4 What would the draft Bill change?
Failure to consult
46. The draft Bill would replace Chapter II of
Part I of RIPA, and also other statutory provisions about access
to communications data, with a new statutory regime making important,
controversial and far-reaching changes which would potentially
affect anyone who communicates by electronic means or who accesses
the internet. It would particularly affect the CSPs. It was therefore
unquestionably a prime candidate for wide-ranging consultation
at a stage when policy was still being formulated and could be
amended. This did not happen.
47. The draft Bill could impose substantial obligations
on all major CSPs operating in the United Kingdom, potentially
involving them in re-structuring of their systems, and certainly
requiring a substantial commitment of human, financial and technical
resources. Since they are to be allowed to recoup their expenditure
from the public purse, it would have been to their advantage and
to the taxpayer's if the policy could have been formulated to
allow the greatest benefits for the least expenditure.
48. In the course of three evidence sessions
we took evidence from 12 witnesses from the major United Kingdom
CSPs: BT, Virgin, Vodafone, Everything Everywhere, Telefónica
(O2); and several of the major overseas CSPs: Google, Hotmail,
Yahoo!, Facebook, Twitter, and Skype. The evidence we received
from the first five of these was to the effect that they had meetings
with Home Office officials, sometimes frequent and usually at
a high level, to discuss communications data, but that none of
these dealt specifically with policy formulation; some were before
the draft Bill was published (but not long before), and some were
post-publication. The evidence of Mark Hughes for Vodafone was
typical: "We have regular meetings with the Home Office at
a high level. We have had one meeting with the Home Office, formally,
post the drafting of the Bill, where we had the opportunity to
ask questions. Some of the questions they were not able to answer
for reasons of sensitivity." [49]
49. The position of the overseas based email
service providers was worse, with the first contact from the Home
Office often coming after they first heard that we had invited
these companies to give us oral evidence. Emma Ascroft told us
on behalf of Yahoo!: "We were invited after the Home Office
heard that we had been invited to give evidence to this Committee
... We had had no contact before. We met the Home Office in
March 2011 to discuss the Government's response to the 2009 consultation
on the changing communications environment, which Yahoo! UK responded
to. We asked for a meeting in September, at which point the Home
Office said there was no progress to report ... there was no
further contact. As I said, the meeting we had with the Home Office
was three weeks ago. Again, it was very much presented to us as
our opportunity to ask the Home Office questions. It was not for
the Home Office to consult us on any options."[50]
This too was the position of the social network providers. On
behalf of Facebook, Simon Milner said categorically: "We
had no dialogue with the Home Office before the Bill was published
... we were never asked [for input] and we never provided it."
Similarly, Colin Crowell for Twitter: "We had one conversation
with the Home Office about two and a half weeks ago.[51]
So we, too, were contacted after the
Bill had been published and had one phone conversation with them
about it."[52]
50. We asked Charles Farr about this apparent
lack of consultation. In the case of the United Kingdom CSPs he
said: "We have been meeting regularly with UK CSPs on communications
data over the past few years, and certainly in the run-up to the
Bill. I believe that we shared our broad thinking about what we
had in mind before the Bill was published, and we have followed
that up with more detailed sessions since the Bill appeared ...
but I fully accept that those discussions need to continue and
go into more detail as we get closer to the time when the Bill
is enacted, should it be so."[53]
51. In the case of the overseas providers, Mr
Farr told us that he had read their evidence "with a lot
of interest"; what he told us was almost the opposite of
what they said. He asserted that there had been a total of 30
meetings with them over a two-year period. He conceded that, because
they went back two years, not all of the meetings were on "the
minutiae of the Bill", but all of them were on communications
data.[54]
On the face of it, there is an inconsistency between these two
accounts. But our witnesses from the CSPs assumed, correctly,
that a Committee inquiring into a draft Bill would be asking about
meetings specifically on that Bill.
52. We asked the Home Office for details of the
meetings they had had with Everything Everywhere. They sent us
a list of 22 meetings which had been held since May 2009. The
last five took place after publication of the Bill. Of the other
17, 12 were described as "Forum with key CSPs", the
other five as bilateral with EE. One of these was with James Brokenshire
MP, the Parliamentary Under-Secretary of State responsible for
security. Officials explained that many of these meetings were
wider working group meetings at which communications data was
discussed "so that they [EE] may not recognise them all as
specific Bill meetings". When we put the list to Jonathan
Grayling, the Head of Law Enforcement Liaison at Everything Everywhere
who had given evidence to us, he confirmed that these meetings
did indeed form part of a series of regular meetings with the
Home Office at which they discussed communications data matters
generally and any outstanding problems. While he valued these
meetings, at some of them the draft Bill was only an agenda item,
usually consisting of a legislation update detailing timescales
and high level plans; the meetings did not involve the Home Office
asking for input to the detailed policy and content of the draft
Bill. The meeting with the Minister on 17 November 2011 (also
attended by James Blendis, Legal Vice President, Everything Everywhere)
was the first at which the Bill was discussed; this was at a very
high level, without going into any detail. The first meeting Mr
Grayling described as specifically on the draft Bill was on 2
April 2012 (a meeting not on the Home Office list). This of course
was only a month before the Queen's Speech, and two months before
publication of the draft Bill. Industry was first given sight
of the draft Bill, under embargo, on 7 June 2012, the week before
its publication; this was the first indication they had of how
the Bill was drafted.
53. What is absolutely clear to us is that the
regular meetings with EE and the other major CSPs would have been
an unrivalled opportunity for the Home Office to discuss with
them the evolving policy and content of the Bill, and to seek
their input on the many matters where their technical and general
expertise could have made a valuable contribution; and that this
opportunity was not taken. The draft Bill is the poorer for it.
54. Mr Grayling has told us: "Subsequent
to the publication of the Bill, consultation has increased dramatically,
and we have had a number of useful meetings at the Home Office
(documented in their list) and they have asked us to provide input
into the way the Bill is drafted and any wording/clause amendments
that we feel would be beneficial." We are glad to hear this;
but, of course, the consultation would have been a great deal
more valuable eighteen months ago.
55. Mr Farr told us: "Parliament and others
had a right to see the legislation before we discussed it in detail
with overseas providers."[55]
We do not accept this. Parliament has a right to see, on its introduction,
a Bill which seeks to implement as fully and clearly as possible
the Government's policy, however controversial that policy may
be. If the policy depends to a large extent on whether it can
be implemented by a few major international corporations, not
to consult them in the formulation of the detailed policy seems
unwise. We note that the Intelligence and Security Committee has
come to a similar conclusion.
56. The Home Office should
not have assumed that a consultation paper published in April
2009 could justify publication of draft legislation three years
later without further consultation with the public and with those
most closely affected by its proposals.
57. The evidence we received
shows that United Kingdom CSPs were not given any details about
the possible content of notices before the draft Bill was published,
overseas CSPs were not consulted about the draft Bill at all,
nor was there any further public consultation.
58. Before re-drafted legislation
is introduced there should be a new round of consultation with
technical experts, industry, law enforcement bodies, public authorities
and civil liberties groups. This consultation should be on the
basis of the narrower, more clearly defined set of proposals on
definitions, narrower clause 1 powers and stronger safeguards
which are recommended in this report. The United Kingdom and overseas
CSPs should be given a clear understanding of the exact nature
of the gap which the draft Bill aims to address so that those
companies can be clear about why the legislation is necessary.
59. Even though many of them
are prepared to cooperate on a voluntary basis, they should also
be told what obligations might be imposed on them. For many, their
willingness to cooperate voluntarily will be reinforced if there
is a statutory basis for the requirement.
60. Meaningful consultation
can take place only once there is clarity as to the real aims
of the Home Office, and clarity as to the expected use of the
powers under the Bill. CSPs should be consulted on the basis of
drafts of the specific notices which will be served on them; these
will have the detail of the obligations to be imposed on them,
and enable them to undertake a better assessment of feasibility
and of the resources and timescales involved.
Clause 1: What communications data would be accessible?
THE BREADTH OF CLAUSE 1
61. The provision at the centre of the draft
Bill, on which all else depends, is clause 1. This is headed "Power
to ensure or facilitate availability of data". It allows
the Secretary of State by order to ensure that communications
data is available from telecommunications operators so that it
can be obtained by public authorities. The clause then sets out
the main ways in which it is expected that the power will be exercised.
The Home Office states[56]
that in practice an order is likely to impose requirements on
operators to generate all "necessary" communications
data for the services or systems they provide; to collect "necessary"
communications data, where such data is available but not retained;
to retain the data safely and securely; to process the retained
data to facilitate the efficient and effective obtaining of the
data by public authorities; and other matters.
62. These are wide, general requirements which
will be contained in an order. We have not seen a draft of such
an order, and we have been told that we will not be shown one.
But it is clear that the order will only be a framework. The specific
requirements will be imposed by secret notices by the Secretary
of State. The explanatory notes published with the draft Bill
explain: "The expectation is that notices will therefore
be individually tailored to each system or service (or class of
system or service) in respect of which there is an operational
need for communications data to be available from an operator.
The notices will describe, by reference to each service and system,
the description of data which must be retained, where the data
should be stored and, if necessary, how the data should be collected,
generated and processed."
63. A number of points stand out. First, the
only limitation on what communications data should be made available
is that it should be "necessary". Who decides what is
"necessary", and for what purpose, is not specified;
but as the word appears in the explanatory notes and not in the
clause itself, it provides no reassurance. Secondly, even if we
were able to see a draft order, it would be of limited assistance,
since the requirements themselves will be in notices agreed between
the Home Office and each relevant operator or, if not agreed,
imposed on them. Parliament will not even see, still less have
any control over, such notices. Thirdly, for the first time the
CSPs may have to generate data which they would otherwise not
have generated because there was no commercial need to do so.
This data must be retained for 12 months - longer if it is
required for legal proceedings - and will be available to
the public authorities listed in the draft Bill or added to that
list by order, for the purposes specified in the Bill, and subject
to the safeguards in the Bill.
64. The power of the Secretary of State under
clause 1 has thus been made as wide as possible - deliberately
so, for the reasons we explain later. But the Home Office told
some of the CSPs that they had no intention of exercising the
powers widely, as Sarah Hunter explained on behalf of Google:
"...the intent behind the Bill of the officials we met seemed
to be very narrow and reasonable. When we pointed out that the
powers within the Bill were much broader than that, they could
not quite address why there was such a gap."[57]
65. The Home Office told us almost from the outset
of our inquiry that they had no need to issue notices extending
to a wide range of data, and no intention of doing so; but, as
explained in Chapter 3, they would not tell us publicly what the
gaps were which the notices would be used to fill, because they
did not want to publicise what data they currently cannot access.
They accordingly made this clear only in a confidential annex
to their written evidence. Subsequently however, in the second
public evidence session with Home Office officials, Richard Alcock
said:[58]
"We have had discussions [with CSPs] about the additional
data types that we may wish those service providers to retain -
there is certain information which is not stored routinely
by UK CSPs, in some cases web logs and in some cases IP data ...
In the majority of cases, fundamentally it is about those two
issues, but there is a broad range of other aspects." Charles
Farr endorsed this: "As Richard has said, one of the areas
where we are struggling is IP resolution. It is not the only
area; the web log issue is also important."[59]
Subsequently Charles Farr repeated
this again, adding that there was also the issue of third party
data which needed to be addressed.[60]
66. We address later in the chapter the vexed
issue of whether these data types are all essential. Given the
wide anxiety raised by the breadth of clause 1, we pressed the
Home Office officials as to why it could not be narrowed to cover
only the gaps which currently needed to be filled. Mr Farr's answer
was: "The fundamental reason why we are nervous about limiting
clause 1 is future-proofing ... Because I genuinely believe that
no sooner will you get this legislation through than something
else will come up, given the pace of change in the communications
industry, which will create another gap, particularly if clever
people know that we have filled one area, and so now try to exploit
another. Future-proofing and flexibility are at the heart of the
language we have used in clause 1." He accepted that the
Home Office could and should look again at the drafting of clause 1:
"I still come back to the point that we can look again at
clause 1 and still have future proofing, because I think we need
to emphasise more clearly that the data types we are interested
in are only those which are relevant to these core questions."
We did receive from Mr Farr the important undertaking that Home
Office officials would look at clause 1 again, and advise
Ministers on whether it can be changed, enhanced or improved."[61]
We believe that it can indeed be changed and improved, by being
narrowed to cover specifically the gaps so far identified. An
undertaking, whether by officials or by ministers, that a power
will be used only to a limited extent, is of little value. Once
a power is on the statute book, it is available to be used, and
also to be misused or abused, at any time in the future. It is
hardly surprising that a proposal for powers of this width has
caused public anxiety.
67. We accept that, given the rapidity of technological
change and development in IT, within a relatively short time after
the implementation of any legislation the Secretary of State may
need to be able to order the retention of other categories of
data. We accept too that changes may need to be made from time
to time for other reasons. Neither of these justifies the retention
of clause 1 in its current form. We note that the Intelligence
and Security Committee has come to a similar conclusion and has
recommended that: "more thought is given to the level of
detail that is included in the Bill, in particular in relation
to the Order-making power. Whilst the Bill does need to be future-proofed
to a certain extent, and we accept that it must not reveal operational
capability, serious consideration must be given as to whether
there is any room for manoeuvre on this point: Parliament and
the public will require more information if they are to be convinced."
68. We attach in Appendix 7 a note considering
which Parliamentary procedures might be appropriate for making
such changes while still retaining Parliamentary control and public
confidence. Primary legislation should not in our view be ruled
out; even without having resort to emergency legislation, a department
like the Home Office with Bills every session should not have
much difficulty in securing any necessary changes within a relatively
short time. We can however understand the reluctance of ministers
to be obliged to have frequent resort to primary legislation.
Our recommendation is therefore for an order subject to the super-affirmative
procedure we describe in Appendix 7, allowing full consideration
by Parliamentary Committees. We caution however that this should
not necessarily be assumed to be always a speedier process than
primary legislation. Where the case for change can be made out,
Parliament will have a duty to attempt to expedite the Parliamentary
process, but even so, primary legislation could sometimes be faster.
Of course, the inclusion of an order-making power would not preclude
the Secretary of State from making use of primary legislation
if an appropriate opportunity were to arise.
69. The Home Office was able
to tell us of specific types of data that are currently not routinely
retained for business purposes by United Kingdom (and many overseas)
CSPs and which would be useful to law enforcement and other investigations.
It is the Home Office's intention to issue notices under the Bill
to ensure that an unknown number of CSPs retain these specific
types of data. The Home Office has however made clear to us that
it does not currently need the power under this legislation to
require other types of data be retained, and does not for the
present intend to issue notices going more widely (except to CSPs
which are not covered by the EU Data Retention Directive, which
might be asked under this legislation to retain for 12 months
data which they already create for business purposes). Clause
1 therefore should be re-drafted with a much narrower scope, so
that the Secretary of State may make orders subject to Parliamentary
approval enabling her to issue notices only to address specific
data gaps as need arises.
70. The Home Office has argued
that there is a case for keeping clause 1 wide because there may
be other data types that emerge from time to time which will be
important to law enforcement but will not be routinely retained
by CSPs for business purposes. We do not accept that this is a
good reason to grant the Secretary of State such wide powers now.
We do not think that Parliament should grant powers that are required
only on the precautionary principle. There should be a current
and pressing need for them.
71. We do however accept
that, depending on how the communications world develops, the
Home Office may in future need the power to require the retention
of other data types. Parliament and government both need to accept
that legislation that covers the internet and other modern technologies
may need revisiting and updating regularly. We have considered
how the Secretary of State might be given powers in the future
to allow her to address new and significant data gaps if and when
they emerge. The alternatives seem to be either primary legislation
on each occasion, or a power to amend clause 1 by order subject
to a super-affirmative procedure which would guarantee fuller
Parliamentary consideration than a standard affirmative order.
72. We attach in Appendix
7 a consideration of the relative advantages and disadvantages
of each course. On balance our preference is for an order subject
to the super-affirmative procedure. We recognise that this will
impose obligations on Parliament which it will have a duty to
discharge effectively.
IP ADDRESS RESOLUTION AND WEB LOGS
73. As outlined in paragraph 65, Home Office
officials eventually told us in public evidence that they would
like clause 1 to enable them to access two specific types of data:
subscriber data relating to IP addresses and web logs.
74. Subscriber data relating to IP addresses
is the information that makes it possible to trace who is using
an IP address at a given point in time. An IP address is a numerical
label assigned to a device connected to the internet (e.g. a computer,
smart phone or printer). The IP address of a device is not constant;
it may change frequently and be shared between several devices.
The originating IP address of a communication is routinely gathered
in many types of internet transaction, but if the CSP does not
hold information on which of its subscribers held which IP address
at a particular point in time it is very hard for law enforcement
authorities to prove an association between an action on the internet
and a particular individual. Not all United Kingdom providers
currently obtain all the data necessary to trace which subscriber
is using which IP address. During the course of our inquiry we
heard of various circumstances in which the lack of this data
has impeded investigations. We accept that if CSPs could be required
to generate and retain information that would allow IP addresses
to be matched to subscribers this would be of significant value
to law enforcement. We do not think that IP address resolution
raises particular privacy concerns.
75. We recommend that a narrower
clause 1 should allow notices to be served on CSPs requiring them
to generate and retain subscriber data relating to IP addresses.
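The resolution step described in paragraph 74, as an added example that is not part of the report: given an IP address and a time, find which subscriber held it. The record layout, the account references and the use of source-port ranges to separate subscribers sharing one address are assumptions made for illustration; all sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Allocation:
    """One retained record: who held an address, and when (hypothetical layout)."""
    subscriber: str                          # constructed account reference
    ip: str
    start: datetime                          # inclusive
    end: datetime                            # exclusive
    ports: Optional[Tuple[int, int]] = None  # set only when the address is shared


def utc(*args: int) -> datetime:
    """Build a time-zone-aware UTC timestamp."""
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample data (documentation address ranges).
ALLOCATIONS = [
    # A dynamic address handed from one subscriber to the next at 12:00.
    Allocation("SUB-A", "203.0.113.10", utc(2012, 6, 1, 8), utc(2012, 6, 1, 12)),
    Allocation("SUB-B", "203.0.113.10", utc(2012, 6, 1, 12), utc(2012, 6, 1, 20)),
    # One address shared by two subscribers at the same time.
    Allocation("SUB-C", "198.51.100.7", utc(2012, 6, 1, 0), utc(2012, 6, 2, 0),
               ports=(1024, 32767)),
    Allocation("SUB-D", "198.51.100.7", utc(2012, 6, 1, 0), utc(2012, 6, 2, 0),
               ports=(32768, 65535)),
]


def resolve(allocations: List[Allocation], ip: str, when: datetime,
            port: Optional[int] = None) -> List[str]:
    """Return every subscriber who could have held `ip` at `when`.

    An empty list means no record was retained for that moment; more than
    one entry means the address was shared and the request did not carry
    enough detail (here, a source port) to tell the subscribers apart.
    """
    if when.tzinfo is None:
        # A timestamp without a zone can point at the wrong subscriber
        # when the address changed hands close to that time.
        raise ValueError("timestamp must carry a time zone")
    target = ip_address(ip)
    matches = set()
    for a in allocations:
        if ip_address(a.ip) != target:
            continue
        if not (a.start <= when < a.end):
            continue
        if a.ports is not None and port is not None:
            low, high = a.ports
            if not (low <= port <= high):
                continue
        matches.add(a.subscriber)
    return sorted(matches)


if __name__ == "__main__":
    print(resolve(ALLOCATIONS, "203.0.113.10", utc(2012, 6, 1, 9)))
    print(resolve(ALLOCATIONS, "198.51.100.7", utc(2012, 6, 1, 9)))
    print(resolve(ALLOCATIONS, "198.51.100.7", utc(2012, 6, 1, 9), port=40000))
```
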
76. The term "web logs" is used to
refer to a record of information that relates to a communication
between a user and the internet. This would include connections
to the world wide web (i.e. what websites a person has accessed)
and also contacts with other internet services, such as smart
phone applications.
77. The Code of Practice for the Acquisition
and Disclosure of Communications Data makes clear that this type
of data can be accessed by law enforcement agencies if it is held
by CSPs. It provides that anything before the first "/"
in a website address is considered to be communications data,
and anything after the first slash is considered to be content.
So the fact that a person visited www.nhs.uk is communications
data and could form part of a web log, but it would not be permissible
to record the fact that a person visited www.nhs.uk/conditions/depression.
Under the current law if a CSP keeps web log data for business
purposes then an order can require them to retain that data for
12 months, but if web logs are never generated - and most
CSPs do not generate them for business purposes - there can
be no requirement to make them available.
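The first-slash rule in paragraph 77, as an added example that is not part of the report or the Code of Practice: a web log writer that keeps only the part of an address before the first "/". Dropping the query string, fragment, user credentials and port as well, and discarding entries that cannot be parsed rather than storing them raw, are assumptions of this sketch; function names and sample entries are constructed.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Host names and IP literals only; anything else is treated as unparseable.
_HOST_RE = re.compile(r"[a-z0-9.-]+|[0-9a-f:.]+")


def loggable_address(url: str) -> str:
    """Return the host part of `url`, i.e. what precedes the first "/".

    Path, query string and fragment are removed. A query can follow the
    host with no slash at all (www.nhs.uk?q=...), so cutting the string
    at the first "/" is not enough on its own.
    """
    raw = url.strip()
    if "://" not in raw:
        raw = "//" + raw          # let urlsplit recognise a bare host
    host = urlsplit(raw).hostname  # lower-cased; no userinfo, no port
    if not host or not _HOST_RE.fullmatch(host):
        raise ValueError("no usable host in address")
    return host


def minimise_web_log(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Reduce (timestamp, url) entries to (timestamp, host).

    Entries that cannot be parsed are dropped, so that an unexpected
    address format never causes a full URL to be retained.
    """
    kept = []
    for timestamp, url in entries:
        try:
            kept.append((timestamp, loggable_address(url)))
        except ValueError:
            continue
    return kept


# Constructed sample entries.
SAMPLE = [
    ("2012-06-01T09:00:00Z", "http://www.nhs.uk/conditions/depression"),
    ("2012-06-01T09:01:00Z", "https://www.nhs.uk?q=depression"),
    ("2012-06-01T09:02:00Z", "http:///only/a/path"),
]

if __name__ == "__main__":
    for row in minimise_web_log(SAMPLE):
        print(row)
```
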
78. Sir Peter Fahy, Chief Constable of Greater
Manchester Police, told us that if it were possible to reconcile
IP address and subscriber information and also to identify which
websites were visited by a service user this would resolve the
data gap,[62]
and Peter Davies, Chief Executive of CEOP, agreed,[63]
but neither of them provided examples that proved the importance
of web logs or referred to cases that had been hampered by the
current lack of web log data. The one piece of evidence we saw
that went some way to proving a need was during our visit to the
Metropolitan Police Service,[64]
when officers used real life cases to illustrate how it is hard
to identify whom a suspect is communicating with if those communications
are conducted over the internet on a mobile phone. Those cases
showed that it would be useful to know if suspects were using
a website that allowed them to communicate with others because
the CSP running that website could then be asked for information
about who was contacted. To do this it would be necessary to know
the website visited and the IP address assigned to the suspect
at that time (so the website could be asked to check who the user
of that IP address contacted). This illustrates the Home Office's
case that the need for IP address information and the need for
web log data are connected.
79. The kinds of investigations where it is possible
to imagine web logs being useful include: enabling the identification
of internet services used by a suspect so that further communications
data requests can be made from those services; investigating the
web log associated with a sex offender to determine whether they
had accessed known child abuse websites; and investigating whether
a suspect had accessed a known terrorist website.
80. We have received considerable evidence expressing
concern at the idea of web log data being more widely retained
and made available to public authorities. A submission signed
jointly by representatives from Liberty, Justice, Privacy International,
the Open Rights Group, Big Brother Watch and NO2ID made the case
that web log data should not fall under the definition of communications
data, even though it does already, because it has the potential
to reveal considerable personal information about an individual:
"Throughout her oral evidence the Home Secretary
sought to articulate a distinction between the content of a communication
and the communications data which she characterised as the "who,
when, where, how" of a communication.... A record of the
addresses of websites visited patently reveals a great deal that
is substantive and potentially extremely personal about an individual's
life. An individual's browsing history is liable to betray his
or her political inclinations, state of health, sexuality, religious
sentiments and a huge range of other personal characteristics,
preoccupations and individual interests besides. We fail to see
that the distinction drawn by the Home Secretary can have any
meaning at all if communications data is deemed to include information
of this nature."
81. Retaining web log data would place massive
storage demands on CSPs and this would be costly. Some witnesses
also expressed concerns that the more information that is stored,
and the more sensitive the nature of that data, the greater the
chance of a security breach. Given the potentially sensitive
nature of web logs, a security breach could be particularly damaging
for the individuals whose data was lost. The secure storage of
communications data is addressed in Chapter 5. Briefly, it is
possible (given a willingness to accept the necessary cost) to
achieve a high degree of security of storage. But no one has claimed
or could claim that total 100 per cent security can be guaranteed:
there is bound always to remain the possibility of a breach, whether
as a result of skilled hacking or because of human error or misfeasance.
82. We accept that web logs are a type of communications
data from which significant inferences could be drawn about a
person's interests and, perhaps, activities. Web logs are at the
more intrusive end of the communications data spectrum and it
is at that end that the need for rigorous safeguards is most acute.
Safeguards are discussed in Chapter 5. We believe that the
SPoC and Designated Senior Officer system now in force, if operated
by properly trained and experienced staff, and subject to the
safeguards proposed in the draft Bill and the strengthening of
those safeguards we are recommending, can provide sufficient safeguards
against abuse within the system. The fact that web logs would
be accessible only by certain public authorities, that access would
be on a case-by-case basis and only when access was necessary
and proportionate, and the fact that access would be subject to
independent review, are also important.
83. One way of reassuring civil liberties groups
and more importantly the general public, while at the same time
satisfying the needs of law enforcement agencies, would be to
devise a definition of web service that covered only those that
could be used as a method of communication. This would cover websites
offering e-mail and other messaging services, but not websites
that simply supply information. CSPs could then be required only
to keep web logs in so far as they related to visits to communications
sites. This would however prevent, for example, a CSP from being
required to keep records of visits to a site thought to be accessed
by terrorists unless that site also enabled users to communicate
with each other, or to post messages. Whether or not this would
be technically and operationally feasible, and if it was what
the associated costs would be, is not something that we have had
time to explore.
84. Whether clause 1 should
allow notices that require CSPs to retain web logs up to the first
"/" is a key issue. The Bill should be so drafted as
to enable Parliament to address and determine this fundamental
question which is at the heart of this legislation.
85. The Home Office and law
enforcement agencies and (so far as we know) the intelligence
and security services think that access to web logs is essential
for a wide range of investigations. The civil liberties organisations
argue that web logs are potentially a highly intrusive form of
communications data and that generating and storing web logs gives
rise to unacceptable risks to the privacy of individuals.
86. We are confident that
the safeguards in the draft Bill, together with the recommendations
we make to strengthen those safeguards, can provide a high degree
of protection against abuse of communications data or inadvertent
error by public authorities. We acknowledge that storing web log
data, however securely, carries the possible risk that it may
be hacked into or may fall accidentally into the wrong hands,
and that, if this were to happen, potentially damaging inferences
about people's interests or activities could be drawn. Parliament
will have to decide where the balance between these opposing considerations
should be struck.
87. In 2003, Parliament considered
the Code of Practice for the Acquisition and Disclosure of Communications
Data which included the guidance that web addresses up to the
first "/" should be considered to be communications
data. The presentation of this Bill provides an opportunity for
Parliament to review this controversial issue.
88. We also recommend that
the Home Office should examine whether it would be technically
and operationally feasible, and cost effective, to require CSPs
to keep web logs only on certain types of web services where those
services enable communications between individuals.
THIRD PARTY DATA
89. The Bill is intended to require CSPs operating
in the United Kingdom, whether based here or abroad, to comply
with retention orders served under clause 1 and disclosure requests
made by public authorities. As will be made clear in Chapter 6
there are likely to be significant problems with getting CSPs
based overseas to recognise the extra-territorial application
of United Kingdom legislation, and there will inevitably be cases
where overseas CSPs both refuse to retain the data that the United
Kingdom Government asks them to retain and refuse to disclose
the data that public authorities need. It is not clear, given
the level of informal assistance currently offered by the largest
overseas based CSPs to disclose information to investigators,
especially in urgent cases where lives are at immediate risk,
how significant a problem this actually is. Some overseas based
CSPs are likely to take a more pragmatic approach than others.
It is because of the variable approaches of the different overseas
CSPs to providing communications data that the Home Office argues
that power is also needed under clause 1(3)(c)(ii) to require
United Kingdom CSPs to store and disclose communications data
traversing their networks which relates to services from other
providers. This is commonly referred to as the third party provision.
A simple illustration is that using the third party provision
it would be possible to ask a United Kingdom broadband provider
to collect data on e-mails crossing its network when those e-mails
were sent using one overseas based e-mail provider to another
overseas based e-mail provider.
90. The third party provision has proved particularly
controversial both because of technical concerns and because,
as LINX put it, "The collection and processing of 'third
party' communications data by network operators is a substantial
extension of their duties that is, in our opinion, materially
distinct from existing data retention requirements, amounting
to a complete novelty". Big Brother Watch agreed, saying
that if these provisions are passed UK CSPs could in future be
described as "private surveillance operations".
91. To understand the technical concerns it is
useful to understand a little about how third party data would
be collected. It would be necessary to place data probes within
a CSP's network and those probes would be programmed to generate
information from network links within the CSP. Deep Packet Inspection
(DPI) would be used to isolate key pieces of information from
data packets in a CSP's network traffic. The Home Office seemed
confident that this was technically possible. Other witnesses
questioned whether it is technically feasible to extract meaningful
and helpful information from third party services. One of the
primary technical challenges would be dealing with encrypted data.
92. Many internet services are encrypted; this
includes many of the major overseas based communications services
such as Gmail. Encryption is the basis of internet security and
companies encrypt their services to protect their customers. If
these companies are asked directly for communications data and
agree to supply it, whether under RIPA or following a request
under a Mutual Legal Assistance Treaty (MLAT), then they will
decrypt the information, extract the relevant communications data
and provide it to the requesting authority in an accessible format.
They told us however that if information about their service was
collected by another CSP they would not cooperate in helping decrypt
it. Sarah Hunter from Google explained:
"From a Google Inc perspective, we are very
confident about the security of our encryption. If a valid RIPA
request comes in or UK law enforcement goes through the MLAT,
receives a court order and in turn gets Gmail user data, we will
obviously provide that data decrypted. If it was to use a third-party
provider to gather the encrypted data, I think it very unlikely
that Google Inc would provide anyone outside Google Inc with that
key. That is simply because, as everyone said earlier, security
is our most important asset. Our relationship with our users is
predicated on trust. Without that, we have no business".[65]
93. Several witnesses questioned whether valuable
communications data could be retrieved from encrypted services.
Services encrypt not only content but much of the communications
data too, and the UK CSP whose network the encrypted service is
crossing will not be able to decrypt the package, nor could they
legally do so because to do so would be to intercept content.
As Everything Everywhere put it, "even if we were able to
decrypt, you would have to open the whole packet, and then you
are looking at the content".[66]
UK CSPs will not be able to hand over the whole encrypted package
to law enforcement or the Home Office because to do so would be
to hand over content.
94. Bob Hughes, Government Programme Manager
at Telefónica UK-O2, gave a helpful illustration of the
kind of data that a UK CSP would be able to provide about an encrypted
third party service:
"When we are talking about picking up third-party
data, we are now talking about gateway-to-gateway data. This is
very similar to a lot of letters having been passed to a delivery
box on one side of the network, put into a big courier delivery
box and crossing our network to a terminating distribution box
on the other side. Then, all those letters are taken out of the
box and sent on to their various places... All that we will see
when we look at those encrypted data are the two points of the
gateway. We are storing all of these communications, which are
just gateway-to-gateway. We cannot hand over the whole box because
we know that that includes content. We can give you only the piece
that is on the outside of the box that includes all the encrypted
data. Therefore, the value, by comparison with the letter and
its journey from A to B, is much reduced."[67]
95. Although this may sound of limited utility,
Home Office officials said it could still be valuable to ongoing
investigations: "Encrypted data can still be very important
and can give you unencrypted chunks of data which are relevant
to the three questions which we are asking ourselves and to which
we come back all the time."[68]
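The gateway-to-gateway point in paragraphs 93 to 95, as an added illustration that is not part of the report or of any witness's evidence: a parser that reads one IPv4/TCP packet carrying an encrypted record and returns only what a transit network can see without opening the payload. The packet, addresses, ports and function names are constructed assumptions.

```python
import ipaddress
import struct

TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                    22: "handshake", 23: "application_data"}


def build_sample_packet():
    """Constructed IPv4/TCP packet carrying one TLS application-data record."""
    ciphertext = bytes(range(32))  # stand-in for encrypted bytes
    tls = struct.pack("!BHH", 23, 0x0303, len(ciphertext)) + ciphertext
    # Ports, sequence numbers, header length (5 words), flags, window;
    # checksums are left at zero because the parser does not verify them.
    tcp = struct.pack("!HHIIBBHHH", 51514, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(tls),
                     0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("198.51.100.10").packed,
                     ipaddress.IPv4Address("203.0.113.25").packed)
    return ip + tcp + tls


def visible_envelope(packet):
    """Return the fields readable on the outside of the 'box'.

    No payload bytes are ever copied into the result: only the two
    endpoints, the sizes and the type of the encrypted record.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (ver_ihl & 0x0F) * 4
    seen = {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "protocol": proto, "total_bytes": total_len}
    if proto != 6 or len(packet) < header_len + 20:
        return seen  # not TCP, or TCP header cut short
    tcp = packet[header_len:]
    seen["src_port"], seen["dst_port"] = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    seen["payload_bytes"] = len(payload)
    # A TLS record starts with type (1 byte), version (2), length (2).
    if len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES and payload[1] == 3:
        seen["tls_record"] = TLS_RECORD_TYPES[payload[0]]
        # Application-data records are ciphertext end to end.
        seen["opaque_content"] = payload[0] == 23
    return seen


if __name__ == "__main__":
    print(visible_envelope(build_sample_packet()))
```

Who wrote to whom inside the service, the "letters" in Bob Hughes's illustration, sits entirely inside the bytes the function never reads.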
96. One of the significant risks of the third
party provision is that it may actually lead to an increase in
the number of services that use encryption, and this could actually
reduce the amount of communications data available in the United
Kingdom, a serious unintended consequence directly at odds with
the stated purpose of the legislation. Evidence that this was
a real risk came from Simon Milner, the Director of Policy for
UK and Ireland of Facebook, who explained:
"The security of our networks and the security
of how we store and look after customer data are fundamental to
our businesses. Therefore, when we are concerned that someone
else might be trying to intercept our data, we will move heaven
and earth to ensure the security of our network. It is a grave
concern to us that it might well be part of the new framework
that UK CSPs might be required to retain these data. One would
expect there to be not only implications for relationships in
the internet value chain but changes in behaviour by users. Facebook
users already have the ability to encrypt their traffic, and we
would expect many more UK users to choose to do so were that kind
of measure to be introduced".[69]
97. This issue was also highlighted in evidence
from Virgin, ISPA and Telefónica UK-O2.[70]
98. Microsoft questioned how a United Kingdom
CSP would identify which encrypted information it would be necessary
to store in order to comply with a third party provision notice:
"How can we guarantee that the CSP has identified
the right packets to be stored? Multiple providers, Skype included,
use obfuscation techniques precisely to avoid being detected by
deep packet inspection equipment. My question is a technical one:
how would they guarantee that they would be storing the correct
data under the order?"[71]
99. There are some instances of services that
not only encrypt but have specific software to ensure no communications
data is kept about their users, and no websites can identify their
users when they visit. For example, we took evidence from the
Tor Project, a not-for-profit organisation which encrypts and
redirects its users' communications to ensure they cannot be traced.
The Tor Project is used by people trying to circumvent national
censorship schemes, by victims of crime, by military personnel
working undercover, by journalists wishing to protect their sources
and by whistleblowers.
100. Encryption is not the only technical challenge
posed by the third party provision. We received evidence questioning
whether DPI technology could cope with the level of traffic that
moves across service provider networks. ISPA stated that "DPI
and such technology can be used by ISPs for legitimate traffic
management processes, but it does not follow it could be repurposed
to fulfil the requirements set out in the draft Bill. We are yet
to be convinced that current hardware can handle the volume of
traffic that moves across service provider networks at this level".
101. One of the key technical challenges would
be to programme DPI systems to isolate communications data information
from the content of messages sent. Even BAE Systems Detica, who
as manufacturers of DPI technology were confident of its capabilities,
admitted that it would be challenging to keep the DPI systems
up to date with changes that originating CSPs make to the underlying
formats and protocols used by those services.[72]
The pace at which CSPs change their systems (particularly proprietary
ones) can be very fast. This means that DPI system manufacturers
and CSPs would need to devote significant resources to monitoring
and updating systems both to maintain coverage and to operate
correctly. Microsoft confirmed this:
"We have a dedicated team involved in this obfuscation
constantly in order to protect the integrity of the communications.
At the same time, DPI equipment manufacturers have guys on the
other side trying to work out what we are doing. That will continue.
The point about it from the perspective of this draft Bill is
that it costs money to maintain DPI equipment. We do not just
buy once; there is a constant need to pay to have it updated in
order for it to perform. That is the key here - it is very
expensive".[73]
102. The concerns about the third party provisions
are not limited to questions about their technical feasibility.
UK CSPs would find it challenging to understand even non-encrypted
communications data belonging to other services. Under the current
system the Home Office works with CSPs to categorise their data,
agree what should be exempted as content, and then list the data
available in the "SPoC book". Only the company that
generates the data can give an informed opinion about how the
data should be categorised. A third party will not easily be able
to judge whether a law enforcement agency is right to categorise
a request for third party data as, for example, "subscriber
data", or even as data rather than content. The only data
type the third party could confidently identify is traffic data.
This was illustrated by Jonathan Grayling from Everything Everywhere:
"I think we could probably stand a pretty good chance of
identifying what is content and communications data in our own
data, because we understand it: we understand how our systems
work and how we interpret it. But to understand third-party data,
even if it is not encrypted, is going to provide challenges".[74]
103. The UK CSPs were also concerned about the
commercial implications of the third party provision. They rely
on good relationships with the main internet service providers,
many of whom are based overseas. If some of those providers choose
not to cooperate with this legislation but are aware that UK CSPs
may be ordered to collect data on their services, then this could
change the nature of their relationship. This was a significant
concern for the UK CSPs.[75]
104. The cost of constantly reprogramming DPI
probes to keep abreast of changes to third party services has
already been mentioned. This is not the only significant cost
concern. The cost of the DPI probes themselves would be significant,
and that and the costs of the large scale storage demands worry
the UK CSPs.[76]
Their concerns will be explored further in Chapter 7.
105. Given the significant concerns about the
third party provision some witnesses have called for it to be
dropped.
106. When the UK CSPs gave evidence to us in
September they stated that Home Office officials had given them
oral assurances that the third party provision would be invoked
only after the original service provider had been approached and
all avenues to get them to comply with requests for communications
data had been exhausted. The UK CSPs also said they had been given
assurances that they would not have to decrypt third party data.
These reassurances were important to them and they were very concerned
that there was nothing in the Bill to back up the Home Office's
promises.[77]
107. We explored this issue with Home Office
officials in October and Charles Farr repeated the reassurance
he had given the UK CSPs:
"I think they [the UK CSPs] were under the misapprehension
that we might go to them to collect third-party data, even before
asking the third-party to cooperate with us. They were understandably
concerned if that were to be the case. Were it to be the case,
the costs would be rather different from what they otherwise might
be. I hope we have reassured them. I would repeat, if I may,
that it would be in extremis for us to go to them and ask for
the collection of third-party data. In the vast majority of cases
we do not expect to, and we have calculated the costs accordingly."[78]
"If they cannot distinguish communications data
from content they will not be required to retain it. We are not
asking for the storage of masses of encrypted data."[79]
108. When asked whether he agreed that the legislation
should reflect these assurances Charles Farr agreed to look at
it.[80] We note that
the Intelligence and Security Committee has recommended that "the
Home Office should have to demonstrate due diligence before resorting
to the use of DPI to collect communications data from overseas
CSPs" and that this should be reflected on the face of the
Bill.
109. The Home Office knows
that not all overseas CSPs will comply with retention notices.
It is for this reason that the notices issued under the order-making
powers in clause 1 may require UK CSPs to keep third party data
traversing their networks. UK CSPs are rightly very nervous about
these provisions. The Home Office has given an oral commitment
to UK CSPs that the Home Secretary will invoke the third party
provisions only after the original data holder has been approached
and all other avenues have been exhausted. The Home Office has
also given a commitment that no CSP will be asked to store or
decrypt encrypted third party data. These commitments should be
given statutory force.
Filtered data
110. Clause 14 provides a power to establish
filtering arrangements to facilitate the acquisition of communications
data. The Request Filter would be used for complex communications
data inquiries that cover several CSPs. As the Home Office explained,
"Internet communications services are technically different
from the telephone services of the past. The communications data
now needed to understand the 'who, how, when and where' of a single
communication may no longer be held by a single communications
provider".[81]
Rather than a public authority having to submit separate
requests to several CSPs, it would submit one request through
the Request Filter which would then interrogate the multiple CSP
databases and automatically analyse the returns, providing investigators
with only the relevant data. CSPs could design their systems to
allow full automation of requests through the filter, or they
could decide to have staff check each request before allowing
the Request Filter to access data. It is important that CSPs have
this choice.
111. The Government's case for the Request Filter
is that it "is intended to enable law enforcement agencies
to continue acquiring complex communications data in a way that
minimises collateral intrusion".[82]
The Home Office sees the benefits as: minimising human error,
speeding up complex requests and minimising collateral intrusion.
The Request Filter is little different from the work that investigators
currently carry out comparing data from multiple CSPs when dealing
with complex enquiries. The difference is that it will be an automated
process which may be faster and less prone to human error, but
will require significant work to develop and will require the
Home Office to impose technical requirements on each provider
to ensure that data from the provider's systems is always returned
to the Filter in the same technical format, thus facilitating
easy data comparison.
112. The Home Office is at pains to assert that
the Request Filter is not a central database: "The legislation
makes clear that the Filter can only acquire and process communications
data to answer a specific public authority request. Once that
request has been answered the Filter will permanently delete all
the communications data it acquired".[83]
The Home Office emphasise this point because in May 2008, when
the last Government announced plans for legislation which would
have required communications data to be stored for a year in a
purpose-built database, the plans were heavily criticised, not
least by the two Parties that now make up the coalition Government.
113. It is however important to consider how
different the proposals for the Request Filter really are from
the previous Government's proposals for a central database. A
central database would have been one repository of communications
data provided by the CSPs but stored on a Government owned and
operated database. The Request Filter is a Government owned and
operated data mining device which, to work efficiently, requires
each CSP to maintain its own database of all its communications
data in a common format. Each CSP database will be able to be
accessed at any time by the Request Filter. So the same data is
being stored about the same people and it is being stored in databases
which are accessible to public authorities given powers under
the Bill. The difference is that instead of one database there
are many and they are privately owned. Although they are privately
owned the Government can stipulate what should be held on them,
for how long, and in what format it should be supplied. The differences
therefore are not as great as the Home Office suggests; the Request
Filter can be equated to a federated database.
114. There is also vigorous debate about whether
the Home Office is right to argue that the Request Filter minimises
collateral intrusion and thus is a tool in protecting privacy.
On the contrary, many witnesses see it as a threat to privacy.
For example LINX stated that:
"Clauses 14-16 establish a requirement that
communications data be processed and assembled by matching related
data from different operators, such that the relationships between
diverse data elements relating to a particular user are capable
of being machine-processed as such. In other words, the draft
Bill requires the functional equivalent of building communications
data profiles on every user, which will contain everything within
the definition of communications data, including time and geolocation
data".
115. LINX point out that it would be technically
possible to "perform profile searches of the following format:
'List all persons who are the designated user of a mobile phone
that was in Location (e.g. Trafalgar Square) at Time (e.g. noon
last Tuesday), and who have read any of the following websites
more than once in the past period (e.g. year)'".
116. There are also questions as to whether the
Filter amounts to a "general monitoring" obligation,
contrary to Article 15 of the EU E-Commerce Directive.[84]
This is not something we have had time to investigate but it
is an issue the Home Office should consider.
117. The Request Filter would make it technically
possible to perform profile searches on individuals. If it was
used in this way there is a risk that it could amount to general
monitoring, but there are safeguards to prevent this. Every request
to the Request Filter will have to go through the same authorisation
process set out in Chapter 2. This includes a requirement to explain
why the request is necessary and proportionate, and needs the
authorisation of a Designated Senior Officer. In addition the
draft Bill puts obligations on the IoCC to monitor the operation
of the Request Filter and examine the audit trails produced. This
safeguard is key, as Professor Peter Sommer told us:
"If these safeguards are not rigorously applied
and fully examined by the Interception of Communications Commissioner
there is a risk that what is described as 'request filtering'
becomes large-scale data mining; the necessity and proportionality
tests need to be applied not to just the individual data streams
as supplied by CSPs but to the likely effect when they are assembled
together."
118. We consider in the following chapter the
role of the IoCC in maintaining public confidence in the Filter.
WHO WILL DESIGN, PROGRAMME AND MAINTAIN THE REQUEST FILTER?
119. The draft Bill makes the Secretary of State
responsible for setting up and maintaining any filtering arrangements,
and provides the power to transfer this responsibility to a designated
public authority. Day to day operation of the filtering arrangements
may be carried out by an approved body. Evidence from the Home
Office suggests that if the Secretary of State was to transfer
her powers to a designated public authority it would be to the
new National Crime Agency.[85]
The scope of the Bill does not limit who the day to day operation
can be transferred to, and some witnesses have expressed concern
that it could be GCHQ which is not accountable to the public or
to Parliament, although any transfer of functions would not affect
the Secretary of State's responsibility for the exercise of the
functions.
120. Some witnesses have questioned whether it
is appropriate that the Secretary of State should be responsible
for the operation of the Filter. Professor Peter Sommer argued
that "making this a function, direct or delegated, of the
same Secretary of State who also issues interception warrants
and orders under the draft Bill is surely a mistake; if there
is to be a credible and viable independent filtering agency much
more needs to be said about its resources and governance."
121. The Request Filter will be a very complicated
piece of technology. It will need to be constantly updated as
new CSPs are added, existing CSPs merge or CSPs change the kind
of communications data they have available and the format in which
it is held. Witnesses have expressed concern that the public sector
will not be able to attract and retain programmers of sufficient
skill to design and maintain a robust and effective filter. Professor
Peter Sommer wrote: "it will need resources, among them highly
skilled staff who are familiar with the law, the applicable technologies
and police investigative procedure - and who can also act independently.
They will almost certainly need high levels of security clearance.
In the private sector such people are likely to earn fairly high
income; moreover they will want some form of career structure
and stability. But there may not be a sufficiently consistent
flow of work to make this possible."
122. Whoever operates the
Request Filter will need significant expertise and staff at their
disposal. If CSPs update their system and the Request Filter is
not adjusted there is a risk that results will be incomplete,
rendering them useless. The Bill should be amended to say that
the Secretary of State may transfer her responsibilities for operating
the Request Filter to the soon to be established National Crime
Agency but not to other bodies. The National Crime Agency will
need appropriate resources and this should be reflected in the
revised cost/benefit analysis.
EVIDENTIAL QUALITY OF REQUEST FILTER RESULTS
123. The Home Office's written evidence explains
that "It will be possible to manually check that the Filter
had functioned correctly (to ensure that the result is sound)
that there will be an audit trail of filter requests."[86]
We were not provided with information about how detailed this
audit trail will be and how the audit trail sits with the requirements
that "once the processing and filtering to answer a request
is complete all acquired communications data is immediately destroyed".
The quality of the audit trail is important because if Request
Filter results are to be used as evidence in criminal proceedings,
whether for the prosecution or the defence, they will need to
meet evidential standards. Several of our witnesses, including
LINX, questioned whether they would.
124. However the Director of Public Prosecutions
was not concerned that results from the Request Filter might not
meet evidential standards. His view was that although there would
be challenges the Filter arrangements were "workable provisions".[87]
This was also the view of Lord Carlile
of Berriew QC[88]
and the IoCC.[89]
125. It is our view that the quality of the audit
trail will be key to ensuring that results from the Request Filter
meet evidential standards. It will be necessary for the prosecution
to prove that a result from the Filter is robust and reliable.
To do this they will need a clear audit trail that enables them
to re-run the data processing exercise in order to satisfy the
jury that the correct questions were asked of the Filter and that
the results were accurate. This will require data needed for criminal
proceedings to be held for more than 12 months; this includes
the collateral data that the Filter will have excluded from the
result it provided. Without that collateral data a request could
not be recreated.
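A toy model of the Request Filter described in paragraphs 110 to 113 and of the audit-trail problem in paragraphs 123 to 125, added here as an illustration; it is not taken from the report, the draft Bill or any Home Office design. The two record formats, the kind of query, the function names and every sample record are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime

# Constructed records in an assumed common format; no real data.
# CSP A (access provider): which subscriber held a shared address and port.
CSP_A_SESSIONS = [
    {"subscriber": "A-1001", "ip": "203.0.113.7", "port": 40001,
     "start": "2012-10-02T11:55:00", "end": "2012-10-02T12:10:00"},
    {"subscriber": "A-1002", "ip": "203.0.113.7", "port": 40002,
     "start": "2012-10-02T11:58:00", "end": "2012-10-02T12:05:00"},
    {"subscriber": "A-1003", "ip": "203.0.113.7", "port": 40003,
     "start": "2012-10-02T12:01:00", "end": "2012-10-02T12:30:00"},
    {"subscriber": "A-1004", "ip": "203.0.113.9", "port": 40001,
     "start": "2012-10-02T11:00:00", "end": "2012-10-02T13:00:00"},
]
# CSP B (service provider): account logins with the source address it saw.
CSP_B_LOGINS = [
    {"account": "acct-417", "ip": "203.0.113.7", "port": 40002,
     "time": "2012-10-02T12:00:30"},
    {"account": "acct-902", "ip": "203.0.113.7", "port": 40003,
     "time": "2012-10-02T12:02:00"},
]
REQUEST = {"account": "acct-417", "from": "2012-10-02T11:59:00",
           "to": "2012-10-02T12:03:00"}


def ts(text):
    return datetime.fromisoformat(text)


def digest(records):
    """Order-independent SHA-256 over a list of records."""
    lines = sorted(json.dumps(r, sort_keys=True) for r in records)
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def run_filter(request, csp_a, csp_b):
    """Answer one request; return (matching subscribers, audit record)."""
    start, end = ts(request["from"]), ts(request["to"])
    # Acquire from CSP B: logins by the named account inside the window.
    logins = [r for r in csp_b if r["account"] == request["account"]
              and start <= ts(r["time"]) <= end]
    # Acquire from CSP A: every session on those addresses overlapping the
    # window. This is where other subscribers' data (collateral) comes in.
    addresses = {r["ip"] for r in logins}
    sessions = [s for s in csp_a if s["ip"] in addresses
                and ts(s["start"]) <= end and ts(s["end"]) >= start]
    # Correlate: same address and port, login time inside the session.
    matched = [s for s in sessions for lg in logins
               if (s["ip"], s["port"]) == (lg["ip"], lg["port"])
               and ts(s["start"]) <= ts(lg["time"]) <= ts(s["end"])]
    result = sorted({s["subscriber"] for s in matched})
    audit = {
        "request": dict(request),
        "acquired": {"csp_a": len(sessions), "csp_b": len(logins)},
        "collateral_discarded": sum(1 for s in sessions
                                    if s["subscriber"] not in result),
        "input_digest": digest(sessions + logins),
        "result_digest": digest([{"subscriber": s} for s in result]),
    }
    # The filter keeps nothing it acquired; only result and audit leave.
    del logins, sessions, matched
    return result, audit


def verify_rerun(audit, csp_a, csp_b):
    """Re-run the audited request and compare digests with the audit."""
    _, again = run_filter(audit["request"], csp_a, csp_b)
    return {"result_matches": again["result_digest"] == audit["result_digest"],
            "inputs_match": again["input_digest"] == audit["input_digest"]}


if __name__ == "__main__":
    result, audit = run_filter(REQUEST, CSP_A_SESSIONS, CSP_B_LOGINS)
    print(result, audit["acquired"], audit["collateral_discarded"])
    # While CSP A still holds the collateral sessions, the run reproduces.
    print(verify_rerun(audit, CSP_A_SESSIONS, CSP_B_LOGINS))
    # If only the matched session was preserved, the answer is the same but
    # the inputs can no longer be shown to be the ones originally processed.
    preserved = [s for s in CSP_A_SESSIONS if s["subscriber"] in result]
    print(verify_rerun(audit, preserved, CSP_B_LOGINS))
```

In this model the audit record holds only counts and digests, so it can confirm that a re-run saw the same inputs but cannot supply them; that depends on the CSPs still holding the collateral records.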
126. The Request Filter will
speed up complex inquiries and will minimise collateral intrusion.
These are important benefits. On the other hand the filter introduces
new risks, most obviously the temptation to go on "fishing
expeditions". New safeguards should be introduced to minimise
these risks. In particular the IoCC should be asked to investigate
and report on possible fishing expeditions and to test rigorously
the necessity and proportionality of Filter requests.
Accessible by whom?
127. We explained in Chapter 2 that, of the many
public authorities currently allowed to access communications
data, the only ones listed in section 25 of RIPA are police forces,
SOCA (soon to be replaced by the new National Crime Agency) and
the Scottish Crime and Drugs Enforcement Agency (SCDEA), HMRC
and the intelligence and security services. "Police force"
and "intelligence service" are defined in section 81(1)
of RIPA. All other public authorities permitted to access communications
data are empowered to do so by order of the Secretary of State.
Clause 21(1) of the draft Bill follows exactly the same pattern,
save that the SCDEA do not appear in the list. Again, if any other
public authorities are to be added to the list, this would be
by order of the Secretary of State, subject to affirmative resolution.
128. We are satisfied that the four main users
currently listed in the draft Bill - the police, SOCA, HMRC
and the intelligence and security services - should remain
on the face of the Bill as public authorities allowed access to
communications data. Together they currently account for 99% of
requests for communications data, and we have no doubt that they
should continue to have access to it, subject always to the enhanced
safeguards we suggest in Chapter 5.
129. We have considered whether there are other
authorities for which an equally strong case can be made, so that
they too should be listed in the Bill even though the use they
make of communications data is on a smaller scale. We believe
that there are two such bodies. The first is the Financial Services
Authority (FSA). In the last three years it has made 5,459 requests
for access to communications data,[90]
2,325 of them in 2011.[91]
The matters it deals with are of increasing
importance. The second is the UK Border Agency (UKBA). It is not
listed as such in the current Order:[92]
instead there is a reference to the
Home Office, but the persons designated to grant authorisations
are officials of the UKBA. They have made 10,103 requests in the
last three years,[93]
some dealing with key immigration offences such as people smuggling
and trafficking, in addition to more routine immigration crimes.
The UKBA too should in our view appear on the face of the Bill,
but under its own name rather than as the Home Office.
LOCAL AUTHORITIES
130. Of some 600 public authorities authorised
to access communications data, over 400 are local authorities,
which are permitted to acquire subscriber data or use data but
not traffic data. Trading standards departments are the principal
users of communications data within local authorities, although
the environmental health departments and housing benefit fraud
investigators also occasionally make use of the powers. Local
authorities enforce numerous statutes and use communications data
to identify criminals who persistently cheat consumers, the taxpayer,
deal in counterfeit goods, and prey on the elderly and vulnerable.
The environmental health departments principally use communications
data to identify fly-tippers.[94]
131. In 2011, 141 local authorities notified the
IoCC that they had made a total of 2,130 requests, which is just
0.4% of all communications data requests submitted by public authorities.
Despite this, local authorities accounted for 9% of the reportable
errors. The evidence we received shows that errors by local authorities
cause public concern out of all proportion to the numbers involved.
This seems to be because examples of misuse or abuse of the system
are not only relatively frequent, but also particularly alarming.
BOX 6: Failure of authorisation by local authorities
The IoCC found that in 2011 two local authorities
made a total of 52 requests which were not approved by a person
of sufficient seniority to act as a designated person, and were
therefore unlawful. In one of those authorities the same person
had acted as the applicant, SPoC and designated person, so that
there was a complete lack of scrutiny; in effect the requests
were self-authorised. In two instances in two different local
authorities the SPoCs processed and the designated persons approved
the acquisition of traffic data, which local authorities are not
permitted to acquire.
132. The IoCC reported one case where a local
authority used communications data in relation to a matter which
was not a criminal offence at all, and did not come close to being
a permitted purpose.
BOX 7: Use of communications data for an unauthorised purpose
An allegation was made that a parent living outside
the catchment area of a school provided an address within the
catchment area to secure a school place. Communications data was
requested to provide evidence of residence and to confirm the
genuine address. The application stated that the Schools Admissions
Department would withdraw the place for the child if the allegation
was substantiated, but no criminal offences were specified. Nevertheless
the application was authorised and the data released.
133. This was a case which caused considerable
public disquiet; no fewer than seven of our witnesses referred
to it in written evidence.[95]
What causes us still further disquiet is the statement from
the IoCC that "I was satisfied from this that the conduct
undertaken by the Council did not amount to wilful or reckless
use of the powers. It is clear that the Council went through a
considered thought process, that legal advice was sought prior
to submitting the application and that there were ongoing discussions
in relation to whether a prosecution was feasible." This
does nothing to allay our own anxieties. It scarcely needs legal
advice to work out that the support of a schools admissions policy
is not a proper use of communications data. Sir Paul Kennedy has
also argued that "The controls are perfectly in place. I
know there has been the odd incident about the school catchment
area, or something like that, but they are the odd incident and
if there is a criticism – and I have said this in a report
before – it is that local authorities do not always use these
powers as much as perhaps they ought to, to deal with the type
of offending that they are entitled and required to investigate,
and probably have no other means of investigating."[96]
134. The IoCC reports that, of the 141 local
authorities which notified him that they had made use of their
powers in 2011, 58% had made fewer than 10 requests. This plainly
contributes to the number and gravity of the errors: those processing
applications for access to communications data do so infrequently
and have relatively little experience of the system. When local
authorities were added to the list of relevant public authorities[97]
there was no suggestion that applications by them should be subject
to a different procedure from applications by other public authorities.
However the Coalition Agreement included the following undertaking:
"We will ban the use of powers in the Regulation of Investigatory
Powers Act (RIPA) by councils, unless they are signed off by a
magistrate and required for stopping serious crime."[98]
Section 37 of the Protection of Freedoms Act 2012, which came
into force on 1 November, added to RIPA two new sections 23A and
23B, the effect of which is that authorisations for local authorities
to access communications data do not take effect unless and until
approved by a justice of the peace in England and Wales, a sheriff
in Scotland, or a district judge (magistrates' courts) in Northern
Ireland.
135. There are thus historical reasons why, in
the case of RIPA, it is the Act which provides the conditions
subject to which local authorities can access data, even though
it is not the Act itself which grants them the right of access.
We can see no reason why the draft Bill should follow this pattern;
yet clause 11 specifies that judicial approval is needed for access
by local authorities, which are defined by clause 21(1), even
though they would have no right at all to access communications
data unless under the Bill, once enacted, the Secretary of State
made an order permitting such access.
136. If it is thought that local authorities,
or some of them, should have access to communications data, they
should follow the procedure we have suggested for all other public
authorities. We deal in the following chapter with the question
of the conditions which should apply to any access by local authorities.
137. Any public authorities
which make a convincing business case for having access to communications
data should, like the six we have specified in paragraphs 128
and 129, be listed on the face of the Bill. We expect this to
be a greatly reduced number when compared to the authorities currently
listed in the Regulation of Investigatory Powers (Communications
Data) Order 2010.
138. Any necessary changes
to this list should be made by order subject to the super-affirmative
procedure which includes the opportunity of scrutiny by the appropriate
Select Committee.
Accessible for what purposes?
139. Clause 9(6) of the draft Bill sets out the
purposes for which it is permissible to access communications
data. It reads:
(6) For the purposes of this section it is necessary
to obtain communications data for a permitted purpose if it is
necessary to do so
(a) in the interests of national security,
(b) for the purpose of preventing or detecting
crime or of preventing disorder,
(c) for the purpose of preventing or detecting
any conduct in respect of which a penalty may be imposed under
section 123 or 129 of the Financial Services and Markets Act 2000
(civil penalties for market abuse),
(d) in the interests of the economic well-being
of the United Kingdom,
(e) in the interests of public safety,
(f) for the purpose of protecting public health,
(g) for the purpose of assessing or collecting
any tax, duty, levy or other imposition, contribution or charge
payable to a government department,
(h) for the purpose, in an emergency, of preventing
death or injury or any damage to a person's physical or mental
health, or of mitigating any injury or damage to a person's physical
or mental health,
(i) to assist investigations into alleged miscarriages
of justice, or
(j) where a person ("P") has died or
is unable to identify themselves because of a physical or mental
condition
(i) to assist in identifying P, or
(ii) to obtain information about P's next
of kin or other persons connected with P or about the reason for
P's death or condition.
140. Purposes (a), (b) and (d) to (h) were in
RIPA as originally enacted. Purposes (i) and (j) were added in
2006 by Order[99] – the
only such additions. Only purpose (c) is new. Schedule 2 to the
draft Bill would amend section 175 of the Financial Services and
Markets Act 2000 so that the FSA could not require CSPs to disclose
data for the purposes of investigations. Conversely, under paragraph
(c) data could be obtained to prevent or detect conduct which
would not necessarily constitute a criminal offence. We are satisfied
that this is a legitimate purpose, and it is for this reason that
we stated in paragraph 129 that a good case can be made for adding
the FSA to the list of public authorities on the face of the Bill.
141. Much the most common reason for requesting
and accessing communications data is "preventing or detecting
crime" – purpose (b). "Crime" can of course
include trivial offences, and only the requirements of necessity
and proportionality can prevent communications data being used
for such crimes. But in evidence to us the Home Secretary was
referred to an article she had written in The Sun, where she had
said that "Only suspected terrorists, paedophiles or serious
criminals will be investigated under the Bill". She confirmed
that this was the "main purpose" of the Bill.[100]
142. The draft Bill has annexed to it the Home
Office memorandum on compatibility with the ECHR, and in particular
with Article 8, the right to privacy. Article 8 reads:
"(1) Everyone has the right to respect for
his private and family life, his home and his correspondence.
(2) There shall be no interference by a public authority
with the exercise of this right except such as is in accordance
with the law and is necessary in a democratic society in the interests
of national security, public safety or the economic well-being
of the country, for the prevention of disorder or crime, for the
protection of health or morals, or for the protection of the rights
and freedoms of others."
143. Article 8(2) is tantamount to an exhaustive
list of permitted purposes; no purpose which does not fall within
those words would be permissible. Two such purposes have been
added in the space of 12 years. It is now proposed to add a third.
We believe it is unlikely that a good case can be made for yet
further permitted purposes. Clause 9(7), like the existing provision
in RIPA, would allow the Secretary of State, by order subject
to affirmative resolution, to add yet more permitted purposes.
However the Home Secretary told us: "We have certainly got
no intention of setting out any permitted purposes beyond those
that are in the draft Bill."[101]
144. We sought the views of the House of Lords
Delegated Powers and Regulatory Reform Committee on clause 9(7),
and their conclusion was that "were a Bill to be introduced
containing the same power as in the draft, we would not necessarily
find it acceptable just because it derives from existing legislation."
We agree. We believe that any additions of further permitted purposes
should be by primary legislation, and that clause 9(7) should
be deleted.
145. The fact that there are ten permitted purposes
does not mean that relevant public authorities should have access
to communications data for all those purposes. Currently no authority,
not even any of the four core authorities, is permitted access
for all these purposes. The police do not need, and do not have,
permission to access data for tax purposes or to investigate miscarriages
of justice. Only HMRC need, and have, access for tax purposes;
only the Criminal Cases Review Commission, and its Scottish equivalent,
need and have access to investigate miscarriages of justice, and
they have access for no other purpose. The fire and ambulance
services routinely have access only in the case of life-threatening
emergencies. These are important limitations. Scrutiny of draft
orders which would add public authorities to the list of those
permitted access to communications data should ensure that access
is permitted only for those purposes which are strictly necessary.
146. Of the ten permitted
purposes in clause 9(6) of the draft Bill, seven were in RIPA
originally, two were added by order in 2006, and one is new. We
think it unlikely that there are any other as yet unidentified
purposes which could properly be added. The House of Lords Delegated
Powers and Regulatory Reform Committee has recommended that any
additions to this list should require primary legislation. We
agree. Clause 9(7), which allows the Secretary of State to add
further permitted purposes by order, should be deleted.
147. We are concerned that
the long list of permitted purposes for which communications data
can be requested adds to public disquiet about the breadth of
the Bill. While we do not make specific recommendations about
how this list could be shortened, we recommend that the Government
should consult on whether all the permitted purposes are really
necessary.
49 Q 421. See also the replies
of Simon McCready (Virgin) (Q419), Jonathan Grayling (Everything
Everywhere) (Q421), Bob Hughes (Telefónica/O2) (Q422),
and Mark Hughes (BT) (Q423).
50 QQ 548-549. See also the evidence of Stephen Collins (Hotmail)
and Sarah Hunter (Google) (Q547).
51 This evidence was given on 6 September.
52 QQ 603-608
53 QQ 841-847
54 QQ 841-842
55 QQ 843
56 In the Explanatory Notes to the draft Bill
57 Q 553
58 Q 865
59 Q 869
60 Q 919
61 Q 869
62 Q 1096
63 Ibid.
64 See Appendix 4.
65 Q 595
66 Q 438
67 Q 435
68 Charles Farr, Q 933
69 Q 628
70 Q 26
71 Stephen Collins, Q 632
72 Evidence given in private; this reply cleared for publication.
73 Stephen Collins, Q 634
74 Q 500
75 e.g. Virgin Q 420, LINX written
76 e.g. see Vodafone and BT Q 452
77 e.g. Everything Everywhere, Q 422
78 Q 883
79 Q 933
80 Ibid.
81 Written evidence, paragraph 113
82 Ibid.
83 Written evidence, paragraph 118
84 Directive 2000/31/EC of the European Parliament and of the Council
of 8 June 2000 on certain legal aspects of information society
services, in particular electronic commerce, in the Internal Market
(OJ L178 of 17 July 2000). Article 15(1) provides: "Member
States shall not impose a general obligation on providers
to monitor the information which they transmit or store, nor a
general obligation actively to seek facts or circumstances indicating
illegal activity."
85 Q 94
86 Paragraph 117
87 Q 819
88 Supplementary written evidence
89 Q 689
90 Home Office Business Cases for Public Authorities not currently
listed in the draft Communications Data Bill.
91 2011 Annual Report of the Interception of Communications Commissioner,
HC 496.
92 The Regulation of Investigatory Powers (Communications Data) Order
2010, SI 2010/480.
93 Home Office Business Cases for Public Authorities not currently
listed in the draft Communications Data Bill.
94 2011 Annual Report of the Interception of Communications Commissioner,
HC 496.
95 This has to be distinguished from a similar case of a local authority
using directed surveillance powers under Part II of RIPA, and
not powers under Chapter II of Part I (Jenny Paton and others
v Poole Borough Council (2010) IPT/09/01/C) http://adam1cor.files.wordpress.com/2010/08/investigatory_powers_tribunal_ruling.pdf
96 Q 678
97 by Article 3 of the Regulation of Investigatory Powers (Communications
Data) Order 2003, SI 2003/3172.
98 Chapter 4: Communities and Local Government.
99 The Regulation of Investigatory Powers (Communications Data) (Additional
Functions and Amendment) Order 2006, SI 2006/1878 which is now
consolidated by the Regulation of Investigatory Powers (Communications
Data) Order 2010, SI 2010/480.
100 QQ 1158-1159
101 Q 1158