Monday, 14 May 2012

Government Snooper's Charter announced, many questions left unanswered

Last week's Queen's Speech showed the Coalition's wish list of proposed laws and reforms for this Parliamentary legislative agenda. This included a little more information on the government's plans for updating law enforcement access to communications data, which have been circulating under the Communications Capabilities Development Programme (CCDP) name since late 2011/early 2012.

We now know it's called the draft Communications Data Bill and it "intends to bring forward measures to maintain the ability of the law enforcement and intelligence agencies to access vital communications data under strict safeguards to protect the public, subject to scrutiny of draft clauses".

Luckily, the Bill was moved out of the fast-stream "Home Office/Ministry of Justice crime and courts bill" to be considered on its own merits as a standalone bill.

This is good news because extensive scrutiny and public consideration of draft clauses are essential to fully understanding the implications of this 'Snooper's Charter'. 

Nick Clegg has promised the Bill won't be 'rammed through Parliament' and the Home Office pledge to include strong safeguards.

Nevertheless, the very existence of this proposal is curious given the 2010 Coalition pledge to "end the storage of internet and email records without good reason".

Current System

It's important to remember that communications data is not actual content, but the metadata about phone and Internet communications.

This includes the email addresses of sender and recipient, user location, phone numbers, equipment used, and the time and duration of a phone call.

Since 2009, UK ISPs and Telcos have retained communications data collected in the course of business (for billing etc) for 1 year under powers derived from the EU Data Retention Directive.

Under the Regulation of Investigatory Powers Act 2000, law enforcement agencies and other authorised bodies can already access this data, for many reasons including fighting crime and maintaining the economic well-being of the country.

So how will this new bill change the current system? It will:

1) Update the framework for collection and retention of communications data by communication service providers (CSPs)

2) Update the framework on lawful access to such data for authorised government bodies including the police and intelligence agencies.

3) Create 'strict safeguards' including:
        - A 1-year limit on data held by CSPs
        - Measures to protect data from unauthorised access or disclosure.
        - Extension of the Interception of Communications Commissioner oversight
        - Provide an independent Technical Advisory Board for CSPs
        - Extend powers of the Investigatory Powers Tribunal for investigating individual complaints

4) Remove communications data laws that have lower standards of protection.

Problematically, this outline doesn't really provide much detail on the nuts and bolts of the new Bill.

There are many key practical areas I think have to be addressed including: What additional powers will be provided for oversight bodies? Do CSPs have to install dedicated 'black box' deep packet inspection technology? Who will pay for this infrastructure and maintenance of interception algorithms? How will the new law handle encrypted communications?

Requiring data from third-party services, often outside the UK, raises many questions too: How will US third parties, like Google, Microsoft or Facebook, fit in with UK police seeking social networking and instant messaging comms data? How will CSPs accurately separate the content of communications from the metadata? And how will real-time access to data work in practice?

The current EU Data Retention laws have often been criticised for creating a system of mass surveillance.

Yet, instead of rolling back these powers, this Bill wants to further expand and entrench this culture of storing everything 'just in case' it becomes useful.

Whilst it's claimed 'modernisation' is needed to stop terrorism, paedophile rings and other organised criminal activity, these criminal groups will doubtless use encryption technologies and anonymised networks keeping them off the grid anyway.

This just leaves the general population unjustifiably under the gaze of a decentralised network of private surveillance.

Until specific details of the plans are released the many questions outlined above will remain unanswered, preventing any real debate.

However, even when more information becomes available, it remains impossible to envision how treating the entire UK population as a 'nation of suspects' is necessary and proportionate in a democratic society.


  1. The government feels it is necessary and proportionate because distributed communication in general is outgrowing the state's eavesdropping reach and possible policing powers. The mere threat that the government can reach out and control the population is the underlying need and design. People need to know that someone may be watching so that a sense of centralised control persists on the chaotic cyber seas.

  2. Thanks for the posts. Good stuff.