Wraps come off UK super-snooper draft plans

Legislation relating to communications data will be yanked out of the existing Regulation of Investigatory Powers Act (RIPA) and brought under a new regulatory framework if the Home Office's plans to step up the monitoring of internet traffic passes through Parliament.

Home Secretary Theresa May unveiled her proposals for the UK's rehashed internet super-snoop law today, which immediately led to the Home Office's website collapsing.

At time of writing, the draft 117-page Communications Data Bill was unavailable online.

The Home Office proposed that the bill, which will now be scrutinised by a joint committee of MPs and peers as well as by the Intelligence and Security Committee (ISC), would "replace the dozens of currently available powers with a single piece of legislation".

The ISC said: "We will take evidence and examine the rationale behind the proposals and how rigorous the safeguards are to ensure the privacy of individuals.”

On RIPA, the Home Office said in its draft bill:

Law enforcement agencies – the police, the Serious and Organised Crime Agency and Her Majesty’s Revenue and Customs – account for the overwhelming majority of annual requests for access to communications data under the Regulation of Investigatory Powers Act ('RIPA') 2000.

They have access to the full range of communications data. Other authorities with investigative or public protection responsibilities are able to access communications data, but most do not have access to more sensitive forms of communications data, for example data regarding the location of a mobile phone.

Local authorities account for less than 0.5 per cent of total annual RIPA requests for communications data. Following the implementation of the Protection of Freedoms Act, they will only be able to access this data if approved by a magistrate.

Communications technologies and services are changing fast with more communications taking place on the internet using a wider range of services, including voice over internet, online gaming and instant messaging.

Communications data from these technologies is not as accessible as data from older communications systems like ‘fixed line’ telephones. Although some internet data is already stored by communication service providers, other data is neither generated nor obtained because providers have no business need for it.

This means that the police are finding it increasingly hard to use some types of communications data to investigate crime. To address this growing gap, the proposals set out here will require some communications service providers to obtain and store some communications data which they may have no business reason to collect at present.

Nothing in these proposals will authorise the interception of the content of a communication. Nor will it require the collection of all internet data, which would be neither feasible, necessary nor proportionate. We will extend existing safeguards regarding data retention, access and oversight. And we will remove other statutory powers with weaker safeguards under which communications data can currently be accessed by public authorities.

The proposed regime would replace Part 1 Chapter 2 of the RIPA and Part 11 of the Anti-Terrorism Crime and Security Act 2001. A move that would represent a major rejig of current surveillance law.

As The Register reported earlier, ISPs will be expected to retain communications data by logging every website visit, as well as any access made by its customers to email accounts, Facebook and difficult-to-tap tech like peer-to-peer communications such as Skype for a minimum of 12 months.

But the Home Office will foot the bill, which it estimates will cost at least £1.8bn over the course of 10 years.

It added: "Benefits from this investment are estimated to be £5bn – 6.2bn over the same period."

The £1.8bn figure is only marginally less than the one floated by the previous Labour government - prior to it abandoning its own Internet Modernisation Programme (IMP) in light of protests against such an unloved legislative overhaul.

ISPs will be able to appeal to a technical advisory board under dispute procedures if they complain that such requests for data are "unnecessarily onerous".

Secretary General of UK ISP trade group, ISPA, Nicholas Lansman told El Reg:

ISPA has concerns about the new powers to require network operators to capture and retain third party communications data. These concerns include the scope and proportionality, privacy and data protection implications and the technical feasibility.

Under the proposals, the police, the National Crime Agency, spooks and the taxman would be able to "apply for access" to such data, the Home Office said.

It added:

"Hundreds of public bodies – including local authorities – currently have access to communications data, but will not be covered by the new laws unless Parliament agrees their use is vital to tackling crime and protecting the public."

However, only a tiny number of comms data requests originate from local councils - so such a proposed change is likely to have a minimal impact. May confirmed this morning that 500,000 such requests from all British authorities are made each year. Arguably, that figure will balloon under any Communications Data Act.

The Home Secretary, in a canned statement, said:

Communications data saves lives. It is a vital tool for the police to catch criminals and to protect children.

If we stand by as technology changes we will leave police officers fighting crime with one hand tied behind their backs.

Checking communication records, not content, is a crucial part of day-to-day policing and the fingerprinting of the modern age – we are determined to ensure its continued availability in cracking down on crime.

The Information Commissioner's Office (ICO) "will keep under review the security and integrity of the communications data retained," the Home Office said.

The ICO noted such a move would be a burden placed upon its already swamped staff. It said:

If the Information Commissioner is to be in a position to ensure compliance with the Data Protection Act, in respect of security of retained personal information and its destruction after 12 months, the ICO will need appropriately enhanced powers and the necessary additional resources.

Clauses were added to the draft bill and confirmed in the Queen's Speech, following opposition to May's proposals from junior Coalition members, the LibDems. They include measures such as consultation requirements, data security and integrity, destruction of data and other safeguards.

LibDem MP Julian Huppert, who led his party's charge against May's initial plans, welcomed the opportunity to debate the draft bill out in the open, but he remains worried about certain aspects of the proposals.

"My immediate concern is Clause 1. As written, it gives the Secretary of State far too broad a power. It allows data collection exercises that are perfectly reasonable – but would also allow pervasive black boxes that would monitor every online information flow, an idea which is clearly unacceptable.

"This must be tightened up urgently. The accompanying text is much better – but I don’t think we should pass broad laws on a promise from government that they will never abuse them.

"This absolutely must be changed: it is unacceptable as it currently stands."

A copy of the draft bill isn't currently available via the Home Office website, which we're informed suffered some technical difficulties. Readers can get their mitts on it here [PDF]. ®