Draft Communications Data Bill

Not to be confused with Investigatory Powers Act 2016, passed legislation that has also been nicknamed the "Snooper's Charter".

The Draft Communications Data Bill (nicknamed the Snoopers' Charter or Snooper's Charter^[1]) was draft legislation proposed in 2012 by then Home Secretary Theresa May in the United Kingdom which would have required Internet service providers and mobile phone companies to maintain records of each user's internet browsing activity (including social media), email correspondence, voice calls, internet gaming, and mobile phone messaging services and store the records for 12 months. Retention of email and telephone contact data for this time was subsequently required by the Data Retention Regulations 2014.^[2] The anticipated cost was £1.8 billion.

May originally expected the bill to be introduced in the 2012–13 legislative session, carried over to the following session, and enacted as law in 2014.^[3] However, the former Deputy Prime Minister Nick Clegg withdrew his support for this bill in April 2013,^[4] saying "a law which means there would be a record kept of every website you visit, who you communicate with on social media sites ... it is certainly not going to happen with Liberal Democrats in government",^[5] and his Liberal Democrat party blocked it from being reintroduced during the 2010–2015 Parliament.^[6] As a result the draft bill was not taken forward into legislation.^[7]

Shortly after the Conservative victory in May 2015, May vowed to introduce the Communications Data Bill in the next parliament.^[8] In November 2015, May announced a new Investigatory Powers Bill similar to the Draft Communications Data Bill, although with more limited powers and additional oversight.^[9][10]

History

Intercept Modernisation

Main articles: Interception Modernisation Programme and Communications Data Bill 2008

The powers and intent of the Bill were preceded by plans under the previous Labour administration to improve access to communications traffic data, under the Interception Modernisation Programme.^[11] The plans did not become a firm legislative proposal and were strongly opposed by both Conservative and Liberal Democrat opposition parties.^{[citation needed][12]}

The new coalition agreement in 2010 committed to ending the storing of email and Internet records "without good reason". The IMP was not entirely abandoned however, and the Home Office under the new coalition committed to examining the problem of access to communications data under the Communications Capabilities Development Programme.^[13][14][15]

Queen's Speech

The government announced its intention to legislate in order to "maintain capability" of law enforcement access to communications traffic data in 2012.^[16]

Joint Committee

As the result of public reaction to the proposed Bill and internal Liberal Democrat opposition to the Bill, Nick Clegg asked for the Bill to be referred to a Joint Committee to scrutinise the proposal. The Committee reported in December 2012.^[17]

Counter Terrorism Bill 2015

In 2015 a cross-party group of lords — Tom King, Baron King of Bridgwater, former Conservative Defence Secretary; Ian Blair, Baron Blair of Boughton, former Commissioner of Police of the Metropolis and crossbench peer; Alex Carlile, Baron Carlile of Berriew, former Independent Reviewer of counter-terrorism legislation and Lib Dem peer; and Alan West, Baron West of Spithead, former Labour Minister for Security and Counter-Terrorism — attempted to add the text of the Communications Data Bill to the Counter-Terrorism and Security Bill, which became the Counter-Terrorism and Security Act 2015.^[18][19] However this was dropped before going to a vote due to opposition.^[20]

Powers

The bill would have amended the Regulation of Investigatory Powers Act 2000 (RIPA).

Data collection

The bill would have created a wide-ranging power to compel any 'communications service provider' to collect and retain additional information about their users. Existing data retention obligations required ISPs to retain data collected for business purposes for longer than normal. Under the new bill, any organisation that interacted with users and produced or transmitted electronic communications could have been compelled to collect and retain information about them, even if it was entirely irrelevant to their business needs.^{[citation needed][21]}

Deep packet inspection

One technique that could have been used to collect user data is deep packet inspection.

According to Office for Security and Counter-Terrorism Charles Farr, formerly of MI6, so-called "black boxes" – DPI – probes were not the "central plank" of the 2012 Communications Data Bill. The boxes would have been used when communications service providers refused to submit data, but he anticipated that most would maintain data about users in unencrypted form, from which contact information could readily be separated from content. This would circumvent SSL encryption during transmission. He said that the DPI boxes were already "used as a matter of course" by ISPs.^[22] The Mastering the Internet system was described in 2009 by The Register and The Sunday Times as the replacement for scrapped plans for a single central database, involving thousands of DPI "black boxes" at ISPs in association with the GCHQ base in Cheltenham, funded out of a Single Intelligence Account budget of £1.6 bn, including a £200m contract with Lockheed Martin and a contract with BAE Systems Detica.^[23] In 2008 the black box infrastructure was operated by Detica, which had been expected to win additional contracts for its proposed expansion in the Communications Data Bill 2008.^[24]

Filtering arrangements

The bill proposed arrangements to interrogate and match data from different data sources. The justification was that only relevant data would be returned, thus improving personal privacy. Additionally, police cited problems matching data from, for instance, different cell phone masts.

However, the bill was said to provide the legislative basis for a "giant database" that would allow "quite complicated questions" about "communications behaviors and patterns" which could become a "honeypot for casual hackers, blackmailers, criminals large and small from around the world, and foreign states", as Lord Strasburger described it, as the bill was scrutinised by the Joint Committee of MPs and peers.^[3][25]

The BBC reported that the Home Office stressed that the bill was intended for targeted surveillance rather than "fishing expeditions", but quoted opponent Nick Pickles, director of Big Brother Watch: "The filtering provisions are so broadly worded and so poorly drafted that it could allow mining of all the data collected, without any requirement for personal information, which is the very definition of a fishing trip."

Open Rights Group campaigner Jim Killock told the BBC that officials 'would be able to build up a complex map of individuals' communications by examining records of "their mobile phone, their normal phone, their work email, their Facebook account and so on",' which 'could compromise journalistic sources, deter whistleblowers and increase the risk of personal details being hacked'.^[26] The human rights organisation Liberty also called for rejection of what was being called the "Snoopers' Charter".^[27]

Changes to oversight

The bill would have changed the authorisations given to police officers under RIPA. Instead of individual data requests being granted by a senior officer, the senior officer would grant powers once a month to investigating officers to conduct data requests on a topic they were investigating.

Additional changes to the role of Interception of Communications Commissioner and Information Commissioner were argued to improve oversight to the existing arrangements under RIPA.

Justification

Cory Doctorow talks at the Open Rights Group event ORGCon 2012 about the bill

The basic justification was that communications traffic data was needed for investigations into serious crime, but access was declining. The Home Office said that they expected access to decline from about 80% to around 60% of traffic data over the following decade if no action was taken. They also stated, however, that the quantity of traffic data available was expected to grow by around 1000% in the same decade.

May stated that police had made urgent requests for communications data in 30,000 cases during the previous year and between 25% and 40% of them had resulted in lives being saved. She said that "There is a limited scope for the data we want to have access to. We have been very clear about that at every stage. The police would have to make a clear case for requesting access to data when there was an investigation that required it.... The aim of this is to ensure our law enforcement agencies can carry on having access to the data they find so necessary operationally in terms of investigation, catching criminals and saving lives".^[25]

Though the bill had been mentioned in the context of terrorism and child sexual abuse, the powers could have been used against minor crimes such as fly tipping.^[28]

Reactions

A survey by YouGov, commissioned by Big Brother Watch, found that 71% of Britons "did not trust that the data will be kept secure", and half described the proposal as "bad value for the money" as opposed to 12% calling it "good value". At the RSA Conference Europe 2012, Jimmy Wales said the bill "will force many relatively small companies to hang on to data that they would not otherwise retain, which puts the data at risk".^[29] Wales told MPs that Wikipedia would take action to hinder monitoring of users' interests by encrypting all communication to the UK by default if UK ISPs were mandated to track which pages on the site were visited.^[30]

Speaking at the launch of the World Wide Web Foundation's Web Index, Tim Berners-Lee (inventor of the World Wide Web) talking about the bill, stated "In Britain, like in the US, there has been a series of Bills that would give government very strong powers to, for example, collect data. I am worried about that." He added, "If the UK introduces draconian legislation that allows the Government to block websites or to snoop on people, which decreases privacy, in future indexes they may find themselves farther down the list".^[31]

Controversy

There were several main areas of controversy.

Patient and doctor private communication

As of November 2015, no ISP had announced or made public how they would handle and store information securely.

Physical limitations

From costs to how to power the machines, there were incredibly tough technical issues facing ISPs including some they might not be able to overcome. The sheer volume of data would have pushed hardware, software and network technologies beyond their design.

ISPs to retain logs for 12 months

The bill proposed that the obligation imposed on ISPs to retain data about their clients' online activities would be vastly expanded.^[32] The existing legislation allowed ISPs to retain information on clients for business purposes with a maximum time limit of 12 months. The proposed legislation would have obliged communication service providers (CSPs) to retain a variety of information for 12 months and make this information available to state authorities upon request. The UK Internet Services Providers' Association (ISPA) issued a statement raising concerns about the impact on the competitiveness of UK CSPs as it would have created a less attractive and more onerous environment in which the companies would have to work.^[33] The ISPA also questioned whether there was a need to expand the scope of data retention requirements and requested a more detailed explanation of what, in practice, would be required of them.^[33]

Weakening encryption

The UK Prime Minister at the time, David Cameron, expressed a desire for encryption to be weakened or encrypted data to be easily accessible to legal forces in order to tackle terrorism and crime. This idea has been widely described as uninformed and very dangerous to the privacy and information of the general public because of the dangers that this initiative would have entailed.^[34]

A ban on encryption would have resulted in all information stored online being openly visible to anyone. This information included data such as bank details that might be input on online shopping websites, addresses, personal details as well as private messages sent on messaging services such as iMessage and WhatsApp that used encryption in order to protect the identity and information of their users.

The existing encryption measures worked on the basis that no third party would be able to access the data and banning this practice would have meant that it would open the data not only to the government but also to anyone interested in it, because encryption measures are not set to be sensitive to certain access requests, but instead fully protective of all data stored under those measures.

Experts made it clear that weakening or banning encryption would be extremely dangerous and damaging to the safety of the economic Internet environment and could have had great repercussions on the information stored online and how it was used.^[35]

Oversight

The UK is unusual in the arrangement that Ministers sign off on warrants when the inspection of bulk collected data is requested by the security services. Just under three thousand warrants were requested and authorised in 2014 by the Secretary of State. Typically, in most democracies, independent judges decide and sign off police warrants in the cases where surveillance is of an intrusive nature.^[36]

An Independent Review of Terrorism Legislation published in 2015 called for UK to adopt the judicial authorisation as it is practised by other developed democracies.^[37]

There was a concern that the Prime Minister's Office would disregard the request for the reform of the oversight and the call for independent judges handling the sign off in the cases of highly intrusive surveillance.^[38]

Costs

Costs were estimated at £1.8bn over the following ten years. However the basis of the calculations used to reach this figure was not made public.^[39]

See also

• Anti-terrorism, Crime and Security Act 2001 § Part 11 (Retention of communications data)
• Internet censorship in the United Kingdom
• Mass surveillance in the United Kingdom
• Telecommunications data retention § United Kingdom