The delayed and modified Home Office "consultation" on Communications Data snooping and retention.
Protecting the Public in a Changing Communications Environment (.pdf) 690Kb
Responses, by Monday 20th July 2009 to:
Nigel Burrowes
Communications Data Consultation
Room P.5.37
Home Office
2 Marsham Street
London SW1P 4DF
Or by e-mail to: communicationsdataconsultation@homeoffice.gsi.gov.uk
What have they been working on for at least the last 7 months ? This "public consultation" should set out several, carefully costed, detailed options, but it does not bother to do so.
You are invited to provide some responses to some Questions, but, astonishingly, of the three alleged Options, this "consultation" document has already ruled out two of them !
The false choice being presented, as the only possible proposal, without any alternatives, is referred to as
As we have come to expect from the Home Office, when attempting to deal with complicated technological issues, they do not give any real practical detail about exactly what they are proposing to do.
10. Some respondents suggested that more technical detail should be provided within the draft Regulations. However, the Government's experience of working with public communications providers under the ATCSA voluntary code of practice and the first phase implementation of the DRD suggests that it is unhelpful to provide a high level of technical detail in the legislation as terms that might be meaningful to one business area, may be completely inappropriate for another or may already be given meaning within other legislation.
To whom, precisely, is specific technical detail "unhelpful" ? Not to the industry, and not to the public.
It is the Home Office's job to state clearly and precisely what technical details are required and which ones are exempt from the regulations.
Unless and until they do state in detail, what exactly is, and what is not to be logged and retained, then all their "cost estimates" in the Impact Assessment are fiction.
This response from the Government is not acceptable.
It seems that the Labour Government / Home Office are continuing with this patronising, arrogant "we know best, but we will not bother to tell you the details", technologically illiterate attitude, with this latest "consultation" as well:
The "middle (or is it muddle ?) way" option:
Pages 26 - 27
III. A middle way
The Government is therefore consulting on a range of "middle way" options that seek to balance the rights to privacy and security. These options are all based on the model for collecting and retaining data that exists today: the communications service provider would collect the data and store it and allow access by the authorities on a case-by-case basis under RIPA. All the data would therefore continue to be distributed around and held by different communications providers.
As a first step, the Government would legislate to ensure that all the data that public authorities might need, including the third party data, is collected and kept in the UK. Communications service providers based in the UK would therefore continue to collect and retain communications data relating to their own services but also collect and store the additional third party data crossing their networks. This would therefore include communications data which does not come under the scope of the EU Data Retention Directive.
All the data retained by the communications service providers would continue to be accessible on a case-by-case basis to public authorities, subject to the same rigorous safeguards that are now in place.
Not good enough.
The lack of proportionality shown by the "Town Hall Stasi" and various Counter-Terrorism units abusing their RIPA and Data Protection Act powers, is not a "rigorous safeguard".
Remember that, unlike most other civilised countries, there is no independent judicial warrant required for access to this Communications Data, only self authorisation by officials within the organisations demanding the data.
The RIPA Commissioners only audit a tiny sample of the paperwork of the hundreds of thousands of such requests, well after the fact, and then they never give even anonymised individual details in their censored annual reports.
This option would put additional demands on industry, especially around the collection and retention of third party communications data not required for the business purposes of communications service providers. The Government is therefore actively seeking the views of industry on these proposals through this consultation.
Hello - what about the general public and business consumers who are the customers of "industry" ?
This option would resolve the problem that some communications data which may be important to public authorities will not otherwise be retained in this country. However, it would not address the problem of fragmentation: as data is increasingly held by a wider range of communications service providers, it might take longer than it does at present to piece together data from different companies relating to one person or communications device. The current capability would therefore diminish.
To mitigate this problem the Government would require communications service providers not only to collect and store data but to organise it, matching third party data to their own data where it had features in common (for example, where it relates to the same person or to the same communications device). This would require additional legislation.
This would "require additional legislation", i.e. the promised Communications Data Bill, only, presumably, because this is currently illegal under the (weak) Data Protection Act.
Does this mean some sort of Phorm-like Deep Packet Inspection / Interception Without Permission ?
Organising data together would help to ensure that communications service providers would be better able to respond to a request from public authorities for all the data relevant to a specific communications device or subscriber. It would significantly decrease the turnaround time for requests and in life-threatening situations greatly help public authorities.
In particular, where all the data that a public authority needed for an investigation was held by one communications service provider, this option would mean it was available quickly in a readily understandable form.
Emphasis in the original:
To maintain the capability set out in this document, the Government recommends taking the steps outlined above, specifically: that it legislates to ensure that all data that public authorities might need, including third party data, is collected and retained by communications service providers; and that the retained data is further processed by communications service providers enabling specific requests by public authorities to be processed quickly and comprehensively.
To assist us in complying with Better Regulation requirements this document is intended to stimulate discussion and elicit views both from those likely to be affected and any interested stakeholders. Any legislative provisions brought forward following this consultation will be accompanied by a fully developed and robust Impact Assessment measuring the impact on the public, private and third sectors. Specific impact tests required alongside the Impact Assessment, such as the construction of an Equality Impact Assessment, will also be addressed.
Then there is a vague initial "cost estimate" of £2 billion, but with no actual timescale for the project, and no estimate of its annual running costs.
This could easily equate to tens of millions of pounds per individual terrorist or serious organised criminal that the system will actually catch, over and above the current system.
The Serious Organised Crime Agency (SOCA) only has an annual budget of £400 million - surely this vast electronic snooping project cannot hope to be even as (in)effective as that agency, or any other Police Force ?
IV. Costs
The range of options would offer different levels of benefits to the public authorities, such as the law enforcement and intelligence agencies. Different option among the ranges available would also incur different levels of cost. Initial estimates of the implementation costs of the range of options discussed above are up to £2bn. This figure is a high level budgetary estimate of the economic costs. 14
As provided for in RIPA, the Government is required to ensure arrangements are in place to make reasonable contributions to communications service providers toward the costs incurred by them in complying with the Act's communications data requirements.
14 These estimates cover all the options considered in this paper, except the 'Do Nothing' option.
What "Different option among the ranges available" ?
This public consultation document only presents one vague "option". Are there other, more detailed options which have been secretly presented to the Telecommunications and Internet Service Provider companies ?
Previous Home Office "consultations" with "the industry" took over 5 years, before they came out with a detailed "voluntary" code of practice for the retention of Communications Data, following the Anti-terrorism, Crime and Security Act 2001.
The "middle way" plan, it seems, intends to retain all this extra data and extra processed and cross referenced data, for at least 12 months (something which is currently illegal under the weak Data Protection Act, which would be further weakened by more primary legislation).
Page 28
In addition to these safeguards, a statutory limit would be imposed on the duration for which additional data collected by communications service providers could be retained. This would relate to the data that service providers were required to collect and keep by law from services that were not offered by them, but which crossed their networks. The statutory limit would be set at 12 months, in line with the voluntary code approved under the ATCSA and in line with the UK transposition of the EU Data Retention Directive.
This period might need to be extended in specific cases in certain circumstances - where the data was needed for specific legal proceedings. Any such exemptions would also have to be set out in primary legislation. After the retention period all retained data would be destroyed in line with data protection principles.
Is there any Good News in this latest Labour Government / Home Office policy shift ?
15. The Government therefore established the cross-government Interception Modernisation Programme (led by the Home Office) to examine how to maintain our communications data capability in the light of the challenge arising from the rapidly changing communications environment.
16. The Government has no plans for a centralised database for storing all communications data. An approach of this kind would require communications service providers to collect all the data required by the public authorities, and not only the data required for their business needs. All of this communications data would then be passed to, retained in, and retrieved from, a single data store. This could be the most effective technical solution to the challenges we face and would go furthest towards maintaining the current capability; but the Government recognises the privacy implications of a single store of communications data and does not, therefore, intend to pursue this approach.
Reading these words might give you the impression that they never had any such evil plans, but all the briefings to the Telecoms and ISP industries and to journalists tell a different story. They did seem to be seriously hoping to have a centralised system, which would have been open to secret, unaudited snooping, data matching, data mining etc., not just on the records of actual criminal or national security investigation suspects, but on anybody, including peaceful political demonstrators, opposition politicians, journalists, and even "disloyal" Labour party insiders.
The current "safeguards" are weak and secretive, but if the commercial Telecoms and ISPs remain in the loop, then the financial audit trail, even if the actual sums of money are not prohibitive, should still act as a deterrent to overzealous or inexperienced investigators who might try to demand excessive numbers of records.
It might keep Data Mining for spurious statistical "patterns" in the vast amount of innocent people's data too expensive to attempt.
See Dr. Ben Goldacre's Bad Science article and informed comments: Datamining for terrorists would be lovely if it worked
HO as usual will not know what they are going to do, or even how to go about doing it. In another govt dept, an excellent civil servant (not entirely in tune with his own dept) had to tell me recently that they could not handle technical...
This consultation document proposes a massive invasion of everybody's privacy. It is not "maintenance of an existing capability".
If allowed to go ahead, this database will allow thousands of public bodies to track your every movement - probably even within your own home.
I have sent a written response, and I urge everyone else to do likewise. My letter is here:
http://www.skills-1st.co.uk/papers/policy/commsdata-200904.pdf
Andrew