The Joint Committee on the UK government’s Draft Communications Data Bill, which aims to expand existing internet snooping laws by forcing ISPs into logging a much bigger and more accessible slice of your online activity, has published a full summary of all the written evidence submitted to its inquiry.
The existing law requires internet providers to maintain a very basic log of their customers’ internet and email accesses (times, dates and IP addresses) for 12 months, which does NOT include the content of your communication and only occurs after a specific request is made to the ISP (most ISPs already keep simple short-term logs).
By comparison, the new law threatens to expand those access logs to collect even more detail (e.g. chat logs for online games, Skype call logs etc.) and would also aim to make them more accessible to “the police and others with powers to intercept”. This could result in security services being given almost real-time access to the ISP’s database, though a court order / police warrant would still be required (full summary of the new bill).
Sadly there are far too many responses for an easy summary of the colossal 447-page document, and in any case most will be more interested in the Inquiry’s eventual conclusions. So, with a focus on the feedback from ISPs, here are a few choice quotes from the various replies.
We believe that the current regime performs fairly well … [but] a great deal of uncertainty surrounds the [new] proposals and the main changes should be viewed as significant extensions to current capabilities.
Industry needs clearer and more detailed information on what the proposals will actually mean in practice for different CSPs. They will have a significant impact on how the UK Internet is run and our members need to fully understand how this will affect them.
The draft Bill contemplates the collection of a large amount of personal communications data. Both the volume and range of data to be collected are unprecedented in the UK, and probably in the world.
The collection and processing of “third party” communications data by network operators is a substantial extension of their duties that is, in our opinion, materially distinct from existing data retention requirements, amounting to a complete novelty.
In our analysis the “filtering arrangements” provided for in clauses 14‐16 are best understood as a “profiling engine” which creates detailed profiles on all users of electronic communications systems and makes those profiles available for sophisticated data mining.
In our opinion this profiling engine amounts to an enormously powerful tool for public authorities. Its mere existence significantly implicates privacy rights, and its extensive use would represent a dramatic shift in the balance between personal privacy and the capabilities of the State to investigate and analyse the citizen.
Telefónica UK (O2) Statement
TUK takes the privacy and security of its customers’ data extremely seriously and has always responded responsibly and in a timely fashion to lawful, authorised disclosure requests regarding its own customers. The widening of the scope to include TUK’s own customers’ data that may not currently be held for business purposes appears to be a reasonable extension of today’s powers. Widening the scope to ANY data that happens to traverse our network does not.
TUK is currently not convinced that all providers of UK communications will be treated equally and fears that UK based providers may find themselves disadvantaged by this Bill.
Virgin Media Statement
At this stage, our primary concern with the draft Bill as it stands relates to the retention requirements on providers not previously caught by data retention requirements and the requirement for UK providers to retain data of these providers. Virgin Media currently enjoys good working relationships with a range of third parties, both domestically and internationally. In many cases, Virgin Media makes their applications and services available to its customers through, for example, its TiVo service. If Virgin Media is legally obliged to provide data from such third parties, this may well damage its commercial relationship with those parties and other third parties, particularly those based overseas who may be reluctant to make their services available to Virgin Media.
Virgin Media is also concerned to ensure that there is a level playing field for all data holders covered under the legislation. The legislation must be underpinned by a robust Code of Practice which sets out the process that is required for all third party data requests. Virgin Media and other UK based communications providers’ obligations to supply third party data should be seen as a last resort, only exercised once the third party in question has rejected the request. Once the Code of Practice is in operation Virgin Media recommends that it is kept under review and regular Parliamentary scrutiny to ensure the appropriate checks and balances remain effective.
It’s well worth reading through all of the responses if you have the time; we especially recommend the UK Internet Service Providers Association (ISPA) feedback, as they break all of the various points down into constructive and manageable chunks.
Similarly, it was interesting to see Virgin Media raise a somewhat unique point about the bill’s impact on their commercial relationships (above).
Draft Communications Data Bill Written Evidence (PDF)