporary storage” argument. ISPs also maintain systems to filter malware and, via Cleanfeed, known child sexual abuse material. Is data capture there “storage”, or is the data “in transmission”?

Should intercept data be admissible in court?

The answer is surely not more complex definitions of “communications data” but to do what happens in almost every other jurisdiction – admit content into evidence. The consequence might even result in a shorter bill than the current IPA 2016.

The arguments historically put forward in the numerous subsequent reviewing committees – transcription costs, storage costs, the problem of making proper disclosure while protecting the privacy of innocent third parties, and revealing methods of interception – no longer make sense.

Transcription costs: Back in 1985, it meant someone listening to lengthy taped voice conversations and typing them out, but digital material doesn’t need transcription and voice-to-text software is now extremely accurate.

Storage costs: This used to mean quantities of magnetic tape or paper bundles, but today a fingernail-sized 1TB micro SDXC card costs £90 and can hold 500 million pages of simple text, 100 million formatted pages or over 500 movies, each one hour long. A 10TB external hard disk costs £200.

Making proper disclosure while protecting the privacy of innocent third parties: This is an existing difficulty for stored digital data, including that on smartphones, PCs and corporate systems. It is not unique to intercept material. AI techniques for searching against criteria can assist.

The revelation of methods of interception: Most interception will take place at the premises of and in association with the equipment owned by telecommunications companies and major ISPs, including social media. There are published standards – by ETSI and CALEA – for how intercept data can be reliably captured and preserved, and specialised acquisition hardware and software are widely available. Where these are not used, prosecutors can still make Public Interest Immunity applications for non-disclosure. 

While intercept evidence is inadmissible, the far more intrusive harvest from equipment interference is admissible under Part 5 IPA 2016. Intercept evidence is limited to what is happening at a precise moment. Equipment interference evidence collects huge quantities of stored data of what occurred in the past, and also reveals credential details to access third-party computer systems for banking, health, social media and cloud-based stored data. It may even link to a target’s employer’s computer systems.

Law revision falls to the Home Office. The current home secretary, Shabana Mahmood, and her House of Lords colleague, David Hanson, have some grounding in the issues, as both served on the select committee that reviewed the draft IPA in 2015. Will they now act?


Peter Sommer has acted as an expert in a large number of digital evidence cases over the past 30 years. His account of Venetic/EncroChat can be read here, and his detailed analysis of IPA reform can be read here.


