Sunday 17 June 2012

The Communications Data Bill (first look)

On Thursday the government announced the Communications Data Bill. The official copy is available as CM8359 but the Open Rights Group have made it available in an easier to read format. The bill has attracted a lot of interest, so I thought it would be useful if I posted an explanation of what it does and does not do. Bills of this kind benefit from (or suffer, depending on your point of view) considerable amendment while passing through Parliament, so the end product may be very different.

The bill replaces two existing pieces of legislation: chapter I, part II of the Regulation of Investigatory Powers Act 2000 (RIPA) and part 11 of the Anti-terrorism, Crime and Security Act 2001 (ATCSA). For some what will be of interest will be the ways in which the bill changes that existing law, but for others that law is already controversial, so they may see debates on the bill as a chance to re-visit the state we are in.

Communications data

Chapter I, part II of RIPA is all about allowing public bodies to obtain "communications data". The bill and RIPA use essentially identical definitions of communications data (RIPA s22(4) Bill cl.2(9)), which the bill helpfully divides into three parts:

  • traffic data - which includes the identity and location of the communication's end-points and the individuals (if any) sending and receiving it;
  • use data - information which is not traffic data about the use made of a telecommunications service or in connection with the use of a telecommunications service or system;
  • subscriber data - any other information obtained by the provider of a telecommunications system about the people to whom it is provided

But, in both cases, not the content of any communications. Traffic data may include the contents of a communication, in so far as it is "traffic data" but "use data" may not.

The definition is very broad. In RIPA terms a "telecommunications service" is:

any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service)

A "telecommunications system" is:

a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy

This definition clearly includes radios and televisions; telephones and mobile telephones and routers. It almost certainly includes mail servers. I am less sure about a server which has multiple roles - since it might be difficult to say that it "exists .. for the purpose", but anyone running a server which acted as a mail transfer agent or on which ran a mail user agent (eg gmail) would surely be running a telecommunications service even if the server itself was not a telecommunications system.

This means that subscriber information and usage patterns of facebook, gmail and so on are already within the scope of RIPA. The bill uses almost identical definitions for telecommunications services and systems, which suggests that exactly the same sets of data will be in scope.

Obtaining communications data

The RIPA regime for obtaining communications data has essentially two parts:

  • authorisations - given by a "designated person" to other members of their organisation or suitably associated organisations (eg collaborating police forces), who are then "authorised officers". The effect of an authorisation is to make lawful, including removing any civil liability, anything an authorised officer does while obtaining communications data under their authorisation.
  • notices - given by a "designated person" to postal or telecommunications operators, requiring them to obtain (if they are able to) and disclose communications data

Authorisations and notices last up to a month but may be renewed.

The bill has a broadly similar structure with, as far as I can tell, a few changes:

First, an authorisation (given by a designated person) may authorise an authorised officer to give notice to telecommunications operators (cl 9(3)(d)) in contrast to RIPA where it is the designated person who may give notices (s21(4)). In other words the power to force telecommunications operators to obtain and cough up communications data appears to be delegated further down the tree. I do not know enough about how RIPA is operated within police forces to know whether this will make any practical difference.

The second change is more significant. In RIPA a "telecommunications operator" is someone who "provides a postal or telecommunications service" (s25(1)). The definition in the bill (cl 28(1)) extends "operator" to include not only those providing a service but to any person who "controls or provides a telecommunication system".

In theory that means that anyone who owns a mobile telephone (or radio or television) is a "telecommunications operator", so that, in theory, the government could order us all to keep records of who watches any television we control. While any government doing so would look extremely stupid - and find themselves out of office very fast - the increase in reach has other more usable implications. For instance it extends to manufacturers of communications equipment, who might usefully be asked to install hardware or software to make interception easier. It will be much harder to say that particular data is out of scope.

Retaining data

The power to obtain communications data from communications operators is only of any use if there is data to obtain. At present the main provision for requiring retention of communications data is the data retention directive. This is directed at "providers of publicly available electronic communications services or of a public communications network" (article 3) who are defined (in the framework directive) in relation to services consisting of the transmission of signals over networks. In particular the obligation does not apply to those (like gmail and facebook) who provide "information society services".

Part 11 of ATCSA, which I mentioned earlier, did give the government a power to pass secondary legislation requiring communications providers (as defined in RIPA) to retain communications data, but only for national security purposes. The power had a sunset clause which meant that if, after two years, the government had not exercised the power it would lapse, which it did on December 14 2003.

The bill will change all that. Drastically. Clause 1(1) of the bill states:

(1) The Secretary of State may by order—

(a) ensure that communications data is available to be obtained from telecommunications operators by relevant public authorities in accordance with Part 2, or

(b) otherwise facilitate the availability of communications data to be so obtained from telecommunications operators.

Other than that, there are no restrictions on what the order may do. All the limitations are procedural (consultation, laying before Parliament). This means that the government may do pretty much anything that is at least rationally connected to ensuring that communications data is available. If there was any doubt about this, the rest of clause 1 spells out just how wide the power is, for instance:

  • requirements ("you must") or restrictions ("you must not") may be imposed on anyone;
  • the Secretary of State may be given a power to impose requirements and restrictions on anyone by notice
  • those requirements may include forcing the use of particular software, equipment or algorithms
  • any requirements may be aimed at a different communication provider's data (eg an out of UK mail provider that does not wish to help the UK government might be targeted by asking ISPs to monitor usage of the site)
  • telecommunications operators can be made to contract out compliance with the government or with private firms, including "on a commercial basis", eg the government could nominate a private contractor that would store data on behalf of ISPs and force ISPs to hire them to do so commercially.

It seems to me that clause 1 is just too wide. It allows far too many things. There are essentially no restraints to stop a determined government doing what it wants. The requirement for Parliamentary approval (for instance) is in practice of little weight. Secondary legislation is almost never refused by Parliament and there is no mechanism for amendment to an order that has been laid before the house.

Filtering

Clause 14 (and following) referring to "filtering arrangements" seems to have caught many people's eyes. The explanatory notes suggest that the government intends to run a great big "Request Filter" which will collate communications data from many different sources and also act as a useful front end for designated officers, for example to work out what questions to ask, what sort of results will be obtained and to extract the communications data required.

As a part of the legal analysis I'm not sure that the provisions concerning "filtering arrangements" are particularly interesting. They make it clear that the Secretary of State can run a system like the "Request Filter", but they don't give the government any more powers to obtain data - those are all to be found in clause 1. Clause 14 etc may be there to ensure that no-one challenges the creation of a Request Filter on the grounds that it is beyond the powers (ultra vires) of the Secretary of State's office to maintain it.

But the filtering arrangements are interesting in that they give us a clue of one of the things the government has in mind.

Conclusion

In short the bill is all about increasing the amount of communications data that the authorities can get hold of. It does this in two principal ways: (1) by giving an essentially unlimited power to the government to order anyone to do anything rationally connected with that aim (and presumably proportionate and human rights compliant - though that may result in much time-consuming litigation); and (2) by widening the scope of people who can be asked to give up communications data to anyone who controls any communications equipment - in practice almost everyone old enough to own a mobile telephone.

There are a few other bits and pieces in the bill I have not mentioned, for example a requirement for local authority officers to obtain judicial approval for authorisations and a certain amount of tidying up.

It is almost impossible to have a sane debate about this sort of law because, as always, the government are likely to say "but we will only use our powers for good". What is more, the bill, if passed, won't do anything particularly bad itself: that badness is merely a potential badness that allows for misuse of the power at a later date. Again governments will swear on their mothers' that they will only pass just and sensible secondary legislation.

I hope this short post will inform the debate.

Tuesday 12 June 2012

Trolls and the defamation bill 2012

The Defamation Bill 2012 had its second reading in the House of Commons today. One aspect of the bill which did not (as far as I can see) appear in the draft bill is a rather peculiar defence for website owners. In characteristic style, the BBC picked it up under the title "websites to be forced to identify trolls under new measures" and mangled the story completely.

The BBC's report mentions the case of Nicola Brookes, who appears to have been the victim of vicious trolling on facebook. It is reported that she obtained a court order forcing facebook to reveal the IP addresses of its users who harassed her anonymously using the site. I have no further details of that case, but it would seem to be an entirely conventional Norwich Pharmacal order used by Nicola Brookes in order to bring a prosecution for breach of the Protection from Harassment Act 1997. Her case has nothing (much) to do with defamation which is not a crime as implied by the BBC.

Her case is an illustration of the fact that there is already a fairly well tested power to force intermediaries, including social networking sites, to reveal the identity of wrongdoers (criminal or civil) by court order. There is no new power to do this under the defamation bill.

What the defamation bill has done is introduce a new defence for some intermediaries - "website operators". In the current draft of the bill, clause 5 applies where "an action for defamation is brought against the operator of a website in respect of a statement posted on the website." The operator has a defence if they are able to show that it was not them that posted the statement on the website.

I'm not exactly sure what "posted" means in this context. Does it include (say) the FOI responses of public authorities on www.whatdotheyknow.com? The public authority is the immediate cause of the appearance of a statement on the site, but the actual transfer from incoming email to web page is done by the site's own software. This does matter. It would be great if sites like whatdotheyknow had a defence against material they manage, but they are unlikely to want to test the matter in court.

In my experience these kinds of semantic difficulties are often sharpened up later on in a bill's passage. I hope that happens in this case.

The defence is not an absolute one. It can be defeated if three conditions hold:
  • the claimant could not identify the person making the complaint
  • the claimant gave the operator a notice of complaint relating to the statement
  • the operator failed to respond to the notice of complaint in time
Where the content of the notice, what is "in time" and what an operator is required to do in response are to be specified in regulations made later with an inevitably reduced level of parliamentary scrutiny, although the notice will be required to specifically point to "where on the website the statement was posted". Surprisingly many "take down" requests my clients receive don't even go this far.

So, let's be clear, there's nothing here that requires the website owner to do anything unless they want to. The sanction for non-compliance is that they lose a defence to a libel claim. But website owners already have a number of common law and statutory defences. In particular they are protected by Article 14 of the e-commerce directive. This is an absolute defence against almost any liability a website owner might have for information supplied by a third party provided that either:
  • they don't know about the illegality or
  • once they do know they act "expeditiously" to remove the information
This has never been a very good defence since the host has to make up their mind whether or not they know about the illegality, but of course, how can they know? If it is information supplied by a third party they may have no idea. The European Court of Justice has been relatively generous about "knowledge" in this context - being well aware of the difficulties the host may have - but in the context of defamation it is always going to be a tough call. The fact that something looks defamatory ought to be obvious in most cases just by reading it.

So the proposals in clause 5 might have the effect of persuading website owners to give up the identity of anonymous users of their site as a result of general fear, uncertainty and doubt. On the other hand there will be nothing to stop them removing the material if they prefer to do so.

My views of the bill roughly echo those of the Inform Blog. Some of the "reforms" may even make things worse since they copy (into statute) things the courts are doing already, but none of us will be entirely sure whether that copy was, or was intended to be, perfect, so there may be yet more litigation to sort that out. Why we need to enact reforms the courts have already worked out for themselves seems puzzling to me, but I am not a politician.

As things stand the proposed clause 5 has a number of oddities.

First, there's nothing that penalises false use of a notice of complaint, nor is there anything allowing the regulations to impose sanctions on a claimant who misuses the procedure. In my view that should be fixed.

Second, if the claimant can already find out the identity of an anonymous troll (via the Norwich Pharmacal procedure), why do we need to qualify the website owner's defence at all? Sure, a Norwich Pharmacal order is expensive, but then so is a libel claim. 

Third, and most odd of all, the new clause 5 would give an absolute defence for any comment which was from an identifiable individual. As it stands if I, under my own name, post the most unpleasant libel to a website hosted in the UK, the victim of the libel can sue me but cannot sue the website. But suing me may not be what the victim wants - I might be dead, have no money or have run away to another country where they cannot catch me.

What a victim will often want in such cases is for the libel to go away and/or be corrected. They want some way of having the libel taken down. As it stands clause 5 may take away the victim's power to do that since the website owner will have no liability in defamation at all. In some cases (eg blog comments) even I may not be able to remove a publication I have made, so a court order against me (the guilty party) may also be useless.

I am not sure that is what is intended and expect that the wording will be tidied up considerably if the clause goes forward but I still doubt very much that it is the right approach.