Comparative law: chalk and cheese

Charles Russell Brand Image

On the same day as the Telecommunications Regulatory Authority (TRA) of the United Arab Emirates (UAE) announced a ban on BlackBerry Messenger, E-Mail and Web-browsing services from 11 October 2010, the Emirates News Agency (ENA) published a comparative law paper on aspects of US, UK and UAE telecommunications law (see pervious post Blast! BlackBerry blanked for links).  No author is cited on the ENA study, but it seems to imply that the banning of BlackBerry services by the TRA UAE was a regulatory measure that could have been taken appropriately and proportionately by Ofcom under UK telecommunications law.

In this post I set out why I consider this to be a fundamentally mistaken analysis.

Section 132 Communications Act 2003

The UK analysis begins with a discussion of section 132 of the Communications Act 2003, which permits the Secretary of State, upon reasonable grounds where considered necessary to protect against threats to public safety, public health or in the interests of national security, to order that certain networks or services are suspended or restricted.  Immediately it can be seen that the grounds upon which the Secretary of State can act are more narrow than in the UAE, where the TRA UAE can act on the grounds of public interest.  As the provision states that the Secretary of State must only act on reasonable grounds, by implication these must also be published.

Further weight is given to this implied obligation of the Secretary of State (and Ofcom) to publish their reasons for acting from the fact that this section has its roots in European Union law.  The Explanatory Notes that were published with the Communications Bill in the House of Lords state that the clause which was enacted as section 132 was the UK expression of the derogation permitted at Article 3(1) of the Authorisation Directive 2002/21/EC.  This only permits member states of the EU to suspend or restrict networks or services as set out at Article 52(1) TFEU (formerly Article 46(1) TEC), being the public safety, public health and national security grounds.  However, Recital (4) of the Authorisation Directive makes clear that it provides for a regulatory regime which allows operators to “benefit from objective, transparent, non-discriminatory and proportionate rights, conditions and procedures”.

Once ordered, Ofcom is required to give operators directions to implement the Secretary of State’s order.  It should be noted that section 132 (and its sister section, section 133) come under the heading of “Powers to deal with emergencies“.  Headings in statutes in UK legislation can be used as extrinsic aids to interpretation.  Given that other provisions in the Communications Act 2003 and elsewhere provide the regulatory means to obtain communications data or traffic data (which phrases have specific meaning under UK telecommunications law) routinely, a UK court would be likely to find that section 132 only applied to urgent threats requiring imminent action.  It is unlikely that a perceived threat that has been in existence since the introduction of BlackBerries, at least since June 2007 for BlackBerry 8800 or December 2009 for BlackBerry Bold for Etisalat, would be considered to be an emergency. 

Enforcement Powers of Ofcom

As the UK has an authorisation regime, all communications providers must comply with general conditions made by Ofcom under section 45 of the Communications Act 2003.  These are analogous to standard licence conditions for licensed operators.  The ENA paper describes Ofcom’s suspension powers following breaches of these general conditions, as well as conditions dealing with premium rate services or provisions concerning the supply of requested information to the regulator.  This is largely irrelevant when considering the TRA’s actions, other than to note that Ofcom can under certain circumstances order the suspension of services.  However, under UK administrative law, any Ofcom order to suspend services made without reasoning that showed their regulatory action to be objective, transparent, non-discriminatory and proportionate would immediately be vulnerable to an appeal to the Competition Appeal Tribunal (under section 192 of the Communications Act 2003).  Merely stating that a direction was made upon the grounds of public safety, public health or national security would not be sufficient.  No regulatory intervention could be made under UK law on public interest grounds alone.

Interception

The EMA paper faithfully sets out the interception of communications regime under UK telecommunications law.  It notes that interception by a public telecommunications operator in accordance with the terms of a properly authorised warrant is lawful, and notes that public telecommunications operators are required to maintain interception capabilities.  Where necessary, encryption keys and decryption technologies must also be disclosed in order to enable the relevant persons to decrypt interception information obtained by them under a warrant.

Right to Privacy

The starting point for UK telecommunications law on access to communications or traffic data is the right to privacy, which is set out in the Human Rights Act 1998.  This incorporates the European Convention of Human Rights into UK law.  Article 8 of the Convention states:

Article 8 – Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

It is extremely difficult to imagine the circumstances that would need to exist in the UK so that a provision similar to the  TRA’s Article 11.1 of the Policy on Radiocommunications dated 23 July 2008, which prohibits the use of any encryption techniques unless authorised by TRA, would be considered “necessary in a democratic society”.

Divergent Approaches

The laws of the UK start with the presumption that encryption is lawful and permitted.  A regulatory mechanism exists to enable the relevant authorities to obtain access to encrypted communications, and the encryption keys and decryption technologies, where necessary and on an exception basis, in order to monitor or intercept certain communications in the interests of public safety, public health and national security subject to justiciable warrants (see Part IV of the Regulation of Investigatory Powers Act 2000).

 The UK system has recently (18 May 2010) been the subject of a ruling of the European Court of Human Rights (in the case of Kennedy v United Kingdom (Application 26839/05)), where it was determined to be consist with Article 8(2) of the Convention.  The case also illustrates how a citizen can challenge an interception warrant.

The TRA UAE Policy on Radiocommunications describes a fundamentally different approach.  In UAE the default presumption appears to be that encryption is not lawful or permitted.  It is only permitted by the TRA or competent authorities where the encryption is determined not to be a threat to public interest, safety or national security. 

Conclusion

In summary, the UK approach is that communications are a private matter, with the default position that all encryption or signalling methods being lawful unless subject of specific direction in order to protect against threats to public safety or public health or in the interests of national security.

In contrast, the UAE approach is that communications are not a private matter, with the default position that any form of encryption is not lawful, unless permitted by the TRA UAE.  Permission will not be granted if TRA UAE consider that refusing permission would be in the public interest, safety or national security interest.  This is not to suggest that this default position and regulatory approach is wrong, it just tackles the question of lawful encryption in a fundamentally different way from the UK.

What is wrong is to imply that the UAE and UK telecommunications regimes are in any way equivalent or comparable, given these diametrically opposed starting points, merely because both systems provide regulators with similar emergency and enforcement powers.  The approaches to privacy, and the systems that implement them, are as different as chalk and cheese.

Advertisements

Blast! Blackberry blanked?

BlackBerry Bold (Vodafone UK)

Business travellers to the Middle East will know that taxi drivers in the region often need a little assistance.  There does not appear to be any local requirements to pass examinations, yet alone anything as thorough as “The Knowledge” in London.  As a result, I have relied on Google Maps on my Vodafone Blackberry Bold many times to show a driver where I need to go.

This may be the only useful function above that of a standard mobile phone that a Blackberry Bold will serve for visitors to the United Arab Emirates (UAE) from October.  According to announcements made by the Telecommunications Regulatory Authority (TRA) on 1 August 2010 and 2 August 2010, BlackBerry Messenger, E-Mail and Web-browsing services are to be suspended from 11 October 2010. 

From a telecommunications regulatory viewpoint, these statements are extremely disappointing.  Suspending services which will affect an estimated 500,000 end users without a full explanation is not exactly international best regulatory practice, although a strange legal comparison was published by the Emirates News Agency (of which more in a post to be blogged shortly).

Although the TRA has not set out a legal basis for its suspension of BlackBerry services, this can be guessed at from legal materials on the www.tra.gov.ae website.  This includes the licences of the 4 licensed operators.  Taking the licences of the BlackBerry partners, Etisalat and Du, each states at Article 8.2:

The Licensee shall comply with any directions as the TRA or other competent authority may issue from time to time on matters relating to public interest, safety and/or national security.  The Licensee also undertakes to install at its own expense any equipment required to allow access to its Telecommunications Network and/or the retrieval and storage of data for reasons of public interest, safety and national security.  This obligation shall extend to the provisioning of the facilities terminating at the premises of a competent authority and shall be provided without charges of any kind.  Furthermore, the Licensee shall not undertake to provide any services which do not meet the requirements of any competent authority responsible for public interest, safety and national security.

A breach of a licence condition which has not been remedied on instruction by the TRA can lead to suspension or revocation of a licence (Article 4(1)(c) and Article 5(1)(c) of the Licensing Regulations (Resolution No. (7) of 2008)).  This would appear to me to be the correct legal basis for the TRA’s current intervention.  Article 4(1)(d), suspension in the national interest, which is mentioned in the Emirates News Agency legal analysis, is in my opinion irrelevant, as is its inclusion of discussions on UAE Public Access Mobile Radio Licence provisions.

Failure by Etisalat or Du to comply with the TRA or other competent authority’s directions on, say, the provision of encryption keys or interception equipment to enable interception of BlackBerry communications in the public interest, safety or national security, would be a breach of Article 8.2. 

Rather than publishing an announcement that a particular service would be banned from a certain date, the TRA might have been expected to issue an instruction (using the wording of the UAE Licensing Regulations) to Etisalat and Du that unless the relevant licensee complied with the directions made under Article 8.2 of their licences in respect of access to BlackBerry communications on a predetermined date, it must suspend the relevant BlackBerry services.  Failure to comply with the instruction by the licensee would risk suspension or termination of its licence. 

In many regimes, there would be statutory notice or remedy periods that a regulatory authority would have to follow before it could suspend or revoke a licence.  Some regimes would require public consultation so that persons affected by the proposed regulatory action could comment.  The TRA in the UAE has the benefit of relaxed regulatory provisions that appear to enable it to act largely within its own discretion.  It may be that the TRA has taken these steps, but on the grounds of public interest, safety or national security has decided not to publish any of the relevant details.

There has been much speculation following the TRA announcements about the response to be expected from Research in Motion (RIM), the BlackBerry company.  Strictly this has nothing to do with RIM – the regulatory measures are addressed to Etisalat and Du, who provide BlackBerry handsets to their customers.  The TRA is therefore incorrect when it states that “some BlackBerry services operate beyond enforcement [of the UAE regulatory framework”, as its own suspension shows.

The fact is that without any public information on the nature of any direction to Etisalat and Du, it is impossible to determine why the TRA or other UAE competent authority cannot obtain the communications or traffic data it requires from RIM (via Etisalat or Du) to satisfy its public interest, safety or national security requirements whilst nearly all other countries, particularly Bahrain, the US and EU member states, appear satisfied that the use of BlackBerry Messenger, E-Mail and Web-browsing is not a threat.  The question as to whether the suspension of BlackBerry services in the UAE is an appropriate and proportionate regulatory measure adopted by the TRA is therefore open.