Wednesday, 3 December 2014

Another round of data retention

[Updated 4 December 2014]

Four months after DRIPA and 18 months after putting down a marker in the May 2013 Queen’s Speech, the UK government has embarked on a new round of legislation for mandatory retention of communications data. This time it is under the banner of IP address matching.

The Counter-Terrorism and Security Bill had its Second Reading yesterday and is expected to go into Committee on 9 December. Clause 17 will extend DRIPA to new categories of communications data.

DRIPA’s existing data retention obligations, rushed through Parliament in four days in July, are of course controversial. They are the subject of a threatened legal challenge by David Davis MP and Tom Watson MP. The proposal to add IP address matching dates back to a recommendation of the Joint Committee on the draft Communications Data Bill in December 2012.

What new categories of communications data would have to be retained?

Clause 17, like so much UK legislation in this field, is difficult to understand. The Explanatory Notes and the Impact Assessments are more detailed, but still confusing. (The Home Office has subsequently issued a Factsheet.) MPs suggested in the Second Reading that the drafting of Clause 17 needs to be examined critically.  They are right.

The overall aim seems to be to mandate retention of data that can link a given communication made via a simultaneously shared public IP address to one of many devices or connections that may have been using that IP address at a given time.  Clause 17 labels this “relevant internet data”. We might call it linking data.

This appears to break down roughly as follows (the first two of these are illustrated in the useful diagram in the Home Office Factsheet).
  • Some ISP and mobile operator systems don’t allocate one public IP address to one customer device or connection, but have many customers sharing an IP address simultaneously. They could be required to retain linking data such as port numbers.
  • Even if an ISP retains IP address and (say) port number records, it cannot be sure of identifying a single device or connection unless law enforcement can provide it with both a port number and an IP address to look up. So a cloud storage or web e-mail provider accessed by the user could also be required to retain logs of linking data visible to it, such as port numbers.
  • Operators such as public Wi-Fi hotspots could be required to log MAC addresses.
Weblog data (records of websites accessed by customers) would be excluded from mandatory retention by internet access providers such as ISPs and mobile operators.
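The linking-data problem described above can be made concrete. The following is an added illustration, not code from the post or from the Home Office: it models an ISP’s retained CGNAT translation records and a content provider’s log, with constructed sample data and hypothetical names (`line-A` etc.), and shows that a shared public IP address alone resolves to several customer connections, that the port number narrows it to one, and that misreading the provider’s timestamp by an hour (the kind of time-zone confusion behind the 2008 error discussed in the later post on this page) resolves to the wrong connection entirely.

```python
"""Resolving a communication through a shared public IP address.

Constructed example data throughout; subscriber lines, addresses and times
are hypothetical. A resolved 'line' identifies a customer connection, not
the person who was using it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
CET = timezone(timedelta(hours=1))   # a provider logging in continental wall-clock time


@dataclass(frozen=True)
class NatMapping:
    """One CGNAT translation record an ISP might retain: which subscriber line
    held which public (IP, port) pair during which interval."""
    subscriber_line: str
    public_ip: str
    public_port: int
    start: datetime
    end: datetime


def at_utc(hour: int, minute: int) -> datetime:
    """Helper for building timezone-aware UTC timestamps on one constructed day."""
    return datetime(2014, 12, 3, hour, minute, tzinfo=UTC)


# Constructed ISP retention records: three lines share 203.0.113.7 at 10:00 UTC,
# and port 40002 is re-allocated to a fourth line an hour later.
SHARED_IP = "203.0.113.7"
ISP_NAT_LOG = [
    NatMapping("line-A", SHARED_IP, 40001, at_utc(10, 0), at_utc(10, 5)),
    NatMapping("line-B", SHARED_IP, 40002, at_utc(10, 0), at_utc(10, 5)),
    NatMapping("line-C", SHARED_IP, 40003, at_utc(10, 1), at_utc(10, 4)),
    NatMapping("line-D", SHARED_IP, 40002, at_utc(11, 0), at_utc(11, 5)),
]


def resolve(nat_log, public_ip: str, when: datetime, public_port: Optional[int] = None) -> set:
    """Return every subscriber line that could have used `public_ip` at `when`.

    Without a port the answer is all lines sharing the address at that moment;
    with the port it is at most one line (for a correctly recorded time).
    """
    candidates = set()
    for m in nat_log:
        if m.public_ip != public_ip or not (m.start <= when < m.end):
            continue
        if public_port is None or m.public_port == public_port:
            candidates.add(m.subscriber_line)
    return candidates


@dataclass(frozen=True)
class ProviderLogEntry:
    """What an e-mail or cloud storage provider sees at its end of the connection.
    source_port is None if the provider does not retain the port."""
    timestamp: datetime
    source_ip: str
    source_port: Optional[int]


def parse_provider_time(text: str, assumed_tz: timezone) -> datetime:
    """Interpret a provider's zone-less timestamp in the zone the analyst assumes.
    A wrong assumption silently shifts the lookup to a different interval."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=assumed_tz)


def attribute(entry: ProviderLogEntry, nat_log) -> set:
    """Match a provider-side record against the ISP's retained linking data."""
    return resolve(nat_log, entry.source_ip, entry.timestamp, entry.source_port)


if __name__ == "__main__":
    # Provider kept only the IP: three candidate connections.
    print(attribute(ProviderLogEntry(at_utc(10, 2), SHARED_IP, None), ISP_NAT_LOG))
    # Provider also kept the port, and its CET timestamp is read correctly: one line.
    t_ok = parse_provider_time("2014-12-03 11:02:00", CET)
    print(attribute(ProviderLogEntry(t_ok, SHARED_IP, 40002), ISP_NAT_LOG))
    # Same record with the timestamp wrongly assumed to be UTC: a different, innocent line.
    t_bad = parse_provider_time("2014-12-03 11:02:00", UTC)
    print(attribute(ProviderLogEntry(t_bad, SHARED_IP, 40002), ISP_NAT_LOG))
```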

The Overarching Impact Assessment provides this summary:

“IP Resolution: Allow for a power to require communications service providers to retain the data necessary to attribute an IP address to an individual.”

Taken literally, that is a power to require the impossible. We don’t have IP addresses tattooed on our foreheads. Even if we did that would not identify us, as opposed to someone else, as the user of the device at any given time. An IP address at best identifies a device or a connection. The ISP may then be able to link that with the identity of its subscriber customer, but no more. The subscriber may or may not be the user. The Factsheet diagram, unfortunately, perpetuates the myth that an IP address identifies a user.

DRIPA in fact already covers retention of subscriber data for IP addresses (both where the IP address is static and where it is dynamically allocated in sequence to different customer devices and connections). What it doesn’t cover is the single public IP address simultaneously shared among many of an ISP’s customers.

The Bill is meant to be only about IP address matching. So it is not immediately obvious why the Impact Assessments say that the Bill will expand DRIPA to cover a wider range of internet services. On the other hand Clause 17 does not seem to do this, since it only amends the categories of data to be retained. DRIPA has already adopted an extremely broad underlying definition of telecommunication services.

The new obligations would be subject to the same 31 December 2016 sunset clause as DRIPA. As with DRIPA itself, mandatory retention will apply only to data generated or processed in the UK by public providers in the process of providing the telecommunications services concerned; and then only to those on whom the government serves a notice. The Impact Assessment says that the service providers most likely to be affected by the Bill have been consulted.

That is my current stab at what Clause 17 is trying to do.  However it is a puzzling piece of drafting. Here are some questions worth considering.

What is ‘relevant internet data’?
Clause 17(3)(b) defines this as communications data relating to an internet access service or an internet communications service which:

“may be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication (whether or not a person)”.

This is the most curious part of Clause 17. The problem is surely not identifying which IP address ‘belongs’ to a given sender or recipient of the communication, but identifying which device or connection (of many) was used to make a given communication via a given shared public IP address. Is it drafted the wrong way round?

What is an ‘identifier’?
The Clause says that “identifier” means “an identifier used to facilitate the transmission of a communication”.  More helpfully, Clause 17(3)(b) tells us that an IP address is an identifier. The Explanatory Notes seem to conflate linking data and the shared identifier that we are trying to tie to a device or connection:

“…  An IP address can often be shared by hundreds of people at once – in order to resolve an IP address to an individual other data ("other identifier" in this clause) would be required.”

Whatever the ‘other data’ may be, surely it is not the ‘other identifier’ in Clause 17(3)(b)?

What else might be covered by ‘identifier’? A MAC address, although it operates at a lower (physical) layer than an IP address, would seem to qualify. But Clause 17 is not avowedly about retention of new categories of identifiers, only retention of data capable of linking shared identifiers (such as IP addresses) to an individual device or connection. If a MAC address is itself an identifier, does that prevent it being linking data? The Explanatory Notes suggest that a MAC address could also be linking data:

“Data necessary for the resolution of IP addresses could include port numbers or MAC (media access control) addresses.”

Are there circumstances in which a MAC address could be used to identify the particular device that sent a communication via a shared IP address? Public Wi-Fi hotspots seem a likely candidate. However a MAC address would presumably be less useful than a port number, assuming that the MAC address is not visible from outside the hotspot and so could not be logged at the other end of the communication.

What are an internet access service and an internet communications service? 
These are the foundation stones of Clause 17. Communications data cannot be required to be retained unless it relates to an internet access service or an internet communications service. These terms are also critical to the scope of the weblog data exclusion. Many will be surprised, therefore, to find that neither term is defined.

What do the terms mean? The glib answer is ‘whatever they meant in the EU Data Retention Directive’. That is their origin. They were used (but not defined) in the Directive.

The 2009 Data Retention Regulations, which implemented the Directive, followed its terminology. When the Directive was invalidated DRIPA re-enacted the datatypes that were in the Schedule to the 2009 Regulations. So the 2014 Data Retention Regulations that were made under DRIPA again used the two terms, notably in the definition of ‘User ID’: “a unique identifier allocated to persons when they subscribe to, or register with, an internet access service or internet communications service.” Perhaps unsurprisingly given the government’s commitment to re-enact the 2009 datatypes identically, the 2014 Regulations again left the terms undefined.

That is a plausible historical reason why the terms have been left undefined in Clause 17. But even though there is a breadcrumb trail back to the Directive, the lack of definitions in the Directive means that uncertainty remains particularly over ‘internet communications service’. Does it relate to any type of communication, or is it more limited, for instance to e-mail, messaging or telephony providers? The diagram in the Factsheet uses the example of an e-mail provider. However the Impact Assessment suggests that the government believes it has a broad meaning, covering for instance cloud storage services:

“For example w[h]ere a user uploads an illicit file to a cloud server that server provider, if subject to a data retention notice, would be required to retain sufficient information to enable the internet access provider to identify the user.”

We look forward to illumination of these and no doubt other points as the Bill proceeds. Meanwhile, the bigger question of whether any of this is compatible with the European Convention on Human Rights and the EU Charter of Fundamental Rights remains to be fought out. 

[Updated 4 December 2014 with references to the Home Office Factsheet and minor clarifications and edits.]

Saturday, 15 November 2014

Of straws and haystacks

Much post-Snowden attention has been directed to GCHQ’s TEMPORA programme, authorised (so it is thought) by a rolling series of external interception warrants under section 8(4) of RIPA. (See foot of this post for an explanation of Section 8(4) warrants and the restrictions, particularly for communications of persons within the British Isles, on their use.)

TEMPORA captures communications in bulk from transatlantic fibre optic cables, then filters them by computer leaving a residue of sifted material that GCHQ and NSA analysts can examine. It is said to process 40 billion items a day.

The often repeated justification for bulk collection and sifting is that we have no method of identifying and separating individual communications at the point of collection, so we must gather the straws and sift the resulting haystack. The usual metaphor is looking for needles, implying objective distinctions. It may be better to think of looking for straws.

What kind of straws can be looked for? The haystack can, within the restrictions laid down by RIPA, be sifted to detect the straws of pre-existing persons of interest. However Section 8(4) warrants go beyond that.  The captured material can also be searched and analysed to form new suspicions.   Home Office official Charles Farr said of RIPA in his witness statement in the current Investigatory Powers Tribunal proceedings:
“Other information that is obtained via interception is used to identify other previously unknown communications of existing targets, and to identify new targets for investigation. Indeed, a significant proportion of initial intelligence leads derive from interception operations.” (emphasis added)
We do not know what proportion of initial leads are false positives, casting suspicion on blameless people. We do not know how many true positives the system misses. Moreover suspicion is a highly subjective matter.

History suggests that general collection and subject matter analysis was an established approach to external communications long before today’s separation problems arose.

The ancestor of RIPA Section 8(4) was Section 4 of the Official Secrets Act 1920, legislated in the immediate aftermath of the First World War following the lapsing of wartime powers.  It empowered the Secretary of State to issue a warrant requiring a telegraph operator to hand over telegrams entering or leaving the country:
“Where it appears to a Secretary of State that such a course is expedient in the public interest, he may, by warrant under his hand, require any person who owns or controls any telegraphic cable or wire, or any apparatus for wireless telegraphy, used for the sending or receipt of telegrams to or from any place out of the United Kingdom, to produce to him, or to any person named in the warrant, the originals and transcripts, either of all telegrams, or of telegrams of any specified class or description, or of telegrams sent from or addressed to any specified person or place, sent or received to or from any place out of the United Kingdom by means of any such cable, wire, or apparatus, and all other papers relating to any such telegram as aforesaid.”
The Attorney General Sir Gordon Hewart introduced the provision in Parliament as a measure for detecting foreign spies:
“The postal and cable censorship which we had during the War, and which was of the greatest possible value and importance, was removed shortly after the Armistice. That being so, it is necessary that there should be power at least to compel the production of the originals and the transcripts of certain telegrams. It is not a power to stop telegrams. It is merely a power to compel the production of the originals and transcripts sent to, or received from, any place out of the United Kingdom; and the main purpose of that provision is to enable the authorities to detect and deal with attempts at spying by foreign agents.”
Earl Winterton invoked a familiar mix of foreign threats and ‘nothing to hide, nothing to fear’:   
“Everyone knows we do not live in ordinary times. Everyone knows there are plots and conspiracies against this Realm which are being carried out in foreign countries and some parts of the British Empire, and that, however one may dislike the idea of imposing additional restrictions on the subject, it is necessary for the Government to have that power. I suggest there is nothing to interfere with a person going about his legitimate business. The right hon. Gentleman, for example, made great play with Clause 4 of the Bill. … Surely he does not suggest that in the critical time in which we are living to-day a Secretary of State should not have power, if it seem desirable in the opinion of the Government that he should exercise that power, to find out what is being cabled to and from this country. Of course, it is a most necessary power, which every government ought to have.”
John Thorpe MP put the State firmly ahead of the individual:
“… In my view the State is in great danger, and no power which would tend to protect it should be withheld from the Government. We heard something from the same right hon. Gentleman of the liberty of the subject. In my view, the subject has no liberty when it is in conflict with the good-being of the State. When the liberty of the individual conflicts in any way with the well-being of the State, then it becomes license.  
… The law-abiding citizen, the man who says that his country is his first consideration, need have nothing to fear whatever from the Clauses of this Bill. … The only man who has anything to fear is the man who puts self before country, the man who says, "I want liberty, and the State can look after itself." He is a danger, and I congratulate the Government on the efficient manner in which they propose to deal with him.”
The legislation duly passed. For nearly 50 years Section 4 did its work in obscurity. The 1957 Birkett Inquiry into interception of communications did not mention it. (The Birkett Committee’s terms of reference were limited to the executive power to intercept, which was different and separate from the statutory power to issue warrants under Section 4.)

Things changed in February 1967.  Section 4 came to public notice when journalist Chapman Pincher revealed in the Daily Express that cablegrams sent out of Britain were being collected from the Post Office and private cable companies for scrutiny. This incident is most famous for sparking the ensuing D-Notice row. But the substance of Pincher’s ‘Cable Vetting Sensation’ story is of interest here. He revealed that:
“There is no hold-up or censorship of the cables. But on the morning after they have been sent or received they are collected and sifted by a Post Office department concerned with security. Then any cables believed to be of special interest are passed to the Security Services. 
They are studied there, copied if necessary, and returned to the Post Office and cable offices after being held for 48 hours. 
Most of the original cables and telegrams go out through the Post Office, which owns the former Cable and Wireless Company. Cables passed through private companies—mainly branches of foreign concerns operating in Britain—are collected in vans or cars each morning and taken to the Post Office security department. 
The probe is conducted under a special warrant, signed by a Secretary of State under Section 4 of the Official Secrets Act and regularly renewed to keep it valid.”
A week later Alan Watkins in the Spectator wrote:
“Indeed, sources confirm that a Ministry of Works van regularly takes cables—it is not clear whether they form a random sample, or come from a particular sender or class of senders—along to the Ministry of Defence for examination. The authority for such action is section 4(1) of the Official Secrets Act, 1920.”
The Radcliffe Report on the D-Notice affair confirmed the substantial accuracy of Pincher’s story:
“It does involve a regular collection of copies of messages transmitted by the Post Office and other cable offices with a view to the total collected being sorted and certain defined categories of them being set aside for inspection by the intelligence agents of Her Majesty’s Government. … 
The practice is authorised in law by section 4 of the Official Secrets Act, 1920 … . According to the information given to us, this power has been regularly exercised against transmitting companies since the coming into operation of the Act. … 
In fact only a small percentage of the total telegrams handled is put aside [by the sorters for inspection]. … The Daily Express article was … not inaccurate in any sense that could expose it to hostile criticism on that score.”
The Government White Paper published simultaneously with the Radcliffe Report said it would be contrary to the public interest to say in what detailed respects the article was misleading. It also said:
“It was precisely because national security was threatened that, from the outset, the Government regarded the publication of certain information in the Daily Express of 21 February as a matter of the utmost gravity. … It is the duty of the government, in the light of all the advice they have received and the information they possess, to record that the effect on national security of that publication has been to cause damage, potentially grave, the consequences of which cannot even now be fully assessed.”
The White Paper complained that the article created:
“the sensational impression that the Government were responsible for introducing new and sinister procedures.  There were, and are, no such new and sinister procedures. The activities involve no element of prying into the private affairs of the citizen. Such activities are, in fact, carefully controlled and confined and the article was misleading when it inferred the Government might use them improperly.”
Although the government denied (supported by the Report) that any new practice had recently been introduced, the possibility that routine vetting was a long established practice was left open.

Several themes from this episode resonate today:
  • Bulk collection, sifting and examination
  • Periodically renewed warrants
  • Revelations about the extent of use of powers, answered by denials that the powers are abused
  • Assertions, to be taken on trust, that publicity has caused damage to national security
  • Intrusion into privacy rebutted on the basis of close control over the intrusion
  • Bulk collection defended on the basis that only a small percentage of the items collected is inspected

Like the 1957 Birkett Report, the Home Office and Diplock Interception Reports of 1980 and 1981 made no mention of the Section 4 powers.  The reports were limited to statistical information about non-statutory warrants.  

The reports recognised the invasion of privacy involved in interception warrants. Lord Diplock said:
“The exercise by the State of any power to read or listen to communications taking place between private citizens involves an invasion of their privacy which has always been looked upon by the public with suspicion and distaste.”
The 1920 powers lasted until 1985, when they were replaced by the Interception of Communications Act (IOCA). The preceding White Paper had promised that the legislation would include provisions “along the lines currently covered by the Official Secrets Act 1920.” Whilst IOCA folded interception of external communications into the new statutory system for issuing warrants, the warrantry power for external communications continued to be broader than for internal communications.

So what is now the Section 8(4) warrant trod its own quiet path from 1920 to 1985, exposed to public scrutiny only once as a result of the Chapman Pincher cable vetting story – to which the Government of the day reacted almost identically to the way the government of today has reacted to Edward Snowden’s TEMPORA disclosures.

A vanload of cables is on a smaller scale than 40 billion items of data per day, but the principle and method are the same: general capture, selection, examination. Long before any technical argument that targeted interception is impossible, the 1920 legislation enabled the government to engage in suspicionless bulk capture followed by subject-matter analysis of external communications.

In Chapman Pincher’s day collected telegrams and cables were evidently sorted manually. Human beings looked at them all and decided which were worthy of further examination. Now the initial capture, sift and discard is computerised.  The government argues that capture involves only a technical interference with privacy compared with a human being examining intercept material:
"The Respondents accept that the interception of a communication under a s. 8(4) warrant may be regarded as giving rise to a technical interference with the Art. 8 rights of the parties to the communication even if that communication is not and/or cannot be read, looked at or listened to by any person." (Open Response, IPT proceedings)
Going back further than 1920, in 1765 Lord Camden, the judge in Entick v Carrington, held that general search warrants had no legal basis. It is perhaps idle to speculate how he might have reacted had Lord Halifax (the then Secretary of State) said:
“Fear not, Mr Entick.  True we have ransacked your home, broken the locks on your desks and cupboards and seized your papers and correspondence.  But, since we have not yet examined any of them, that is a merely technical breach of privacy.  We have strict safeguards in place to ensure that we will only look for material about that renegade Wilkes who is outside the British Isles, skulking in Paris.”

Footnote: How does a Section 8(4) warrant work?

The Foreign Secretary can issue a RIPA warrant for purposes of national security; for preventing or detecting serious crime; for safeguarding the economic well-being of the United Kingdom (if related to national security); or, in relation to serious crime, mutual legal assistance treaties with other countries. He must believe the warranted interception and disclosure to be proportionate to what it seeks to achieve; and must take into account whether the information he thinks it necessary to obtain could reasonably be obtained by other means.

A Section 8(4) warrant, unlike an ordinary RIPA Section 8(1) warrant, does not have to be targeted at the communications of a particular person or premises. It can authorise general bulk collection at the level of the cable. But while a targeted Section 8(1) warrant can be used to intercept internal communications (those sent and received within the British Isles), the overall purpose of a Section 8(4) warrant must be the collection of external communications (sent or received outside the British Isles). So external communications are those where both ends of the communication, or only one end, are outside the British Isles.

Internal and external communications tend to be inseparably mingled within a single fibre-optic cable. So RIPA allows a S.8(4) warrant to authorise the capture not only of external communications, but any internal communications unavoidably swept up with them.

After capture of the communications come selection and examination. RIPA constrains these in different ways.

Captured communications (whether internal or external) can be examined if they are within a description certified by the Secretary of State in the warrant. That description could be very broad. However they can be selected for examination only in a way permitted by RIPA’s selection rules. These govern the automated filtering down of the captured communications to a database of material and also the queries made by analysts against the database.

The rules restrict the use of selection factors targeting the communications of people known for the time being to be in the British Isles. But despite this there are several gateways via which a communication sent or received by someone in the British Isles and captured under a S8(4) warrant could end up being examined by a GCHQ analyst.

Foreign Secretary Philip Hammond touched on two of the gateways in a clarification of his recent evidence to the Intelligence and Security Committee of Parliament. He posited a communication (say an e-mail) between someone in the British Isles and someone abroad. In general terms it could not be selected where the subject of interest is the person in the British Isles. That would require a further step such as the Secretary of State’s modification of the S.8(4) warrant under the exception in RIPA S.16(3). However the e-mail could be selected for examination if the person outside the British Isles is the subject of interest.

Sunday, 9 November 2014

A Catechism of Privacy

Q. What is the State’s duty?
A. To protect us.

Q. How does the State protect us?
A. Through watchfulness.

Q. Whom does the State watch?
A. All who present a threat.

Q. Who watches the State?
A. We do.

Q. What may we see?
A. That which the State, which is wise, permits.

Q. May the State watch us?
A. We have nothing to hide.

Q. Must we obey the State?
A. The law must be observed.

Q. Does the State obey the law?
A. The State acts as necessary and proportionate in accordance with the law.

Q. Does the law protect privacy?
A. Privacy is not absolute.

Q. Should we fear the State?
A. The servants of the State are conscientious and dedicated.

Q. What does the State require of us? 
A. That we obey the law and act responsibly.

Q. What is our responsibility?
A. To enable the State to perform its duty.

Q. What is the State’s duty?
A. To protect us.

Friday, 10 October 2014

Submissions to the Investigatory Powers Review

David Anderson QC (@terrorwatchdog) is the UK's Independent Reviewer of Terrorism Legislation. He is tasked under the Data Retention and Investigatory Powers Act 2014 (DRIPA) with conducting a review of investigatory powers. This includes interception of communications (e.g. by GCHQ and law enforcement) and powers to compel retention and production of communications data. His Call for Evidence closed on 3 October 2014.  Here are some of the submissions to the Review now being made public.

  • Bingham Centre for the Rule of Law
  • Centre for Democracy and Technology
  • Dr Andrew Defty and Professor Hugh Bochel (University of Lincoln)
  • Equality and Human Rights Commission
  • Global Network Initiative
  • Human Rights Watch
  • Interception of Communications Commissioner
  • The Law Society of England and Wales
  • The Newspaper Society

And although not strictly speaking a submission to the Review, GCHQ Director Sir Iain Lobban's valedictory speech.

More to follow.

Saturday, 6 September 2014

Whose domain space is it anyway?

Governments shouldn’t get in the way of the people who run the internet. Fine sentiments reported by the Guardian from UK Culture Minister Ed Vaizey at the Internet Governance Forum in Istanbul this week. They echo his speech to the ICANN meeting in London in June: "What governments shouldn’t be doing is attempting to manage how the internet is run."

Fine sentiments, but does the UK government live up to them?

Regrettably the UK government has not been immune from the temptation to take powers over internet governance institutions. Sections 19 to 21 of the Digital Economy Act 2010 gave it power to take direct control of the .uk domain by putting a manager into Nominet. The sections have not been brought into force, let alone the powers exercised. But the government hardly needs to once the potential exists.

In the current interstate tug-of-war over global internet governance every State accuses every other State of donning fig leaves to conceal self-interest. Here is an opportunity for the UK government to plant a flag in the high ground, to say ‘We mean what we say. We have backed off, how about you?’

So make the bold move, repeal Sections 19 to 21 and issue the challenge.

Or would the government backpedal? We can hear it now. “Reserve powers, only to be deployed in the last resort in the interests of UK plc, the Secretary of State cannot use them unless there is a serious failure in limited circumstances…” (See here the reasons put forward at the time the powers were legislated.)

That won't wash. If failings are for a national government, not the internet governance community, to sort out then fine sentiments are just so much vapour. Letting go of powers is more than desirable, it is a litmus test.

Sunday, 20 July 2014

The other side of communications data

[Updated 4 October 2014 with an additional mistaken action.]
Now that the dust has settled for the moment on DRIPA (the Data Retention and Investigatory Powers Act 2014) we should perhaps not forget that, even though many will regard it as worth paying, a tangible price attaches to the authorities’ use of communications data for the investigation and prosecution of crime.

This is a human, not a money price.  Mistakes are made with communications data and can have (in the words of the Interception Commissioner’s Report for 2008) catastrophic consequences for members of the public.

Calculated as a percentage of requests for communications data, the proportion of errors is arithmetically small – in the region of .2%, or 1 in 500.  But when the police arrive at an innocent front door to execute a warrant, that is not an arithmetical event. Since 2008 that, or something equally serious such as the arrest of an innocent person or a wrong accusation, has happened eleven times. [Now 12 times. See IOCCO Circular 1 September 2014.]

The errors are set out in the Interception Commissioner’s Annual Reports.  These are the statistics since formal oversight of communications data requests began in 2005, covering requests by all public authorities. 
[Table: communications data requests and errors by year; the figures did not survive extraction and are not reproduced here. Columns: Total communications data requests; Arrests, accusations, warrants executed. Row labels include 2005-6 (15 months) and 2006 (9 months). Notes to the table: from Oct 2007 only privacy-intrusive errors are included in statistics; the Report separates 640 overall errors and a further 1061 arising from two technical faults in an intelligence agency's systems, treated in the Report as one error.]

The first reported catastrophic incident was in 2008.  That was the result of confusion over interpretation of international time zone information relating to an IP address. The then Interception Commissioner Sir Paul Kennedy reported it thus:

“In this particular example the police took swift action when information from a reliable source suggested that a number of very young children were at immediate risk of falling into the hands of a paedophile ring. Subscriber information relating to an Internet Protocol (IP) Address was obtained in order to locate an address for the children but unfortunately it would appear this was not correct. The police entered the address and arrested a person who was completely innocent and further enquiries are continuing. This was a very unfortunate error and the whole process of obtaining data relating to IP addresses has been re-examined.”
No incidents of this nature were reported for 2009 and 2010, but in 2011 two occurred.  Sir Paul Kennedy again:

“Unfortunately in two separate cases where a CSP disclosed the incorrect data, the mistakes were not realised and action was taken by the police forces on the data received. Regrettably, these errors had very significant consequences for two members of the public who were wrongly detained / accused of crimes as a result of the errors. I cannot say more about these two instances at this time as investigations are ongoing. … I am pleased to say that this CSP has since put in place some very sensible measures which will hopefully prevent recurrence of similar errors in future. Fortunately errors with such severe consequences are rare.”
The next year, 2012, saw a rise in the number of errors that had severe consequences.

“Regretfully in six separate cases this year, the mistake was not realised and action was taken by the police forces / law enforcement agencies on the data received. In four of the cases the mistake was made by the public authority (either the applicant or SPoC acquiring data on either the incorrect communications address or time period) and in the remaining two the mistake was made by the CSP (disclosing data on the incorrect communications address). All of these cases were requests for internet data (Internet Protocol or node name resolutions). Regrettably, five of these errors had very significant consequences for six members of the public who were wrongly detained/accused of crimes as a result of the errors. The remaining one error also caused an intrusion into the privacy of an individual, as an address was mistakenly visited by police looking for a child who had threatened to commit self harm.”
2013 saw two such incidents, described in the first Report of the current Interception Commissioner Sir Anthony May:

“I have to report that 7 errors with very serious consequences have occurred this year. Regrettably these errors resulted in police action relating to wrongly identified individuals. In 5 of these cases the mistakes caused a delay in the police checking on young persons who were intimating suicide or on an address where it was believed that someone had been the victim of a serious crime. Fortunately the police were able to identify quickly in these instances that the persons visited were not connected with their investigation. In the remaining instances warrants were executed at the homes of innocent account holders and this is extremely regrettable. [The report does not state how many such homes or people were involved. We have assumed two.]
4.52 All but one of these errors occurred in relation to requests for Internet Protocol (IP) data to identify the account that was accessing the internet at a particular date and time. There were 3 specific causes for the errors: data applied for over the wrong date or time, the incorrect time zone conversion or a transposition error in the IP address.”
In all, since 2008 accountholders have mistakenly been the subject of arrests, accusations or search warrants on 11 occasions. This does not include the five 2013 cases in which people were visited by the police, since the Interception Commissioner’s Report does not state that anyone was wrongly accused.
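As an added illustration (not from the original post or from any of the Commissioner's Reports), the following Python sketch shows how two of the causes just quoted, a time zone conversion mistake and a lookup too close to an address handover, turn one IP address into the wrong account holder, and how a resolver can refuse such inputs rather than guess. The allocation log, account numbers and the fixed BST offset are constructed for the example.

```python
"""Constructed example: resolving an IP address plus a timestamp to a
subscriber account from an ISP allocation log, refusing the inputs behind
the error classes in the Commissioner's reports (no stated time zone,
time too close to a handover, malformed address). Log, accounts and the
fixed BST offset are invented for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress
from typing import List

UTC = timezone.utc
# Assumed fixed summer-time offset; a real resolver would use zoneinfo.
BST = timezone(timedelta(hours=1), "BST")
# Lookups this close to a handover are reported as ambiguous, not guessed.
HANDOVER_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Lease:
    ip: ipaddress.IPv4Address
    start: datetime  # tz-aware UTC; address held from start (inclusive)
    end: datetime    # to end (exclusive)
    account: str


def _utc(year, month, day, hour, minute=0):
    return datetime(year, month, day, hour, minute, tzinfo=UTC)


# Constructed allocation log: one dynamic address passed between three
# accounts over a night; the CSP's log keeps UTC.
ADDR = ipaddress.IPv4Address("203.0.113.7")
LEASES: List[Lease] = [
    Lease(ADDR, _utc(2014, 7, 12, 0), _utc(2014, 7, 12, 1), "ACCT-1001"),
    Lease(ADDR, _utc(2014, 7, 12, 1), _utc(2014, 7, 12, 2), "ACCT-2002"),
    Lease(ADDR, _utc(2014, 7, 12, 2), _utc(2014, 7, 12, 3), "ACCT-3003"),
]


class ResolutionError(ValueError):
    """Raised when a lookup cannot be answered unambiguously."""


def resolve(leases, ip_text, when, tolerance=timedelta(0)):
    """Return the single account that held ip_text at instant `when`.

    `when` must carry an explicit time zone: a naive clock reading is the
    root of the time-zone conversion errors and is rejected outright.
    `tolerance` widens the instant to a window; if that window straddles
    a handover the lookup is refused rather than guessed.
    """
    if when.tzinfo is None or when.utcoffset() is None:
        raise ResolutionError("timestamp carries no time zone; state UTC or the local offset")
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError as exc:
        raise ResolutionError(f"malformed IP address {ip_text!r}") from exc
    instant = when.astimezone(UTC)
    lo, hi = instant - tolerance, instant + tolerance
    # A lease overlaps the window if it starts no later than the window
    # ends and ends after the window starts.
    hits = sorted({lease.account for lease in leases
                   if lease.ip == ip and lease.start <= hi and lease.end > lo})
    if not hits:
        raise ResolutionError(f"no allocation of {ip} around {instant.isoformat()}")
    if len(hits) > 1:
        raise ResolutionError(
            f"{ip} changed hands within {tolerance} of {instant.isoformat()}: {hits}")
    return hits[0]


def safe_resolve(leases, ip_text, when, tolerance=timedelta(0)):
    """resolve() for callers wanting an outcome string instead of an exception."""
    try:
        return "OK:" + resolve(leases, ip_text, when, tolerance)
    except ResolutionError as exc:
        return "REFUSED:" + str(exc)


def demo():
    """An analyst reads 01:30 off a BST clock. Converted properly that is
    00:30 UTC (ACCT-1001); taken as UTC without conversion it points at
    the next account holder (ACCT-2002), the error the reports describe."""
    seen = datetime(2014, 7, 12, 1, 30, tzinfo=BST)
    right = resolve(LEASES, "203.0.113.7", seen)
    wrong = resolve(LEASES, "203.0.113.7", seen.replace(tzinfo=UTC))
    return right, wrong
```

Calling demo() returns ("ACCT-1001", "ACCT-2002"): the same clock reading, two different front doors.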

[The IOCCO Circular of 1 September 2014 to Senior Responsible Officers reports a further instance:
"Regrettably one of these errors led to executive action being taken against a member of the public who had no connection to the investigation being undertaken."]
A point of subsidiary interest is where the responsibility for errors may lie as between the CSPs producing communications data information and the requesting public authorities. The Interception Commissioner’s statistics split overall errors into those attributable to the CSP and those to the requesting authority. 

This graph is based on the figures in the Annual Reports.


The split for 2010 is as reported by the Interception Commissioner, based on an overall figure of 640 errors and excluding a further 1061 errors treated as one error. If those had been treated as individual errors the split for 2010 would have been 7% CSPs and 93% public authorities.

The 2013 Interception Commissioner's Report states that the overall figures for communications data requests in 2011, 2012 and 2013 exclude urgent oral applications, which in 2013 totalled 42,293. It does not comment on whether the same is true for previous years.

Saturday, 12 July 2014

Dissecting DRIP - the emergency Data Retention and Investigatory Powers Bill

[Update: DRIP became law on Thursday 17 July 2014. The Act is available here. Post-Act analysis here.]

Three months after the EU Court of Justice invalidated the EU Data Retention Directive, the UK government has burst into feverish action with emergency legislation to replace the 2009 Data Retention Regulations.  Those Regulations, made under the European Communities Act, are nominally still in place but highly vulnerable to judicial review following the demise of the Directive.

What does DRIP (the inevitable acronym with which the Data Retention and Investigatory Powers draft Bill has been saddled) do? With so much material appearing at such short notice, considered analysis is difficult.  Here are some first impressions.
DRIP, now with its accompanying provisional draft regulations which appeared on the Home Office website yesterday afternoon, has to square a circle.  Ideally it should make a plausible attempt to address the 15 or so fundamental rights grounds on which the ECJ held that the Data Retention Directive was invalid.  But at the same time DRIP has to deliver on Theresa May’s 10 July statement to the House of Commons that it maintains the status quo until 31 December 2016, when the sunset clause kicks in.

In reality DRIP cannot square the circle. Indeed the newly published Impact Assessment recognises that the legislation does not overcome all the ECJ stumbling blocks, claiming only to address the ECJ judgment “where possible” and “to the extent practicable”.  It also acknowledges the “Risk of being perceived as ignoring the ECJ judgment”.

[Update: The Home Office Human Rights Memorandum published by the Joint Committee on Human Rights on 16 July 2014 says in paragraph 33 (p. 8) that the Bill, together with existing domestic legislation, addresses "the majority of the criticisms of the Directive set out in the ECJ's judgment". The Committee has written to the Home Secretary asking her to provide the Committee with "a further detailed memorandum setting out in full the Government's analysis of precisely how UK law satisfies, or will satisfy, each of the requirements set out in paras 54 to 68 of the CJEU's judgment".]

We can frame two simple questions.
  1. Does DRIP merely maintain the status quo?
  2. If so, how far is maintaining the status quo permissible in the light of the ECJ decision?
First, however, we should recognise that DRIP does far more than replace the 2009 Data Retention Regulations.  It makes substantive changes to the interception warrants, interception capability and communications data access provisions of the Regulation of Investigatory Powers Act (RIPA).  The Home Secretary has justified these amendments on a different basis from the data retention legislation: an urgent need to clarify, in particular, the territorial scope of RIPA's interception and communications data acquisition provisions.
These are the non-data retention aspects of DRIP.
  • Clause 4 addresses the government’s concern that it should be able to apply RIPA to non-UK companies that provide communications services to the UK public.
  • Clause 5 broadens the RIPA definition of telecommunications services. The Explanatory Note says this is so that webmail providers are clearly caught.  The change will also have implications for data retention because of crossover into DRIP.
  • Clause 3 places a further restriction on the general purposes for which interception warrants and communications data acquisition notices can be issued.  This will bring RIPA into line with the existing codes of practice.
Whatever the merits of the non-data retention amendments (more on that below), it is debatable why any of them requires emergency legislation to be fast-tracked through Parliament at such breakneck speed.  They seem to be taking a piggy-back ride on the government’s urgent need for primary legislation in the wake of the ECJ’s data retention decision.

In relation to data retention, does DRIP merely maintain the status quo?
Putting Clauses 3 to 5 aside, let us focus on the claim that for data retention DRIP merely maintains the status quo.  This splits into three questions:
  • Are the same providers as before required to retain data?  
  • Are they required to retain the same data?
  • Are the retention periods the same?
Are the same providers as before required to retain data?
This is difficult to answer, as the government is shifting from one existing set of definitions to another and then amending them for good measure.  Conspiracy theorists will smell a rat. Even the more generous may chalk up another example of the obscurantist law-making for which this field is notorious.

The 2009 Data Retention Regulations were based on EU definitions of publicly available electronic communications services and networks in the EU communications Framework Directive, implemented in the UK by the Communications Act 2003.
DRIP, however, abandons those EU definitions and instead adopts the homegrown RIPA definitions of public telecommunications systems and service.  It then amends the latter, which has been in place for 14 years.

Why, if the intention is to continue the status quo, does DRIP not simply continue to use the definitions in the Communications Act 2003?  The Explanatory Note (para 53) says that this is to "ensure uniform definitions across access and retention regimes".  

It is anyone's guess at this stage whether these changes will cast a wider net than the existing 2009 Regulations.  That would require detailed comparison of the two sets of definitions and a truckload of hypotheticals.  What is quite clear, however, is that they broaden the RIPA definitions.
The existing RIPA definition of telecommunication service is framed in terms of a service consisting in the “provision of access to, and of facilities for making use of, a telecommunications system”: two discrete elements related to the telecommunications system. 
DRIP Clause 5 says that the RIPA definition is now to cover a service that “consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.”

The Explanatory Note (para 71) says that this is in order to ensure that companies who provide internet-based services, such as webmail, are caught.  Although para 18 of the Explanatory Note says that the amendment is “for the purposes of communications data and interception requests”, it also applies to the new mandatory data retention regime under DRIP.  
On the face of it the amendment could apply not just to webmail, but to any remote storage service (bearing in mind that the meaning of “communication” under RIPA is effectively anything capable of being transmitted). The word “facilitating” is a red flag for broad interpretation.  There is obvious potential for this to cover a very broad spectrum of activities.  It is exactly the type of provision that deserves the fullest Parliamentary scrutiny. 

The Home Office is reported in the Sunday Times (13 July 2014, subscription) as saying, in relation to this amendment to RIPA: "The bill clarifies how the current definition should be interpreted, but this cannot change or extend the meaning of the definition in RIPA to capture new services." This is twaddle.  In effect the amendment says "A shall be taken to include B." To the extent that B covers anything not within A, new services are captured.  Even if different views might exist on whether B does in fact cover things not within A, to suggest that the amendment 'cannot' capture new services is nonsense.  
Are they required to retain the same data?
The Explanatory Notes stress that a DRIP notice (i.e. a notice by the Secretary of State to a public telecommunications operator) cannot require retention of data types additional to those specified in the existing legislation. This is achieved by defining 'relevant communications data' by reference to the Schedule to the 2009 Regulations, which sets out the specific types of communications data that a CP could be required to retain.

The definition also carries through the important qualification that such data is caught only so far as it is generated or processed in the UK by public telecommunications operators in the process of supplying the telecommunications services concerned.  In other words, a PTO cannot be required to create data if it does not generate or process it in the course of supplying those services.
Generally, this appears faithfully to replicate the 2009 Regulations.  However the adoption and amendment of the RIPA definitions of telecommunications services and systems (see above) could conceivably affect the scope of data falling within "relevant communications data".

Are the retention periods the same?
The existing 2009 Regulations mandate retention for 12 months. DRIP (subject to an apparent drafting defect) provides for a maximum retention period of 12 months, while enabling shorter periods to be specified for different purposes. 

The defect is that if no regulations were in place specifying a maximum retention period under S1(4)(b), then the Secretary of State could apparently issue a notice under S1(2)(c) requiring retention for longer than 12 months. It is hard to believe that the government intends this to be a possibility.  The provisional draft regulations do specify a maximum period of 12 months.
Is maintaining the status quo for data retention permissible after the ECJ judgment?
The extent to which the government will in the new legislation address the grounds on which the ECJ invalidated the Data Retention Directive was initially unclear, since much is to be implemented through secondary legislation requiring affirmative resolutions of the Commons and the Lords.  DRIP and the now published provisional draft regulations go some way to addressing the ECJ judgment, although it was always difficult to see how any form of general mandatory data retention could comply with some of the more fundamental issues identified in the ECJ judgment. 

There may be room for debate about whether the ECJ intended to lay down that every objection identified in the judgment is a self-standing issue that has to be overcome independently in national legislation; and if so how each one should be overcome.  It does have to be remembered that:
  • The ECJ was assessing the compatibility of EU legislation with the EU Charter of Fundamental Rights and Liberties.
  • The question of whether national legislation also has to comply with the EU Charter was not before the Court (although following the subsequent Pfleger decision of the ECJ it is very likely that national legislation does have to comply with the Charter, for reasons explained by Professor Steve Peers here).
  • National legislatures may have a certain degree of latitude (margin of appreciation) in how they comply with the Charter.
  • The ECJ judgment may in some respects have applied stricter standards under the Charter than the European Court of Human Rights in Strasbourg has done in respect of the Convention.  If so, that could open up the possibility that a Minister might certify DRIP compliance with the European Convention on Human Rights while not complying with all aspects of the ECJ judgment.
In any event the main Impact Assessment now makes tolerably clear that the government has not tried to comply with the full implications of the ECJ judgment. 

With all this in mind, it is instructive to list the ECJ's specific grounds for invalidating the Data Retention Directive and consider how DRIP does and does not address them. [Update: the government has now published a Note making its own comparison.]

Issue [paragraph number in ECJ judgment] / National legislation

  • Applies to all means of electronic communication (use widespread and of growing importance in people’s everyday lives) [56]
  • All subscribers and registered users [56]
  • Interference with fundamental rights of practically the entire European population [56]
  • All persons, all means of electronic communication without any differentiation, limitation or exception [57]
National legislation: The ECJ's comments on generality referred specifically to the data types listed in Article 5 of the Directive.  Those were replicated in the Schedule to the 2009 Regulations.  No change in DRIP, which replicates the 2009 Schedule/Article 5 list.

  • Applies even to persons for whom there is no evidence capable of suggesting a link, even indirect or remote, with serious crime [58]
  • No relationship required between data retained and a threat to public security: not restricted to:
    - data pertaining to a particular time period, a particular geographical zone or a circle of particular persons likely to be involved in serious crime [59]
    - persons whose data for other reasons could contribute to prevention, detection or prosecution of serious offences [59]
National legislation: These objections all go to the very heart of a requirement on communication service providers to retain communications data of all users.  It is difficult to see how DRIP could address these (as a matter of retention, rather than access) without fundamentally altering the nature of the retention to something targeted at specific categories of communications relating to likely suspects and associates.  Not addressed.

Specific rights
  • Applies to persons whose communications are subject to professional secrecy [58]
National legislation: Again, it is difficult to see how this could be addressed (as a matter of retention) without moving to some kind of targeted scheme.  Not addressed [Update: Not addressed as a matter of retention. Intention is that Communications Data Code of Practice will be amended regarding access (See Comms Data Factsheet)].

Access and use
  • No objective criterion to determine limits of access to data and subsequent use for prevention, detection or prosecution of sufficiently serious offences [60]
  • Leaves serious crime definition to national law [60]
  • No substantive and procedural conditions relating to access and subsequent use:
    - left to Member States to define procedures and conditions in accordance with necessity and proportionality [61]
    - in particular, no objective criteria restricting the number of persons authorised to access and subsequently use the data to that strictly necessary [62]
National legislation: Should be capable of being addressed in national legislation.  The government is relying in part on the provisions of RIPA governing access to communications data to satisfy these requirements.  RIPA is not the only legislation that can be used to require access to communications data.  The use of other powers is discouraged in the Communications Data Code of Practice, but not forbidden.  The government addresses this under DRIP S1(6) by limiting access to mandatorily retained data to RIPA authorisations and notices, court orders or other judicial authorisation or warrant, or regulations under DRIP. (See 'Joining DRIP to RIPA', below.)

Independent supervision
  • Above all, access not dependent on prior review by a court or independent administrative body following a reasoned request:
    - no obligation on Member States to establish such limits [62]
National legislation: Capable of being addressed in national legislation.  But this requirement for prior review by a court or independent body is contrary to the scheme of RIPA, whose communications data acquisition notices are not (save for local authorities) subject to any such requirement.  Nothing in DRIP or the provisional draft regulations addresses this objection.  The government may perhaps seek to suggest that the ECJ has set a higher threshold than applies under the European Convention on Human Rights.

Retention period
  • No distinction between categories of data on the basis of:
    - possible usefulness
    - persons concerned [63]
  • No objective criteria limited to strict necessity on which to base determination of retention period [64]
National legislation: Capable of being addressed in national legislation.  The government's intention appears to be to leave this aspect to the terms of individual retention notices issued by the Secretary of State, who is required in general terms to act in a way that he considers to be necessary and proportionate.  DRIP itself and the provisional draft regulations do no more than set an overall maximum 12 months retention period.

Data protection issues
National legislation: Various issues raised by the ECJ concerning matters such as data security and destruction of data are addressed in the provisional draft regulations, which also introduce oversight of these aspects by the Information Commissioner.

Joining DRIP to RIPA
The government is relying on the necessity, proportionality and safeguards provisions of RIPA that govern access to communications data in order to address some of the implications of the ECJ judgment. 

However, RIPA is not the only legislation that can be used to access retained communications data.  Other powers exist which do not enjoy RIPA's safeguards. The use of other non-specific powers is deprecated in the Communications Data Code of Practice (para 1.3), but not forbidden.
The draft Communications Data Bill proposed in 2012 would have prevented such powers being used to acquire communications data.  The draft Explanatory Note to Clause 24 stated:

"123. This clause introduces Schedule 2 to the Bill which contains repeals of certain general information powers so far as they enable public authorities to secure the disclosure by a telecommunications operator of communications data without the consent of the operator. Clause 24 therefore ensures that operators are not required by law to obtain and disclose communications data other than in cases where the relevant statutory framework expressly guarantees the substantive protections of Article 8 and Directive 2002/58/EC (Directive on privacy and electronic communications)."
The powers specifically earmarked for abolition were under the Trade Descriptions Act 1968, the Health and Safety at Work Act 1974, the Criminal Justice Act 1987, the Consumer Protection Act 1987, the Environmental Protection Act 1990, the Social Security Administration Act 1992, the Competition Act 1998, the Financial Services and Markets Act 2000 and the Enterprise Act 2002.

The argument that in assessing compliance with the ECJ judgment DRIP should be read together with RIPA’s safeguards is difficult to maintain if other powers exist that may not have similar safeguards.  DRIP therefore addresses this in S1(6) by limiting access to mandatorily retained data to RIPA authorisations and notices, court orders or other judicial authorisation or warrant, or regulations under DRIP.  Part 3 of the provisional draft regulations also applies this limitation to data retained voluntarily under S.102 ACSA 2001.
DRIP's RIPA provisions

The new provisions in DRIP include Clauses 4 and 5, outlined briefly above. According to the Explanatory Note, these measures are only intended to clarify the intent of the current legislation and therefore were subject to Parliamentary scrutiny when RIPA was enacted in 2000. 
RIPA extra-territoriality
Clause 4 attempts to address the government’s concern that it should be able to apply RIPA interception capability notices, interception warrants and communications data acquisition notices to non-UK companies that provide communications services to the UK public.

18 months ago this issue was addressed in some detail, as regards communications data notices, in the report of the Joint Committee on the draft Communications Data Bill (paras 230 to 243) published in December 2012.

The DRIP clarification has two distinct aspects. One is whether, as a matter of interpretation, the warrantry and communications data acquisition provisions of RIPA can apply to conduct outside the UK. The second is how a RIPA warrant or a notice can be served on an entity outside the UK and the entity made subject to the relevant duty under RIPA.  This is important since no-one is obliged to do anything under these RIPA provisions unless they are served with or given the appropriate warrant or notice.

As to the first aspect, none of the existing RIPA provisions contain any clear territorial limitation on the location of conduct that can be authorised or required under a warrant or communications data notice.  That contrasts with the criminal offence of unauthorised interception which is explicitly confined to conduct within the United Kingdom.
However location of conduct is only part of the issue.  A person located outside the UK may engage in conduct within the UK.  A person located within the UK may engage in conduct outside the UK; and a person located outside the UK may engage in conduct outside the UK.  How these different scenarios map onto the different aspects of RIPA is, and always has been, fearfully difficult to understand.
The Joint Committee said:
"The terms in which RIPA is drafted appear to impose no limits on the telecommunications operators which may be required to disclose communications data, as long as they operate in the United Kingdom i[t] does not matter where they may be based."
As to location of conduct, now DRIP states explicitly that a warrant, a capability maintenance notice and a communications data acquisition notice may each relate to conduct outside the UK.

DRIP then provides that the duties to comply with such warrants and notices apply whether or not the person is within the United Kingdom. In the case of interception warrants knowing failure to comply with the duty can give rise to criminal liability under RIPA S11(7).

DRIP then goes to great lengths to devise ways of serving warrants and notices within the UK on non-UK entities.  For communications data acquisition notices this can even include oral notification.  Whether this elaboration is simply a question of practicality or perhaps reflects a deeper concern that serving government warrants and notices outside the UK might be regarded as executive acts violating the territorial sovereignty of another State is a matter for speculation. 
As for data retention notices, DRIP provides that they can be given to an operator (or description of operators) by giving or publishing it in such manner as the Secretary of State considers appropriate for bringing it to the attention of the operator or description of operators to whom it relates.
Telecommunications services
As explained above, the amended definition of telecommunications services under DRIP Clause 5 applies both to data retention under DRIP and to RIPA. 

[Updated with minor amendments 21.40 12 July 2014, 10.50 13 July 2014; and 12.17 13 July 2014 to take account of Home Office statement on telecommunications services reported in The Sunday Times; 14:42 15 July 2014 regarding professional secrecy. Further updated 23:11 16 July 2014 to take account of Home Office Human Rights Memorandum; and 09:48 22 July 2014 to include the government's point by point Note on compliance with the ECJ judgment and a reference to the enacted legislation.]