Investigatory Powers (Amendment) Bill: Notification Requirement
Updated 26 April 2024
What is the notification requirement?
The notification requirement is an obligation that can be placed on telecommunications operators that provide exceptional lawful access of significant operational value to inform the Secretary of State of changes, including technical changes, that they are intending to make which could affect existing lawful access capabilities. It is intended to provide the Secretary of State, and by extension operational partners, with time to understand the potential impact of the changes and ensure exceptional lawful access can be maintained to keep people safe.
It does not give the Secretary of State any power to intervene in the rollout of these changes nor is their consent required for the rollout to proceed.
The notification requirement will only apply to relevant services provided by the operator, which will not necessarily be all elements of their business. Clear thresholds will be established to define the factors the Secretary of State must consider before placing an operator under the notification requirement – and what factors may trigger it – to ensure that the requirement does not disproportionately affect operators who do not hold operationally relevant data.
Whilst these thresholds will be set in separate regulations in order to futureproof them against future changes in technology, the government expects that, in practice, the requirement will only apply to a relatively small number of companies who routinely provide exceptional lawful access under the Investigatory Powers Act 2016 (IPA 2016).
Indeed, the government intends to discuss with each telecommunications operator the specifics of their obligation before the Secretary of State formally writes to them. These individualised and confidential specifics will be included as part of the formal correspondence from the Secretary of State. There will therefore be sufficient opportunity for the telecommunications operator in question to engage and raise anything that may be practically problematic or that has a wider scope than is obvious from outside. Telecommunications operators have complex structures and overlapping services, and therefore this engagement with them is important for ensuring accuracy in the notification requirement.
What happens under the current regime?
Under the current regime, a telecommunications operator either has a notice or it does not. It should be noted that whether or not an operator has a notice does not affect whether they can be in receipt of IPA 2016 warrants or authorisations.
If an operator is under a technical capability notice, their notice will currently already contain a requirement to notify the Secretary of State, within a reasonable time, of:
- proposed changes to telecommunications services or telecommunication systems to which obligations imposed by a technical capability notice relate
- proposed changes, to existing telecommunications services or telecommunication systems, of a description specified in the notice; and
- the development of new telecommunications services or telecommunication systems
This is laid out in The Investigatory Powers (Technical Capability) Regulations 2018 [footnote 1].
What happens when a notification requirement is submitted by a telecommunications operator?
Once an operator submits a notification of change it is for the Secretary of State and operational partners to assess the impact on existing lawful access. It may be that they ask some follow-up questions of the operator to assist them in better understanding the impact.
There is no ability, within the notification process, for the Secretary of State to delay, prevent, or in any way alter the operator’s intended plans.
Should the Secretary of State wish to intervene in any way with the change the operator intends to make, the Secretary of State would use the notices regimes in the same way that is currently available to them. However, it does not automatically follow that any notified change will result in a notice. As previously mentioned, in the first instance it may be that operational partners merely ask some follow-up questions of the operator to assist in understanding any issues relating to lawful access.
The notifications will also be important in giving operational partners time to adjust their ways of working to ensure the capabilities are maintained throughout the process of, and after, the change taking place.
Why is this being introduced now?
As noted in the Home Secretary’s Report on the Operation of the Investigatory Powers Act 2016 [footnote 2], the “Act has not been immune to changes in technology over the last six years” and there is a risk that some of these technological changes have had a negative effect on law enforcement and intelligence services’ capabilities.
The various forms of notice are a critical part of this as they ensure that law enforcement and the intelligence services have access to the capabilities and communications-related data that they need in order to protect national security and for the purposes of the prevention and detection of crime. It is therefore important that we act to ensure the efficacy of the notices both now and for the future.
In many cases, without the capabilities that are provided by telecommunications and postal operators in accordance with the notices it would not be practicable for operators to give effect to IPA 2016 authorisations and warrants. Nor would it be possible for the public authorities to use the respective powers under the IPA 2016 at the scale and pace required for their investigations.
Who will it apply to?
Whilst an obligation to adhere to the notification requirement could be given to any telecommunications operator as defined in the IPA 2016, in practice we anticipate it only being an obligation for a relatively small number of operators who already provide exceptional lawful access of significant operational value.
The government will be setting thresholds for the notification requirement to ensure that it does not disproportionately or unnecessarily affect operators who do not hold or provide operationally relevant data.
What are the safeguards around its use?
In order to ensure the notification requirement does not disproportionately affect those operators who do not hold any, or do not hold significant quantities, of operationally relevant data, the notification requirement will not be imposed on all telecommunications operators.
The Secretary of State will formally inform an operator that they are bound by the notification requirement. This will include the individualised elements set out above.
When considering whether to issue the notification requirement to an operator, the Secretary of State will consider broadly the same factors as would be considered when issuing a notice. These are:
- the likely benefits of the notification requirement
- the likely number of users (if known) of any telecommunications service to which the notification requirement relates
- the likely cost of complying with the notification requirements; and
- any other effect of the notification requirement on the telecommunications operator to whom it relates
What will the threshold for notification be?
The notification requirement is intended for changes that impact on lawful access and where that outcome can reasonably be anticipated by the operator, even if it is not the primary motivation. This could include changes such as the introduction of privacy and security technologies, but also significant changes to data retention where they impact on exceptional lawful access.
There is no intention for security patches [footnote 3] to be covered by the notification requirement and we would never stop a security patch to a system. We cannot foresee a circumstance in which a security patch would have such sweeping effect.
The notification requirement will set out individualised and confidential specifics for each telecommunications operator and will ensure security patches remain out of scope. These specifics will be drawn up in consultation with the company in question to ensure they have sufficient opportunity to provide input and flag anything that may be practically problematic or that has a wider scope than we appreciate.
Should an operator make changes to a part of their system that is not relevant to lawful access, and therefore not covered by the terms of their notification requirement, they will not need to inform the Secretary of State.
As set out above, given telecommunications operators can provide very different services from each other and therefore very different types of lawful access, there is an inherent need for individualisation of the notification requirement to ensure it is appropriate for the operator in question. This is why the government intends to consult each telecommunications operator on the individualised and confidential specifics of a notification requirement.
Footnotes
1. The Investigatory Powers (Technical Capability) Regulations 2018
2. Home Office report on the operation of the Investigatory Powers Act 2016 (accessible version) - GOV.UK (www.gov.uk)
3. As defined by the National Cyber Security Centre: “A security patch fixes a defect in installed software and leaves the intended functionality of the software unchanged”. Further guidance is available