The Joint Committee responsible for conducting pre-legislative scrutiny of the UK government’s Draft Communications Data Bill, which threatens to expand internet snooping laws by forcing ISPs into logging a bigger and more accessible slice of your online activity, has today described the proposed new laws as “overkill” and called for them to be “significantly amended”.
The existing laws already require broadband ISPs to maintain a basic log of their customers’ website and email accesses (times, dates and IP addresses) for up to 12 months, which does NOT include the content of your communication and only occurs after a specific request is made to the ISP (most ISPs already keep simple logs). In other words, the data collected covers who was contacted, for how long and how often but not what was said.
But the new Communications Capability Development Program (CCDP), which could cost £1.8bn to implement over a 10-year period and is initially expected to be imposed on six or seven of the market’s biggest ISPs, threatens to expand the logs to collect access details for more services (e.g. Skype calls and online chat logs but not the content itself). The new rules would also aim to make such logs more accessible to “the police and others with powers to intercept” via a “Request Filter” (this suggests some form of central database might still be needed), which could be done on a potentially real-time basis.
The government has pledged to help compensate ISPs for introducing the scheme but many doubt their sincerity and others fear that any cost overruns would end up being borne by broadband subscribers (a Lib Dem lawyer, Lord Marks QC, recently warned that it could potentially overrun from £1.8bn up to £9.3bn), which could push internet service bills through the roof. Meanwhile the Home Secretary, Theresa May, courted controversy last week after suggesting that the Bill’s opponents were “putting politics before people’s lives”.
Thankfully a court order or police warrant is still required and none of this would include the actual content of your communication. But civil liberties campaigners, ISPs and politicians alike have all expressed concern about the scope of the updated proposals, their cost and their practicality, which is reflected in the new report.
Lord Blencathra, Chair of the Joint Committee, said:
“There needs to be some substantial re-writing of the Bill before it is brought before Parliament as we feel that there is a case for legislation, but only if it strikes a better balance between the needs of law enforcement and other agencies and the right to privacy.
There is a fine but crucial line between allowing our law enforcement and security agencies access to the information they need to protect the country and allowing our citizens to go about their daily business without a fear, however unjustified, that the state is monitoring their every move.
Whilst the Joint Committee realise that there are specific data types which are not currently available, and which would aid the work of law enforcement bodies and the security services, we are very concerned at how wide the scope of the Bill is in its current form.”
The report specifically calls for Clause 1 of the draft bill, which currently gives the Home Secretary “sweeping powers to order the retention of any kind of communications data by any [ISP]”, to be “narrowed” and supported by additional “safeguards” to prevent abuse.
Lord Blencathra added:
“We can see only three types of data that are not currently being collected which we know could aid the work of law enforcement and other agencies: data matching IP addresses to specific users, data showing which internet services a user has accessed and data from overseas [ISPs] providing services in the UK.
A new Bill should also be drafted in such a way as to give Parliament the opportunity to vote on issues such as whether [ISPs] should have to collect subscriber data relating to IP addresses and data showing which internet services a user has accessed.”
Blencathra also called for a second and “much better consultation” with industry, technical experts, civil liberties groups, public authorities and law enforcement bodies, which should take place before any new bill is introduced. It also warned that “fewer public authorities should be able to access communications data”.
The Committee’s Other Key Recommendations
* The Bill should include new definitions of communications data, that are narrower in scope, draw a clearer line between data and content and will stand the test of time; the current internal authorisation process for accessing communications data should be strengthened and enshrined in primary legislation, a specialist, centralised service should be established;
* The Interception of Communications Commissioner should scrutinise more closely the use of communications data, his annual reports should be more thorough and he should have more resources at his disposal. He should have a special role in supervising the operation of the new Request Filter which is essentially a federated database of all UK citizens’ communications data;
* Wilful or reckless misuse of communications data [should become] a specific offence that is punishable, where appropriate, by a prison term; and
* The costs of implementing the draft Bill are likely to be significant, the current estimates are not robust and a new cost benefit analysis must be published at the same time as any redrafted Bill, based on the Committee’s recommendations for wider consultation and narrower powers of the Bill.
Committee member, Dr Julian Huppert (Liberal Democrat), warned during September 2012 that the report was expected to “kill the bill” because it “simply can’t work”. However, today’s report doesn’t go quite that far, although it does make a surprisingly balanced case for the proposals to be scaled back and re-considered in a number of crucial areas.
The government’s deputy PM, Nick Clegg (Liberal Democrat), today supported the need for a new bill but warned that “the balance between security and liberty” must be got right first. Meanwhile the Home Office, which has previously put its full support behind the current bill, suggested that it was willing to “accept the substance of [all today's proposals]” but warned that the legislation itself could not be delayed; a somewhat conflicting position (some delay would surely be required in order to make any tangible changes).
A Home Office spokesman said:
“This legislation is vital to help catch paedophiles, terrorists and other serious criminals and we are pleased both scrutiny committees have recognised the need for new laws.
We have now considered the committees’ recommendations carefully and we will accept the substance of them all. But there can be no delay to this legislation. It is needed by law enforcement agencies now.”
Jim Killock, Executive Director of the Open Rights Group, said:
“The Committee heard extremely damning evidence criticising the draft Bill. The Home Office have behaved in a misleading fashion, exaggerating the evidence. We now need a complete review of surveillance law before any new legislation is considered.”
Many of the ISPs that we have spoken with continue to remain in the dark about precisely what would be required of them and have repeatedly called for more clarification. At the same time some ISPs, such as AAISP (Adrian Kennard), have warned that “anyone doing something they do not want seen can easily bypass any new laws”.
Indeed the new rules won’t impact the growing population of technically savvy criminals as they could simply mask their activities through encrypted VPNs or other methods (How to Keep Your Data Private and Browse the Internet Anonymously), which have become very easy to use. In other words the people most likely to be affected are ordinary innocent internet users.
It’s important to note that there were only two Lib Dems on the cross-party committee, with the rest being largely Labour and Conservative MPs. As a result it will be considerably harder for the government to simply ignore today’s report and thus some degree of amendment must surely now be inevitable.
Draft Communications Data Bill Joint Committee – First Report
The Intelligence and Security Committee (ISC) has also completed its own inquiry into the related bill, which perhaps unsurprisingly appears to welcome the proposals. One choice quote we came across was this one, which talks about requiring UK ISPs to adopt Deep Packet Inspection (DPI) technology to grab the needed data.
ISC Comment on ISP Data Collection
“The data which would be most useful to criminals and terrorists, and which therefore is most sensitive, relates to the individual data retention notices. These must not be made public, since they would reveal which companies’ services or applications can be used with the least risk of detection.
It is important for the Agencies that there is some means of accessing communications data from uncooperative overseas [ISPs]. The Government’s proposed solution appears capable of performing this role.
Whilst we recognise the UK [ISPs’] concerns, we believe they would be willing to co-operate in deploying Deep Packet Inspection technology to obtain third-party data. We are however sympathetic to their argument that the Home Office should have to demonstrate due diligence before resorting to the use of Deep Packet Inspection to collect communications data from overseas Communications Service Providers, and we recommend that this should be reflected on the face of the Bill.
We believe the Government has adopted a pragmatic approach to the issue of encrypted material. In the first instance, agreement should be sought with the [ISP] holding the communications data to provide it in an unencrypted form.”
ISPs certainly will “co-operate”, if given no other choice by law, although that doesn’t mean to say it’s something they are happy about doing.
Nicholas Lansman, UK ISPA Secretary General, said:
“ISPA gave written and oral evidence to the committee and agrees with the findings of the inquiry that the lack of detail around scope, safeguards, cost and lack of consultation mean that the Draft Bill needs to be looked at again to address these fundamental concerns. In its current form the lack of detail means that the Draft Bill falls short of balancing law enforcement requirements with the impact on business and privacy of users.”
Paul Heritage-Redpath, Entanet’s Product Manager, added:
“We welcome the recommendation that before further legislation is introduced there should be consultation with communication service providers – such as Entanet – of what is intended, why it is necessary and the specifics of how it will be done. We completely agree with the Joint Committee that “the Government, in imposing obligations on CSPs, should bear in mind the importance of preserving their competitiveness, and minimising damage to the reputation of the United Kingdom as an attractive base for conducting business.”
We do not agree that the proposal that we retain web logs up to the first “/” is necessary or proportionate for the detection of crime, on the basis that it can still show a pattern of behaviour of the end user, but do welcome the report’s acknowledgement that this is a controversial issue worthy of wider debate.”
The London Internet Exchange (LINX) has also given its reaction.
Malcolm Hutty, Head of Public Affairs for LINX, said:
“The Joint Committee has upheld criticisms that go to the heart of the draft Bill and told the government to go back to the drawing board. They have said clearly that next time the government should work much more openly with industry about their requirements and work closely with us. Any new legislation must be much more tightly scoped.”
The Prime Minister’s official spokesman has now pledged to “look at how we can redraft the legislation to take account of [the recommendations]”.