8 Conclusion, and summary of recommendations.
Overall conclusion
278. It is the duty of governmentany governmentto
maintain the safety and security of law-abiding citizens, so that
they may go about their lives and their business as far as possible
in freedom from fear. This is not only in the public interest;
it is in the interest of law-abiding members of the public. For
this the law enforcement authorities should be given the tools
they need. Reasonable access to some communications data is undoubtedly
one of those tools.
279. Government also has a duty to respect the
right of law-abiding citizens to privacy and their ability to
go about their lawful activities, including their communications,
without avoidable intrusions on their privacy.
280. These duties have the potential to conflict.
The law enforcement agencies, including for this purpose the Home
Office, tend not unnaturally to give greater weight to the requirements
of safety and security. Most of the other people and organisations
who have given evidence to us have formally recognised, sometimes
with little more than a perfunctory nod, the need for the law
enforcement agencies to have limited access to at least some communications
data, but have placed greater weight on the need to respect privacy.
Where and how the balance should be struck between these conflicting
duties in a mature Parliamentary democracy Parliament has to decide;
indeed perhaps only Parliament can in the end decide. It has been
our purpose in scrutinising this draft Bill to help Parliament
in the challenging task of reaching its decisions when it comes
to deal with proposals for legislation dealing with these matters.
281. Our overall conclusion is that there is
a case for legislation which will provide the law enforcement
authorities with some further access to communications data, but
that the current draft Bill is too sweeping, and goes further
than it need or should. We believe that, with the benefit of fuller
consultation with CSPs than has so far taken place, the Government
will be able to devise a more proportionate measure than the present
draft Bill, which would achieve most of what they really need,
would encroach less upon privacy, would be more acceptable to
the CSPs, and would cost the taxpayer less. We make detailed recommendations
accordingly on the content of a revised Bill.
Summary of recommendations for
the way forward
Is there a need to access more communications
data?
282. Part of the data gap is down to a lack of
ability on behalf of law enforcement agencies to make effective
use of the data that is available. Addressing this should be a
priority. It does not require fresh legislation but will involve
additional expenditure.
283. We accept that IP addresses and web logs
and data generated for business purposes but not retained by overseas
CSPs are three data types which the law enforcement and other
agencies cannot always access. We discuss in this report whether
access to these data categories is necessary and if it is to be
enabled, the additional safeguards which will need to be introduced.
Failure to consult
284. Before re-drafted legislation is introduced
there should be a new round of consultation with technical experts,
industry, law enforcement bodies, public authorities and civil
liberties groups. This consultation should be on the basis of
the narrower, more clearly defined set of proposals on definitions,
narrower clause 1 powers and stronger safeguards which are recommended
in this report. The United Kingdom and overseas CSPs should be
given a clear understanding of the exact nature of the gap which
the draft Bill aims to address so that those companies can be
clear about why the legislation is necessary.
285. Even though many of them are prepared to
cooperate on a voluntary basis, they should also be told what
obligations might be imposed on them. For many, their willingness
to cooperate voluntarily will be reinforced if there is a statutory
basis for the requirement.
286. Meaningful consultation can take place only
once there is clarity as to the real aims of the Home Office,
and clarity as to the expected use of the powers under the Bill.
CSPs should be consulted on the basis of drafts of the specific
notices which will be served on them; these will have the detail
of the obligations to be imposed on them, and enable them to undertake
a better assessment of feasibility and of the resources and timescales
involved.
The breadth of clause 1
287. The Home Office was able to tell us of specific
types of data that are currently not routinely retained for business
purposes by United Kingdom (and many overseas) CSPs and which
would be useful to law enforcement and other investigations. It
is the Home Office's intention to issue notices under the Bill
to ensure that an unknown number of CSPs retain these specific
types of data. The Home Office has however made clear that it
does not currently need the power under this legislation to require
other types of data be retained, and does not for the present
intend to issue notices going more widely (except to CSPs which
are not covered by the EU Data Retention Directive, which might
be asked under this legislation to retain for 12 months data which
they already create for business purposes). Clause 1 therefore
should be re-drafted with a much narrower scope, so that the Secretary
of State may make orders subject to Parliamentary approval enabling
her to issue notices only to address specific data gaps as need
arises.
288. The Home Office has argued that there is
a case for keeping clause 1 wide because there may be other data
types that emerge from time to time which will be important to
law enforcement but will not be routinely retained by CSPs for
business purposes. We do not accept that this is a good reason
to grant the Secretary of State such wide powers now. We do not
think that Parliament should grant powers that are required only
on the precautionary principle. There should be a current and
pressing need for them.
289. We do however accept that, depending on
how the communications world develops, the Home Office may in
future need the power to require the retention of other data types.
Parliament and government both need to accept that legislation
that covers the internet and other modern technologies may need
revisiting and updating regularly. We have considered how the
Secretary of State might be given powers in the future to allow
her to address new and significant data gaps if and when they
emerge. The alternatives seem to be either primary legislation
on each occasion, or a power to amend clause 1 by order subject
to a super-affirmative procedure which would guarantee fuller
Parliamentary consideration than a standard affirmative order.
290. We attach in Appendix 7 a consideration
of the relative advantages and disadvantages of each course. On
balance our preference is for an order subject to the super-affirmative
procedure. We recognise that this will impose obligations on Parliament
which it will have a duty to discharge effectively.
291. We recommend that a narrower clause 1 should
allow notices to be served on CSPs requiring them to generate
and retain subscriber data relating to IP addresses.
292. Whether clause 1 should allow notices that
require CSPs to retain web logs up to the first "/"
is a key issue. The Bill should be so drafted as to enable Parliament
to address and determine this fundamental question which is at
the heart of this legislation.
293. The Home Office and law enforcement agencies
and (so far as we know) the intelligence and security services
think that access to web logs is essential for a wide range of
investigations. The civil liberties organisations argue that web
logs are potentially a highly intrusive form of communications
data and that generating and storing web logs gives rise to unacceptable
risks to the privacy of individuals.
294. We are confident that the safeguards in
the draft Bill, together with the recommendations we make to strengthen
those safeguards, can provide a high degree of protection against
abuse of communications data or inadvertent error by public authorities.
We acknowledge that storing web log data, however securely, carries
the possible risk that it may be hacked into or may fall accidentally
into the wrong hands, and that, if this were to happen, potentially
damaging inferences about people's interests or activities could
be drawn. Parliament will have to decide where the balance between
these opposing considerations should be struck.
295. In 2003, Parliament considered the Code
of Practice for the Acquisition and Disclosure of Communications
Data which included the guidance that web addresses up to the
first "/" should be considered to be communications
data. The presentation of this Bill provides an opportunity for
Parliament to review this controversial issue.
296. We also recommend that the Home Office should
examine whether it would be technically and operationally feasible,
and cost effective, to require CSPs to keep web logs only on certain
types of web services where those services enable communications
between individuals.
297. The Home Office knows that not all overseas
CSPs will comply with retention notices. It is for this reason
that the notices issued under clause 1 may require United Kingdom
CSPs to keep third party data traversing their networks. United
Kingdom CSPs are rightly very nervous about these provisions.
The Home Office has given an oral commitment to United Kingdom
CSPs that the Home Secretary will invoke the third party provisions
only after the original data holder has been approached and all
other avenues have been exhausted. The Home Office has also given
a commitment that no CSP will be asked to store or decrypt encrypted
third party data. These commitments should be given statutory
force.
The Request Filter
298. Whoever operates the Request Filter will
need significant expertise and staff at their disposal. If CSPs
update their systems and the Request Filter is not adjusted there
is a risk that results will be incomplete, rendering them useless.
The Bill should be amended to say that the Secretary of State
may transfer her responsibilities for operating the Request Filter
to the soon to be established National Crime Agency but not to
other bodies. The National Crime Agency will need appropriate
resources and this should be reflected in the revised cost/benefit
analysis.
299. The Request Filter will speed up complex
inquiries and will minimise collateral intrusion. These are important
benefits. On the other hand the Request Filter introduces new
risks, most obviously the temptation to go on "fishing expeditions".
New safeguards should be introduced to minimise these risks. In
particular the IoCC should be asked to investigate and report
on possible fishing expeditions and to test rigorously the necessity
and proportionality of Filter requests.
Who should be able to access communications
data?
300. Any public authorities which make a convincing
business case for having access to communications data should,
like the six we have specified in paragraph 25, be listed on the
face of the Bill. We expect this to be a greatly reduced number
when compared to the authorities currently listed in the Regulation
of Investigatory Powers (Communications Data) Order 2010.
301. Any necessary changes to this list should
be made by order subject to the super-affirmative procedure which
includes the opportunity of scrutiny by the appropriate Select
Committee.
For what purposes should communications data
be used?
302. Of the ten permitted purposes in clause
9(6) of the draft Bill, seven were in RIPA originally, two were
added by order in 2006, and one is new. We think it unlikely that
there are any other as yet unidentified purposes which could properly
be added. The House of Lords Delegated Powers and Regulatory Reform
Committee recommended that any additions to this list should require
primary legislation. We agree. Clause 9(7), which allows the Secretary
of State to add further permitted purposes by order, should be
deleted.
303. We are concerned that the long list of permitted
purposes for which communications data can be requested adds to
public disquiet about the breadth of the Bill. While we do not
make specific recommendations about how this list could be shortened,
we recommend that the Government should consult on whether all
the permitted purposes are really necessary.
Definitions of communications data
304. The language of RIPA is out of date and
should not be used as the basis of new legislation. The Bill
should be re-drafted with new definitions of communications data.
The challenge will lie in creating definitions that will stand
the test of time. There should be an urgent consultation with
industry on changing the definitions and making them relevant
to the year 2012.
305. The definitions of use, subscriber and traffic
data are particularly problematic. Subscriber data should not
be a catch-all for data that does not meet the other definitions.
Currently the definition of subscriber data could be read to cover
all sorts of data that social networks and other services keep
on their customers which can be highly personal and is not traditionally
thought of as communications data. A new definition of subscriber
data is needed that simply covers the basic subscriber checks
that are the most commonly used. How to define subscriber data
should be a key element of the consultation, but the evidence
we have received leads us to suggest that the definition should
include checks on the name, date of birth, addresses and other
contact information held on the subscriber to a communication
service; for each service the customer's unique ID (e.g. mobile
number, e-mail address or username); the activation, suspension
and termination dates of an account and payment and billing information.
306. A new hierarchy of data types needs to be
developed. Data should be divided into categories that reflect
how intrusive each type of data is. The following principles
could be useful to determine and measure the degree of privacy
intrusion of communications data: public attitudes about the extent
to which a certain type of communications data is private; the
risk of identifying details of an individual's life, behaviour,
beliefs, that they would reasonably consider personal; the risk
of data being misused (i.e. used in a way not set out by the legislation)
or accessed by third parties, either intentionally or not.
307. It is imperative that everything is done
to make clear that content cannot be requested under the provisions
of this legislation. Content is not defined in the draft Bill.
Although it may not be possible to define content clearly beyond
the fact that it is the "what" of a communication, it
is nevertheless important that the content should be expressly
excluded from all categories of communications data.
The authorisation process
308. The SPoC process should be enshrined in
primary legislation. A specialist centralised SPoC service should
be established modelled on the National Anti-Fraud Network service
which currently offers SPoC expertise to local authorities. The
Home Office should consider allowing police forces to bid to run
this service. This new service should be established by statute,
and all local authorities and other infrequent users of communications
data should be required to obtain advice from this service.
309. Although approval by magistrates of local
authority authorisations is a very recent change in the law, we
think that if our recommendations are implemented it will be unnecessary
to continue with different arrangements applying only to local
authorities.
The Interception of Communications Commissioner
310. The IoCC should carry out a full review
of each of the large users of communications data every year.
While sampling is acceptable as a way of dealing with large users,
the requests of users making fewer than 100 applications in a
year should be checked individually. The annual report of the
IoCC should include more detail, including statistics, about the
performance of each public authority and the criteria against
which judgements are made about performance. It should analyse
how many communications data requests are made for each permitted
purpose. For this the IoCC will need substantial additional resources,
both as to numbers and as to technical expertise. There should
be full consultation with him on this. His role should be given
more publicity.
311. The IoCC's brief should explicitly cover
the need to provide advice and guidance on proportionality and
necessity, and there should be rigorous testing of, and reporting
on, the proportionality and necessity of requests made.
312. The IoCC will be key to public confidence
in the Request Filter. The IoCC will need the necessary expertise
properly to examine the operation of the Request Filter. He will
have to report on the scale of searches via the Request Filter
and rigorously test the necessity and proportionality of requests
put to the Filter. All this information should be included in
the public section of his annual report so that if there are any
signs that the Filter is resulting in more intrusive requests
Parliament can review the legislation.
The Information Commissioner
313. Clause 22(5) should be reviewed. If the
Government believe that additional safeguards can be provided
by the Information Commissioner, they should undertake detailed
discussions with him as to what such safeguards might be, how
they might be undertaken, and what additional powers and resources
he might need. The Bill should make clear that the Information
Commissioner will need to be shown all notices issued under clause
1.
Other Surveillance Commissioners
314. Work should be done to rationalise the number
of commissioners with responsibility for different areas of surveillance.
This work should aim to simplify the situation and make it easier
for the public to understand, while ensuring that all surveillance
powers are subject to rigorous oversight. Consideration should
be given to a new unified Surveillance Commission reporting to
parliament with multi-skilled investigators and human rights and
computer experts.
Security and destruction of data
315. We consider the Home Office's cost estimates
may underestimate the cost of security and destruction of data.
Since the cost of security and destruction will ultimately be
borne by the taxpayer, the Home Office will have to carry out
a careful cost/benefit analysis and obtain advice and assurances
from a wider body of experts that the companies that stand to
earn money from devising secure storage solutions.
Offence of misuse of communications data by
a public authority
316. The House of Commons Justice Committee recommended
that the power under section 77 of the Criminal Justice and Immigration
Act 2008 should be exercised "without further delay".
Nearly a year later the Home Affairs Committee reached the same
conclusion. We agree with the Information Commissioner and with
both these Committees that this power to allow custodial sentences
to be imposed in appropriate cases should be exercised without
delay.
317. The Bill should provide for wilful or reckless
misuse of communications data to be a specific offence punishable
in appropriate cases by imprisonment.
Jurisdictional issues
318. We have heard from the Home Office and some
of the overseas CSPs that relations between them are generally
good, and that data is routinely provided on request without the
need for legislation. The Bill should not jeopardise these good
relations.
319. The Government has no legal authority to
require overseas providers to generate or retain information for
which they have no business purpose. If, following proper consultation
with overseas providers, it is thought necessary to have a legal
basis for the Government to ask overseas providers to retain more
data, and a legal basis to allow the Government to help with the
costs of doing so, it may be sensible to retain the extra-territorial
provisions of the legislation, even if they are of doubtful effectiveness.
But this should not be done unless consultation demonstrates that
it will not jeopardise cooperation with overseas CSPs.
320. It does not require legislation for the
United Kingdom, when it is the requesting State, to minimise the
bureaucratic delays in this country in the operation of the MLAT
process, and to prioritise its own requests. This is something
the Home Office, as the United Kingdom central authority, should
address forthwith. Given that many of the overseas CSPs are based
in the United States, the Government should take advantage of
the special relationship with United States to ensure that bilateral
arrangements with them are expedited.
Costs and benefits
321. We are concerned that the Home Office's
cost estimates are not robust. They were prepared without consultation
with the telecommunications industry on which they largely depend,
and they project forward 10 years to a time where the communications
landscape may be very different. Given successive governments'
poor records of bringing IT projects in on budget, and the general
lack of detail about how the powers under the Bill will be used,
there is a reasonable fear that this legislation will cost considerably
more than the current estimates.
322. The Government's commitment to reimburse
CSPs the necessary cost to them of complying with the requirements
which would be imposed on them by this legislation should appear
on the face of the Bill.
323. The figure for estimated benefits is even
less reliable than that for costs, and the estimated net benefit
figure is fanciful and misleading. It ought not to be used to
influence Parliament in deciding on the relative advantages and
disadvantages of this legislation. Whatever the benefits of the
Bill, they are unlikely to be financial.
324. A new cost benefit analysis should be presented
alongside any redrafted Bill. It should be based on the wider
consultation and narrower powers. It should contain significantly
more detail than the current impact assessment and should separate
monetary benefits from other unquantifiable benefits such as potential
lives saved and refer to past evidence.
325. We believe that the Government, in imposing
obligations on CSPs, should bear in mind the importance of preserving
their competitiveness, and minimising damage to the reputation
of the United Kingdom as an attractive base for conducting business.
326. Before imposing any obligations on smaller
CSPs, the Government should consider whether these are strictly
necessary, bearing in mind the real burden this may impose on
resources. They should discuss with the company how they can best
cooperate to cause the least disruption to the business.
|