Data Retention and Investigatory Powers Bill

The leaders of the three main parties in the UK parliament are in the process of railroading a bill through parliament which supporters claim are vital for public safety and national security, and detractors claim is an unnecessary and undemocratic power grab by the security agencies.

The truth, as ever, lies somewhere between these two extremes. Most of the reporting on this is very much of the he-say-she-say type, with little or no actual referral to actual facts. I thought it may be worthwhile to look at this myself.

My position

I believe that wiretaps, monitoring, and the like are absolutely vital powers, but there must be excellent oversight, and these powers must only be used in a proportionate manner.

I think it’s disgusting that this bill is being rushed through. Yes, it likely took a while for civil servants to review what the ECJ ruling meant, and then draft the bill, but that’s no a good enough justification. I do agree that part of the delay in this was due to incompetence, rather than malice, however that’s no excuse for the power grab that’s enshrined in this bill.

Furthermore, the bill does a lot more than just meet the issues arising from the ECJ ruling, and in fact it alone doesn’t even meet those issues – some future regulations will be needed first, and these will need to be passed by parliament. So it doesn’t even meet it’s stated aims.

The bill as written has a number of areas that concern me. The Secretary of State gets a lot of extra powers in the form of regulations, which given the current views of the Home Office are likely to be abusive and expansive. The assertion that only metadata is covered is potentially false. The expansion beyond UK borders is very troubling, badly drafted, and when combined with the existing shortcomings in RIPA clarifies that any UK citizen using a non-UK-based server has essentially zero protections against their data being queried by the UK government without a warrant.

Many of the assertions being made by the government are false, and I think it’s disgusting that they are willing to lie in this manner. Protections being lauded by some politicians, such as oversight boards and the like, are not enshrined in the Bill.

This bill doesn’t address the shortcomings highlighted in the ECJ ruling, and so it would inevitably be over-ruled in the future.

Overall, this Bill shouldn’t be passed in its current form – the fact that it likely will is a sad indictment of the lack of  backbone amongst current politicians when faced with privacy or security concerns.

 

DRIP

What is it?

One big source of confusion is that the bill addresses two different things. Firstly, it addresses retention notices – this is what the ECJ ruled on. The second is warrants for obtaining the information. These two are different, and relate to different data.

On the retention front, the government can issue a retention notice to a public telecommunications operator to retain relevant communications data.

A public telecommunications operator is anyone who operates a public telecoms service (DRIP 2(1)), which is (RIPA 2(1)) any system which exists for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy. [amended by DRIP 5 to include:  any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.] i.e. anything which moves data from one place/person to another, or does any storage of such. So this includes not just ISPs, and internet pipes, but also the likes of Facebook and Google.

The key word above was “relevant”. There’s a big difference between “relevant communications data” and “communications data”. It appears that “relevant communications data” is used when referring to retention, and “communications data” for obtaining the information – the latter is much broader than the former.

Relevant communications data is the metadata “of the kind” currently specified in the 2009 EC Data Retention Directive schedule. The schedule data is basically addressing, date/time, and duration of communications. A big area of danger is the “of the kind” phrase – that’s seriously vague and could be used for a lot.

Communications data is concretely much broader, from RIPA 21(4):

  1. any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any telecommunication system by means of which it is being or may be transmitted; i.e. this is horrendously drafted and could mean anything. I think it’s supposed to mean addresses etc, but also includes hashes, routing info, etc.
  2. any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person (i)of any postal service or telecommunications service; or (ii)in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system; i.e. Basically anything other than content. This includes subscriber information, billing addresses and details, etc. Any service which does analysis of message contents, for example Google and Facebook extracting data for advertising purposes, may also be fair game, although a case could be made that this includes the contents of comms.
  3. any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service. i.e. essentially a catch-all which includes absolutely everything _except_ message data.

It expressly doesn’t include “data revealing the content of a communication” (DRIP 2(2)).

What data will be covered?

See the previous section for details, but basically it depends on whether you’re talking about retention, or what the government can request.

Retention: Definitely addresses, dates, times, and durations for any communication, and possibly much more.

Acquisition and Disclosure: Absolutely everything to do with internet comms and data, except the contents of the comms data itself. This includes who talks to whom, when, and how much is said. It also includes any details the service provider may keep about you, including billing information, addresses, etc. For ISPs this may not sound too bad, but things get more complicated with services such as Facebook and Google. They build up analyses of your behaviour for advertising – that may be in scope. They keep track of who you ‘Like’, groups you join, websites you visit, and so on. So, pretty much everything is fair game. Note though that this is broadly an already existing power under RIPA.

Where is covered?

Everywhere. Or more specifically, every service that offers any service to the UK public.

DRIP 4(6) can also be used to require a foreign person/company to maintain an interception capability, including for conduct outside the UK. So, the very equipment and capabilities which the EU and UK have an embargo on for Syria (and others), can be mandated (and subsidized (DRIP 1(4(g)), RIPA 14)) in other countries by the UK government.

DRIP extends or clarifies this extra-territoriality for interception, requiring that an interception capability be maintained, and also for retention and disclosure.

Who is covered?

Everyone, of any nationality. Nothing has changed there since RIPA/Data Retention Directive. Under DRIP section (4) this has been expanded (or clarified, as the government would have you believe) to include non-UK people, not in the UK, on non-UK servers.

Other powers and regulations?

One of the areas of concern relates to DRIP 1(3), which allows “The Secretary of State [to] by regulations make further provision about the retention of relevant communications data.”  DRIP 1(4) does call out the restrictions on what may be in these regulations, and these don’t look too broad at a first glance, but I’m not holding my breath. One concern is that these regulations can be used to require telecoms operators to give retained data to the government without needing a warrant (DRIP 1(6)(b)), although to be fair that was already the case under RIPA section 22.

The regulations “may refer to communications data that is of the kind mentioned in Schedule to the 2009 Regulations”, which to my mind also means that it may be able to refer to other data.

DRIP 2(5) does at least require that any such regulations must be passed by parliament, however there have been no assurances provided that these won’t also be rushed through. Such regulations will have to be passed soon, and I wouldn’t be surprised if they are also rushed through: DRIP 1(4)(h) states that the regulations may include a provision that “the 2009 Regulations ceasing to have effect and the transition to the retention of data by virtue of this section.” – given that that is the stated aim of this Bill being rushed through, as the ECJ ruling has overruled the 2009 Regulations.

Extraterritorial extensions

Section 4 of DRIP expands (or clarifies) how the retention notices and RIPA may be used outside the UK. Much of section 4 details who to address the notices to, etc. Basically, section 4 states that retention notices and warrants may be issued to non-UK companies and people, with no UK presence, if they offer a public service on the internet.

DRIP 4(4) does give some protection to foreign companies/people who receive a retention notice/warrant – local laws can be taken into account when deciding whether implementing such a warrant/notice is ‘reasonable’ and hence whether they have to comply.

RIPA 1(1) and 1(2) expressly state that it is only illegal to perform interception without warrant within the UK.

Therefore, interception can be performed on UK citizens using non-UK-based servers without a warrant, retention notices need to be issued by a Secretary of State, and access to retained and other non-interception data needs to be requested by one of a long list of designated persons.

 

Government Assertions

Home secretary Theresa May has stated that lives will be lost if the legislation does not go through.

David Cameron repeatedly saying that it was essential to track and catch “terrorists, paedophiles and criminals” and warned that the “consequences of not acting are grave”.

“I want to be very clear that we are not introducing new powers or capabilities – that is not for this parliament. This is about restoring two vital measures ensuring that our law enforcement and intelligence agencies maintain the right tools to keep us all safe.

“As events in Iraq and Syria demonstrate, now is not the time to be scaling back on our ability to keep our people safe. The ability to access information about communications and intercept the communications of dangerous individuals is essential to fight the threat from criminals and terrorists targeting the UK.”

Simon Hughes MP asserted, on Murnaghan, Sky News, “We are limiting the number of people who can ask for data, fourteen bodies are no longer able to ask for data at all, all the councils in the country, every council in Britain at the moment can ask for data and that’s been consolidated into only one place for request.  David Anderson, a really good guy, who is there making sure that our terrorism legislation is working, has been given additional powers, we have a new scrutiny committee – those are Lib Dem gains.”

My response

At no point has the government explained why they need 12 months of data. Why not 11, or 13? Or 6? The ECJ ruling called out this shortcoming in the EC Directive, and it still hasn’t been addressed.

Using Iraq and Syria as examples of why this is needed is disingenuous at best, and outright attempt to play on our fears at the worst. The government can already use warrants to target collection of both data and metadata against individuals and groups involved in both of these conflicts. Why, therefore, do they need these extra powers?

The assertion that they are not introducing new powers is demonstrably false. The bill allows the Secretary of State (which actually means any one of a number of individuals) to create regulations which may vastly broaden current law – the scope allowed under section 1(3)-1(7) and 2(4), although with the caveat that such regulations would need to be approved by parliament (2(5)). Note however that such approval is often rather pro-forma.

Furthermore, while DRIP is allegedly just targeted at fixing the retention law issues resulting from the ECJ ruling, it does much more. While sections 1 and 2 of DRIP deal with retention notices, sections 3-5 deal with warrants under RIPA.

The largest power grab relates to extra-territorial aspects of RIPA. The argument is that this was implicit already in RIPA, and that’s possibly accurate. However, the specific area of concern is 4(8) amendment (5A) – this seems to allow retention/disclosure requests, on foreign companies who have any offices or offer any services in the  UK, but covering conduct that occurs outside the UK by non-UK nationals. So can the UK government make a request against Facebook for the monitoring of a US citizen in the US, and punish Facebook if they don’t comply?

As for Simon Hughes’s claims, absolutely none of these are detailed in DRIP. While they may be good in theory, these are currently paper tigers against threats to privacy.

 

ECJ Ruling

ECJ ruling is all about proportionality:-

  1. No “differentiation, limitation or exception” on types of traffic data
  2. No “objective criterion” to ensure that authorities only have access as needed
  3. No “objective criteria” on basis of period of retention
  4. “Risk of abuse” – not sufficient safeguards, nor ensure that data destroyed at end of retention period
  5. No requirement that data be “retained within the EU”

So how does DRIP measure up?

  1. DRIP refers to “relevant communications data”, by which it means the Data Retention Regulations 2009 Schedule. This specifically calls out what metadata should be retained. So the type of data is limited. In theory DRIP 1(1) also limits collection to only that which is proportionate under RIPA 22(2). However, the list of grounds are so broad that I wouldn’t be surprised if retention notices are issued against all users, “in the interests of national security” or similar. So DRIP probably passes the ECJ test, but it’s hardly reliable.
  2. Within the UK, access is limited under RIPA 22(2), and may only be granted by a “designated person” (of which there are rather a lot). This is probably sufficient, although as noted in (1) these are so broad that they can apply to a lot of situations.
  3. There is still no objective criteria for period of retention, so this is a fail. This may be coming in the regulations mentioned in DRIP 1(3) and 1(4).
  4. The protections in RIPA may be sufficient for the “Risk of abuse”, although there is no mention of oversight. There’s currently nothing ensuring destruction, although this may be coming in the future regulations, so currently this is a fail.
  5. There’s still no requirement that data be retained within the EU, although this may be clarified in the future regulations.

For (1), (2), and (4), the important question is one of oversight. The justifications for retention and disclosure are so broad that anyone can be caught up with them – any oversight body must ensure the proportionality of both retention and disclosure.
For (3), (4), and (5), the future regulations are vital – and we’ve no idea what they say until they are published.

So, overall, DRIP does not currently address the issues within the ECJ ruling, although it may do so in the future, when the Secretary of State publishes some new regulations, which are allowed under DRIP, but which must also be passed by parliament. Given this, it makes you wonder why the rush to pass DRIP, if the ECJ issues won’t be addressed until the regulations are published, at some future date.

 

Relevant Links

Data Retention and Investigatory Powers Bill – the draft bill being proposed by the government https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/328939/draft-drip-bill.pdf

Regulation of Investigatory Powers Act 2000 – the act being amended by this bill http://www.legislation.gov.uk/ukpga/2000/23/contents

Anti-terrorism, Crime and Security Act 2001 (Part 11) – Required retention of communications data, and in section 102 defines “communications data” http://www.legislation.gov.uk/ukpga/2001/24/part/11

ECJ Ruling – This is the ruling which ruled that blanket collection was illegal, and which allegedly forced the government to push this bill through http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf

Data Retention (EC Directive) Regulations 2009 Schedule – Lists the data to be retained http://www.legislation.gov.uk/ukdsi/2009/9780111473894/schedule

Afterword

FYI, I have just sent my MP the below email.

Dear Paul Burstow,

RE: Data Retention and Investigatory Powers Bill

I am writing to ask you to consider voting against the upcoming Data
Retention and Investigatory Powers Bill, or as a minimum vigorously
participating in the debate against it.

I think it is highly undemocratic and frankly disgusting that the Bill
is being rushed through in this manner. The government has been aware
of the issue arising from the ECJ ruling since April and have done
nothing to address them – although maybe this should be ascribed to
incompetence rather than malice. The Bill as drafted will not even
address all the current shortcomings highlighted by the ECJ ruling –
rather a Secretary of State will need to create, and parliament pass,
additional regulations, so there should be no need to push through the
retention parts of the Bill so urgently, without also making the
proposed regulations available even in draft form.

Liberal Democratic MPs have been trumpeting additional protections they
have wrestled from the Tories, however only two of these are actually
present in the Bill – that of a maximum twelve month retention period
and an expiry in 2016. For the former, as this is something the ECJ
ruling had already hinted at, it was hardly a major win. For the
latter, that’s a valid win, although also not a major one – the Bill
may be reinstated in the future without any guarantee of a larger
debate on privacy versus security, and the roles of RIPA, CMA, DRIP,
the Anti-terrorism, Crime and Security Act, and others. As stated, any
other protections are not in the Bill, and so could be dropped,
amended, or varied as desired by the whim of any government.

Contrary to claims being made by both LD and Tory MPs, the Bill does do
more than just deal with the retention issues arising from the ECJ
ruling. Three of the five main sections deal with investigatory powers,
and not retention. The Bill is rather confusing because of this, as it
contains and doesn’t clearly differentiate between retention,
acquisition of retained (or other) data, and interception, nor
differentiate between the different data (“relevant communications
data” versus “communications data”) which may be requested for each,
plus it uses vague terms such as “data of the kind mentioned”.

To summarise, the Bill doesn’t just do what the government says it
does, and doesn’t fully do what the government says it does. The
protections being trumpeted cannot be relied upon. And finally, even if
there is need for an urgent Bill to meet the ECJ ruling, this isn’t it.

For more details on my thoughts, please feel free to see my blog post
at http://goo.gl/HT1PkW or  contact me via email or telephone.

Yours sincerely,

Ian

Advertisements

2 thoughts on “Data Retention and Investigatory Powers Bill

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s