Draft Communications Data Bill - Draft Communications Data Bill Joint Committee Contents


4  What would the draft Bill change?

Failure to consult

46.  The draft Bill would replace Chapter II of Part I of RIPA, and also other statutory provisions about access to communications data, with a new statutory regime making important, controversial and far-reaching changes which would potentially affect anyone who communicates by electronic means or who accesses the internet. It would particularly affect the CSPs. It was therefore unquestionably a prime candidate for wide-ranging consultation at a stage when policy was still being formulated and could be amended. This did not happen.

47.  The draft Bill could impose substantial obligations on all major CSPs operating in the United Kingdom, potentially involving them in re-structuring of their systems, and certainly requiring a substantial commitment of human, financial and technical resources. Since they are to be allowed to recoup their expenditure from the public purse, it would have been to their advantage and to the taxpayer's if the policy could have been formulated to allow the greatest benefits for the least expenditure.

48.  In the course of three evidence sessions we took evidence from 12 witnesses from the major United Kingdom CSPs: BT, Virgin, Vodafone, Everything Everywhere, Telefónica (O2); and several of the major overseas CSPs: Google, Hotmail, Yahoo!, Facebook, Twitter, and Skype. The evidence we received from the first five of these was to the effect that they had meetings with Home Office officials, sometimes frequent and usually at a high level, to discuss communications data, but that none of these dealt specifically with policy formulation; some were before the draft Bill was published (but not long before), and some were post-publication. The evidence of Mark Hughes for Vodafone was typical: "We have regular meetings with the Home Office at a high level. We have had one meeting with the Home Office, formally, post the drafting of the Bill, where we had the opportunity to ask questions. Some of the questions they were not able to answer for reasons of sensitivity." [49]

49.  The position of the overseas based email service providers was worse, with the first contact from the Home Office often coming after they first heard that we had invited these companies to give us oral evidence. Emma Ascroft told us on behalf of Yahoo!: "We were invited after the Home Office heard that we had been invited to give evidence to this Committee …. We had had no contact before. We met the Home Office in March 2011 to discuss the Government's response to the 2009 consultation on the changing communications environment, which Yahoo! UK responded to. We asked for a meeting in September, at which point the Home Office said there was no progress to report…. there was no further contact. As I said, the meeting we had with the Home Office was three weeks ago. Again, it was very much presented to us as our opportunity to ask the Home Office questions. It was not for the Home Office to consult us on any options."[50] This too was the position of the social network providers. On behalf of Facebook, Simon Milner said categorically: "We had no dialogue with the Home Office before the Bill was published ... we were never asked [for input] and we never provided it." Similarly, Colin Crowell for Twitter: "We had one conversation with the Home Office about two and a half weeks ago.[51] So we, too, were contacted after the Bill had been published and had one phone conversation with them about it."[52]

50.  We asked Charles Farr about this apparent lack of consultation. In the case of the United Kingdom CSPs he said: "We have been meeting regularly with UK CSPs on communications data over the past few years, and certainly in the run-up to the Bill. I believe that we shared our broad thinking about what we had in mind before the Bill was published, and we have followed that up with more detailed sessions since the Bill appeared ... but I fully accept that those discussions need to continue and go into more detail as we get closer to the time when the Bill is enacted, should it be so."[53]

51.  In the case of the overseas providers, Mr Farr told us that he had read their evidence "with a lot of interest"; what he told us was almost the opposite of what they said. He asserted that there had been a total of 30 meetings with them over a two-year period. He conceded that, because they went back two years, not all of the meetings were on "the minutiae of the Bill", but all of them were on communications data.[54] On the face of it, there is an inconsistency between these two accounts.  But our witnesses from the CSPs assumed, correctly, that a Committee inquiring into a draft Bill would be asking about meetings specifically on that Bill.  

52.  We asked the Home Office for details of the meetings they had had with Everything Everywhere. They sent us a list of 22 meetings which had been held since May 2009. The last five took place after publication of the Bill. Of the other 17, 12 were described as "Forum with key CSPs", the other five as bilateral with EE. One of these was with James Brokenshire MP, the Parliamentary Under-Secretary of State responsible for security. Officials explained that many of these meetings were wider working group meetings at which communications data was discussed "so that they [EE] may not recognise them all as specific Bill meetings". When we put the list to Jonathan Grayling, the Head of Law Enforcement Liaison at Everything Everywhere who had given evidence to us, he confirmed that these meetings did indeed form part of a series of regular meetings with the Home Office at which they discussed communications data matters generally and any outstanding problems. While he valued these meetings, at some of them the draft Bill was only an agenda item, usually consisting of a legislation update detailing timescales and high level plans; the meetings did not involve the Home Office asking for input to the detailed policy and content of the draft Bill. The meeting with the Minister on 17 November 2011 (also attended by James Blendis, Legal Vice President, Everything Everywhere) was the first at which the Bill was discussed; this was at a very high level, without going into any detail. The first meeting Mr Grayling described as specifically on the draft Bill was on 2 April 2012 (a meeting not on the Home Office list). This of course was only a month before the Queen's Speech, and two months before publication of the draft Bill. Industry was first given sight of the draft Bill, under embargo, on 7 June 2012, the week before its publication; this was the first indication they had of how the Bill was drafted.

53.  What is absolutely clear to us is that the regular meetings with EE and the other major CSPs would have been an unrivalled opportunity for the Home Office to discuss with them the evolving policy and content of the Bill, and to seek their input on the many matters where their technical and general expertise could have made a valuable contribution; and that this opportunity was not taken. The draft Bill is the poorer for it.

54.  Mr Grayling has told us: "Subsequent to the publication of the Bill, consultation has increased dramatically, and we have had a number of useful meetings at the Home Office (documented in their list) and they have asked us to provide input into the way the Bill is drafted and any wording/clause amendments that we feel would be beneficial." We are glad to hear this; but, of course, the consultation would have been a great deal more valuable eighteen months ago.

55.  Mr Farr told us: "Parliament and others had a right to see the legislation before we discussed it in detail with overseas providers."[55] We do not accept this. Parliament has a right to see, on its introduction, a Bill which seeks to implement as fully and clearly as possible the Government's policy, however controversial that policy may be. If the policy depends to a large extent on whether it can be implemented by a few major international corporations, not to consult them in the formulation of the detailed policy seems unwise. We note that the Intelligence and Security Committee has come to a similar conclusion.

56.  The Home Office should not have assumed that a consultation paper published in April 2009 could justify publication of draft legislation three years later without further consultation with the public and with those most closely affected by its proposals.

57.  The evidence we received shows that United Kingdom CSPs were not given any details about the possible content of notices before the draft Bill was published, overseas CSPs were not consulted about the draft Bill at all, nor was there any further public consultation.

58.  Before re-drafted legislation is introduced there should be a new round of consultation with technical experts, industry, law enforcement bodies, public authorities and civil liberties groups. This consultation should be on the basis of the narrower, more clearly defined set of proposals on definitions, narrower clause 1 powers and stronger safeguards which are recommended in this report. The United Kingdom and overseas CSPs should be given a clear understanding of the exact nature of the gap which the draft Bill aims to address so that those companies can be clear about why the legislation is necessary.

59.  Even though many of them are prepared to cooperate on a voluntary basis, they should also be told what obligations might be imposed on them. For many, their willingness to cooperate voluntarily will be reinforced if there is a statutory basis for the requirement.

60.  Meaningful consultation can take place only once there is clarity as to the real aims of the Home Office, and clarity as to the expected use of the powers under the Bill. CSPs should be consulted on the basis of drafts of the specific notices which will be served on them; these will have the detail of the obligations to be imposed on them, and enable them to undertake a better assessment of feasibility and of the resources and timescales involved.

Clause 1: What communications data would be accessible?

THE BREADTH OF CLAUSE 1

61.  The provision at the centre of the draft Bill, on which all else depends, is clause 1. This is headed "Power to ensure or facilitate availability of data". It allows the Secretary of State by order to ensure that communications data is available from telecommunications operators so that it can be obtained by public authorities. The clause then sets out the main ways in which it is expected that the power will be exercised. The Home Office states[56] that in practice an order is likely to impose requirements on operators to generate all "necessary" communications data for the services or systems they provide; to collect "necessary" communications data, where such data is available but not retained; to retain the data safely and securely; to process the retained data to facilitate the efficient and effective obtaining of the data by public authorities; and other matters.

62.  These are wide, general requirements which will be contained in an order. We have not seen a draft of such an order, and we have been told that we will not be shown one. But it is clear that the order will only be a framework. The specific requirements will be imposed by secret notices by the Secretary of State. The explanatory notes published with the draft Bill explain: "The expectation is that notices will therefore be individually tailored to each system or service (or class of system or service) in respect of which there is an operational need for communications data to be available from an operator. The notices will describe, by reference to each service and system, the description of data which must be retained, where the data should be stored and, if necessary, how the data should be collected, generated and processed."

63.  A number of points stand out. First, the only limitation on what communications data should be made available is that it should be "necessary". Who decides what is "necessary", and for what purpose, is not specified; but as the word appears in the explanatory notes and not in the clause itself, it provides no reassurance. Secondly, even if we were able to see a draft order, it would be of limited assistance, since the requirements themselves will be in notices agreed between the Home Office and each relevant operator or, if not agreed, imposed on them. Parliament will not even see, still less have any control over, such notices. Thirdly, for the first time the CSPs may have to generate data which they would otherwise not have generated because there was no commercial need to do so. This data must be retained for 12 months—longer if it is required for legal proceedings—and will be available to the public authorities listed in the draft Bill or added to that list by order, for the purposes specified in the Bill, and subject to the safeguards in the Bill.

64.  The power of the Secretary of State under clause 1 has thus been made as wide as possible— deliberately so, for the reasons we explain later. But the Home Office told some of the CSPs that they had no intention of exercising the powers widely, as Sarah Hunter explained on behalf of Google: "...the intent behind the Bill of the officials we met seemed to be very narrow and reasonable. When we pointed out that the powers within the Bill were much broader than that, they could not quite address why there was such a gap."[57]

65.  The Home Office told us almost from the outset of our inquiry that they had no need to issue notices extending to a wide range of data, and no intention of doing so; but, as explained in Chapter 3, they would not tell us publicly what the gaps were which the notices would be used to fill, because they did not want to publicise what data they currently cannot access. They accordingly made this clear only in a confidential annex to their written evidence. Subsequently however, in the second public evidence session with Home Office officials, Richard Alcock said:[58] "We have had discussions [with CSPs] about the additional data types that we may wish those service providers to retain … there is certain information which is not stored routinely by UK CSPs, in some cases web logs and in some cases IP data ... In the majority of cases, fundamentally it is about those two issues, but there is a broad range of other aspects." Charles Farr endorsed this: "As Richard has said, one of the areas where we are struggling is IP resolution. It is not the only area; the web log issue is also important."[59] Subsequently Charles Farr repeated this again, adding that there was also the issue of third party data which needed to be addressed.[60]

66.  We address later in the chapter the vexed issue of whether these data types are all essential. Given the wide anxiety raised by the breadth of clause 1, we pressed the Home Office officials as to why it could not be narrowed to cover only the gaps which currently needed to be filled. Mr Farr's answer was: "The fundamental reason why we are nervous about limiting clause 1 is future-proofing ... Because I genuinely believe that no sooner will you get this legislation through than something else will come up, given the pace of change in the communications industry, which will create another gap, particularly if clever people know that we have filled one area, and so now try to exploit another. Future-proofing and flexibility are at the heart of the language we have used in clause 1." He accepted that the Home Office could and should look again at the drafting of clause 1: "I still come back to the point that we can look again at clause 1 and still have future proofing, because I think we need to emphasise more clearly that the data types we are interested in are only those which are relevant to these core questions." We did receive from Mr Farr the important undertaking that Home Office officials would look at clause 1 again, and advise Ministers on whether it can be changed, enhanced or improved."[61] We believe that it can indeed be changed and improved, by being narrowed to cover specifically the gaps so far identified. An undertaking, whether by officials or by ministers, that a power will be used only to a limited extent, is of little value. Once a power is on the statute book, it is available to be used, and also to be misused or abused, at any time in the future. It is hardly surprising that a proposal for powers of this width has caused public anxiety.

67.  We accept that, given the rapidity of technological change and development in IT, within a relatively short time after the implementation of any legislation the Secretary of State may need to be able to order the retention of other categories of data. We accept too that changes may need to be made from time to time for other reasons. Neither of these justifies the retention of clause 1 in its current form. We note that the Intelligence and Security Committee has come to a similar conclusion and has recommended that: "more thought is given to the level of detail that is included in the Bill, in particular in relation to the Order-making power. Whilst the Bill does need to be future-proofed to a certain extent, and we accept that it must not reveal operational capability, serious consideration must be given as to whether there is any room for manoeuvre on this point: Parliament and the public will require more information if they are to be convinced."

68.   We attach in Appendix 7 a note considering which Parliamentary procedures might be appropriate for making such changes while still retaining Parliamentary control and public confidence. Primary legislation should not in our view be ruled out; even without having resort to emergency legislation, a department like the Home Office with Bills every session should not have much difficulty in securing any necessary changes within a relatively short time. We can however understand the reluctance of ministers to be obliged to have frequent resort to primary legislation. Our recommendation is therefore for an order subject to the super-affirmative procedure we describe in Appendix 7, allowing full consideration by Parliamentary Committees. We caution however that this should not necessarily be assumed to be always a speedier process than primary legislation. Where the case for change can be made out, Parliament will have a duty to attempt to expedite the Parliamentary process, but even so, primary legislation could sometimes be faster. Of course, the inclusion of an order-making power would not preclude the Secretary of State from making use of primary legislation if an appropriate opportunity were to arise.

69.  The Home Office was able to tell us of specific types of data that are currently not routinely retained for business purposes by United Kingdom (and many overseas) CSPs and which would be useful to law enforcement and other investigations. It is the Home Office's intention to issue notices under the Bill to ensure that an unknown number of CSPs retain these specific types of data. The Home Office has however made clear to us that it does not currently need the power under this legislation to require other types of data be retained, and does not for the present intend to issue notices going more widely (except to CSPs which are not covered by the EU Data Retention Directive, which might be asked under this legislation to retain for 12 months data which they already create for business purposes). Clause 1 therefore should be re-drafted with a much narrower scope, so that the Secretary of State may make orders subject to Parliamentary approval enabling her to issue notices only to address specific data gaps as need arises.

70.  The Home Office has argued that there is a case for keeping clause 1 wide because there may be other data types that emerge from time to time which will be important to law enforcement but will not be routinely retained by CSPs for business purposes. We do not accept that this is a good reason to grant the Secretary of State such wide powers now. We do not think that Parliament should grant powers that are required only on the precautionary principle. There should be a current and pressing need for them.

71.  We do however accept that, depending on how the communications world develops, the Home Office may in future need the power to require the retention of other data types. Parliament and government both need to accept that legislation that covers the internet and other modern technologies may need revisiting and updating regularly. We have considered how the Secretary of State might be given powers in the future to allow her to address new and significant data gaps if and when they emerge. The alternatives seem to be either primary legislation on each occasion, or a power to amend clause 1 by order subject to a super-affirmative procedure which would guarantee fuller Parliamentary consideration than a standard affirmative order.

72.  We attach in Appendix 7 a consideration of the relative advantages and disadvantages of each course. On balance our preference is for an order subject to the super-affirmative procedure. We recognise that this will impose obligations on Parliament which it will have a duty to discharge effectively.

IP ADDRESS RESOLUTION AND WEB LOGS

73.  As outlined in paragraph 65, Home Office officials eventually told us in public evidence that they would like clause 1 to enable them to access two specific types of data: subscriber data relating to IP addresses and web logs.

74.  Subscriber data relating to IP addresses is the information that makes it possible to trace who is using an IP address at a given point in time. An IP address is a numerical label assigned to a device connected to the internet (e.g. a computer, smart phone or printer). The IP address of a device is not constant; it may change frequently and be shared between several devices. The originating IP address of a communication is routinely gathered in many types of internet transaction, but if the CSP does not hold information on which of its subscribers held which IP address at a particular point in time it is very hard for law enforcement authorities to prove an association between an action on the internet and a particular individual. Not all United Kingdom providers currently obtain all the data necessary to trace which subscriber is using which IP address. During the course of our inquiry we heard of various circumstances in which the lack of this data has impeded investigations. We accept that if CSPs could be required to generate and retain information that would allow IP addresses to be matched to subscribers this would be of significant value to law enforcement. We do not think that IP address resolution raises particular privacy concerns.

75.  We recommend that a narrower clause 1 should allow notices to be served on CSPs requiring them to generate and retain subscriber data relating to IP addresses.

76.  The term "web logs" is used to refer to a record of information that relates to a communication between a user and the internet. This would include connections to the world wide web (i.e. what websites a person has accessed) and also contacts with other internet services, such as smart phone applications.

77.  The Code of Practice for the Acquisition and Disclosure of Communications Data makes clear that this type of data can be accessed by law enforcement agencies if it is held by CSPs. It provides that anything before the first "/" in a website address is considered to be communications data, and anything after the first slash is considered to be content. So the fact that a person visited www.nhs.uk is communications data and could form part of a web log, but it would not be permissible to record the fact that a person visited www.nhs.uk/conditions/depression. Under the current law if a CSP keeps web log data for business purposes then an order can require them to retain that data for 12 months, but if web logs are never generated—and most CSPs do not generate them for business purposes—there can be no requirement to make them available.

78.  Sir Peter Fahy, Chief Constable of Greater Manchester Police, told us that if it were possible to reconcile IP address and subscriber information and also to identify which websites were visited by a service user this would resolve the data gap,[62] and Peter Davies, Chief Executive of CEOP, agreed,[63] but neither of them provided examples that proved the importance of web logs or referred to cases that had been hampered by the current lack of web log data. The one piece of evidence we saw that went some way to proving a need was during our visit to the Metropolitan Police Service,[64] when officers used real life cases to illustrate how it is hard to identify whom a suspect is communicating with if those communications are conducted over the internet on a mobile phone. Those cases showed that it would be useful to know if suspects were using a website that allowed them to communicate with others because the CSP running that website could then be asked for information about who was contacted. To do this it would be necessary to know the website visited and the IP address assigned to the suspect at that time (so the website could be asked to check who the user of that IP address contacted). This illustrates the Home Office's case that the need for IP address information and the need for web log data are connected.

79.  The kinds of investigations where it is possible to imagine web logs being useful include: enabling the identification of internet services used by a suspect so that further communications data requests can be made from those services; investigating the web log associated with a sex offender to determine whether they had accessed known child abuse websites; and investigating whether a suspect had accessed a known terrorist website.

80.  We have received considerable evidence expressing concern at the idea of web log data being more widely retained and made available to public authorities. A submission signed jointly by representatives from Liberty, Justice, Privacy International, the Open Rights Group, Big Brother Watch and NO2ID made the case that web log data should not fall under the definition of communications data, even though it does already, because it has the potential to reveal considerable personal information about an individual:

"Throughout her oral evidence the Home Secretary sought to articulate a distinction between the content of a communication and the communications data which she characterised as the "who, when, where, how" of a communication.... A record of the addresses of websites visited patently reveals a great deal that is substantive and potentially extremely personal about an individual's life. An individual's browsing history is liable to betray his or her political inclinations, state of health, sexuality, religious sentiments and a huge range of other personal characteristics, preoccupations and individual interests besides. We fail to see that the distinction drawn by the Home Secretary can have any meaning at all if communications data is deemed to include information of this nature."

81.  Retaining web log data would place massive storage demands on CSPs and this would be costly. Some witnesses also expressed concerns that the more information that is stored, and the more sensitive the nature of that data, the greater the chance of a security breach. Given the potentially sensitive nature of web logs, a security breach could be particularly damaging for the individuals whose data was lost. The secure storage of communications data is addressed in Chapter 5. Briefly, it is possible (given a willingness to accept the necessary cost) to achieve a high degree of security of storage. But no one has claimed or could claim that total 100 per cent security can be guaranteed: there is bound always to remain the possibility of a breach, whether as a result of skilled hacking or because of human error or misfeasance.

82.  We accept that web logs are a type of communications data from which significant inferences could be drawn about a person's interests and, perhaps, activities. Web logs are at the more intrusive end of the communications data spectrum and it is at that end that the need for rigorous safeguards is most acute. Safeguards are discussed in Chapter 5. We believe that the SPoC and Designated Senior Officer system now in force, if operated by properly trained and experienced staff, and subject to the safeguards proposed in the draft Bill and the strengthening of those safeguards we are recommending, can provide sufficient safeguards against abuse within the system. The fact that web logs would be accessible only by certain pubic authorities, that access would be on a case-by-case basis and only when access was necessary and proportionate, and the fact that access would be subject to independent review, are also important.

83.  One way of reassuring civil liberties groups and more importantly the general public, while at the same time satisfying the needs of law enforcement agencies, would be to devise a definition of web service that covered only those that could be used as a method of communication. This would cover websites offering e-mail and other messaging services, but not websites that simply supply information. CSPs could then be required only to keep web logs in so far as they related to visits to communications sites. This would however prevent, for example, a CSP from being required to keep records of visits to a site thought to be accessed by terrorists unless that site also enabled users to communicate with each other, or to post messages. Whether or not this would be technically and operationally feasible, and if it was what the associated costs would be, is not something that we have had time to explore.

84.  Whether clause 1 should allow notices that require CSPs to retain web logs up to the first "/" is a key issue. The Bill should be so drafted as to enable Parliament to address and determine this fundamental question which is at the heart of this legislation.

85.  The Home Office and law enforcement agencies and (so far as we know) the intelligence and security services think that access to weblogs is essential for a wide range of investigations. The civil liberties organisations argue that web logs are potentially a highly intrusive form of communications data and that generating and storing web logs gives rise to unacceptable risks to the privacy of individuals.

86.  We are confident that the safeguards in the draft Bill, together with the recommendations we make to strengthen those safeguards, can provide a high degree of protection against abuse of communications data or inadvertent error by public authorities. We acknowledge that storing web log data, however securely, carries the possible risk that it may be hacked into or may fall accidentally into the wrong hands, and that, if this were to happen, potentially damaging inferences about people's interests or activities could be drawn. Parliament will have to decide where the balance between these opposing considerations should be struck.

87.  In 2003, Parliament considered the Code of Practice for the Acquisition and Disclosure of Communications Data which included the guidance that web addresses up to the first "/" should be considered to be communications data. The presentation of this Bill provides an opportunity for Parliament to review this controversial issue.

88.  We also recommend that the Home Office should examine whether it would be technically and operationally feasible, and cost effective, to require CSPs to keep web logs only on certain types of web services where those services enable communications between individuals.

THIRD PARTY DATA

89.  The Bill is intended to require CSPs operating in the United Kingdom, whether based here or abroad, to comply with retention orders served under clause 1 and disclosure requests made by public authorities. As will be made clear in Chapter 6 there are likely to be significant problems with getting CSPs based overseas to recognise the extra-territorial application of United Kingdom legislation, and there will inevitably be cases where overseas CSPs both refuse to retain the data that the United Kingdom Government asks them to retain and refuse to disclose the data that public authorities need. It is not clear, given the level of informal assistance currently offered by the largest overseas based CSPs to disclose information to investigators, especially in urgent cases where lives are at immediate risk, how significant a problem this actually is. Some overseas based CSPs are likely to take a more pragmatic approach than others. It is because of the variable approaches of the different overseas CSPs to providing communications data that the Home Office argues that power is also needed under clause 1(3)(c)(ii) to require United Kingdom CSPs to store and disclose communications data traversing their networks which relates to services from other providers. This is commonly referred to as the third party provision. A simple illustration is that using the third party provision it would be possible to ask a United Kingdom broadband provider to collect data on e-mails crossing its network when those e-mails were sent using one overseas based e-mail provider to another overseas based e-mail provider.

90.  The third party provision has proved particularly controversial both because of technical concerns and because, as LINX put it, "The collection and processing of "third party" communications data by network operators is a substantial extension of their duties that is, in our opinion, materially distinct from existing data retention requirements, amounting to a complete novelty". Big Brother Watch agreed, saying that if these provisions are passed UK CSPs could in future be described as "private surveillance operations".

91.  To understand the technical concerns it is useful to understand a little about how third party data would be collected. It would be necessary to place data probes within a CSP's network and those probes would be programmed to generate information from network links within the CSP. Deep Packet Inspection (DPI) would be used to isolate key pieces of information from data packets in a CSP's network traffic. The Home Office seemed confident that this was technically possible. Other witnesses questioned whether it is technically feasible to extract meaningful and helpful information from third party services. One of the primary technical challenges would be dealing with encrypted data.

92.  Many internet services are encrypted; this includes many of the major overseas based communications services such as Gmail. Encryption is the basis of internet security and companies encrypt their services to protect their customers. If these companies are asked directly for communications data and agree to supply it, whether under RIPA or following a request under a Mutual Legal Assistance Treaty (MLAT), then they will decrypt the information, extract the relevant communications data and provide it to the requesting authority in an accessible format. They told us however that if information about their service was collected by another CSP they would not cooperate in helping decrypt it. Sarah Hunter from Google explained:

"From a Google Inc perspective, we are very confident about the security of our encryption. If a valid RIPA request comes in or UK law enforcement goes through the MLAT, receives a court order and in turn gets Gmail user data, we will obviously provide that data decrypted. If it was to use a third-party provider to gather the encrypted data, I think it very unlikely that Google Inc would provide anyone outside Google Inc with that key. That is simply because, as everyone said earlier, security is our most important asset. Our relationship with our users is predicated on trust. Without that, we have no business".[65]

93.  Several witnesses questioned whether valuable communications data could be retrieved from encrypted services. Services encrypt not only content but much of the communications data too, and the UK CSP whose network the encrypted service is crossing will not be able to decrypt the package, nor could they legally do so because to do so would be to intercept content. As Everything Everywhere put it, "even if we were able to decrypt, you would have to open the whole packet, and then you are looking at the content".[66] UK CSPs will not be able to hand over the whole encrypted package to law enforcement or the Home Office because to do so would be to hand over content.

94.  Bob Hughes, Government Programme Manager at Telefónica UK-O2, gave a helpful illustration of the kind of data that a UK CSP would be able to provide about an encrypted third party service:

"When we are talking about picking up third-party data, we are now talking about gateway-to-gateway data. This is very similar to a lot of letters having been passed to a delivery box on one side of the network, put into a big courier delivery box and crossing our network to a terminating distribution box on the other side. Then, all those letters are taken out of the box and sent on to their various places... All that we will see when we look at those encrypted data are the two points of the gateway. We are storing all of these communications, which are just gateway-to-gateway. We cannot hand over the whole box because we know that that includes content. We can give you only the piece that is on the outside of the box that includes all the encrypted data. Therefore, the value, by comparison with the letter and its journey from A to B, is much reduced."[67]

95.  Although this may sound of limited utility Home Office officials said it could still be valuable to ongoing investigations: "Encrypted data can still be very important and can give you unencrypted chunks of data which are relevant to the three questions which we are asking ourselves and to which we come back all the time."[68]

96.  One of the significant risks of the third party provision is that it may actually lead to an increase in the number of services that use encryption, and this could actually reduce the amount of communications data available to in the United Kingdom, a serious unintended consequence directly at odds with the stated purpose of the legislation. Evidence that this was a real risk came from Simon Milner, the Director of Policy for UK and Ireland of Facebook, who explained:

"The security of our networks and the security of how we store and look after customer data are fundamental to our businesses. Therefore, when we are concerned that someone else might be trying to intercept our data, we will move heaven and earth to ensure the security of our network. It is a grave concern to us that it might well be part of the new framework that UK CSPs might be required to retain these data. One would expect there to be not only implications for relationships in the internet value chain but changes in behaviour by users. Facebook users already have the ability to encrypt their traffic, and we would expect many more UK users to choose to do so were that kind of measure to be introduced".[69]

97.  This issue was also highlighted in evidence from Virgin, ISPA and Telefónica UK-O2.[70]

98.  Microsoft questioned how a United Kingdom CSP would identify which encrypted information it would be necessary to store in order to comply with a third party provision notice:

"How can we guarantee that the CSP has identified the right packets to be stored? Multiple providers, Skype included, use obfuscation techniques precisely to avoid being detected by deep packet inspection equipment. My question is a technical one: how would they guarantee that they would be storing the correct data under the order?"[71]

99.  There are some instances of services that not only encrypt but have specific software to ensure no communications data is kept about their users, and no websites can identify their users when they visit. For example, we took evidence from the Tor Project, a not-for-profit organisation which encrypts and redirects its users' communications to ensure they cannot be traced. The Tor Project is used by people trying to circumvent national censorship schemes, by victims of crime, by military personnel working undercover, by journalists wishing to protect their sources and by whistleblowers.

100.  Encryption is not the only technical challenge posed by the third party provision. We received evidence questioning whether DPI technology could cope with the level of traffic that moves across service provider networks. ISPA stated that "DPI and such technology can be used by ISPs for legitimate traffic management processes, but it does not follow it could be repurposed to fulfil the requirements set out in the draft Bill. We are yet to be convinced that current hardware can handle the volume of traffic that moves across service provider networks at this level".

101.  One of the key technical challenges would be to programme DPI systems to isolate communications data information from the content of messages sent. Even BAE Systems Detica, who as manufacturers of DPI technology were confident of its capabilities, admitted that it would be challenging to keep the DPI systems up to date with changes that originating CSPs make to the underlying formats and protocols used by those services.[72] The pace at which CSPs change their systems (particularly proprietary ones) can be very fast. This means that DPI system manufacturers and CSPs would need to devote significant resources to monitoring and updating systems both to maintain coverage and to operate correctly. Microsoft confirmed this:

"We have a dedicated team involved in this obfuscation constantly in order to protect the integrity of the communications. At the same time, DPI equipment manufacturers have guys on the other side trying to work out what we are doing. That will continue. The point about it from the perspective of this draft Bill is that it costs money to maintain DPI equipment. We do not just buy once; there is a constant need to pay to have it updated in order for it to perform. That is the key here—it is very expensive".[73]

102.  The concerns about the third party provisions are not limited to questions about their technical feasibility. UK CSPs would find it challenging to understand even non-encrypted communications data belonging to other services. Under the current system the Home Office works with CSPs to categorise their data, agree what should be exempted as content, and then list the data available in the "SPoC book". Only the company that generates the data can give an informed opinion about how the data should be categorised. A third party will not easily be able to judge whether a law enforcement agency is right to categorise a request for third party data as, for example, "subscriber data", or even as data rather than content. The only data type the third party could confidently identify is traffic data. This was illustrated by Jonathan Grayling from Everything Everywhere: "I think we could probably stand a pretty good chance of identifying what is content and communications data in our own data, because we understand it: we understand how our systems work and how we interpret it. But to understand third-party data, even if it is not encrypted, is going to provide challenges".[74]

103.  The UK CSPs were also concerned about the commercial implications of the third party provision. They rely on good relationships with the main internet service providers, many of whom are based overseas. If some of those providers choose not to cooperate with this legislation but are aware that UK CSPs may be ordered to collect data on their services, then this could change the nature of their relationship. This was a significant concern for the UK CSPs.[75]

104.  The cost of constantly reprogramming DPI probes to keep abreast of changes to third party services has already been mentioned. This is not the only significant cost concern. The cost of the DPI probes themselves would be significant, and that and the costs of the large scale storage demands worry the UK CSPs.[76] Their concerns will be explored further in Chapter 7.

105.  Given the significant concerns about the third party provision some witnesses have called for it to be dropped.

106.  When the UK CSPs gave evidence to us in September they stated that Home Office officials had given them oral assurances that the third party provision would be invoked only after the original service provider had been approached and all avenues to get them to comply with requests for communications data had been exhausted. The UK CSPs also said they had been given assurances that they would not have to decrypt third party data. These reassurances were important to them and they were very concerned that there was nothing in the Bill to back-up the Home Office's promises.[77]

107.  We explored this issue with Home Office officials in October and Charles Farr repeated the reassurance he had given the UK CSPS:

"I think they [the UK CSPs] were under the misapprehension that we might go to them to collect third-party data, even before asking the third-party to cooperate with us. They were understandably concerned if that were to be the case. Were it to be the case, the costs would be rather different from what they otherwise might be. I hope we have reassured them. I would repeat, if I may, that it would be in extremis for us to go to them and ask for the collection of third-party data. In the vast majority of cases we do not expect to, and we have calculated the costs accordingly."[78]

"If they cannot distinguish communications data from content they will not be required to retain it. We are not asking for the storage of masses of encrypted data."[79]

108.  When asked whether he agreed that the legislation should reflect these assurances Charles Farr agreed to look at it.[80] We note that the Intelligence and Security Committee has recommended that "the Home Office should have to demonstrate due diligence before resorting to the use of DPI to collect communications data from overseas CSPs" and that this should be reflected on the face of the Bill.

109.  The Home Office knows that not all overseas CSPs will comply with retention notices. It is for this reason that the notices issued under the order-making powers in clause 1 may require UK CSPs to keep third party data traversing their networks. UK CSPs are rightly very nervous about these provisions. The Home Office has given an oral commitment to UK CSPs that the Home Secretary will invoke the third party provisions only after the original data holder has been approached and all other avenues have been exhausted. The Home Office has also given a commitment that no CSP will be asked to store or decrypt encrypted third party data. These commitments should be given statutory force.

Filtered data

110.  Clause 14 provides a power to establish filtering arrangements to facilitate the acquisition of communications data. The Request Filter would be used for complex communications data inquiries that cover several CSPs. As the Home Office explained, "Internet communications services are technically different from the telephone services of the past. The communications data now needed to understand the 'who, how, when and where' of a single communication may no longer be held by a single communications provider".[81] Rather than a public authority having to submit separate requests to several CSPs, it would submit one request through the Request Filter which would then interrogate the multiple CSP databases and automatically analyse the returns, providing investigators with only the relevant data. CSPs could design their systems to allow full automation of requests through the filter, or they could decide to have staff check each request before allowing the Request Filter to access data. It is important that CSPs have this choice.

111.  The Government's case for the Request Filter is that it "is intended to enable law enforcement agencies to continue acquiring complex communications data in a way that minimises collateral intrusion".[82] The Home Office sees the benefits as: minimising human error, speeding up complex requests and minimising collateral intrusion. The Request Filter is little different from the work that investigators currently carry out comparing data from multiple CSPs when dealing with complex enquiries. The difference is that it will be an automated process which may be faster and less prone to human error, but will require significant work to develop and will require the Home Office to impose technical requirements on each provider to ensure that data from the provider's systems is always returned to the Filter in the same technical format, thus facilitating easy data comparison.

112.  The Home Office is at pains to assert that the Request Filter is not a central database: "The legislation makes clear that the Filter can only acquire and process communications data to answer a specific public authority request. Once that request has been answered the Filter will permanently delete all the communications data it acquired".[83] The Home Office emphasise this point because in May 2008, when the last Government announced plans for legislation which would have required communications data to be stored for a year in a purpose-built database, the plans were heavily criticised, not least by the two Parties that now make up the coalition Government.

113.  It is however important to consider how different the proposals for the Request Filter really are from the previous Government's proposals for a central database. A central database would have been one repository of communications data provided by the CSPs but stored on a Government owned and operated database. The Request Filter is a Government owned and operated data mining device which, to work efficiently, requires each CSP to maintain its own database of all its communications data in a common format. Each CSP database will be able to be accessed at any time by the Request Filter. So the same data is being stored about the same people and it is being stored in databases which are accessible to public authorities given powers under the Bill. The difference is that instead of one database there are many and they are privately owned. Although they are privately owned the Government can stipulate what should be held on them, for how long, and in what format it should be supplied. The differences therefore are not as great as the Home Office suggests; the Request Filter can be equated to a federated database.

114.  There is also vigorous debate about whether the Home Office is right to argue that the Request Filter minimises collateral intrusion and thus is a tool in protecting privacy. On the contrary, many witnesses see it as a threat to privacy. For example LINX stated that:

"Clauses 14-16 establish a requirement that communications data be processed and assembled by matching related data from different operators, such that the relationships between diverse data elements relating to a particular user are capable of being machine-processed as such. In other words, the draft Bill requires the functional equivalent of building communications data profiles on every user, which will contain everything within the definition of communications data, including time and geolocation data".

115.  LINX point out that it would be technically possible to "perform profile searches of the following format: 'List all persons who are the designated user of a mobile phone that was in Location (e.g. Trafalgar Square) at Time (e.g. noon last Tuesday), and who have read any of the following websites more than once in the past period (e.g year)' ".

116.  There are also questions as to whether the Filter amounts to a "general monitoring" obligation, contrary to Article 15 of the EU E-Commerce Directive.[84] This is not something we have had time to investigate but it is an issue the Home Office should consider.

117.  The Request Filter would make it technically possible to perform profile searches on individuals. If it was used in this way there is a risk that it could amount to general monitoring, but there are safeguards to prevent this. Every request to the Request Filter will have to go through the same authorisation process set out in Chapter 2. This includes a requirement to explain why the request is necessary and proportionate, and needs the authorisation of a Designated Senior Officer. In addition the draft Bill puts obligations on the IoCC to monitor the operation of the Request Filter and examine the audit trails produced. This safeguard is key, as Professor Peter Sommer told us:

"If these safeguards are not rigorously applied and fully examined by the Interception of Communications Commissioner there is a risk that that what is described as "request filtering" becomes large-scale data mining; the necessity and proportionality tests need to be applied not to just the individual data streams as supplied by CSPs but to the likely effect when they are assembled together."

118.  We consider in the following chapter the role of the IoCC in maintaining public confidence in the Filter.

WHO WILL DESIGN, PROGRAMME AND MAINTAIN THE REQUEST FILTER?

119.  The draft Bill makes the Secretary of State responsible for setting up and maintaining any filtering arrangements, and provides the power to transfer this responsibility to a designated public authority. Day to day operation of the filtering arrangements may be carried out by an approved body. Evidence from the Home Office suggests that if the Secretary of State was to transfer her powers to a designated public authority it would be to the new National Crime Agency.[85] The scope of the Bill does not limit who the day to day operation can be transferred to, and some witnesses have expressed concern that it could be GCHQ which is not accountable to the public or to Parliament, although any transfer of functions would not affect the Secretary of State's responsibility for the exercise of the functions.

120.  Some witnesses have questioned whether it is appropriate that the Secretary of State should be responsible for the operation of the Filter. Professor Peter Sommer argued that "making this a function, direct or delegated, of the same Secretary of State who also issues interception warrants and orders under the draft Bill is surely a mistake; if there is to be a credible and viable independent filtering agency much more needs to be said about its resources and governance."

121.  The Request Filter will be a very complicated piece of technology. It will need to be constantly updated as new CSPs are added, existing CSPs merge or CSPs change the kind of communications data they have available and the format in which it is held. Witnesses have expressed concern that the public sector will not be able to attract and retain programmers of sufficient skill to design and maintain a robust and effective filter. Professor Peter Sommer wrote: "it will need resources, among them highly skilled staff who are familiar with the law, the applicable technologies and police investigative procedure - and who can also act independently. They will almost certainly need high levels of security clearance. In the private sector such people are likely to earn fairly high income; moreover they will want some form of career structure and stability. But there may not be a sufficiently consistent flow of work to make this possible."

122.  Whoever operates the Request Filter will need significant expertise and staff at their disposal. If CSPs update their system and the Request Filter is not adjusted there is a risk that results will be incomplete, rendering them useless. The Bill should be amended to say that the Secretary of State may transfer her responsibilities for operating the Request Filter to the soon to be established National Crime Agency but not to other bodies. The National Crime Agency will need appropriate resources and this should be reflected in the revised cost/benefit analysis.

EVIDENTIAL QUALITY OF REQUEST FILTER RESULTS

123.  The Home Office's written evidence explains that "It will be possible to manually check that the Filter had functioned correctly (to ensure that the result is sound) that there will be an audit trail of filter requests."[86] We were not provided with information about how detailed this audit trail will be and how the audit trail sits with the requirements that "once the processing and filtering to answer a request is complete all acquired communications data is immediately destroyed". The quality of the audit trail is important because if Request Filter results are to be used as evidence in criminal proceedings, whether for the prosecution or the defence, they will need to meet evidential standards. Several of our witnesses, including LINX, questioned whether they would.

124.  However the Director of Public Prosecutions was not concerned that results from the Request Filter might not meet evidential standards. His view was that although there would be challenges the Filter arrangements were "workable provisions".[87] This was also the view of Lord Carlile of Berriew QC[88] and the IoCC.[89]

125.  It is our view that the quality of the audit trail will be key to ensuring that results from the Request Filter meet evidential standards. It will be necessary for the prosecution to prove that a result from the Filter is robust and reliable. To do this they will need a clear audit trail that enables them to re-run the data processing exercise in order to satisfy the jury that the correct questions were asked of the Filter and that the results were accurate. This will require data needed for criminal proceedings to be held for more than 12 months; this includes the collateral data that the Filter will have excluded from the result it provided. Without that collateral data a request could not be recreated.

126.  The Request Filter will speed up complex inquiries and will minimise collateral intrusion. These are important benefits. On the other hand the filter introduces new risks, most obviously the temptation to go on "fishing expeditions". New safeguards should be introduced to minimise these risks. In particular the IoCC should be asked to investigate and report on possible fishing expeditions and to test rigorously the necessity and proportionality of Filter requests.

Accessible by whom?

127.  We explained in Chapter 2 that, of the many public authorities currently allowed to access communications data, the only ones listed in section 25 of RIPA are police forces, SOCA (soon to be replaced by the new National Crime Agency) and the Scottish Crime and Drugs Enforcement Agency (SCDEA), HMRC and the intelligence and security services. "Police force" and "intelligence service" are defined in section 81(1) of RIPA. All other public authorities permitted to access communications data are empowered to do so by order of the Secretary of State. Clause 21(1) of the draft Bill follows exactly the same pattern, save that the SCDEA do not appear in the list. Again, if any other public authorities are to be added to the list, this would be by order of the Secretary of State, subject to affirmative resolution.

128.  We are satisfied that the four main users currently listed in the draft Bill—the police, SOCA, HMRC and the intelligence and security services—should remain on the face of the Bill as public authorities allowed access to communications data. Together they currently account for 99% of requests for communications data, and we have no doubt that they should continue to have access to it, subject always to the enhanced safeguards we suggest in Chapter 5.

129.  We have considered whether there are other authorities for which an equally strong case can be made, so that they too should be listed in the Bill even though the use they make of communications data is on a smaller scale. We believe that there are two such bodies. The first is the Financial Services Authority (FSA). In the last three years it has made 5,459 requests for access to communications data,[90] 2,325 of them in 2011.[91] The matters it deals with are of increasing importance. The second is the UK Border Agency (UKBA). It is not listed as such in the current Order:[92] instead there is a reference to the Home Office, but the persons designated to grant authorisations are officials of the UKBA. They have made 10,103 requests in the last three years,[93] some dealing with key immigration offences such as people smuggling and trafficking, in addition to more routine immigration crimes. The UKBA too should in our view appear on the face of the Bill, but under its own name rather than as the Home Office.

LOCAL AUTHORITIES

130.  Of some 600 public authorities authorised to access communications data, over 400 are local authorities, which are permitted to acquire subscriber data or use data but not traffic data. Trading standards departments are the principal users of communications data within local authorities, although the environmental health departments and housing benefit fraud investigators also occasionally make use of the powers. Local authorities enforce numerous statutes and use communications data to identify criminals who persistently cheat consumers, the taxpayer, deal in counterfeit goods, and prey on the elderly and vulnerable. The environmental health departments principally use communications data to identify fly-tippers. [94]

131.  In 2011 141 local authorities notified the IoCC that they had made a total of 2,130 requests, which is just 0.4% of all communications data requests submitted by public authorities. Despite this, local authorities accounted for 9% of the reportable errors. The evidence we received shows that errors by local authorities cause public concern out of all proportion to the numbers involved. This seems to be because examples of misuse or abuse of the system are not only relatively frequent, but also particularly alarming.

BOX 6: Failure of authorisation by local authorities

The IoCC found that in 2011 two local authorities made a total of 52 requests which were not approved by a person of sufficient seniority to act as a designated person, and were therefore unlawful. In one of those authorities the same person had acted as the applicant, SPoC and designated person, so that there was a complete lack of scrutiny; in effect the requests were self-authorised. In two instances in two different local authorities the SPoCs processed and the designated persons approved the acquisition of traffic data, which local authorities are not permitted to acquire.

132.  The IoCC reported one case where a local authority used communications data in relation to a matter which was not a criminal offence at all, and did not come close to being a permitted purpose.

BOX 7: Use of communications data for an unauthorised purpose

An allegation was made that a parent living outside the catchment area of a school provided an address within the catchment area to secure a school place. Communications data was requested to provide evidence of residence and to confirm the genuine address. The application stated that the Schools Admissions Department would withdraw the place for the child if the allegation was substantiated, but no criminal offences were specified. Nevertheless the application was authorised and the data released.

133.  This was a case which caused considerable public disquiet; no fewer than seven of our witnesses referred to it in written evidence. [95] What causes us still further disquiet is the statement from the IoCC that "I was satisfied from this that the conduct undertaken by the Council did not amount to wilful or reckless use of the powers. It is clear that the Council went through a considered thought process, that legal advice was sought prior to submitting the application and that there were ongoing discussions in relation to whether a prosecution was feasible." This does nothing to allay our own anxieties. It scarcely needs legal advice to work out that the support of a schools admissions policy is not a proper use of communications data. Sir Paul Kennedy has also argued that "The controls are perfectly in place. I know there has been the odd incident about the school catchment area, or something like that, but they are the odd incident and if there is a criticism—and I have said this in a report before—it is that local authorities do not always use these powers as much as perhaps they ought to, to deal with the type of offending that they are entitled and required to investigate, and probably have no other means of investigating."[96]

134.  The IoCC reports that, of the 141 local authorities which notified him that they had made use of their powers in 2011, 58% had made fewer than 10 requests. This plainly contributes to the number and gravity of the errors: those processing applications for access to communications data do so infrequently and have relatively little experience of the system. When local authorities were added to the list of relevant public authorities[97] there was no suggestion that applications by them should be subject to a different procedure from applications by other public authorities. However the Coalition Agreement included the following undertaking: "We will ban the use of powers in the Regulation of Investigatory Powers Act (RIPA) by councils, unless they are signed off by a magistrate and required for stopping serious crime."[98] Section 37 of the Protection of Freedoms Act 2012, which came into force on 1 November, added to RIPA two new sections 23A and 23B, the effect of which is that authorisations for local authorities to access communications data do not take effect unless and until approved by a justice of the peace in England and Wales, a sheriff in Scotland, or a district judge (magistrates' courts) in Northern Ireland.

135.  There are thus historical reasons why, in the case of RIPA, it is the Act which provides the conditions subject to which local authorities can access data, even though it is not the Act itself which grants them the right of access. We can see no reason why the draft Bill should follow this pattern; yet clause 11 specifies that judicial approval is needed for access by local authorities, which are defined by clause 21(1), even though they would have no right at all to access communications data unless under the Bill, once enacted, the Secretary of State made an order permitting such access.

136.  If it is thought that local authorities, or some of them, should have access to communications data, they should follow the procedure we have suggested for all other public authorities. We deal in the following chapter with the question of the conditions which should apply to any access by local authorities.

137.  Any public authorities which make a convincing business case for having access to communications data should, like the six we have specified in paragraphs 128 and 129, be listed on the face of the Bill. We expect this to be a greatly reduced number when compared to the authorities currently listed in the Regulation of Investigatory Powers (Communications Data) Order 2010.

138.  Any necessary changes to this list should be made by order subject to the super-affirmative procedure which includes the opportunity of scrutiny by the appropriate Select Committee.

Accessible for what purposes?

139.  Clause 9(6) of the draft Bill sets out the purposes for which it is permissible to access communications data. It reads:

(6)   For the purposes of this section it is necessary to obtain communications data for a permitted purpose if it is necessary to do so—

(a)  in the interests of national security,

(b)  for the purpose of preventing or detecting crime or of preventing disorder,

(c)  for the purpose of preventing or detecting any conduct in respect of which a penalty may be imposed under section 123 or 129 of the Financial Services and Markets Act 2000 (civil penalties for market abuse),

(d)  in the interests of the economic well-being of the United Kingdom,

(e)  in the interests of public safety,

(f)  for the purpose of protecting public health,

(g)  for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department,

(h)  for the purpose, in an emergency, of preventing death or injury or any damage to a person's physical or mental health, or of mitigating any injury or damage to a person's physical or mental health,

(i)  to assist investigations into alleged miscarriages of justice, or

(j)  where a person ("P") has died or is unable to identify themselves because of a physical or mental condition—

(i)    to assist in identifying P, or

(ii)    to obtain information about P's next of kin or other persons connected with P or about the reason for P's death or condition.

140.  Purposes (a), (b) and (d) to (h) were in RIPA as originally enacted. Purposes (i) and (j) were added in 2006 by Order[99]—the only such additions. Only purpose (c) is new. Schedule 2 to the draft Bill would amend section 175 of the Financial Services and Markets Act 2000 so that the FSA could not require CSPs to disclose data for the purposes of investigations. Conversely, under paragraph (c) data could be obtained to prevent or detect conduct which would not necessarily constitute a criminal offence. We are satisfied that this is a legitimate purpose, and it is for this reason that we stated in paragraph 129 that a good case can be made for adding the FSA to the list of public authorities on the face of the Bill.

141.  Much the most common reason for requesting and accessing communications data is "preventing or detecting crime"—purpose (b). "Crime" can of course include trivial offences, and only the requirements of necessity and proportionality can prevent communications data being used for such crimes. But in evidence to us the Home Secretary was referred to an article she had written in The Sun, where she had said that "Only suspected terrorists, paedophiles or serious criminals will be investigated under the Bill". She confirmed that this was the "main purpose" of the Bill.[100]

142.  The draft Bill has annexed to it the Home Office memorandum on compatibility with the ECHR, and in particular with Article 8, the right to privacy. Article 8 reads:

"(1)  Everyone has the right to respect for his private and family life, his home and his correspondence.

(2)There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

143.  Article 8(2) is tantamount to an exhaustive list of permitted purposes; no purpose which does not fall within those words would be permissible. Two such purposes have been added in the space of 12 years. It is now proposed to add a third. We believe it is unlikely that a good case can be made for yet further permitted purposes. Clause 9(7), like the existing provision in RIPA, would allow the Secretary of State, by order subject to affirmative resolution, to add yet more permitted purposes. However the Home Secretary told us: "We have certainly got no intention of setting out any permitted purposes beyond those that are in the draft Bill."[101]

144.  We sought the views of the House of Lords Delegated Powers and Regulatory Reform Committee on clause 9(7), and their conclusion was that "were a Bill to be introduced containing the same power as in the draft, we would not necessarily find it acceptable just because it derives from existing legislation." We agree. We believe that any additions of further permitted purposes should be by primary legislation, and that clause 9(7) should be deleted.

145.  The fact that there are ten permitted purposes does not mean that relevant public authorities should have access to communications data for all those purposes. Currently no authority, not even any of the four core authorities, is permitted access for all these purposes. The police do not need, and do not have, permission to access data for tax purposes or to investigate miscarriages of justice. Only HMRC need, and have, access for tax purposes; only the Criminal Cases Review Commission, and its Scottish equivalent, need and have access to investigate miscarriages of justice, and they have access for no other purpose. The fire and ambulance services routinely have access only in the case of life-threatening emergencies. These are important limitations. Scrutiny of draft orders which would add public authorities to the list of those permitted access to communications data should ensure that access is permitted only for those purposes which are strictly necessary.

146.  Of the ten permitted purposes in clause 9(6) of the draft Bill, seven were in RIPA originally, two were added by order in 2006, and one is new. We think it unlikely that there are any other as yet unidentified purposes which could properly be added. The House of Lords Delegated Powers and Regulatory Reform Committee has recommended that any additions to this list should require primary legislation. We agree. Clause 9(7), which allows the Secretary of State to add further permitted purposes by order, should be deleted.

147.  We are concerned that the long list of permitted purposes for which communications data can be requested adds to public disquiet about the breadth of the Bill. While we do not make specific recommendations about how this list could be shortened, we recommend that the Government should consult on whether all the permitted purposes are really necessary.


49   Q 421. See also the replies of Simon McCready (Virgin) (Q419), Jonathan Grayling (Everything Everywhere) (Q421), Bob Hughes (Telefónica/O2) (Q422), and Mark Hughes (BT) (Q423). Back

50   QQ 548-549 See also the evidence of Stephen Collins (Hotmail) and Sarah Hunter (Google) (Q547). Back

51   This evidence was given on 6 September. Back

52   QQ 603-608 Back

53   QQ 841-847 Back

54   QQ 841-842 Back

55   QQ 843 Back

56   In the Explanatory Notes to the draft Bill Back

57   Q 553 Back

58   Q 865 Back

59   Q 869 Back

60   Q 919 Back

61   Q 869 Back

62   Q 1096 Back

63   Ibid. Back

64   See Appendix 4. Back

65   Q 595 Back

66   Q 438 Back

67   Q 435 Back

68   Charles Farr, Q 933 Back

69   Q 628 Back

70   Q 26 Back

71   Stephen Collins, Q 632 Back

72   Evidence given in private; this reply cleared for publication. Back

73   Stephen Collins, Q 634 Back

74   Q 500 Back

75   e.g. Virgin Q 420, LINX written Back

76   e.g. see Vodafone and BT Q 452 Back

77   e.g. Everything Everywhere, Q 422 Back

78   Q 883 Back

79   Q 933 Back

80   Ibid. Back

81   Written evidence, paragraph 113 Back

82   Ibid. Back

83   Written evidence, paragraph 118 Back

84   Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (OJ L178 of 17 July 2000). Article 15(1) provides: "Member States shall not impose a general obligation on providers … to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity." Back

85   Q 94 Back

86   Paragraph 117 Back

87   Q 819 Back

88   Supplementary written evidence Back

89   Q 689 Back

90   Home Office Business Cases for Public Authorities not currently listed in the draft Communications Data Bill. Back

91   2011 Annual Report of the Interception of Communications Commissioner, HC 496. Back

92   The Regulation of Investigatory Powers (Communications Data) Order 2010, SI 2010/480. Back

93   Home Office Business Cases for Public Authorities not currently listed in the draft Communications Data Bill. Back

94   2011 Annual Report of the Interception of Communications Commissioner, HC 496. Back

95   This has to be distinguished from a similar case of a local authority using directed surveillance powers under Part II of RIPA, and not powers under Chapter II of Part I (Jenny Paton and others v Poole Borough Council (2010) IPT/09/01/C) http://adam1cor.files.wordpress.com/2010/08/investigatory_powers_tribunal_ruling.pdf  Back

96   Q 678 Back

97   by Article 3 of the Regulation of Investigatory Powers (Communications Data) Order 2003, SI 2003/3172. Back

98   Chapter 4: Communities and Local Government. Back

99   The Regulation of Investigatory Powers (Communications Data) (Additional Functions and Amendment) Order 2006, SI 2006/1878 which is now consolidated by the Regulation of Investigatory Powers (Communications Data) Order 2010, SI 2010/480. Back

100   QQ 1158-1159 Back

101   Q 1158 Back


 
previous page contents next page


© Parliamentary copyright 2012
Prepared 11 December 2012