It felt a bit like I was having one of those *slaps head* kind of days yesterday when it was revealed the current UK coalition government – who combined to vote down the previous Labour government’s stupid plans to extend current data retention rules to allow the intelligence services to monitor in ‘real time’ all our personal browsing, email and call data interactions – are now about to bring forward plans to do exactly the same thing. Amazing what a little bit of power does, isn’t it?
Now the Labour government’s plans – announced back in May 2008 – were for a Communications Data bill, the purpose of which was to “allow communications data capabilities for the prevention and detection of crime and protection of national security to keep up with changing technology by providing for the collection and retention of such data – including data not required for the business purposes of communications service providers; and to ensure strict safeguards continue to strike the proper balance between privacy and protecting the public.”
The then government claimed the bill was essentially just to implement those parts of the EU Data Retention Directive that it had yet to implement. The Data Retention (EC Directive) Regulations 2007 were the UK’s implementation of the EU Data Retention Directive with respect to fixed network and mobile telephony. However, the UK made use of a derogation to postpone the application of that Directive to the retention of communications data relating to internet access, internet telephony and internet e-mail until 2009 (indeed the Data Retention (EC Directive) Regulations 2009 were published and replaced the 2007 regs in 2009). This bill was meant to achieve that. However, it was noticeable for the fact that it was a bill and not just a statutory instrument. Had their intention been to merely extend those aspects of retention already covered in the 2007 regulations to cover email and the internet, they need merely have introduced amending regulations. The fact that they were choosing not to signalled to many that they planned to push well beyond what is required by the Directive. And it soon became clear that their master plan included creating a central database to store all this information.
The plans were eventually shelved, thanks to the efforts of large numbers of Tory and Lib Dem MPs.
It sounds like we are about to head down that very same road.
So, what are we actually talking about?
The 2009 regulations cover fixed, mobile and e-mail telephony, communications over the internet and email data, and oblige ‘notified’ communication service providers (CSPs) to retain ‘location’ and ‘traffic’ data for 12 months from the date of communication. This is any electronic and traffic data that might identify the sender and recipient of the communication, the date and time of the call or e-mail, and the geographical location (and direction of travel) of users. [The Directive allows for retention for periods of not less than six months and not more than two years from the date of the communication – so the UK government has an extra year by which they can extend current obligations under the Directive.]
So does this apply to all UK ‘communications service providers’?
No one knows. Well, when I say no one, the government knows but they won’t share this information. Under the Regs, section 10 states that the Secretary of State must give ‘communications service providers’ written notice and this can be given or published in a manner the Secretary of State considers appropriate:
Data retained by another communications provider
(1) These Regulations do not apply to a public communications provider unless the provider is given a notice in writing by the Secretary of State in accordance with this regulation.
(2) The Secretary of State must give a written notice to a public communications provider under paragraph (1) unless the communications data concerned are retained in the United Kingdom in accordance with these Regulations by another public communications provider.
(3) Any such notice must specify—
(a) the public communications provider, or category of public communications providers, to whom it is given, and
(b) the extent to which, and the date from which, the provisions of these Regulations are to apply.
(4) The notice must be given or published in a manner the Secretary of State considers appropriate for bringing it to the attention of the public communications provider, or the category of providers, to whom it is given.
Now, the manner appropriate is ‘in secret’ it seems. Back in 2009 the excellent UK FOIA requests – Spy Blog sent a Freedom of Information request to the government asking for a list of who had been sent notices. The Home Office duly declined to reveal any names and said they didn’t have to under the exceptions in Section 31(1) and (2), that disclosure under this Act would, or would be likely to, prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the operation of the immigration controls; and Section 43(2), that the information, if disclosed, would be likely to prejudice the commercial interests of any person (including the public authority holding it). The Blog appealed but the Information Commissioner agreed that this latter argument was a valid one, concluding that the Home Office had demonstrated a real or significant likelihood of prejudice resulting to the commercial interests of third parties – the ISPs and telecoms companies etc – through the disclosure of the information in question.
Which brings us back to the current government’s new proposal – the details of which, it seems, will not be fully revealed until the Queen’s speech. This comes at a time when countries such as Germany, Romania and the Czech Republic have had their attempts to implement the directive declared unconstitutional by their courts and whilst the European Commission is still reviewing the effectiveness of the Data Retention Directive. Back in April of last year it published an Evaluation Report on the Directive where it concluded that retained telecommunications data play an important role in the protection of the public against the harm caused by serious crime, and that despite needing a few tweaks, the directive was fine. It found:
• Most Member States take the view that EU rules on data retention remain necessary for law enforcement, the protection of victims and the criminal justice systems. As criminal investigation tools, the use of data related to telephone numbers, IP address or mobile phone identifiers have resulted in convictions of offenders and acquittals of innocent persons.
• Member States differ in how they apply data retention. For example, retention periods vary between 6 months and 2 years, the purposes for which data may be accessed and used, and the legal procedures for accessing the data, vary considerably.
• Given that the Directive only seeks to partially harmonise national rules, it is not surprising that a common approach has not emerged in this area. The overall low level of harmonisation can however create difficulties for telecommunication service providers and in particular smaller operators. Operators are reimbursed differently across the EU for the cost of retaining and giving access to data. The Commission will consider ways of providing more consistent reimbursement of the costs.
• Data retention represents a significant limitation on the right to privacy. Whilst there are no concrete examples of serious breaches of privacy, the risk of data security breaches will remain unless further safeguards are put in place. The Commission will therefore consider more stringent regulation of storage, access to and use of the retained data.
However, a closer reading of the actual report showed that the Commission neither sought nor was provided with any evidence by member states that the extra data retained under the Data Retention Directive was either necessary or useful. No questions were asked about whether cases would have been solved anyway regardless of the access to the data. The report states ‘reliable quantitative and qualitative data are crucial in demonstrating the necessity and value of security measures such as data retention’. It then goes on to say how the data they received was different from every member state, some breaking down the data, others just providing numbers of requests for data, some providing no data at all, essentially making any real assessment of the usefulness and effectiveness of the Directive impossible.
What the figures did show was that, even from the high-level data received, 90% of data requested was from six months or less, with 70% for three months or less.
Peter Hustinx, the European Data Protection Supervisor (EDPS), in turn responded to this in May 2011, stating that the Commission’s own evaluation had failed to demonstrate the necessity of retaining data on such a large scale in view of the rights to privacy and data protection, or that such a measure is necessary and proportionate, and that the quantitative and qualitative information provided by the Member States is not sufficient to draw a positive conclusion on the need for data retention as it has been developed in the Directive.
A further leaked letter in December last year showed that the Council of Ministers were looking to find any means to demonstrate the effectiveness of the regime and possible areas for expansion such as bringing instant messaging, chat, uploads and downloads into the scope of the directive.
The current government will likely avoid the stupidity of Labour’s suggestion of a central database and will instead just increase the burden and potential costs of the communications service providers themselves. It will likely push for 2 years’ retention of data and will also likely extend the scope of data covered and who can access it – this in another mess of a law, the Regulation of Investigatory Powers Act (RIPA) that has suffered from so much function creep that it should have been renamed the FCIPA.
The proposal, when it comes, will also need to be addressed in the light of the Coalition Agreement – essentially the current government’s manifesto. In that they stated: “We will implement a full programme of measures to reverse the substantial erosion of civil liberties and roll back state intrusion” and “We will end the storage of internet and email records without good reason”.
If what we are told about the upcoming proposal is true, then it would seem to be an erosion of civil liberties and an increase in the storage of internet and email records for exactly the same reason the last government had.
If the proposals do attempt to give the intelligence services unfettered access to all our communications, without a warrant, and in real time, what we would have is a police state.
I will probably come back to this topic in the coming months. For now, I’ll end with former shadow home secretary, and Conservative MP, David Davis.
“It is not focusing on terrorists or on criminals, it is absolutely everybody,” he told the BBC this morning. “Historically governments have been kept out of our private lives. Our freedom and privacy has been protected by using the courts by saying ‘If you want to intercept, if you want to look at something, fine, if it is a terrorist or a criminal go and ask a magistrate and you’ll get your approval’. You shouldn’t go beyond that in a decent, civilised society but that is what is being proposed.”
He is right.