The UK's Regulation of Investigatory Powers Act 2000 (RIPA) sets out sweeping reforms to the UK's interception of communications regime.
The Act provides the legal basis on which communications can be monitored, so long as the monitoring is necessary and proportionate to prevent and detect serious crime and terrorism.
The Regulation of Investigatory Powers Act 2000 (RIPA) places certain duties upon the digital communications industry to release confidential information about their customers, hand over electronic data protected by encryption or passwords, and introduce surveillance measures across their networks.
Interception, disclosure of data, surveillance and encrypted data
RIPA makes provision for and about the interception of communications, the acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic data protected by encryption or passwords may be decrypted or accessed; provides for Commissioners and a tribunal with functions and jurisdiction in relation to those matters, to entries on and interferences with property or with wireless telegraphy and to the carrying out of their functions by the Security Service, the Secret Intelligence Service and the Government Communications Headquarters.
Unlawful interception of communications
Section 1 of the Regulation of Investigatory Powers Act 2000 creates two offences of unlawful interception. Subsection (1) relates to public postal services and public telecommunications systems, whereas subsection (2) relates to private telecommunications systems. Such offences can only be committed intentionally and without lawful authority, are triable either way, and any prosecution requires the DPP's consent. The maximum penalty on conviction on indictment is imprisonment for a term not exceeding two years or a fine.
Section 3 provides a defence if it is reasonably believed that parties involved in the communication consented to interception. Interception is also permitted under warrant and under Regulations issued by the Secretary of State.
Interception of Communications Commissioner
The Interception of Communications Commissioner plays a vital role in scrutinising aspects of the Security Service's work. His task is to keep under review the issue of warrants for the interception of communications. He also reviews the adequacy of arrangements for ensuring the product of interception is properly handled.
He does this by reviewing the warrant applications that the intercepting agencies have made to the Secretary of State, in order to make sure that the Secretary of State was right to sign the warrants. He also visits the Security Service and other agencies to examine his selection of interception warrants with the officers responsible for the relevant investigations.
The Commissioner's role is defined under RIPA Section 57 which provides for the Prime Minister to appoint the Commissioner, who must hold or have held high judicial office within the meaning of the Appellate Jurisdiction Act 1876. He or she is appointed for a period of three years with the possibility of re-appointment.
The law requires the Security Service to provide the Commissioner with any documents or information he needs to carry out his functions. The Commissioner submits an annual report to the Prime Minister which is subsequently laid before Parliament and published. He includes in this report a review of the interception processes and a summary of the value of the intercepts. He also provides, in a closed annex which is not published, accounts of the operational successes achieved as a result of the interception warrants he has reviewed.
- ISPs now have to provide an interception capability and have one day to provide the mechanism upon request from law enforcement. Intercepted data must be transmitted in real time to the person who was granted the warrant;
- To monitor or record business communications, inform users that this will take place and respect a person’s (including workers’) right to privacy and autonomy. Monitoring must be legitimate and proportionate to the business purposes (e.g. for training, security and quality assurance). See The Telecommunications (Lawful Business Practice) Regulations 2000.
- Passwords for encrypted data must be made available to law enforcement, so a corporate requirement exists to keep keys to servers. Failing this, a certified copy of the plain text document must be supplied.
- Warrants can only be issued by an authorised person, e.g. Director General of Security Services, Chief of Secret Intelligence Service, Commissioner of Police, and the Commissioners of Customs and Excise. The warrant must relate to a specific person and their premises. The Secretary of State can also issue a certificate to intercept all external (to and from UK) communications. The Technical Advisory Board (TAB) oversees this regime.
Part III of RIPA allows a circuit judge to serve a disclosure notice on a person requiring them to disclose the encryption key or the document in intelligible form. Failure to comply may result in a 5-year jail term.
- Communications Data Bill (proposed update to UK interception of communications regime)
Updated 10th June 2013