Sunday 17 June 2012

The Communications Data Bill (first look)

On Thursday the government announced the Communications Data Bill. The official copy is available as CM8359 but the open rights group have made it available in in an easier to read format. The bill has attracted a lot of interest, so I thought it would be useful if I posted an explanation of what it does and does not do. Bills of this kind benefit from (or suffer, depending on your point of view) considerable amendment while passing through Parliament, so the end product may be very different.

The bill replaces two existing pieces of legislation: chapter I, part II of the Regulation of Investigatory Powers Act 2000 (RIPA) and part 11 of the Anti-terrorism, Crime and Security Act 2001 (ATCSA). For some what will be of interest will be the ways in which the bill changes that existing law, but for others that law is already controversial, so they may see debates on the bill as a chance to re-visit the state we are in.

Communications data

Chapter I, part II of RIPA is all about allowing public bodies to obtain "communications data". The bill and RIPA use essentially identical definitions of communications data (RIPA s22(4) Bill cl.2(9)), which the bill helpfully divides into three parts:

  • traffic data - which includes the identity and location of the communication's end-points and the individuals (if any) sending and receiving it;
  • use data - information which is not traffic data about the use made of a telecommunications service or in connection with the use of a telecommunications service or system;
  • subscriber data - any other information obtained by the provider of a telecommunications system about the people to whom it is provided

But, in both cases, not the content of any communications. Traffic data may include the contents of a communication, in so far as it is "traffic data" but "use data" may not.

The definition is very broad. In RIPA terms a "telecommunications service" is:

any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service)

A "telecommunications system" is:

a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy

This definition clearly includes radios and televisions; telephones and mobile telephones and routers. It almost certainly includes mail servers. I am less sure about a server which has multiple roles - since it might be difficult to say that it "exists .. for the purpose", but anyone running a server which acted as a mail transfer agent or on which ran a mail user agent (eg gmail) would surely be running a telecommunications service​ even if the server itself was not a telecommunications system​.

This means that subscriber information and usage patterns of facebook, gmail and so on are already within the scope of RIPA. The bill uses almost identical definitions for telecommunications services and systems, which suggests that exactly the same sets of data will be in scope.

Obtaining communications data

The RIPA regime for obtaining communications data has essentially two parts:

  • authorisations - given by a "designated person" to other members of their organisation or suitably associated organisations (eg collaborating police forces), who are then "authorised officeers". The effect of an authorisation is to make lawful, including removing any civil liability, anything an authorised officer does while obtaining communications data under their authorisation.
  • notices - given by a "designated person" to postal or telecommunications operators, requiring them to obtain (if they are able to) and disclose communications data

Authorisations and notices last up to a month but may be renewed.

The bill has a broadly similar structure with, as far as I can tell, a few changes:

First, an authorisation (given by a designated person) may authorise an authorised officer to give notice to telecommunications operators (cl 9(3)(d)) in contrast to RIPA where it is the designated person who may give notices (s21(4)). In other words the power to force telecommunications operators to obtain and cough up communications data appears to be delegated further down the tree. I do not know enough about how RIPA is operated within police forces to know whether this will make any practical difference.

The second change is more significant. In RIPA a "telecommunications operator" is someone who "provides a postal or telecommunications service" (s25(1)). The definition in the bill (cl 28(1)) extends "operator" to include not only those providing a service but to any person who "controls or provides a telecommunication system".

In theory that means that anyone who owns a mobile telephone (or radio or television) is a "telecommunications operator", so that, in theory, the government could order us all  to keep records of who watches any television we control. While any government doing so would look extremely stupid - and find themselves out of office very fast - the increase in reach has other more usable implications. For instance it extends to manufacturers of communications equipment, who might usefully be asked to install hardware or software to make interception easier. It will be much harder to say that particular data is out of scope.

Retaining data​

The power to obtain communications data from communications operators is only of any use if there is data to obtain. At present the main provision for requiring retention of communications data is the data retention directive. This is directed at "providers of publicly available electronic communications services or of a public communications network" (article 3) who are defined (in the framework directive) in relation to services consisting of the transmission of signals over networks. In particular the obligation does not apply to those (like gmail and facebook) who provide "information society services".

Part 11 of ATCSA, which I mentioned earlier, did give the government a power to pass secondary legislation requiring communications providers (as defined in RIPA) to retain communications data, but only for national security purposes. The power had a sunset clause which meant that if, after two years, the government had not exercised the power it would lapse which it did on December 14 2003.

The bill will change all that. Drastically. Clause 1(1) of the bill states:

(1) The Secretary of State may by order—

(a) ensure that communications data is available to be obtained from telecommunications operators by relevant public authorities in accordance with Part 2, or

(b) otherwise facilitate the availability of communications data to be so obtained from telecommunications operators.

Other than that, there are no restrictions on what the order may do. All the limitations are procedural (consultation, laying before Parliament). This means that the government may do pretty much anything that is at least rationally connected to ensuring that communications data is available. If there was any doubt about this, the rest of clause 1 spells out just how wide the power is, for instance:

  • requirements ("you must") or restrictions ("you must not") may be imposed on anyone;
  • the Secretary of State may be given a power to impose requirements and restrictions on anyone by notice
  • those requirements may include forcing the use of particular software, equipment or algorithms
  • any requirements may be aimed at a different communication provider's data (eg an out of UK mail provider that does not wish to help the UK government might be targeted by asking ISP's to monitor usage of the site)
  • telecommunications operators can be made to contract out compliance with the government or with private firms, including "on a commercial basis", eg the government could nominate a private contractor that would store data on behalf of ISP's and force ISP's to hire them to do so commercially.

It seems to me that clause 1 is just too wide. It allows far too many things. There are essentially no restraints to stop a determined government doing what it wants. The requirement for Parliamentary approval (for instance) is in practice of little weight. Secondary legislation is almost never refused by Parliament and there is no mechanism for amendment to an order that has been laid before the house.

Filtering

Clause 14 (and following) referring to "filtering arrangements" seems to have caught many people's eyes. The explanatory notes suggest that the government intends to run a great big "Request Filter" which will collate communications data from many different sources and also act as a useful front end for designated officers, for example to work out what questions to ask, what sort of results will be obtained and to extract the communications data required.

As a part of the legal analysis I'm not sure that the provisions concerning "filtering arrangements" are particularly interesting. They make it clear that the Secretary of State can run a system like the "Request Filter", but they don't give the government any more powers to obtain data - those are all to be found in clause 1. Clause 14 etc may be there to ensure that no-one challenges the creation of a Request Filter on the grounds that it is beyond the powers (​ultra vires​) of the Secretary of State's office to maintain it.

But the filtering arrangements are interesting in that they give us a clue of one of the things the government has in mind.

Conclusion

In short the bill is all about increasing the amount of communications data that the authorities can get hold of. It does this in two principle ways: (1) by giving an essentially unlimited power to the government to order anyone to do anything rationally connected with that aim (and presumably proportionate and human rights compliant - though that may result in much time-consuming litigation); and (2) by widening the scope of people who can be asked to give up communications data to anyone who controls any communications equipment - in practice almost everyone old enough to own a mobile telephone.

There are a few other bits and pieces in the bill I have not mentioned, for example a requirement for local authority officers to obtain judicial approval for authorisations and a certain amount of tidying up.

It is almost impossible to have a sane debate about this sort of law because, as always, the government are likely to say "but we will only use our powers for good". What is more the bill, if passed, won't do anything particularly bad itself​ that badness is merely a potential badness that allows for misuse of the power at a later date. Again governments will swear on their mothers' that they will only pass just and sensible secondary legislation.

I hope this short post will inform the debate.

6 comments:

Anonymous said...

Francis how significant do you think it is that it's a "Draft Bill"? Does that men it's not a Bill? Julian Huppert seemed to lay a lot of emphasis on this. William

Francis Davey said...

In this context it means that, yes, it is not yet a bill, in the sense that it has not formally started its progress from first reading.

What it means is that the government has submitted it to pre-legislative scrutiny. The next step will be for an ad-hoc joint committee of both houses to consider it, which may include the taking of evidence. The hope is that the process will produce a better drafted and more robust piece of legislation.

The House of Commons Library has a note (SN/PC/2822) which discusses the process in considerable detail.

Anonymous said...

Great analysis Francis. But, don't you mean Part I Chapter II of RIPA, not Part II?

Francis Davey said...

Anonymous, thank you, I do mean Part I Chapter II. I will amend the blog accordingly.

Anonymous said...

"a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy"
You can add an overhead projector, a video out port on a laptop used for a presentation at a conference or anything printed to the list

Clive D.W. Feather said...

[Yes, I know this is very old.]

You write:
Part 11 of ATCSA [...] had a sunset clause which meant that if, after two years, the government had not exercised the power it would lapse which it did on December 14 2003.

Actually, it didn't. SI 2003 No. 3173 extended it for another two years, and SI 2005 No. 3335 extended it for yet another two. I forget whether the power was used in 2007, or whether the Data Retention Directive made it moot. Richard Clayton will no doubt recall.