I’ve made a Janet submission to the joint Parliamentary Committee considering the draft Communications Data Bill. It’s actually quite hard to predict what the effect of the Bill would be, as the Bill creates extremely wide powers for both the Home Secretary and Law Enforcement and the impact will depend on how those powers are used. However there does seem to the possibility of significant disruption to the operation of networks and to the current processes for obtaining communications data, as well as a couple of definitions that make the scope of the draft Bill a lot wider than the Government’s accompanying notes suggest is intended. Since this is a draft Bill I hope that those will be fixed before the actual proposal for legislation is published.
The draft Bill would allow the Home Secretary to order pretty much any action to “facilitate the availability of communications data”. From the little that has been said by the Government, the intention seems to be to use the powers to add equipment into ISPs’ networks to collect information about the use of other communications services such as webmail that aren’t covered by the current Data Retention Regulations. I’ve pointed out that networks such as Janet are designed to provide very high reliability and speed and inserting new equipment (whose reliability is unknown) or requiring changes to network designs to facilitate that could have a significant effect on that important design goal. Since the aim of the Bill is to increase the amount of communications data available for investigating crimes, it seems inevitable that it will result in larger collections of data and that those collections will themselves be targets for criminals especially if, as some of the Government’s comments in evidence to Parliament’s Joint Committee seem to imply, the systems will be storing information about traffic that would otherwise be encrypted. So network operators will not only be faced with new requirements to re-engineer their networks, they’ll also be faced with new security challenges. That seems likely to require staff effort to be diverted away from the operators’ main business.
The Bill would create a single piece of legislation covering both data retention and access by law enforcement to the retained data. At the moment those are separate (in the Data Retention (EC Directive) Regulations and the Regulation of Investigatory Powers Act respectively) which has caused problems where the two acts don’t line up. However rather than the current single process for data access under RIPA s.22, the new Bill seems to permit the creation of as many processes as senior officers can think of. That is likely to make data access slower, since it will be much harder for those receiving requests or orders to disclose information to set up standard processes to handle them. It is also likely to create more opportunities for unauthorised people to impersonate legitimate processes, as the Information Commissioner highlighted in his report “What Price Privacy Now?” a few years ago. The Home Office’s current code of practice for accessing communications data strongly discourages the use of any process other than RIPA s.22 for both these reasons.
Finally a couple of definitions have been simply copied from the existing Acts into this new one, with unfortunate effects. At the moment Data Retention only applies to public networks, and RIPA data access to all networks. The draft bill applies the RIPA definition to both retention and access, which means that it would give the Home Secretary the power to order collection of communications data from the internal networks of any company and most houses. There’s nothing in the notes on the draft Bill to suggest that that is actually what is intended! Second, and definitely not what the Government intend, is that the definition of Subscriber Data seems to have been copied from the existing Data Retention Regulations. In Regulations that only apply to Internet Access Providers it may have been acceptable to have a definition of “everything else that the organisation holds about the user”, but in a Bill that is intended to cover webmail and social network providers it clearly isn’t. Subscriber Data needs to be defined positively as something like “the identity and contact details of the subscriber”.