What is the Crime Overseas Production Order Bill - and why does it matter?


A proposal working its way through the House of Lords would give authorities even more control over user data from Silicon Valley companies


Since 2015 the British government has been in talks with the United States about the passing of a new bill that has the potential to drastically extend the rights of authorities to access user data, without the user being alerted, and making that information legally admissible in court - marking a departure from the covert data scraping that was exposed by the Snowden revelations.

In essence the bill - the Crime (Overseas Production Order), or OPO - proposes a legal mechanism in which authorities can secretly approach companies based in the USA to obtain data on UK citizens in criminal proceedings.

Of course, the very nature of data is transnational, and much of our most critical data - which will be of most interest to prosecutors - will be hosted with companies like Amazon, Facebook, Twitter, and Google.

At present, if British authorities submit data requests to Silicon Valley companies like Google they have to file a request to authorities in California, which must then be sanctioned in the UK and the USA as well. So this bill would expedite the process, which currently takes an average of 12 months, with the proposal promising to bring this down to just weeks or even days.

According to critics of the proposal, which has received little public attention to date, the OPO could threaten journalistic sources, as well as legal privileges, and provide access to extremely confidential information including, for example, medical information.

Rebecca Niblock, criminal law partner at Kingsley Napley, has tracked the proposal closely. As she explains in a blog post: "The House of Lords briefing paper on the new proposals set out the way in which an application for an OPO must specify the data being sought. To grant an OPO, a judge must be satisfied that the data is likely to be of substantial value to the criminal proceedings or the investigation in relation to which it is requested, and that production of the data would be in the public interest.

"Once an order has been authorised the subject of that order should provide the requested data to the investigating or prosecuting authority that applied for the order. This brings the powers of the courts in relation to data stored by companies abroad, where there is an international agreement, into line with those based in the UK."

Lack of outcry

The shortage of attention on the bill is surprising considering the ongoing opposition from civil liberty groups to the Investigatory Powers Act of 2016 - also known as the 'Snoopers' Charter' - and the recent verdict of the European Court of Human Rights that UK authorities' past surveillance practices had breached human rights law.

Still, it's interesting timing, as a recent House of Lords briefing paper details how the Snoopers' Charter does not go far enough, arguing that although data can be acquired overseas for investigation, it cannot be used as evidence in court.

"Why this hasn't received much attention is a slight mystery to me," says Niblock, speaking with Computerworld UK. "I think one of the reasons might be that at the moment it's drafted totally outward-facing, and so it's all about the information the UK can get from the USA - and obviously there's going to be a flip side, the US has said clearly throughout it is going to have to be reciprocal.

"I think it might have got more attention if it was about the US being able to access UK data."

Although citizens might be weary of surreptitious data collection by intelligence agencies in the 'Five Eyes' pact, as revealed by NSA contractor and whistleblower Edward Snowden, there is one key difference here.

"Since Snowden we've understood this is all happening anyway, but the big difference with this is it can be used in court, whereas before it couldn't be used in court, it wasn't admissible evidence," Niblock explained. "It is a huge extension of their powers... and especially given that the person whose data it is may not find out for a long time that their data has been accessed."

GDPR implications

There is also a bitter irony that legislation with such potential for overreach is being proposed just months after the General Data Protection Regulation (GDPR) came into effect across Europe.

The European Production Order recently proposed by the European Commission offers a blueprint for what the final British equivalent regulation might look like after its exit from the European Union. It is reasonable to assume that, as Britain and the Information Commissioner have recommended mirroring European data law surrounding GDPR, there will be some close similarities between the British and European proposals.

The Commission proposes that law enforcement in EU member states will be able to "better track down leads online and across borders, while providing sufficient safeguards for the rights and freedoms of all concerned".

It outlines rules that will make it "easier and faster" for "police and judicial authorities to obtain the electronic evidence, such as emails or documents located on the cloud, they need to investigate, prosecute and convict criminals and terrorists".

The proposal would be cross-border and apply to all member states. One hypothetical could be Turkey joining the EU and then requesting digital information on dissidents in other EU countries, under the pretext of fighting terrorism or crime. Or, says Niblock, Poland today - which has "got real rule of law issues at the moment and without any scrutiny".

"I was looking at the European Production Order and thinking: 'oh, it's quite good we're leaving the EU - that's one bright thing about Brexit'," says Niblock. "Then I found out we are doing exactly the same thing and have been thinking about it - in the government document it says we have been negotiating with the US since March 2015."

Privacy

Aside from the concerns this raises about the privacy of citizens' data, a reciprocal deal being pursued with the USA could also cause clashes between Europe and Britain over the privacy of European citizens' data.

A major concern about the proposal is that non-disclosure agreements would be tacked on to the requests, meaning the data subject has no way to know if their data is being accessed.

"The inclusion of non-disclosure agreements means basically a company like Facebook, or whatever, would not have to disclose the order has been made," says Niblock. This NDA would most likely expire after a given date, but that could be years rather than months.

"I had a client last year who found out that data he had in the US had been seized by US authorities," says Niblock. "[It was] Outlook data, and he got an email a year later saying, by the way, we are informing you of this now."

The proposals could put the Silicon Valley giants in the strange situation of moral arbiter or official gatekeeper to user data and user experience - just as they are under intense pressure from leading politicians in America to crack down on the issue of 'fake news', they are finding themselves stuck at a crossroads and possibly unprepared.

"How is a tech company going to make a decision about legal privilege?" asks Niblock. "Realistically they're not. So, all of the data is going to go to the authority and anything that shouldn't be disclosed like journalistic data, legal privilege, any other confidential, medical data, that's going to be with the authority to then work out the best way of excluding that material without damaging their case."

Regulating the internet

At the turn of 2018 British prime minister Theresa May toured Silicon Valley, which was widely reported as a warning shot that Britain would be attempting to further regulate the internet.

She invoked the reprehensible issues of "child abuse, modern slavery" and the "spreading of terrorist and extremist content". But it is not unprecedented for these universally condemnable issues to be brought up in an attempt to justify or push through draconian legislation that erodes the rights of citizens.

Europe has similarly placed pressure on the Silicon Valley companies about hosting extremist content, although the definition of what is considered extreme or extremist is nebulous.

"Government must have been consulting with the tech companies," says Niblock. "I can't imagine they would come up with this without having had these discussions."

There has been some push back. Fair Trials has brought attention to the OPO, and the Liberal Democrats' Lord Paddick also raised concerns that the proposals could compromise journalists' sources.

What next?

The proposal will enter the House of Commons to be debated in Parliament. It is reasonable to conclude that the contents of the bill will prove largely uncontroversial within the ruling Conservative-DUP coalition, particularly with the track record of the government in its stance on encryption and citizens' right to privacy.

Meanwhile, the chaos surrounding Brexit threatens to overshadow the entire process. What are the worst case scenarios?

Niblock says: "The government will be able to access data with very little scrutiny, or little to no scrutiny, applied at the service provider end. The service provider will then have these obligations to hand over data without having regard to the sort of data that needs to be protected - legally privileged material, journalistic sources, medical information and so on, hugely expanding the amount of information that's available to authorities."

It isn't much of a jump, either, to imagine a scenario where data is collected and organised by the Silicon Valley companies to avoid being swamped by requests from authorities.

How much time is there to challenge the bill? Officially it's hard to say, but it could be just months or even weeks.