The law needs to change

 

There are (at least) two aspects to everything we do when we make a phone call, send an email, post something online or visit a web site. One is what we say or the action we take. That is the content of the communication.

The other is who we communicate with, when, with what, where we were at the time and how long the communication lasted. This is information about communications. It is called communications data, or alternatively metadata.

Working well in some cases but not in others

Communications content and communications data matter when the cops or the security services are trying to prevent crime or they are investigating it after the event.

Obviously in many circumstances what is actually said or done in a communication will be the most important thing to uncover. It seems that by and large in the UK the arrangements which allow the authorities to do that are working reasonably well. The broad rules are set out in the Regulation of Investigatory Powers Act, 2000.

However, there are big issues with communications data.

A near-laboratory test

Communications data can be incredibly valuable to the authorities when they are investigating all kinds of criminal activity. How do we know? Because we have a near-laboratory experiment which shows what happens in the 21st Century when you can’t obtain communications data. The details can be found in a report prepared by the European Union’s DG Home: Evidence for the necessity of data retention in the EU.

In March, 2010, the German Constitutional Court in effect suspended parts of the EU’s Data Retention Directive. For these purposes their reasoning is less interesting than the real-world consequences:

According to the German federal police (Bundeskriminalamt) and state police (Landeskriminalämter)

(in) 44.5% of the cases involving requests for historical data traffic data, there was no other means of conducting the investigation. They reported that 30% of criminal cases have collapsed since the judgment of the Constitutional Court. According to the Lower Saxony Landeskriminalamt, between the judgement of the Constitutional Court and summer 2011, traffic data would have been requested had they been available; in 257 cases (or 75% of all cases) investigations could not be solved, while for 32 cases (9%) investigations were only solved by investing significant additional resources. (p6)

OK. This is a limited sample but in the same report information on and around the issue was supplied by a total of 23 EU Member States. It contains lots of examples showing why communications data are important in different types of cases.

Finland reported (p7) that 56% of all requests for communications data proved important or essential to the outcome of criminal investigations or prosecutions. France and Poland claimed that communications data are needed for most criminal investigations. In Britain seemingly an average murder investigation might result in between 500 and 1,000 requests for communications data.

Apparently most requests for communications data concern mobile telephony (c.75%) although please note that means 25% relate to other sources. Approximately 67% of requests are made within 3 months of the discovery of an incident and 89% within six months. A not insignificant 11% involve transactions between six and 12 months old.

Communications data form the “backbone” of many investigations 

In a document published by the UK Parliament’s Intelligence and Security Committee (ISC Report) in February, 2013 the Director General of GCHQ said:

… access to communications data of one sort or another is very important indeed. It’s part of the backbone of the way in which we…approach investigations. I think I would be accurate in saying there are no significant investigations that we undertake across the service that don’t use communications data because of its ability to tell you the who and the when and the where of your target’s activities. It tends to be relatively reliable. It’s relatively accessible at the moment in a number of areas, and from our point of view it’s a very, very important capability…

The case for the cops and other parts of the security services needing to be able to obtain communications data is therefore obvious and overwhelming. However, in the post-Snowden furore the type of individual targeting which is implied by communications data requests, in the minds and mouths of some commentators and politicians, seems to have become conflated with anxieties around mass surveillance. Yet even the sternest critics of mass surveillance such as Julian Assange do not contest the need for targeted investigations. Conceptually they are quite distinct and they ought to be kept that way.

But here’s the thing

The problem arises, and we need new laws, because of the huge changes in the way communications companies work. These changes mean, in effect, that not every electronic service provider (esp) now has the physical capability to collect communications data. Worrying gaps have therefore opened up in the communications firmament and in the ISC Report (p11) esps agreed the gap is going to grow in time. In other words, unless we take steps now the bad guys are going to find it ever easier to do their worst and it will get ever harder for the cops and others to stop them or catch them afterwards.

Some esps don’t even try to collect and store communications data and they boast about it or use it as part of their marketing. Alternatively some esps collect communications data in such a way as to make extracting what is needed for an investigation unnecessarily complicated, or the processes become extremely time-consuming and expensive. Think about the way IP addresses are allocated dynamically. They can change within milliseconds but each one would need to be the subject of a separate data request, yet what probably matters more in the context of a criminal investigation is what an individual is doing with a range of devices over perhaps an extended period.

Basic rule of data collection and retention

The basic rule of data protection is that personally identifiable information should only be collected and retained if and for as long as there is a justifiable business purpose. That sounds perfectly reasonable. In the context of communications that normally relates to one of two things: traffic management and billing. The problem is nowadays both of these can be quite transient or completely non-existent. For example, if a subscriber has an unlimited deal, if they pay a flat sum and get “all you can eat”, why would anyone need to record anything unless the account holder steps outside the area covered by or the terms of their package?

Overseas esps 

Then there’s the question of esps that are based overseas. There is nothing the UK authorities can say or do to compel them to collect or store data or do anything at all for that matter. However, in most cases, were there to be a clear expectation that under UK law esps should behave in a certain way, many overseas esps would want to comply and would arrange their services accordingly.

The current law enables UK police to ask overseas esps for communications data they hold, but there is nothing that would enable the UK Government to encourage esps to hold on to data for the same length of time as their UK based counterparts. Absent such a clear legal basis it is harder or impossible for them so to do, particularly in the case of US companies.

The need for a change in the law is clear

The present Coalition Government published a Communications Bill which sought to address the problems outlined above. Earlier this year the Bill had to be withdrawn because of opposition from within Government ranks. The arguments which sank the Bill were about the over-broad nature of the language used in some parts of the text, but when the whole Bill died so did the sections which would have closed the harmful growing gaps.

I hold no brief either for the Government or that particular Bill but I do know that, one way or another, Parliament is going to have to return to this problem. Let’s hope it is sooner rather than later.

Abuse of anonymity: the root of the internet’s enduring problems

The abuse of anonymity – the way in which technology can make it easy to disguise your true identity for evil purposes – lies at the root of most of the enduring problems which the internet has thrown up. If that problem did not exist the debate about communications data would be very different. But the fact is the illegitimate use of anonymity is not going to go away in a hurry and that’s why everyone should be concerned that we sort this out just as quickly as we can.

What we must never do is roll over and accept that there is nothing that can be done or that this is the inevitable and permanently unavoidable price we must pay in order to receive all of the massive benefits which the internet has brought. That way madness lies. Moreover it is a madness which, in the end, no Government anywhere in the democratic world, and the people whom they represent, will be able to live with or accept.

The challenge of how we create proper accountability for our security services and the police when using their surveillance powers is an important one. No doubt about that. But I cannot see what anyone gains by standing by and allowing a situation to develop where, in reality, unquestionably lawful investigations of specific individuals are rendered impossible or impracticable.

About John Carr

John Carr is a member of the Executive Board of the UK Council on Child Internet Safety, the British Government's principal advisory body for online safety and security for children and young people. In the summer of 2013 he was appointed as an adviser to Bangkok-based ECPAT International. Amongst other things John is or has been a Senior Expert Adviser to the United Nations, ITU, the European Union, a member of the Executive Board of the European NGO Alliance for Child Safety Online, Secretary of the UK's Children's Charities' Coalition on Internet Safety. John has advised many of the world's largest internet companies on online child safety. In June, 2012, John was appointed a Visiting Senior Fellow at the London School of Economics and Political Science. More: http://johncarrcv.blogspot.com