Communications Data Bill Committee report

The Joint Committee on the Draft Communications Bill has published its report, concluding that while there is “a case for legislation which will provide the law enforcement agencies with some further access to communications data” the current proposal needs “substantial re-writing”. The Committee address three of the four concerns raised in our Janet evidence.

They are concerned that clause 1 “goes much further than it need or should”, in giving the Secretary of State “sweeping powers to issue secret notices to communications service providers (CSPs) requiring them to retain and disclose potentially limitless categories of data”. Instead they recommend that any Bill brought to Parliament should be limited to the categories of data for which a case can be made now, specifically:

1. Information to allow the subscriber using a particular IP address to be identified. This information ought to be already covered by the Data Retention Regulations, so it’s not clear whether the concern is information from networks using NAT or networks that do not log their allocation of IP addresses to subscribers. However the Committee seem persuaded that this information should be covered by a new law;
2. The Home Office identified “data identifying which services or websites are used on the internet” as information that may be important for investigations. The Committee interpret this as “what websites a person has accessed, and also contacts with other internet services, such as smart phone applications”. They note that requiring an ISP to collect this information “would place massive storage demands on CSPs and would be costly” and that even a list of websites visited can be highly sensitive. They consider that Parliament is the right place to debate and decide how to balance these costs against the benefit to law enforcement;
3. Information from overseas providers of webmail and social networks to users in the United Kingdom. According to the Home Office evidence many of these services already provide information voluntarily in cases of emergencies or serious crimes; there would also be a jurisdiction problem in trying to compel retention or disclosure as it is unlikely that UK law could formally be enforced against a foreign service provider. The draft Bill therefore contains options both to obtain communications data directly from such foreign services and to require UK access networks to collect the information (presumably using deep packet inspection though this is technically challenging and would be expensive to keep up to date). The Committee conclude that the latter option “makes CSPs rightly nervous” and say that rules limiting when the option would be used must be given statutory force.

Rather than the draft Bill allowing the Home Office to add new data types or authorities allowed to access them, the Committee consider that any extension should be subject to effective Parliamentary scrutiny.

On the system for obtaining access to stored data, the Committee consider that current best practice under the Regulation of Investigatory Powers Act should be made a statutory requirement. Authorities that make frequent use of data access powers should have trained Single Points of Contact (SPoCs) to check that requests are correct, authorities that use their powers less often should be required to use shared SPoCs such as the current National Anti-Fraud Network (NAFN) who can maintain the required expertise. Inspections of SPoCs should be used to build public confidence that powers are being used correctly and that any invasion of privacy is necessary and proportionate. Other supervisory powers and processes should also be strengthened and a specific criminal offence of misusing communications data be created.

The Committee quote, and agree with, our view that the current definition of “communications data” is flawed and even go further, concluding that the “language of RIPA is out of date” and that the classes of communications data “should be re-drafted” in a way that reflects the different levels of privacy sensitivity of different data types. However they make no comment on the other definitional change – that data retention requirements currently only applicable to public electronic communications services could in future be imposed on any “telecommunications operator”, a term defined in the draft Bill so as to include any person or organisation who connects two computers together. The Home Office seem to have admitted this broadened scope by saying that they might issue notices to “CSPs which are not covered by the EU Data Retention Directive”. The draft Bill places no limit on such notices, but the Home Office suggested private networks might only “be asked ... to retain for 12 months data which they already create for business purposes” (in other words to behave according to the current Data Retention Regulations). If the restriction to public networks were to be removed then such a notice might cover Janet though we have no information about individual users of university or college networks.

The Intelligence and Security Committee has also reported on the draft Bill, and from the summary that has been published it seems they have similar concerns. News reports suggest the Government has agreed that the Bill will need to be re-written in the light of the Committees’ reports. Since the Joint Committee strongly recommended a further consultation before it is brought to Parliament, we should have the opportunity to provide further comments on any revised version.