Monday, 14 May 2012

Government Snoopers charter announced, many questions left unanswered

Last week's Queen's Speech showed the Coalition's wish list of law proposals and reforms for this Parliamentary legislative agenda. This included a little bit more information on the government plans for updating law enforcement access to communications data that have been circulating under the Communications Capabilities Development Program (CCDP) name since late 2011/early 2012.

We now know it's called the draft Communications Data Bill and it "intends to bring forward measures to maintain the ability of the law enforcement and intelligence agencies to access vital communications data under strict safeguards to protect the public, subject to scrutiny of draft clauses"

Luckily, the Bill was moved out of the fast stream "Home Office/Ministry of Justice crime and courts bill" to be considered on it's own merits as a standalone bill.

This is good news because extensive scrutiny and public consideration of draft clauses are essential to fully understanding the implications of this 'Snooper's Charter'. 

Nick Clegg has promised the Bill won't be 'rammed through Parliament' and the Home Office pledge to include strong safeguards.

Nevertheless, the very existence of this proposal is curious given the 2010 Coalition pledge to "end the storage of internet and email records without good reason".

Current System

It's important to remember that communications data is not actual content, but the metadata about phone and Internet communications.

This includes the email addresses of sender and recipient, user location, phone numbers, equipment used, the time and duration of a phone call.

Since 2009, UK ISPs and Telcos have retained communications data collected in the course of business (for billing etc) for 1 year under powers derived from the EU Data Retention Directive.

Under the Regulation of Investigatory Powers Act 2000, law enforcement agencies and other authorised bodies can already access this data, for many reasons including fighting crime and maintaining the economic well being of the country.

So how will this new bill change the current system? It will:

1) Update the framework for collection and retention of communications data by communication service providers (CSPs)

2) Update the framework on lawful access to such data for authorised government bodies including the police and intelligence agencies.

3) Create 'strict safeguards' including:
        - A 1-year limit on data held by CSPs
        - Measures to protect data from unauthorised access or disclosure.
        - Extension of the Interception of Communications Commissioner oversight
        - Provide an independent Technical Advisory Board for CSPs
        - Extend powers of the Investigatory Powers Tribunal for investigating individual complaints

4) Remove communications data laws that have lower standards of protection.

Problematically, this outline doesn't really provide much detail on the nuts and bolts of the new Bill.

There are many key practical areas I think have to be addressed including: What additional powers will be provided for oversight bodies? Do CSPs have to install dedicated 'black box' deep packet inspection technology? Who will pay for this infrastructure and maintenance of interception algorithms? How will the new law handle encrypted communications?

Requiring data from third party services, often outside the UK, raise many questions too: How will US third parties, like Google, Microsoft or Facebook, fit in with UK police seeking social networking and instant messaging comms data? How will CSPs accurately separate the content of communications from the metadata? And how will real time access to data work in practice?

The current EU Data Retention laws have often been criticised for creating a system of mass surveillance.

Yet, instead of rolling back these powers, this Bill wants to further expand and entrench this culture of storing everything 'just in case' it becomes useful.

Whilst it's claimed 'modernisation' is needed to stop terrorism, paedophile rings and other organised criminal activity, these criminal groups will doubtless use encryption technologies and anonymised networks keeping them off the grid anyway.

This just leaves the general population unjustifiably under the gaze of a decentralised network of private surveillance.

Until specific details of the plans are released the many questions outlined above will remain unanswered, preventing any real debate.

However, even when more information becomes available, it remains impossible to envision how treating the entire UK population as a 'nation of suspects' is necessary and proportionate in a democratic society.

Roundup of my Naked Security Articles 20 March to 14 May

20/03/2012 - Cyberwar: Hype or reality? - Is "cyberwar" really upon us? Is a "digital Pearl Harbour" imminent? And is an international agreement on "cyberarms" a plausible solution? These are just some of the questions I address in this piece.

29/03/2012 - Stopping the Zombies: Introducing the new Federal Communications Commission anti-botnet code - A new voluntary code of conduct for ISPs in the US creates new measures for addressing botnets. Does it go far enough?

10/03/2012 - A New Cookie Recipe: The International Chamber of Commerce Cookie Code - As of next month, the ICO will be enforcing new(ish) rules on cookies and consent, but is the business world ready? And if not, will the International Chamber of Commerce's UK Cookie Guide provide the tools to help them comply?

18/04/12 - New Bill in UK wants Internet to be censored from porn by default - A new Bill wants to protect children by requiring all users to opt-in if they want to access porn. This would create a system of censorship by default. Is this necessary when parents already have access to porn-management tools?

30/04/12 - ACTA Update the Fight goes on - ACTA has received considerable criticism from a number of high-profile sources, but don't write it off just yet. there is still a chance it could become law.