One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.


Draft Investigatory Powers Bill - evidence to committees

Friday, June 3, 2016 - 14:26

Last month the Government published a draft Investigatory Powers Bill for a period of pre-legislative scrutiny before a full Bill is introduced, expected to be in the Spring of 2016. Various Parliamentary committees are considering different aspects of the Bill.

In our evidence to these committees, Jisc is focussing on the new powers the draft Bill would give the Government to order "telecommunications operators" to prepare for future criminal investigations. In particular:

  • The definition of "telecommunications operator" is much wider than the public electronic communications networks, "ISPs" or "CSPs" that have been covered by previous data retention legislation. It appears to include any organisation that operates a network, including businesses, universities, colleges and the Janet network itself;
  • Any such organisation could, in future, be ordered to implement "filtering arrangements" or "technical measures" to facilitate future warrants to obtain communications data or content respectively. These terms are neither defined nor limited by the text of the draft Bill; only examples are given. It appears that any technically feasible change could be ordered, affecting all communications through the systems, not just those that turn out to be the subject of warrants. If enhanced access to data or content is available, it seems inevitable that it will be discovered and used by criminals, as has happened in the past. Orders that harm the intended function of the network or service (for example by making it less flexible or reliable) are permitted;
  • Organisations will be prohibited from revealing that they have received any type of order. This appears likely to prevent Jisc helping customers and law enforcement authorities, as we do at present, to develop efficient processes and safeguards for criminal investigations. More widely, it is likely to damage trust in all UK organisations falling within the definition of "telecommunications operator", whether or not they have actually received an order.

When the Committees publish the evidence they receive, we'll add links here:

Comments

It may also force the question of how warrant canaries would work in the UK.

So much wasted trust and time.

I suspect it depends on the type of notice. IIUC clause 66 lets you say "we've been ordered to disclose some comms data" (but not whose) whereas clause 77 prohibits you saying "we've received a retention notice". Whether not saying "we haven't..." (i.e. a canary) would be the same offence, I don't know.