The draft Communications Data Bill was announced in the May 2012 Queen's Speech. As of December 2013, the Home Office was still committed to redrafting this legislation in response to criticisms, and final proposals had not been drawn up. Given the revelations by Edward Snowden of GCHQ's existing digital surveillance, the delay may continue until the extent of GCHQ's current capabilities has been established. The LibDems have said they will block the bill as long as they are part of the coalition government. However, there is still pressure for legislation that gives UK police greater access to data.
Rumours of aHome Office Interception Modernisation Programme surfaced in 2008. In 2009 the Labour government released a consultation paper. The proposals were dropped after significant public opposition. (You can read the joint ORG and FIPR response to this consultation here.)
In forming the coalition government in 2010, the Conservatives and Liberal Democrats (who in 2009 called IMP "incompatible with a free country") promised "to end the storage of Internet and email records without good reason". Less than two years later, they reinstated it as the Communications Capabilities Development Programme. The draft Communications Data Bill was the first attempt at the necessary legislation.
The Home Office argues that the programme gives law enforcement the same ability to track whom you are contacting on your computer or smartphone (over email, Skype, instant messaging, or social networks) that was available with earlier forms of communications (by checking your telephone bill). Under EU data retention rules, ISPs must keep records of when you go online or you use the ISP’s email system.
As drafted, the CDB would require communications service providers also to collect third-party data transiting their networks, data that, until now, has seldom been monitored, let alone recorded for twelve months on the off-chance it will be useful. ISPs would need, at a price, to install "black boxes" on their networks that use a relatively new technology called deep packet inspection (DPI) that reconstructs the web pages you are viewing. A regime like this is surveillance – wiretapping – of the whole population by default without any court's having considered whether it is appropriate in a particular case.
The data to be intercepted and stored would include websites visited, the names of email and instant messaging correspondents, lists of social networking "friends", and the time, size, and length of Internet phone calls. While the content of messages is not supposed to be included, the 2009 LSE report (PDF) on the last set of proposals notes that separating communications data and content is no longer straightforward. We will have to trust that the systems for picking out communications data (the names of correspondents, dates, and times) from systems like Hotmail or Facebook, will ignore the rest of the content.
The price of deploying these systems will run into billions and the technical feasibility of operating at scale is uncertain. The official Home Office estimate is £1.8bn. An independent LSE study called off-the-record briefings of £12 billion "quite realistic". Either amount would be a substantial expense with uncertain benefits at this time of recession and austerity.
Lacking implementation details, the technical burden on CSPs is unclear, as is how distant companies offering services to UK consumers would be forced to comply. However, the increasing use of encryption will mean that much of the intercepted data is unreadable. In addition, the black box software will have to be updated frequently as commonly used sites like Facebook or Gmail are tweaked and redesigned.
The draft Bill was scrutinised by a Joint Committee of MPs and peers. Open Rights Group executive director Jim Killock gave evidence at two of the oral evidence sessions, and ORG also answered the call for written evidence. The final report was highly critical of the Bill as presented. The Prime Minister has announced that the recommendations of the the committee will be examined, and that the Bill will be rewritten. The next step for the proposed legislation is back in the hands of the Home Office.
Experience shows that surveillance technologies are subject to function creep. Once the system is in place, even if the original purpose is limited to the most serious crimes, demand to extend access to those investigating minor offences will grow. Data collection continues to expand: first came legal access to data collected in the ordinary course of business, then a requirement to retain that data, now the government is seeking access to third-party data. For these reasons, the Open Rights Group contends that under any reasonable understanding of human rights, interception and surveillance should be targeted at those suspected of crimes, not at the general population.
What you can do:
- Download our short briefing (PDF), or see our response to the Joint Committee call for evidence for more detail
- Read the transcripts of the oral evidence and the written submissions at the Joint Committee's website
- Join ORG and help us continue to campaign and lobby against this and other damaging internet laws