The Wrong Number!
Ibrahim Hasan from Act Now offers an expert legal take on the new Government communications surveillance proposals
The Coalition Agreement states that the government "will end the storage of internet and e mail records without good reason." More recently Theresa May, the Home Secretary, when announcing the Protection of Freedoms Bill, said:
"The first duty of the state is the protection of its citizens, but this should never be an excuse for the government to intrude into peoples' private lives. Snooping on the contents of families' bins and security checking school-run mums are not necessary for public safety and this Bill will bring them to an end. I am bringing common sense back to public protection and freeing people to go about their daily lives without a fear that the state is monitoring them."
These pious commitments are now in tatters as, according to recent media reports, the Government wants the power to be able to monitor the calls, emails, texts and website visits of everyone in the UK. Whilst we are still waiting for the details, some have suggested that the proposals are directed not only at monitoring the use of new instant communication tools (e.g. Twitter, Blackberry Messenger etc.) but also at loosening the current restrictions on accessing communications data.
A new law, which may be announced in the forthcoming Queen's Speech in May, will require communications service providers (CSPs) to give intelligence agency, GCHQ, access to communications on demand, in real time. However it will not allow GCHQ to access the content of emails, calls or messages without a warrant. At present CSPs are obliged to keep details of users' web access, email and phone calls for 12 months, under the EU Data Retention Directive 2009. While they also keep a limited amount of other data on their own subscribers for billing and commercial purposes, the new law will require them to store a much bigger volume of third party data such as that from Google Mail, Twitter, Skype and Facebook that crosses their servers every day.
Civil liberties groups, including Liberty and Big Brother Watch, have condemned this move as an unacceptable invasion of privacy. This is not the first time this idea has been floated. In October 2010, the Government announced its intention to introduce the Interception Modernisation Programme (IMP), at a cost of £2billion. This was a rehash Labour's abandoned proposal (which was heavily criticised by the Coalition partners at the time) to require communications service providers (CSPs) to collect and store the traffic details of all internet and mobile phone use, initially in a central database. This latest announcement seems to be the same IMP project but renamed "the Communications Capabilities Development Programme (CCDP)".
Access to Communications Data in the UK is already governed by Part 1 Chapter 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (sections 21-25). This sets out who can access what type of communications data and for what purposes. This includes the police and security services as well as councils, government departments and various quangos. The legislation restricts access to the different types of communications data depending on the nature of the body requesting it and the reason for doing so.
The definition of "communications data" includes information relating to the use of a communications service (e.g. telephone, internet and postal service) but does not include the contents of the communication itself. Such data is broadly split into three categories: "traffic data" i.e. where a communication was made from, to whom and when; "service data" i.e. the use made of the service by any person e.g. itemized telephone records; "subscriber data" i.e. any other information that is held or obtained by an operator on a person they provide a service to.
Some public bodies already get access to all types of communications data e.g. police, security service, ambulance service, customs and excise. Local authorities are restricted to subscriber and service use data and even then only where it is required for the purpose of preventing or detecting crime or preventing disorder.
At present access to communications data is granted through a system of self authorisation. There are forms to complete (signed by a senior officer) and tests of necessity and proportionality to satisfy. Notices have to be served on the CSP requesting the data. From time to time, the Interception of Communications Commissioner inspects public authorities that use these powers. There is no system of judicial oversight.
It is unclear as to how the new proposals will be different from the current system. There is talk of the security services being able to access data in real time. The current system normally gives access to historic data. It does allow real time access to certain organisations (including the police and security services) but only in an emergency to save life or limb or in exceptionally urgent operations. The internal authorisation forms still have to be completed and written notices have to be served on the CSP later on. Maybe the Government wants GCHQ to have carte blanche direct access into CSPs systems. This would be unprecedented and certainly "Orwellian" to say the least. The potential for abuse would be massive.
Updating the Law
The Home Office Minister says they are updating the law "in terms of social media and new devices". If this means GCHQ knowing when an individual visits these sites, this is already allowed under the current regime known as traffic data (web browsing information). If the proposals go further and would allow GCHQ to look at actual webpages visited within a domain (e.g. Facebook) and calls made (e.g. from Skype) this would be a big extension of existing powers and much more intrusive. It gives the possibility of building up a picture of someone's lifestyle, their movements, contacts, interests etc.; potentially a vast amount of information which, if it gets into the wrong hands, can be quite damaging to individuals.
At present the checks and balances are very weak as discussed above (self authorisation followed by a notice to the CSP). The proposals, which talk of access in "real time" and "on demand", require much stronger checks and balances.
If it is really necessary for GCHQ to have access to such a vast amount of information, it should be subject to judicial approval. This could be a similar system to the one, which councils will be subject to as a result of the changes to the RIPA regime to be made by the Protection of Freedoms Bill. In the future any local authority request for communications data (however minor) will have to be approved by a Magistrate. (See my earlier article in LGL for more detail about the Bill.) After all, the powers that the police and intelligence agencies have under RIPA to undertake surveillance and acquire communications data are much wider than those of local authorities.
There are also legitimate concerns about what would happen if the information held and accessed on individuals by GCHQ gets into the wrong hands. Can we really trust the law enforcement agencies not to mishandle such data? Only recently allegations have surfaced that that the police have been misusing the same powers the Government is now seeking to extend, to assist the tabloids to locate the whereabouts of celebrities and other persons of interest.
The Government needs to think carefully before proceeding. If these new proposals are enacted there is a massive potential for misuse. They will provide a rich seem of information which may be bought by journalists from unscrupulous police and intelligence officers. This could lead to further erosion of public trust in the law enforcement agencies and Government. Of course "the Devil is in the detail" and we wait to see how the Government will address these concerns.
Ibrahim Hasan is a solicitor and director of Act Now Training. Act Now provides Expert Training in Data Protection, Freedom of Information and Surveillance Law.
Wendy M. Grossman responds to "loopy" statements made by Google Executive Chairman Eric Schmidt in regards to censorship and encryption.
ORGZine: the Digital Rights magazine written for and by Open Rights Group supporters and engaged experts expressing their personal views
People who have written us are: campaigners, inventors, legal professionals , artists, writers, curators and publishers, technology experts, volunteers, think tanks, MPs, journalists and ORG supporters.
Manchester Cryptoparty with FSFE