The draft Communications Bill is a wasted opportunity

The Home Office has been planning a grab for new communications surveillance powers since 2006; today, the Draft Communications Data Bill established in legislative language their ambitions.

Yes, as they will point out, it isn't their the full scope of their ambitions. In 2008, under Labour, they proposed the idea of a vast centralised database of the nation's communications data. In 2009 they abandoned the idea of a central database. Since then, a new government has been elected, consisting of two political parties that opposed both the 2008 and 2009 versions.  In the Coalition Agreement, the Conservatives and the Lib Dems promised: "We will end the storage of e-mail and internet records without good reason."

But that didn't work out so well. Today the government announced an enormous expansion of the communications surveillance regime, a project that will cost approximately £1.8bn over 10 years and is almost identical to Labour's 2009 proposals.

When the story of these plans first broke at the beginning of April, there was a huge controversy and as a result, it is claimed, significant safeguards were introduced. We've searched hard in the draft bill, but all we see is a surveillance state wish-list with a press release that labels any privacy concern a 'conspiracy theory'.

• Service providers in the UK will be required to systematically collect information that isn't relevant to their business purpose, i.e. they will be required by default to monitor all users' activities and retain this information for up to a year.
• The Home Secretary can mandate to specific internet providers the type of technology that they must deploy to collect information, i.e. black boxes installed at ISPs as decided by the Home Secretary
• Authorisation to access this information is still self-authorised by senior members of the police, intelligence agencies, and tax agency, though other departments will require judicial authorisation
• They plan on placing requirements on foreign service providers as well.

Other interesting facts:

• The system will cost at a minimum £1.8bn over 10 years, but they claim that the benefits to the UK will amount to £5bn over that period.
• Despite concerns about it being infeasible, the Home Office is adamant "it is technically feasible".
• This will also apply to the post (yes, snail mail). 
• There is a power of 'filtering' that would allow searches against large data sets to identify comms data, e.g. 'who uploaded this 129MB file at 8.03pm?'.
• The Home Office states that, so long as it is impossible to work out in advance who will go on to commit a crime, it is necessary to retain information on all citizens in the UK, and then asserts that this is compliant with Article 8, ignoring the inconvenient fact that this type of calculation can only be done 'on occasion', not by default.

Meanwhile, what is missing? The answers to a lot of important questions about how the police will be using new surveillance technologies, including:

• When do the police have the right to hack your computer? When can they introduce a trojan? 
• When can the police remotely turn on the camera or microphone in your laptop or mobile phone?
• When can the police use IMSI-catchers to identify phones in a specific area?
• What kind of datamining techniques can the police and intelligence agencies use on communications data?

This would be a great opportunity to have a democratic debate about wishlists and ambitions for both mass surveillance and covert targeted surveillance using advanced technologies. We could talk about when these types of interferences are appropriate and when they are completley inappropriate; we could question the surveillance of 'collection' versus 'access'; we could discuss the future of Mutual Legal Assistance Treaties, the challenges of placing ownership/jurisdiction over user data in other countries, and whether individuals should be notified when their sensitive data is accessed by government authorities.

But sadly today was not a good start.  It was, in fact, a terrible day for global communications privacy because UK policy sets a precedent for dozens of other countries around the world. It's a shame we don't seem to be able to set a better example. 

Excerpts from draft Communications Bill and briefing

"Introducing prior judicial authorisation for communications data requests in the UK would be expensive, logistically challenging, affect police and intelligence agency investigations and be a significant change to our criminal justice system and the relationship between police, intelligence agencies and the judiciary."

"It is technically feasible."

The Bill will:

"Enable the Home Secretary, when necessary, to require Communications Service Providers to retain data where they would not otherwise retain it for business reasons."

"In principle this legislation will cover overseas operators where they provide communications services in this country. We will therefore be working with providers in the UK and overseas as we do already. For security and commercial reasons we do not comment on relationships with specific providers."

"It is impossible to know in advance of a crime or a criminal investigation whose data will need to be investigated and whether those people are suspects or victims."

"Public websites, including public Facebook pages, are open to all to browse and are not affected by this legislation; this legislation only covers access to communications data, including for example, data regarding e-mails and instant messaging. This legislation can apply to all providers of telecommunications services. For security and commercial reasons we cannot comment on obligations which have been or may be placed on specific providers."

"At present, for business reasons, communications providers store some of the data to which we may need access. In future, under this legislation, we will only ask communications providers to store any additional data (beyond that provided for at present) if there is reason to believe that the services from which it derives are being used by terrorists, people engaged in serious crime or other people under investigation by the police or other authorised agencies. A maximum time limit of 12 months will be placed on storage, consistent with the terms of the EU Data Retention Directive. In short: there will have to be good reason for Government to require both the collection and storage of communications data."

"The Government set out its intention to legislate on this issue in the Strategic Defence and Security Review (SDSR) which was published in 2010. The SDSR made clear that we would legislate as soon as parliamentary time allowed, ensuring that the use of communications data is compatible with the Government's approach to civil liberties."

"We are not proposing a single Government database to store all communications data to which the police would then have access."

"The IMP included plans for the widespread deployment across UK communications networks of technical probe equipment (sometimes loosely described as black boxes) to collect communications data generated from communications services. This would have involved the collection of communications data about certain types of services by UK network providers – who may have provided the connection to the internet, but not the specific service itself. Under this programme, the emphasis is to work with industry to determine the best solution on a case by case basis, examining services used by people under investigation by the police or other authorised agencies. Probes would only be used when this approach did not provide the communications data required. Any communications data collected by such probes would, as with other data, be stored by the industry."

"We are confident that the technology we and CSPs would be using can distinguish between communications data and content. We are not proposing to legislate to obtain communications content."

"Any attempt to create a system that bypasses the existing legal framework for interception would be unlawful."

"The Bill states explicitly that nothing in the provisions in Part 1 “authorises any conduct consisting in the interception of communications”."

"The estimated economic cost of the programme in the period from FY2011/12 until 2015/16 is up to £800 million. Our current estimates are that the economic costs of this programme over ten years from 2011 could be up to £1.8 billion."

"But communications data plays a key role in the investigation and prosecution of all types of crime. Over ten years, we assess that this work will give measurable benefits of approximately £5–6 billion. "

"Requests for data will need to be approved by senior designated officers in the applying agency. Necessity and proportionality will be the key criteria that must be met in each case."

"Only four bodies – the police, Serious and Organised Crime Agency/National Crime Agency, Her Majesty‟s Customs and Revenue and the intelligence agencies – will be granted access to communications data through this bill."

"It will be necessary for certain companies to collect communications data for some overseas services."

"Technical aspects of some communication services can make it harder to obtain the communications data about a single communications event. Data about a single event can be distributed across a number of communications service providers who collaborate together to deliver a service. Moreover, subscribers very often have no need to register with a service in their own names: anonymous communications are common. The effect of these issues is that greater analysis of communications data can be required to identify the key facts about a communication."

"These filtering arrangements will initially assist a public authority (mainly the police) to determine what data might be needed to identify key facts about a communication and to enable the authority to consider if the request for such data remains necessary and proportionate. If the request is then authorised, the filtering arrangements will obtain communications data from companies, process and then filter it to the point where the key facts about a communication have been established. At that point these key facts will be disclosed to the public authority making the request and all other data will be immediately destroyed. An audit log will be generated for inspection by oversight authorities."

"These may include: ensuring that communications data can be disclosed without undue delay to relevant public authorities; compliance with specified standards; acquiring, using or maintaining specified equipment or systems; or using specified techniques."

"Nothing in this Part authorises any conduct consisting in the interception of communications in the course of their transmission by means of a telecommunication system."