As I mentioned back in October, the Joint Parliamentary Committee that has been considering the Draft Communications Data Bill, aka Snooper's Charter, seemed to be doing a rather splendid job. It asked witnesses extremely perceptive questions, and seemed unwilling simply to accept the UK government's line that we needed these draconian powers because "terrorism"...
So I was expecting a rather punchy report from them, and they haven't disappointed. It's quite long – about 100 pages – but is extremely well written, with lots of ancillary explanations about related areas that make it fascinating if you're into that sort of thing. And it seems to have had an effect already: Number 10 has said that the bill will be redrafted in the light of the Committee's comments.
These start off by querying one of the key claims of the government about why we desperately need to carry out 24x7 surveillance of the entire online world in the UK:
The Government assert that the powers contained in the draft Bill are necessary to ensure that the powers of law enforcement, national security agencies and other public authorities keep pace with technological change. Communications technologies and services are constantly evolving and the Government are concerned that "the ability of the police and others to use this vital tool is disappearing because communications data from new technologies is less available and often harder to access". The Government state that at present approximately 25% of communications data required by investigators is unavailable and that without intervention this will increase to 35% within two years. The aim of the Bill is to bring availability back to around 85% by 2018.
The Committee is rightly sceptical:
It is acknowledged on all sides that the volume of communications data now available is vastly greater than what was available when RIPA [Regulation of Investigatory Powers Act] was passed. The much quoted figure of a 25% communications data gap purports to relate to data which might in theory be available, but currently is not. The 25% figure is, no doubt unintentionally, both misleading and unhelpful.
Part of the gap is down to a lack of ability on behalf of law enforcement agencies to make effective use of the data that is available. Addressing this should be a priority. It does not require fresh legislation but will involve additional expenditure.
This is absolutely crucial: it means that even with the present laws, the amount of data that the authorities can access is soaring. Moreover, better training would allow them to use even more of it. That, in its turn, means that there is simply no pressing need to extend surveillance in the way the UK government proposes. The police may want it to make their life easier, but that doesn't mean it's a proportionate request – something I discuss further at the end of this post.
The Committee spends much of its time discussing Clause 1 of the Bill, because it is so open-ended – it essentially allows the Home Secretary to update the Act on the fly, without consultation. As the Committee writes:
The Home Office has argued that there is a case for keeping clause 1 wide because there may be other data types that emerge from time to time which will be important to law enforcement but will not be routinely retained by CSPs [Communication Service Providers] for business purposes. We do not accept that this is a good reason to grant the Secretary of State such wide powers now. We do not think that Parliament should grant powers that are required only on the precautionary principle. There should be a current and pressing need for them.
This is absolutely right, and should be applied to everything in the Bill. One of the key issues is whether "Web logs" should be retained. This is something that I wrote about in my submission to the Committee: the problem is that retaining such Web logs actually provides a huge amount of information about the content – in fact, even the Web site name does that. This is an unacceptable intrusion into people's lives. On this topic, the Committee wrote:
Whether clause 1 should allow notices that require CSPs to retain web logs up to the first "/" is a key issue. The Bill should be so drafted as to enable Parliament to address and determine this fundamental question which is at the heart of this legislation.
The Home Office and law enforcement agencies and (so far as we know) the intelligence and security services think that access to weblogs is essential for a wide range of investigations. The civil liberties organisations argue that web logs are potentially a highly intrusive form of communications data and that generating and storing web logs gives rise to unacceptable risks to the privacy of individuals.
There follows a great discussion of two crucial areas: encryption and Deep Packet Inspection. Google basically said it would not decrypt anything without a court order in the US, and others pointed out that trying to spy inside traffic streams is likely to push even more people to use encryption, making things worse, not better than they are. It was also questioned whether DPI could scale if it were used widely.
Another key area is the issue of the "Request Filter": basically, this would turn the distributed databases held by each ISP into a single, centralised database that can be searched. Here's what the Committee wrote about this important aspect:
The Request Filter would make it technically possible to perform profile searches on individuals. If it was used in this way there is a risk that it could amount to general monitoring, but there are safeguards to prevent this. Every request to the Request Filter will have to go through the same authorisation process set out in Chapter 2. This includes a requirement to explain why the request is necessary and proportionate, and needs the authorisation of a Designated Senior Officer. In addition the draft Bill puts obligations on the IoCC to monitor the operation of the Request Filter and examine the audit trails produced. This safeguard is key, as Professor Peter Sommer told us: "If these safeguards are not rigorously applied and fully examined by the Interception of Communications Commissioner there is a risk that that what is described as "request filtering" becomes large-scale data mining; the necessity and proportionality tests need to be applied not to just the individual data streams as supplied by CSPs but to the likely effect when they are assembled together."
In other words, the technical capability is definitely there, only the "safeguards" would prevent it being deployed – hardly very reassuring.
Finally, there is the question of what communications data should include:
The definitions of use, subscriber and traffic data are particularly problematic. Subscriber data should not be a catch-all for data that does not meet the other definitions. Currently the definition of subscriber data could be read to cover all sorts of data that social networks and other services keep on their customers which can be highly personal and is not traditionally thought of as communications data. A new definition of subscriber data is needed that simply covers the basic subscriber checks that are the most commonly used. How to define subscriber data should be a key element of the consultation, but the evidence we have received leads us to suggest that the definition should include checks on the name, date of birth, addresses and other contact information held on the subscriber to a communication service; for each service the customer's unique ID (e.g. mobile number, e-mail address or username); the activation, suspension and termination dates of an account and payment and billing information.
That's well and good, but the trouble is, this fails to address the issue of Web content being implicit in Web addresses.
The Committee rightly seizes on the UK government's cost estimates:
We are concerned that the Home Office's cost estimates are not robust. They were prepared without consultation with the telecommunications industry on which they largely depend, and they project forward 10 years to a time where the communications landscape may be very different. Given successive governments' poor records of bringing IT projects in on budget, and the general lack of detail about how the powers under the Bill will be used, there is a reasonable fear that this legislation will cost considerably more than the current estimates.
That's putting it mildly: if these plans go ahead, they likely to cost nearer £10 billion than £1.8 billion given past overspends and the huge complexity of the task. The government even has the temerity to present savings that the snooper's charter will provide, but the Committee is having none of it:
The figure for estimated benefits is even less reliable than that for costs, and the estimated net benefit figure is fanciful and misleading. It ought not to be used to influence Parliament in deciding on the relative advantages and disadvantages of this legislation. Whatever the benefits of the Bill, they are unlikely to be financial.
The Committee's conclusion is as follows:
Our overall conclusion is that there is a case for legislation which will provide the law enforcement authorities with some further access to communications data, but that the current draft Bill is too sweeping, and goes further than it need or should. We believe that, with the benefit of fuller consultation with CSPs than has so far taken place, the Government will be able to devise a more proportionate measure than the present draft Bill, which would achieve most of what they really need, would encroach less upon privacy, would be more acceptable to the CSPs, and would cost the taxpayer less.
Of course, everyone wants safety, but the issue is how much extra safety is obtained by sacrificing progressively more privacy online. In this context, Theresa May's famous article in The Sun recently is a sad piece of work:
In an exclusive interview with The Sun, the Home Secretary insists "we could see people dying" if a new law to authorise online probing is blocked.
She's quite right of course; but she would have been equally right had she said we could see people dying if we don't install CCTVs in everyone's home, and implant chips in everyone to allow people to be tracked 24x7. If Theresa May does not bring in those measures, then by her own logic, she is clearly in favour of terrorism and paedophiles, since they would obviously help combat both.
But the point is that like the massive online surveillance she wants, both of those approaches are disproportionate. We accept that yes, crimes may happen without CCTVs and chip implants because the price we would be paying for that security would be a massive loss of liberty. What May refuses to acknowledge is that storing all online communications is an equally high price to pay – very similar to putting CCTVs in our homes, in fact, since it would effectively record our every action online, just as CCTV would record it offline.
It is this issue of proportionality that has been missing from the debate. Instead, the 7/7 terrorist attacks in London, and the recent deaths of two policewomen, are invoked to call forth an immediate emotional response that covers up the massive void at the heart of her arguments. The fact that the Home Secretary could stoop to such a level is a sad sign of how desperate she is: she clearly does not have any cogent reasons why we should all give up our online privacy, and allow digital CCTVs to be installed at our ISPs, and has to resort to such cheap rhetorical tricks instead.
It's yet another reason why we must not go down this route of installing the kind of massive, pervasive surveillance the current Bill would introduce: the Home Secretary and UK government simply can't be trusted not to play the terrorism and paedophile cards against us once more in order to allow unrestricted, real-time access to the data about our online activities.
Instead the police and security forces should be aiming to use their current interception powers better, and asking for exceptional ones to be approved by a judge on a case-by-case basis. That approach offers both security and freedom.
Find your next job with computerworld UK jobs