Draft Communications Data Bill - Draft Communications Data Bill Joint Committee Contents

8  Conclusion, and summary of recommendations.

Overall conclusion

278.  It is the duty of government—any government—to maintain the safety and security of law-abiding citizens, so that they may go about their lives and their business as far as possible in freedom from fear. This is not only in the public interest; it is in the interest of law-abiding members of the public. For this the law enforcement authorities should be given the tools they need. Reasonable access to some communications data is undoubtedly one of those tools.

279.  Government also has a duty to respect the right of law-abiding citizens to privacy and their ability to go about their lawful activities, including their communications, without avoidable intrusions on their privacy.

280.  These duties have the potential to conflict. The law enforcement agencies, including for this purpose the Home Office, tend not unnaturally to give greater weight to the requirements of safety and security. Most of the other people and organisations who have given evidence to us have formally recognised, sometimes with little more than a perfunctory nod, the need for the law enforcement agencies to have limited access to at least some communications data, but have placed greater weight on the need to respect privacy. Where and how the balance should be struck between these conflicting duties in a mature Parliamentary democracy Parliament has to decide; indeed perhaps only Parliament can in the end decide. It has been our purpose in scrutinising this draft Bill to help Parliament in the challenging task of reaching its decisions when it comes to deal with proposals for legislation dealing with these matters.

281.  Our overall conclusion is that there is a case for legislation which will provide the law enforcement authorities with some further access to communications data, but that the current draft Bill is too sweeping, and goes further than it need or should. We believe that, with the benefit of fuller consultation with CSPs than has so far taken place, the Government will be able to devise a more proportionate measure than the present draft Bill, which would achieve most of what they really need, would encroach less upon privacy, would be more acceptable to the CSPs, and would cost the taxpayer less. We make detailed recommendations accordingly on the content of a revised Bill.

Summary of recommendations for the way forward

Is there a need to access more communications data?

282.  Part of the data gap is down to a lack of ability on behalf of law enforcement agencies to make effective use of the data that is available. Addressing this should be a priority. It does not require fresh legislation but will involve additional expenditure.

283.  We accept that IP addresses and web logs and data generated for business purposes but not retained by overseas CSPs are three data types which the law enforcement and other agencies cannot always access. We discuss in this report whether access to these data categories is necessary and if it is to be enabled, the additional safeguards which will need to be introduced.

Failure to consult

284.  Before re-drafted legislation is introduced there should be a new round of consultation with technical experts, industry, law enforcement bodies, public authorities and civil liberties groups. This consultation should be on the basis of the narrower, more clearly defined set of proposals on definitions, narrower clause 1 powers and stronger safeguards which are recommended in this report. The United Kingdom and overseas CSPs should be given a clear understanding of the exact nature of the gap which the draft Bill aims to address so that those companies can be clear about why the legislation is necessary.

285.  Even though many of them are prepared to cooperate on a voluntary basis, they should also be told what obligations might be imposed on them. For many, their willingness to cooperate voluntarily will be reinforced if there is a statutory basis for the requirement.

286.  Meaningful consultation can take place only once there is clarity as to the real aims of the Home Office, and clarity as to the expected use of the powers under the Bill. CSPs should be consulted on the basis of drafts of the specific notices which will be served on them; these will have the detail of the obligations to be imposed on them, and enable them to undertake a better assessment of feasibility and of the resources and timescales involved.

The breadth of clause 1

287.  The Home Office was able to tell us of specific types of data that are currently not routinely retained for business purposes by United Kingdom (and many overseas) CSPs and which would be useful to law enforcement and other investigations. It is the Home Office's intention to issue notices under the Bill to ensure that an unknown number of CSPs retain these specific types of data. The Home Office has however made clear that it does not currently need the power under this legislation to require other types of data be retained, and does not for the present intend to issue notices going more widely (except to CSPs which are not covered by the EU Data Retention Directive, which might be asked under this legislation to retain for 12 months data which they already create for business purposes). Clause 1 therefore should be re-drafted with a much narrower scope, so that the Secretary of State may make orders subject to Parliamentary approval enabling her to issue notices only to address specific data gaps as need arises.

288.  The Home Office has argued that there is a case for keeping clause 1 wide because there may be other data types that emerge from time to time which will be important to law enforcement but will not be routinely retained by CSPs for business purposes. We do not accept that this is a good reason to grant the Secretary of State such wide powers now. We do not think that Parliament should grant powers that are required only on the precautionary principle. There should be a current and pressing need for them.

289.  We do however accept that, depending on how the communications world develops, the Home Office may in future need the power to require the retention of other data types. Parliament and government both need to accept that legislation that covers the internet and other modern technologies may need revisiting and updating regularly. We have considered how the Secretary of State might be given powers in the future to allow her to address new and significant data gaps if and when they emerge. The alternatives seem to be either primary legislation on each occasion, or a power to amend clause 1 by order subject to a super-affirmative procedure which would guarantee fuller Parliamentary consideration than a standard affirmative order.

290.  We attach in Appendix 7 a consideration of the relative advantages and disadvantages of each course. On balance our preference is for an order subject to the super-affirmative procedure. We recognise that this will impose obligations on Parliament which it will have a duty to discharge effectively.

291.  We recommend that a narrower clause 1 should allow notices to be served on CSPs requiring them to generate and retain subscriber data relating to IP addresses.

292.  Whether clause 1 should allow notices that require CSPs to retain web logs up to the first "/" is a key issue. The Bill should be so drafted as to enable Parliament to address and determine this fundamental question which is at the heart of this legislation.

293.  The Home Office and law enforcement agencies and (so far as we know) the intelligence and security services think that access to web logs is essential for a wide range of investigations. The civil liberties organisations argue that web logs are potentially a highly intrusive form of communications data and that generating and storing web logs gives rise to unacceptable risks to the privacy of individuals.

294.  We are confident that the safeguards in the draft Bill, together with the recommendations we make to strengthen those safeguards, can provide a high degree of protection against abuse of communications data or inadvertent error by public authorities. We acknowledge that storing web log data, however securely, carries the possible risk that it may be hacked into or may fall accidentally into the wrong hands, and that, if this were to happen, potentially damaging inferences about people's interests or activities could be drawn. Parliament will have to decide where the balance between these opposing considerations should be struck.

295.  In 2003, Parliament considered the Code of Practice for the Acquisition and Disclosure of Communications Data which included the guidance that web addresses up to the first "/" should be considered to be communications data. The presentation of this Bill provides an opportunity for Parliament to review this controversial issue.

296.  We also recommend that the Home Office should examine whether it would be technically and operationally feasible, and cost effective, to require CSPs to keep web logs only on certain types of web services where those services enable communications between individuals.

297.  The Home Office knows that not all overseas CSPs will comply with retention notices. It is for this reason that the notices issued under clause 1 may require United Kingdom CSPs to keep third party data traversing their networks. United Kingdom CSPs are rightly very nervous about these provisions. The Home Office has given an oral commitment to United Kingdom CSPs that the Home Secretary will invoke the third party provisions only after the original data holder has been approached and all other avenues have been exhausted. The Home Office has also given a commitment that no CSP will be asked to store or decrypt encrypted third party data. These commitments should be given statutory force.

The Request Filter

298.  Whoever operates the Request Filter will need significant expertise and staff at their disposal. If CSPs update their systems and the Request Filter is not adjusted there is a risk that results will be incomplete, rendering them useless. The Bill should be amended to say that the Secretary of State may transfer her responsibilities for operating the Request Filter to the soon to be established National Crime Agency but not to other bodies. The National Crime Agency will need appropriate resources and this should be reflected in the revised cost/benefit analysis.

299.  The Request Filter will speed up complex inquiries and will minimise collateral intrusion. These are important benefits. On the other hand the Request Filter introduces new risks, most obviously the temptation to go on "fishing expeditions". New safeguards should be introduced to minimise these risks. In particular the IoCC should be asked to investigate and report on possible fishing expeditions and to test rigorously the necessity and proportionality of Filter requests.

Who should be able to access communications data?

300.  Any public authorities which make a convincing business case for having access to communications data should, like the six we have specified in paragraph 25, be listed on the face of the Bill. We expect this to be a greatly reduced number when compared to the authorities currently listed in the Regulation of Investigatory Powers (Communications Data) Order 2010.

301.  Any necessary changes to this list should be made by order subject to the super-affirmative procedure which includes the opportunity of scrutiny by the appropriate Select Committee.

For what purposes should communications data be used?

302.  Of the ten permitted purposes in clause 9(6) of the draft Bill, seven were in RIPA originally, two were added by order in 2006, and one is new. We think it unlikely that there are any other as yet unidentified purposes which could properly be added. The House of Lords Delegated Powers and Regulatory Reform Committee recommended that any additions to this list should require primary legislation. We agree. Clause 9(7), which allows the Secretary of State to add further permitted purposes by order, should be deleted.

303.  We are concerned that the long list of permitted purposes for which communications data can be requested adds to public disquiet about the breadth of the Bill. While we do not make specific recommendations about how this list could be shortened, we recommend that the Government should consult on whether all the permitted purposes are really necessary.

Definitions of communications data

304.  The language of RIPA is out of date and should not be used as the basis of new legislation. The Bill should be re-drafted with new definitions of communications data. The challenge will lie in creating definitions that will stand the test of time. There should be an urgent consultation with industry on changing the definitions and making them relevant to the year 2012.

305.  The definitions of use, subscriber and traffic data are particularly problematic. Subscriber data should not be a catch-all for data that does not meet the other definitions. Currently the definition of subscriber data could be read to cover all sorts of data that social networks and other services keep on their customers which can be highly personal and is not traditionally thought of as communications data. A new definition of subscriber data is needed that simply covers the basic subscriber checks that are the most commonly used. How to define subscriber data should be a key element of the consultation, but the evidence we have received leads us to suggest that the definition should include checks on the name, date of birth, addresses and other contact information held on the subscriber to a communication service; for each service the customer's unique ID (e.g. mobile number, e-mail address or username); the activation, suspension and termination dates of an account and payment and billing information.

306.  A new hierarchy of data types needs to be developed. Data should be divided into categories that reflect how intrusive each type of data is. The following principles could be useful to determine and measure the degree of privacy intrusion of communications data: public attitudes about the extent to which a certain type of communications data is private; the risk of identifying details of an individual's life, behaviour, beliefs, that they would reasonably consider personal; the risk of data being misused (i.e. used in a way not set out by the legislation) or accessed by third parties, either intentionally or not.

307.  It is imperative that everything is done to make clear that content cannot be requested under the provisions of this legislation. Content is not defined in the draft Bill. Although it may not be possible to define content clearly beyond the fact that it is the "what" of a communication, it is nevertheless important that the content should be expressly excluded from all categories of communications data.

The authorisation process

308.  The SPoC process should be enshrined in primary legislation. A specialist centralised SPoC service should be established modelled on the National Anti-Fraud Network service which currently offers SPoC expertise to local authorities. The Home Office should consider allowing police forces to bid to run this service. This new service should be established by statute, and all local authorities and other infrequent users of communications data should be required to obtain advice from this service.

309.  Although approval by magistrates of local authority authorisations is a very recent change in the law, we think that if our recommendations are implemented it will be unnecessary to continue with different arrangements applying only to local authorities.

The Interception of Communications Commissioner

310.  The IoCC should carry out a full review of each of the large users of communications data every year. While sampling is acceptable as a way of dealing with large users, the requests of users making fewer than 100 applications in a year should be checked individually. The annual report of the IoCC should include more detail, including statistics, about the performance of each public authority and the criteria against which judgements are made about performance. It should analyse how many communications data requests are made for each permitted purpose. For this the IoCC will need substantial additional resources, both as to numbers and as to technical expertise. There should be full consultation with him on this. His role should be given more publicity.

311.  The IoCC's brief should explicitly cover the need to provide advice and guidance on proportionality and necessity, and there should be rigorous testing of, and reporting on, the proportionality and necessity of requests made.

312.  The IoCC will be key to public confidence in the Request Filter. The IoCC will need the necessary expertise properly to examine the operation of the Request Filter. He will have to report on the scale of searches via the Request Filter and rigorously test the necessity and proportionality of requests put to the Filter. All this information should be included in the public section of his annual report so that if there are any signs that the Filter is resulting in more intrusive requests Parliament can review the legislation.

The Information Commissioner

313.  Clause 22(5) should be reviewed. If the Government believe that additional safeguards can be provided by the Information Commissioner, they should undertake detailed discussions with him as to what such safeguards might be, how they might be undertaken, and what additional powers and resources he might need. The Bill should make clear that the Information Commissioner will need to be shown all notices issued under clause 1.

Other Surveillance Commissioners

314.  Work should be done to rationalise the number of commissioners with responsibility for different areas of surveillance. This work should aim to simplify the situation and make it easier for the public to understand, while ensuring that all surveillance powers are subject to rigorous oversight. Consideration should be given to a new unified Surveillance Commission reporting to parliament with multi-skilled investigators and human rights and computer experts.

Security and destruction of data

315.  We consider the Home Office's cost estimates may underestimate the cost of security and destruction of data. Since the cost of security and destruction will ultimately be borne by the taxpayer, the Home Office will have to carry out a careful cost/benefit analysis and obtain advice and assurances from a wider body of experts that the companies that stand to earn money from devising secure storage solutions.

Offence of misuse of communications data by a public authority

316.  The House of Commons Justice Committee recommended that the power under section 77 of the Criminal Justice and Immigration Act 2008 should be exercised "without further delay". Nearly a year later the Home Affairs Committee reached the same conclusion. We agree with the Information Commissioner and with both these Committees that this power to allow custodial sentences to be imposed in appropriate cases should be exercised without delay.

317.  The Bill should provide for wilful or reckless misuse of communications data to be a specific offence punishable in appropriate cases by imprisonment.

Jurisdictional issues

318.  We have heard from the Home Office and some of the overseas CSPs that relations between them are generally good, and that data is routinely provided on request without the need for legislation. The Bill should not jeopardise these good relations.

319.  The Government has no legal authority to require overseas providers to generate or retain information for which they have no business purpose. If, following proper consultation with overseas providers, it is thought necessary to have a legal basis for the Government to ask overseas providers to retain more data, and a legal basis to allow the Government to help with the costs of doing so, it may be sensible to retain the extra-territorial provisions of the legislation, even if they are of doubtful effectiveness. But this should not be done unless consultation demonstrates that it will not jeopardise cooperation with overseas CSPs.

320.  It does not require legislation for the United Kingdom, when it is the requesting State, to minimise the bureaucratic delays in this country in the operation of the MLAT process, and to prioritise its own requests. This is something the Home Office, as the United Kingdom central authority, should address forthwith. Given that many of the overseas CSPs are based in the United States, the Government should take advantage of the special relationship with United States to ensure that bilateral arrangements with them are expedited.

Costs and benefits

321.  We are concerned that the Home Office's cost estimates are not robust. They were prepared without consultation with the telecommunications industry on which they largely depend, and they project forward 10 years to a time where the communications landscape may be very different. Given successive governments' poor records of bringing IT projects in on budget, and the general lack of detail about how the powers under the Bill will be used, there is a reasonable fear that this legislation will cost considerably more than the current estimates.

322.  The Government's commitment to reimburse CSPs the necessary cost to them of complying with the requirements which would be imposed on them by this legislation should appear on the face of the Bill.

323.  The figure for estimated benefits is even less reliable than that for costs, and the estimated net benefit figure is fanciful and misleading. It ought not to be used to influence Parliament in deciding on the relative advantages and disadvantages of this legislation. Whatever the benefits of the Bill, they are unlikely to be financial.

324.  A new cost benefit analysis should be presented alongside any redrafted Bill. It should be based on the wider consultation and narrower powers. It should contain significantly more detail than the current impact assessment and should separate monetary benefits from other unquantifiable benefits such as potential lives saved and refer to past evidence.

325.  We believe that the Government, in imposing obligations on CSPs, should bear in mind the importance of preserving their competitiveness, and minimising damage to the reputation of the United Kingdom as an attractive base for conducting business.

326.  Before imposing any obligations on smaller CSPs, the Government should consider whether these are strictly necessary, bearing in mind the real burden this may impose on resources. They should discuss with the company how they can best cooperate to cause the least disruption to the business.

previous page contents next page

© Parliamentary copyright 2012
Prepared 11 December 2012