Snooper’s Charter via the back door

The Counter-Terrorism and Security Bill[1] is currently going through the Lords Committee stage[2] of parliamentary scrutiny. The stage allows interested parties to comment and provide feedback on the bill, and a line by line examination of the bill. The general purpose is to tweak and amend the bill such that it is consistent, coherent, and actually meets the stated aims for the bill.

A number of amendments often result from this process. These are generally quite small, technical tweaks to clarify wording or include missing features. What they generally aren’t are massive changes which attempt to re-introduce other bills via the back door. An amendment proposed this week though does just that, attempting to sneak in the much maligned Snooper’s Charter.

Why should I care?

The powers being requested are, in my opinion, over-broad, with insufficient oversight and controls, confusingly drafted in places, and ultimately represent great potential danger to civil liberties. They’ll be expensive to implement, potentially harmful to your data security and privacy, and may not actually make you any safer.

And furthermore the powers are being sneaked in at the eleventh hour, circumventing a lot of parliamentary processes.

Who is moving the amendment?

The following Lords have moved this amendment:

  • Lord King of Bridgwater: Conservative member who served as Secretary of State for Defence, Northern Ireland, and others, under Thatcher. Chaired the Intelligence and Security Select Committee 1994-2001.
  • Lord Blair of Boughton: Crossbench (i.e. of no specific party), was previously the Commissioner of the Met Police.
  • Lord West of Spithead: Labour member, was Minister for Security and Counter-Terrorism.
  • Lord Carlile of Berriew: Liberal Democrat, was the Independent Reviewer of Anti-Terrorism laws, succeeded by David Anderson QC. Was generally deemed ineffectual and pro-establishment when in this post, being in favour of control orders and 42 day detention periods.

These Lords are all ‘establishment’ members, whose backgrounds may imply their being more in favour of security controls rather than civil liberties. Personally I find it inconceivable that the government, and Theresa May MP, were not involved in the production of this amendment.

What is the amendment?

Essentially it’s a reintroduction of the Snooper’s Charter, vastly expanding retention beyond that provided for in the Data Retention and Investigatory Powers Act. For the text, see paragraphs 79-99 of [8].

It allows the Secretary of State to require that telecommunications operators (e.g. ISPs and mobile phone operators) must retain an assortment of data related to communications data for up to 12 months, and provide the data to certain public authorities when requested. It also allows the Secretary of State to require that telecoms operators use specific techniques, equipment, and systems.

As ever, the devil is in the detail for all these powers and requirements – and there are some serious devils in there. Please see the section “Criticism and Comments” for more information on this.

Why is it an amendment?

This is an excellent question, if I do say so myself. The Draft Communications Data Bill (aka Snooper’s Charter) was drafted by the government in 2012 but introduction to parliament was blocked by the Deputy PM Nick Clegg (Lib Dem).

Since then the government rushed through the Data Retention and Investigatory Powers Act 2014, ostensibly to fix data retention notices (from RIPA 2(1)) which had been ruled against by the ECJ. DRIP was very contentious for assorted reasons (see [3],[4]) but was successfully pushed through. A sunset clause of December 2016 was included, and it is expected that the whole subject of data retention and interception will be re-examined early next parliament.

So, the government couldn’t pass the Draft Communications Data Bill due to the Lib Dems blocking it, and couldn’t do too much in the Data Retention and Investigatory Powers Bill as that was emergency legislation and was controversial enough as it was. Theresa May has repeatedly asserted that she wants to pass the Communications Data Bill, and more recently David Cameron has signaled his renewed support in the light of the terrorist incidents in France (despite the fact that France already has something like the Communications Data Bill, which didn’t stop the attacks).

It seems to me therefore that this is an opportunistic attempt to reintroduce a long-standing policy of the Conservative party, taking advantage of the recent terrorist incidents around the world.

Why now?

As mentioned, the recent events in France and elsewhere provide a veneer of justification and shielding, and allow defenders of the amendment to brand opponents as leaving the UK vulnerable to such attacks, despite the evidence that such assertions are wrong.

Interestingly, during the debates on DRIP, one issue was why the sunset clause was so far in the future, and indeed why DRIP was urgent (it was pushed through in just a few days). The government, and supporters, claimed that there was urgency due to the ECJ ruling, and that the sunset clause date was to allow sufficient consideration of an upcoming review by David Anderson QC (and others, see “Reviews of RIPA and DRIP” in [4]).

“I recognise that a number of Members have suggested that this sunset clause should be at an earlier stage. I say to them that the reason it has been put at the end of 2016 is that we will have a review by David Anderson which will report before the general election.” Theresa May [6]

“If Members think about the processes that we want to go through to ensure a full and proper consideration of the capabilities and powers that are needed to deal with the threat that we face and then about the right legislative framework within which those powers and capabilities would be operated, they will realise that that requires sufficient time for consideration and then for legislation to be put in place. That explains the need for the sunset clause at the end of 2016.” Theresa May [6]

“My feeling is that a great deal of work could be done during those 12 months and a set of recommendations could be made available to an incoming Government in May to June 2015.” Lord Hodgson of Astley Abbots [5]

See also comments by Lord Taylor of Holbeach (Hansard HL Deb, 16 July 2014, c600 and c659)

The question therefore is why include the amendment now, before David Anderson’s review has been completed, and before there has been “sufficient time for consideration”.

To be fair, Lord Hodgson did state that “It is important to remember that the presence of a sunset clause, while it is absolute in its end date, does not mean that legislation could not be considered before that time if a Government decided that they were in a position to present it in Parliament.” [7] But I believe the point still stands – what is the urgency?

Furthermore the amendment has a sunset clause built in of December 2016 – the same as DRIP. So even if passed, this amendment will only survive for less than two years. The amendment allows the Secretary of State to require telecommunications providers to use specific equipment and systems, and provide remuneration, with an estimated cost of £1.8 billion (from the equivalent requirements in the Draft Communications Data Bill). There are also requirements to secure the data and systems sufficiently, and secondary legislation needs to be prepared before all this can happen. Surely therefore there is a significant risk that vast amounts of money and time will be invested into something which will expire, and may not be reintroduced, in less than 2 years’ time. Maybe the government believes that this money, once spent, would provide additional justification to reintroduce the bill in the future – this amendment playing the egg to the Communications Data Bill’s chicken?

Criticism and Comments

Process and timing

Before commenting on the substance of the amendment, I wanted to comment on the process of using an amendment in House of Lords Committee stage. In short, it’s despicable. The HL Committee stage is one of the last stages for the bill – it has already been through the majority of stages which could have considered and commented on this amendment – the House of Commons Second Reading, Committee and Report stage, and Third Reading stages, and House of Lords Second Reading. The only remaining stages are the House of Lords Third Reading and the final Consideration of amendments.

Sneaking in such a large amendment, which would be large enough to be a separate Bill on its own, at such a late stage doesn’t allow parliament the proper time to consider and comment on the proposed powers. It doesn’t allow proper time for the public and interested parties to review the powers, and communicate with their MPs – in fact all the stages at which an MP would normally propose changes to an amendment have already been passed.

Waiting so long to propose such a large amendment with such an impact on civil liberties can be nothing but an attempt to game the system and sneak in an unpopular policy via the back door.

Blanket retention

The amendment does not specifically require blanket retention, however it does provide for the Secretary of State to issue notices which would result in blanket retention. Conceptually I’m torn on this subject – I can see the usefulness of having long-term records of communications data, which can be queried after the fact, by authorised officials. However it’s also very dangerous having such a large amount of sensitive data collected, and there’s a real danger from the fishing expeditions that can be performed on such data.

Ultimately, the acceptability of such retention is reliant on how securely the data is stored, and the quality of the safeguards and oversight on access to the data by both the authorities and the telecoms operators themselves. Unfortunately this amendment is very weak regarding oversight and safeguards, and provides no limits on what the telecoms operator may themselves do with the data.

On the latter point, retention is normally governed by the Data Retention (EC Directive) Regulations 2009, implementing Directive 2006/24/EC of the EU Parliament, together with the Data Protection Act 1998 (DPA). I am assuming that the telecoms operators will not be allowed to use data retained due to this amendment for their own purposes not related to the amendment. Doing so would be contrary to Data protection principle #2 of the DPA: “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”

It should be noted that Communications Data could be “Sensitive personal data” as defined in the DPA. For example, information that a user is using Grindr would classify as sensitive personal data under subsection (2)(f) “personal data consisting as to […] his sexual life”. As such any processing done with that data must be in accordance with Schedule 3 of the DPA [15] – I think section 7 of that schedule allows this processing, but I’m not sure.

Amendment – Terms

It will be useful to be familiar with certain terms – described below. References to the amendment will be to the PDF of the amendments [9]. Note that I’m not covering the parts relating to postal services.

  • Communications Data: The set of all traffic data, use data, and subscriber data. Defined in pp14 section 1.
  • Authorisation Data: Communications data which is data obtained in order to gain authorisation to obtain communications data. This is defined under “Filtering arrangements”, wherein communications data can be obtained and processed without an authorisation, in order to provide evidence for an authorisation to be sought. Defined on pp 11 subsection (1).
  • Traffic Data: Data to do with the addressing, protocols, timestamps, and related information. See “Traffic Data” for some comments. Defined on pp17 subsections (2), (3).
  • Use Data: Data about how, when, where, etc a user uses the telecommunications service. Explicitly doesn’t include contents of the communication. Defined on pp17 subsection (4).
  • Subscriber Data: Information held by the telecoms service provider which isn’t Use Data or Traffic Data, about the user of the telecoms service. Defined on pp17 subsection (5).
  • Part 3B Data: Seems to be another word for Communications Data, but maybe specifically just the communications data which is being obtained/requested by a public authority. Defined pp 6 section 1.
  • Interception: Has the same meaning as in RIPA (sections 2 and 81), but see “Interception” below.
  • Relevant public authority: The police (and similar), National Crime Agency, and intelligence services. Defined on pp12.
  • Technical Oversight Board: Board established by section 13 of RIPA, which “shall consider the technical requirements and the financial consequences, for the person making the reference, of the notice referred to them and shall report their conclusions on those matters to that person and to the Secretary of State” RIPA 12(6)(b) [11].

Traffic Data

The Traffic Data, defined on pp 17, may be extremely broad. I believe it may include data that would traditionally be considered content, with subsections (2)(a) and (2)(b)(v) especially broad.

Subsection (3) is one of the most opaque sentences I’ve ever read – I still don’t know what it means or is trying to say: “Data identifying a computer file or computer program access to which is obtained, or which is run, by means of the communication is not “traffic data” except to the extent that the file or program is identified by reference to the apparatus in which it is stored.”

Retention Period

By default data will need to be retained for 12 months ((Period for which data is to be retained) pp 3), but optionally may be shorter if the Secretary of State so desires. However, this can be extended indefinitely if a public authority informs the telecoms provider that the data is or may be required for the purpose of legal proceedings.

Given that all data may be required, this could result in public authorities requiring permanent storage of data. Furthermore the clause doesn’t specify that only the subset of data which is needed should be retained. For example, if there are possibly legal proceedings regarding subscriber X, and an extension is needed, should only user X’s data be retained beyond the 12 months, or all data?

Subsection (4) does require that a public authority inform the telecoms provider as soon as reasonably practicable when the data is no longer needed, which may be a sufficient safeguard against indefinite storage of all or most data.

One question I have is why the data needs to be retained after it has been provided to the public authority. The only reason I can think of is if the defence in legal proceedings is entitled to access to the data direct from the telecoms provider – nothing in the amendment directly allows for this, although there is the standard “otherwise as authorised by law” ((Access to data) subsection (1)(b) on pp 4).

Authorisation for Test Purposes

In addition to being able to get authorisation to communications data for specific investigations and purposes, subsection (1)(b)(ii) of (Authorisations by police and other relevant public authorities) on pp 6 allows authorisation to be given for “the purposes of testing, maintaining or developing equipment, systems or other capabilities”.

While I can see the need for access to live data in order to test equipment, this should very much be the exception rather than the rule. This subsection is the only mention of such authorisation or use for test purposes, and there are no additional safeguards to ensure this is a rare event and that privacy and proportionality is considered. For example, while I can understand if my subscriber data is accessed in pursuance of an investigation into some criminal behaviour, I would be incensed if it is accessed without my knowledge to test some equipment, especially as such testing may take several weeks and lead to a protracted attack on my privacy.

Interception

Subsection (4) of (Power to ensure or facilitate availability of data) on pp2 states that “Nothing in this Part authorises any conduct consisting in the interception of communications in the course of their transmission by means of a telecommunication system.” This is further restated in (Authorisations by police and other relevant public authorities) subsection (5)(a) on pp7. Interception is defined according to sections (2) and (81) of RIPA.

Interception normally would require a RIPA section 8(1) warrant. However, as stated in a witness statement [13] by Charles Farr of the Home Office, communications which terminate or originate outside the UK only need the very broad 8(4) warrant.

In the appeal between Coulson/Kuttner v Regina [12], the Lord Chief Justice ruled that, despite court rulings such as R v E [14], where the court said that “‘interception’ denotes some interference or abstraction of the signal, whether it is passing along wires or by wireless telegraphy, during the process of transmission” (para 20), listening to voicemails stored on a server still counts as interception. Thus the courts seem to think that even temporary caching and storing in intermediary servers still counts as transmission, and hence accessing these would count as “interception”.

In that appeal, the Crown submitted that “The Crown does not maintain that the course of transmission necessarily includes all periods during which the transmission system stores the communication. However, it does submit that it does apply to those periods when the system is used for storage ‘in a manner that enables the intended recipient to collect it or otherwise have access to it’.” (para 11)

The question remains from the Crown contention – what “periods during which the transmission system stores the communication” do not count as the “course of transmission”, and hence access to which would not count as interception?

Furthermore, while subsection (4) of the amendment doesn’t authorise interception, neither does the amendment disallow interception. How, therefore, do the requirements for retention in subsection (3)(b) tally with a RIPA 8(4) warrant? Can a (3)(b) requirement in a retention notice be used to facilitate access to data under a RIPA 8(4) warrant?

Filtering Arrangements

Several pages of the amendment deal with “Filtering arrangements” – see pages 9-13. Even after having read these sections several times I’m still not sure what exactly they mean. But if they mean what I think they mean – the ability to go fishing for data without any warrant or per-case authorisation being needed – then I’m not happy at all.

(Filtering arrangements for obtaining data) subsection (2) states that these “filtering arrangements” may “involve the obtaining of Part 3B data in pursuance of authorisation” – i.e. obtaining communications data, in order to get authorisation to get communications data. The data will be obtained (subsection (2)(b)(i)), processed ((2)(b)(ii)), then disclosed to a designated senior officer ((2)(b)(iii)).

Now this may mean that a designated senior officer ((1)(a)) may be able to do a limited query to verify whether a request for authorisation is valid. For example, a police force requests authorisation to request details about subscriber X for IP address Y, so a designated senior officer does a quick check by querying the subscriber data for IP address Y, to verify that it does belong to subscriber X. This appears to be a use of the filtering arrangements on pp 9/10 (Use of filtering arrangements in pursuance of an authorisation). If this is the purpose for the section then I can see the usefulness of it, as long as it is secure and limited, and has good oversight.

It may however mean that a designated officer can grep for specific information, for example all subscribers which are using Tor, and use this as justification to provide authorisation against these subscribers. If this is the purpose, then I’m very much not happy. This sort of fishing trip when there’s no definitive evidence of a crime having happened or being planned, is a big no-no.

As drafted, I honestly don’t know what the purpose or mechanism for these “filtering arrangements” is. This whole set of clauses needs to be reworked to be more precise IMHO.

As an aside, some parts of these sections seem to imply that the Secretary of State themselves must do the querying etc.

Requirements on Telecoms Service Providers

The Secretary of State can impose an assortment of requirements on telecoms operators when serving them with a retention notice. These are defined on pp 2 (Power to ensure or facilitate availability of data) subsection (3), as part of an order under subsection (2)(b).

Also under (2)(b) the Secretary of State can impose ‘restrictions’. What ‘restrictions’ may be imposed is not defined.

The most critical of the requirements is that the Secretary of State can mandate that telecoms operators must “acquire, use or maintain specified equipment or systems” (subsection (3)(b)(ii)).

Essentially the government can order telecoms providers to put a black box on their network, which may provide the government a back door into their system. The telecom provider may not know what the box does, and may not be allowed to test it. The government can just say “trust us” and the telecoms operator must accept it. The government is also not liable for any losses if the black box goes wrong.

While the box cannot be used for “any conduct consisting in the interception of communications in the course of their transmission” (subsection (4)), the actual definition of “interception” is rather fluffy – as discussed in the “Interception” section above.

If I was a telecoms operator I would be extremely unhappy with this, and as a user of such services I’m not comfortable either.

Confidentiality

It’s interesting to note that nowhere in the amendment is there a requirement for the telecoms provider to maintain the confidentiality of any request(s) for data by public authorities. So a telecoms provider could a) tell the subject of such a request that the police have asked for their data, b) provide summary information to the public about how many such requests there have been, and/or c) detail publicly what information they collect and retain and so what information relevant public authorities could query for.

It’s possible that such a requirement of confidentiality may be raised according to (Power to ensure or facilitate availability of data) (subsection (3)), but I’m not sure this is covered in that section. Or confidentiality may be deemed a restriction, according to subsection (2)(b) – the allowed scope of such restrictions isn’t defined anywhere.

Personally I’m a fan of transparency where possible – I think ISPs should report what data they’re retaining, and provide summary information on what is being requested (such as # of users per year) – although this can and should also be reported by the IOCCO or similar – but I can also understand why they should not be allowed to tell their customers that they specifically are being targeted.

Oversight

Speaking of the IOCCO, the subject of oversight is incompletely covered – specifically it is only covered where it relates to “Filtering Arrangements”.

The Secretary of State is required to give the Interception of Communications Commissioner certain information (pp 9, (Filtering arrangements for obtaining data) subsection (4)), provide an annual report (pp 11, (Duties in connection with operation of filtering arrangements) subsection (5)(b)) and report any significant contravention of the rules (subsection (7)). Whether the annual report will provide sufficient information for the IOCCO, I don’t know, but at least the subsection (4) requirements seem sufficient for the IOCCO.

There is not, however, any discussion of judicial oversight, appeals, or complaints other than by the telecoms provider, for retention orders or ‘Part 3B’ requests for the retained data. The IOCCO does not appear to have the power to investigate complaints nor impose penalties as the data retention from the amendment doesn’t derive from a RIPA warrant. It’s possible that other bodies may be able to investigate complaints by citizens, but this isn’t specifically called out – the situation is very complex as shown by the Surveillance Roadmap [10] (I especially recommend the table toward the back).

Telecoms providers can refer the retention notice to the “Technical Oversight Board” but they’re only providing oversight on the technical requirements and financial consequences (subsection (6)(b) of [11]), not the legality etc of the request. Furthermore, the Secretary of State can ignore the feedback from the Technical Oversight Board, and once ignored the subject cannot be referred again to the Technical Oversight Board.

There is also a requirement for the Secretary of State to consult OFCOM, the Technical Advisory Board, and the telecoms providers, before issuing a retention notice (pp 2 (Consultation Requirements)), but what a consultation means isn’t defined, nor is there any requirement for the Secretary of State to actually pay any attention to any feedback from such consultation, nor that such consultation should be public.

There are at least two stages where safeguards should apply: retention notices from the Secretary of State, and the authorisation for, and obtaining of, retained data by relevant public authorities. Currently there is a requirement for the former to be “in writing” (pp 4 (Other Safeguards) subsection (1)(a)). For the latter, authorisation must be documented as described in pp 7 (Form of authorisation and authorised notices).

It should be noted though that the amendment doesn’t say who, if anyone, can review or comment upon any of this documentation.

So, in summary, the oversight in this amendment is not fit for purpose.

Part 3B requests against People

Normally it would be expected that telecoms operators would be the recipients of both retention notices, and requests for communications data (Part 3B data) which has been retained. However, (Authorisations by police and other relevant public authorities) subsections (3)(b) and (3)(c) allow for the latter to be served against individuals – “any person whom the authorised officer believes is, or may be in possession of Part 3B data” or “is capable of obtaining it”. So, rather than serving the notice against an ISP who would have a legal team to investigate the legality of the request, and may fight it in the courts if they desire, an authorised officer could serve it against one of the people who work as a system administrator at the ISP.

That seems dangerous to me – there are undoubtedly reasons why an individual rather than a company may need to be served, but this is ripe for misuse, especially if such a notice can have any such confidentiality clause, such that the individual may be required ((Duties of telecommunications operators in relation to authorisations) subsection (2), pp 8) to provide such data without the knowledge or permission of their employer.

Liability and Compensation

People acting in accordance with Part 3A (i.e. retention notices) are protected from any civil liability according to (Enforcement and protection for compliance) subsection (4), pp 5. There does not, however, seem to be any such protection for Part 3B (i.e. public authorities obtaining data). Furthermore given that there is an obligation in Part 3A (Data security and integrity) on pp 3 to secure the data, I do wonder if such protection from civil liability would exist if, for example, a user’s communication data was stolen due to security shortcomings in their system.

Furthermore, who would be liable for civil suit if data was stolen from equipment, or due to standards or practices, which the Secretary of State has mandated ((Power to ensure or facilitate availability of data) subsection (3)(b))?

This issue of liability needs further clarification.

(Operators’ costs of compliance with Parts 3A and 3B) states that the government must recompense operators for the costs incurred, or likely to be incurred, to do with this amendment. The amendment obviously doesn’t estimate how much this may cost HMG, but it should be noted that estimates for the Draft Communications Data Bill were £1.8 billion.

Part 3C

There is no Part 3C. However it’s mentioned on pages 2, 13, 14, and 18. I wonder what it was, and why it’s missing.

Obviously this is a well drafted amendment…

Conclusions

This amendment is a shocking attempt to circumvent opportunities for comment and railroad an unpopular policy through parliament. This is just the latest in a series of such attempts by the government.

The amendment is badly drafted and is confusing. It solves a problem that doesn’t exist – retention is already required by DRIP. There is absolutely insufficient oversight and no judicial involvement, with no way for individuals or telecoms companies to complain.

References

[1] Counter Terrorism and Security Bill homepage
[2] House of Lords Committee stage
[3] DRIP Introduction (Blog)
[4] Update on DRIP (Blog)
[5] Hansard HL Deb, 17 July 2014, c726
[6] Hansard HC Deb, 15 July 2014, c714
[7] Hansard HL Deb, 17 July 2014, c736
[8] Counter-Terrorism and Security Bill, Amendments (HTML) (Note: Different order to PDF)
[9] Counter-Terrorism and Security Bill, Amendments (PDF)
[10] Surveillance Roadmap
[11] RIPA 2000 Section 12
[12] Coulson v R Appeal
[13] Charles Farr Witness Statement
[14] Regina v E appeal
[15] Data Protection Act Schedule 3
