FAQ: The Communications Capabilities Development Programme
What do we know?
Very little. The Communication Capabilities Development Programme (CCDP) is going to be included the Queen's Speech next month and we still haven't had public confirmation of the details. What we do know is that there have been secret briefings to MPs designed to scare them into compliance, and secret briefings to industry that were originally designed to calm their fears (but in fact have only served to increase their outrage).
What was previously proposed?
In 2009 the Home Office held a consultation on the possibility of requiring internet service providers (ISPs) and telecommunications companies (telcos), who are qualified as 'Communications Service Providers' under UK law, to install black boxes that would monitor all internet communications streams to collect and store communications data.
Many of the frontbenchers in today’s government opposed the 2009 policy. The Home Office will therefore try to persuade MPs that the CCDP is drastically different from the previous government's proposals. They will say that it won't involve a centralised database run by GCHQ; instead, ISPs and telcos will store the data locally. The reality is that the previous government abandoned the idea of a central database long before it went public with its plans, so very little of substance has changed - though MPs can't be expected to realise this.
See the briefing from the London School of Economics and Political Science (that we helped advise) regarding the 2009 proposals (in PDF). Much of it remains valid, and even underestimates the new challenges to what is being proposed.
Why is this happening now?
In the days of the old internet, when we used email addresses provided by ISPs like BT, who tended to have servers in the UK, government authorities were able to grab information on who we were emailing and when with ease. Growth in interactivity and international services has meant that new 'third party providers' are enabling our email. Simply put, we now use Gmail and Hotmail to communicate with other people, not a BT address. Gmail and Hotmail are run by companies outside of the UK (Google and Microsoft respectively) and so don't have to automatically comply with UK government requests. The British government doesn't want to have to go through the process of making requests to providers every time it wants information about someone, so it is seeking novel solutions. In 2009, the Labour government proposed a system that would require ISPs and telcos to record all your interactions with these 'third party providers' using black boxes. Black boxes are pieces of kit that perform 'deep packet inspection' on internet communications. They open up all the packets of internet communications streams and read them to identify which services you are using. If communications are being sent to a third party provider, e.g. a social networking site, the boxes will dig deeper and find out what the user is doing there. If there is a chat session in progress, the boxes will record who is speaking to who. Black boxes placed at key points in each communications network monitor all traffic so that people and their communications can be identified and opened up accordingly.
What is being proposed?
The Government wants to compel (and pay) ISPs and telcos to collect more information on our internet use. Based on our conversations with MPs and leading experts, we understand that there are two prongs to this new policy.
1. Place burdens upon 'third party services'
UK law regards our telcos and ISPs as 'communications service providers' (for instance under the Regulation of Investigatory Powers Act, or RIPA). CSPs have duties under law (mostly under RIPA) to provide government agencies with information that they hold, upon request. The RIPA regulatory regime is remarkably weak (do an internet search for RIPA + abuse and you'll see what we mean). This proposal will require that Google, Facebook and other providers grant government agencies the same type of access to data that CSPs provide. This is something that we expect these companies to vehemently dislike - it places significant new regulatory burdens upon them and could set a dangerous precedent for other governments.
2. Black boxes at ISPs
There remains a problem in that only friendly 'third party services' will agree to the first approach. The government's solution is a rehash of the 2009 proposal; black boxes will be installed to monitor and store all communications data.
What about security?
There are two security nightmares involved here. Firstly, the security of the black boxes at ISPs is suspect. Analagous capabilities have been abused before - for example, Vodafone's backdoors in Greece were abused by malicious (and still unknown) individuals to gain access to the voice communications of Greek and US government officials around the time of the Athens Olympics. Secondly, a lot of internet traffic is encrypted using SSL/TLS. This is how your bank ensures that no-one is watching your financial transactions, but the use of SSL generates significant problems for these black boxes - they know which service provider you are connecting to, but are unable to access your transactional information. This can be circumvented, but such a step on the government's part would be difficult, controversial and potentially illegal.
It's not about communications content, right?
Yes and no. The government is doing all of this in order to obtain communications data because they can already get communications content by ordering third party providers to hand over information, or ordering your ISP and telco to intercept your communications (under a very weak ministerial warrant regime). However, the black boxes must intercept all communications streams in order to access the communications data, and these streams are classed as 'content' by law. The boxes may have to reconstruct your entire browsing session in order to identify who you're emailing.
Legal niceties aside, communications data alone is highly sensitive information1, even without the content. It represents a list of all your interactions in a modern world. The government can already request every location you've been to over the past twelve months (or longer) from your telco, but CCDP would also make available records of every friend you've had on Facebook, every interaction you've had with people on your landline, mobile, smartphone, computer and other devices. This is a mine of data that can reveal all your interests, relationships and habits. Google and other internet companies reliant on targeted advertising can only dream of having access to this amount of data.
Doesn't RIPA protect us from abuse?
No. RIPA enables government access to information, with barely any real restrictions. The authorisation regime under RIPA is amongst the weakest in the world, with no requirement of independent authorisation. Interception of content is enabled through a warrant signed by the Home Secretary (or a few other Secretaries of State). Access to communications data is enabled through self-authorisation - a police officer simply asks a senior member of the police to authorise access to the data. In most other countries, this kind of access would require a judicial warrant, court order or similar form of independent authorisation.
Will this help prevent terrorism?
No. In a terrorism investigation, the police will already have access to all the data they could want. This is about other investigations - it is about the millions of requests made every year by local law enforcement and other authorities in the investigation of serious - and less serious - crime.
What’s the big deal?
It is rare for governments to compel a company to actively monitor its customers. Yes, banks may require ID, but they only collect what is necessary. The government is proposing to force companies to collect information they have no business collecting in the first place - information on everyone's comunications, all of the time. No democratic country has pursued a similar policy to date - the UK will find itself aligned with China and Iran if this proposal goes ahead. There is also a danger that the CCDP will create a 'blueprint' and the policy will spread abroad, meaning that the Internet could be a very different place in five years' time. Any promises that the Home Office makes now are merely politically expedient -- in fact, every previous surveillance law was promoted with the promise that they would not mandate the collection of new information2 -- which they are now about to do.
Once the government is allowed to install these black boxes at ISPs, there’s basically no limit on future actions. Could this data be used to track file-sharing and monitor who is visiting specific websites? Absolutely. Could this system be used to restrict access to services? Absolutely. Once this line is crossed, the government will have enormous scope to monitor and control the internet.
1. To see an article about this issue, please see our piece in Communications of the ACM.
2. As an example, see Hansard from 2001 for instance where the Minister argues "The provisions apply only to communications data that are already held by providers. We have no intention of asking them to retain data that are not collected in the normal course of their business. They are being asked to do nothing new."