4 Extra-territoriality in Part 1 of RIPA
(1) Part 1 of the Regulation of Investigatory Powers Act 2000
(communications) is amended as follows.
(2) In section 11 (implementation of interception warrants), after
subsection (2) insert –
- (2A) A copy of a warrant may be served under subsection (2) on a person
outside the United Kingdom (and may relate to conduct outside the
United Kingdom).
(3) In subsection (4) of that section, after "that person" insert
"(whether or not the person is in the United Kingdom)".
(5) In subsection (8) of that section, after "enforceable" insert
"(including in the case of a person outside the United Kingdom)".
(6) In section 12 (maintenance of interception capability), after subsection
(3) insert –
- (3A) An obligation may be imposed in accordance with an order under
this section on, and a notice under subsection (2) given to,
persons outside the United Kingdom (and may be so imposed or
given in relation to conduct outside the United Kingdom).
I did some snipping to get rid of admin stuff, but those terms extend the authority of the UK home secretary to give him jurisdiction on ordering wiretapping outside of the UK. Section 11 of RIPA is about wiretaps, section 12 is about ensuring the ability to have wiretaps.
If this passes, the following will be law in the UK:
(4) Where a copy of an interception warrant has been served by or on behalf
of the person to whom it is addressed on—
(a) a person who provides a postal service,
(b) a person who provides a public telecommunications service, or
(c) a person not falling within paragraph (b) who has control of the
whole or any part of a telecommunication system located wholly or
partly in the United Kingdom,it shall (subject to subsection (5))
be the duty of that person (whether or not the person is in the
United Kingdom) to take all such steps for giving effect to the
warrant as are notified to him by or on behalf of the person to
whom the warrant is addressed.
(8) A person’s duty under subsection (4) to take steps for giving effect to
a warrant shall be enforceable (including in the case of a person
outside the United Kingdom) by civil proceedings by the Secretary of
State for an injunction, or for specific performance of a statutory duty
under section 45 of the Court of Session Act 1988, or for any other
appropriate relief.
To put it plainly, this act, if it passes, will allow the UK to seek civil redress against companies that have no link to the United Kingdom if they refuse to spy on their users, so long as they can argue that some part of the communications system is in the UK. To me, that reads like it will be valid if there are users in the UK.
> To me, that reads like it will be valid if there are users in the UK.
There's even better: applying it if the company's packets ever transit through the UK (since that means "[some] part of a telecommunication system partly in the United Kingdom").
And IIRC it just happens that most of the backbone capacity between US and EU goes through the UK.
Yeah, there's a clever trick hidden in there. You can be liable if you control part of a system that is partially located in the UK. It doesn't actually say you have to control the part located in the UK.
>will allow the UK to seek civil redress against companies that have no link to the United Kingdom //
No, not "no link" as you assert. Instead the S8 you quote says they must have whole or partial control of a telecoms system located at least partially in the UK. [There's clearly no point in having powers over those who don't control the system as they're useless in getting information/control from that system.]
It's right that a company acting in the UK - eg offering a service to users, those users being in the UK - should come under UK law IMO, that's sovereignty.
I'm not comment on the other aspects only the jurisdiction aspect here.
offering a service to users, those users being in the UK should come under UK law
This is an attractively simple but terrible line of thinking. It implies that everyone is e.g. obliged either to block Chinese users or obey Chinese censorship (and infosurveillance) law.
Global jurisdiction is bad enough when it's just the US. If every country's jurisdiction extends to every website, that's a disaster. It's entirely possible for countries to have laws that are completely incompatible: http://blogs.msdn.com/b/oldnewthing/archive/2003/08/22/54679...
I actually don't have a problem with those things mentioned in the MSDN article. If you want to do business in different countries I think you should expect to make some effort to abide by the laws and customs of those countries. If India, for example, want to block your software because it shows a particular border then why should "but we made it in USA" make any difference at all - India is a democratic sovereign nation, no?
A mere informational website? Well it's a problem, if you simply off-shore a news server to by-pass reporting restrictions and such that clearly makes a mockery of the legal system and those it's seeking to protect. To me it's fine to serve up that news if you don't undergo business in the country in which the legal blocks have been put in place.
If you expect anyone to abide by any laws online then how are you going to square this except by user origin, where the actions become realised.
There's an interesting way of interpreting the definitions here.
See (4)(b) in the parent comment, where it says "a person who provides a public telecommunications service"?
The definition of "public telecommunications service" is found in s2(1) of RIPA. Selected elements are cut'n'pasted below:
"public telecommunications service" means any telecommunications service which is offered or provided to, or to a substantial section of, the public in any one or more parts of the United Kingdom";
"telecommunications service" means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service) [amended by this new Bill to include] "any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system"
"telecommunication system" means any system (including the apparatus comprised in it) which exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy.
IANAL, but the inclusion "or elsewhere" in that last paragraph suggests to me that it doesn't matter where the system is based.
I'm imagining that the use case scenario for this would be where the UK authorities have identified a terrorist suspect who they think might be communicating with his fellow terrorists via an SSL-enabled website (for the sake of argument, let's call it PuffinParty.com) that's based overseas, with no offices, employees or other presence in the UK. The terrorist suspect's laptop has rock-solid security, preventing endpoint interception and/or a MITM attack.
Let's say PuffinParty.com, like most websites, offers its services to anyone with a valid credit card - i.e. it offers a service to the public in the United Kingdom. That makes it a "public telecommunications service".
Let's say PuffinParty.com users can send private messages to one another. That makes it a "telecommunications service" and its back-end is a "telecommunications system".
So, it looks like this law would allow the UK authorities to serve an interception warrant on PuffinParty.com's CEO. If the CEO ignores the warrant, the Secretary of State could seek an injunction. If the CEO ignored the injunction, that could presumably result in him being held in "contempt of court", leading to the issuance of a warrant for his arrest, which could be exercised the next time they visit or pass through the UK?
If this passes, the following will be law in the UK:
To put it plainly, this act, if it passes, will allow the UK to seek civil redress against companies that have no link to the United Kingdom if they refuse to spy on their users, so long as they can argue that some part of the communications system is in the UK. To me, that reads like it will be valid if there are users in the UK.