Communications Data Retention Bill Too Broad, Needs Extensive Rewrite, Report Says
A proposal to allow the U.K. Home Secretary to order the storage of any kind of communications data “is too sweeping, and goes further than it need or should,” the Joint Committee on the Draft Communications Data Bill said in a report published Tuesday. While there’s a case for giving law enforcement authorities some further access to communications data, the current version must be “significantly amended” to deliver only necessary data, Lords and Commons members said. Their scathing report (http://xrl.us/bn5u5q) brought cheers from ISPs and privacy advocates.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The previous government announced plans in May 2008 to require communications data to be stored for a year in a purpose-built database, the report said. That and other plans were strongly criticized and the plan was withdrawn. New regulations require communications services providers (CSPs) notified by the secretary of state for the home office to retain certain categories of data for 12 months.
In April 2009, the government sought feedback on a revised plan which examined three approaches. One was a centralized database of communications data, which officials said they wouldn’t pursue, the report said. The second option was to do nothing, which the government said would cause it to fail its duty to protect the public. That left one option: force CSPs based in the U.K. to collect and keep all data public authorities might need, including third-party data crossing their networks, and to make the information accessible on a case-by-case basis to public authorities subject to existing “rigorous safeguards.” The only choice for those who backed that approach was whether compulsory retention and availability of data should be supplemented by requiring CSPs to process the data, it said. No legislation was proposed before the 2010 election, but the 2012 Queen’s Speech announced a draft communication data bill, which the joint committee was directed to review.
There is a case for legislation to give law enforcement bodies more access to the data, but the government must come up with a more proportionate approach, lawmakers said. The government believes new powers are needed to ensure that law enforcement keeps up with technological change, and that around 25 percent of communications data required by investigators is unavailable, the report said. But lawmakers rejected the argument, saying the 25 percent data gap is “an unhelpful and potentially misleading figure.” Part of the gap is due to the inability of police agencies to make effective use of the information available, it said. Another part of the problem is that there has been a huge increase in the overall amount of communications data generated and potentially available, but whether all of that is needed to keep the public safe is a key question, it said.
The government wants access to Internet Protocol addresses, Web logs (anything before the first “/” in a website address) and data generated for business purposes but not retained by overseas CSPs, the report said. The Home Office wants to keep the definition of communications data as broad as possible to take into account other data types that may emerge, but lawmakers recommended that the provisions be narrowed to allows CSPs to be served with notices requiring them to generate and retain subscriber data relating to IP addresses. Whether that notice should also mandate retention of Web logs “is a key issue,” and a “fundamental question which is at the heart of this legislation,” it said. Safeguards can protect against abuse of communications data or inadvertent error by public authorities, but storing Web log data, however securely, risks hacking or having the information fall into the wrong hands, allowing potentially damaging inferences about people’s activities or interests to be drawn, it said.
Another contentious issue is the “request filter” to be used to facilitate the acquisition of communications data, the report said. It would be used for complex data inquiries covering several CSPs. The Home Office said the filter isn’t a centralized database, but in fact it will store the same data about the same people in a government-owned and operated data mining device which will require every CSP to maintain its own database of all its communications data in a common format, the panel said: “The differences therefore are not as great as the Home Office suggests.” The filter will speed up complex inquiries and minimize collateral intrusion, but it also introduces new risks, such as the “temptation to go on ‘fishing expeditions,'” it said. New safeguards are needed to lessen those risks, it said.
Lawmakers also worried that government cost estimates “are not robust.” The numbers were prepared without any consultation with the telecom industry on which they largely depend, the report said. Given the government’s poor record of bringing information technology projects in on budget, and the general lack of detail about how the powers under the measure will be used, “there is a reasonable fear that this legislation will cost considerably more than the current estimates,” they said. The figure for estimated benefits is “even less reliable than that for costs, and the estimated net benefit figure is fanciful and misleading,” the report said. Any revised bill should contain a new cost-benefit analysis based on wider consultation and narrower powers, it said.
"The breadth of the draft Bill as it stands appears to be overkill,” said Joint Committee Chairman Lord Blencathra. He urged the government to “reconsider its zeal to future-proof legislation and concentrate on getting the immediate necessities right."
The Internet Services Providers’ Association praised the report, saying it backed its contentions that cost recovery should be made explicit in the legislation, and that massive retention of communications data could harm innovation and investment in the U.K. digital economy. Small ISPs could be unduly affected by the proposals, it said. It urged the government to update and narrow definitions such as subscriber data.
"Two things should happen now,” said the Open Rights Group, which dubbed the bill the “snoopers’ charter.” It’s time to “drop these dangerous plans” and for the government to go back to the drawing board, it said. In addition, “we need a fundamental, public review of digital surveillance,” the only way to come up with reasonable, proportionate proposals.
While highly critical of the proposal, the report is “too accepting” of its central premise that existing surveillance isn’t too much and is not enough, said No2ID, which campaigns against what it calls the database state. The question raised by the consultation, “What problem does it solve that cannot be handled already?” remains unanswered, it said.