UPD UK Government Publishes Details of its Draft ISP Internet Snooping Law

The government has today published a first draft of the Home Office’s revived Communications Data Bill, which seeks to expand the United Kingdom’s existing internet snooping laws (data retention) and force ISPs into logging a much bigger slice of everybody’s online activity (e.g. Skype access); irrespective of whether or not you’ve committed a crime.

The existing Regulation of Investigatory Powers Act 2000 (RIPA) and EU Data Retention Directive already requires broadband providers to maintain a very basic log of their customers internet and email accesses (times, dates and IP addresses) for 12 months, which does NOT include the content of your communication and only occurs after a specific request is made to the ISP (though most ISPs already keep simple short-term logs). The Home Office currently claims to receive half a million requests to intercept communications data every year.

By comparison the new bill (aka – Communications Capabilities Development Programme) has been widely expected to expand this by requiring ISPs to develop real-time access for logs of activity on social networking sites (e.g. Facebook, Twitter), online video games (e.g. World of Warcraft chat logs), Instant Messaging (e.g. MSN) and internet phone services (e.g. Skype). These logs would effectively be mandatory and not voluntary.

What does the new bill actually say?

The 123 page long bill itself replaces the dozens of currently available powers with a single piece of legislation and is thus a complex and extensive document that covers many areas. It is “estimated to lead to an increase in public expenditure of up to £1.8 billion over 10 years,” although some recent reports suggested that it might actually run into hundreds of millions, instead of close to the £2bn originally estimated. Regardless the bill itself continues to mention a figure of £1.8bn and anticipates that this will ultimately be outweighed by a benefit of £5bn – £6.2bn over the same period (it’s not clear how that was calculated).

ISPs can apparently expect to be “reimbursed for any costs of complying with [the] legislation“, yet few expect the government to fully honour this commitment. Similarly the government will not require every ISP to maintain the logs and an obligation would only be imposed “after detailed discussion and ministerial sign-off” (i.e. the biggest ISPs, such as BT, will have to comply but smaller ones might escape.. for now). It will be interesting to see whether or not people simply swap to smaller providers (many people already know how to avoid the snooping anyway).

Crucially ISPs can appeal to a technical advisory board under dispute procedures “if they feel requests made of them are unnecessarily onerous,” although in reality most ISPs would be poorly placed to make a judgement about such requests and thus it will be interesting to see whether this makes any tangible difference.

Home Secretary, Theresa May, said:

“Communications data saves lives. It is a vital tool for the police to catch criminals and to protect children.If we stand by as technology changes we will leave police officers fighting crime with one hand tied behind their backs.

Checking communication records, not content, is a crucial part of day-to-day policing and the fingerprinting of the modern age – we are determined to ensure its continued availability in cracking down on crime.”

Restrictions

Theresa May has also been quick to point out that the new bill “will not enable unfettered access by the police to data about everyone’s communications“, require the creation of a new central government database to store all of its data (this idea was dropped three years ago anyway) or “provide the police and others with powers to intercept and read your emails, phone calls or check your contacts lists” (i.e. content of the communication).

Indeed the government are adamant that their bill will NOT “weaken current safeguards or checks in place to protect communications data” or “allow local authorities greater powers“. But clearly not everybody agrees.

ISPAs Secretary General, Nicholas Lansman, said:

“ISPA has concerns about the new powers to require network operators to capture and retain third party communications data. These concerns include the scope and proportionality, privacy and data protection implications and the technical feasibility.

Whilst we appreciate that technological developments mean that Government is looking again at its communications data capabilities, it is important that powers are clear and contain sufficient safeguards.

We welcome the additional scrutiny the Bill will face in parliament and we will be seeking to address our key points during this process. ISPA will be working closely with its members over the coming months to ensure that the full breadth and range of industry is heard. We want to ensure that the proposals are clear, proportionate and fit for purpose.”

Jim Killock, Executive Director of Open Rights Group, said:

“The government’s notes confirm that this is exactly what we expected: black boxes to intercept people’s traffic data, and poorly supervised police powers to get access to it.

Bluntly these are as dangerous as we expected, and represent unprecedented surveillance powers in the democratic world. China and Iran will be delighted.”

Access to the data

The bill states that communications data held by an ISP can only be accessed when authorised in law under the Data Protection Act 1998 or in pursuance of a court order / police warrant. Crucially it’s stated that senior “local authority” figures can no longer grant an authorisation for obtaining Traffic Data or “any communications data generated by a telecommunications operator“, unless the ISP specifically consents to it (note: the authority will usually still need to gain judicial approval first).

This still leaves access rights in the hands of Theresa May and the UK security services, which gives the government quite a bit of power to snoop.

What content will it cover?

At this point the bill starts to get a little more complicated and becomes difficult to simplify, although it defines three primary types of communications data – Traffic Data, Subscriber Data and Use Data. Suffice to say that the bill’s explanation for all of this covers many areas, largely as alluded to in the opening paragraphs, although they are still broadly focused on access logs rather than the content of your communication.

Naturally “Subscriber Data” is simply the personal details of an ISP or telephone operator’s related customer / client. The others are defined as follows.

“Traffic data” means data—

(a) which is comprised in, attached to or logically associated with a communication (whether by the sender or otherwise) for the purposes of a telecommunication system by means of which the communication is being or may be transmitted, and
(b) which—
(i) identifies, or purports to identify, any person, apparatus or location to or from which the communication is or may be transmitted,
(ii) identifies or selects, or purports to identify or select, apparatus through which, or by means of which, the communication is or may be transmitted,
(iii) comprises signals for the actuation of apparatus used for the purposes of a telecommunication system for effecting (in whole or in part) the transmission of the communication,
(iv) identifies, or purports to identify, the time at which an event relating to the communication occurs, or
(v) identifies data as comprised in, attached to or logically associated with the communication. The references in this subsection to a telecommunication system by means of which a communication is being or may be transmitted include, in relation to data comprising signals for the actuation of apparatus, any telecommunication system in which that apparatus is comprised.

(3) Data identifying a computer file or computer program access to which is obtained, or which is run, by means of the communication is not “traffic data” except to the extent that the file or program is identified by reference to the apparatus in which it is stored

“Use data” means information—

(a) which is about the use made by a person—
(i) of a telecommunications service, or
(ii) in connection with the provision to or use by any person of a telecommunications service, of any part of a telecommunication system, but
(b) which does not (apart from any information falling within paragraph (a) which is traffic data) include any of the contents of a communication.

Readers of ISPreview.co.uk are likely to be most interested in Traffic Data as that covers most of what the new bill will log in terms of your online activity. The coverage is fairly broad, albeit once again avoiding the actual content of your communication (e.g. the subject line of an e-mail or the email message itself).

However the bill does mention that it considers “website addresses” to be part of its remit, yet does not clearly define whether this is just an IP address, domain or includes full URLs (the latter is unlikely but not fully ruled out). This could be highly controversial because web addresses can contain sensitive personal data like names and phone numbers (e.g. http://example.com/signup.php?name=bob_riley&phone=12345), which would normally occur as part of a private process but could be logged.

Overall the new bill, which will be debated by ministers and peers prior to a report in November 2012, still risks running contrary to the coalition governments own May 2010 commitment to “end the storage of internet and email records without good reason“, which has now become a somewhat ironic reference to the previous Labour government’s seemingly identical (Interception Modernisation Programme).

Not to mention that the now Prime Minister, David Cameron, said before the general election that “if we want to stop the state controlling us, we must confront this surveillance state“. Perhaps “confront” was a mistype for “expand“.

Draft Communications Data Bill (PDF)
http://www.official-documents.gov.uk/document/cm83/8359/8359.asp

UPDATE 15th June 2012

Some new comments have come in that are worth reading, added below.

Chris Rogers, Operations Director at ISP Fluidata, said:

“Since the Queen’s Speech last month we’ve heard a lot of complaints from ISPs about how much the proposed Communications Bill is going to cost them and how it’s going to invade privacy. The draft legislation released today makes it clear the government will fund the work that needs to be carried out to comply with the legislation, so ISPs shouldn’t be out of pocket, but the taxpayer will be.

The draft also has a lot of content about safeguards, and these are more robust than those afforded by the 2000 RIPA legislation and shouldn’t represent any more of a threat to most online users or their privacy. But we have to wonder how effective it will be in catching serious criminals, as there will always be ways for determined people to get around the system. People will seek to encrypt their activities online, or hack into other networks in order to communicate from there, making themselves untraceable.

Of course the draft does bring the existing snooping powers into the current day, tackling data communications over a wide range of methods including social messaging, VoIP and gaming platforms. In the fight against crime most people would agree that is a sensible update to the law, but the government hasn’t done a very good job in allaying public fears or dispelling the rumours and misconceptions so far.

Obviously police forces need to be able to investigate effectively, but the question remains will what is being proposed actually help catch serious crime or will it instead alienate the majority of innocent users? There is also the nagging fear that powers granted are the ‘thin end of the wedge’. Once the systems are in place to collect, log and analyse data then it is easier to later relax safeguards, or revisit the centralised government database plan. As an industry we need to watch the situation closely and ensure that none of the safeguards are watered down or dropped by parliament in the new legislation. But regardless, once powerful snooping systems have been deployed they could end up being the building blocks for all-seeing snooping in the future.”

John Wotton, Law Society President, said:

“The proposals are highly intrusive and raise important legal and technical concerns. The plans, if enacted, will mean organisations being compelled to collect information about their users that they wouldn’t have previously had a reason to capture, using technology mandated by and for the purposes of the Home Office.

There are practical concerns with the provisions as well. They must be workable and proportionate. However, the Information Commissioner’s Office has, for example, already pointed out that in order to ensure the security and destruction of retained personal information it will need enhanced powers and additional resources. Such practical considerations are fundamental to making a reality of legal rights.

There are some aspects of the Draft Communications Data Bill that we welcome. It is encouraging to see the recognition of the principle that prior judicial approval should be obtained before certain authorisations to obtain the data take effect. This safeguard may need to be extended and further thought given to ensuring that confidential communications between solicitors and their clients are protected from disclosure.

We agree with the Home Secretary’s comment that the provisions in the Bill need to be “fully considered and understood” before the formal legislative process begins and we are therefore encouraged that it will be subject to pre-legislative scrutiny by a Joint Committee of both Houses. We hope that this will be a rigorous and wide-ranging exercise to which the Law Society and its members can contribute.”