35.This Chapter addresses the investigatory powers and capabilities that the draft Bill proposes for law enforcement and the security and intelligence agencies. It outlines whether these powers are new and, if not, where they are currently legislated for. It examines the purposes for which these powers are sought and considers whether they are appropriate, legal and technically feasible to deliver.
36.Subsequent chapters discuss the warrant authorisation processes for these powers and the oversight regimes to which they would be subjected.
37.Part 2 of the draft Bill provides for targeted interception to be carried out by law enforcement and the security and intelligence agencies.
38.Interception is described by the Home Office as “the making available of the content of a communication—such as a telephone call, email or social media message—in the course of its transmission or while stored on a telecommunications system.” Targeted interception is an existing power available to law enforcement and the security and intelligence agencies under Part 1 Chapter 1 of RIPA.
39.The Committee was told by law enforcement that interception “is used as a source of intelligence which assists in identifying and disrupting threats from terrorism and serious crime.” They said that their use of interception is “tightly targeted”, provides “significant operational benefits” and “is likely to remain of vital importance”.
40.The evidence received by the Committee supported the continued use of targeted interception. Ray Corrigan said “The government has the right to intercept, retain and analyse personal information, when someone is suspected of a serious crime”, while the Open Rights Group said “Targeted interception of communications under strict conditions has a place in a democratic society.”
41.The concerns raised by witnesses about targeted interception related to the terms of the warrants authorising this activity, which are addressed in Chapter 4, and the term “related communications data”, which is discussed in the section on bulk interception. Additionally, the admissibility of intercept evidence in legal proceedings and the need for a definition of national security are considered in Chapter 6.
43.Part 3 of the draft Bill provides for the acquisition of communications data by law enforcement and the security and intelligence agencies.
44.Communications data is information about communications. The Home Office describe it as “the ‘who’, ‘where’, ‘when’, ‘how’ and ‘with whom’ of a communication but not what was written or said.”
45.Communication Service Providers (CSPs) can currently be required to keep communications data for up to 12 months under the Data Retention and Investigatory Powers Act 2014 (DRIPA) when it has been deemed necessary and proportionate. Law enforcement and the security and intelligence agencies may acquire that data under the processes set out in RIPA sections 21–25.
46.It is useful to understand how communications data has developed. Historically “communications data” was obtained from telephone companies. Companies offering traditional landline-based services routinely generate records which show which numbers called each other, when and for how long. These are used as the basis for charging customers and for sharing revenue with other telephone companies where there are inter-connects. Because those companies also have information about their customers through their contracts, the data includes “who was calling whom”.
47.The information generated by the telephone companies is called Call Data Records (CDRs). In the case of mobile phone companies, additional data is routinely collected. As well as which numbers were calling which, when and for how long, the data also includes the hardware identity of the phone—its IMEI—and of the SIM installed within it—the IMSI. More importantly it captures the identity and hence the location of the mast to which the phone is registered. The global mobile phone system needs to know the location of each phone so that incoming calls can be diverted to it via the radio mast that has the strongest signal; registration and re-registration take place constantly for so long as a mobile phone is powered up. This geo-location data, once in the hands of investigators, can be used to track the movements of the user of a mobile phone in a technique called “cell site analysis”. The main limitation on the value of mobile phone call data records for investigative purposes is that the actual users of the phones may not be the individuals who had originally purchased them. But correlating techniques can, with some success, be deployed to overcome attempts at user anonymity.
48.As communications patterns have moved from primarily calls and SMS text messages to a wide range of internet activity, Government has sought to maintain the capabilities of law enforcement in this new sphere.
49.The Home Office and law enforcement emphasised in their evidence the importance of communications data to criminal investigations and prosecutions. Paul Lincoln, Director, National Security (Office for Security and Counter-Terrorism) at the Home Office told the Committee that:
“It is an essential tool for law enforcement in particular to identify, for example, missing persons or to rule people out of an investigation and try to minimise more intrusive techniques to gain content from that. It is very valuable.”
50.In a similar vein, Assistant Chief Constable Richard Berry from the National Police Chiefs’ Council said:
“It is essential, for example for establishing a lead, a seed upon which to build an inquiry. For example, if we take stalking and harassment, which is a very topical issue, around domestic abuse victims. To be able to establish a particular communication and an evidential line of inquiry around a victim being stalked, would be incredibly useful, in fact—vital, to support and corroborate an allegation.”
51.Statistics about the usage of communications data demonstrate that it is used extensively for such purposes. Jo Cavan, Head of the Interception of Communications Commissioner’s Office (IOCCO), told the Committee that “Around 500,000 requests for communications data are made on an annual basis”. A recent analysis by IOCCO of 100,000 communications data applications provides a breakdown by crime type (see Figure 1).
Figure 1: Breakdown of 100,000 Communications Data Applications submitted under section 22(2)(b) RIPA by Crime Type
Source: Interception of Communications Commissioner’s Office, Senior Responsible Officer Circular (4) Breakdown of communications data applications under s22(2)(b) RIPA by crime type, 20 November 2015.
52.Simon York, Director of the Fraud Investigation Service at Her Majesty’s Revenue and Customs (HMRC), provided an insight into how HMRC used communications data:
“Last year, we made just over 10,000 communications data requests. That supported 560 investigations. I think that those numbers represent the complexity and the conspiracy involved in many of these cases. Almost 100% of our requests were in relation to preventing and detecting crime … This can be in relation to anything from smuggling to tax fraud to trying to criminally exploit HMRC’s repayment systems. Literally billions of pounds are at stake here. Last year, investigations where we used communications data and intercept together prevented around £2 billion loss to the UK Exchequer. That is how important it is to us.”
53.The Crown Prosecution Service emphasised the importance of communications data in pursuing prosecutions, telling the Committee that “It has played a significant role in every Security Service counter-terrorism operation over the last decade and is used in 95% of serious and organised crime prosecutions.”
54.There was support for accessing communications data from beyond the voices of government and law enforcement, with the Information Commissioner’s Office, Liberty, NSPCC, and Lord Carlile of Berriew CBE QC all noting the importance of communications data to modern policing.
55.The Committee did not hear concerns that the existing use of communications data was problematic in principle. The issues raised by witnesses were not that communications data was not useful or important to tackling crime, but that the retention and accessing of such data is intrusive and has considerable privacy implications.
56.Accessing communications data has historically been perceived to be a less intrusive investigative tool than accessing the content of a communication. While interception would expose the content of a message, communications data revealed only that a communication had taken place. As Liberty explained, technological developments have made this distinction less straightforward:
“At one time a firm distinction between communications data and content would have been more credible, for example when much communication was by letter: everything inside the envelope is content, everything on the outside communications data. However, this distinction has been eroded by the scale of modern internet and mobile phone usage.”
57.Witnesses with concerns about communications data argued it was either more intrusive than accessing content or, in the words of Dr Paul Bernal, not less intrusive but “differently intrusive”. The basis for these concerns related to the potential intrusiveness of Internet Connection Records (a new form of communications data) and the potential for bulk analysis of aggregated communications data. These issues will be examined further in the relevant sections later in this Chapter and the appropriate level of authorisation for accessing communications data is considered in Chapter 4.
59.One of the most common concerns among witnesses was the definitions of communications data and content that are proposed in the draft Bill to replace the terminology used in RIPA section 21(4). It is necessary to define categories of communications data so that applications for more intrusive categories of material can be examined and authorised by officials of a higher seniority.
Box 1: Defining Communications Data in RIPA
The challenge of defining communications data first arose during consideration of what became the Regulation of Investigatory Powers Act 2000 and in the versions of the Code of Practice on the Acquisition and Disclosure of Communications Data that followed. These currently define communications data as:
Traffic data includes data identifying a computer file or a computer program to which access has been obtained, or which has been run, by means of the communication—but only to the extent that the file or program is identified by reference to the apparatus in which the file or program is stored. In relation to internet communications, this means traffic data stops at the apparatus within which files or programs are stored, so that traffic data may identify a server or domain name (web site) but not a web page. For example, the fact that a subject of interest has visited pages at http://www.gov.uk/ can be acquired as communications traffic data (if available from the CSP), whereas the fact that the specific webpage visited was http://www.gov.uk/government/collections/ripa--forms-2 may not be acquired as communications data (as it would be content). This is sometimes informally referred to as the “up to the first slash” rule.
The Code of Practice highlights two common specific situations: for emails—the “headers” which can include, “from”, “to” and “date” information but not the “subject” and not the message itself; for web-browsing “information to the extent that only a host machine, server, domain name or IP address is disclosed”.
Service Use information “is, or can be, routinely made available by a CSP to the person who uses or subscribes to the service to show the use of a service or services and to account for service charges over a given period of time.” (Code of Practice, paragraph 2.29).
Subscriber information is, essentially, “who owns that phone” and “who had that IP address at that time?”
Almost the only type of Internet activity that is easily interpreted as communications data and captured is conventional email traffic. Here the standards for email headers ensure that the “communications data” will always appear in the same place and can therefore be readily extracted by means of a simple parsing computer program. Almost everything else that investigators are likely to desire runs up against the “up to the first slash” limitation. This applies to webmail, bulletin boards, many instant message services and many social networking services as well. Similar difficulties apply to cloud-based services, whether these are used simply to store data or to process it. These problems also apply to mobile apps; access to third party and over-the-top services may not take place via a computer that looks like a web-server as with conventional PC operation, but Internet-connected computers are involved which provide a gateway to further communications.
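The following Python script is an added illustration of the two separations Box 1 describes; it is not part of the Committee's report or of any Code of Practice. It applies the “up to the first slash” rule to a URL (keeping scheme and host, dropping the page path) and extracts from a raw email only the header fields the Code of Practice lists as communications data (From, To, Date), leaving Subject and the body untouched. The gov.uk URLs are the ones quoted in Box 1; the email message and the webmail URL are constructed, and the choice to keep a port number but drop any user-info in the URL is the author's own assumption about what identifies the host rather than the page.

```python
"""Separating communications data from content for URLs and emails.

Added example (not from the report). Demonstrates:
  * the informal "up to the first slash" rule for web addresses, and
  * header-only extraction for conventional email, where fixed header
    layout makes the communications data easy to parse out.
"""
from email import message_from_string
from urllib.parse import urlsplit

# Header fields the Code of Practice treats as communications data for
# email. "Subject" and the message body are content and are never read.
EMAIL_CD_HEADERS = ("From", "To", "Date")


def url_to_communications_data(url: str) -> str:
    """Return only the scheme and host of an absolute URL, ending at the first slash.

    The path, query string and fragment identify a particular page, so they
    are treated as content and discarded. A port is kept because it selects
    a service on the host, not a page (assumption); any user-info before the
    '@' is dropped so a username embedded in the URL does not leak through.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if not parts.scheme or host is None:
        raise ValueError(f"not an absolute URL: {url!r}")
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return f"{parts.scheme}://{netloc}/"


def email_to_communications_data(raw_message: str) -> dict:
    """Return the From/To/Date headers of a raw RFC 822-style message.

    Only the fixed header fields are read; Subject and the body are left
    in place and never copied into the result.
    """
    msg = message_from_string(raw_message)
    return {name: msg[name] for name in EMAIL_CD_HEADERS if msg[name] is not None}


# Constructed sample message (not a real email).
SAMPLE_EMAIL = """\
From: alice@example.com
To: bob@example.com
Date: Mon, 09 Nov 2015 10:15:00 +0000
Subject: This line is content and must not be extracted
Message-ID: <constructed-0001@example.com>

The body of the message is content and must not be extracted either.
"""


def demo() -> None:
    """Show the rule applied to Box 1's URLs and to a webmail URL (constructed)."""
    for url in (
        "http://www.gov.uk/government/collections/ripa--forms-2",
        # Constructed webmail URL: the message being read vanishes with the path,
        # which is the limitation the Box describes for webmail and similar services.
        "https://mail.example.com/inbox/message/42",
    ):
        print(f"{url}\n  -> {url_to_communications_data(url)}")
    print(email_to_communications_data(SAMPLE_EMAIL))


if __name__ == "__main__":
    demo()
```

Running the script shows the gov.uk page collapsing to `http://www.gov.uk/` and the constructed webmail URL collapsing to `https://mail.example.com/`, which is exactly why Box 1 says webmail, messaging and cloud services sit behind the limitation: everything that says who was written to is in the path.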
60.Communications data is defined in Clause 193 as “entity” or “events” data about a communication, which does not include the content of that communication. “Entity data” is defined as information about an entity and how it relates to a telecommunications system, while “Events data” is data about events that take place on that system involving entities. The explanatory notes to the Bill provide examples of entity data (phone numbers or IP addresses) and events data (the fact that someone has sent or received an email or text message, a record of the entities involved in a phone call or the location of a mobile phone call). Finally, content is defined as “anything of what might reasonably be expected to be the meaning of the communication”.
61.There was support for the new definitions from the British Computer Society (BCS), The Chartered Institute for IT, who said that:
“the terms employed and the process proposed by the draft Bill to capture and where necessary share communication data with the appropriate organisations, and people within those organisations to be well defined and workable … BCS believes the definitions of content and communications data (including the distinction between ‘entities’ and ‘events’) are sufficiently clear and practical for the purposes of accessing such data.”
62.From a legal perspective, the Crown Prosecution Service said that “the new definitions are both sufficiently clear and viable. The draft Bill makes a helpful contribution to clarifying what is currently a complex area.” This view was supported by the Serious Fraud Office.
63.Other witnesses challenged the clarity and effectiveness of these definitions. Privacy International argued that “The definitions of entity and events data are too vague and fail to take into account the distinctions that may arise in the types of data generated by modern technology. For instance, data about a phone call over landline (e.g. two BT numbers shared a connection for 13 minutes) is vastly different than each ‘event’ within a chat session.”
64.Other evidence suggested that separating communications data from content was not feasible. F-Secure said that “From the network technology point of view, the definitions are not practical to allow for different courses of action to take place dependent on whether the data is classed as entity or event. There is a significant amount of crossover between entities and events.”
65.Open Intelligence told the Committee that “On a technical level distinguishing between content and communications data as far as web use is concerned is questionable, not least because an Internet connection is most often being used for multiple services simultaneously, with data packets mixed together.” The ability to distinguish between content and communications data is particularly important because of the separate regimes for authorisation and the fact that interception of content and its associated methods is inadmissible in legal proceedings. This issue is also relevant to Internet Connection Records (paras 89–156).
66.The definition of content was also a concern for witnesses. Dr Paul Bernal questioned the reference to “meaning” in the definition of content, saying “It is possible to derive ‘meaning’ from almost any data—this is one of the fundamental problems with the idea that content and communications can be simply and meaningfully separated. In practice, this is far from the case.” Graham Smith posed a challenging philosophical and technical question, “For a computer to computer communication, what is the meaning of ‘meaning’?”
67.The written evidence provided by the Home Office set out in greater detail types of communications data and content for different forms of communication—postal, mobile telephony, internet access and internet applications. Unfortunately this information arrived too late for many witnesses to give the Committee their views on whether it provided sufficient clarity on the definitions.
68.We acknowledge the difficulty of providing definitions broad enough to capture the variety of ways in which communications are conducted, and may be conducted in the future, while still providing sufficient clarity and precision.
69.We are grateful that the Government has provided further information on the interpretation of communications data and content. We have not had an opportunity to seek views as to whether the definitions are now sufficiently clear. Parliament will need to look again at this issue when the Bill is introduced. We urge the Government to undertake further consultation with communications service providers, oversight bodies and others to ascertain whether the definitions are sufficiently clear to those who will have to use them. (Recommendation 1)
70.LINX explained that the definition of entities had its roots in the “subscriber data” definition in RIPA, which in practice meant “the information that a telecommunications operator held about their customer, such as their name and address, and other relatively unintrusive information regarding the services taken and billing.” They argued that the new term “entity data” was “exceptionally broad” as it no longer referred only to customers, but could include anyone interacting over a telecommunications operator’s network. LINX also suggested that the breadth of “entity data” would be wider still due to the new definition of telecommunications operators (which is examined further in the Data Retention section):
“Amongst the types of companies that now fall within the new definition of a telecommunications operator [are] social networking sites and online messaging services. This means that Apple, Facebook, Google, Microsoft, Yahoo! and others will all be considered telecommunications operators within the meaning of the Draft Bill. And everything they know about anyone will be considered “entity data”, other than that which is events data.”
71.Dr Paul Bernal said that communications data “is by nature of its digital form ideal for analysis and profiling. Indeed, using this kind of data for profiling is the heart of the business models of Google, Facebook and the entire internet advertising industry.”
72.Given the sophisticated automated profiling of users that such companies undertake as a core part of their businesses, it is not hard to see how the “entity data” they hold would be considerably more detailed, and thus more intrusive, than the “subscriber information” that was originally envisaged when RIPA received Royal Assent.
73.We are concerned about the potential detail that entity data might encompass in relation to telecommunications providers, such as Facebook and Google, who build detailed automated profiles of their users. The Government should say whether it wishes to acquire such data in principle and, if not, how it will ensure that the entity data it requests and receives is not of that level of detail.
74.Another concern among many witnesses was the definition of “data” in Clause 195, which states that “In this Act “data” includes any information which is not data”. Open Intelligence described this as “obvious paradoxical nonsense” and Graham Smith suggested that it would “surely invite comparisons with the impenetrability of RIPA.”
75.The Home Secretary in her evidence appeared to acknowledge the point:
“I completely understand people raising an eyebrow or two at that particular sentence, which I did when I read it myself. I am happy to look at the wording, but it is an attempt to do something very simple. If you talk about data, a lot of people tend to think only about computer stuff—electronic records. We are saying that when we use the term “data” in the Bill it can cover, for example, paper records as well. It is an attempt to be helpful, which, in its language, it has not been.”
76.The definition of data in Clause 195 is unclear, unhelpful and recursive. The Government must provide a meaningful and comprehensible definition of data when the Bill is introduced. (Recommendation 2)
77.The draft Bill provides for a large number of public bodies to apply to access communications data. These are listed in Schedule 4. Paul Lincoln from the Home Office explained that:
“A wide range of bodies have access to communications data. The Financial Conduct Authority might use it for conducting investigations into insider trading. The Maritime and Coastguard Agency might use it for finding missing people at sea. For local authorities, ways in which to investigate might include rogue traders, environmental offences or benefit fraud. David Anderson said that if you have relevant criminal investigation powers you should have the tools associated with that, and communications data is one of them.”
78.Mr Lincoln also said that local authorities were relatively small users of communications data, accounting for 0.5% of the requests made for communications data overall.
79.Local authorities and trading standards will continue to have the power to request communications data under the draft Bill. The Convention of Scottish Local Authorities (COSLA) explained that:
“local authority access to communications data is vital in ensuring that criminal investigations into serious matters such as illegal money lending, doorstep crime and intellectual property offences can be progressed and brought to a successful conclusion. Local authorities do not make a large number of applications for communications data and the small number of applications that are rejected shows that, when they do so, it is in a proportionate and appropriate manner.”
80.Further evidence from the Local Government Association, National Anti-Fraud Network, Chartered Trading Standards Institute and Association of Chief Trading Standards Officers and from Trading Standards North West also argued strongly for the continued right of local authorities to access communications data.
81.While the Committee is aware that concerns have been raised about the use of communications data by local authorities, the evidence received did not reflect such concerns. We note that local authorities will not have access to the potentially more intrusive Internet Connection Records.
82.We agree that local authorities and trading standards should continue to have access to communications data to support their law enforcement roles, but this intrusive power should not be used for minor infringements.
83.We recommend that Parliament should give further consideration to defining the purposes for which local authorities may be allowed to apply for communications data when the Bill is introduced. (Recommendation 3)
84.Clause 46 (7) of the draft Bill sets out the purposes for which communications data may be obtained by those authorised to do so, where necessary and proportionate.
85.Law enforcement (LE) raised a concern regarding Clause 46 (7)(g) which allows for communications data (CD) (other than Internet Connection Records) to be obtained, where necessary and proportionate, for the purpose of preventing death, injury or damage to a person’s physical or mental health in an emergency:
“It is within this ‘emergency’ category where there may be potential difficulties. Hundreds of people are reported as missing in the UK every year; many of them are classed as vulnerable due to their age or mental or physical health and LE would rightly seek to limit the danger to which such individuals are exposed by locating them as soon as reasonably practicable. Not all instances would be deemed an ‘emergency’ and it is unclear why CD cannot be used as a tool of early consideration rather than meeting the requirements of last resort to prevent harm to an individual. LE believes that ‘saving life’ should be explicitly available as a justification to avoid emergency situations.”
86.The Home Secretary in her evidence said that in her view saving life constituted an emergency and that there would be no undue restriction of law enforcement’s use of communications data in this regard:
“The definition of an emergency will cover a whole range of circumstances where the police will suspect that somebody is in danger and that there is a requirement for them to access this data. That is why I have been comfortable with using that phrase in terms of the emergency. I have tested with my officials certain circumstances where saving a life might arise, and I think in all those that I have looked at it would be covered by the definition of emergency. Almost by definition, if the police or another authority are trying to intervene to save a life, that is an emergency circumstance.”
87.We believe that law enforcement should be able to apply for all types of communications data for the purposes of ‘saving life’. We recommend that the Home Office should undertake further consultation with law enforcement to determine whether it is necessary to amend Clause 46 (7)(g) to make this explicit on the face of the Bill. (Recommendation 4)
88.A related issue on the purposes for which Internet Connection Records may be accessed is considered in paras 151–156.
89.Clause 47 introduces a new power to collect and access Internet Connection Records (ICRs). Internet Connection Records are an extension of communications data that the Government has said is essential to maintain the investigative capabilities of law enforcement in the digital age. In the words of the Home Office, “Without ICR retention, it remains impossible for law enforcement to identify consistently who has sent a particular communication online.”
90.The Government is seeking to address two problems with ICRs. The first is IP address resolution; identifying which device is communicating with which other device. This is not a straightforward task, as a single public IP address may be used by multiple people at once (for example, people sharing a WiFi connection in a coffee shop) and by different people at different times (using dynamic IP addresses). The shortage of available IPv4 addresses and the techniques used to work around this, such as Carrier-Grade Network Address Translation and Port Address Translation, are also a significant complicating factor.
91.The second problem is that, even with the originating and destination IP addresses, it may not be clear what website or communications service a person is accessing. This can be due to shared webhosting, cloud computing services and content delivery networks. For example, under existing arrangements it is only possible to see that someone has accessed a webmail site such as Gmail or Hotmail, or a social networking site such as Facebook. But further communication will often have taken place from those websites. The same applies to many smartphone applications.
92.For a further discussion of the technical issues, see the report of the House of Commons Science & Technology Committee.
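The Python script below is an added illustration of the two problems in paragraphs 90 and 91; it is not from the report, the Home Office or any CSP. It parses a constructed Carrier-Grade NAT translation log and answers the IP address resolution question “which subscriber was using this public address at this time?”, showing that the public IP address and time alone return several subscribers sharing the address, that the same public address and port are reused by a different subscriber later (dynamic reassignment), and that only the source port narrows the answer to one. A second, smaller function shows why a destination IP address alone does not identify the site visited when several sites share one host. All addresses, subscriber labels, hostnames and log lines are constructed, and the log format is an assumption rather than any provider's real format.

```python
"""IP address resolution behind Carrier-Grade NAT, and shared-host ambiguity.

Added example (not from the report). The NAT log format and all values
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class NatRecord:
    """One outbound flow as a CGNAT device might log it (constructed layout)."""
    start: datetime
    end: datetime
    subscriber: str
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int


# Constructed log: "start end subscriber private_ip:port -> public_ip:port".
# sub-A and sub-B share public address 203.0.113.10 at the same moment;
# sub-C later reuses both the private address and the public port of sub-A.
NAT_LOG = """\
2015-11-20T12:00:00+00:00 2015-11-20T12:00:30+00:00 sub-A 10.0.0.5:51234 -> 203.0.113.10:40001
2015-11-20T12:00:02+00:00 2015-11-20T12:00:20+00:00 sub-B 10.0.0.9:51777 -> 203.0.113.10:40002
2015-11-20T13:00:00+00:00 2015-11-20T13:00:10+00:00 sub-C 10.0.0.5:52000 -> 203.0.113.10:40001
"""

# Constructed shared-hosting table: one server address fronting several sites.
SHARED_HOSTING = {
    "198.51.100.7": ("news.example", "health-advice.example", "charity.example"),
}


def parse_nat_log(text: str) -> list:
    """Parse the constructed log format into NatRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, subscriber, private, arrow, public = line.split()
        if arrow != "->":
            raise ValueError(f"malformed log line: {line!r}")
        private_ip, private_port = private.rsplit(":", 1)
        public_ip, public_port = public.rsplit(":", 1)
        records.append(NatRecord(
            datetime.fromisoformat(start), datetime.fromisoformat(end),
            subscriber, private_ip, int(private_port), public_ip, int(public_port),
        ))
    return records


def resolve_subscriber(records: list, public_ip: str, when_iso: str,
                       public_port: int = None) -> list:
    """Return the subscribers whose translation covered public_ip at when_iso.

    Without a port the answer is every subscriber sharing the address at that
    instant; with the port it is (normally) a single subscriber. Times must
    carry a timezone so that comparisons against the log are unambiguous.
    """
    when = datetime.fromisoformat(when_iso)
    if when.tzinfo is None:
        raise ValueError("query time must include a UTC offset")
    hits = set()
    for r in records:
        if r.public_ip != public_ip or not (r.start <= when <= r.end):
            continue
        if public_port is not None and r.public_port != public_port:
            continue
        hits.add(r.subscriber)
    return sorted(hits)


def sites_behind(dest_ip: str) -> tuple:
    """Return every site a destination address could have meant (empty if unknown)."""
    return SHARED_HOSTING.get(dest_ip, ())


if __name__ == "__main__":
    recs = parse_nat_log(NAT_LOG)
    print("address only :", resolve_subscriber(recs, "203.0.113.10", "2015-11-20T12:00:05+00:00"))
    print("address+port :", resolve_subscriber(recs, "203.0.113.10", "2015-11-20T12:00:05+00:00", 40002))
    print("same port, later:", resolve_subscriber(recs, "203.0.113.10", "2015-11-20T13:00:05+00:00", 40001))
    print("sites behind 198.51.100.7:", sites_behind("198.51.100.7"))
```

The first query returns both subscribers and the second returns one, which is the practical content of the “IP address resolution” problem: a record that is to resolve a public address reliably has to carry the source port and an accurate timestamp as well as the address, and the retaining party has to keep the translation log for the whole retention period. The third query shows the same public port pointing at a different subscriber an hour later, so a timestamp that is even slightly wrong points at the wrong person.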
93.The Home Office told the Committee that ICRs would be essential to maintain existing levels of capability for law enforcement, in light of the changing technologies and communications patterns that have been outlined above. Paul Lincoln said that “In terms of the powers and capabilities, a new capability [ICRs] is provided for that in effect restores powers that used to exist.”
94.The Home Office said in their operational case that “Rapid technological change means that law enforcement’s inability to access online CD is significant and will only get worse if it continues to be impossible to require communications companies to retain ICRs. More and more communications are taking place over the internet and as this happens it follows that an increasing proportion of CD will be unavailable when it is needed.”
95.There was support for this position from law enforcement, who said that “full ICR retention is imperative to the ability to enable IP address resolution for retrospective investigations”. The Crown Prosecution Service agreed, saying “the benefits of the contribution ICRs could make in enabling investigators to identify suspects are evident.”
96.Michael Atkinson, Secretary to the National Police Council’s Data Communications Group, told the Committee that:
“I have spent several hours in one of the UK CSPs for mobile phones … What I can say is that they are assuring me that, without the retention of ICRs, they will not be able to solve internet protocol resolutions. They also tell me that we will not get the evidence that we need in order to undertake further investigations of people who may be of interest to us.”
97.Other witnesses beyond law enforcement supported the proposal for ICRs. The NSPCC said that “existing evidence suggests that this is a necessary expansion of existing capabilities”, while the BCS said that “accessing ICR is essential for identifying the sender of an online communication, identifying which ISP is being used and where and when illegal content has been accessed.”
98.A number of witnesses opposed ICRs on the basis that they were too intrusive. Big Brother Watch told the Committee that “Analysing our internet history or what sites we have visited can provide a rich source of extremely revealing data which can be used to profile or create assumptions about an individual’s life, connections and behaviour.”
99.Dr Tom Hickman suggested that:
“A key danger in enabling access to ICR is that it could allow authorities to identify suspect web-browsing patterns, perhaps in combination with other communications data, in order to identify suspect categories of person (internet records includes information about the “pattern” of communications). This is different from using such data to identify known (but unidentified) suspects.”
100.Caroline Wilson Palow, Privacy International, discussed privacy concerns about accessing the domain name up to the first slash:
“Potentially, that could be quite intrusive and could reveal a whole lot of information. It is not as innocuous as just bbc.co.uk, which is the example that they gave. For instance, that domain name could be saveyourmarriagelikeme.net or domesticviolenceservices.com. Maybe one of the most interesting ones is crimestoppers-uk.org. This is where you can make anonymous tips to help to solve crimes. Of course, if you had the Internet connection record that said that someone had gone to crimestoppers-uk.org and you also knew the time when the tip had come in—if you were the police, for instance—you could very easily figure out who had put in that tip. That is a real problem, because if you are destroying that anonymity you can undermine the ability to solve crime.”
101.The IT-Political Association of Denmark, said:
“Collection of ICR information will be extremely intrusive to the private lives of British citizens. The destination IP addresses will, in some cases, contain sensitive information about political and religious preferences of citizens through their choices of online news media, visits to websites of political parties and candidates as well as religious groups and societies. The health conditions of citizens could be revealed through the frequency of visits to websites with information about specific diseases and medical conditions, even when the individual web pages (URLs) are not retained.”
102.Similar points were made by Dr Paul Bernal, Daniel Walrond, Scottish Pen, Open Rights Group, F-Secure Corporation, Privacy International, Dr Julian Huppert and Liberty.
103.TalkTalk raised a practical consequence of ICRs with privacy implications. They explained that section 7 of the Data Protection Act 1998 allows individuals to request a copy of the information an organisation holds about them, a process commonly referred to as a subject access request. They said that:
“Privacy issues must also be carefully considered, as the data would relate to each individual who has used an internet connection, not just the account holder. In the case of an internet connection record, this would allow customers to potentially see data relating to the browsing habits of a spouse or housemate, which has significant privacy implications.”
104.TalkTalk also pointed out that providing this information would be a technical challenge for CSPs, given the volume of data involved.
105.Alongside the objections to ICRs in principle, the Committee received considerable evidence about the practicality of this proposal. These issues are considered below.
106.We consider that, on balance, there is a case for Internet Connection Records as an important tool for law enforcement. We have concerns about the definitions and feasibility of the existing proposal, which the Home Office must address. These are set out in the following sections. It is also important for ICRs to be properly authorised and overseen, and these issues will be considered in subsequent chapters.
107.We recommend that the Government should publish in a Code of Practice alongside the Bill advice on how data controllers should seek to minimise the privacy risks of subject access requests for ICRs under the Data Protection Act 1998. (Recommendation 5)
108.While we recognise that ICRs could prove a desirable tool for law enforcement agencies, the Government must address the significant concerns outlined by our witnesses if their inclusion within the Bill is to command the necessary support. (Recommendation 6)
109.Many witnesses raised concerns with the Committee that the definition of ICRs was vague, both in terms of what information would be collected and who would collect it. Witnesses emphasised that ICRs did not currently exist, were not a recognised term in the industry and did not refer to datatypes recognised by internet engineers. In the view of the Open Rights Group, “they are not properly defined and introduce excessive uncertainty.”
110.The Internet Service Providers’ Association (ISPA) told the Committee that “The Investigatory Powers Bill does not provide a clear definition of ICRs making it difficult to assess what data could fall under the definition and what impact the collection of this data may have on businesses and consumers.”
111.Dr Paul Bernal argued that:
“This definition is vague, and press briefings have suggested that the details would be in some ways negotiated directly with the communications services. This does not seem satisfactory at all, particularly for something considered to be such a major part of the Bill.”
112.The Center for Democracy & Technology told the Committee that:
“The definitions in the Draft Bill are insufficiently narrowly defined. Definitions should be drafted to map unambiguously onto current features of Internet architecture and protocols so that communications service providers (CSPs) can understand what they will need to collect, retain and be prepared to produce with the proper legal authorisation. We recognise the importance of ensuring that technological developments do not render the powers detailed in the bill ineffective. However, in our view the terminology is currently so broad that there is not only difficulty in mapping the legislative language to actual features of existing technology, but also real uncertainty created with respect to the scope of the powers sought in the Bill.”
113.Graham Smith, in evidence submitted to the House of Commons Science and Technology Committee, pointed out that the definition of ICRs in part 3 of the draft Bill about communications data (Clause 47) was not the same as that in part 4 of the Bill on data retention (Clause 71(9)). He said:
“While the two provisions contain some similarities, they have significant drafting differences. At its core one is concerned with “data which may be used to identify a telecommunications service”, whereas the other is concerned with “communications data which may be used to identify, or assist in identifying, the internet protocol address or other identifier of … apparatus.”
114.He also pointed out in evidence to the Joint Committee that “Clause 47(4) uses the terms ‘internet service’ and ‘internet communications service’. Neither term is defined.”
115.Ian Batten suggested that the definition of ICRs in Clause 47(6)(b) was such that it would not include data that would be essential for ICRs to have value:
“returning to [Clause] 47(6)(b) of the draft bill, the requirement for Internet Connection Records is that the data used should be “generated or processed by a telecommunications operator in the process of supplying the telecommunications service”. But the TCP header, which I suspect is what is intended to be referred to here, is categorically not processed or generated by the telecommunications service. The telecommunications service need only look at the IP header. The IP header does not provide sufficient information to identify particular streams.”
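The distinction Ian Batten draws above, as an added example that is not code from the report or from any witness: the parser below decodes a constructed IPv4 packet and the TCP segment inside it, and shows that a recorder reading only the IP header sees one source/destination pair, whereas telling two TCP streams apart requires the ports in the TCP header (all packets and addresses are constructed; RFC 5737 documentation addresses are used).

```python
import socket
import struct
from typing import List, Optional, Tuple

# Constructed example. Forwarding a packet needs only the IPv4 header; a
# per-stream record (the 5-tuple) also needs the TCP header that follows it.

TCP = 6


def parse_ipv4(packet: bytes) -> Tuple[str, str, int, int]:
    """Return (src, dst, protocol, header_length_bytes) from an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a well-formed IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes (20 without options)
    protocol = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, protocol, ihl


def parse_tcp_ports(segment: bytes) -> Tuple[int, int]:
    """Return (src_port, dst_port) from the first four bytes of a TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack("!HH", segment[:4])


def ip_only_key(packet: bytes) -> Tuple[str, str, int]:
    """What a device that reads only the IP header can record about a packet."""
    src, dst, proto, _ = parse_ipv4(packet)
    return src, dst, proto


def five_tuple(packet: bytes) -> Optional[Tuple[str, int, str, int, str]]:
    """The (src, sport, dst, dport, proto) key that identifies one TCP stream."""
    src, dst, proto, ihl = parse_ipv4(packet)
    if proto != TCP:
        return None                          # only TCP is handled in this example
    sport, dport = parse_tcp_ports(packet[ihl:])
    return src, sport, dst, dport, "tcp"


def build_tcp_packet(src: str, dst: str, sport: int, dport: int, flags: int = 0x02) -> bytes:
    """Constructed IPv4+TCP packet (checksums left at zero; the parsers ignore them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def count_streams(packets: List[bytes], read_tcp_header: bool) -> int:
    """Distinct streams visible to a recorder that does or does not look past the IP header."""
    keys = set()
    for p in packets:
        keys.add(five_tuple(p) if read_tcp_header else ip_only_key(p))
    return len(keys)


# Constructed sample: one customer opens two separate TCP connections to the
# same server (e.g. two browser tabs or two apps); only the source ports differ.
SAMPLE = [
    build_tcp_packet("203.0.113.10", "198.51.100.20", 51234, 443),
    build_tcp_packet("203.0.113.10", "198.51.100.20", 51235, 443),
]

if __name__ == "__main__":
    print("IP header only :", count_streams(SAMPLE, read_tcp_header=False), "stream(s)")  # 1
    print("IP + TCP header:", count_streams(SAMPLE, read_tcp_header=True), "stream(s)")   # 2
    print(five_tuple(SAMPLE[0]))
```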
116.CSPs who gave evidence said they had discussed the definition of ICRs with the Home Office but were not yet clear exactly what they would comprise. Adrian Gorham of O2 said “We are nearly there on the clarification of what makes up the record”, while Simon Miller of 3 said “The issue here is that we know that an internet connection record is going to be something like a simplified version of a browser history, but we do not know exactly what it is going to be.”
117.Mark Hughes, President of BT Security, concluded that “In the Internet connection records space, for example, it is difficult for us to comment because we are not defining the purpose for which it is intended.” In their written evidence, BT said “it would be helpful if Government would explain how the new types of data which fall within the ICR provisions are different from those that fall within the current regime. This will allow CSPs properly to scope capability and cost, and to identify what methods we could employ to generate ICRs.”
118.The Home Office in their written evidence provided more detail on the proposed composition of ICRs. This material was only available after the Committee’s oral evidence sessions with CSPs had taken place.
119.The Internet Service Providers’ Association provided us with helpful supplementary written evidence in light of the Home Office’s written evidence and the Home Secretary’s evidence on 13 January. ISPA outlined what it regarded to be a number of significant remaining areas of uncertainty over ICRs, and that the term ICR itself was “imprecise and requiring further work”.
120.We acknowledge that, as with communications data, it is difficult to provide definitions broad enough to capture the variety of ways in which communications are conducted on the internet, and may be conducted in the future, while still providing sufficient clarity, technical detail and precision.
121.We welcome the additional information the Home Office has provided on ICRs, though we are not in a position to assess the extent to which it meets the concerns of witnesses as to a lack of clarity.
122.We recommend that the definition of Internet Connection Records should be made consistent throughout the Bill and that the Government should give consideration to defining terms such as ‘internet service’ and ‘internet communications service’. We recommend that more effort should be made to reflect not only the policy aims but also the practical realities of how the internet works on a technical level. (Recommendation 7)
123.One issue on which many witnesses were agreed was that the Home Secretary’s description of ICRs as “simply the modern equivalent of an itemised phone bill” was inaccurate. Big Brother Watch said:
“The Home Secretary has stated that this data is “the internet equivalent of a phone bill”; however this is not entirely accurate. A telephone bill reveals who you have been speaking to, when and for how long. Your internet activity on the other hand reveals every single thing you do online.”
124.Professor John Naughton and Professor David Vincent commented that:
“the Secretary of State said that an Internet Connection Record was “simply the modern equivalent of an itemised phone bill”. This is a deeply misleading analogy, because—whatever it turns out to be—an ICR in the current technological context will be significantly more complex and harder to compile than an itemised bill.”
125.Similar points were made by a number of other witnesses, including Dr Paul Bernal, Entanet International Limited, Graham Smith and GreenNet Limited. The Home Secretary said to the Committee that:
“It is, again, another attempt to be helpful in describing. The point of the comparison is to say that at the moment law enforcement and agencies have access to data in relation to telephony, which enables them to identify, if somebody has gone missing, with whom they have been in contact prior to going missing. As people move from telephony to communications on the internet, the use of apps and so forth, it is necessary to take that forward to be able to access similar information in relation to the use of the internet. I would say it is not inaccurate and it was a genuine attempt to try to draw out for people a comparison as to what was available to the law enforcement agencies now—why there is now a problem—because people communicate in different ways, and how that will be dealt with in the future. It is about communications from one device to another.”
127.Irrespective of the clarity of the definition of ICRs, witnesses raised a number of issues about the technical feasibility of the proposal. The issue of costs, in relation to the generation and storage of ICRs, will be considered in the section on Data Retention (see paras 187–197).
128.The Committee was told that many internet communication services, such as Facebook and Twitter, communicate constantly to keep their feeds up to date. This is true of web browsing on a computer, but it is a particularly acute issue for applications on mobile and tablet devices which are likely to be on all day and potentially all night too.
129.Andrews & Arnold Ltd, a small ISP and hardware provider, said that:
“If the mobile provider was even able to tell that [a person] had used Twitter at all (which is not as easy as it sounds), it would show that the phone had been connected to Twitter 24 hours a day, and probably Facebook as well. This is because the very nature of messaging and social media applications is that they stay connected so that they can quickly alert you to messages, calls, or amusing cat videos, without any delay.”
130.The conclusion of a number of witnesses was that ICRs would only tell law enforcement that the Facebook or Twitter app was active, but not whether it was being used nor for what reasons. As Dr Paul Bernal concluded, “the ‘connection’ event has little relationship to the use of the service”.
131.Mobile phone providers explained to the Committee that they face some challenges in implementing the systems necessary for IP resolution, due to the way they route internet traffic to and from smartphones, but were working on developing such systems in order to comply with the requirements of the Counter Terrorism and Security Act 2015.
132.The Committee were told by the IT-Political Association of Denmark that “if the smartphone connects to the internet through a WiFi access point (for example a WiFi hotspot in a hotel or pub), the ISP serving that access point only sees connections coming from the access point device itself.” The result would be that where a mobile user accessed the internet through public WiFi, an ICR would not identify them. The issue of whether small organisations providing WiFi to customers should potentially be required to retain data is covered in the Data Retention section (paras 210–223).
133.A similar issue exists with the use of Virtual Private Network (VPN) connections which mask the IP address of the user and with anonymisation systems such as Tor. The IT-Political Association of Denmark said:
“If the individual uses a VPN connection, the destination address in the ICR will be that of the VPN server, not the real destination of the traffic. Even if VPN providers are subjected to similar ICR retention requirements, it will only apply to UK VPN providers and not foreign ones. Another possibility is to use Tor (a well-known anonymisation network).”
134.F-Secure pointed out that it may also be difficult to obtain meaningful information about the destination IP address using an ICR:
“With Internet Connection Records, it is important to remind the Committee that the access network level logs give a poor signal to noise ratio. For instance, in the case of most of the websites, the only thing logged would be that the user’s computer connected to Akamai’s, Microsoft’s, Amazon’s or Google’s cloud services. These are called Content Delivery Networks (CDNs) and they provide an added level of technology abstraction between the end user and the actual service that the user accesses.”
135.It was also suggested that the increasing use of encrypted communications could render ICRs redundant. Andrews & Arnold said:
“There is also an increasing trend within the industry to encrypt everything. Once confined to on-line banking, secure web sites are now being used for normal everyday business web pages. HTTPS is already extensively used by Facebook and Google and many others, and over the next few years it is likely to become quite rare for a web site to be unencrypted. At present some level of deep packet inspection can find the web site name of an encrypted web site from the initial negotiation, but this loophole is being plugged in the more modern protocols.”
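The “initial negotiation” that Andrews & Arnold refer to above is the TLS ClientHello, whose Server Name Indication (SNI) field carries the host name in plaintext even though the page request itself is encrypted. The following added example (not code from the report or from Andrews & Arnold) builds a constructed ClientHello and extracts the SNI from it the way a passive inspection device could; the builder, the parser and the host name are all assumptions for illustration.

```python
import os
import struct
from typing import Optional

# Constructed example: a minimal TLS ClientHello record with an SNI extension,
# and a parser that walks the record to recover the host name.

HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed ClientHello; only the fields a parser must walk past are realistic."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + os.urandom(32)                         # legacy version, random
            + b"\x00"                                            # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                 # one cipher suite
            + b"\x01\x00"                                        # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello record, or None if absent or unparseable."""
    try:
        if record[0] != HANDSHAKE or record[5] != CLIENT_HELLO:
            return None
        pos = 9 + 2 + 32                                         # record+handshake headers, version, random
        pos += 1 + record[pos]                                   # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
        pos += 1 + record[pos]                                   # compression methods
        ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
            data = record[pos + 4:pos + 4 + length]
            pos += 4 + length
            if ext_type != EXT_SERVER_NAME:
                continue
            # ServerNameList: 2-byte list length, then entries of type(1) + length(2) + name
            p = 2
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:
                    return data[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))   # www.example.com
    print(extract_sni(build_client_hello(None)))                # None
```

With Encrypted Client Hello the outer ClientHello carries only the client-facing server's public name, so this parser would return that fronting name rather than the site actually visited, which is the closing of the loophole the witness describes.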
136.Dr Richard Clayton questioned how valuable the destination information might be, due to the way in which internet content is provided to users:
“There is an inherent assumption here that there is a one-to-one correspondence between an ICR and an intentional visit to a website and that is not the case today and will be far less so in the future. Some modern browsers ‘prefetch’ data so that when you click on a link the page will be immediately available. In these circumstances, ICR will record a ‘visit’ to a linked website whether the link is clicked or not. Modern websites can be extremely complex with text, images and adverts being served from dozens of different servers. The ICR data will be unable to distinguish between a visit to a jihadist website and visiting a blog where, unbeknown to the visitor (and the blog owner) the 329th comment (of 917) on the current article contains an image which is served by that jihadist site. So an ICR will never be evidence of intent—it merely records that some data has flowed over the Internet and so it is seldom going to be ‘evidence’ rather than just ‘intelligence’.”
137.The practical impact of this point was made to the Committee by Adrian Kennard of Andrews & Arnold Ltd:
“I did a blog post today, and anyone who reads it will find they have accessed Pornhub because there is a tiny one-pixel image in the corner. They do not know that, but it will appear on the Internet connection record if they access my blog. That was deliberate, but there could be lots of things on websites, advertising networks and so on, that will create all sorts of misleading and confusing data even without someone trying to be misleading.”
138.One of the proposed purposes for which an ICR may be accessed by law enforcement is to identify a communication service that a suspect is using. Given the nature of the internet, it may not always be clear whether someone is using a service to communicate. Dr Paul Bernal said that:
“the information gathered through ICRs would fail to capture a significant amount of the ‘communications’ that can and do happen on the internet—because the interactive nature of the internet now means that almost any form of website can be used for communication without that communication being the primary purpose of the website. Detailed conversations, for example, can and do happen on the comments sections of newspaper websites: if an analysis of ICRs showed access to www.telegraph.co.uk would the immediate thought be that communications are going on?”
139.A number of witnesses suggested that Deep Packet Inspection (DPI) would be required to create ICRs and that this would create a considerable processing and cost burden for CSPs. The IT-Political Association of Denmark said that: “some form of DPI will be required if ICRs include server names, and this will substantially increase the cost of data retention. With the increasing use of encryption for web traffic (HTTPS), it may even be impossible to determine the server name with DPI.”
140.Gareth Kitchen told the Committee that:
“It has also become clear that the CSPs would have to upgrade their networks to enable them to capture communications data utilising Deep Packet Inspection technologies to fulfil the requirements of creating and storing these Internet Connection Records … These Internet connection records can only be ‘manufactured’ at the CSP as a by-product of interception using deep packet inspection technologies.”
141.Daniel Walrond said that “the amount of data the Bill is requiring ISPs to store in the form of Internet Connection Records is staggering. The specialized network equipment required to capture the data, and the data storage required is completely out of line with the turnover of a small ISP.”
142.Mark Hughes, President of BT Security, told the Committee that this would be technically possible, although the cost—particularly of storing the data—would be substantial:
“Technically, it is feasible to separate various parts of the packets; we can deploy tools to do that … The capital investment—the deep packet inspection-type equipment that needs to be put in place—has to be factored against the very strong growth, or fast growth, in bandwidth over the period … it is skewed quite heavily towards making sure that there is storage. It is not to say that the initial investment is not insignificant, but the storage is also a significant part of it.”
143.Many witnesses pointed to the experience of Denmark, which previously operated a similar system to ICRs but had subsequently cancelled the project. The Danish system encountered a number of practical problems, many of which have been discussed in the section above.
Box 2: Session logging in Denmark
The Danish system of session logging internet traffic required ISPs to retain the source and destination IP addresses and port numbers, the transmission protocol and timestamps. ISPs could choose to retain the first and last packet of a session or to conduct “sampling” by retaining every 500th packet at the boundaries of their network. Most ISPs chose this latter option.
The system did not require the retention of domain names and did not involve Deep Packet Inspection.
An evaluation by the Danish Ministry of Justice in December 2012 identified challenges for the police in handling the amount of data and technical shortcomings, such as an inability to identify individual customers when Carrier-Grade Network Address Translation was in use. The result was that communications data from session logging has only been used in a limited number of cases and the system was repealed in June 2014.
The Ministry of Justice has indicated that session logging could be re-introduced if the technical problems can be properly addressed.
Source: The IT-Political Association of Denmark
144.There were a number of differences between the Danish system and the proposed ICRs, not least because of compromises in the design of the approach taken. Jesper Lund, of the IT-Political Association of Denmark, said:
“The main compromise in Denmark was that communications service providers were allowed to retain internet connection records at the boundary of their network, which is normally not a problem. It was not seen as a problem in 2005 because at that time the sharing of IP addresses was fairly limited. But since we have had more devices using the internet, especially smart phones and tablets which need lots of IP addresses, we have sharing of IP addresses and when the connection is done at the boundary of the network it is sometimes impossible to distinguish between different customers. That was certainly a limitation and was a factor in the limited effect of the Danish system. I should also point out that it affects only roughly half of the customers who were subject to internet connection record retention.”
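The limitation described in Box 2 and by Jesper Lund above, as an added example that is not code from the Danish system, the report or any witness: several customers behind a carrier-grade NAT share one public address, so a session record taken at the network boundary can be attributed to a customer only by joining it, on port and time, with the operator's NAT translation log. All customers, addresses, ports and timestamps below are constructed.

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed example. A boundary session log holds only addresses, ports and
# times (what the Danish scheme retained); identity lives in a separate NAT log.


@dataclass(frozen=True)
class NatMapping:
    customer: str
    public_ip: str
    public_port: int
    start: int            # seconds since an arbitrary epoch (constructed values)
    end: int


@dataclass(frozen=True)
class SessionRecord:
    time: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed NAT log: three customers behind 203.0.113.5. Public port 40000 is
# reused by cust-C after cust-A's mapping expired, so the port alone is not enough.
NAT_LOG = [
    NatMapping("cust-A", "203.0.113.5", 40000, 100, 200),
    NatMapping("cust-B", "203.0.113.5", 40001, 120, 400),
    NatMapping("cust-C", "203.0.113.5", 40000, 300, 500),
]

# Constructed boundary session log for the same period.
SESSION_LOG = [
    SessionRecord(150, "203.0.113.5", 40000, "198.51.100.20", 443),
    SessionRecord(350, "203.0.113.5", 40000, "198.51.100.20", 443),
    SessionRecord(350, "203.0.113.5", 40001, "198.51.100.30", 80),
]


def candidates_by_ip(rec: SessionRecord, nat_log: List[NatMapping]) -> Set[str]:
    """Resolution on public address and time only: every customer sharing the address then."""
    return {m.customer for m in nat_log
            if m.public_ip == rec.src_ip and m.start <= rec.time <= m.end}


def resolve(rec: SessionRecord, nat_log: List[NatMapping]) -> Set[str]:
    """Resolution on address, source port and time: the single mapping in force at that instant.

    Returns an empty set when no mapping covers the record, e.g. if the session
    log's clock is off so the time falls in a gap between two reuses of the port.
    """
    return {m.customer for m in nat_log
            if m.public_ip == rec.src_ip and m.public_port == rec.src_port
            and m.start <= rec.time <= m.end}


if __name__ == "__main__":
    for rec in SESSION_LOG:
        print(f"t={rec.time} port={rec.src_port}",
              "by IP only:", sorted(candidates_by_ip(rec, NAT_LOG)),
              "by IP+port+time:", sorted(resolve(rec, NAT_LOG)))
```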
145.The Home Secretary told the Committee that:
“we have been talking to the Danes about their experience. There are a number of ways in which it is different. One of them is in relation to how information is due to be collected. I would best describe it—as it was described to me—that part of this is about at what point on the network you are accessing the information. We will be accessing it at a different point from the point at which the Danes were accessing it. They were getting a lot of peripheral information that did not enable them to link accounts to users, as I understand it. Another element is what we have already done in relation to IP address resolution through the Counter-Terrorism and Security Act. When you put these together, it gives us that greater capability.
There are some other differences in relation to costs, for example, in the Danish system. As I understand it, the costs were borne largely by the CSPs. We have an arrangement for providing for cost recovery here in the UK. There are a number of differences, but, in talking about the point at the network, it is trying to do it in a simplified way, which shows that there is a technical difference in the way we are doing it.”
146.The Committee acknowledges that there are important differences between the ICR proposal in the draft Bill and the system which was used in Denmark. We believe that the Home Office has learned lessons from the Danish model that will increase the chances of ICRs being effective.
148.Other witnesses were more confident that ICRs were a feasible option. BCS, The Chartered Institute for IT, said that:
“The requirements are feasible but only with the active participation and co-operation of the ISP at a cost which is ultimately recovered from the ISP’s customers. The imposition of a retention order on an ISP is likely to require the reconfiguration of their network and the generation and storage of additional data to comply with the order.”
149.Virgin Media said that “We believe retention of Internet Connection Records (‘ICRs’) may be technically feasible but is likely to be complex and costly.”
150.The Committee is grateful to the many witnesses who submitted detailed consideration of Internet Connection Records. We urge the Government to explain in its response to this report how the issues which have been raised about the technical feasibility of ICRs will be addressed in practice.
151.The Home Office said that ICRs will serve three purposes supporting law enforcement investigations:
“1. To assist in identifying who has sent a known communication online, which often involves a process referred to as internet protocol (IP) address resolution.
2. To establish what services are being used by a known suspect or victim to communicate online, enabling further CD requests to be made to the providers of those online services e.g. to establish who the suspect or victim has been communicating with.
3. To establish whether a suspect has accessed illegal services online e.g. to access illegal terrorist material or for the purposes of sharing indecent imagery of children.”
152.These are set out in the Bill in Clause 47(4).
153.Keith Bristow, Director General of National Crime Agency, told the Committee that:
“We cannot request data retained on internet connection records unless it is for the specific purposes … If there is a vulnerable missing person—a young person perhaps—and we are concerned about what arrangements they may have put in place to go abroad or to travel, we could not request access to an internet connection record to give us the lead to pursue that point.”
154.Assistant Chief Constable Richard Berry of the National Police Chiefs’ Council, added:
“There are other policing purposes that we would require access to internet connection records for … for example; a banking website or, indeed, a travel website … In a particular case in relation to human trafficking that involves booking flights and the movement of people, we would not be able to obtain that data under the provisions of this Bill. Perhaps I can speak from personal experience having run a large-scale anti-human trafficking operation where 85% of the actionable intelligence came from communications data. That was in the mobile phone era of 2008. We certainly could not repeat that kind of activity now, because the mobile internet communications platforms are where most people now communicate and do those transactions.”
155.We agree that all of the proposed purposes for which access to ICRs could be sought are appropriate. Furthermore, we recommend that the purposes for which law enforcement may seek to access ICRs should be expanded to include information about websites that have been accessed that are not related to communications services nor contain illegal material, provided that this is necessary and proportionate for a specific investigation. (Recommendation 9)
156.A related issue on the purposes for which communications data more generally may be sought by law enforcement is considered in paras 84–88.
157.Part 4 of the Bill provides the Secretary of State with a power to require communications service providers to retain communications data, when it is necessary and proportionate, for a range of specified purposes for a maximum period of 12 months. This power will replace the data retention requirements currently set out in the Data Retention and Investigatory Powers Act 2014 and the Counter-Terrorism and Security Act 2015. It will give law enforcement a degree of confidence that the relevant data will be available even when the CSP no longer has a need to process it for its own purposes.
158.Although not new, this was one of the more controversial parts of the Bill, and a number of witnesses were critical of its inclusion. The Center for Democracy and Technology told the Committee that:
“legislation providing for data retention notices that could potentially require the retention of the communications data of every individual in the UK is manifestly incompatible with the rights to privacy and the protection of personal data, as found in the Charter of Fundamental Rights of the European Union (‘the Charter’) and applied by the CJEU in its Digital Rights Ireland judgment.”
159.Paul Lincoln of the Home Office has explained that:
“The Government responded to the Digital Rights Ireland case by passing some fast-track legislation in 2014, the Data Retention and Investigatory Powers Act, which took account of the ruling on Digital Rights Ireland. However, on the back of that, a judicial review was brought against those powers, which Parliament had voted for. That judicial review, in the Divisional Court, found two reasons for which the powers were incompatible with European legislation. Since then, a Court of Appeal ruling has said provisionally that it did not think that Digital Rights Ireland set out a minimum set of standards for Governments to comply with, and on the back of that the Court of Appeal has remitted this to the court in the European Union. Therefore, we have considered that position and the powers and the associated processes for which Parliament voted in 2014.”
160.Not all witnesses were so confident that this part of the Bill complies with European Law. Eric King commented that:
“my position at the moment is that we should not be legislating at all in this area until cases that are going up to the CJEU are resolved, for fear of us all wasting quite a lot of our time and having to re-amend and re-adapt the law, particularly given that we could be waiting to see how the [CTSA 2015] is implemented. I think we should hold back in this area and not include it in the Bill at all.”
161.David Anderson QC, Independent Reviewer of Terrorism Legislation, said that:
“my understanding is that around five constitutional courts and some other courts, in countries such as the Netherlands, Belgium, Slovenia and Austria, have already decided that national laws based on the data retention directive, as ours was, are not valid. The High Court here said the same thing. The Swedes were made of sterner stuff; they asked Luxembourg the question, and so did our Court of Appeal. Trying to predict the results of litigation is a mug’s game and I am not going to succumb to the temptation.”
162.While judgements from the European Court of Justice are outstanding, legislation in this area will remain subject to potential change. Whether ICRs are included or not, we believe that, in light of the ongoing need for communications data (see paras 49–58) and the imminent expiry of DRIPA, a continued policy of some form of data retention is appropriate and that these provisions should accordingly form part of the Bill.
163.Clause 74 requires that the data retained must be kept securely and, once the retention period expires, deleted in a way that ensures access is impossible.
164.Many witnesses were concerned about the security risks that accompanied retaining such large datasets. Andrews & Arnold told the Committee that the:
“retention of details of every web site visited reveals much more about a person. It can be used to profile them and identify preferences, political views, sexual orientation, spending habits, and much more. It is also useful to criminals as it would easily confirm the bank used, and the time people leave the house, and so on. This is plainly sensitive personal information, and it is clearly a huge invasion of privacy to collect and retain this information on innocent people. It is also a valuable target for criminals and so a risk for operators to retain this data.”
165.JISC pointed out that:
“retaining extra communications data will increase the impact of security breaches as well as creating a more attractive target for fraudsters and other hackers; systems to facilitate law enforcement access to communications may be discovered and exploited by criminals, as lawful intercept systems on mobile phone networks and master keys for luggage have been in the past.”
166.Big Brother Watch said: “Lack of detail in the draft Bill regarding the security of the data and how it will be held is a concern, particularly as cyber hacking and cyber security is a growing problem for all of us. In 2014 90% of large firms and 74% of small firms in the UK suffered a security breach.”
167.Similar concerns were expressed by a number of witnesses, including Eris Industries, Dr Paul Bernal, Mr Ray Corrigan, Dr Glyn Moody, Mozilla, the Tor Project, and the Law Society of Scotland.
168.Professor Michael Clarke, former Director of RUSI, told the Committee that “bulk data is a fact of life”. He said:
“there is a sense out there that only Governments do it, but of course everybody does it. It is part of our digital society. The old phrase is that unless you are one of a very small group of people indeed, Tesco already knows a great deal more about you than MI5 ever will. Data analytics are used by everybody: by retailers, by charities like my own. Everybody uses data analytics. Bulk exploitation of data is part of our society.”
169.The view of CSPs who gave evidence was that the security of such data was important and challenging, but feasible. Hugh Woolford, Director of Operations, Virgin Media, explained that:
“We will obviously look to work with the government security advisers to ensure that any processes and systems that we put in place to meet this Bill would meet those requirements and then regular auditing of them. That is the best way we think we could assure that everything was secure and in place. As a matter of course, you have to create a culture and a process around it that brings rigour.”
170.Mark Hughes, President, BT Security, explained that:
“It is about creating a layered approach to defence, ensuring that the controls are proportionate, given the sensitivity of the data. We are talking about collecting data for the first time—data we have not collected before—and the key is to ensure that our customers and their rights are protected. That data has to be looked after very carefully, so we have to have a commensurate security wrap around them that takes account of our customers’ human rights and indeed their privacy as well so that we ensure that we maintain and safeguard that.”
171.Adam Kinsley, Director of Policy and Public Affairs, Sky, commented that: “We currently work with the Government on standards, but it could benefit from being more joined up on the Government’s side. The Home Office, the ICO and the National Technical Assistance Centre having a single set of standards that we could build to would make a lot of sense.”
172.Richard Alcock of the Home Office assured us that: “The retention systems are built to stringent standards, and those standards are set by the Home Office. Systems do not go live unless they have been independently tested and accredited. We are very confident in the arrangements that we have to maintain security of the data retention systems, and I cannot say more than that. We completely understand the threat, and because of that we put a lot of effort into ensuring that integrity.”
173.The Home Office also assured us that the requirements it will place on operators will work technically. Richard Alcock has explained that:
“We have ongoing discussions with a number of comms service providers, as I mentioned before. Those service-provider systems are constantly changing. We have a good relationship with the service providers on which we are likely to serve notice, and we have a good understanding of their current technical systems. During all the conversations that we have with them, at no point have they said that it is impossible to implement.”
174.The security of retained data, especially such potentially intrusive data, is of great importance. We have received assurances from the Home Office that it is possible to hold such data securely if high standards are set, observed, and regularly scrutinised, but data theft remains an ongoing challenge.
175.We urge the Government to consider the suggestion to work with the Information Commissioner’s Office, the National Technical Assistance Centre and the Communications-Electronics Security Group at GCHQ, which has recognised expertise in this area, to draw up a set of standards for CSPs. (Recommendation 10)
176.The draft Bill allows for data retention notices to require data to be held for up to 12 months. This is the same period that currently operates under DRIPA and CTSA.
177.Christopher Graham, the Information Commissioner, said that there was insufficient justification for this 12 month period:
“When I say that little justification has been advanced, I mean that those who are putting forward this Bill are not explaining what 12 months is about—why 12 months? If you are going to say, “We reserve the right to invade your privacy, and by the way this material has to be retained for 12 months”, you have to make the case for that. Nowhere in the Bill or supporting memoranda have I seen the argument for 12 months. It is not for me to say that I think 12 months is wrong or right or that some other figure is appropriate because I am not the one seeking the powers; I am not the one who knows what we want to do with the information; I am not the one who knows how the information has been used. I am realistic; I understand that there has to be some care with which the facts are bruited abroad but nevertheless, nowhere in this 296-page package is the case actually made for 12 months.”
178.Paul Lincoln of the Home Office has explained that:
“the UK decided to adopt a maximum of 12 months when it first introduced its legislation in this area. The 12 months was considered to be the right balance as to the level of intrusiveness in holding that amount of data. It was done on the basis of surveys by looking into the way in which law enforcement used the powers.
The critical reason for going up to 12 months is child sexual exploitation cases. Certainly when a survey was done on this in 2012, 49% of all requests made in child sexual exploitation cases were for data between 10 and 12 months old. That is a very significant period, which is reflected in the position that we have taken.”
179.Chris Farrimond, Deputy Director Intelligence Collection, National Crime Agency, explained that:
“in a 2012 survey right across policing in the UK, of all crime types within 0 to six months approximately 84% of comms data was applicable: that is to say, when we needed it, 84% fell within the 0 to six months, 13% within the seven to 12 months, and 3% in the 12 months-plus. But that does not give the whole picture. For child abuse, only 42% fell within the 0 to six months, and 52% fell within the seven to 12 months. There are also figures for terrorism offences, sexual offences and financial offences. We can give those figures, but this quite clearly shows that the closer you are to the date, generally speaking as soon as the investigators get hold of the case they are going to want to get the data, but sometimes it takes a bit longer, for whatever reason. For instance, we do not immediately get the referrals that I spoke about a few minutes ago involving child sexual exploitation; sometimes it can take a few months for them to come through, which may be the reason for the 52%. Either way, I think it shows pretty consistently that 12 months is a reasonable point at which to draw the line.”
180.Simon York, Director of the Fraud Investigation Service, HMRC, commented that:
“the position for HMRC is a little different. Our figures show that more than 50% falls into the six to 12 month period. Indeed, quite a lot falls beyond 12 months. We are doing a lot of reactive, or historical, analysis. We have some real-time stuff, perhaps smuggling, but if it is more in the tax evasion area it can be a lot more historical; if it involves the use of tax returns, we will not even do that analysis until 12 months after the year ends. We are in quite a different position from that of the National Crime Agency. Overall, we feel that 12 months is a reasonable balance to be struck, but we have a lot of cases that fall within that six to 12 month period.”
181.In written evidence, law enforcement representatives provided additional material to support the 12 month data retention requirement.
182.Some witnesses suggested alternative models for data retention. Dr Julian Huppert has suggested: “the Committee should consider recommending a reduction in the 12 month retention period, possibly associated with data preservation orders where there is suspicion that particular data may be needed later.” A similar point was made by Caroline Wilson Palow, Legal Officer at Privacy International, who explained that: “The US, for instance, does not have a data retention provision, yet it is still able to solve crimes. In fact, it uses mechanisms like data preservation orders, which are much more targeted, are not across the board and can be quite effective.”
183.We are not convinced that targeted retention orders are a viable alternative to a data retention provision, as they do not provide retrospective information and would be of limited value in instances where criminal action had ceased.
184.Some witnesses pointed to other countries, which did not use or had ceased to use data retention. Jim Killock, Executive Director, Open Rights Group, said that:
“on data retention in general, we have had a ratcheting back of data retention in a lot of Europe. These apparently essential tools have not been operational for a long time in Germany, the Czech Republic, Slovakia and a number of other places. There are about six or seven countries where these sorts of programmes have essentially been cancelled. There has not been a concomitant outcry from the police that they are no longer able to solve crimes and that there is spiralling dysfunction in the police. That has not occurred. Something to bear in mind is that there are often several routes to solving crimes. Data, through data retention or collection, is only one.”
185.Privacy International made a similar point in their evidence.
187.The issue of the costs of data retention (and ICRs) was raised with the Committee by a number of witnesses.
188.The evidence from CSPs was unanimous that the full costs of the implementation of data retention and ICRs should be met by the Government. TalkTalk said:
“Retaining this data, and storing it securely, represents a significant new cost for CSPs. Whilst the Government has indicated that it accepts the principle of cost recovery (i.e. that the Government reimburses CSPs for costs associated with the data retention requirements in the Bill), these arrangements should be more explicitly outlined in the Bill to provide taxpayers and CSPs with greater clarity about how the cost recovery model will work. Without an effective and clearly defined cost recovery model, consumers face the very real risk of seeing their bills rise to pay for the implementation of the Bill.”
189.Jonathan Grayling of EE said:
“We believe that the Bill should make it explicit that a company impacted by this legislation is fully able to recover the costs incurred. We believe that if there is no cap on costs based on a proportionality aspect, and the obligation and the financial impact is simply passed on to the CSP, this could result in delivering disproportionate solutions. If there is a cost recovery model that places a cap on cost and is based upon proportionality, that provides a far safer investment for taxpayers’ money and the privacy of our customers.”
190.ISPA likewise said: “The final Act should enshrine full cost recovery for providers. The cost recovery provision ensures that providers are not commercially disadvantaged and acts as an important safeguard as it provides for a clear link between public expenditure and the exercise of investigatory powers.”
191.Mark Hughes, of Vodafone, told us that he had been told that there would be full cost recovery:
“The Home Office has always had a policy of 100% cost recovery. They have assured us that this will continue. This is not an area that we make any money out of. We provide the very best service that we can to assist law enforcement.”
192.As to what those costs would be, CSPs said that it was difficult to make an assessment as they were not yet certain of what data they would need to retain. Mark Hughes of Vodafone said that “Until we have been served with a notice, I would be purely speculating as to the cost. I would be uncomfortable giving you any kind of idea until the Home Office has served us with a notice. It would be significant, it is fair to say.”
193.Hugh Woolford of Virgin Media said:
“I would love to give you an exact figure. We are not saying it cannot be done. Anything can be done in this space with enough time and money. We have a broad set of requirements, but to enable us to move forward we need to bring some more specificity to those so that we can start giving more accurate estimations of costs and time. Depending on how much you are trying to capture and across what frequency, one big piece of it is how much of whatever the equipment is you might need to deploy; therefore, you need to find space, power and places to host it all. It is no mean feat.”
194.Richard Alcock of the Home Office said that:
“It is £174 million over a 10-year period in relation to internet connection records. Right now, under existing legislation, in the last financial year we spent around £19 million on data retention, so broadly speaking we are doubling the cost of data retention … We have worked with industry over summer to look at the likely data volumes and the costs associated with that volumetric growth over time, so even though I gave the example of £17 million a year, the reality is that the cost may go up over that time. But, as I say, we have been working very closely with the comms service providers on which we are likely to serve notice to underpin the facts and figures within the impact assessment.”
195.We are not able to make an assessment of the accuracy of the data retention costs provided by the Government. We urge the Government to continue working with CSPs to improve the detail of the cost estimates for data retention to show how it will be deliverable in practice and deliver value for money.
196.As the communications data will be held for purposes that are not related to the CSP’s own business purposes, we agree that the Government should provide CSPs with whatever technical and financial support is necessary to safeguard the security of the retained data. While we do not agree that 100% cost recovery should be on the face of the Bill, we do recommend that CSPs should be able to appeal to the Technical Advisory Board on the issue of reasonable costs. (Recommendation 11)
197.Our view is that the Government should provide statutory guidance on the cost recovery models, and that particular consideration should be given to how the Government will support smaller providers served with data retention notices. (Recommendation 12)
198.Many witnesses were concerned that CSPs would be required to retain “third party data” under the terms of the draft Bill. Third party data refers to data passing over a CSP’s network which neither originates nor terminates there.
199.Mobile CSPs were particularly concerned that they should not be obliged to retain communications data relating to third party “over the top” Internet communications services. Vodafone explained their position against such a provision:
“Vodafone believes the responsibility to obtain and retain this data should be held by the provider of such a service—for example Facebook, Google Mail or WhatsApp—and not by the underlying network operator including Vodafone.
Network operators simply act as the “postman” for these services. If network operators were required to obtain and retain data, this would mean installing a complex new array of technology, requiring us to build systems to capture data for which we have no business purpose. We have expertise of the data which we generate in the course of running our own services for our day-to-day business activities, but we have very little knowledge, or reason to know, how any given Internet communications service or OTT service might structure its communications. The potential for this system to be ineffective, inefficient and retain too much or indeed too little data is substantial … Even if an operational case has been made, we consider that any duty to retain communications data should be imposed only on the provider of the service in question: the company which provides the service should retain the data.”
200.The Home Office made clear that CSPs would not be required to retain third party data. Speaking in the House of Commons on 4 November 2015, the Home Secretary said: “Let me be clear: the draft Bill we are publishing today is not a return to the draft Communications Data Bill of 2012. It will not include powers to force UK companies to capture and retain third party internet traffic from companies based overseas.”
201.CSPs and others said that the framing of the draft Bill still left them open to retaining third party data. LINX told the Committee that:
“We are concerned that, contrary to direct assurances the Home Secretary gave to Parliament, the terms of this Draft Bill would authorise the Secretary of State to impose requirements on Internet access providers (ISPs) to collect third party data.”
202.EE said that “The Home Office has provided verbal assurance that there will be no requirement for EE to retain third party data. However, on the face of Bill there is very little limitation on what Government could require telecommunications operators to do.”
203.TalkTalk agreed, saying:
“TalkTalk welcomes the exclusion of third party data requirements. The draft Bill, however, would benefit from greater clarity on this point. Clause 71(9) should be modified to make clear that ‘relevant communications data’ exclusively relates to data generated on a CSP’s own network, or data processed by that operator in order to provide a service. This would distinguish it from transit data that may use a CSP network, but is of no relevance to a CSP.”
204.EE suggested a similar amendment in their evidence to the Committee.
205.We agree with the Government’s intention not to require CSPs to retain third party data. The Bill should be amended to make that clear, either by defining or removing the term “relevant communications data”. (Recommendation 13)
206.There were concerns too that CSPs would be required not just to retain data but to generate new data. ISPA said that:
“The Bill goes beyond the current legal framework in that providers will no longer only be required to retain data that is or will be generated for business purposes. Clause 71(8)(b) refers to “collection, generation or otherwise” which suggests that providers may be required to specifically generate data, i.e. it may require providers to change their business operations or make changes to their business model.”
207.EE said “The power to require a provider to “generate” data for the purposes of retention ([Clause] 71(8) (b)) is also of concern (one that also existed with the Draft Communications Data Bill), with fears that it could be used to require a provider to generate data that does not relate to providing a service to our customers. Again, a modification of Clause 71(9) as above would preclude this requirement.”
208.Similar comments were made by Andrews & Arnold Ltd and techUK.
209.We recommend that the Government should clarify the types of data it expects CSPs to generate and in what quantities so that this information can be considered when the Bill is introduced. (Recommendation 14)
210.The Bill extends the range of providers that might receive a retention notice. JISC told the Committee that:
“Under current law, orders to prepare for future investigations (for example by data retention or interception capabilities) can only be made against “public telecommunications operators” (see DRIPA section 1(1) and RIPA section 12(1)(a)). Private networks—such as Janet and networks within universities, colleges and businesses—can be required to disclose specific communications data they already have (RIPA section 22) or to implement targeted interception warrants (RIPA section 5). However they cannot be required to modify their activities or systems in advance so as to facilitate such activities. The new Bill applies all its powers, both preparatory and targeted, to “telecommunications operators”: a term defined in Clause 193 so as to include every organisation and home with any kind of connection to a telecommunications network.”
211.BT also suggested that the inclusion of private networks would be problematic:
“We are therefore concerned that Clause 189 of the IPB extends Government’s power to serve a capability notice on a CSP to cover all the “telecommunications services” it provides, rather than just “public telecommunications services”, as under the current regime. BT offers a significant range of services that do not fall into the “public” category. Examples include services offered under compulsion (Wholesale Line Rental or Local Loop Unbundling offered by BT Openreach) and private networks (a network provided to a large company for internal communications). This change could have significant implications for BT.”
212.ISPA said they were:
“concerned about the unclear and potentially wide-ranging definition of providers and services that are covered by the Bill. The Government has stressed publicly that it has drafted the Bill in consultation with a number of operators that are likely to be served a data retention notice. It is not clear if this has been of a suitably detailed level to enable a full and clear assessment. Moreover, the powers of the Bill could easily be applied to a whole range of other providers and services whose input has not been considered, not least given the new extension to ‘private’ networks.”
213.Similar points were made by the Institute for Human Rights and Business, Mozilla, Chartered Institute of Library & Information Professionals, Open Rights Group and F-Secure. There were concerns that smaller ISPs and others would face significant challenges if they were required to retain communications data.
214.As Entanet International Ltd told the Committee, “The definition of Communications Service Provider is extraordinarily wide—it could extend to a coffee shop offering free Wi-Fi.”
215.This was confirmed by the Home Secretary in her evidence to the Committee, who in response to a question about whether Wi-Fi in coffee shops might be included, said:
“Yes. That is left open—and rightly so. If you look at how people are conducting their business, their interactions and their communications today, they are doing that on the move and in a whole variety of settings. It may very well be that there are circumstances where it is appropriate to have that discussion and, potentially, to ask for information to be retained. It is about having that flexibility.”
216.According to Andrews & Arnold:
“It seems clear from the Home Office that they are intending to only serve notices on those larger ISPs that are already subject to notices, and with which they have already had extensive discussions. They have indicated that they are not intending to target smaller ISPs, and even if they did, that ISPs would not be expected to log and retain data for which they simply do not have such a capability, and that they would not expect any collection of “third party data” or information from “over the top services”.”
217.Similar points were made by the Rev Cecil Ward and Philip Virgo.
218.Clause 72 requires the Secretary of State to take reasonable steps to consult with an operator before giving them retention notices, and Clause 73 enables operators to refer notices to the Technical Advisory Board and the Investigatory Powers Commissioner.
219.Richard Alcock of the Home Office has assured us that: “We make balanced judgments on the service providers on which we serve notices, and we sometimes have to make hard choices about where we put data retention notices. Obviously I cannot go into detail about the organisations that we would intend to serve notices on, but we have been working with every organisation that would be likely to have a notice served on it.”
220.We believe that the definition of telecommunications service providers cannot explicitly rule out smaller providers without significantly compromising the data retention proposals as a whole. We acknowledge that the potential burden of data retention notices, particularly for smaller providers, could be acute. This makes the clarification of cost models, as we have recommended above, essential.
222.The definitions of telecommunications service and telecommunications operator in the draft Bill also cover providers based overseas which supply services to people in the UK. Apple told the Committee that:
“As defined in relevant EU Telecommunications Law, Apple is not an electronic communications service provider. The Investigatory Powers Bill seeks to extend definitions in this area to an extent beyond that provided for in relevant EU law. The draft bill makes explicit its reach beyond UK borders to, in effect, any service provider with a connection to UK consumers.”
223.The issues related to the extraterritorial effect of these provisions are considered in paras 513–518.
224.The Secretary of State will issue relevant CSPs with retention notices specifying what data is required to be retained for what period. Clause 77 prohibits CSPs from disclosing the existence and contents of a retention notice to any other person. This has been challenged by a number of potential recipients of retention notices.
225.Andrews & Arnold Ltd questioned the justification for this prohibition:
“whilst I can understand operation reasons for not revealing targeted intercept warrants, a retention order does not relate to a suspect or a case, and so has no reason to be secret… If an operator wants to discuss the notice with equipment vendors, technical working groups and forums with other ISPs or even their customers they are prohibited from doing so.”
226.Concerns were also raised about the implications for whistle-blowers. Naomi Colvin told the Committee that “An explicit public interest defence should be included in the Bill, which would protect both whistleblowers and security researchers working in the public interest.” The issue of whistle-blowers is considered further later in the report (see paras 560 and 627–630).
227.In her letter to the Committee, the Home Secretary explained the provision in the draft Bill:
“Disclosing the existence of a notice would risk undermining national security and the prevention and detection of crime. For example, criminals might start to use the services of companies that are not subject to a notice. The commercial interests of that company could be prejudiced if the Government made the fact of a notice public and significant numbers of customers transferred their business to companies who are not subject to a notice.”
228.We understand the Government’s position for not allowing the fact that a data retention notice has been served to be referred to in public. We suggest that some forum or mechanism, perhaps through the Technical Advisory Board, is made available so that CSPs subject to such notices can share views on how best to comply with them. (Recommendation 15)
229.We believe that the Intelligence and Security Committee and the Investigatory Powers Commissioner should have access to a list of CSPs served with data retention notices and that their scrutiny will be a valuable check on the appropriate use of this power. We also acknowledge that the Information Commissioner’s Office will scrutinise the information security arrangements of CSPs subject to data retention notices and will therefore need to be informed of the existence and content of relevant notices.
230.Clauses 51 to 53 require the Government to establish filtering arrangements to facilitate the obtaining of communications data by relevant public authorities and to assist a designated senior officer in each public authority to determine whether he or she believes the test for granting an authorisation to obtain data has been met.
231.The Home Office has said that the Request Filter would be used for complex communications data inquiries that cover several CSPs. Rather than a public authority having to submit separate requests to several CSPs, it is proposed that it would submit one request to a specialist unit run by the Home Office. This unit would operate a Request Filter that would interrogate the multiple CSP databases and automatically analyse the returns, providing investigators with only the relevant data and destroying any data once it was no longer needed.
232.The proposals are very similar to those in Clauses 14 to 16 of the Draft Communications Data Bill 2012, which also proposed a Request Filter. The key change from the earlier Bill is that the Secretary of State must now consult the Investigatory Powers Commissioner about the principles on the basis of which the Secretary of State shall establish the filter. Other changes provide that the designated senior officer must consider that what is proposed must be proportionate to what is sought to be achieved and that the Secretary of State may restrict the number of people who are capable of acting as a designated senior officer with regard to the Request Filter.
233.The Home Office said that “the filtering arrangements will minimize the interference with the right to privacy, in particular respect for personal correspondence, to which requests for internet based communications data will give rise thereby ensuring that privacy is properly protected.”
234.The Request Filter was broadly supported by the Information Commissioner’s Office, who said:
“If this mechanism is effective this could reduce privacy intrusion such as when trying to resolve IP addresses. However how this would work in practice would require some attention and close review by the Investigatory Powers Commissioner (IPC) to ensure that it is achieving its aims and not being used in inappropriate ways.”
235.The proposal was also welcomed by Virgin Media, though with a note of caution about the need for safeguards:
“we understand that the intention is for a request for data to be passed through the filter to ensure that only the relevant data is passed on to law enforcement. If operated in this way it should help to protect privacy. Clarification around scope, controls, security, oversight and implementation is required either on the face of the Bill or in secondary legislation. It is not clear how exactly concerns expressed by the Joint Committee (Communications Data Bill 2012) will be addressed.”
236.In 2012 the Joint Committee on the Draft Communications Data Bill concluded that:
“The Request Filter will speed up complex inquiries and will minimise collateral intrusion. These are important benefits. On the other hand the filter introduces new risks, most obviously the temptation to go on “fishing expeditions”. New safeguards should be introduced to minimise these risks. In particular the IoCC should be asked to investigate and report on possible fishing expeditions and to test rigorously the necessity and proportionality of Filter requests.”
237.The key changes to the clauses from those in the Draft Communications Data Bill, as outlined in paragraph 232 above, seek to address those concerns. Additionally, Paul Lincoln of the Home Office has explained to us that:
“There is oversight by the Investigatory Powers Commissioner as a starting point in terms of all the powers in the Bill, but in addition to that we have greater defence in the Bill to make sure that in extremis if you are wilfully trying to abuse the system, a criminal sanction is available. There are also administrative and other sanctions available to the Government.”
239.Views differ as to whether the Home Office was right to argue that the Request Filter minimises collateral intrusion and thus is a tool in protecting privacy. Some witnesses see it as a threat to privacy. For example, LINX stated that:
“We do not agree with the government’s characterisation of this portion of the Draft Bill as a safeguard that minimises the intrusive nature of access to communications data by reducing the volume of data that will be released to investigating officers. We think a much more accurate characterisation would be to regard these arrangements as an enormously powerful and intrusive new investigatory tool that brings the power of Big Data analysis to law enforcement investigation on an unprecedented scale.”
240.Eric King argued that “it permits the same sort of data-mining at a scale that so far only our intelligence and security agencies have been undertaking, and provides that to the police, but in the name of a safeguard.” Entanet International told the Committee that “the complex queries such a database allows make the extent of intrusion difficult to quantify or oversee on the face of the bill.”
241.Similar concerns were expressed by the Open Rights Group, Dr Julian Huppert, the Internet Service Providers’ Association, Mcevedys Solicitors & Attorneys Ltd and Liberty.
242.Another issue that was raised was the potential security risk involved in operating the Request Filter. James Blessing, ISPA Chair and Chief Technology Officer of Keycom, told the Committee that:
“In theory, the filter is being described as a way of restricting the information recovered. That means that an automated system must be doing the requesting of the data capture from the service provider and then presenting them to an individual. That means we have to allow third-party access to our systems, which is a potential risk. In theory, it would mean that the data was less open to fishing because you are only getting back specific results, but potentially there is a whole new construction of requests that people could start making… In some ways it is a good thing and in some ways it is a concern, because, again, the details are very limited.”
243.Adrian Gorham of O2 also outlined his concerns about the security aspects of the filtering arrangements:
“A third party will take bulk data from us and analyse it for the police, to make sure the police only see the data they require. My concern there would be that that third party has exactly the same level of security that we deploy ourselves in our businesses. A number of us have international standards; I would expect that third party to have that level of security, if it has my customer data. I would expect the governance that we are putting in place to go and do audits on that third party, and I would—if I am giving them my customer data—expect to be able to go and audit them myself, to ensure that they are living up to our standards as well. We are all very used to looking after security and protecting that data, but we now, with this Bill, have a third party whom we would need to give data to, and we need to be very sure that the same level of security is deployed there as well.”
244.He was supported by Jonathan Grayling of EE: “I would like to see the filter having the same security controls as the ones CSPs are compelled to provide in relation to retained data.”
245.Our general views on privacy risks of large CD datasets are set out in more detail in paras 163–175. They pose very considerable reputational challenges to communication and internet service providers, law enforcement investigators and to individuals if security breaches occur.
246.We welcome the Government’s proposal to build and operate a Request Filter to reduce the amount of potentially intrusive data that is made available to applicants. We believe that the technical and security challenges involved in implementing the Request Filter can be met and would urge the Investigatory Powers Commissioner to examine and report on it to ensure that it is secure.
247.We acknowledge the privacy risks inherent in any system which facilitates access to large amounts of data in this manner. We believe that the requirement upon law enforcement to state the operational purpose for accessing data through the filter will provide an important safeguard that can be assessed by the Investigatory Powers Commissioner and that the oversight of the Commissioner will be sufficient to prevent the Request Filter being used for “fishing expeditions” and ensure that it is used proportionately.
248.Clause 189 allows the Secretary of State to impose obligations on telecommunication service providers, and Clause 189(4)(c) states that these obligations could include “the removal of electronic protection applied by a relevant operator to any communications or data”.
249.Paul Lincoln of the Home Office told the Committee that this was a necessary power and that:
“The Bill itself in effect replicates the existing legislation, which has been in place since 2000, and says in effect that we should be in a similar position to that of the real, physical world, where, as David Anderson says in his report and others have said, you do not want there to be places where people are allowed to go unpoliced and ungoverned. The same should apply in the internet world. So when you have taken the steps with regard to necessity and proportionality, you can place a requirement on companies to provide you with content in the clear.”
250.This position was supported by Ray McClure, who explained that “Without being able to access an unencrypted message the security forces will not be able to tell if the message is a harmless exchange of say a cooking recipe, or a set of terrorist instructions. I fear that in the name of privacy the encrypted services on the internet may lead the internet to become a safe haven for evil.”
251.The provision in Clause 189 on removing electronic protection was the subject of considerable concern among a great many witnesses, who said that its meaning was unclear. The Information Commissioner’s Office told the Committee that:
“The practical application of such requirement in the draft is unclear in the draft bill and the accompanying Guide to Powers and Safeguards does not provide specific details to enable the full extent of the provision to be assessed.”
252.Similarly, techUK said:
“In particular it still remains unclear as to whether the obligation for service providers “relating to the removal of electronic protection”, as stated in Clause 189(4)(c), has any ramifications for encryption technology applied by the user of the services, and not the service provider. If the provision does have ramification for end to end encryption, this would limit companies’ ability to deploy the necessary security to safeguard their customers’ privacy and security, in effect compelling companies to weaken the security of their products.”
253.Deep concerns were expressed that the implications of this provision would undermine encryption and therefore the security of online communications and transactions. Big Brother Watch said “any part of the draft Bill which may have implications for the strength of encryption will have severe consequences for the people and the country as well. Any approach to weaken, create backdoors or simply abandon encryption must be treated with extreme caution.”
254.Article 19 echoed this point and suggested that it could lead to companies being compelled to install “backdoors” into their products and services:
“Despite the Government’s assurances that the draft Bill would not include ‘backdoors’ and that encryption would continue to be protected, it is apparent that the vires of Clause 189(4)(c) are sufficiently broad to enable the Secretary of State to make regulations requiring operators either to remove encryption services upon request, or to reduce the effectiveness of encryption. This would fundamentally undermine the use of end-to-end encryption and therefore the security of our online communications and transactions. In practice, it is equivalent to a government ‘backdoor’.”
255.Similar arguments were made by a large number of witnesses, including Dr Paul Bernal, Apple, Facebook, Google, Microsoft, Twitter, Yahoo, Mozilla, Human Rights Watch and Liberty.
256.A particular issue was raised in relation to end-to-end encryption, where the service provider might not have the capability to decrypt the contents of a communication passing across its system. Erka Koivunen of F-Secure explained that:
“Some of these providers have designed their systems specifically to employ end-to-end encryption, where the service provider is not in a position to open up the encryption. The encryption goes through the service provider’s systems so that even the provider is not able to see through it. The way I am reading the Bill, it would actually ban the use of strong cryptography and strong encryption and would essentially weaken our ability to use secure online services.”
257.Witnesses were concerned that, despite the Secretary of State needing to take into account “the technical feasibility of complying” (Clause 190(3)(c)), there was still the potential for a technical capability notice to be served that would require encrypted systems to be compromised. Andrews & Arnold Ltd said that “it appears to effectively ban a provider from offering a service that has proper end-to-end encryption” and Apple said that “Although this is not explicit in the draft bill, our understanding of the government’s intention is that this would require us to remove end to end encryption if that was necessary to give effect to the warrant and considered proportionate.”
258.The evidence from Paul Lincoln, from the Home Office, suggested that this would be the case: “If you are providing a service to UK customers and the Secretary of State and a judicial commissioner think there is necessity and proportionality in order to be able to provide that information, those companies should be required to provide that information in the clear.”
259.Whilst a judicial commissioner would be involved in the authorisation of the warrant to access such material in the clear, they would not be involved in the decision to serve a technical capability notice on a CSP to ensure that encryption could be removed when circumstances required. This is considered further in Chapter 4, paras 498–502.
260.Various witnesses suggested that the provision to require the removal of electronic protection would have a negative economic impact by damaging the competitiveness of UK tech businesses or encouraging them to relocate outside the UK. Adrian Wilkins said that “I have already seen examples of companies that have been put off setting up operations in the UK, just as a result of the proposed legislation” and Eris Industries Ltd said that “Our position is that the draft Bill would impinge vital and legitimate business interests of our company … We have also, disappointingly, taken positive steps to relocate our base of operations out of London in the expectation that this draft Bill will eventually receive Royal Assent.”
261.The Home Secretary in her evidence to the Committee provided some much-needed clarity about the Government’s intention in relation to encryption, saying that: “The Government do not need to know what the encryption is or to know the key to the encryption.”
262.She told the Committee that:
“We are not proposing in the Bill to make any changes in relation to the issue of encryption and the legal position around that. The current legal position in respect of encryption will be repeated in the legislation of the Bill. The only difference will be that the current legal position is set out in secondary legislation and it will now be in the Bill. We say that, where we are lawfully serving a warrant on a provider so that they are required to provide certain information to the authorities, and that warrant has gone through the proper authorisation process and is entirely lawful, the company should take reasonable steps to ensure that it is able to comply with the warrant that has been served on it. That is the position today, and it will be the position tomorrow under the legislation.”
263.We agree with the intention of the Government’s policy to seek access to protected communications and data when required by a warrant, while not requiring encryption keys to be compromised or backdoors installed on to systems. The drafting of the Bill should be amended to make this clear. (Recommendation 16)
264.The Government still needs to make explicit on the face of the Bill that CSPs offering end-to-end encrypted communication or other un-decryptable communication services will not be expected to provide decrypted copies of those communications if it is not practicable for them to do so. We recommend that a draft Code of Practice should be published alongside the Bill for Parliament to consider. (Recommendation 17)
265.Part 5 of the draft Bill provides for law enforcement and the security and intelligence agencies to undertake targeted Equipment Interference.
266.Equipment interference (EI) is any interference with equipment, conducted for the purposes of gathering intelligence or manipulating the equipment, in order to establish control, compromise functionality or gather further intelligence. Equipment in this context could include personal computers, mobile phones and tablets and large systems owned by organisations. The shorthand “hacking” is often used for EI, although not all EI activities constitute hacking as traditionally defined.
267.Equipment interference has been carried out by the security and intelligence agencies and by law enforcement for some time but this Bill is the first in which it is explicitly recognised.
269.For the security and intelligence agencies, EI is currently mandated by section 5 and section 7 of the Intelligence Services Act 1994. Law enforcement, until relatively recently, have relied on section 93 of the Police Act 1997, “Authorisations to interfere with property”. This has allowed the police to plant audio and video bugs inside homes, offices, vehicles and so on. In other circumstances, section 10 of the Computer Misuse Act 1990 has also been used. Section 44 of the Serious Crime Act 2015 amended section 10 of the Computer Misuse Act to allow law enforcement to undertake more intrusive EI activities. The Home Office emphasised in their evidence that the draft Bill does not provide for new powers in respect of EI.
270.Chris Farrimond, Deputy Director Intelligence Collection at the National Crime Agency, said “We use [EI] for a range of purposes, ranging from pretty much every-day relatively routine activities right up to far more high end. The difficulty is that trying to describe any of those techniques in this setting probably would be inappropriate.”
271.The Committee was given an off-the-record presentation by the Metropolitan Police and National Crime Agency where a further explanation was given of the kinds of EI activities that are used.
273.Other witnesses were able to suggest what activities EI might encompass. Erka Koivunen from F-Secure said “The term “equipment interference” is pretty elegant. When I was learning information security at school we used “exploitation”, “vulnerabilities” and “attacks” to describe the same things.”
274.Professor Ross Anderson told the Committee that: “It is basically hacking or the installation of malware, or what the NSA calls implants and what we call remote administration tools in a machine.” The NUJ suggested that equipment interference:
“means the authorities would have control over targeted devices and access to any information stored. This information could include documents, emails, diaries, contacts, photographs, internet messaging chat logs, and the location records on mobile equipment. It would also mean having powers to access anything typed into a device, including login details/passwords, internet browsing histories, other materials and communications. Draft documents and deleted files could also be accessed. In addition, the microphone, webcam and GPS-based locator technology could be turned on and items stored could be altered or deleted.”
275.The Electronic Frontier Foundation gave examples of how equipment interference supported by a telecommunications provider might operate:
“In 2009, a software update was sent to all owners of Blackberry devices using the Etisalat network in the United Arab Emirates. The software required manual agreement by the end-user. If accepted, the new software transformed their mobile phone into a spying device, which, as the manufacturer of Blackberry, Research In Motion (RIM), wrote, “enabl[ed] unauthorised access to private or confidential information stored on the user’s smartphone.” RIM warned its own users about this software, because the update masqueraded as a legitimate upgrade to improve performance of the devices. RIM also had a strong incentive to protect its hardware’s reputation as a high-security device, as Blackberry smartphones had been sold to multiple government and international financial institutions. If RIM had been discovered to be the real author of such an update, it would have destroyed its reputation as a guardian of its customers’ data.”
276.The Home Office told the Committee that in the past, interception powers were sufficient to follow targets, but that “technological advances and the spread of ubiquitous encryption—wrapping information in an impenetrable blanket from sender to receiver—is resulting in an increasing number of circumstances where interception is simply not possible or effective.”
277.Draft Codes of Practice on Equipment Interference were published in February and November 2015, but they were limited to the activities of the Security and Intelligence Agencies. It is understood that the police are operating under the Code of Practice on Covert Surveillance and Property Interference, chapter 7 of which covers property interference; it discusses equipment but makes no explicit reference to interference with computer systems.
278.The Draft Code of Practice on Equipment Interference for the security and intelligence agencies identifies the following objectives:
a) obtain information from the equipment in pursuit of intelligence requirements;
b) obtain information concerning the ownership, nature and use of the equipment with a view to meeting intelligence requirements;
c) locate and examine, remove, modify or substitute equipment hardware or software which is capable of yielding information of the type described in a) and b);
d) enable and facilitate surveillance activity by means of the equipment.
“Information” may include communications content, and communications data.
279.The Home Office Factsheet on Targeted Equipment Interference stated that “During 2013 around 20% of GCHQ’s intelligence reports contained information that derived from EI operations; and MI5 has relied on EI in the overwhelming majority of high priority investigations over the past 12 months.”
280.The Home Office argued that:
“It is right that mainstream policing, who are at the forefront of serious crime investigations, have the less intrusive equipment interference techniques available to support their investigations. But it is also important that the use of more specialised techniques is restricted to specialist teams—as is the case across policing now—with the most sensitive capabilities delivered by the National Crime Agency on behalf of wider policing.”
281.Richard Berry, Assistant Chief Constable, National Police Chiefs’ Council, told the Committee that “To give a police perspective on this, we use equipment interference regularly, really for tracing vulnerable and suicidal missing persons.”
282.Beyond Government and law enforcement there was also support for targeted equipment interference. The BCS said there was a “credible argument” for EI and Professor John Naughton and Professor David Vincent said that there was a “reasonable case” for it. The Rt Hon David Davis MP told the Committee that “individual targeted equipment interference is obviously a necessity, particularly in this day of encryption. It is one way of getting around encryption and probably the most effective.”
283.Dr Tom Hickman said that: “It is no doubt necessary for intelligence services to have the capability to hack into computers, telecommunications systems and smart phones, just as it is necessary for them to break and enter, burgle and bug. But such powers are extremely intrusive, potentially much more intrusive than interception of communications.”
284.Privacy International remarked that the operational case for EI was “weak”, and a number of witnesses argued that the EI power was too intrusive. Article 19 said that:
“Equipment interference (i.e. hacking), whether carried out by a government or private actor, is perhaps the most serious form of intrusion into someone’s private life, given that it involves access to private information without permission or notification. It also fundamentally breaches the integrity of the target’s own security measures. Unlike search warrants where the individual would at least be notified that their home or office was being searched, hacking generally takes place without a person’s knowledge. It is the equivalent of the police breaking into someone’s home.”
285.These remarks were echoed by the Electronic Frontier Foundation who said that it was “an extremely intrusive power … [with] a tremendous possibility for abuse”. Similar points were made by Privacy International and Liberty.
287.There is nevertheless a substantive case for the targeted equipment interference power. We believe that, subject to the appropriate authorisation process involving a Judicial Commissioner, such activities should be conducted when necessary and proportionate.
288.We recommend that the Government should produce a Code of Practice on Equipment Interference to cover the activities both of the security and intelligence agencies and of law enforcement. (Recommendation 18)
289.Witnesses argued that the targeted EI power was too broad, in part because definitions of key terms involved were not sufficiently specific. Big Brother Watch told the Committee that:
“Sub-Clause 81(3)(b) allows for the “obtaining of any information” that is “connected” with the equipment covered by the warrant. Given the way the internet works and the myriad of ways in which information and systems can now connect with each other this could potentially enable much broader action than was intended by the original warrant.”
290.Wendy Grossman, a freelance technology journalist, made a similar point in relation to the definition of equipment:
“The bill proposes to allow interference with “electronic devices such as computers and smart phones”. The image this phrasing creates is that of either a self-contained device that is used by one or a few individuals for long-established purposes such as email, word processing, internet browsing, and so on, or perhaps the routers, switches, and other devices that direct data traffic around the internet. This is not the reality of computers today, let alone tomorrow. Modern cars are clusters of computers on wheels—ten to 30 for an ordinary car, as many as 70 for a luxury car. The same or similar is true of other vehicles from tractors to airplanes. Computers are embedded in streetlights in Glasgow, in the smart meters UK electric companies are pledged to roll out by 2020, and in automated vacuum cleaners such as the Roomba and the Dyson 360 Eye, as well as most modern TVs and washing machines.”
291.The Center for Democracy & Technology concluded that:
“The definition of a ‘system’ should also be more clearly defined. Cl 81(2) and 82(3) & (4) note that a system is a relevant system if any communications or private information are held on or by means of the system. In the Australian context, similarly overbroad language has been interpreted as potentially including the entire Internet.”
292.Any definition needs to be drafted in a way that the “scope of the discretion conferred” and the “manner of its exercise” are sufficiently clear that an individual is protected from “arbitrary interference”. In other words, drafting should make clear exactly what the authorities can do when undertaking equipment interference. While a broad definition may assist in future-proofing, it could also fall foul of the courts. We note that, if our recommendation for post-legislative review five years after the Bill’s enactment is implemented (see para 710), a tighter definition can be introduced without running the risk of law enforcement and the agencies being left behind by technological advancement.
293.We acknowledge both the concerns of witnesses about the breadth of the definitions and the desire of Government not to inadvertently rule out access to new types of equipment or system in the future.
294.We believe that the involvement of Judicial Commissioners in the authorisation process may ensure that the equipment and systems targeted by EI activities will be proportionate and considered foreseeable.
295.We recommend that the Government should produce more specific definitions of key terms in relation to EI to ensure greater confidence in the proportionality of such activities and that a revised Code of Practice is made available alongside the Bill. (Recommendation 19)
296.A large number of witnesses were concerned about the potential security risks of undertaking EI activities. Most of the evidence received discussed bulk EI, and therefore our consideration of this issue comes later in this report (see paras 363–374).
297.Mr. Bernard Keenan, Dr. Orla Lynskey and Professor Andrew Murray questioned whether EI was compatible with data protection legislation. “The IP Bill provisions dealing with ‘Equipment Interference’ provide a more explicit legal basis for this hacking. These provisions are unlikely to comply with the data security requirement of the right to data protection.” The Committee is also aware of challenges mounted by Privacy International and others in the Investigatory Powers Tribunal alleging breaches of the Data Protection Act arising from current equipment interference powers.
298.We acknowledge the importance of data protection in relation to EI activities. We recommend that the assessments undertaken by Judicial Commissioners when authorising warrants should give consideration to data protection issues. (Recommendation 20)
299.We further recommend that the Home Office should make clear in the explanatory notes to the Bill or in a Code of Practice how EI activities can be conducted within the constraints of data protection legislation. (Recommendation 21)
300.Unlike intercept evidence, which is inadmissible in legal proceedings, material acquired under EI warrants will be admissible in court under the terms of Clause 103. Matthew Ryder QC told the Committee that this would be “appropriate and desirable. It is consistent with the well-established presumption, that relevant evidence should be admissible in legal proceedings.”
301.Some witnesses were concerned that this would lead to defence lawyers arguing that digital evidence should be excluded for unreliability.
302.Privacy International said:
“hacking involves an active interference with a computer, it raises serious evidentiary concerns. Evidence obtained via equipment interference is admissible in court. Once an agent or officer takes control of a computer by hacking it, however, they have the unfettered ability to alter or delete any information on that device. This raises the risk, in the context of a criminal prosecution, of defence accusations of evidence tampering. The IP Bill currently does not contain any provisions to address this evidentiary concern. Without such safeguards, the efficacy of the use of hacking in investigating and prosecuting crimes is very questionable.”
303.Law enforcement witnesses told us that they believed EI material could be safeguarded sufficiently for use in court:
“LE also recognises the importance of preserving the evidential integrity of equipment that has been the subject of EI. This will continue under the IPB and LE will work closely with prosecutors to ensure the fairness of any prosecution.”
304.Detective Superintendent Paul Hudson, Head of the Metropolitan Police Service Technical Unit, told the Committee that:
“Equipment interference is a covert capability, so nothing that we do under equipment interference would cause any damage or leave any trace, otherwise it would not remain covert for very long. Again, the endgame is to collect evidence to place before a court. If we were causing damage to equipment, that would reduce the ability for the evidence to be alluded to.”
305.We agree that material acquired through targeted equipment interference warrants should be admissible in court, though we share the concerns of witnesses about the risks involved. We believe that law enforcement and the security and intelligence agencies will need detailed codes of practice and appropriate procedures to ensure that evidence is not inadvertently compromised. We urge the Government to consider how it will reconcile the understandable desire of law enforcement and the security and intelligence agencies to keep their techniques secret with the need for evidential use and disclosure regimes in legal proceedings. (Recommendation 22)
306.The draft Bill provides for three types of bulk power for the security and intelligence agencies: bulk interception, bulk acquisition of communications data and bulk equipment interference. These powers would allow for the collection of large volumes of data, including communications data and content. Further warrants are then required before it can be examined. The purpose of such examination may be to pursue more information about known suspects and their associates or to look for patterns of activity that might identify new suspects. These powers are not available to law enforcement.
307.The Home Office have said that all three of these powers are currently available to the security and intelligence agencies in existing legislation. Bulk interception is provided for under section 20 of RIPA, bulk communications data acquisition in section 94 of the Telecommunications Act 1984 and bulk equipment interference by section 5 and section 7 of the Intelligence Services Act 1994.
308.David Anderson QC, the Intelligence and Security Committee and the panel convened by RUSI all concluded that new legislation should make explicit provision for bulk powers. The Home Office claims that the provisions in the Bill provide a clear statutory framework for all of the bulk powers available to the security and intelligence agencies and introduce robust, consistent safeguards across all of those powers.
310.The view of the Home Office that the bulk powers are not new was contested by a number of witnesses. Matthew Ryder QC explained that:
“There is a dispute and lots of litigation about what is or is not currently authorised under the existing legislation. My view would be that there are a large number of new powers that are not properly authorised within existing legislation. … Mass surveillance or bulk interception—whatever you want to call it … is essentially something new. I understand—I was involved in the case and litigated the case in the IPT last year—that the Government say that bulk interception or bulk collection is permitted under Section 8(4) [of the European Convention on Human Rights], but there is a dispute about that. There is a case on its way to Strasbourg. It has been communicated in Strasbourg. There are many of us who would say that it was not set out very clearly, if it was permitted at all, in RIPA … Chapter 2 of Part 6 on bulk communications data acquisition. That is essentially new. In other words, the large collection of communications data in bulk is something that was not clear from any legislation before. That is essentially being regulated for the first time, under this Bill.”
311.Professor Sir David Omand explained how, in his view, the Government position had developed on powers in this area over recent decades:
“The legal regime under which previous Governments operated for the past 20 years, since the 1980s, was what I would describe as legal compliance; in other words, if it could be done lawfully under existing powers that Parliament had passed, Ministers would authorise such activity, after due legal advice, regardless of party—this is not a party political matter—in the interests of national security, the prevention and detection of serious crime, and economic well-being arising from causes outside the United Kingdom. That was the regime.
It was really when the Investigatory Powers Tribunal took the case and reported that the Government’s activity, in particular GCHQ, might be regarded as lawful under the individual statutes but failed the rule of law test because it was not clear, as your question implies, to the public … Or to Parliament. This Government have taken that to heart, and the Bill is in part the result. We have moved into a new era and I am personally very glad of that.
A lot of trouble would have been saved if, say, even five years ago the codes of practice—it would not necessarily have taken new legislation—on equipment interference, investigative powers and so on had all been updated to the modern digital world. For one reason or another that was not done. The shock of discovering what was happening, for very good reason—to defend the public and our security—was all the greater. I think the lesson has been learnt.”
312.A number of witnesses were concerned about the lack of detail as to the scope of bulk powers. Dr Paul Bernal said that “At the moment quite what these bulk powers consist of—and how ‘bulky’ they are—is largely a matter of speculation, and while that speculation continues, so does legal uncertainty.”
313.The UN Special Rapporteurs said that “the provisions on bulk interception warrants are vague and not tied to specified offences, and include ambiguous terms such as “economic well-being”, heightening the risk of excessive and disproportionate interception.” The issue of the definition of “economic well-being” is considered in Chapter 6 (see paras 692–696).
314.Article 19 suggested that:
“it is open to the Secretary of State to issue bulk warrants to obtain potentially billions of emails or phone calls, the data relating to billions of communications, or—indeed—release a computer virus by way of a bulk equipment interference warrant that affects billions of computers or mobile phones without any requirement that s/he believes that those affected may be involved in criminal activity (including terrorism).”
315.Big Brother Watch argued that “The intelligence agencies have to be able to demonstrate exactly why they need these powers in bulk and what benefit bulk provides rather than the process of requesting data on a specific target in the course of an operation. To date none of this has happened.”
316.Witnesses suggested that the Government needed to go further and make an operational case for each of the bulk powers, in the same way that an operational case was published for Internet Connection Records. JUSTICE said that the: “bulk powers in the Draft Bill must be subject to particularly close scrutiny by Parliament and an operational case for each subject to debate and test by the Committee.”
317.Apple agreed, saying: “It is extremely difficult to imagine circumstances in which this could be justified, so we believe the bill must spell out in more detail the types of activities required of communications providers and the circumstances in which they are expected to carry them out.”
318.Although the majority of witnesses queried the justification for bulk powers, they, like the Committee, were inevitably commenting on the basis of incomplete information. In reflecting on the case for bulk powers, we bore in mind the fact that the ISC have had access to material which is not in the public domain and that they have found it to make a persuasive case for these powers being maintained.
319.We recommend that the Government should publish a fuller justification for each of the bulk powers alongside the Bill. We further recommend that the examples of the value of the bulk powers provided should be assessed by an independent body, such as the Intelligence and Security Committee or the Interception of Communications Commissioner. (Recommendation 23)
320.The bulk interception and bulk equipment interference powers are limited to collecting information about individuals outside the British Islands. Bulk interception is of overseas-related communications, sent by or received from people outside the British Islands, while bulk equipment interference must be for overseas-related communications, information or equipment data.
321.Liberty questioned how meaningful these definitions would be in practice. They said:
“the ISC has recently confirmed that Government considers that an “external communication” occurs every time a UK based person accesses a website located overseas, posts on a social media site overseas such as Facebook, uses overseas cloud storage or uses an overseas email provider such as Hotmail or Gmail. Searches on Google are counted as an external communication.”
322.Privacy International said similarly that:
““Bulk” hacking under Part 6, Chapter 3 is permitted only where the main purpose of the warrant is to obtain “overseas-related” communications, private information and equipment data. This limitation should provide little comfort for those residing in the UK. For instance, much of our data is stored overseas in servers operated by telecommunications services such as Google and Facebook.”
323.We recognise that, given the global nature of the internet, the limitation of the bulk powers to “overseas-related” communications may make little difference in practice to the data that could be gathered under these powers. We recommend that the Government should explain the value of including this language in the Bill. (Recommendation 24)
324.Many witnesses contested the assertion of the Home Office that these powers could be considered legal, not least because of the level of intrusiveness that they could involve.
325.The Bar Council told us:
“these warrants may be non-specific as to individuals or locations or equipment. The question will be whether applications for such warrants can satisfy the tests of necessity and proportionality. Bulk search warrants or bulk arrest warrants would not. A high level of justification should be required for these bulk warrants to determine why focused warrants with the power to amend and extend in the light of information gathered would not be sufficient in order to satisfy the tests of necessity and proportionality.”
326.Privacy International said that:
“The sheer breadth of a bulk warrant inherently frustrates a substantive review of its necessity and proportionality … bulk warrants need not “specify or target the communications, data or equipment of a particular person, premises or even an organisation.” They need only “state the operational purposes for which data need to be obtained, and the IP Bill expressly notes that these can be ‘general purposes’” (see Clauses 111(4), 125(4), 140(5)). This lack of specificity—i.e. the absence of any assessment of suspicion—is intrinsically disproportionate and runs afoul of explicit guidance from the ECtHR.”
327.Similar points were made by the Institute for Human Rights and Business who said that:
“We believe there are still many outstanding questions as to whether collecting and retaining communications in bulk is compatible with the protection of the right to privacy, as outlined in Article 17 of the International Covenant on Civil and Political Rights (ICCPR), Article 8 of the European Convention on Human Rights and Article 8 of the Human Rights Act.”
328.Amnesty International UK said that:
“indiscriminate mass surveillance is never a proportionate interference with the rights to privacy and freedom of expression (articles 8 and 10 ECHR) and can thus never be lawful under the Human Rights Act 1998 and/or ECHR. The interception, analysis or other use of communications in a manner that is neither targeted nor based on a reasonable suspicion that an individual or specific location is sufficiently closely linked to conduct that must legitimately be prevented, is disproportionate.”
329.The Home Secretary, in her evidence to the Committee, said firmly that these powers were not about mass surveillance:
“The UK does not undertake mass surveillance. We have not undertaken, and we do not undertake, mass surveillance. That is not what the Investigatory Powers Bill is about … I would wish to be very clear that mass surveillance is not what we are talking about.”
330.The European Court of Human Rights recently considered the use of surveillance powers and the level of specificity needed to ensure interception powers were not used arbitrarily. It concluded that to ensure the tests of necessity and proportionality had been properly applied the interception authorisation must clearly identify:
“a specific person to be placed under surveillance or a single set of premises as the premises in respect of which the authorisation is ordered. Such identification may be made by names, addresses, telephone numbers or other relevant information.”
331.It is possible that the bulk interception and equipment interference powers contained in the draft Bill could be exercised in a way that does not comply with the requirements of Article 8 as defined by the Strasbourg court. It will be incumbent upon the Secretary of State and judicial commissioners authorising warrants, and the Investigatory Powers Commissioner’s oversight of such warrants, to ensure that their usage is compliant with Article 8.
332.The Committee heard from representatives of the security and intelligence agencies that they believe these powers are useful and necessary. The Home Secretary gave an explanation of the value of the bulk powers in her written evidence. She said that bulk interception was a “vital tool designed to obtain foreign-focused intelligence and identify individuals, groups and organisations overseas that pose a threat to the UK” which had been used to disrupt terrorist attacks in Europe and identify paedophiles. Bulk equipment interference was described as “facilitating target discovery” in the “increasing number of circumstances where interception is simply not possible or effective”, while bulk communications data had proved valuable for MI5 in order to “thwart a number of attacks here in the UK.”
333.A few witnesses supported the powers. The BCS said “in the interests of national security a credible argument can be made for the security and intelligence services to undertake both targeted and bulk equipment interference” and they understood “the operational and technical need for accessing communications data in bulk.”
334.Other witnesses suggested that the powers were counterproductive because the scale of their potential use meant that it would be impossible to assess the data collected adequately. Ray Corrigan argued that:
“The whole Investigatory Powers Bill approach to signals intelligence—giant magic computerised terrorist catching machine that watches everyone and identifies the bad guys—is flawed from a mathematical as well as operational perspective… Because of the base rate fallacy and the fact that terrorists are relatively few in number compared to the population as a whole, mass data collection, retention and mining systems, such as those proposed in the IP Bill, always lead to the swamping of investigators with false positives, when dealing with a large population.”
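The base rate fallacy that Mr Corrigan invokes is easy to state and easy to underestimate, so the arithmetic is worth carrying through. The Python below is an added illustration by the editor; it is not part of the evidence or of the report. Every figure in it is a constructed assumption chosen only to make the effect visible: a population of 65 million, 3,000 people of genuine interest, and a screening process that is 99% sensitive (catches 99 in 100 real targets) and 99% specific (wrongly flags 1 in 100 innocents). The page gives no such numbers.

```python
"""Base-rate arithmetic for population-wide screening (added illustration).

All inputs are constructed assumptions, not figures from the report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningOutcome:
    true_positives: float
    false_positives: float
    false_negatives: float
    true_negatives: float

    @property
    def precision(self) -> float:
        """Share of the people flagged who are actually of interest."""
        flagged = self.true_positives + self.false_positives
        return self.true_positives / flagged if flagged else 0.0

    @property
    def false_alarms_per_hit(self) -> float:
        """How many innocents an analyst must clear for each real target found."""
        if self.true_positives == 0:
            return float("inf")
        return self.false_positives / self.true_positives


def screen_population(population: int, targets: int,
                      sensitivity: float, specificity: float) -> ScreeningOutcome:
    """Expected confusion-matrix counts when everyone is run through the filter."""
    if not 0 <= targets <= population:
        raise ValueError("targets must lie between 0 and population")
    for rate in (sensitivity, specificity):
        if not 0.0 <= rate <= 1.0:
            raise ValueError("rates must lie in [0, 1]")
    innocents = population - targets
    tp = targets * sensitivity          # real targets the filter catches
    fn = targets - tp                   # real targets it misses
    fp = innocents * (1.0 - specificity)  # innocents it wrongly flags
    tn = innocents - fp
    return ScreeningOutcome(tp, fp, fn, tn)


def specificity_for_precision(population: int, targets: int,
                              sensitivity: float, wanted_precision: float) -> float:
    """Smallest specificity at which a given precision is reached.

    Solves precision = tp / (tp + fp) >= p for the allowed number of false
    positives, then converts that into the specificity the filter would need.
    """
    if not 0.0 < wanted_precision < 1.0:
        raise ValueError("wanted_precision must lie strictly in (0, 1)")
    tp = targets * sensitivity
    innocents = population - targets
    max_fp = tp * (1.0 - wanted_precision) / wanted_precision
    return max(0.0, 1.0 - max_fp / innocents)


if __name__ == "__main__":
    # Constructed scenario: 65m people, 3,000 of interest, a 99%/99% filter.
    outcome = screen_population(65_000_000, 3_000, 0.99, 0.99)
    print(f"true positives:  {outcome.true_positives:,.0f}")
    print(f"false positives: {outcome.false_positives:,.0f}")
    print(f"precision:       {outcome.precision:.2%}")
    print(f"false alarms per real hit: {outcome.false_alarms_per_hit:,.0f}")
    needed = specificity_for_precision(65_000_000, 3_000, 0.99, 0.5)
    print(f"specificity needed for 50% precision: {needed:.6f}")
```

Under those assumed inputs the filter finds almost every real target but flags roughly 650,000 innocents alongside them, so fewer than one flagged person in two hundred is of genuine interest. The second function shows the scale of the problem from the other side: for half of the flagged people to be real targets, the filter would have to wrongly flag fewer than one innocent in twenty thousand. Whether any real system approaches that is exactly what the witnesses on both sides of this question dispute.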
335.William Binney, a former Technical Director of the United States National Security Agency, told the Committee that the volume of data gathered by the NSA in America led to analysts being “overloaded”, making it impossible for them to focus effectively and identify the real threats. Of bulk collection, he said that:
“it is not helpful to make the haystack orders of magnitude bigger, because it creates orders of magnitude of difficulty in finding the needle. That is really the issue. Using a targeted approach would give you the needles, and anything closely associated with them, right from the start. That is a rich environment to do an analysis on, and it would help the analysts to succeed in predicting intentions and capabilities.”
336.The needle in a haystack analogy was also presented by a number of other witnesses opposed to bulk data collection and analysis. The analogy was challenged by David Wells, a former GCHQ analyst, who said that:
“I would first recommend that the Committee re-consider the needle/haystack analogy typically used when discussing intelligence agency use of bulk datasets. Instead, consider how you and millions of others use the Google search engine, and how much Google—like the ability of intelligence agencies to process big data—has changed over the past 15 years.
Initially, Google only allowed relatively simple search terms. Many businesses had little or no internet presence, while Google’s ‘web-crawling’ technology did not necessarily access all those that did. In short, it lacked a comprehensive dataset to query, and as a result, it was difficult to use with confidence. These data inconsistencies meant that you could not be certain that Google had access to the data you were looking for, or whether the results it pulled back were relevant to your initial query. Like the intelligence analyst described by Mr Binney, you were confronted by too much irrelevant data. Even after clicking through multiple pages of results, you might not find what you were looking for; an alternative, more targeted method (say a local phone book) was often more effective.”
337.Mr Wells went on to explain that, given the growth of the internet and its role in everyday life, the bulk data collected by Google has made it increasingly accurate and facilitates “the ability to ask complex and nuanced questions” which reduces the number of results returned and increases their relevance. He said that the same was true for intelligence analysts and their use of bulk data and that therefore they are not overwhelmed.
338.Paul Bernal argued that the automated processing required to facilitate such big data analysis comes with additional risks:
“Further vulnerabilities arise at the automated analysis stage: decisions are made by the algorithms, particularly in regard to filtering based on automated profiling. In the business context, services are tailored to individuals automatically based on this kind of filtering—Google, for example, has been providing automatically and personally tailored search results to all individuals since 2009, without the involvement of humans at any stage. Whether security and intelligence services or law enforcement use this kind of a method is not clear, but it would be rational for them to do so: this does mean, however, that more risks are involved and that more controls and oversight are needed at this level as well as at the point that human examination takes place.”
339.David Wells concluded that bulk and targeted powers, far from being mutually exclusive, were complementary and “mutually beneficial”.
340.We are aware that the bulk powers are not a substitute for targeted intelligence, but believe that they are an additional resource. Furthermore, we believe that the security and intelligence agencies would not seek these powers if they did not believe they would be effective and that the fact that they have been operating for some time would give them the confidence to assess their merits.
341.National security considerations mean that we are not well-placed to make a thorough assessment of the value of the bulk powers. The scrutiny and conclusions of the Intelligence and Security Committee on the Bill will be of significant assistance for Parliamentarians considering these powers.
342.We make a further recommendation on the automated analysis of bulk datasets in para 703.
343.Witnesses also suggested that there were insufficient safeguards for the bulk powers proposed. Article 19 said that:
“Nothing in Part 6 or, indeed, elsewhere in the draft Bill imposes any kind of upper limit on what might be obtained by way of a bulk warrant, subject only to the requirement that the Secretary of State considers that it is “necessary” in the interests of national security or certain other specified interests (Clauses 107(1)(b)), 122(1)(a), and 137(1)(b)).”
344.The Equality and Human Rights Commission called for more attention to “be given to safeguards that clearly limit the basis on which bulk material can be examined and that will ensure safe retention and destruction of material. Such safeguards might include more narrowly defined purposes.”
345.Dr Tom Hickman has suggested that: “At a minimum in my view the Joint Committee should insist on:
(1) Tighter protections for persons in the UK particularly in relation to use of communications data requiring at least operationally independent authorization for use of such data together with JC approval where this would be required for police obtaining communications data.
(2) Requiring warrants to be more narrowly focused as to their purpose and permitted search criteria. The Act could require that the purposes will be specified as tightly as is operationally reasonable.
(3) Bringing safeguards currently in the Code to legislation and other matters on record-keeping and destruction from internal policy to legislation.”
346.In the Guide to Powers and Safeguards accompanying the draft Bill, the Home Office said that the following safeguards exist for bulk powers:
347.In a letter to the Committee, the Home Secretary provided additional information on the safeguards for bulk powers in the draft Bill. We are grateful to the Home Secretary for the additional information she provided on safeguards for bulk powers, but note that her letter arrived too late for other witnesses to give the Committee their views upon it.
348.In general, we are content that the safeguards proposed by the Home Office, buttressed by authorisation by Judicial Commissioners and oversight from the Investigatory Powers Commissioner will be sufficient to ensure that the bulk powers are used proportionately.
349.We acknowledge, though, the call for greater safeguards for the bulk powers. We believe that it is difficult to make a thorough assessment of the effectiveness of further safeguards without a greater understanding of the way in which bulk powers are operated in practice. We recommend that the Investigatory Powers Commissioner, within two years of appointment, should produce a report to Parliament considering the safeguards that exist and making recommendations for improvements if required. (Recommendation 25)
350.Clause 106(2) provides for the obtaining of “related communications data” from within “overseas-related communications” captured by bulk interception activities. Related communications data is defined as data related to the intercepted communication, its sender or recipient, or the telecommunications service used that can be separated from the content of the communication.
351.A similar provision on related communications data obtained from targeted interception exists in Clause 12.
352.Witnesses who commented on related communications data argued that the term was not sufficiently clear. Privacy International said:
“If content is defined based on the conveyance of meaning, it is unknown to us how ‘related communications data’ could be part of content in the first place. The Home Office needs to be clearer on how these definitions interact with the technical specifications of communications. For instance, intercepting at an ISP on port 25 will give access to a communication (e.g. an email) but the “content” (email body) will include the communications data of the email (email headers).”
353.Graham Smith suggested that:
“The Home Office could usefully produce a comprehensive list of datatype examples, where appropriate with explanations of context, categorised as to whether the Home Office believes that each would be entity data, events data, contents of a communication, data capable of being related communications data when extracted from the contents of a communication and so on.”
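Privacy International's point about port 25, and Mr Smith's request for concrete datatype examples, can be made tangible. The Python below is an added example by the editor, not evidence from any witness and not the Home Office's position. It takes a constructed client-side SMTP session (no captured traffic) and separates what an interceptor on port 25 would actually see: the envelope commands (MAIL FROM, RCPT TO), which are addressing data by any definition, and the message handed over after DATA, inside which the header fields that look like communications data and the body that is plainly content arrive as one undifferentiated block. The bucket names (“routing”, “meaning”) and the choice of which header fields fall into each are editorial assumptions for illustration only; they are not the draft Bill's definitions of related communications data, entity data or events data.

```python
"""Separate an intercepted port-25 (SMTP) session into envelope, headers and body.

Added illustration. The header classification is an editorial assumption,
not the draft Bill's definition of related communications data.
"""
import re
from email import policy
from email.parser import BytesParser

# Assumed illustrative buckets: fields describing routing and addressing,
# versus fields that carry the meaning of the message.
ROUTING_HEADERS = {"received", "return-path", "message-id", "date", "from", "to", "cc"}
MEANING_HEADERS = {"subject"}
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample session (client side only); not real traffic.
SAMPLE_SESSION = [
    "EHLO mail.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.org>",
    "DATA",
    "Received: from [192.0.2.10] by mail.example.net; Mon, 11 Jan 2016 10:00:00 +0000",
    "From: Alice <alice@example.net>",
    "To: Bob <bob@example.org>",
    "Date: Mon, 11 Jan 2016 10:00:00 +0000",
    "Message-ID: <abc123@example.net>",
    "Subject: Meeting tomorrow",
    "",
    "Bob, can we meet at 10am?",
    "..and bring the papers.",   # dot-stuffed line: the message text begins with one dot
    ".",
    "QUIT",
]


def parse_smtp_session(client_lines):
    """Split client SMTP lines into the envelope and the raw DATA payload."""
    envelope = {"mail_from": None, "rcpt_to": []}
    payload, in_data = [], False
    for line in client_lines:
        if in_data:
            if line == ".":            # end of DATA
                in_data = False
                continue
            # Undo dot-stuffing (RFC 5321 section 4.5.2): ".." at line start means "."
            payload.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(":")
        verb = verb.strip().upper()
        if verb == "MAIL FROM":
            envelope["mail_from"] = arg.strip().strip("<>")
        elif verb == "RCPT TO":
            envelope["rcpt_to"].append(arg.strip().strip("<>"))
        elif line.strip().upper() == "DATA":
            in_data = True
    return envelope, "\r\n".join(payload).encode("utf-8")


def classify_message(raw_message: bytes) -> dict:
    """Parse the RFC 5322 message from DATA and bucket its fields."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    buckets = {"routing": {}, "meaning": {}, "other": {}}
    relay_ips = []
    for name, value in msg.items():
        key = name.lower()
        bucket = ("routing" if key in ROUTING_HEADERS
                  else "meaning" if key in MEANING_HEADERS else "other")
        buckets[bucket].setdefault(key, []).append(str(value))
        if key == "received":          # relay addresses: systems data about the transfer
            relay_ips.extend(IPV4_IN_BRACKETS.findall(str(value)))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    return {**buckets, "relay_ips": relay_ips, "body": text}


def analyse_intercept(client_lines) -> dict:
    """Full pipeline: SMTP envelope plus the bucketed contents of DATA."""
    envelope, raw = parse_smtp_session(client_lines)
    result = classify_message(raw)
    result["envelope"] = envelope
    return result


if __name__ == "__main__":
    for section, value in analyse_intercept(SAMPLE_SESSION).items():
        print(f"{section}: {value}")
```

Two things the output makes visible that the definitions alone do not. First, everything after DATA, including the From, To, Received and Message-ID lines, is carried as the content of the SMTP transfer, so an interceptor has to parse the content before any “related communications data” can be separated from it; that is the overlap the witness describes. Second, the Subject line sits in the header block alongside the routing fields yet carries the meaning of the message, which is why a simple header/body split does not by itself settle what is content and what is data.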
354.The written evidence from the Home Office explained that:
“Related communications data and equipment data are non-content data obtained under interception warrants and equipment interference warrants respectively. These data are wider than the categories of data that can be obtained by means of a communications data authorisation (i.e. they include but are not limited to communications data).
Distinguishing these data from content means that appropriate safeguards and handling safeguards can be consistently applied: for example, the Secretary of State may specify that a bulk interception warrant should authorise the obtaining of related communications data only, and that any content acquired under that warrant should not be made available for subsequent examination.
Both related communications data and equipment data can include communications data and any systems data which enables or otherwise facilitates the functioning of any system or service provided by the system. Systems data is not content. It is also possible for certain structured data types to be extracted from the content of a communication or an item of private information under a warrant. All related communications data and equipment data so obtained will be subject to the handling safeguards set out in the draft Bill.
These definitions are a balance between meeting the operational requirements of the intelligence agencies to protect the public from terrorists and serious criminals, while protecting the most private information with stringent safeguards. The definitions are also sufficiently robust and technology neutral to cater for new technologies that come online as the internet adapts and changes.”
355.The Open Rights Group expressed concern about the extraction of communications data from intercepted communications, on the basis that such data is more amenable to automated analysis than the content it was taken from. They said:
“We would also urge caution about the powers … to extract data from content, presumably email addresses or calendar events. Treating such content as data would enable the automated analysis of such materials, and the implications should be explained in more detail.”
356.The report of the Intelligence and Security Committee suggested that such analysis of related communications data was the primary value in undertaking bulk interception:
“We were surprised to discover that the primary value to GCHQ of bulk interception was not in reading the actual content of communications, but in the information associated with those communications. This included both Communications Data (CD) as described in RIPA … and other information derived from the content (which we refer to as Content-Derived Information, or CDI), including the characteristics of the communication … While CDI is not what might be most obviously understood to be content, under RIPA it must be treated as content, not CD. Examination of CDI therefore requires the same Ministerial authority as examination of content.”
357.Part 6 Chapter 2 of the draft Bill provides for the security and intelligence agencies to acquire bulk communications data about people in the British Islands for the purposes of preventing or detecting serious crime and the bulk communications data of people overseas where it is in the interests of the economic well-being of the UK in so far as it is relevant to national security.
358.Although we note that international practices vary, and that in the USA there have been moves away from bulk acquisition of communications data by US intelligence services, the Intelligence and Security Committee made the case for UK agencies to have this capability.
359.There were particular concerns among witnesses about the intrusiveness of bulk communications data. One of the most common arguments for this was that communications data, because it is already structured, lends itself to aggregation and automated analysis in bulk, whereas content is harder for computers to process reliably in this way. Dr Tom Hickman said:
“It is now becoming widely accepted that, when aggregated, communications data are more revealing and intrusive than content data—identifying a person’s contacts and associations, websites visited (up to the first slash), providing information about habits and preferences and even tracking a person’s movements.”
360.Dr Glyn Moody explained that:
“The distinction between “content” and “communications data” is meaningless, and again betrays an ignorance of how modern digital systems work. “Communications data” is metadata; the only difference between metadata and data is that metadata is pre-sorted into conceptual categories—sender, date, location, email address etc.—while content is unsorted. As such, metadata is hugely more valuable than content, because it can instantly be combined with other metadata; indeed, the power of computers today is such that it can be combined with billions of other metadata elements. Content, by contrast, is largely useless for this purpose, because computers cannot understand it. Before it can be used, it must be parsed—texts must be “read”, images “seen.” Currently, those are very hard computing tasks; that means content is not useful for scalable analysis (although it is valuable for human-based scrutiny, which does not scale). So the idea that “communications data” is somehow less intrusive than gathering content is not just wrong, but exactly wrong: it is hugely more intrusive, which is why it should never be gathered routinely, as proposed here.”
361.The Global Network Initiative concluded that:
“bulk collection of communications data—both content and metadata—threatens privacy and freedom of expression rights and undermines trust in the security of electronic communications services provided by companies. This practice is incompatible with the principles of necessity and proportionality that the legal frameworks for communications surveillance must meet to ensure they are consistent with human rights standards.”
362.We agree that bulk communications data has the potential to be very intrusive. As with the other bulk powers, we believe that the fuller justification which we have recommended the Government produces (see para 319) and the conclusions of the Intelligence and Security Committee on the Bill will assist Parliament’s consideration of the necessity and appropriateness of bulk acquisition.
363.The Committee heard concerns about the security risks of undertaking equipment interference, both targeted and bulk. Big Brother Watch said that:
“Given the clear risks involved, the proportionality of the tactic needs to be considered. Equipment interference should not be used as a bulk tactic designed to infiltrate broader systems, networks or organisations.”
364.Wendy Grossman told the Committee that:
“It is not possible to create vulnerability—a hole—in such equipment that only “good guys” or “our side” can use. Adding vulnerabilities to widely used equipment will make Britain’s infrastructure vulnerable and aid those who wish to attack Britain by providing additional paths they can use to do it.”
365.CSPs expressed concern that they would have to weaken their systems in order to comply with EI warrants. The joint evidence submitted by Facebook, Google, Microsoft, Twitter and Yahoo said:
“There are no statutory provisions [in the draft Bill] relating to the importance of network integrity and cyber security, nor a requirement for agencies to inform companies of vulnerabilities that may be exploited by other actors. We urge the Government to make clear that actions taken under authorization do not introduce new risks or vulnerabilities for users or businesses, and that the goal of eliminating vulnerabilities is one shared by the UK Government. Without this, it would be impossible to see how these provisions could meet the proportionality test.”
366.Vodafone similarly pointed out that:
“Operators within the UK (and Europe) have obligations to ensure the security of their networks and services, and the resiliency of their networks and, more importantly, a commercial imperative to do so: it is fundamental that our services are secure and reliable to compete in the market. As such, an obligation to assist with EI must not require an operator to lessen the standard of its general security, or to do anything which could adversely impact the resiliency of its network.”
367.CSPs and others were concerned not just at the threat to their systems but the possibility of their employees being required to participate in EI activities. Apple said that “the bill as it stands seems to threaten to extend responsibility for hacking from Government to the private sector”. Virgin Media said:
“The role of CSPs in EI is not made clear in the draft Bill. We believe there needs to be full consultation with CSPs in advance of any EI warrant or technical capability notice being imposed, for example to guard against EI having a negative impact on networks or customers. As drafted, no consultation appears to be required before the imposition of EI warrants. The draft Bill also creates the possibility CSPs’ employees may be required to actively assist in EI operations, perhaps to seek out vulnerabilities for exploitation or develop vulnerabilities, which we do not believe is appropriate.”
368.Mozilla told us that, in terms of open source software, such a requirement would not work, as the open source community would identify any attempt to compromise a program.
369.Professor John Naughton and Professor David Vincent warned of the risks of unintended consequences, particularly as technology develops:
“the most worrying concern is that as the ‘Internet of Things’ expands, and billions of devices become networked, bulk EI could have unintended consequences which might prove very counter-productive to the interests of the UK.”
370.Witnesses suggested that involving the private sector in EI activities would have negative consequences. Professor Ross Anderson said:
“if the powers are abused, or seen as capable of being abused, there could be exceptionally serious damage to British industry. If people overseas come to the conclusion that, if they buy a security product from a British firm, it may have a GCHQ mandated back door, they will not buy it; they will buy from a German firm instead.”
371.Similar arguments were put forward in relation to encryption (see para 260).
372.We recommend that applications for targeted and bulk EI warrants should include a detailed risk analysis of the possibilities of system damage and collateral intrusion and how such risks will be minimised. We also recommend that such warrants should detail how any damaged equipment will be returned to its previous state at the point that the authorisation or operational need ceases. (Recommendation 26)
373.We acknowledge the concerns of CSPs and other companies who may be required to be complicit in EI activities. We believe that, on balance, it is necessary, subject to a warrant that has been authorised as necessary and proportionate by the Secretary of State and a Judicial Commissioner.
374.We recommend that the Code of Practice on equipment interference should set out how individuals and companies should be engaged with when conducting authorised EI activities to make the process more transparent and foreseeable. (Recommendation 27)
375.Clauses 150 to 166 provide for the security and intelligence agencies to acquire and examine Bulk Personal Datasets (BPDs).
376.BPDs are sets of personal information about a large number of individuals, alive and dead, the majority of whom will not be of any interest to the security and intelligence agencies. The datasets are held on electronic systems for the purposes of analysis by the security and intelligence agencies. The examples provided by the Home Office were the telephone directory, the electoral roll, and data about individuals assessed to have access to firearms.
377.The security and intelligence agencies currently have powers under the Security Service Act 1989 and the Intelligence Services Act 1994 to acquire and use BPDs to help them fulfil their statutory functions, including protecting national security. BPDs may be acquired using investigatory powers, from other public sector bodies or commercially from the private sector.
378.This was not a view shared by Matthew Ryder QC. “Part 7, on bulk data sets, is essentially new, has not been regulated before and is not in the existing legislation in any meaningful way. The power to have access to bulk data sets and how they would be defined is something new.”
379.The Home Office has said that the use of BPDs is already subject to stringent internal handling arrangements and that the regime is overseen by the Intelligence Services Commissioner. The Home Office also said that the Bill will significantly enhance the safeguards that apply to the acquisition and use of BPDs.
380.In her evidence to the Committee, the Home Secretary said that BPDs were “a critical part of [the agencies’] response to the increasingly complicated and challenging task of defending the UK’s interests and protecting its citizens in a digital age.” She identified the value of BPDs in facilitating protection at major events, such as the NATO Summit in Wales in 2014 and the London Olympics in 2012, preventing terrorist access to firearms and identifying foreign fighters.
381.There was some support among witnesses for the use of BPDs. The BCS said that they recognise “the need for the use of bulk personal datasets by the security and intelligence services in undertaking their legitimate surveillance role on behalf of national security”, while Amberhawk Training Ltd said that the retention and use of BPDs was workable provided that the full protection of the Data Protection Act be afforded to the personal data of innocent people.
382.The agencies’ use of bulk personal datasets is subject to regular audit and inspection by the Intelligence Services Commissioner. The current Commissioner, Sir Mark Waller, told the Committee that “the present system works very well and provides safeguards.”
383.A number of witnesses argued that the Government had not made the case sufficiently to support BPDs. Liberty said that:
“No argument is even attempted that BPDs are necessary or proportionate for Article 8 HRA purposes. The ISC reported that the Agencies told them that BPDs are an ‘increasingly important investigative tool’ to ‘enrich’ information obtained through other techniques and concludes that BPDs are ‘relevant’ to national security investigations. ‘Enriching’ and ‘relevant’ does not meet the legal threshold for lawfulness.”
384.Eric King said that:
“the Government, in my mind, should make operational cases from first principles for every single one of these powers. Simply because they have already been in use and simply because the agencies have interpreted law in a manner that they feel has made them lawful does not make them lawful. It is right that Parliament should receive a full operational case for each and every one of these powers. It is a matter of assessing not whether they are merely helpful or offer some form of value, but whether, given the scope of everyone’s lives that they touch—after all, that is what bulk powers do—they can be vetted and scrutinised to make sure that they are both necessary and proportionate.”
385.The Institute for Human Rights and Business agreed that “An objective assessment of the necessity and proportionality” was required. The Institute suggested that “the broad use of bulk powers and class based warrants which are likely to collect personal information of individuals not suspected of any crime and in such volume makes the necessary and proportionate test extremely difficult, if not impossible to conduct.” A similar argument was made by the Open Rights Group.
386.In a letter to the Committee, the Home Secretary set out the case for the bulk powers, including BPDs, in more detail, with examples of how they have proved valuable in practice. This information arrived too late in the process for other witnesses to comment upon it.
387.Concerns were also raised about the risks of acquiring and examining BPDs. The Information Commissioner’s Office said that “Given the increasing amounts of personal data generated and held in data sets this could be a particularly far reaching and intrusive provision.”
388.The evidence submitted by Mr. Bernard Keenan, Dr. Orla Lynskey and Professor Andrew Murray suggested that:
“The decisions and risk factors produced by analysis of Bulk Personal Datasets threaten personal autonomy and risk producing systemic discrimination, stereotyping, and biased decisions, both at the policy level and operational level. Individuals at home in the UK or abroad will have no control over the type of processing of their personal information that the agencies carry out for authorized purposes.”
389.We are grateful to the Home Secretary for the additional information provided to the Committee. We believe that the lack of a formal case for bulk personal datasets (BPDs) remains a shortcoming when considering the appropriateness of this power.
392.Many witnesses who commented on BPDs argued that it was not apparent from the draft Bill what information the datasets might include. Dr Tom Hickman said that it was “far from clear from the Bill’s documents how far this extends—medical records? Immigration histories? Tax returns? Court records?—and what about privately generated data sets such as company employee records or bank account details?”
393.medConfidential agreed that “There is no clarity on the use of bulk personal datasets by the security and the intelligence agencies. There is only a description that they may be collected, and kept for as long as the agencies believe they may be useful, and that they be used as warranted.”
394.The Information Commissioner’s Office complained that the examples provided in the supporting material for the draft Bill were unhelpful because they were already available to the security and intelligence agencies:
“The examples given in the Guide to Powers and Safeguards refer to telephone directories and the electoral roll. These datasets are already available to various agencies often under specific statutory provisions. For example, Schedule 1 of the Counter-Terrorism Act 2008 amends the Representation of the People (England and Wales) Regulations 2001 to require the supply of the full electoral register to the security services.”
395.The Information Commissioner, Christopher Graham, expressed his misgivings when giving oral evidence:
“In the Explanatory Memorandum—the guide to powers and safeguards—the authors of the Bill have chosen some very inapt examples of the sorts of bulk data sets they want to access for reasons of law and order, by giving the telephone directory and the electoral register as the two examples. This is bizarre, because that information is already available. Explicitly, legislation was amended to make sure that that information is available to the security services. It does not require this Bill to provide that. That begs the question of what are these data sets that are so necessary, and we are not told, which then begs the question that if the authorities are not going to tell us what data sets they are going to be accessing, are they prepared to say what data sets they would not be prepared to access?”
396.Witnesses offered competing suggestions as to what BPDs the security and intelligence agencies might or might not have. For example, Professor Ross Anderson said:
“For starters, we know that the police have access to things like credit reference and DVLA records. That is public knowledge. Secondly, they have access to medical stuff … Thirdly, in any case, hospital medical records were sold on a wide scale in the care.data scandal last year, and it would have been rather negligent if GCHQ had not grabbed a copy on its way past. Fourthly, it is well known that some kinds of bank records, in particular all international financial transactions, are harvested on their way through the SWIFT system.”
397.Speaking on the same panel, Professor Sir David Omand took issue with this point:
“it is important not to allow fantasy to intrude at this point. The central bank governors responsible for the SWIFT system agreed that that system could be searched for specific transactions of known criminals and terrorists. That is public knowledge. All SWIFT data is not scooped up.”
398.David Davis MP told the Committee that:
“they have all the communications data. They have flight data. They almost certainly have financial data. They may well have ANPR data. This is very intrusive information for a state to hold … Yes, you are right that warranting is good, but frankly the extent to which much of this database should exist is very debatable.”
399.Baroness Jones of Moulsecoomb suggested that “There are also, of course, medical records and financial asset records, and so on, in those data sets. It is a very wide scope.”
400.A number of witnesses proposed that certain types of dataset should be explicitly excluded from collection. The most common suggestion was that medical records should not be part of BPDs, a point made by medConfidential, Amberhawk Training Ltd, Open Intelligence and Mark Dziecielewski.
401.The Information Commissioner explained that:
“There is very great public concern about various initiatives in the health sector around the care.data project. Patients were very concerned that their most personal and most sensitive information was going to be uploaded into a health service information centre and then shared around rather freely with the insurance companies and heaven knows what. People were very concerned about that. That scheme has now been rethought and that is very good news. But are we being invited to give a blank cheque to the authorities to access everyone’s most sensitive health data? I suspect not, but it does not say that in either the legislation or the guide to powers and safeguards.”
402.The Committee sought further clarity from the Home Office as to the types of information BPDs might or might not include. In a letter to the Committee, the Rt Hon John Hayes MP, Minister of State for Security, wrote:
“there is a need to ensure any publication of guidance, or the types of data that the agencies hold, does not jeopardise national security … Further detail as to what is held, or how they are used, could incite behaviour change and reduce the utility of the information itself.” He further explained that it is also not possible “to make public the types of datasets that currently the agencies do not hold; this may provide those that wish to do us harm greater insight as to the limits of the agencies’ capabilities and thus how to avoid detection or disruption.”
403.While the Committee acknowledges the case made by the Home Office for not providing detailed information as to the contents of bulk personal datasets (BPDs), the lack of that detail makes it hard for Parliament to give the power sufficient scrutiny.
404.Some witnesses suggested areas where the proposals on BPDs could be improved. Amberhawk Training pointed out that the Government was not taking the opportunity to repeal existing powers to acquire BPDs:
“All existing powers (i.e. other [than] in the Bill) that could be used by the national security agencies to obtain a bulk personal dataset or communications personal data should be negated. For example, Schedule 1 of Counter-Terrorism Act 2008 which modifies the ‘Representation of the People (England and Wales) Regulations 2001 (S.I. 2001/341)’ is not repealed. This modification includes Regulation 108A which is entitled ‘Supply of full register etc to the security services’. Not to close down existing powers would mean that there may be a secondary access route that could allow access to personal data outwith the protections in this Bill.”
405.Various witnesses suggested that further safeguards were needed for BPDs. Amberhawk Training pointed out that “in Schedule 6 which concerns all Codes of Practice, there is no detail as to what should appear in the BPD Code of Practice. The Committee may wish to press for detail as to the content of the BPD Code as the safeguards appear to be no more than a blank canvas to be completed by the Secretary of State once a future Bill becomes law.”
406.The safeguards for BPDs are not sufficiently explained in the Bill. We have not seen a draft Code of Practice on BPDs, and we therefore do not know whether BPDs will, in practice, be treated differently from the communications datasets that are referred to in parts 4 and 6 of the Bill (and which also appear to fall under the definition of a BPD).
407.We believe that a draft Code of Practice on BPDs should be published when the Bill is introduced to provide greater clarity on the handling of BPDs, not least in relation to the provisions of the Data Protection Act 1998. To the greatest extent possible, the safeguards that appear in the Data Protection Act 1998 should also apply to personal data held by the security and intelligence agencies. (Recommendation 30)
408.We also agree that existing powers for acquiring BPDs should be consolidated in this Bill and that any other powers for the security and intelligence agencies to acquire BPDs should be repealed. (Recommendation 31)
14 Home Office, Draft Investigatory Powers Bill: Guide to Powers and Safeguards, Cm 9152, November 2015, p.8
15 Written evidence from law enforcement ()
17 See, for example, written evidence from Howard Clark () and Liberty ()
18 Written evidence from Mr Ray Corrigan (I)
19 Written evidence from Open Rights Group ()
20 Home Office, Draft Investigatory Powers Bill: Guide to Powers and Safeguards, Cm 9152, November 2015, p.12
21 We are particularly grateful for the input of our specialist advisers for this section.
22 (Paul Lincoln, Home Office)
23 (Assistant Chief Constable Richard Berry, National Police Chiefs’ Council)
24 (Jo Cavan, Interception of Communications Commissioner’s Office)
25 (Simon York, HMRC)
26 Written evidence from the Crown Prosecution Service ()
27 Written evidence from Lord Carlile of Berriew CBE QC (), the NSPCC (), the Information Commissioner’s Office () and Liberty ()
28 Written evidence from Liberty ()
29 Written evidence from Dr Paul Bernal ()
30 Home Office, Acquisition and Disclosure of Communications Data Code of Practice, March 2015
31 Written evidence from BCS, The Chartered Institute for IT ()
32 Written evidence from the Crown Prosecution Service ()
33 Written evidence from the Serious Fraud Office ()
34 Written evidence from Privacy International ()
35 Written evidence from F-Secure Corporation ()
36 Written evidence from Open Intelligence ()
37 Written evidence from Dr Paul Bernal ()
38 Written evidence from Graham Smith ()
39 Written evidence from the Home Office () Annex A
40 Written evidence from LINX ()
43 Written evidence from Dr Paul Bernal ()
44 Written evidence from Open Intelligence ()
45 Written evidence from Graham Smith ()
46 (Theresa May MP)
47 (Paul Lincoln, Home Office)
48 (Paul Lincoln, Home Office)
49 They will not, however, have access to Internet Connection Records. See Clause 47(5).
50 Written evidence from the Convention of Scottish Local Authorities (COSLA) ()
51 Written evidence from the Local Government Association (LGA), National Anti-Fraud Network (NAFN), Chartered Trading Standards Institute and Association of Chief Trading Standards Officers () and Trading Standards North West ()
52 Written evidence from law enforcement ()
53 (Theresa May MP)
54 Home Office, Operational Case for the Retention of Internet Connection Records, 4 November 2015
55 This issue may be ameliorated by the adoption of IPv6, although progress has so far been limited and widespread deployment and usage is not imminent.
56 See, for example, written evidence from Christopher Lloyd (), Ian Batten () and Electronic Frontier Foundation ()
58 (Paul Lincoln, Home Office)
59 Home Office, , 4 November 2015
60 Written evidence from law enforcement ()
61 Written evidence from the Crown Prosecution Service ()
62 (Michael Atkinson, National Police Council’s Data Communications Group)
63 Written evidence from the NSPCC ()
64 Written evidence from BCS, The Chartered Institute for IT ()
65 Written evidence from Big Brother Watch ()
66 Written evidence from Dr Tom Hickman ()
67 (Caroline Wilson Palow, Privacy International)
68 Written evidence from the IT-Political Association of Denmark ()
69 Written evidence from Dr Paul Bernal (), Daniel Walrond (), Scottish PEN (), Open Rights Group (), F-Secure Corporation (), Privacy International (), Dr Julian Huppert () and Liberty ().
70 Written evidence from TalkTalk ()
72 See, for example, written evidence from Andrews & Arnold Ltd (), the IT-Political Association of Denmark () and GreenNet Ltd (), (Hugh Woolford, Virgin Media) and (Jonathan Grayling, EE)
73 Written evidence from Open Rights Group ()
74 Written evidence from ISPA ()
75 Written evidence from Dr Paul Bernal ()
76 Written evidence from the Center for Democracy & Technology ()
77 See, also, written evidence from techUK () and Virgin Media ()
78 Graham Smith, , November 2015
79 Written evidence from Graham Smith ()
80 Written evidence from Ian Batten ()
81 (Adrian Gorham, O2)
82 (Simon Miller, 3)
83 (Mark Hughes, BT Security)
84 Written evidence from BT ()
85 Written evidence from the Home Office ()
86 Written evidence from ISPA ()
87 HC Deb, 4 November 2015,
88 Written evidence from Big Brother Watch ()
89 Written evidence from Professor John Naughton and Professor David Vincent ()
90 Written evidence from Dr Paul Bernal (), Entanet International Ltd (), Graham Smith () and GreenNet Ltd ()
91 (Theresa May MP)
92 Written evidence from Andrews & Arnold Ltd ()
93 Written evidence from Dr Paul Bernal ()
94 (Jonathan Grayling, EE)
95 Written evidence from IT-Political Association of Denmark ()
96 See, for example, written evidence from Brass Horn Communications () and The Tor Project ()
97 Written evidence from the IT-Political Association of Denmark ()
98 Written evidence from F-Secure Corporation ()
99 See, for example, written evidence from the ADS Group ()
100 Written evidence from Andrews & Arnold Ltd ()
101 Written evidence from Dr Richard Clayton ()
102 (Adrian Kennard)
103 Written evidence from Dr Paul Bernal ()
104 Written evidence from the IT-Political Association of Denmark ()
105 Written evidence from Gareth Kitchen ()
106 Written evidence from Daniel Walrond ()
107 (Mark Hughes, BT Security)
108 See, for example, (David Anderson QC), (Eric King), and written evidence from Andrews & Arnold Ltd (), Big Brother Watch (), Dr Paul Bernal (), Simon Pooley (), Daniel Walrond (), techUK (), Ian Batten (), Digital-Trust CIC () and Privacy International ()
109 Written evidence from the IT-Political Association of Denmark () and (Jesper Lund, IT-Political Association of Denmark)
110 (Jesper Lund, IT-Political Association of Denmark)
111 (Theresa May MP)
112 Written evidence from BCS, The Chartered Institute for IT ()
113 Written evidence from Virgin Media ()
114 Home Office, Operational Case for the Retention of Internet Connection Records, 4 November 2015
115 (Keith Bristow)
116 (Richard Berry)
117 Written evidence from the Center for Democracy & Technology ()
118 (Paul Lincoln, Home Office)
119 (Eric King)
120 (David Anderson QC)
121 Written evidence from Andrews & Arnold Ltd ()
122 Written evidence from JISC ()
123 Written evidence from Big Brother Watch ()
124 See, for example, written evidence from Adrian Wilkins (), Eris Industries (), Dr Paul Bernal (), Giuseppe Sollazzo (), Mr Ray Corrigan (), Dr Glyn Moody (), Mozilla (), the Chartered Institute of Library and Information Professionals (), Open Rights Group (), Center for Democracy & Technology (), the Tor Project () and Law Society of Scotland ()
125 (Professor Michael Clarke)
127 (Hugh Woolford, Virgin Media)
128 (Mark Hughes, BT Security)
129 (Adam Kinsley, Sky)
130 (Richard Alcock, Home Office)
131 (Richard Alcock, Home Office)
132 (Christopher Graham, Information Commissioner)
133 (Paul Lincoln, Home Office)
134 (Chris Farrimond, National Crime Agency)
135 (Simon York, HMRC)
136 Written evidence from law enforcement ()
137 Written evidence from Dr Julian Huppert ()
138 (Caroline Wilson Palow, Privacy International)
139 (Jim Killock, Open Rights Group)
140 (Caroline Wilson Palow, Privacy International)
141 See, for example, (Mark Hughes, BT Security), and written evidence from Andrews & Arnold Ltd (), Entanet International Ltd (), Vodafone (), GreenNet Ltd (), EE (), BT () and Virgin Media ()
142 Written evidence from TalkTalk ()
143 (Jonathan Grayling, EE)
144 Written evidence from ISPA ()
145 (Mark Hughes, Vodafone)
146 See, for example, (Adrian Kennard, Andrews & Arnold Ltd) and (Jonathan Grayling, EE)
147 (Mark Hughes, Vodafone)
148 (Hugh Woolford, Virgin Media)
149 (Richard Alcock, Home Office)
150 Written evidence from Vodafone ()
151 Written evidence from the Home Office ()
152 HC Deb, 4 November 2015,
153 Written evidence from LINX ()
154 Written evidence from EE ()
155 Written evidence from TalkTalk ()
156 Written evidence from EE ()
157 Written evidence from ISPA ()
158 Written evidence from EE ()
159 Written evidence from Andrews & Arnold Ltd () and techUK ()
160 Written evidence from JISC ()
161 Written evidence from BT ()
162 Written evidence from ISPA ()
163 Written evidence from the Institute for Human Rights and Business (), Mozilla (), the Chartered Institute of Library & Information Professionals (), Open Rights Group () and F-Secure Corporation ()
164 Written evidence from Entanet International Ltd ()
165 (Theresa May MP)
166 Written evidence from Andrews & Arnold Ltd ()
167 Written evidence from Rev Cecil Ward () and Philip Virgo ()
168 (Richard Alcock, Home Office)
169 Written evidence from Apple Inc. and Apple Distribution International ()
170 Written evidence from Andrews & Arnold Ltd ()
171 Written evidence from Naomi Colvin ()
172 Written evidence from Theresa May MP ()
173 Clause 51(5)
174 Clause 52(5)
175 Clause 53(4)
177 Written evidence from the Information Commissioner’s Office ()
178 Written evidence from Virgin Media ()
180 (Paul Lincoln, Home Office)
181 Written evidence from LINX ()
182 (Eric King)
183 Written evidence from Entanet International Ltd ()
184 Written evidence from Open Rights Group (), Dr Julian Huppert (), Internet Service Providers’ Association (), McEvedys Solicitors & Attorneys Ltd () and Liberty ()
185 (James Blessing, ISPA)
186 (Adrian Gorham, O2)
187 (Jonathan Grayling, EE)
188 (Paul Lincoln, Home Office)
189 Written evidence from Mr Ray McClure ()
190 Written evidence from the Information Commissioner’s Office ()
191 Written evidence from techUK ()
192 Written evidence from Big Brother Watch ()
193 Written evidence from Article 19 ()
194 See, for example, (Caroline Wilson Palow, Privacy International), (Renate Samson, Big Brother Watch) and written evidence from Dr Paul Bernal (), Ms Susan Morgan (), Martin Kleppmann (), Open Intelligence (), Mr. Bernard Keenan, Dr. Orla Lynskey and Professor Andrew Murray (), the Information Commissioner’s Office (), Scottish PEN (), the Global Network Initiative (), New America’s Open Technology Institute (), techUK (), Apple Inc. and Apple Distribution International (), Mozilla () Access Now (), and Facebook Inc., Google Inc., Microsoft Corp., Twitter Inc. and Yahoo Inc. (), F-Secure Corporation (), Human Rights Watch (), Dr Julian Huppert () and Liberty ()
195 See, for example, (Professor Bill Buchanan), and written evidence from Dr Paul Bernal (), Giuseppe Sollazzo (), Martin Kleppmann (), the Center for Democracy & Technology () and F-Secure Corporation ()
196 (Erka Koivunen, F-Secure Corporation)
197 Written evidence from Andrews & Arnold Ltd ()
198 Written evidence from Apple Inc. and Apple Distribution International ()
199 (Paul Lincoln, Home Office)
200 See, for example, written evidence from Cryptomathic Ltd () and ISPA ()
201 Written evidence from Adrian Wilkins ()
202 Written evidence from Eris Industries Ltd ()
203 (Theresa May MP)
205 Written evidence from the Home Office ()
206 (Chris Farrimond, National Crime Agency)
207 (Erka Koivunen)
208 (Ross Anderson)
209 Written evidence from the National Union of Journalists (NUJ) ()
210 Written evidence from Electronic Frontier Foundation ()
211 Written evidence from the Home Office ()
212 Home Office, Equipment Interference Code of Practice, Draft for public consultation, February 2015 and Home Office, Equipment Interference Draft Code of Practice, November 2015
213 Home Office, Covert Surveillance and Property Interference: Revised Code of Practice, 2010
215 Home Office, Investigatory Powers Bill: Factsheet—Targeted Equipment Interference, 4 November 2015, p. 1
216 Written evidence from the Home Office ()
217 (Richard Berry)
218 Written evidence from BCS, The Chartered Institute for IT (); Professor John Naughton and Professor David Vincent ()
219 (David Davis MP)
220 Written evidence from Dr Tom Hickman ()
221 Written evidence from Privacy International ()
222 Written evidence from Article 19 ()
223 Written evidence from Electronic Frontier Foundation ()
224 Written evidence from Privacy International () and Liberty ()
225 Written evidence from Big Brother Watch ()
226 Written evidence from Wendy Grossman ()
227 Written evidence from the Center for Democracy & Technology ()
228 European Court of Human Rights, Malone v United Kingdom, (1984) 7 EHRR 14 and Weber and Saravia v Germany, (2008) 46 EHRR SE5
229 See, for example, written evidence from Andrews & Arnold Ltd (), Big Brother Watch (), Mr Ray Corrigan (), New America’s Open Technology Institute (), Apple Inc. and Apple Distribution International (), LINX (), Privacy International () and Dr Julian Huppert ().
230 Written evidence from Mr. Bernard Keenan, Dr. Orla Lynskey and Professor Andrew Murray ()
231 Investigatory Powers Tribunal, Privacy International v Secretary of State for Foreign and Commonwealth Affairs and GCHQ, (2015) IPT 14/85/CH
232 Written evidence from Matthew Ryder QC ()
233 See, for example, written evidence from Liberty ()
234 Written evidence from Privacy International ()
235 Written evidence from law enforcement ()
236 (Detective Superintendent Paul Hudson)
237 Home Office, Draft Investigatory Powers Bill: Guide to Powers and Safeguards, Cm 9152, November 2015, para 38
238 (Matthew Ryder QC)
239 (Professor Sir David Omand)
240 Written evidence from Dr Paul Bernal () and (Dr Paul Bernal)
241 Written evidence from the UN Special Rapporteurs ()
242 Written evidence from Article 19 ()
243 Written evidence from Big Brother Watch ()
244 Written evidence from JUSTICE ()
245 Written evidence from Apple Inc. and Apple Distribution International ()
246 Intelligence and Security Committee (ISC), Privacy and Security: A modern and transparent legal framework, 12 March 2015, HC 1075
247 Written evidence from Liberty ()
248 Written evidence from Privacy International ()
249 Written evidence from the Bar Council ()
250 Written evidence from Privacy International ()
251 Written evidence from the Institute for Human Rights and Business ()
252 Written evidence from Amnesty International UK ()
253 (Theresa May)
254 European Court of Human Rights, Zakharov v Russia (2015) application no. 47143/06, para. 264
255 Written evidence from Theresa May MP ()
258 Written evidence from BCS, The Chartered Institute for IT ()
259 Written evidence from Mr Ray Corrigan ()
260 Written evidence from William Binney ()
261 (William Binney)
262 For example, written evidence from Eris Industries Limited (), Giuseppe Sollazzo (), Krishan Bhasin (), Mr Eric King (), Privacy International () and Dr Julian Huppert ()
263 Written evidence from David Wells ()
265 Written evidence from Dr Paul Bernal ()
266 Written evidence from David Wells ()
267 Written evidence from Article 19 ()
268 Written evidence from the Equality and Human Rights Commission ()
269 Written evidence from Dr Tom Hickman ()
270 Home Office, Draft Investigatory Powers Bill: Guide to Powers and Safeguards, Cm 9152, November 2015, p.22
271 Written evidence from Theresa May MP ()
272 Written evidence from Privacy International ()
273 Written evidence from Graham Smith ()
274 Written evidence from the Home Office ()
275 Written evidence from Open Rights Group ()
276 Intelligence and Security Committee (ISC), Privacy and Security: A modern and transparent legal framework, 12 March 2015, HC 1075, para 80
277 Intelligence and Security Committee (ISC), Privacy and Security: A modern and transparent legal framework, 12 March 2015, HC 1075
278 Written evidence from Dr Tom Hickman ()
279 Written evidence from Dr Glyn Moody ()
280 Written evidence from Global Network Initiative ()
281 Written evidence from Big Brother Watch ()
282 Written evidence from Wendy M. Grossman ()
283 Written evidence from Facebook Inc., Google Inc., Microsoft Corp., Twitter Inc. and Yahoo Inc. ()
284 Written evidence from Vodafone Ltd ()
285 Written evidence from Apple Inc. and Apple Distribution International ()
286 Written evidence from Virgin Media ()
287 Written evidence from Mozilla ()
288 Written evidence from Professor John Naughton and Professor David Vincent ()
289 (Professor Ross Anderson)
290 Written evidence from the Home Office ()
291 (Matthew Ryder QC)
292 Home Office, Draft Investigatory Powers Bill: Guide to Powers and Safeguards, Cm 9152, November 2015, para 71
293 Ibid., para 72
294 Written evidence from Theresa May MP ()
296 See, for example, written evidence from Professor Anthony Glees ()
297 Written evidence from BCS, The Chartered Institute for IT ()
298 Written evidence from Amberhawk Training Ltd ()
299 (Sir Mark Waller)
300 For example, written evidence from Privacy International ()
301 Written evidence from Liberty ()
302 (Eric King)
303 Written evidence from the Institute for Human Rights and Business ()
304 Written evidence from Open Rights Group ()
305 Written evidence from Theresa May MP ()
306 Written evidence from the Information Commissioner’s Office ()
307 Written evidence from Mr. Bernard Keenan, Dr. Orla Lynskey and Professor Andrew Murray ()
308 Written evidence from Dr Tom Hickman ()
309 Written evidence from medConfidential ()
310 Written evidence from the Information Commissioner’s Office ()
311 (Christopher Graham, Information Commissioner)
312 (Professor Ross Anderson)
313 (Professor Sir David Omand)
314 (David Davis MP)
315 (Baroness Jones of Moulsecoomb)
316 Written evidence from medConfidential (), Amberhawk Training Ltd (), Open Intelligence () and Mark Dziecielewski ()
317 (Christopher Graham, Information Commissioner) See, also, written evidence from the Information Commissioner’s Office ()
318 Written evidence from the Home Office ()
319 Written evidence from Amberhawk Training Ltd ()
320 See, for example, written evidence from Simon Pooley (), Privacy International () and Dr Julian Huppert ()
321 Written evidence from Amberhawk Training Ltd ()