Publication - Guidance

Equipment interference code of practice

Published: 20 Dec 2017

Code of practice issued under section 24 of the Regulation of Investigatory Powers (Scotland) Act 2000.

51 page PDF

470.5 kB


2 Scope and definitions

Overview

2.1 This chapter provides guidance on the scope of targeted equipment interference and relevant definitions, and on the circumstances where a targeted equipment interference warrant is required for a relevant agency to undertake related activity.

2.2 Targeted equipment interference describes a range of techniques that may be used by the relevant agencies to obtain communications, equipment data or other information from the equipment. The material so obtained may be used evidentially or as intelligence, or in some cases to test, maintain or develop equipment interference capabilities.

2.3 Targeted equipment interference operations vary in complexity. The relevant agencies may covertly download data from a subject's mobile device when it is left unattended, or they may use someone's login credentials to gain access to data held on a computer. More complex targeted equipment interference operations may involve exploiting existing vulnerabilities in software in order to gain control of devices or networks to remotely extract material or monitor the user of the device.

2.4 For the purposes of the Act, a targeted equipment interference warrant can only be obtained for the purposes of obtaining communications, equipment data or other information.

2.5 Interference with equipment that is not for the purpose of acquiring communications, equipment data or other information will continue to fall within the definition of 'property interference' for the purposes of the Covert Surveillance and Property Interference Code of Practice. For example, disabling an alarm system to allow covert access to a building does not constitute equipment interference, although it may be necessary to interfere with the alarm system (equipment) to acquire equipment data in order to understand the alarm's operating system to enable it to be disabled. In such circumstances, the purpose of the interference is to defeat the alarm system and the acquisition of the equipment data is incidental. To the extent such activities would otherwise be unlawful, they should continue to be authorised under Part 3 of the Police Act 1997 ("the 1997 Act").

2.6 This distinction has been drawn so that the Act can apply tailored safeguards, handling arrangements and oversight to activity where the purpose of the interference is to acquire communications, equipment data or other information from equipment. Different considerations, safeguards and legislation will apply where the purpose of the interference does not fall within those categories.

Equipment

2.7 Equipment is defined in section 135 of the Act. "Equipment" comprises any equipment producing "electromagnetic, acoustic or other emissions" and any device capable of being used in connection with such equipment. "Equipment" for these purposes is not limited to equipment which is switched on and/or is emitting signals but also includes equipment which is capable of producing such emissions.

2.8 The definition of equipment is technology neutral. Examples of the types of equipment captured by the definition include devices that are "computers" for the purposes of the CMA, such as desktop computers, laptops, tablets, smart phones, other internet-enabled or networked devices and any other devices capable of being used in connection with such equipment. Cables, wires and storage devices (such as USB storage devices, CDs or hard disk drives) are also covered as they can also produce "emissions" in the form of an electromagnetic field.

Equipment data

2.9 A targeted equipment interference warrant may authorise the obtaining of communications, equipment data and other information. A warrant may also provide for the obtaining of only equipment data. Equipment data comprises:

  • systems data which is comprised in, included as part of, attached to or logically associated with the communications or information being acquired; and
  • identifying data which is comprised in, included as part of, attached to or logically associated with the communications or information, which is capable of being logically separated from the remainder of the communication or item of information and which, once separated, does not reveal anything of what might reasonably be considered to be the meaning (if any) of the communication or item of information.

2.10 Equipment data is defined in section 100 of the Act. Equipment data includes:

  • Systems data
    • systems data includes two types of data. First, it includes the data which (when a communication is transmitted via a telecommunications system) is comprised in, attached to or logically associated with that communication and is necessary for the telecommunications system to transmit the communication. Second, there is other data comprised in, attached to or logically associated with communications or items of information which enables systems or services to function. While this second type of systems data is not necessary for a transmission system to transmit a communication, it is also not content. These two types of data make up the broader set of information which is called systems data [5].
    • examples of systems data would be:
      • messages sent between items of network infrastructure to enable the system to manage the flow of communications;
      • router configurations or firewall configurations;
      • software operating system (version);
      • historical contacts from sources such as instant messenger applications or web forums;
      • alternative account identifiers such as email addresses or user IDs; and
      • the period of time a router has been active on a network.
  • Identifying data:
    • a communication or item of information may include data which may:
      • be used to identify, or assist in identifying, any person, apparatus, system or service;
      • be used to identify any event; or
      • be used to identify the location of any person, event or thing.
    • In most cases this data will be systems data. There will, however, be cases where this information does not enable or otherwise facilitate the functioning of a service or system and therefore is not systems data. Where such data can be logically separated from the remainder of the communication or item of information and does not, once separated, reveal anything of what might reasonably be considered to be the meaning (if any) of any communication or item of information (disregarding any inferred meaning) it is identifying data.
    • Examples of such data include:
      • the location of a meeting in a calendar appointment;
      • photograph information - such as the time/date and location it was taken; and
      • contact 'mailto' addresses within a webpage.

Telecommunications operator

2.11 There are obligations under Part 5 of the Act which apply to telecommunications operators.

2.12 A telecommunications operator is a person who offers or provides a telecommunications service to persons in the UK or who controls or provides a telecommunications system which is (in whole or in part) in or controlled from the UK. This definition makes clear that obligations in the Act cannot be imposed on telecommunications operators whose equipment is not in or controlled from the UK or who do not offer or provide services to persons in the UK.

2.13 Section 261 of the Act defines 'telecommunications service' to mean any service that consists in the provision of access to, and of facilities for making use of, any telecommunications system (whether or not one provided by the person providing the service); and defines 'telecommunications system' to mean any system (including the apparatus comprised in it) that exists (whether wholly or partly in the UK or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy. The definition of 'telecommunications service' in the Act is intentionally broad so that it remains relevant for new technologies.

2.14 The Act makes clear that any service which consists of or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of a telecommunications system is included within the meaning of 'telecommunications service'. Internet-based services such as web-based email, messaging applications and cloud-based services are, therefore, covered by this definition.

2.15 The definition of a telecommunications operator also includes application and website providers but only insofar as they provide a telecommunications service. For example, an online market place may be a telecommunications operator as it provides a connection to an application/website and because it provides a messaging service.

2.16 Telecommunications operators may also include those persons who provide services where customers, guests or members of the public are provided with access to communications services that are ancillary to the provision of another service, for example in commercial premises such as hotels or public premises such as airport lounges or public transport.

Restrictions on interference with equipment - Computer Misuse Act 1990

2.17 Interfering with the functions of a computer and accessing its data or its programs, where there is no lawful authority to do so, may in certain circumstances amount to a criminal offence. Section 14 of the Act imposes restrictions on the relevant agencies, where it is considered that the proposed conduct would constitute one or more offences under sections 1 to 3A of the CMA. Accordingly, it is important that the relevant agencies understand when a CMA offence is likely to be committed.

2.18 "Computer" is not defined in the CMA; rather the Act relies on the ordinary meaning of the word in the relevant context.

2.19 The offences relating to unauthorised interferences with computers are summarised below.

  • Section 1: Unauthorised access to computer material
  • Section 2: Unauthorised access with intent to commit or facilitate commission of further offences
  • Section 3: Unauthorised acts with intent to impair, or with recklessness as to impairing the operation of a computer
  • Section 3ZA: Unauthorised acts causing, or creating risk of, serious damage
  • Section 3A: Making, supplying or obtaining articles for use in an offence under section 1, 3 or 3ZA.

2.20 The CMA provides that access will not be 'unauthorised' and an offence will not be committed if the conduct in question takes place pursuant to a relevant authorisation.

Mandatory use of targeted equipment interference warrants: Restrictions on interference for the relevant agencies

2.21 Whether a targeted equipment interference warrant is available or required will depend on a number of factors, including whether the CMA is engaged, the relevant agencies making the application, the nature of the targeted equipment interference, where the interference is taking place, where the conduct takes place from, and whether there is a requirement that the activity is covert.

2.22 By virtue of section 14 of the Act, the relevant agencies may not, for the purpose of obtaining communications, private information or equipment data, obtain a property interference authorisation under Part 3 of the 1997 Act if the conduct would (unless done with lawful authority) constitute an offence under the CMA. Where section 14 of the Act applies, the relevant agencies must obtain a targeted equipment interference warrant under Part 5 of the Act to authorise targeted equipment interference, unless the conduct is capable of being authorised under another power (for example if the relevant agencies are exercising any powers of inspection, search or seizure or undertaking any other conduct that is authorised or required under an enactment or rule of law).

2.23 Accordingly, the relevant agencies will apply for a targeted equipment interference warrant under the Act where the CMA is engaged and the conduct cannot be authorised under another power.

2.24 The relevant agencies may only issue a targeted equipment interference warrant if there is a British Islands connection. A British Islands connection exists if:

  • any of the conduct authorised by the warrant would take place in the British Islands (regardless of the location of the equipment that would, or may, be interfered with),
  • any of the equipment which would, or may, be interfered with would, or may, be in the British Islands at some time while the interference is taking place, or
  • a purpose of the interference is to obtain—
    • i. communications sent by, or to, a person who is, or whom the law enforcement officer believes to be, for the time being in the British Islands,
    • ii. information relating to an individual who is, or whom the law enforcement officer believes to be, for the time being in the British Islands, or
    • iii. equipment data which forms part of, or is connected with, communications or information falling within i. or ii. above.

2.25 To further ensure that targeted equipment interference activities are focused on investigations or operations within the British Islands, the relevant agencies should not obtain a targeted equipment interference warrant for interference that takes place outside of the British Islands unless the subject of investigation is a UK national or is likely to become the subject of criminal or civil proceedings in the UK, or if the operation is likely to affect a UK national or give rise to material likely to be used in evidence before a UK court. For example, such circumstances may arise where material is being acquired from equipment in the British Islands, but the equipment is subsequently temporarily taken outside the British Islands and the material continues to be captured [6].

Example: A relevant agency has obtained a targeted equipment interference warrant authorising the acquisition of communications, information and equipment data from a subject's equipment. The subject temporarily leaves the British Islands with the relevant equipment. The law enforcement agency may continue to obtain material from the equipment while the target is outside the British Islands.

Non-mandatory use of targeted equipment interference warrants

2.26 Section 14 of the Act restricts the ability of the relevant agencies to authorise interference with equipment under the 1997 Act. Where the purpose of the interference is to obtain communications, private information or equipment data and the applicant considers the conduct would, unless done with lawful authority, constitute an offence under the CMA, activity which was previously authorised under the 1997 Act should now be authorised under Part 5 of the Act, which is subject to enhanced safeguards tailored for this manner of activity.

2.27 As with existing property interference powers in the 1997 Act, this does not prohibit the relevant agencies from using other powers available to them to access communications, equipment data or other information. In particular, the relevant agencies may continue to exercise their powers of inspection, search or seizure or undertake any other conduct amounting to interference for these purposes that is authorised or required under an enactment or rule of law. For the avoidance of doubt, and notwithstanding any other provisions of this code, a targeted equipment interference warrant will not be required where the interference is authorised under another power.

