Draft Data Communications Bill attracts critisism that it may uncover wrong targets

October 21, 2012 |

The BBC reports in Draft Communications Data Bill: Powers may uncover ‘wrong targets’.  The bill was introduced to Parliament in June 2012.  It is found here.

It provides:

 Civil liberties campaigners describe the proposals as a “snooper’s charter”

Plans to monitor all Britons’ online activity risk uncovering “incompetent criminals and accidental anarchists” rather than serious offenders, the information commissioner has warned.

Ministers want to strengthen the law on internet data retention to help the police tackle security threats.

Christopher Graham said the “really scary people” could simply avoid detection by changing their behaviour.

But another leading watchdog said the proposed new powers were “essential”.

Under the government’s plans, currently being scrutinised by Parliament, service providers will have to store details of internet use in the UK for a year to allow police and intelligence services to access it.

Records will include people’s activity on social network sites, webmail, internet phone calls and online gaming.

Ministers argue law enforcement agencies need to keep pace with the changing technology used by offenders but critics have called the proposals a “snooper’s charter”.

Christopher Graham told a committee of MPs and peers set up to scrutinise the legislation that it may end up only applying to the six largest companies – which control about 94% of the market.

The really scary people will have worked it out for themselves”Christopher Graham Information Commissioner

There was a danger that the most serious criminals, including terrorists, would simply use a smaller provider or an overseas network that permitted encrypted communications and take the view they were “home free”.

“The really scary people will have worked that out for themselves,” he said.

It was up to Parliament to decide on the merits of the proposals, he added, but there were “important data protection principles at stake”, such as the length of time material was retained, the risk of unauthorised access and whether it was fully disposed off at the end of the period.

“There is a judgement to be made between the security community saying ‘we have to have this stuff’ and the civil liberties community which says this is a gross intrusion of privacy and of citizens’ rights.”

The legislation, if approved, should be kept under consistent review to ensure it was working as intended, Mr Graham said.

“It really is for Parliament to keep a watch on these things,” he added. “You can have commissioners to chase up on this and that. But this will not be one to legislate and forget.”

He said there needed to be detailed discussions about how the new compliance regime would work and the information commissioner would need more powers and resources to keep track of all the material stored.

Sir Paul Kennedy, the data interception watchdog, said it was “essential” for the law to be strengthened, although he believed the proposed new powers would be used sparingly.

He told the committee the police and security services could only obtain about 75% of the information they needed to help secure convictions and disrupt potential terrorist activity and this gap was “very dangerous”.

Offenders were far harder to trace than ever before, he added, since they were now communicating through the internet and social media, rather than by phone, and sometimes leaving “no footprint”.

“We are unsighted in one section of the market and we are in a world which is still extremely volatile.

“Against this background, what is now being sought is not about the amount of information in the public domain but it is about requiring service providers to retain certain information – which can only be accessed in a proper way and when it is shown to be necessary and proportionate to access it.”

Sir Paul was asked by Liberal Democrat MP Julian Huppert whether he agreed with recent comments by Chief Constable of Derbyshire Mick Creedon that the powers could be used to corroborate if someone had been sending a text while driving at 80mph.

“I have hesitations about that. I am doubtful about the serious crime frontier if you are in that territory…It\ must depend entirely on the context.”

Twitter opposes the Bill, providing a detailed submission which is found here.

It stated:

We would be interested to understand what consideration was given to issues of proportionality in the drafting of this provision as well as some cross?jurisdictional challenges which may arise,” Twitter’s submission to the Joint Committee said. “For example, it is possible and indeed highly likely that this type of monitoring would result in the collection and retention of data on users who are outside of the United Kingdom. This has the potential to place us in a legally untenable position with respect to privacy, data retention and data protection laws elsewhere in the world.

Following on from the above, we would welcome some clarity on how the provisions of this Bill work in concert with other requirements placed on global companies with respect to user privacy and data retention. These could include EU Data Retention and Data Protection Directives as incorporated into domestic laws in member states, human rights legislation as well as privacy and data retention legal frameworks in the United States, and elsewhere.

While the provisions in the draft bill authorise the Secretary of State to issue orders to compel communications operators to generate and store data, it envisages that this will be done in consultation with communications operators,” Twitter said. “However, there does not appear to be a process for disclosure to or input from the public on this issue. Nor does there appear to be any provision for user notification when requests for their personal data have been made by law enforcement.
If companies like Twitter do not establish ready access to such data or generate data that British authorities believe is necessary, there is authorization in the bill for authorities to compel telecommunications operators to obtain that data.
We may not be privy to such orders. We may not know when requests to obtain our user data are being made to other telecommunications operators.


What is the mechanism for informing overseas companies that its data is being sought or collected? How do we reflect such lack of knowledge in our own Terms of Service with respect to our users, where we typically describe and are held accountable by regulators in the US for the privacy and security features of our service?.



Leave a Reply