On the same day as the Telecommunications Regulatory Authority (TRA) of the United Arab Emirates (UAE) announced a ban on BlackBerry Messenger, E-Mail and Web-browsing services from 11 October 2010, the Emirates News Agency (ENA) published a comparative law paper on aspects of US, UK and UAE telecommunications law (see pervious post Blast! BlackBerry blanked for links). No author is cited on the ENA study, but it seems to imply that the banning of BlackBerry services by the TRA UAE was a regulatory measure that could have been taken appropriately and proportionately by Ofcom under UK telecommunications law.
In this post I set out why I consider this to be a fundamentally mistaken analysis.
Section 132 Communications Act 2003
The UK analysis begins with a discussion of section 132 of the Communications Act 2003, which permits the Secretary of State, upon reasonable grounds where considered necessary to protect against threats to public safety, public health or in the interests of national security, to order that certain networks or services are suspended or restricted. Immediately it can be seen that the grounds upon which the Secretary of State can act are more narrow than in the UAE, where the TRA UAE can act on the grounds of public interest. As the provision states that the Secretary of State must only act on reasonable grounds, by implication these must also be published.
Further weight is given to this implied obligation of the Secretary of State (and Ofcom) to publish their reasons for acting from the fact that this section has its roots in European Union law. The Explanatory Notes that were published with the Communications Bill in the House of Lords state that the clause which was enacted as section 132 was the UK expression of the derogation permitted at Article 3(1) of the Authorisation Directive 2002/21/EC. This only permits member states of the EU to suspend or restrict networks or services as set out at Article 52(1) TFEU (formerly Article 46(1) TEC), being the public safety, public health and national security grounds. However, Recital (4) of the Authorisation Directive makes clear that it provides for a regulatory regime which allows operators to “benefit from objective, transparent, non-discriminatory and proportionate rights, conditions and procedures”.
Once ordered, Ofcom is required to give operators directions to implement the Secretary of State’s order. It should be noted that section 132 (and its sister section, section 133) come under the heading of “Powers to deal with emergencies“. Headings in statutes in UK legislation can be used as extrinsic aids to interpretation. Given that other provisions in the Communications Act 2003 and elsewhere provide the regulatory means to obtain communications data or traffic data (which phrases have specific meaning under UK telecommunications law) routinely, a UK court would be likely to find that section 132 only applied to urgent threats requiring imminent action. It is unlikely that a perceived threat that has been in existence since the introduction of BlackBerries, at least since June 2007 for BlackBerry 8800 or December 2009 for BlackBerry Bold for Etisalat, would be considered to be an emergency.
Enforcement Powers of Ofcom
As the UK has an authorisation regime, all communications providers must comply with general conditions made by Ofcom under section 45 of the Communications Act 2003. These are analogous to standard licence conditions for licensed operators. The ENA paper describes Ofcom’s suspension powers following breaches of these general conditions, as well as conditions dealing with premium rate services or provisions concerning the supply of requested information to the regulator. This is largely irrelevant when considering the TRA’s actions, other than to note that Ofcom can under certain circumstances order the suspension of services. However, under UK administrative law, any Ofcom order to suspend services made without reasoning that showed their regulatory action to be objective, transparent, non-discriminatory and proportionate would immediately be vulnerable to an appeal to the Competition Appeal Tribunal (under section 192 of the Communications Act 2003). Merely stating that a direction was made upon the grounds of public safety, public health or national security would not be sufficient. No regulatory intervention could be made under UK law on public interest grounds alone.
The EMA paper faithfully sets out the interception of communications regime under UK telecommunications law. It notes that interception by a public telecommunications operator in accordance with the terms of a properly authorised warrant is lawful, and notes that public telecommunications operators are required to maintain interception capabilities. Where necessary, encryption keys and decryption technologies must also be disclosed in order to enable the relevant persons to decrypt interception information obtained by them under a warrant.
Right to Privacy
The starting point for UK telecommunications law on access to communications or traffic data is the right to privacy, which is set out in the Human Rights Act 1998. This incorporates the European Convention of Human Rights into UK law. Article 8 of the Convention states:
Article 8 – Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
It is extremely difficult to imagine the circumstances that would need to exist in the UK so that a provision similar to the TRA’s Article 11.1 of the Policy on Radiocommunications dated 23 July 2008, which prohibits the use of any encryption techniques unless authorised by TRA, would be considered “necessary in a democratic society”.
The laws of the UK start with the presumption that encryption is lawful and permitted. A regulatory mechanism exists to enable the relevant authorities to obtain access to encrypted communications, and the encryption keys and decryption technologies, where necessary and on an exception basis, in order to monitor or intercept certain communications in the interests of public safety, public health and national security subject to justiciable warrants (see Part IV of the Regulation of Investigatory Powers Act 2000).
The UK system has recently (18 May 2010) been the subject of a ruling of the European Court of Human Rights (in the case of Kennedy v United Kingdom (Application 26839/05)), where it was determined to be consist with Article 8(2) of the Convention. The case also illustrates how a citizen can challenge an interception warrant.
The TRA UAE Policy on Radiocommunications describes a fundamentally different approach. In UAE the default presumption appears to be that encryption is not lawful or permitted. It is only permitted by the TRA or competent authorities where the encryption is determined not to be a threat to public interest, safety or national security.
In summary, the UK approach is that communications are a private matter, with the default position that all encryption or signalling methods being lawful unless subject of specific direction in order to protect against threats to public safety or public health or in the interests of national security.
In contrast, the UAE approach is that communications are not a private matter, with the default position that any form of encryption is not lawful, unless permitted by the TRA UAE. Permission will not be granted if TRA UAE consider that refusing permission would be in the public interest, safety or national security interest. This is not to suggest that this default position and regulatory approach is wrong, it just tackles the question of lawful encryption in a fundamentally different way from the UK.
What is wrong is to imply that the UAE and UK telecommunications regimes are in any way equivalent or comparable, given these diametrically opposed starting points, merely because both systems provide regulators with similar emergency and enforcement powers. The approaches to privacy, and the systems that implement them, are as different as chalk and cheese.