The new law, which may be announced in the forthcoming Queen’s Speech in May, will require Internet firms to give the intelligence agency, GCHQ, access to communications on demand, in real time. However, it will not allow GCHQ to access the content of emails, calls or messages without a warrant. Civil liberties groups including Big Brother Watch have condemned this move as an unacceptable invasion of privacy.
At present Internet service providers are obliged to keep details of users’ web access, email and internet phone calls for 12 months, under the EU Data Retention Directive 2009. While they keep a limited amount of other data already on their own subscribers for billing and other commercial purposes, the new law will require them to store a much bigger volume of third party data such as that from Google Mail, Twitter, Skype and Facebook that crosses their servers every day.
This is not the first time this idea has been floated. In October 2010, the Government announced its intention to introduce the Interception Modernisation Programme, at a cost of £2 billion. This latest announcement seems to be the same project but renamed “the Communications Capabilities Development Programme (CCDP)”. Details of the scheme will be published within weeks and will build on Labour’s abandoned proposal (which was heavily criticised by the Coalition partners at the time) to require communications service providers (CSPs) to collect and store the traffic details of all internet and mobile phone use, initially in a central database.
Access to Communications Data in the UK is already governed by Part 1 Chapter 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (sections 21-25). This sets out who can access what type of communications data and for what purposes. This includes the police and security services as well as councils, government departments and various quangos. The legislation restricts access to the different types of communications data depending on the nature of the body requesting it and the reason for doing so.
The definition of “communications data” includes information relating to the use of a communications service (e.g. telephone, internet and postal service) but does not include the contents of the communication itself. Such data is broadly split into three categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by an operator on a person they provide a service to.
Some public bodies already get access to all types of communications data e.g. police, security service, ambulance service, customs and excise. Local authorities are restricted to subscriber and service use data and even then only where it is required for the purpose of preventing or detecting crime or preventing disorder.
At present, access to communications data operates on a system of self-authorisation. There are forms to fill out (signed by a senior officer) and tests of necessity and proportionality to satisfy. Notices have to be served on the service provider requesting the data.
It is unclear as to how the new proposals will be different from the current system. There is talk of the security services being able to access data in real time. The current system normally gives access to historic data. It does allow real time access to certain organisations (including the police and security services) but only in an emergency to save life or limb or in exceptionally urgent operations. The authorisation forms still have to be completed and signed and served later on though. Maybe they are suggesting that the security services get carte blanche direct access into communications service providers’ systems. This would be unprecedented and certainly “Orwellian” to say the least. The potential for abuse would be massive.
Updating the Law
The Home Office Minister says they are updating the law “in terms of social media and new devices” – it is widely expected to include things like Facebook and phone calls via web-based systems such as Skype. If this means the agencies knowing when an individual visits these sites, this is already allowed under the current regime, where it is known as traffic data (web browsing information). If the new system goes further and allows agencies to look at actual webpages visited within a domain (e.g. Facebook) and calls made (e.g. from Skype), this would be a big extension of existing powers and much more intrusive. It gives the possibility of building up a picture of someone’s lifestyle, their movements, contacts, interests etc.; potentially a vast amount of information which, if it gets into the wrong hands, can be quite damaging to individuals.
At present the checks and balances are very weak (self authorisation followed by a notice to the CSP). The proposals, which talk of access in “real time” and “on demand”, require much stronger checks and balances.
If it is really necessary for GCHQ to have access to such a vast amount of information, it should be subject to judicial approval. This could be a similar system to the one which councils will be subject to as a result of the changes to the RIPA regime to be made by the Protection of Freedoms Bill. In the future any local authority request for communications data (however minor) will have to be approved by a Magistrate. (See my earlier Blog Post for more detail about the Bill.) After all, the powers that the police and intelligence agencies have under RIPA to undertake surveillance and acquire communications data are much wider than those of local authorities.
There are also legitimate concerns about what would happen if the information held and accessed on individuals by GCHQ gets into the wrong hands. Can we really trust the law enforcement agencies not to mishandle such data? Only recently allegations have surfaced that the police have been misusing their powers under RIPA to assist the tabloids to locate the whereabouts of celebrities and other persons of interest.
The Government needs to think carefully about its plans. If these new proposals are enacted there is a massive potential for misuse. It will provide a rich seam of information which may be bought by journalists from unscrupulous police and intelligence officers. This could lead to further erosion of trust in the police and Government. Of course “the Devil is in the detail” and we wait to see how the Government will address these concerns.
We have a series of courses on RIPA and Surveillance which also cover the changes in the Protection of Freedoms Bill.
See also our RIPA Forms Guidance Document.