Lawyer Kathryn Wynn explains why, although the furore surrounding the Government’s Communications Data Bill is probably misjudged, there are devils in the detail the Government should consider.
The furore surrounding the proposed UK Communications Data Bill (“CDB”) has been loud and extensive. You’d be forgiven for thinking that this “snooper’s charter” will allow the Government access to all our online activity, reading emails and analysing our innermost thoughts through our searches.
Worse, the media frenzy has been led by the Government itself, with Theresa May speaking of sweeping changes to pre-empt “crimes enabled by email and the internet”. News of the proposal was met with such outrage as to suggest a nation terrified of prying eyes. What are people writing in their emails that they are so desperate to hide?
In reality, these are minor amendments to existing laws rather than a sea change endangering the very concept of privacy itself. But hidden in the details, there are some very real dangers which need to be recognised.
Access to online communications data is currently governed by the Data Retention Directive 2002/24/EC (the “DRD”) and the Regulation of Investigatory Powers Act 2000 (“RIPA”). The DRD demands telecommunications providers retain billing records of customers for 12 months, which must be shared with the police and intelligence agencies if asked in relation to the prevention or detection of crime. They don’t record any content, just a record that the communication of data occurred.
RIPA is the contentious one. It allows police or intelligence agencies to intercept communications data to analyse the content, provided they have a specific and legitimate warrant.
The Communications Data Bill combines these two existing laws. The only change it makes is to widen the DRD, so that all ISPs must retain all forms of communications data. The content will only be accessed with a legitimate warrant. What this means is that, in real time, the Government won’t be intercepting communications, but they will know that they have happened.
This is not necessarily a bad thing. Content is still protected. Yet, in a state of emergency, warrants can be given within a margin of discretion due “necessary” and “proportionate” conditions. So, given that our data will be automatically retained, the swift handing out of warrants will allow the Government to get to it much faster than before.
Why is this important? The riots. The riots revealed that the Government had no way of tracking social media, which was blamed for exacerbating an already unstable situation. This panicked the Government; the CDB is its reaction, which faces up to social media and puts in place the ability to track social activity. But this comes at a cost.
Upon closer inspection, there are significant grey areas to the proposals. The current laws are used to investigate crimes that have already happened. Suspects are identified and their online communications data is then accessed with a warrant.
Accessing data in real time leaves the law vulnerable to abuse during a state of emergency. In such a situation, the Government could theoretically argue a need to err on the side of speed over privacy to justify warrants. But where do you draw the line? What constitutes a state of emergency? How can you identify a suspect during an event? How can you use online content to predict someone’s criminal intentions?
Ultimately, the CDB doesn’t intrinsically violate our privacy, but it does have the potential to do so. But before we even get to that stage there are more practical problems. For me, these fall into three categories: Europe, technology and security.
The CDB expands the remit of the DRD. But the DRD is a European directive, so any changes should occur at a European level. Changes to European laws are very slow, but the UK Government clearly wants to appear proactive. This means the UK could find itself having to overhaul this legislation in order to comply with the proposed European Union Data Protection Regulation and Directive, due to be implemented in 2014. In fact, an ISP could ignore the CDB with the strong argument that they are remaining within European law.
On a practical level, for a company to record all the data from a user’s communications creates an enormous amount of information. The government has offered to help companies meet the cost of complying with the Bill, but, even with this help, the cost of compliance could be prohibitive. And that’s assuming that the technology even exists to store this sheer quantity of data, let alone provide the filter systems to analyse it and to disclose it in a way that the law enforcement agencies do not find themselves searching for the proverbial needle.
The final problem lies in the danger of keeping this data secure. There is a significant risk of cyber-crime, or simply carelessness, in the disclosure of retained information. The CDB doesn’t explain how this weight of information is going to be protected beyond a general duty to implement appropriate security measures. Records of communications data tracking online banking, IP addresses and telephone activity will all be stored, creating a goldmine for identity theft.
The Government has been making a lot of noise about these proposals. With the riots still haunting the public mind, such legislation seems designed to make Theresa May look tough on crime. However, as the unanswered questions and potential pitfalls mount up, the CDB is starting to look like another example of a Government struggling to use legislation to deal with rapid changes in social media and technology.