« Green Paper on Communications Bill cancelled
ICANN reveals new gTLD applications »

Draft Communications Data Bill published

Data Retention, RIPA - Access

The draft Communications Data Bill was introduced into Parliament today, bringing with it major proposed changes to the UK’s regime for the acquisition and release of communications data.

The draft Bill includes controversial measures to require network operators to acquire communications data relating to third party services – for example, requiring an ISP to discover and record when its customers post a message on a social networking site, and to which other user of the site that message was addressed. The Bill does not specify what data ISPs are to acquire, nor provide any limits; the requirements for ISPs are to be set out in Orders made by the Home Secretary at a later date.

As with the existing data retention arrangements, the plan is to apply the requirements only to selected ISPs, so that the smallest operators are exempt from obligations the cost of which would be disproportionate to any benefit thereby obtained. The government will continue to meet the costs incurred by network operators who are required to comply.

The draft Bill replaces the whole of Part I Chapter 2 of the Regulation of Investigatory Powers Act, which provides the existing legal powers for public authorities to access communications data. It also repeals and/or limits a series of obsolete, legacy powers, the effect of would be to ensure that if a public authority can get access to communications data under the powers in this Bill, they can only access it by following the provisions of the Bill.

Writing in The Sun, Home Secretary Theresa May said “I just don’t understand why some people criticise these proposals” and

“People have a right to privacy. But unless you are a criminal, then you’ve nothing to worry about from this new law. This isn’t a snoopers’ charter, it’s a criminals’ nightmare.” — Home Secretary Theresa May

The Bill was published the same day the Prime Minister testified to the Leveson enquiry.

Comparison with IMP

Although the government claims that the draft Bill is different to the late, unlamented Interception Modernisation Programme promoted and then abandoned by the previous, Labour, government, as far as network operators are concerned the key defining features of IMP have remained intact:

  • Acquisition and retention of third party data
    • Under existing arrangements, ISPs are required to retain communications data relating to the use and traffic on access and e-mail services they provide, as well as subscriber details. In practice, this mainly means that ISPs must be capable doing a “subscriber check” on an IP address: that is, being supplied with an IP address and a time, they should be able to respond with the name and address of the customer to whom the IP address in question was assigned at that time. If the ISP runs an SMTP mail server they should also be able to identify the list of e-mail addresses to whom a given customer sent e-mails through that server, and similar out-bound e-mail communications data, and if the ISP runs a POP or IMAP mail server they should also be able to identify the IP addresses of the mail servers that sent e-mail to a particular customer, and related data. However there is currently no requirement for an access provider to monitor the use by their customers of third party e-mail services such as Google Mail and Microsoft Hotmail.
    • Under IMP, it was proposed that network access providers would have to obtain communications data relating to the use of third party communications services, including third party e-mail services, social networking sites, instant messaging services and computer games.
    • Under the draft Communications Data Bill (CCDB), it is likewise proposed that network access providers would have to obtain communications data relating to the use of third party communications services. It is intended, as a matter of policy, that the law enforcement agencies would normally obtain communications data from the major third party services (such as Google, Facebook, Twitter etc) directly, with the cooperation of such services; in such cases, ISPs would not be required to acquire and retain the communications data relating to the use of those specific sites. However where a third party service operator is unable or unwilling to comply with law enforcement agencies’ requirements, then ISPs will be notified that they need to start acquiring and retaining the relevant data by monitoring the traffic passing over their networks. This would also be the case where the third party operator is willing to co-operate, but is unable to do so sufficiently rapidly.
  • Extensible list of data types to be retained
    • Under existing arrangements, the list of data types to be retained are set out in Regulations that implement a European Directive. Adding to the list of data types (for example, to add the requirement to monitor which web sites a user visits) would require primary legislation, either in the UK Parliament or at the European level.
    • Under IMP, the precise requirements were unspecified. Given the highly ambitious nature of the government’s expectations it was anticipated that the government would start with a relatively small and achievable sub-set of the data types to which it wished to have access, and take a broad general power to expand at will the list of services that would be monitored.
    • Under CCDB, the Bill provides that list of services to be covered shall be updated and extended from time to time without recourse to primary legislation. It is not yet clear whether this would be done by a Ministerial Order, which would be confirmed by a single vote in Parliament, or simply by a written notice to the ISP without any further legislative process at all.
      • The Secretary of State will remain under a legal duty under the Human Rights Act to consider whether she believes that any extension of monitoring is “necessary and proportionate”. In theory her opinion could be challenged in court – although it seems unlikely that anybody would ever be able to do so (apart from the government, only the network operator itself would know precisely what was being done) or that a court would ever seek to override the Home Secretary’s judgement of what the interests of national security required.
  • Specified equipment
    • Under existing arrangements, ISPs are free to choose whatever equipment they wish to satisfy the much more limited data retention requirements to which they are subject, and there is no statutory power to impose the selection of particular equipment (although there is such a power in respect of the interception of the content of communications; but note that interception requirements are scaled to meet targeted interceptions not the entirety of the ISP’s customer base). Because the government has a policy of compensating ISPs for the costs incurred in carrying out data retention, in practice ISPs negotiate with the Home Office a contract specifying precisely what will be done and how, in order to agree a price (in short, this process is analogous to a commercial contract for the supply of services, except that the ISP is not permitted to make a profit). This would give the Home Office the capacity to influence the selection of equipment, although it is not thought that this happens in respect of data acquisition.
    • Under IMP, ISPs would have been required to install specific devices for deep packet inspection directly on their networks. It was never clear whether the intention was that these would be supplied and controlled by the intelligence community, or whether they would have been operated by the ISP but chosen only from a list of devices the government had approved.
    • Under CCDB, the powers taken by government would include the power to require that a specific device is used and installed directly on the network.
  • National but distributed communications data database
    • Under existing arrangements, the databases of retained data are created and managed by the network operators themselves and there are no requirements for direct interoperability. The Home Office has been specifying, through the cost-recovery contract, that some network operators should provide online access to law enforcement via a secure extranet, and there is an ETSI standard for the hand-over format of communications data enquiries; there is, however, no existing capability to conduct relational searches across the databases held by different providers.
    • Under IMP, it was originally proposed that the network operators should transfer their communications data to a single national database, at the time of acquisition. This idea was quickly dropped due to widespread criticism, and by the time that IMP was sent out for formal public consultation the government’s preferred option was that network operators would run their own databases, but that there should be a requirement for interoperability to support cross-database searches. This was sometimes described as a “distributed” database.
    • Under CCDB, clauses 14-16 provide for what are called “filtering powers”, that could be used to require network operators to co-operate to reduce a large dataset resulting from a law enforcement enquiry down to a more limited set of more relevant results (“filtering”), that could only be obtaining by matching records in one operators database with those in that held by another. In effect, this also amounts to a power to require that searches can be conducted across different databases, a.k.a. a distributed database.

The draft Communications Data Bill proposes a number of other measures not consider under the Interception Modernisation Programme, especially in the form of additional safeguards for privacy. For example, a range of legacy legal powers for a wide range of public authorities to access communications data are repealed or limited, so that all public authorities wishing to access this data must use the modernised legal process. The government hopes that this may make the Bill more palatable to those with concerns that the balance between individual privacy and the needs of law enforcement are being tipped too far in favour of the surveillance state. However, from the point of view of the network operator wondering what it is going to have to do to comply with the new requirements, CCDB appears similar to IMP in its main essentials.

Welcome to the new boss, just the same as the old boss.

Further reading

  • Zoe O’Connell speculates about how the Home Office might require ISPs to employ man-in-the-middle attacks to access encrypted communications
Posted by malcolm on Thursday, June 14th, 2012 at 12:37 pm. RSS feed for comments on this post.Both comments and pings are currently closed.

Comments are closed.

« Green Paper on Communications Bill cancelled
ICANN reveals new gTLD applications »
Choose from Full RSS or comments RSS feeds.
LINX Public Affairs is powered by WordPress and delivered to you in 0.169 seconds.
Designed by Matthew and built from Kubrick. Administrator login and new user registration.