Provision of Real-time Lawful Interception Assistance

REGULATION OF INVESTIGATORY POWERS ACT 2000

The Regulation of Investigatory Powers Act 2000 (RIPA) gives senior cabinet ministers the power to authorise the interception of a person’s communications following an application made by an intelligence or law enforcement agency (LEA).

Under Section 5 of RIPA, any Secretary of State can issue an intercept warrant where he or she believes:

• it is necessary in the interests of national security for the purpose of preventing or detecting serious crime or for the purpose of safeguarding the economic wellbeing of the UK; and

• that the conduct authorised by the warrant is proportionate to its intended purpose.

An interception warrant must name or describe either one person as the interception subject or a single set of premises as the premises in relation to which the relevant interception is to take place (Section 8(1) of RIPA).

However, under Section 8(4)(b) of RIPA, the relevant Secretary of State has broader authority in relation to external communications. He or she may issue a certificate accompanying an interception warrant relating to external communications that provides for the interception of material that he or she considers it is necessary to examine. RIPA defines the term ‘external communication’ as a communication sent or received outside the British Isles (Section 20 of RIPA). The Interception of Communications Code of Practice (IOC COP) states that an external communication does not include communications both sent and received in the British Isles, even if they pass outside the British Isles (page 22 of IOC COP).

Section 11(4) of RIPA establishes a general requirement on public telecommunications service providers in the UK to take all reasonably practical steps requested by the relevant LEA to give effect to an interception warrant.

In addition to the general requirement to assist in giving effect to a warrant under Section 11(4), the Secretary of State may, under Section 12 of RIPA, order a public telecommunications service provider to maintain an interception capability. Under Section 12 of RIPA and the Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002 (SI 2002/1931), the relevant Secretary of State has the authority to order a public telecommunications service provider to maintain the practical capability to assist in relation to intercept warrants. To carry out the order, a notice is given in accordance with the order to the relevant service provider. The powers in question only apply to providers of a public telecommunications service whose service is intended to be provided to more than 10,000 people.

INTELLIGENCE SERVICES ACT 1994

Under Section 5 of the Intelligence Services Act 1994 (ISA), the Secretary of State may, on an application made by the Security Service, the Intelligence Services or GCHQ, issue a warrant in respect of any specified property or in respect of wireless telegraphy. This power may be broad enough to permit the government direct access to Vodafone’s network by the Security Services in some instances. Although large parts of ISA have been repealed, Section 5 is still in force.

A warrant under Section 5 of the ISA will be granted by the Secretary of State if he or she is satisfied that:

• the taking of the action by the Security Service, the Intelligence Service or GCHQ is necessary to assist the particular agency in carrying out any of its statutory functions;

• it is necessary and proportionate to what the agency seeks to achieve and could not reasonably be achieved by other (less intrusive) means; and

• satisfactory arrangements are in place to ensure that the agency will not obtain or disclose information except insofar as necessary for the proper discharge of one of its functions.

Section 11(1)(a) of RIPA provides for the possibility that an intercept warrant can be effected by the LEA or intelligence agency that applied for it without any assistance. One interpretation of this is that in instances where interception takes place via a pre-existing intercept capability, the LEA or intelligence agency need not inform the service provider in question that the intercept has occurred.

Disclosure of Communications Data

REGULATION OF INVESTIGATORY POWERS ACT 2000

RIPA gives LEAs, intelligence agencies and a wide range of other public authorities the legal authority to acquire metadata relating to customer communications. The powers require anyone who provides a telecommunications service to disclose customers’ metadata they possess or are able to obtain. The powers relate to traffic data, service use information and subscriber information, but not the content of the communications.

Under Section 22(4) of RIPA, a notice may be issued by a person holding a prescribed office, rank or position within a relevant public authority designated with the power to acquire communications data by order under Section 25(2) and under the Regulation of Investigatory Powers (Communications Data) Order 2010 (SI 2010/480).

Under Section 22(3) of RIPA, persons within a public authority may be given an authorisation to directly obtain the communications data in question in certain circumstances, for example where notification may prejudice an investigation or operation.

Under Section 22(2) of RIPA, the designated person can only issue a notice or an authorisation where they believe it is necessary on one of eight grounds. These include:

• in the interests of national security;

• to prevent or detect crime or prevent disorder;

• in the interests of the economic wellbeing of the UK; and

• in the interests of protecting public safety or to protect public health.

The designated person must believe that the conduct authorised by the notice or authorisation is proportionate.

National Security and Emergency Powers

TELECOMMUNICATIONS ACT 1984

Under Section 94 of the Telecommunications Act 1984 (Section 94) and after consultation with OFCOM and/or providers of public electronic communications networks, the Secretary of State may give OFCOM or the network provider general directions as he or she believes necessary in the interests of national security or relations with the government of a country or territory outside the UK. Although the Communications Act 2003 superseded most of the Telecommunications Act 1984, Section 94 is still in force.

Under Section 94, if network providers are given directions to do or not do something as directed by the Secretary of State, they must not disclose them if the Secretary of State has notified them that he or she believes that disclosure is against the interests of national security or relations with the government of a country or territory outside the UK. The Secretary of State may, with the approval of the Treasury, make grants to providers of public electronic communications networks to defray or contribute towards any losses the network provider may sustain by reason of compliance with the directions under Section 94.

COMMUNICATIONS ACT 2003

Under Section 132 of the Communications Act 2003, the Secretary of State may require 

OFCOM, the UK’s communications regulator, to give a direction to suspend or restrict the network, services or facilities of an electronic communications network provider or an electronic communications service provider to protect the public from any threat to public safety, to public health or in the interests of national security.

CIVIL CONTINGENCIES ACT 2004

Under the Civil Contingencies Act 2004 (CCA), the government is given broad powers for a limited period of time during civil emergencies. These include the authority to protect or restore systems of communications such as Vodafone’s network. The government’s emergency powers could, in theory, extend to other actions in relation to Vodafone’s network.

As an operator of a public electronic communications network that makes telephone services available (whether for spoken communication or for the transmission of data), Vodafone would be classified as a Category 2 Utility Responder under the CCA (Schedule 1 Part 3 of the CCA).

Under Sections 1 and 19 of the CCA, disruption to a system of communication may constitute an emergency for the purposes of Part 1 of the Act. Part 1 addresses local arrangements for civil protection. Part 2 addresses emergency powers.

Under Section 6(1) of the CCA, the government may require or permit Vodafone to disclose information on request to another organisation or person designated as an emergency responder under the CCA in connection with their functions in the emergency.

Under Sections 20 and 22 of the CCA, the Queen or senior Cabinet ministers (in practice the Home Secretary) may make emergency regulations for protecting or restoring a system of communication if they are satisfied that this is appropriate for preventing, controlling or mitigating an aspect or effect of the emergency in question.

Oversight of the Use of Powers

The judiciary plays no role in the authorisation of interception warrants under RIPA. The Interception of Communications Commissioner, appointed under Section 57(1) of RIPA, keeps under review the exercise and performance of the interception powers granted under RIPA. These include the power of the Secretaries of State to issue intercept warrants and the procedures of the agencies involved in conducting interception. The Commissioner presents an annual report to the Prime Minister which is published on the website of the Interception of Communications Commissioner’s Office.

The Investigatory Powers Tribunal, established under Section 65 of RIPA, hears complaints in relation to powers granted under RIPA. It is also the only forum that hears complaints about any alleged conduct by or on behalf of the British intelligence agencies (MI5, MI6 and GCHQ). It may award compensation, quash intercept warrants or authorisations and order the destruction of any records obtained by an intercept warrant or authorisation. The decisions of the Tribunal are not subject to appeal or questioning by any court in the UK. A decision by the Tribunal not to uphold a claim based on the Human Rights Act 1998 could be taken to the European Court of Human Rights in Strasbourg if certain conditions of that Court were satisfied.

If a public telecommunications service provider believes that a Section 12 of RIPA notice places unreasonable technical and/or financial demands on it, it may refer the issue to a specialist panel of advisors that is set up under Section 13 of RIPA called the Technical Advisory Board (TAB). The TAB reports its conclusions to the relevant Secretary of State, who may either withdraw the notice or issue a new notice. Note that the Section 12 order and notice procedure is outside the remit of the Interception of Communications Commissioner (Section 57(2)(a) of RIPA).

Regarding the disclosure of communications data, under Section 37 of the Protection of Freedoms Act 2012 and Sections 23A and 23B of RIPA, local authorities are required to gain judicial approval from a local magistrate for an authorisation or notice to acquire communications data. There is no judicial oversight in relation to the approval of notices or authorisations issued by law enforcement agencies or intelligence agencies.

The judiciary plays no role in the authorisation of interception warrants under Section 5 of ISA. The Intelligence Services Commissioner, appointed under Section 59(1) of RIPA, keeps under review the exercise and performance of the powers granted by Section 5 of ISA. The Commissioner presents an annual report to the Prime Minister, who lays it before the Houses of Parliament. It is published on the Commissioner’s Office website.

There is governmental oversight in relation to the directions given under Section 94, as the Secretary of State must lay a copy of every direction given before each House of Parliament, unless he or she believes that disclosure of the direction is against:

• the interests of national security;

• relations with the government of a country or territory outside the UK; or

• the commercial interests of some other person.

The CCA sets limits on the emergency regulations that can be made under it (Section 23 of CCA). For example, any emergency regulations must be laid before, and approved by, Parliament as soon as practicable after first being made (Section 26(1)(a)). In any event, they automatically lapse after 30 days (Section 27). Emergency regulations may not amend the Human Rights Act 1998 (Section 23(5)(a)). The Houses of Parliament may pass resolutions cancelling the emergency regulations or amending them (Section 27).

Censorship-related Powers

SHUT-DOWN OF NETWORK AND SERVICES

Communications Act 2003

Under Section 132 of the Communications Act 2003, the Secretary of State may require OFCOM, the UK’s communications regulator, to give a direction to suspend or restrict the network, services or facilities of an electronic communications network provider or an electronic communications service provider to protect the public from any threat to public safety, to public health or in the interests of national security.

BLOCKING OF URLS & IP ADDRESSES

Terrorism Act 2006

Although the government does not have the legal authority to require Vodafone to block IP addresses, a process exists under Section 3 of the Terrorism Act 2006 which allows a police constable to require the removal or modification of terrorism-related material. This provision is designed to apply to the providers of hosting services, rather than those carrying communications and, as such, it is unlikely to apply to Vodafone’s electronic communications network or the provision of electronic communications services.

Where a police constable believes illegal terrorism-related material is available on a website, he or she may serve notice on the person(s) responsible for that material, requiring the material’s removal or modification within two working days. According to official guidance on notices issued under Section 3, such notices can be served on anyone involved in the provision or use of electronic services, including the content provider, hosting internet service providers (except where they are acting as ‘mere conduits’) and webmaster. Therefore, Vodafone could be required by the police to remove or modify illegal terrorism-related material where Vodafone hosts that content. In respect of its network, Vodafone is likely to be considered a ‘mere conduit’.

If a person fails to comply with a notice served under Section 3, he or she will not be able to use the defence of non- endorsement contained in Sections 1 and 2 of the Terrorism Act 2006 should prosecution ensue under those Sections. Therefore, if Vodafone did not comply with a police notice, it would potentially incur criminal liability.

POWER TO TAKE CONTROL OF VODAFONE’S NETWORK

Civil Contingencies Act 2004

Under the CCA, the government is given broad powers for a limited time during civil emergencies. These include the authority to protect or restore systems of communications such as Vodafone’s network. The government’s emergency powers could, in theory, extend to other actions in relation to Vodafone’s network. Part 1 of the CCA addresses local arrangements for civil protection; Part 2 addresses emergency powers.

An emergency is defined in Sections 1 and 19 as:

• an event or situation which threatens serious damage to human welfare in a place in the UK;

• serious damage to the environment of a place in the UK; or

• war, or terrorism, which threatens serious damage to the security of the UK.

Disruption to a system of communication (eg a mobile network) may constitute an emergency for these purposes.

MTPAS

The Mobile Telecommunication Privileged Access Scheme (MTPAS) is an agreed protocol between network operators and the police. MTPAS is designed to address the issue that, when a major emergency incident occurs, mobile networks tend to experience abnormally high concentrations of calls jeopardising the network itself (since the network may not be able to cope with such high volumes of traffic). MTPAS ensures that those providing support to the scene of the emergency incident (such as police and ambulance services) are able to continue using the network.

Under MTPAS, when a major emergency incident occurs, the Police Gold Commander in charge of responding to that incident can notify network operators (including Vodafone) that a major incident has occurred. A provider would then take steps to ensure that the mobile network continues to operate and does not break down under the increased volumes of traffic made by ordinary network users in response to the incident. Individuals with privileged access to the network consist of Category 1 and 2 Responders (as defined in the CCA) and partner organisations directly supporting them at the scene of the incident.

Oversight of the Use of Powers (Censorship-related)

COMMUNICATIONS ACT 2003

Where a provider of a public electronic communications network or service receives a direction under Section 132 of the Communications Act 2003, that provider may appeal that direction to the Competition Appeals Tribunal.

TERRORISM ACT 2006

Part 1 of the Terrorism Act 2006 (including Section 3) is subject to annual review by the Independent Review of Terrorism Legislation. The role of the Independent Reviewer of Terrorism Legislation is to inform the public and political debate on anti-terrorism law in the UK, in particular through regular reports which are prepared for the Home Secretary or Treasury and then laid before Parliament.

CIVIL CONTINGENCIES ACT 2004

The CCA sets limits on the emergency regulations that can be made under it. For example, under Section 27, any emergency regulations must be laid before, and approved by, Parliament as soon as practicable after first being made and Parliament may pass resolutions amending or cancelling those emergency regulations. Section 23 states that emergency regulations may not amend the Human Rights Act 1998. Emergency regulations automatically lapse after 30 days according to Section 26.

Encryption and Law Enforcement Assistance

1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key? 

Yes. Under Part I of the Regulation of Investigatory Powers Act 2000 (RIPA), the government has the power to impose a specific obligation to maintain intercept capability in relation to communications data. This relates to intercepted communications and the more general authority on disclosure of protected or encrypted electronic data (including communications data) under Part III of RIPA.

i. Section 12 of RIPA: Maintenance of intercept capability

Under Section 12 of RIPA and the Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002 (SI 2002/1931) (see ‘Provision of real-time interception assistance’ above), the relevant Secretary of State has the authority to order a public telecommunications service provider to maintain the practical capability to assist in relation to intercept warrants. The order can be carried out by giving a notice in accordance with the order to the relevant service provider.

Paragraph 10 of Part II of the Schedule to the 2002 Order is an obligation on the service provider to ‘ensure that the person on whose application the interception warrant was issued is able to remove any electronic protection applied by the service provider to the intercepted communication and the related communications data’ [emphasis added].

ii. Part III of RIPA: Disclosure of protected or encrypted data

Part III of RIPA sets out the powers under which public authorities or other persons with the appropriate permission may ask persons to disclose protected or encrypted data. Under Section 49(2) of RIPA, a notice requiring disclosure must be served on the person whom it is believed has possession of the code, password or algorithm required to access the protected information. Schedule 2 of RIPA sets out who has the appropriate permission to ask for the disclosure: the police, the National Crime Agency, HMRC and other persons holding office under the Crown.

A Section 49 notice can only be issued if the requirement of disclosure is proportionate to what is sought to be achieved and if it is not reasonably practicable to obtain the protected data in an intelligible form in any other way. In addition, the notice to disclose may only be served:

• in the interests of national security;

• for the purposes of preventing or detecting crime;

• in the interests of the economic wellbeing of the UK; or

• for the purposes of securing the effective exercise or proper performance by a public authority of any statutory power or statutory duty.

When a Section 49 notice is served on a person, he or she is entitled to use any key or password in his or her possession to obtain access to the protected data and disclose the information in an intelligible form, or, alternatively, to disclose the key itself (Section 50(1) and (2)). A person who knowingly fails to make the disclosure required to satisfy the notice is guilty of an offence, punishable by imprisonment or a fine, or both.

The Investigation of Protected Electronic Information Code of Practice states that the National Technical Assistance Centre (NTAC) at Government Communication Headquarters must approve any Section 49 notice before permission is sought for that notice to be served. (However, since the Code of Practice is not binding, NTAC approval is not mandatory.) NTAC is the lead national authority for all matters relating to the processing of protected data into intelligible form.

In terms of judicial oversight, because protected data can be obtained in such a variety of scenarios, the rules on whether judicial approval is required to issue the relevant Section 49 notice are complex. In general terms, a Circuit judge (in England and Wales) can grant written authorisation to a public authority to serve the Section 49 notice. However, sometimes higher judicial approval is required; in other instances, no judicial approval is required. For example, where the protected data is obtained under an intercept warrant, then the Secretary of State who issued the warrant may give permission to issue the Section 49 notice.

Finally, because protected data may be acquired by a range of intelligence agencies, law enforcement agencies and public authorities acting under different parts of RIPA, the exercise of powers under Part III is also kept under review by the Interception of Communications Commissioner, the Intelligence Services Commissioner and the Chief Surveillance Commissioner.

2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?

Vodafone answers this question in two parts:

a. Could a relevant state law enforcement body, intelligence agency or other authorised public body use Part III of RIPA as the legal basis for requiring a telecommunications operator to decrypt data encrypted by third parties?

The current scope of the obligations in RIPA on CSPs in relation to the decryption of encrypted data carried over their networks is set out in the answer to Question 1 above. Public disclosures in recent months during the pre-legislative scrutiny of the Investigatory Powers Bill suggest that the Home Office interprets the decryption obligations in Part III of RIPA to apply to encryption applied by the CSP, not by third parties.

b. What potential does a telecommunications operator have to be required to provide equipment interference or some other form of assistance in order to decrypt data encrypted by third parties?

In certain circumstances, the Intelligence Agencies (the Security Service, the Secret Intelligence Service and GCHQ) and some law enforcement authorities appear to be able to authorise assistance from the telecommunications operator in order to facilitate the implementation of equipment interference powers. However, there is no indication that such powers could be used to oblige a telecommunications operator to decrypt third-party data.

Property and equipment interference powers are set out in:

• the Intelligence Services Act 1994 (ISA) in relation to the Intelligence Agencies; and

• the Police Act 1997 (the PA).

To answer the question, Vodafone will focus on the equipment interference powers (EI) available to the Intelligence Agencies under ISA.

The EI powers were publicly avowed in detail for the first time in February 2015 when the Home Office published a consultation on a draft Equipment Interference Code of Practice, on the same day that the Investigatory Powers Tribunal (IPT) published its second judgment in the action brought by Liberty, Privacy International and others.

During the course of 2015, more information about the statutory basis and operational use of EI powers was placed in the public domain, notably in the Intelligence and Security Committee’s ‘Report on Privacy and Security’ published in March 2015 where details of GCHQ’s activity known as Computer Network Exploitation (CNE) were set out. Submissions by Home Office personnel to the Parliamentary committees reviewing the Investigatory Powers Bill (the IP Bill) since November 2015 have also clarified to some extent the scope of the EI powers under ISA. The IPT judgment in the claim by Privacy International and seven ISPs, dated 12 February 2016, also further clarified the operational scope and statutory basis of CNE.

The Equipment Interference Code of Practice (the EICOP) was finally published in January 2016.

While the focus of this Legal Annexe is in relation to the current legal arrangements under ISA and RIPA, not what is proposed in the revised IP Bill, Vodafone notes that ISA will not be repealed when the IP Bill becomes law, so the EI-related provisions of ISA will remain relevant in the context of the new Investigatory Powers Act in due course.

The EI powers are set out in Sections 5 and 7 of the ISA, with supplementary detail as to process in Section 6. Broadly speaking, Section 5 gives the Secretary of State authority to issue warrants authorising entry into or interference with property or wireless telegraphy in the UK if such action is likely to be of substantial value in assisting the Intelligence Agencies to fulfil their statutory functions. (This is subject to certain requirements including the usual statutory tests and purposes relating to investigatory powers.)

Section 7 provides the Secretary of State with a similar power of authorisation in relation to entry and interference outside the UK. Crucially, any such entry or interference authorised under Section 5 or Section 7 is not unlawful in the UK. This excludes actions from criminal and civil liability, notably under the Computer Misuse Act 1990.

The power to issue a warrant authorising interference contained in Section 5 of the ISA is couched in quite broad terms, and refers to ‘assisting’, as follows:

‘authorising the taking … of such action … in respect of any property so specified or in respect of wireless telegraphy so specified if the Secretary of State … thinks it necessary for the action to be taken on the ground that it is likely to be of substantial value in assisting, as the case may be … the Intelligence Agencies’ [emphasis added].

This wording does not appear to confine the scope of a warrant to authorising only actions undertaken by an Intelligence Agency. The wording of the EICOP underscores this interpretation. It states that property and equipment interference warrants under Section 5 of ISA and authorisations under Section 7 of ISA can be sought not only in respect of members of the Intelligence Agencies, but also in respect of persons acting on their behalf or in their support.

Furthermore, the Home Office’s Investigatory Powers Bill, Government Response to PreLegislative Scrutiny, published in March 2016, in describing how important the cooperation of CSPs is for the use of investigatory powers, states on page 39 that ‘the assistance of CSPs may also be necessary in order to gain direct access to a suspect’s device by using equipment interference powers’.

So, it seems reasonable to assume that the government interprets the EI powers in ISA to include the ability to authorise a CSP’s assistance in implementing equipment interference. There is, however, no indication that such EI powers could also be used to require a CSP to decrypt any third-party data itself. To the best of Vodafone’s knowledge, such a practice has not been publicly avowed during the official disclosures relating to the Investigatory Powers Bill.

3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?

Vodafone’s understanding is that the current powers under RIPA relating to the decryption of protected data (explained in Question 1 above) would apply to a CSP where the CSP is in ‘possession’ of the ‘key’ (both broadly defined in Part III of RIPA) that enables access to protected information.

On the face of it, the provisions of RIPA would not deter a CSP from offering a service that enables third parties to encrypt communications, so long as the CSP did not possess any key to such encryption.

However, to the best of Vodafone’s knowledge, the question of how the relevant provisions of RIPA could be interpreted as applying to the service provider of a service that was end-to-end encrypted (such that keys were only held on a customer’s device) has not been specifically addressed in any publicly available court judgment or in the relevant Home Office Code of Practice.

As RIPA is drafted to be technology neutral, it applies in the same way to BAU and to OTT services.

Investigatory Powers Bill

Vodafone notes that the question of whether the powers set out in the IP Bill could be used to compel a CSP to decrypt end-to-end encrypted data carried over the CSP’s network has remained a prominent issue in the pre-legislative scrutiny phase of the IP Bill, focusing on the meaning of Clause 189 of the IP Bill (now Clause 217 of the revised Bill).

The Home Office’s latest explanation of what is proposed is set out in Sections 6 and 7 of the revised draft EICOP (in relation to the anticipated Investigatory Powers Act) that was published on 1 March 2016, along with the revised IP Bill.

4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.

There do not appear to be any such examples; in fact, in the recent case of Laurie Love v National Crime Agency (NCA), the NCA applied to use ‘old’ legislation in this way and the court rejected its application.

The original seizure warrant was made under the Computer Misuse Act 1990. Mr Love applied for his seized hardware to be returned to him under the Police Property Act 1897 (PPA). Section 1 of the PPA allows an individual to make an application to the court for the return of an individual’s property that is in the possession of the police.

In a hearing on 12 April 2016, the NCA sought a direction from the court that Mr Love provide his passwords in the interests of good case management, on the basis of the court’s case management powers for civil proceedings under Rule 3A of the Magistrates’ Court Rules 1981 SI 552 (as amended). The NCA further relied on the Criminal Procedure (Amendment) Rules 2016 SI 120 to attempt to persuade the court to order the disclosure of the encryption keys or passwords.

Mr Love submitted that the NCA should be making an approach under Section 49 of RIPA instead and that a court direction under its case management powers requiring the submission of the passwords in question would breach:

• Article 1 (respect of human rights);

• Article 8 (right to private and family life);

• Article 1 Protocol 1 rights (the right to property); and

• Section 3 of the Human Rights Act 1998.

The court agreed with Mr Love and rejected the NCA’s application. In its judgment, the court stated at paragraph 10 that ‘the case management powers of the court are not to be used to circumvent specific legislation that has been passed in order to deal with the disclosure sought’, and that the correct approach would be to seek disclosure through the Section 49 procedure under RIPA.

On 10 May 2016, the City of Westminster Magistrates’ Court decided not to grant the NCA’s application for disclosure of encryption passwords from the claimant, Mr Love, in relation to encrypted material on computer hardware previously seized from him.

The judgment to the case is accessible here: https://www.judiciary.gov.uk/wp-content/ uploads/2016/05/love-v-nca.pdf