UPDATE6 Government Recycles UK ISP Internet and Phone Snooping Law

The government will today announce emergency legislation that many fear could be an amended version of its controversial RIPA or Communications Data Bill (CDB) which, before it was shelved for a second time, aimed to extend the United Kingdom’s existing internet snooping powers by requiring ISPs to log a much bigger slice of everybody’s online activity; regardless of whether or not you’ve ever committed a crime.

At present the existing laws (RIPA) already allow Internet providers to maintain a basic voluntary log of their customers website and email accesses (times, dates and IP addresses) for up to 12 months (this doesn’t include the content of your communication), which usually becomes active following a specific request to the ISP (e.g. a demand from the police).

But it’s feared that the new/recycled bill could mark a revival of an unpopular policy that seeks to expand ISP access logs by making them mandatory and collecting data for more services (but not the content of your communication), while potentially also making them easily accessible to both the police / security services and others with powers to intercept.

The original bill was shelved by the previous Labour government after stiff opposition and the second attempt by the current coalition Government, which was similarly criticised by privacy campaigners, politicians, Internet content giants (e.g. Google), the media and a pre-legislative scrutiny committee for being “overkill” and in need of a “substantial re-writing” (here), ended up being blocked by the Liberal Democrats (here).

Never the less the Home Secretary, Theresa May, believes that opponents of the CDB were “putting politics before people’s lives” and has long worked to bring it back to life. Indeed last year’s State Opening of Parliament, which followed the collapse of the previous bill, saw the Queen say, “In relation to the problem of matching internet protocol addresses, my government will bring forward proposals to enable the protection of the public and the investigation of crime in cyberspace” (here). However the situation this time around is a little bit more complex.

So what’s changed?

Crucially a recent ruling this year by the European Court of Justice (ECJ) found that the EU’s Data Retention Directive, which requires member states and their phone / Internet providers to keep a basic access log of all website, email and phone call activity for up to 2 years (similar to the UK’s RIPA law), was now considered “invalid” (here and here) because it breached the “fundamental right to respect for private life and the fundamental right to the protection of personal data” (i.e. Charter of Fundamental Rights of the EU).

The ruling effectively requires even the UK’s older Regulation of Investigatory Powers Act 2000 (RIPA) to be redrafted, although at the time of the ECJ’s decision the Government’s advice was for everybody to continue as though RIPA was still effective (a shaky position). But it now looks as if the ECJ’s ruling, coupled with the usual but sometimes legitimate scare tactics surrounding the threat of terrorism, is being used as a mechanism to keep RIPA alive and, possibly, to extend its remit by the backdoor and with only minimal debate.

David Cameron, UK Prime Minister, said:

“I’ll be explaining today why emergency legislation is needed to maintain powers to help keep us safe from those who would harm UK citizens.”

The previous attempts to introduce tougher snooping laws than RIPA have all failed due to the weight of opposition and so it’s not without some cynicism that we see the announcement of a new emergency law taking place today, the same day that the Chamber of the House of Commons will be quite sparse because MPs are on a “one line whip” and can return to their constituencies. A fortuitous coincidence for the Government, perhaps.

Tom Watson, Labour Party MP for West Bromwich East, said:

“Imagine how outrageous it would be [if] the government were to announce emergency legislation to an empty chamber. Imagine if that emergency legislation was to be introduced on Monday or Tuesday, with the intention of it slipping through the Commons and the Lords in a single day. Imagine if that Bill was the deeply controversial Data Retention Bill.

It’s a Bill that will override the views of judges who have seen how the mass collection of your data breaches the human rights of you and your family. Regardless of where you stand on the decision of the European Court of Justice, can you honestly say that you want a key decision about how your personal data is stored to be made by a stitch up behind closed doors and clouded in secrecy?

None of your MPs have even read this legislation, let alone been able to scrutinise it. The very fact that the Government is even considering this form of action, strongly suggests that they have an expectation that the few people on the Liberal Democrat and Labour front benchers who have seen this legislation, are willing to be complicit.”

A separate report in The Guardian further indicates that the Labour party has quietly agreed to allow the new or recycled legislation through, so long as there’s a future review of RIPA and it doesn’t go any further than to keep the existing laws alive. But this is perhaps beside the point since Labour was the first to table tougher legislation than RIPA. The bigger question is whether or not Cameron can persuade the leader of the Liberal Democrats and Deputy Prime Minister, Nick Clegg, to agree and most seem to expect that he will.

In fairness most of RIPA is reasonably balanced but many will still be watching to see how the redrafted text (if that’s what it ends up being) copes with the more recent question of mass surveillance by the security services. Last year the UK’s Government Communications Headquarters (GCHQ) was revealed by ex-NSA man Edward Snowden to have been tapping some of the world’s 10Gbps transatlantic fibre optic cable links (here and here), with the help of BT, Vodafone and others, in order to snoop on phone and Internet traffic.

Apparently GCHQ were only able to achieve this feat because of an obscure clause in RIPA that allows the government’s home or foreign secretary to approve related activity so long as one end of the snooped communication is abroad (i.e. international traffic). The ECJ ruling was particularly scathing of mass surveillance and so it will be interesting to see how the Government, which has shown no sign of stopping the activity, will adjust its wording.

We will update again later once the announcement is made (the Home Secretary is due to speak on communications data and interception before midday), although the full details aren’t anticipated to surface until next week. The law itself may only last until 2016 when permanent legislation may be needed to keep it going, which is of course after the next General Election.

UPDATE 9:36am

Downing Street has just released the following statement to confirm that the new emergency legislation, which is to be called the Data Retention and Investigation Powers Bill, will be announced today by both the Prime Minister and Deputy Prime Minister, apparently with “cross party agreement“. The update states that without these new rules ISPs would have been poised to start deleting their logs.

David Cameron, Prime Minister, said:

“It is the first duty of government to protect our national security and to act quickly when that security is compromised. As events in Iraq and Syria demonstrate, now is not the time to be scaling back on our ability to keep our people safe. The ability to access information about communications and intercept the communications of dangerous individuals is essential to fight the threat from criminals and terrorists targeting the UK.

No government introduces fast track legislation lightly. But the consequences of not acting are grave. I want to be very clear that we are not introducing new powers or capabilities – that is not for this Parliament. This is about restoring 2 vital measures ensuring that our law enforcement and intelligence agencies maintain the right tools to keep us all safe.”

The PM and DPM has also announced new measures to “increase transparency and oversight“, including the aforementioned sunset clause after 2 years.

The Additional Oversight and Transparency Measures:

• The Bill includes a termination clause that ensures the legislation falls at the end of 2016 and the next government is forced to look again at these powers

• Between now and 2016 we will hold a full view of the Regulation of Investigatory Powers Act, to make recommendations for how it could be reformed and updated

• We will appoint a senior diplomat to lead discussions with the American government and the internet companies to establish a new international agreement for sharing data between legal jurisdictions

• We will establish a Privacy and Civil Liberties Oversight Board on the American model, to ensure that civil liberties are properly considered in the formulation of government policy on counter-terrorism. This will be based on David Anderson’s existing role as the Independent Reviewer of Terrorism Legislation.

• We will restrict the number of public bodies that are able to approach phone and internet companies and ask for communications data. Some bodies will lose their powers to access data altogether while local authorities will be required to go through a single central authority who will make the request on their behalf.

• Finally, we will publish annual transparency reports, making more information publicly available than ever before on the way that surveillance powers operate.

UPDATE 12:07pm

The Government has posted a copy of the new Draft Bill (PDF). The form is very much about keeping RIPA alive and doesn’t appear to go beyond it, but we’ll need time to examine the text in full first.

Meanwhile the ISPA said in a tweet, “For our view, we support the clarity the Bill provides, but are worried about parliamentary time and want proper scrutiny of the issue.”

UPDATE 11th July 2014

It’s interesting to note that the DRIP Bill (we wonder if they knew that would be the short-hand?), appears to extend the definition of telecommunications services over RIPA by including this bit: “the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.” You could apply that to a lot of things, not just telecoms (network HDD storage, perhaps?).

DRIP also extends RIPA to non-UK entities, although it could be argued that RIPA’s original caveat for international traffic did much the same. Otherwise we note that the bill appears to be broadly rewritten in a way to limit the potential of EU legal challenges, which is of course no surprise given the context of its existence.

UPDATE 14th July 2014

The Government has just uploaded an Impact Assessment for the DRIP Bill, which naturally says more or less what they’d want it to say.

UPDATE 17th July 2014

The House of Lords Constitution Committee has accepted “the need urgently to legislate” but questions why it has taken so long for the Government to decide that it suddenly needed to fast-track the legislation and questions the Government’s claim that their bill “does not enhance data retention powers“. The committee notes that the bill actually appears to extend the existing powers (as above) and states that the situation is a “matter of concern“.

UPDATE 18th July 2014

As expected the DRIP Bill passed through the House of Lords without a vote and yesterday evening achieved Royal Assent, which means that it is now law (DRIP Act 2014). The act still contains a sunset clause, which means it will be repealed by the end of 2016, although by then there should be some sort of replacement and, given the recent events, we’d predict that the future law may be even stricter. Clearly nobody is too bothered about the ECJ ruling much of it illegal.

One very apt comment we picked up on from yesterday’s Lords debate came via the founder of Lastminute.com, Baroness Lane-Fox of Soho (Martha Lane-Fox).

Martha Lane-Fox said:

“Putting aside whether it is proper parliamentary process, this rush seems to highlight an issue of growing importance which we, as parliamentarians, face. I consider myself fairly digitally literate and yet I have struggled to understand the nuances that are informing this legislation. Whatever our political persuasion and whatever we feel about the subjects, we can all agree that these are complex areas which are understandably unfamiliar to many parliamentarians who are being asked to consider them. I felt as if I had a head start, yet I struggled to assimilate the different areas addressed in the Bill. As the noble Lords, Lord Knight and Lord Hodgson, demonstrated so effectively, even the meaning of metadata is complicated. Contrary to popular belief, it can very easily and quickly lead to individual identification.

Through no fault of their own, parliamentarians may well be making judgments on areas which are rapidly evolving and where technology is changing the art of the possible. For example, ways of intercepting and recording data that do not exist today will undoubtedly be invented. There are many products launching right now which will change the boundaries again. How do wearable technologies, such as Google Glass, which collect data fit into this new picture? It therefore makes me extremely nervous that Bills which require such deep technical expertise are given so little time.

The digital capability of the other place and of your Lordships’ House is something that will become more and more profoundly significant. All pieces of legislation will soon have aspects of technology at their core and our ability to scrutinise effectively will rely on a deeper understanding than currently exists. As someone from the digital sector, it is also disappointing to watch as legislation that directly affects that sector is so cursorily debated. It only goes to further people’s belief that neither House understands the modern world nor cares about their digital lives. It is a tough problem to crack, but may I suggest to the Minister that it would be interesting to consider a review of our own skills which might lead to some actions to improve them?”

In related news the chairman of BT, Sir Michael Rake, has told a London telecoms conference that the operator will not be releasing a Vodafone style transparency report on issues of surveillance. “We are not going to compare ourselves to Vodafone, which is an entirely different company, operating in different countries,” said Rake.