Communications surveillance briefing

The House of Lords added significant safeguards to legislation on communications surveillance (wiretapping and related activities) during 2000 and 2001. But the Home Office caused great controversy last summer when it proposed secondary legislation that would have allowed hundreds of central and local government bodies — down to the smallest parish meeting — self-authorised access to "communications data" (records of individuals’ contacts, mobile phone location and website visits).

Public and parliamentary pressure forced the withdrawal of that draft Statutory Instrument. The Home Office instead recently concluded two public consultations on the retention of and access to this information. This briefing sets out FIPR’s views on which parts of the surveillance legislation need updating.

Public confidence in the surveillance system requires impartial control and oversight, along with credible sanctions for abuse. Judicial authorisation should therefore be required for access to communications data. Agencies without sufficient case for access to such sensitive data should instead conduct joint investigations with the police when necessary. Other legislative powers to access records should exclude communications data. Subjects of requests should later be notified, and detailed statistics published annually by the Interception Commissioner. With these safeguards in place, government may start to earn public trust in its activity online. Without them, trust in law enforcement and in government more generally will be further eroded. This is not a situation that anyone should wish to come about.

Legislative summary

Surveillance of communications (the use of telephone systems, the Internet, mobile phones etc.) comes under two separate regimes in UK law. Interception of content (what is said in a phone call or e-mail) is authorised by the Home Secretary under Part I Chapter I of the Regulation of Investigatory Powers Act 2000 (RIPA). This Chapter also gives the Home Secretary the power to force phone companies and Internet Service Providers (ISPs) to install interception devices in their network. Interception may be requested by the Security Service, Secret Intelligence Service, GCHQ, National Criminal Intelligence Service, the police, Customs and Excise, Defence Intelligence or other national government bodies under a treaty obligation.

Access to "communications data" — records of calls made and received, e-mails sent and received, websites access, the location of mobile phones — will be regulated under Part I Chapter II of RIPA once it is activated using secondary legislation. Currently, this data is accessed by a wide variety of agencies using powers from the common law and various pieces of legislation, including the Data Protection Act 1998.The Anti-Terrorism, Crime and Security Act 2001 gives the Home Secretary the power to force the retention of communications data by phone and Internet companies for periods specified by secondary legislation.

Interception

The interception of communications is clearly the most invasive type of surveillance. It should require explicit judicial rather than ministerial authorisation. A set of security-cleared judges should deal with national security cases; the rest of the judiciary are already experienced in dealing with sensitive material in cases of serious crime. This is how surveillance is regulated in the United States.

Communications data access

We strongly agree with Elizabeth France, the former Information Commissioner, that privacy can be seriously compromised by access to communications data as well as to intercepted content. Mrs. France commented in a Parliamentary briefing that "[b]oth sets of data provide insight into the private lives of individuals and should therefore be subject to equivalent controls and safeguards."

Appropriate authorisation requirements for access to communications data are vital for public trust in the system. Existing legislation contains some of the mechanisms that could provide these requirements. But others will require new primary legislation.

Access to subscriber data (such as the name and address of the owner of a telephone number or e-mail address) is the least intrusive of the access powers. It is also extremely common. Although precise figures are not published, we estimate that over one million such requests are made every year in the UK. The regime under RIPA for access to this data therefore seems reasonably appropriate.

Access to other types of communications data is far more intrusive. Information on a person’s contacts, reading habits and even mobile phone location all provide a detailed picture of that person’s private life. This traffic and usage data should therefore only be available upon issuance of a judicial warrant.

However, the cost recovery mechanisms contained in RIPA are an important financial constraint on the actions of law enforcement agencies and help to ensure that their use of the powers is proportionate to what can be gained from them. The requirement to liaise with Communications Service Providers (CSPs) through a Single Point of Contact (SPoC) is also vital to the smooth provision of service by CSPs.

New primary legislation should therefore be brought forward to provide for judicial authorisation of access to the traffic and usage data defined in s.21(4)(a) and (b) of RIPA with mandatory cost recovery and use of SPoCs. For clarity, these two subsections should be merged into a simpler definition of traffic data. s.21(4)(c) should be rewritten as a clearer definition of subscriber data.

With or without new primary legislation, additional agencies should only be provided with access to traffic and usage data after presenting the strongest case. The emergency services and specialised police agencies are the only bodies that appear to have such a case.

Other agencies should conduct joint investigations with the police where traffic or usage data is required. They do not have, and will not obtain, the experience necessary to properly identify, request and analyse traffic and usage data given the low volume of their requests.

This joint approach is already being taken by bodies such as the Department for Environment, Food and Rural Affairs. It should be expanded by only giving access to subscriber data to other agencies. Several other pieces of legislation give powers to demand records to agencies such as the Department for Work and Pensions. As with interception, new primary legislation should make clear that communications data may only be accessed through properly human rights-compliant RIPA procedures.

Usage

The Home Office consultation suggested an additional safeguard for access powers: a certification scheme that could verify the procedures used and actions taken within agencies when requesting communications data. We would suggest that this should already be part of the Interception Commissioner’s function. The involvement of the Information Commissioner might increase public confidence in the rigour of the certification process.

Oversight

We do not believe that one centralised office (of the Interception Commissioner) can provide proper oversight of more than one million requests per year. Even when properly resourced, the office will only be able to examine a tiny fraction of the total requests made. A central record of requests is not planned; the Interception Commissioner will need to visit hundreds of bodies around the country annually under current government proposals.

It is therefore vital that the subjects of requests should be notified of the access at some later point. This would provide much greater transparency in the use of these powers, and an important check on abuse by the state or corrupt staff. A judicial warrant should allow notification to be delayed if it would prejudice an ongoing investigation. The Interception Commissioner should continue to oversee the system, but publish far more detailed statistics on its operation, including the material necessary to enable outsiders to make an informed appreciation of the justifiability of the use of invasive powers. These could include the number of specific devices covered by notices, and cases brought to trial and successfully prosecuted per notice.

Sanctions

There is no point in proposing rules for access to communications data without effective sanctions for breaking those rules. The prospect of officials able to abuse rules without fear of sanction can be guaranteed to erode public trust in law enforcement and in public services generally. Illegally obtained data should be inadmissible in evidence.

Wider debate

The Home Office has asked whether a wider public debate is needed on privacy. The furore caused by last summer’s RIPA Statutory Instruments makes clear that it is. This is an issue that will only become more pressing as more and more details of our lives are captured online. One step that would encourage an ongoing debate would be an annual discussion in Parliament. The Commons Committee on the Lord Chancellor’s Department or the Joint Committee on Human Rights might like to scrutinise the annual reports of the Interception, Surveillance and Information Commissioners in a session that also examined other privacy issues that had arisen during the year.

Communications data retention

The compulsory storage of communications data has great potential for enabling the invasion of privacy. The Lords insisted, even after substantial government pressure, on limiting the Home Secretary’s powers to require data retention under the Anti-Terrorism, Crime and Security Act 2001 to situations "directly or indirectly related to national security".

This important safeguard, particularly appropriate in an emergency bill rushed through Parliament in the aftermath of the 11 September 2001 tragedy, is already under attack by the government. The consultation document asking for the public’s views on data retention stated that: "The Home Office do not consider that the fact that data is held by a communication service provider under the Code of Practice for national security purposes, and not for any other reason, should prevent the police or other public authorities having access to that data when they can demonstrate a proportionate need for it." (s.11.8)

The Lords also inserted a sunset clause on these supposed "emergency" provisions: if not used by the Home Secretary within two years, the data retention powers lapse. Even now, within four months of this deadline, we have not seen draft orders to impose retention. This suggests that the government was over-hasty in demanding the powers, and a more considered debate might be appropriate at this point.

FIPR would highlight three pertinent facts:

1. The European Data Protection Commissioners have repeatedly emphasized that mandatory blanket data retention would be an improper invasion of the fundamental rights guaranteed to individuals by Article 8 of the European Convention on Human Rights (ECHR), as further elaborated by the European Court of Human Rights (see Opinion 4/2001 of the Article 29 Working Party established by Directive 95/46/EC; the Declaration of Stockholm of April 2000; and most recently, the Statement issued in Cardiff in September 2002). Law enforcement authorities should only be permitted to require Communications Service Providers to retain ("preserve") data beyond the normal time needed for contractual (billing) and other business purposes in specific cases, in which the need for such data preservation was clearly demonstrated, subject to adequate legal safeguards.

   As the European Data Protection Commissioners make clear, data preservation in an individual case can only be allowed if there is a "demonstrable need" in that particular case (i.e. the authorities cannot require preservation of traffic data relating to a particular subscriber "just in case" the data may be useful later). Even in such individual cases, the period of retention must be as short as possible. Most importantly, under both the ECHR (and thus the Human Rights Act) and the EU data protection directives, "the practice must be clearly regulated by law, in a way that provides sufficient safeguards against unlawful access and any other abuse. Systematic retention of all kinds of traffic data for a period of one year or more would be clearly disproportionate and therefore unacceptable in any case."

2. Legal opinions given to the Office of the Information Commissioner and elsewhere have concluded that retention would be unlawful given the disparity of purpose between access to traffic data under the Regulation of Investigatory Powers Act and retention only for national security-related purposes under the Anti-Terrorism Crime and Security Act. This is a barrier to retention that could only be addressed through new primary legislation.

3. Internet Service Providers have repeatedly made clear, individually and through their trade association ISPA, that the Home Office has not provided a justification for retention. The examples given by the Home Office concerning the use of communications data are entirely unconvincing. They largely concern time periods that are longer than those proposed for retention in existing plans. They do not attempt any cost/benefit analysis based on cases lost due to missing communications data. They certainly do not justify the very high cost that larger ISPs have estimated for retention mechanisms. ISPs are therefore not willing to implement retention voluntarily.

We have therefore strongly urged that the Home Office drop all plans for retention and allow the powers to require it to lapse on 13 December 2003 under s.105 of the Anti-Terrorism, Crime and Security Act. They should follow the lead of the US Federal Bureau of Investigation and rely instead on data preservation powers.

The failure of the government to address preservation issues over the past two years has been a lost opportunity. We feel sure that the issues involved could even now be addressed by relatively brief discussions. No further time should be wasted on inevitably doomed attempts to implement data retention.

Ian Brown, 18 August 2003.