
Government Responds to UK Internet Snooping Law Consultation

Wednesday, July 11th, 2018 (1:36 pm)

The Government has today published its response to the recent consultation on proposed amendments to the controversial 2016 Investigatory Powers Act, which among other things would force broadband ISPs to log the Internet Connection Records (ICR) of all their customers for up to 12 months.

Interestingly, today’s response and proposed amendments consider the outcome of three rulings against related legislation. This includes a 2016 ruling by the Court of Justice of the European Union (CJEU), which found that EU law does not allow “general and indiscriminate retention of traffic data and location data,” except for “targeted” use against “serious crime”.

On top of that, the Government said it has now also considered two recent rulings, which include an April 2018 verdict by the High Court of Justice (Queen’s Bench Division) that found part of the new IPAct to be unlawful.

The High Court essentially agreed that Part 4 of the IPAct is incompatible with fundamental rights in EU law because in the area of criminal justice: (1) access to retained data is not limited to the purpose of combating “serious crime”; and (2) access to retained data is not subject to prior review by a court or an independent administrative body.

At the time the court told the government to amend its law by 1st November 2018. As part of that they were told to change the law to require prior review by a court or independent administrative body and – in the context of crime-fighting – to only allow access to data for purposes of combating “serious crime.” Sadly this doesn’t stop the data collection itself due to the case only focusing upon access to the data (a separate case may challenge that).

The new document, which was published today but dated for June 2018, provides both an overview of the representations received during the consultation period and the Government’s response to them, and outlines the changes that will be made as a consequence of these comments, and the next steps. The key paragraphs are as follows.

Restriction to serious crime

We received a number of responses to the consultation that were supportive of our proposed definition of serious crime for use solely in the communications data context, including the proposed removal of three statutory purposes. There was also recognition of the essential role communications data plays in a broad range of investigations, for instance domestic abuse cases, where offending may quickly escalate in terms of seriousness and risk of harm to the victim. However, the majority of respondents who commented on that proposal considered that an offence for which an adult was capable of being sentenced to six months imprisonment was not sufficiently serious to merit being described as ‘serious crime’, and therefore did not meet the requirements of the judgement.

Some respondents misinterpreted the existing regime, believing that all communications data requests must already be for serious crime purposes, and that our proposal would therefore lower the existing threshold. The Act currently permits communications data to be retained and acquired for the purpose of preventing or detecting crime or preventing disorder, rather than being restricted to serious crime. The intention we laid out in the consultation document is to introduce an additional serious crime threshold which is relevant solely in the context of the retention and acquisition of communications data. This remains our intention. It is recognised that communications data is a less intrusive capability than others provided for by the Act, such as interception of communications, and the types of investigations in which it plays a vital role can carry shorter lengths of prison sentence. As was stated in the consultation document, in some circumstances, such as where the criminality takes place online, communications data may be the only way to progress an investigation. This change does not affect the serious crime threshold for other powers in the Act as some respondents feared.

Respondents made suggestions for how the proposed serious crime definition could be tightened, for instance by defining the exact type of crimes covered, or by increasing the minimum prison sentences available for certain crimes to the three year threshold provided in section 263 of the IPA. It would not be right to inflate sentencing thresholds in this way, as each sentencing threshold should be an appropriate punishment for the crime, not appropriate to the use of a particular investigative technique. In addition to this, as sentencing for different crimes is set out in the relevant statutory framework, to increase the minimum sentences for each offence would require each piece of legislation to be amended. This is not a feasible approach.

We have, though, listened to the concerns expressed by respondents that our proposed serious crime threshold in the communications data context was too low.

Therefore in the regulations that have been laid before Parliament, we have increased the crime threshold for which events data can be acquired to crimes for which a person is capable of receiving 12 months in prison. This will mean data cannot be acquired for the investigation of crimes where a person is not capable of being sentenced to 12 months imprisonment. Depriving a person of their liberty by handing down a prison sentence is, of course, a serious issue.

We also understand the concerns that respondents expressed about the broad spectrum of seriousness that could be captured within the serious crime definition we are proposing for communications data acquisition. For example the offence of theft carries a maximum sentence of 14 years but also includes more low level offences such as shoplifting. To address such cases we have set out explicitly in the code of practice the considerations that must be addressed by public authorities when considering whether the crime is sufficiently serious to justify the acquisition of such data. This makes clear that relevant public authorities should also consider factors such as the particular circumstances of the case, the offender, the impact on the victim, the harm suffered, and the motive of the crime in order to demonstrate that the acquisition of communications data is proportionate.

Of course it will still only be possible to acquire communications data on a case-by-case basis, and only where the officer authorising the application considers that it is necessary and proportionate in that specific case. In the future this decision will, in the vast majority of cases, be made by the independent Office for Communications Data Authorisations once it is established.

One respondent was concerned that removing ‘for the purpose of protecting public health’ might affect the investigation of infectious diseases, including where there is a serious epidemic. The Government is content that in such circumstances where it is necessary and proportionate to acquire communications data, the ‘purpose of preventing death or injury or any damage to a person’s mental or physical health, or of mitigating any injury or damage to a person’s physical or mental health’ would be sufficient and that there will not, therefore, be damage to public health resulting from this change.

One respondent expressed concern at removing ‘tax evasion from the list of reasons for the collection of data’. It is important to be clear that criminal offences relating to tax evasion attract a maximum sentence above the proposed 12 month threshold and therefore the removal of the tax purpose will have no impact on HMRC serious criminal investigations into tax evasion.

Scope and permissibility of the regime

There was general consensus amongst respondents that an EU Member State’s data retention regime should not be general and indiscriminate, in accordance with the requirements of the CJEU judgment. For the reasons laid out in the consultation document, we believe that our existing regime meets the requirements of the judgment in this area, and we will be making no further amendments to our proposals in this respect.

In the recent challenge to Part 4 of the IPA, the High Court ruled that “it could not possibly be said that the legislation requires, or even permits, a general and indiscriminate retention of communications data”, rejecting the claim that it is inconsistent with EU law because it provides for the general and indiscriminate retention of communications data. The High Court was therefore clear that the existing regime is consistent with EU law in this regard and is not general and indiscriminate.

Broadly speaking the government appears to stick to their earlier proposed amendments to the IPAct and makes a few more tweaks, although it’s not yet clear whether this will be enough to satisfy opponents. In any case the revised regulations and code of practice have now been laid before Parliament for debate and approval.

Future legal challenges are also being proposed by Liberty in order to tackle the rules that allow the state to hack our computers, hoover up information about who we speak to, where we go, and what we look at online, and collect profiles of individual people even without any suspicion of criminality.

By Mark Jackson
6 Responses
  1. NE555

    Has anyone defined what an “Internet Connection Record” actually is?

    Is it just a record of when your broadband router connected to the Internet and what IP address you were assigned? Is it DNS query logs? Logs of individual TCP or UDP sessions (like Netflow)? Deep packet inspection, revealing things like TLS SNI hostname?

    Of those, only the first (in the form of RADIUS accounting logs) is something the ISP might already be collecting for operational and billing reasons. Everything else would require additional and explicit capturing and logging of traffic.

    • timeless

      I’m pretty sure it was along the lines of every domain we visited, and that they were also calling for a back door into encrypted services like WhatsApp etc that end to end encrypt communications.

      I believe I remember one MP who really wants the snoopers charter to go ahead said something along the lines of “the public shouldn’t be able to communicate using services we can’t access”, but let’s be honest here, it’s not about not having anything to hide, it’s about privacy, if a crime were committed by all means investigate, if not it doesn’t matter how boring one’s internet history is.. if you have done nothing wrong you shouldn’t be spied upon, after all the more information one acquires the more likely it is to be hacked from central databases.. and weakening encryption so the government has a back door… that’s just beyond stupid, that’s just asking to be hacked.

    • Mike

      I’m just going to continue using a VPN, it’s obvious to me what their intentions are, they want everything.

    • NE555

      My point is: unless the law defines what an “Internet Connection Record” actually is, then it’s ridiculous. There is no technical definition of such a thing (with the possible exception of the RADIUS accounting record). Does it mean whatever the Home Secretary of the day wants it to mean? In that case it’s a licence to collect everything, down to individual packets if they want.

  2. Mark Edgar

    We should look at this issue another way.

    We need accountability, traceability & security in society.

    Let everyone using the internet use U2F security tokens linked to our UK passports.
    This way we can be secure and at the same time protect ourselves & society.

    Every transaction of any value would need this digital signature provided by the security token.
    Age proof, etc would be covered here also as this would work for all ages.
    All access control could use this, even banks and doors.

    Then we don’t have to say what is in our parcel at the post office, it is accountable to us. If any law is broken regarding the package then you are accountable.

    To date no one has broken U2F hardware remotely.

    So it’s not snooping we should think about, it’s a log of all transactions with traceability in society.

    This would change society & security for all benefit.

    When we cannot get away from big brother, we must embrace it 100%

    If all are accountable, this would include the 1%

    The end of the black market.
