Respect our data
Whether you have read the entire copy of the Draft Investigatory Powers Bill or just caught snippets in the news, it doesn’t take much to notice the Government is using a lot of complicated terms to legislate for mass surveillance.
On Monday, the Parliamentary Science and Technology Committee published its report on the Bill – concluding that this new law is confusing, even to tech experts. This confusion comes from the vague parameters in the Bill, which allow the security services to define terms however they like.
The Draft Bill is a once-in-a-generation opportunity to shape our spying laws for the better. But the Government can’t even clearly define the necessary terms. Here we’re looking at the need to respect our data by being clear on exactly what is going to happen to it.
First up, some definitions
An internet service provider, or ISP, is an organisation that provides users with access to the internet – for example, BT, EE or TalkTalk.
Internet connection records, or ICRs, are a log of every website and app you use. That is, you visited liberty-human-rights.org.uk – but not this specific blog – at a certain date and time on a particular device.
Communications data is the ‘who, what, where, when, how’ of our internet activity and telephone calls. So: Who emailed you? Where were they – where were you? When was this? What device did they use?
And what does the Government want to do with these?
The Draft Bill will re-legislate for communications data to be retained in the same way as under the Data Retention and Investigatory Powers Act (DRIPA). That Act was declared unlawful by the High Court in a case brought by MPs David Davis and Tom Watson with Liberty’s support.
The High Court was particularly perturbed by the lax rules on access to the data (under the Regulation of Investigatory Powers Act 2000 (RIPA).) The ruling is under appeal and will be reviewed by the Court of Justice of the European Union in Luxembourg in April.
As well as this, the Government wants to force ISPs to keep a record of ICRs for twelve months so that they can be accessed.
Ok, but why should I care about this?
Well there are two main causes for our concern.
You may feel like you have nothing to hide, but that doesn’t mean the Government should be given access to such personal and sensitive information. As our lives increasingly play out online, communications data allows the State to build up a comprehensive view of each of us. For example, if you regularly visited certain websites such as nhs.uk, ukuncut.org.uk or mariestopes.org.uk, the Government can create a very intimate picture of your life.
Further, there are concerns from tech firms that it may not even be possible to separate data out in this way. The Science and Technology Committee chairman, Conservative MP Nicola Blackwood, has warned that there remain questions about the feasibility of collecting and storing ICRs.
All of this leads to the potential for the security services to define their own terms in secret.
And let’s not forget that on top of these new powers, old powers are being reinstated. The retention and access regimes under DRIPA and RIPA violate our fundamental rights - and we anticipate the Luxembourg court will reach the same conclusion.
The USA and a host of European and Commonwealth countries do not compel service providers to retain their customers’ data for inspection by law enforcement, and continuing down this road will place Britain in the company of authoritarian regimes across the world.
As well as breaching our privacy, the Government’s proposals also make us vulnerable to greater threats to our safety.
The Bill states that the population’s ICRs should be stored and protected by their ISPs – ISPs like TalkTalk. We all heard about the teenager who was arrested for hacking TalkTalk – and storing greater amounts of extremely intimate data for long periods of time would create a honeypot for hackers, organised criminals and foreign nation states.
In fact, the thousands of billions of ICRs to be collected are likely to cause serious problems for law enforcement bodies whose job it is to keep us safe. As mentioned in one of our previous blogs, capturing more data doesn’t make us more safe. Rather, it overwhelms the authorities whilst failing to provide additional benefits.
This was the case in Denmark, where similar provisions to those set out in the Draft IP Bill – that service providers were required by law to retain internet session data for twelve months – were implemented between 2007 and 2014.
A self-evaluation report published by the Danish Ministry of Justice in 2012 found that several years of collecting the data had not yielded any significant benefits for law enforcement. Instead, it had “caused serious practical problems” due to the volume and complexity of data hoarded, and in June 2014 the obligation to retain this data was repealed.
What does Liberty recommend?
The obligation on ISPs to retain ICRs must be removed from the Bill. In their current state, the vague requirement on internet companies to keep such vast amounts of data is neither effective nor plausible. It is preferable from both a human rights and law enforcement perspective to employ targeted powers on identified suspects. Mass retention is not the answer.
Please sign up to Liberty’s campaign to show the Government that you agree.