It appears that I am not alone in being concerned about the recent announcement from Home Secretary Theresa May suggesting it was the government’s intention to provide facilities to monitor everyone’s emails and other electronic communications. In addition to the usual groups who one would expect to kick up a fuss, a significant number of back benchers have indicated disquiet, particularly as the coalition apparently arrived with the intention of reducing recent erosions of ‘freedom’ or ‘privacy’. Nick Clegg is clearly uneasy and has stated “We’re prepared to look at any safeguards that make sure people feel comfortable these are not the draconian proposals they have been portrayed as being.” Hmm.
Essentially the government wants to extend the existing capability to obtain details of who is contacting whom so that it is available in real time. Although GCHQ has been implicated in the reports, we don’t actually yet know who will be able to monitor as the draft proposals have yet to emerge. Internet service providers (ISPs) will have to facilitate the process by installing extra equipment.
It is not helpful that the original announcement was not a model of clarity and rather suggested that email content and online telephone conversations could also be monitored in real time. This, of course, was found to be extremely concerning and set all kinds of hares running. The immediate reaction (including my own) was that this kind of proposal is exactly the kind of thing that a number of thoroughly odious states would be proud to be able to do (if they don’t already) and the sort of thing that we and some other vaguely civilized countries have gone to war to prevent happening. History shows that unfettered access to mass personal communication is about the easiest way there is for a state to control its people, at the same time instilling apprehension in the minds of the population that it is being ‘monitored’. No need, I think, to dwell on where all that could lead.
At the moment information about who is contacting whom must by law be retained by ISPs for a year, and this contains a surprising amount of detail. There are a number of bodies who can access this by virtue of a formal request on a specific basis. To give some idea of the scale of requests for existing data, the ‘Interception of Communications Commissioner’ reported that in 2009, there were just over half a million requests for information kept by ISPs, some 21,000 more than during the previous year. This somehow feels a lot more than one might have expected. It included 661 ‘errors’ in seeking information (apparently largely due to telephone numbers being transcribed incorrectly, perhaps mildly suggestive of a lack of attention to detail that may have other worrying implications). ‘Error’ doesn’t quite explain a number of covert operations that were not authorized in any way; the longest uncovered was for 23 days. These numbers bear comparison with ordinary communications intercept warrants, numbering about 1500 during the same year. There were 1000 active instances of monitoring at year end, so assuming that requests were made broadly evenly it rather looks as though quite a lot of the monitoring goes on for months at a time. Presumably quite a lot of this would convert to real time monitoring if it were available (and we can be sure there is already a limited amount of this). For some reason the 2010 figures are not available yet. The message here is that this kind of monitoring already goes on on a large scale. Half a million requests in the context of a nation of 60 million or so, in fact.
So what did Theresa say?
- Ordinary people would not be targeted. I wonder what an ordinary person looks like and who decides whether somebody with differing political views might be ordinary or not?
- The new powers “will be vital in catching terrorists, paedophiles and serious criminals”. Right, so the powers will not be confined to anti-terrorist action, but to lots of crimes. This suggests all kinds of people will be very interested in having access, just in case. I assume ‘serious criminal’ might mean someone committing a serious crime, but we don’t yet know the limits. Why now? Who is actually asking for it? The same civil servants who tried to get it through before?
- GCHQ will be able to access information in real time without a warrant. Just GCHQ? Why without a warrant – even phone taps need one of them? Implies ability to go on fishing expeditions.
- The Internet and phone companies will have to install equipment to facilitate this. Just in UK? What about stuff passing through? What about diplomatic traffic (I bet there’s some dodgy stuff there – probably already monitored though). What about access to ‘cloud’ (online) data storage systems?
Downing Street (whatever that means) has apparently responded by insisting only data – times, dates, numbers and addresses – not content would be accessible (Clegg later repeated this). This appears to contradict the original statement, but in any case this kind of potentially sinister announcement should really have been communicated more professionally. It was, after all, bound to be controversial. One notes that Home Secretaries who get things into a muddle usually fail and disappear into obscurity (often well deserved); maybe this one won’t detain us much longer (actually she hasn’t had a good week).
Obviously the stated justification for this sudden announcement was the need to counteract terrorism; extreme elements around the planet clearly use modern electronic communications to plan and co-ordinate unsavoury activity. The government always uses the ‘T word’ to discourage criticism as people won’t want to appear to condone such serious crimes.
My initial concern was that, like so many other laws that we were told related to ‘terrorism’, we then found that they were being applied in all kinds of strange circumstances. Motoring offences, checking the arrangements for putting bins out and impeding legitimate photography are three that come to mind. We were told these were ‘mistakes’ or ‘misunderstandings’ or ‘over-zealousness’ or the like. The point is that the purpose of legislation was not made clear on its face and the various state and local government organisms were not properly briefed, or supervised. It took until 2009 for the government that introduced the anti-terror legislation to begin to issue ‘guidance’, to discourage local authorities using powers inappropriately, such as to check up on bin misuse and dog fouling. Hence the suspicion that whilst this extremely intrusive move is justified on one basis, it won’t be long before state monitoring begins to be found a handy source of information for all kinds of other things. It would be naïve merely to accept a minister’s word that it’s all OK really; they would say that, wouldn’t they.
I’m sure that we all think the present home secretary is a delightful person deeply immersed in the long traditions of the country and its continual fights for freedom (for which we have done more than some others). She probably means well. But suppose after a few more scandals a government falls and we find a party wielding power that might be rather less palatable, and they are about. Suppose that, in order to further their own interests, it is discovered that there are all kinds of legislation available to them that, without raising an eyebrow, can be deployed for their own purposes: to snoop on individuals, for example, who might be expressing a legitimate opinion, or may be promoting voting in a way that doesn’t suit the state, or are doing the ‘wrong kind’ of business deal. Those are the things that could happen (and in other countries at various times can happen and are still happening) when levers are put in place that didn’t anticipate such possible use (or misuse). Now we all know there are bad people out there, and I’m simply arguing that legislation must be very clear as to purpose and use, and properly debated and thought through so that these risks can be minimized. I’m afraid that the days when a government minister says ‘trust me it’s for your own good’ are long gone and leave a trail of evidence behind to prove such mistrust is well founded.
Beyond the possibility of fishing expeditions, I think I would also be looking for assurances about who else might have access. There are agreements, some quite old, about other governments who are empowered to snoop on our shores. We cannot always legally do things ourselves that another government can (when we ‘don’t know’ about it), and information is exchanged later. Quite a lot of that happens in North Yorkshire, apparently. I think I’d be very careful to ensure that the new measures, if pursued, are confined to British bodies governed by British law, irrespective of any really valuable information being shared as part of a normal multi-national enquiry. We were of course told such monitoring was now ‘essential’, and that there would be ‘safeguards’, and that parliament would have to debate it first, so that’s all right then! Incidentally, quite a lot of online data storage is held on American servers and I understand that US authorities already have powers of access, though I haven’t looked into the detail.
Presumably all this will invoke massive development of technologies that cannot be tracked so easily (like face to face meetings in parts of the country without CCTV and with phones switched off)? Or use of foreign satellites to relay messages? Or more and better encryption? Or writing a letter? Or leaving coded messages under stones? And so on. The really nasty criminals are surely bound to adapt?
These initial thoughts were somewhat derailed over Easter 2012 when I happened to hear the ever-entertaining UKIP leader, Nigel Farage, a sad loss to the diplomatic service, suggest that this measure was going to happen anyway because the Europeans wanted it — they apparently now make more than half of our laws for us with no commensurate reduction in the cost of our government. As Nigel seeks to blame all ills on the EU I thought I’d look into it, and concluded that this is simply not so. It is true that the EU has been heavily involved in regulating record retention, but that stops well short of mandating real time monitoring. There is a counter terrorism framework requiring governments to have appropriate measures in place, but this seems much too vague to be the cause of the present fuss and in any case goes back to 2002. I set out at the end what I have identified as the EU involvement.
In fact it appears that the EU is revisiting its 2006 directive on electronic data retention following comment on its operation by a number of states, some of whom have found the requirements unsatisfactory or have had a hostile reception. Fancy that! In any event the present measure appears to be home spun from the UK Home Office, unless we believe any of the conspiracy theories about other possible motives. There are large numbers of people deeply unhappy about all this (me being one), and left wondering whether giving the state access to what will include really private and confidential information is a step too far, and whether this kind of action is more harmful to us than anything it is supposed to prevent.
One really doesn’t want to appear paranoid about these things, but no-one who has read 1984, or who has looked into the operation of a number of certain other states can watch all this stuff happening without at least saying ‘is everyone comfortable with this’?
It has taken centuries to extract from the state the freedoms that we have now. If we just hand them away, we are either doing the terrorists’ job for them or we risk sinking into the kind of unpleasant third-world country where government apparatchiks, and maybe even your neighbours, are feared and people very, very gradually become no longer free. Don’t take my word for it; there are plenty of twentieth century examples. We will have to see what the proposals actually say, but I would caution on the basis of past practice that these very serious proposals will be misused, later, or sooner.
Background to the EU involvement in Electronic Data Retention
The sequence of events appears to be as follows.
In 2000 the government passed the Regulation of Investigatory Powers Act (RIPA). This codified who could do what and included setting out the arrangements for telephone tapping. This was followed up by the Anti-terrorism, Crime and Security Act 2001, when a voluntary code was entered into with the ISPs about the provision of information about use of other electronic communications. A number of fairly obvious government and law enforcement agencies had powers to pursue these avenues, including HMRC. Whether it was intended that this should happen I couldn’t say, but SI 2000/2417 extended the list of authorized agencies to include local authorities, the Food Standards Agency and the NHS. To me, this doesn’t feel quite right and in fact has caused some trouble, with subsequent back-tracking.
The voluntary code entered into (one wonders about that word voluntary) effectively gave government access to all kinds of detailed communications data from 2001, though only if specifically requested. The voluntary code required the following information to be kept:
Subscriber Information – retention period 12 months
- Subscriber details relating to the person e.g. Name, date of birth, installation and billing address, payment methods, account/credit card details
- Contact information (information held about the subscriber but not verified by the CSP) e.g. Telephone number, email address
- Identity of services subscribed to (information determined by the communication service provider)
- Customer reference/account number, list of services subscribed to
- Telephony: telephone number(s), International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI)
- Email: email address(es), IP at registration
- Instant messaging: Internet Message Handle, IP at registration
- ISP – dial-in: Log-in, Caller Line Identification at registration (if kept)
- ISP – always-on: Unique identifiers, MAC address (if kept), ADSL end points, IP tunnel address
Telephony Data – retention period 12 months
- All numbers (or other identifiers e.g. name@bt) associated with call (e.g. physical/presentational/network assigned CLI, DNI, IMSI, IMEI, exchange/divert numbers)
- Date and time of start of call
- Duration of call/date and time of end of call
- Type of call (if available)
- Location data at start and/or end of call, in form of lat/long reference.
- Cell site data from time cell ceases to be used.
- IMSI/MSISDN/IMEI mappings.
- For GPRS & 3G, date and time of connection, IMSI, IP address assigned.
- Mobile data exchanged with foreign operators; IMSI & MSISDN, sets of GSM triples, sets of 3G quintuples, global titles of equipment communicating with or about the subscriber.
There are (as yet) unconfirmed reports about other things that government agencies are apparently able to do under circumstances I cannot identify but presumably (touching faith) only with special and specific authority. These include listening to or recording mobile phone calls, identifying location of a mobile phone to within a few yards, and (believe it or not) with the connivance of telephone service providers to download software to a phone (if of modern type) enabling it to be used as a secret listening device (but only if actually switched on).
Shortly after this, the EU got interested and decided that this kind of activity needed to be harmonized; they worked towards production of a directive on the matter. The directive (Directive 2006/24/EC), incidentally, is claimed to be necessary not because it is a more efficient way of tackling very serious crime (though it might be), but because having each state doing its own thing was inconvenient for the ISPs and was felt to be a trade barrier within the telecommunications market! The content of the directive caused much excitement in the run-up to its promulgation. It has been suggested that it was sped through the various final processes of the EC by the holders of the EU presidency at the time. Who was that, I hear you asking, as no doubt it has slipped your mind? It was the UK. Great interest was taken in the measure by Charles Clarke MP, Labour home secretary at the time, whose department provided great encouragement and support to hurry it through. It will be recalled that Labour was very keen on measures such as this. For what was essentially a measure justified in part for its trade value, it is interesting to see Charles Clarke, who was not trade minister, pushing for it. Two countries, incidentally, have been taken to court over its implementation where it was found unconstitutional. Germany was one of them.
Following the promulgation of the Directive, the UK Government generated a statutory instrument (SI 2007/2199, coming into force 1st October 2007). This required Telecommunication Service Providers to retain information by law, but only implemented the telephony aspects, the internet followed on later.
The regulations required ‘specified’ data to be retained for 12 months.
The specified data comprises in the cases of all telephones:
- the telephone number from which the telephone call was made and the name and address of the subscriber and registered user of that telephone;
- the telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred, and the name and address of the subscriber and registered user of such telephone;
- the date and time of the start and end of the call; and
- the telephone service used.
In the case of mobiles the following additional data is required:
- the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) of the telephone from which a telephone call is made;
- the IMSI and the IMEI of the telephone dialled;
- in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the cell ID from which the service was activated;
- the cell ID at the start of the communication; and
- data identifying the geographic location of cells by reference to their cell ID.
The data retained is required to include details of unsuccessful calls. The Regulations themselves do not specifically place a duty on the companies, or constraints on requesters, about the way data may be used by government agencies. That lies elsewhere.
Presumably because it was harder to do, data retention of email traffic didn’t get statutory coverage until 2009 (SI 2009/859 – The Data Retention (EC Directive) Regulations), and came into force on 6 April. It repealed the previous regulations (reciting identical terms) and added a section on internet.
The latter includes:
- The user ID allocated;
- The user ID and telephone number allocated to the communication entering the public telephone network;
- The name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
- In the case of internet telephony, the user ID or telephone number of the intended recipient of the call;
- in the case of internet e-mail or internet telephony, the name and address of the subscriber or registered user and the user ID of the intended recipient of the communication;
- In the case of internet access—
  - the date and time of the log-in to and log-off from the internet access service, based on a specified time zone,
  - the IP address, whether dynamic or static, allocated by the internet access service provider to the communication, and
  - the user ID of the subscriber or registered user of the internet access service;
- in the case of internet e-mail or internet telephony, the date and time of the log-in to and logoff from the internet e-mail or internet telephony service, based on a specified time zone;
- in the case of internet e-mail or internet telephony, the internet service used.
- in the case of dial-up access, the calling telephone number;
- in any other case, the digital subscriber line (DSL) or other end point of the originator of the communication.
This time the regulations made clear that “access to the data retained in accordance with these regulations may be obtained only:
- in specific cases, and
- in circumstances in which disclosure of the data is permitted or required by law.”