Historical background

1.  There is nothing new about the use of communications data by the police and other law enforcement agencies and by the intelligence and security services. Since letters were sent and since the first records of telephone calls began to be kept, knowledge of who wrote or spoke to whom, when and how they wrote or spoke, and where they were when they did so—communications data—has been an important tool in the prevention, detection, investigation and prosecution of crime and of threats to the safety of the state. Knowledge of what people wrote or said—the content of communications—has also been valuable but, as we explain more fully later, that has been regulated entirely differently, and access to the content of communications is outside the scope of the legislation we are considering,  It is not, however, beyond the scope of this report. As we explain in Chapter 5, though the distinction between communications data and content is theoretically clear, it may often be possible to draw from communications data inferences which give strong indications and which are evidentially acceptable of the probable nature and purposes of content. One of the more intractable problems we have had to consider is whether and if so how legislation can or should distinguish and proscribe access to data from which such inferences can convincingly be drawn.

2.  During the last century there was virtually no statutory regulation or control of the persons who could obtain communications data and the uses to which it could be put except for the provisions of the Data Protection Acts 1984 and 1998 which dealt with the processing and protection of personal data, and some general information powers in various other Acts, which permitted a few public authorities to access documents.[1] Perhaps because postal and telecommunications services were originally provided by a state-owned monopoly (the Post Office), interception of all types (including access to communications data) was carried out under the Royal Prerogative with oversight by the Judges' Rules. The only practical limitation, from an investigator's perspective, was that it was not always easy for those wishing to access data to know if the data was there to be accessed, and if so, how to access it. They relied usually on the goodwill and cooperation of the telecommunications companies holding the data; short of a court order for the production of evidence, there were only limited powers to compel the companies to disclose whether they had any relevant data and, if they had, to disclose the data itself. Section 45 of the Telecommunications Act 1984 provided that the disclosure of communications data by a person running a public telecommunications system was prima facie an offence. It was, however, permissible to make a disclosure for the prevention or detection of crime or for the purposes of any criminal proceedings, in the interests of national security or in pursuance of a court order. Section 94 of the 1984 Act enables the Secretary of State to issue directions to telecommunications operators in the interests of national security.[2]

3.  In 2000 the Regulation of Investigatory Powers Act (RIPA) was passed. Chapter II of Part I of the Act—sections 21 to 25—for the first time attempted to regulate who could access communications data, what classes of data they could access, for what purposes, and subject to what controls. This chapter came into force on 5 January 2004[3] and is the principal law which currently governs access to communications data. The chapter does not regulate what data must be retained, dealing only with acquisition and disclosure. Importantly, the only data available to be accessed is the data retained by the Communication Service Providers (CSPs) for their own purposes. These provisions impose on them no obligation to retain data they do not need, or to retain it for longer than they need it. A voluntary Code of Practice was introduced in 2003 with telecommunications operators being asked to retain information on a voluntary basis on the understanding that they would be reimbursed for the additional costs incurred.

4.  At the same time there were important developments on the European front. In April 2004 the United Kingdom was one of four Member States of the EU which put forward a proposal for the mandatory retention of data on communications networks for combating crime. This initiative was superseded in September 2005 by a Commission proposal for a Directive which would have the same effect. The United Kingdom then had the Presidency of the EU and, following the London bombings in July 2005, pressed ahead with the proposals. A general approach was agreed in December 2005, and the Directive was adopted on 15 March 2006.[4] This Data Retention Directive (DRD) had to be transposed into national law within 18 months, and the United Kingdom did so by Regulations which came into force on 1 October 2007.[5] These however applied only to fixed network and mobile phones; the Government postponed implementation with respect to "the retention of communications data relating to internet access, internet telephony and internet email". This was generally welcomed by providers, as the provisions relating to fixed network and mobile phones were far easier to implement than those relating to internet access, internet telephony and internet email.

5.  In May 2008 the previous Government announced plans for legislation which would have required communications data to be stored for a year in a purpose-built database. The proposal would also have completed the implementation of the DRD in the United Kingdom. These plans were strongly criticised however, not least by the Information Commissioner. The Government withdrew the proposal, and instead completed the implementation of the DRD by new Regulations[6] which superseded and revoked the earlier Regulations. The 2009 Regulations are those now in force. They require CSPs notified by the Secretary of State to retain the categories of communications data specified in the Schedule for 12 months. Access to the data is governed by RIPA.

6.  In April 2009 the Government put out to consultation a revised plan[7] in which they suggested that there were three possible approaches. The first was the previous proposal of a centralised database, which they said that they did not intend to pursue. The second was "doing nothing"; they said that they would be failing in their duty to protect the public if they "allowed the capability of public authorities to use communications data to degrade." Doing nothing was therefore in their view not an option. This, they said, left "a range of 'middle way' options" on which they were consulting. In fact only one option was put forward: legislation to compel CSPs based in the United Kingdom to collect and keep all data public authorities might need, including third party data crossing their networks, and to make all this data accessible on a case-by-case basis to public authorities "subject to the same rigorous safeguards that are now in place." An additional proposal—scarcely an alternative—was to address "the problem of fragmentation" by requiring CSPs not only to collect and store the data but to match third party data to their own data where it had features in common. The only choice for those who supported the middle way was therefore whether or not the compulsory retention and availability of data should be supplemented by requiring CSPs to process the data.

7.  An analysis of the replies to this consultation paper was published six months later.[8] On the all-important question "Do you support the Government's approach to maintaining our capabilities? Which of the solutions should it adopt?" the Home Office said that 29% of respondents replied Yes, and 38% No—presumably to the first part of the question, since the second is hardly susceptible of a Yes or No answer. The Information Commissioner supported the approach on the basis that he was glad that the Government had abandoned the idea of a single database, but he remained concerned "that the case has yet to be made for the collection and processing of additional communications data for the population as a whole being relevant and not excessive". The Home Office cited this as him replying both "yes" and "no" to the same consultation question.

8.  No legislation was proposed before the 2010 general election. The Coalition Agreement, published in May 2010, stated that "We will end the storage of internet and email records without good reason".[9] The Government took no action in the first session, but the 2012 Queen's Speech announced a draft Communications Data Bill. This was presented to both Houses on 14 June 2012.[10] This Joint Committee was constituted on 28 June 2012 with a remit to consider the draft Bill and report to both Houses by 30 November 2012.

The current position

9.  The annual report of the Interception of Communications Commissioner (IoCC) for 2011 states that in that year 494,078 requests were made for access to communications data. We explain in the following chapter how this figure should be interpreted. On any view it is a major encroachment into individual privacy, but it is far from being the only one, and should be considered in context.

Cheshire Constabulary estimated that in 2011 that there were 1.85 million CCTV cameras in the United Kingdom, 1.7 million of which were privately owned. The quality of the images has greatly improved.[11] In 2008 Transport for London alone had over 10,000 CCTV cameras on its rail network, and all its 8,000 buses have CCTV cameras.

The National Policing Improvement Agency operates a national DNA database, which is one of the world's largest, with profiles on an estimated 5,570,284 individuals as of 31 March 2012.[12] It also operates a national automated number plate recognition system, which by March 2011 was receiving 15 million sightings daily, with over 11 billion vehicle sightings stored.[13] In April 2010 the national fingerprint database contained the prints of 8.3m individuals.[14]

The ELMER database, kept by the Serious Organised Crime Agency (SOCA), includes over 1.5m suspicious activity reports submitted by banks, lawyers, insurance companies etc to combat money laundering.[15]

The National Pupil Database holds information on children in schools in England. It includes detailed information about pupils (pre-school, primary, secondary and further education), their test and exam results, prior attainment and progression for all state schools in England. Attainment data is also held for pupils and students in non-maintained special schools, sixth form and Further Education colleges and (where available) independent schools. The National Pupil Database includes information about the characteristics of pupils in the state sector and non-maintained special schools such as gender, ethnicity, first language, eligibility for free school meals, information about special educational needs, as well as detailed information about pupil absence and exclusions.

Mobile phones not only produce data relating to calls, short message service (SMS) messages and general packet radio service (GPRS) connections but they also leave a detailed trail of information relating to users' locations. CSPs know roughly which cell site each phone is connected to at any given time when the phone is switched on. They keep records of the actual cell sites used when communications are sent to and from the phone. This cell site may not be the site which is nearest to the phone, but it will be the site that sends the strongest signal to the phone. This location data can be used, when a phone is in constant use (for example if data is constantly being "pushed" to the phone) to create a map of approximately where that phone was moment by moment. In areas saturated with cell sites this data can suggest locations to within a 50 metre radius. In sparsely populated areas, however, cell sites may connect with phones that are 25 kilometres away.

10.  The reason for all this intrusion is not simply curiosity, or a desire by the authorities unreasonably to investigate individuals' private lives; though from many of the comments we have read this appears to be the view of a section of the public. The reason is that communications data is an invaluable weapon in the defence of national security and in the fight against crime—especially terrorism and other serious crimes. The intelligence and security services and the police are far and away the main users of communications data. There are not infrequently high profile cases where the importance of communications data to an investigation is clear to all.

In June 2007 a vehicle carrying improvised explosive devices was used in an attack on the main terminal building at Glasgow airport. Communications data was used to identify a bomb factory through analysis of calls from suspects' phones to a letting agency. Items and tools used in the making of devices were found, and forensic evidence tied the suspects to the premises. Communications data, including cell site analysis, identified where, from whom and when the vehicles involved were purchased. Communications data also provided evidence of contact between suspects and in particular identified the prior knowledge of a third party who was directed, via text, to an email account containing instructions detailing how that person should answer questions from the authorities after the event.

In 2002, during the investigation into the murder of Holly Wells and Jessica Chapman in Soham, communications data from their mobiles showed that they had been at or very close to the house of Ian Huntley, suggesting flaws in his alibi. Records of calls and text messages between Huntley and his ex-girlfriend, Maxine Carr, also showed that she was in Grimsby when Huntley killed the victims and that she deliberately misled the police over his whereabouts.

In August 2009 two men in disguises entered Graff Diamonds and stole £40m of jewellery. They left taking a hostage at gunpoint. Shots were fired in the street at those who gave chase. CCTV captured the suspects prior to entering the premises; this showed one using a mobile. A handset was recovered in an abandoned vehicle linked to the attack; from this other handsets were identified. Analytical work on call data established contact with the makeup artist who prepared the suspects' facial masks; a car hire firm used for getaway vehicles; and the locations of the suspects at various times during the robbery.[16]

11.  Less high profile, but no less important, is the use of communications data by Her Majesty's Revenue and Customs (HMRC) to uncover tax evasion. There are also uses of communications data which are not connected with crime, but where lives at risk can be saved: the location of individuals who are threatening suicide, and others in life-threatening situations. At the other extreme there are examples of the use of communications data, much quoted by those opposed to the legislation, which show what can happen if the system is misused or abused, and the safeguards are inadequate or bypassed. The majority of these relate to local authorities, and we deal with them in Chapter 4.

12.  A special mention should be made of the work of the Child Exploitation and Online Protection Centre (CEOP), which uses communications data to detect paedophiles. Mr Davies, the Chief Executive, gave us a particularly startling example of how essential to their work was the ability to reconcile an Internet Protocol (IP) address to an individual.[17]

A child contacted a helpline service online, indicating that he had self­harmed and was intending to commit suicide. This was passed on to CEOP who acquired the communications data to reconcile the IP address to an individual. They did so in a very short space of time and passed it on to the local police force. When they got into the address the child had already hanged himself, but was still breathing. If there had been any delay, or if the child had been unlucky enough to be using one of those service providers that do not keep subscriber data relating to IP addresses, that child would now be dead.

13.  "Exponential" is a word we have heard many times in the course of our inquiry but, as we explain in Chapter 3, it is barely adequate to describe the explosion in communications data over the decade since RIPA came into force. The changes in the forms of communications and the volume of exchanges are such that it is hardly surprising that the Government think it appropriate to amend the law governing access to communications data; and this is what the draft Bill would do.

Our procedure

14.  We put out a call for written evidence, and in response received a great deal of valuable information and many conflicting views. All of this evidence is available on our website, except for two categories. The first of these is evidence which was sent to us in confidence. This has helped to inform us and to form our views, but we have not referred to it specifically in this report. The second category consists of some 19,000 emails we received from individuals in response to prompting from two organisations, 38 Degrees and the Open Rights Group. This reflects the anxiety felt by large sections of the public about intrusion by the authorities into their private lives.

15.  In the course of five months, during two of which one or both Houses were in recess, we held 20 meetings (three of them while the House of Lords was in recess). We heard over 23 hours of oral evidence from 54 witnesses—in some cases more than once. These ranged from officials of the Home Office (the Bill's sponsoring department), the police and representatives of other law enforcement agencies, who strongly supported the Bill, to persons and bodies equally strongly opposed to it. The witnesses included the main United Kingdom CSPs and overseas based email providers and social networks. We concluded by hearing the Home Secretary, who spoke on behalf of the Government. Transcripts of all this evidence are available on our website, but in a few cases we allowed witnesses to give evidence to us in private so that the transcripts could be redacted before publication to remove matters that were commercially sensitive or which could have compromised security. Where redactions have been made, this appears in the transcript. To all our witnesses we are most grateful.

16.  We went on two visits. The first was to the Metropolitan Police Central Intelligence Unit (CIU); the second to Everything Everywhere, the company which owns and operates both the T-Mobile and the Orange networks. We include notes of those visits in Appendices 4 and 5. Of particular value to us was to see in operation the procedure by which the authorities request communications data from CSPs, and the procedure of CSPs in response to those requests. We are grateful to both organisations for their time and trouble.

17.  We asked to see the intelligence service, the security service and GCHQ. Their views on the draft Bill would have been helpful to us. The Home Secretary, in accordance with usual practice, would not permit them to give evidence to us, even in private. She offered us "a general briefing on the threat, particularly that from international terrorism, and the Security Service's role in addressing it, [which] would take place off the Parliamentary estate and would be strictly informal and off-the-record". We did not see that this would advance our scrutiny of the draft Bill, and declined the invitation. The intelligence and security services did however give evidence to the Intelligence and Security Committee. This, like us, is a Committee of members of both Houses of Parliament, but it is not a Parliamentary Committee and reports to the Prime Minister rather than to Parliament. Its inquiry into the draft Bill has been limited to the needs of the intelligence and security services. The conclusions and recommendations of the Intelligence and Security Committee are being published on the same day as this report. We thank the Committee for giving us advance sight of its recommendations.

18.  We also wish to place on record our thanks to our specialist adviser, Mr Martin Hoskins, for the support he provided during our consideration of the draft Bill.

19.  Pre-legislative scrutiny provides the opportunity for members from all sides of both Houses to come together and scrutinise the principle and the detail of potentially sensitive draft legislation. It gives an opportunity to build both Member expertise and political consensus. It allows interested parties from outside Parliament to engage with Parliament's scrutiny process and to help inform Members on the consequences of implementing the proposals. It gives Government the chance to hear the preliminary views of Parliament at a stage when policy can still be amended before the introduction of a Bill proper.

20.  We welcome the Government's decision to publish this Bill in draft form. We hope that Departments from across Government will continue to show a commitment to publishing as much legislation as possible in draft, and that Parliament will continue to take advantage of the opportunities that exist for pre-legislative scrutiny.

2   We have been unable to obtain information about how section 94 of the Telecommunications Act 1984 has been used. The provisions of section 94 permit directions to be given without the need for them to be laid before Parliament if disclosure would be against the interests of national security. A person must not disclose anything done by virtue of section 94 if the Secretary of State has notified him that disclosure would be against the interests of national security. Back

3   The Regulation of Investigatory Powers Act 2000 (Commencement No 3) Order 2003, SI 2003/3140, Article 2. Back

4   Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ L 105 of 13 April 2006, page 54. Even now, over five years after the date for transposition, not all Member States have implemented the Directive; in particular, the German Constitutional Court has ruled that the legislation implementing the Directive in Germany is unconstitutional. Back

5   The Data Retention (EC Directive) Regulations 2007, SI 2007/2199. Back

6   The Data Retention (EC Directive) Regulations 2009, SI 2009/859. Back

7   http://www.homeoffice.gov.uk/documents/cons-2009-communications-data?view=Binary  Back

8   http://webarchive.nationalarchives.gov.uk/+/http:/www.homeoffice.gov.uk/documents/cons-2009-communication-data/cons-2009-comms-data-responses2835.pdf?view=Binary Back

9   "The Coalition: our programme for Government" , 10 May 2010, http://www.cabinetoffice.gov.uk/news/coalition-documents  Back

10   Cm 8359. Back

11   See BBC research in 2009 on the density of local authority-owned cctv cameras: http://news.bbc.co.uk/1/hi/uk/8159141.stm and a Channel 4 News assessment that in 2008 there was a cctv camera for every 14 citizens. http://www.channel4.com/news/articles/society/factcheck+how+many+cctv+cameras/2291167.html Back

12   http://www.npia.police.uk/en/8934.htm  Back

13   http://www.npia.police.uk/en/10505.htm  Back

14   http://www.npia.police.uk/en/10504.htm  Back

15   http://www.publications.parliament.uk/pa/ld201011/ldselect/ldeucom/82/82.pdf  Back

16   This example is taken from the written evidence of the Metropolitan Police. Back

17   Q 1096 Back