Friday, 1 April 2016

An official announcement

The following official statement was issued this morning.
“A temporary ceasefire has been agreed among combatants in the Semantic Wars. 
A list of banned words and phrases has been drawn up including ‘Itemised Phone Bill’, ‘The Outside of an Envelope’ and ‘We only want to do what [named Silicon Valley company] does’.

Any permutation of (indiscriminate, blanket, mass, dragnet, random, uncontrolled, at will) and (surveillance, trawling, snooping, browsing, monitoring) is also prohibited, whether accusations or denials thereof.
 
Use of the term 'Snoopers Charter' will be regarded as grounds for immediate termination of the accord.”

Early indications are that the truce is unlikely to hold.

[BREAKING NEWS, 10.45 am. Unconfirmed reports suggest that teams of inspectors are in the process of being deployed to eliminate stockpiles of unused non-denial denials.]


Tuesday, 29 March 2016

Woe unto you, cryptographers!

A hitherto unknown translation of the Bible has been found in a Cheltenham safe deposit. So far it has been possible to decipher only a few verses:


Matthew 7:16: "Ye shall know them by their metadata".

Job 31:4: "Does not GCHQ see my ways, and count all my hops?" 

Revelation 20:13: "And they were judged all according to the pattern of their communications."

Revelation 3:8: "Behold, I have set before thee an open door, and no man can shut it: for thou hast a little strength, and hast kept my word, and hast not installed end-to-end encryption".

Psalm 139:1-2 (To Wearable Tech): "Thou knowest my sitting down and my rising up, thou understandest my thought afar off."

Luke 11:52: "Woe unto you, cryptographers! for ye have taken away the key of knowledge: ye entered not in yourselves, and them that were entering in ye hindered."


Thursday, 24 March 2016

All about the metadata

If it is true that granularity of language reflects the importance of the subject matter then metadata, not content, is at the heart of the Investigatory Powers Bill.

For content the Bill provides a few definitions: Content, Relevant Content, Intercepted Content and Protected Material. 

For metadata we have a richer set: Communications Data, Relevant Communications Data, Internet Connection Records, Entity Data, Events Data, Systems Data, Related Systems Data, Equipment Data, Secondary Data and Identifying Data.

The emphasis on metadata is perhaps unsurprising, since the Intelligence and Security Committee told us in its March 2015 report that metadata is indeed more valuable than content to the intelligence agencies in their mission to join up the dots and spot potential malefactors:

The plethora of definitions (not to mention the proliferation of cross-linked sub-definitions) does not make for easy understanding. 

In an attempt to untangle the spaghetti heap I have been experimenting with flowchart visualisations of the more significant and complex data definitions. More of that anon. 

The table below shows where the major varieties of telecommunications data fit in the scheme of the Bill. For simplicity it focuses mainly on bulk powers and also omits definitions of overseas-related communications, overseas-related equipment data and overseas-related information in the bulk equipment interference part of the Bill.  

In general terms the types of metadata obtainable under the bulk interception and interference warrants are broader than those under the powers and bulk warrant for acquisition of communications data.

Power: Communications data retention notice (78(1))
Subject matter: Relevant Communications Data (78(9))
  • Communications Data (223(5))

Power: Communications data acquisition - authorisation and notice (53)
Subject matter: Communications Data (223(5))
  • Entity Data (223(3))
  • Events Data (223(4))

Power: Restrictions on use of S.53 power to access or process internet connection records (54(4))
Subject matter: Internet Connection Records (54(6))
  • Communications Data (223(5))

Power: Bulk communications data acquisition warrant (138)
Subject matter: Communications Data (223(5))
  • Entity Data (223(3))
  • Events Data (223(4))

Power: Bulk interception warrant (119)
Subject matter: Communications (223(2))
  Content (223(6))
    Intercepted Content (137(1))
    Relevant Content (134(5))
  Secondary Data (120(3))
    • Systems Data (225(4))
    • Identifying Data (225(2) and (3))
  Related Systems Data (119(6))
    • Systems Data (225(4))

Power: Bulk equipment interference warrant (154)
Subject matter: Communications (223(2))
  Protected Material (170(9))
    • [not] Equipment Data (155(5))
    • Private Information (173(1))
  Equipment Data (155(5))
    • Systems Data (225(4))
    • Identifying Data (225(2) and (3))

Power: Warrant for retention or examination of bulk personal datasets (175)
Subject matter: Information
  Bulk Personal Dataset (174)

It can be seen that around half a dozen different kinds of power or authority provide routes for the compulsory retention and acquisition of various kinds of metadata. They all have in common that the Bill’s restrictions on selecting and accessing bulk content (an individual located within the British Islands at the time of selection cannot normally be targeted without a further warrant) do not apply.

This is a diagram of the overall metadata ingestion scheme of the Bill.

Turning to the definitions, the Clause 78 power to direct retention of communications data rests on the definition of Relevant Communications Data. Internet Connection Records are a subset of Relevant Communications Data to which Clause 54 applies some access restrictions (although fewer in the Bill than the draft Bill). 

Relevant Communications Data in turn depends on the dividing line between Content and Communications Data. The definition of content interfaces separately with Systems Data. The draft Codes of Practice released with the Bill suggest that it is possible for communications to consist entirely of Systems Data and so contain no content.

What the definition of content lacks in companions it makes up for in conceptual difficulty.  The Parliamentary Joint Committee scrutinising the draft Bill remarked:

Communications Data consists of either Entity Data or Events Data, to which different levels of authorisation apply under the targeted communications data access regime in Part 3 of the Bill. This is the equivalent of the current RIPA communications data access regime under which over 500,000 access demands are made on communications service providers annually.

Turning to bulk powers, the bulk communications data acquisition warrant authorises the obtaining of Communications Data. A bulk interception warrant authorises the interception of Secondary Data in addition to content. Secondary Data is the Bill’s version of what under RIPA is known as Related Communications Data. Secondary Data consists of either Systems Data (as before) or Identifying Data. Unlike with RIPA, the Bill will allow metadata contained within the content of a communication to be scraped and be no longer treated as content. 

Similarly a bulk equipment interference warrant authorises the obtaining of Equipment Data, a close cousin of Secondary Data.

Last, a bulk interception warrant also authorises the obtaining of Related Systems Data from telecommunications operators. 

That's all about the metadata.

The chief remaining omission from the visualisations is Protected Material in S.170(9). This is the bulk equipment warrant equivalent of Content. As such it defines the material for which a targeted examination warrant is necessary if it is to be selected for examination by reference to an individual known to be located in the British Islands. 

The definition contains a triple negative that presents a considerable challenge to parse and represent graphically. Instead, here is the unadorned raw text to ponder:

“protected material” means any material obtained under the warrant other than material which is -
(a) equipment data;
(b) information (other than a communication or equipment data) which is not private information.”

Relevant Content crops up in relation to targeted examination warrants in Part 1. It means 'any content of communications intercepted by an interception authorised or required by a bulk interception warrant'.

Intercepted Content, in relation to a bulk interception warrant in Part 6, is defined almost identically: 'any content of communications intercepted by an interception authorised or required by the warrant'.

Tuesday, 15 March 2016

Relevant Communications Data revisited

One of the more critical definitions in the Investigatory Powers Bill is 'relevant communications data'. This determines the scope of the Secretary of State's power under Section 78 to direct telecommunications operators (both public and private networks) to generate, obtain and retain communications data including (but by no means limited to) so-called internet connection records (site browsing histories).

It is also one of the most complex definitions in the Bill. The draft Bill version consisted of 14 interlinked definitions and sub-definitions.  If anything it has become even more complex in the Bill itself, now expanded to 16 definitions and sub-definitions.  On the upside at least we now have only one definition of internet connection records.

For the draft Bill I attempted a visualisation of the web of definitions that make up 'Relevant communications data'.  

Here is my updated version for the Bill, accompanied by a colour-coded reference list of the definitions: all 985 words of them.

Reference list of definitions

78(9): In this Part “relevant communications data” means communications data which may be used to identify, or assist in identifying, any of the following—

(a) the sender or recipient of a communication (whether or not a person),
(b) the time or duration of a communication,
(c) the type, method or pattern, or fact, of communication,
(d) the telecommunication system (or any part of it) from, to or through which, or by means of which, a communication is or may be transmitted, or
(e) the location of any such system,
and this expression therefore includes, in particular, internet connection records.

54(6): In this Act “internet connection record” means communications data which -

(a) may be used to identify, or assist in identifying, a telecommunications service to which a communication is transmitted by means of a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and
(b) comprises data generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person).

223(2): “Communication”, in relation to a telecommunications operator, telecommunications service or telecommunication system, includes—
(a) anything comprising speech, music, sounds, visual images or data of any description, and
(b) signals serving either for the impartation of anything between persons, between a person and a thing or between things or for the actuation or control of any apparatus.

223(13): “Telecommunication system” means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.

223(11) and (12): “Telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).

For the purposes of subsection (11), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.

223(10): “Telecommunications operator” means a person who—

(a) offers or provides a telecommunications service to persons in the United Kingdom, or
(b) controls or provides a telecommunication system which is (wholly or partly)—
(i) in the United Kingdom, or
(ii) controlled from the United Kingdom.

223(5): “Communications data”, in relation to a telecommunications operator, telecommunications service or telecommunication system, means entity data or events data

(a) which is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator and—
(i) is about an entity to which a telecommunications service is provided and relates to the provision of the service,
(ii) is comprised in, included as part of, attached to or logically associated with a communication (whether by the sender or otherwise) for the purposes of a telecommunication system by means of which the communication is being or may be transmitted, or
(iii) does not fall within sub-paragraph (i) or (ii) but does relate to the use of a telecommunications service or a telecommunication system,
(b) which is available directly from a telecommunication system and falls within sub paragraph (ii) of paragraph (a), or
(c) which—
(i) is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator,
(ii) is about the architecture of a telecommunication system, and
(iii) is not about a specific person,
but does not include any content of a communication or anything which, in the absence of subsection (6)(b), would be content of a communication.

225(1): “data” includes data which is not electronic data and any information (whether or not electronic),

223(3): “Entity data” means any data which—

(a) is about—
(i) an entity,
(ii) an association between a telecommunications service and an entity, or
(iii) an association between any part of a telecommunication system and an entity,
(b) consists of, or includes, data which identifies or describes the entity (whether or not by reference to the entity’s location), and
(c) is not events data.

223(4): “Events data” means any data which identifies or describes an event (whether or not by reference to its location) on, in or by means of a telecommunication system where the event consists of one or more entities engaging in a specific activity at a specific time.

223(7): “Entity” means a person or thing.

225(1): “person” (other than in Parts 2 and 5) includes an organisation and any association or combination of persons

223(6): “Content”, in relation to a communication and a telecommunications operator, telecommunications service or telecommunication system, means any element of the communication, or any data attached to or logically associated with the communication, which reveals anything of what might reasonably be considered to be the meaning (if any) of the communication, but—
(a) any meaning arising from the fact of the communication or from any data relating to the transmission of the communication is to be disregarded, and
(b) anything which is systems data is not content.

225(4): In this Act “systems data” means any data that enables or facilitates, or identifies or describes anything connected with enabling or facilitating, the functioning of any of the following—
(a) a postal service;
(b) a telecommunication system (including any apparatus forming part of the system);
(c) any telecommunications service provided by means of a telecommunication system;
(d) a relevant system (including any apparatus forming part of the system);
(e) any service provided by means of a relevant system.

225(5): For the purposes of subsection (4), a system is a “relevant system” if any communications or other information are held on or by means of the system.

225(1): “apparatus” includes any equipment, machinery or device (whether physical or logical) and any wire or cable


Tuesday, 16 February 2016

The draft Investigatory Powers Bill - start all over again?

[Now updated (28 March 2016) with comments on the Bill as published on 1 March 2016]

No-one expected much from the Intelligence and Security Committee’s Report on the draft Investigatory Powers Bill last Monday. The main event was supposed to be the Joint Committee’s Report on Thursday.

But after the ISC's unexpected fusillade – "surprising", "inconsistent", "could not provide any specific examples", "a curious approach", "must be clarified", "not appropriate", "missed opportunity", "simply unacceptable", "lack of transparency", "misleading", "largely incomprehensible", "unnecessarily confusing and complicated", "completely unsatisfactory", "seemingly open-ended and unconstrained power", "disappointed" – anything short of verbal meltdown on the part of the Joint Committee was likely to seem a bit of a damp squib.

And so it proved.  "Unclear, unhelpful and recursive” was about as feisty as it got, reserved for the notorious “Data includes any information which is not data” definition. A sitting duck duly picked off, but not a calamity.

[Bill comments: Now replaced with: “data” includes data which is not electronic data and any information (whether or not electronic).]

Nevertheless the overall moderation of the Joint Committee's language – much of it, one suspects, carefully crafted to accommodate a spectrum of opinions within the Committee – should not distract from the substance of what the Committee had to say. At 200 pages and 86 recommendations the Report is a significant piece of work, all the more so given the time pressure under which it was produced.

The three Parliamentary Committee reports (the Commons Science and Technology Committee Report completes the trilogy) together amount to a substantial body of analysis and criticism of the draft Bill. The Home Office has to pick itself up and dust itself off. Whether it will start all over again we shall see in the coming weeks.

This selective commentary on the Joint Committee Report concentrates mainly on data retention (including Internet Connection Records) and bulk powers. (Numbered references are to the list of conclusions and recommendations at page 7 of the Report.)

Internet Connection Records and data retention

Not another word about itemised phone bills

“We do not believe that ICRs are the equivalent of an itemised phone bill. However well-intentioned, this comparison is not a helpful one.” [18] Why is this a significant conclusion? For some time the refrain has been that ICRs are just like an itemised phone bill – something to which we are quite accustomed and don’t need to worry about. The Home Secretary used it in her speech introducing the draft Bill in Parliament.

The effect of the analogy is to downplay both the reach of ICRs and their privacy implications. The reality is quite different from an itemised phone bill.  ICRs are more like a combination of universal online CCTV and a mandatory list of our reading habits.  They could (if they can be made to work as intended) help answer not just the question Who has she been speaking to? (the itemised phone bill question) but Where has she been? and What has she been doing? The intrusiveness involved in compelling the generation and retention of ICRs is on that score alone significantly greater than a real itemised phone bill.

Furthermore, ICRs could answer the question What has she been reading? This bears no relation at all to an itemised phone bill - unless your bill happens to list the titles of all the books, newspapers and magazines that you have read in the last year. It is not even a communication in any sense that would be understood for a telephone call. We never used to read books over the telephone. Now we read remotely. By a mere accident of technology reading has become a 'communication', treated in the same way as if we were speaking to or e-mailing another human being.

Officially compelled logs of reading habits are firmly in freedom of expression territory, regardless of what queries the legislation might allow to be made on the databases. Reluctance to read a controversial website for fear that doing so might trigger an official red flag is of itself sufficient to chill freedom of expression. As a matter of human rights law, if that contravened the ‘essence of the right’ that would be a violation, regardless of necessity or proportionality.

Thanks to the Joint Committee's firmly stated conclusion the debate over ICRs can now take place in its proper context: that, as a rolling map of our online lives, ICRs would be vastly more intrusive than an itemised phone bill and in some significant respects impinge on freedom of expression.

[Bill comments: The Second Reading debate steered clear of itemised phone bills, albeit new metaphors were in evidence: 'initial point of contact' (Theresa May) and 'front door' of a site: 'They are closer to an itinerary, revealing places that people have visited.' (Andy Burnham).  

The same cannot be said of the National Crime Agency when giving evidence to the Bill Committee on 24 March 2016:

]

Once more from the top and clearly this time

Lack of clarity around ICRs is a recurrent theme. 

“We recommend that the definition of Internet Connection Records be made consistent throughout the Bill” [17]. “…the Government should give consideration to defining terms such as ‘internet service’ and ‘internet communications service’” [17].

“We welcome the additional information the Home Office has provided on ICRs, though we are not in a position to assess the extent to which it meets the concern of witnesses as to a lack of clarity”[16].  

The call for clarity is more than lawyers’ pedantry.  Clarity is a requirement of the rule of law.  Intrusive powers should be sufficiently clear to enable someone to foresee with reasonable certainty the circumstances in which they might be used. 

Like ‘Internet Connection Records’ itself, none of the undefined terms is common currency or has a generally accepted meaning. Yet they underpin the proposed regime for generation, retention and access to ICRs. The Home Office explanatory documents that touch on the term ‘internet communications service’ are inconsistent.

As the Home Office has provided more information, its concrete illustrations have raised new questions (see my further evidence to the Joint Committee). In any event whilst providing examples is certainly helpful in shedding light on the government's intentions that does not render unclear definitions clear.

[Bill comments: We do now have one consistent definition of internet connection records. 

As to the Home Office's concrete illustrations, in its evidence to the Joint Committee it suggested that a sub-domain - such as news.bbc.co.uk - would count as content and therefore could not be an ICR. Previous understanding was that everything to the left of the first slash was communications data (of which ICRs are a subset). Now the draft Code of Practice appears to have reverted to the original understanding:

The Home Office could now usefully publish updated lists of what it considers to be content and metadata including, crucially, its reasoning underlying each categorisation. Without that it is difficult to see how either MPs or the general public can be expected to comprehend what is being debated.

The critical terms 'internet service' and 'internet communications service' remain resolutely undefined in the Bill. Some loose quasi-definitions have been footnoted in the Communications Data Draft Code of Practice:
  
Question: If, as seems to be suggested by draft CoP footnote 46 and para 7.3 2nd bullet, 'internet communications services' are intended to be restricted to human to human messaging, why should this not be made explicit on the face of the Bill?]

Come back when you have fully addressed intrusiveness, definitions and feasibility

“…The government must address the significant concerns outlined by our witnesses if [ICRs’] inclusion within the Bill is to command the necessary support” [14]

“We have concerns about the definitions and feasibility of the existing proposal, which the Home Office must address.” [12]

Although preceded by some support for the idea of ICRs (“on balance, there is a case for [ICRs] as an important tool for law enforcement” [12], “could prove a desirable tool” [14]), the Committee's emphasis is on the need to address the concerns. They are significant. One batch of concerns is around intrusiveness. But how the government can address the intrusiveness inherent in ICRs other than by scrapping them (a course recently advocated by the Financial Times) is a ticklish problem. 

The intrusiveness issue is intensified by the Joint Committee’s recommendation that law enforcement access to ICRs should be extended beyond the three specific purposes set out in Clause 47(4) of the draft Bill and discussed in the Home Office Operational Case. The Committee recommends that access should be possible in order to obtain “information about websites that have been accessed that are not related to communications services nor contain illegal material, provided that this is necessary and proportionate for a specific investigation” [22]. At first blush this would seem to put access to ICRs for an investigation on a broadly comparable footing to other communications data requests.  

[Bill comments: the purposes for which ICRs can be accessed have indeed been extended:

The degree of potential intrusion to be weighed in the balance has correspondingly increased. The undefined term 'internet service' has again been used. The draft Communications Code of Practice suggests that it includes websites, applications and internet communications services (see above).]

The second set of witnesses’ concerns is about technical feasibility. “We urge the Government to explain in its response to this report how the issues which have been raised about the technical feasibility of ICRs will be addressed in practice” [21] Technical feasibility is bound up with the lack of clarity over the ambit of ICRs.  At the most fundamental level, how can a convincing case be made for the feasibility and effectiveness of records whose composition is not fully understood? The Committee cannot have been satisfied that the Operational Case published with the draft Bill covered all the feasibility issues raised. 

[Bill comments: The government has published a revised Operational Case including additional material seeking to address criticisms made during pre-legislative scrutiny and seeking to justify the extended access purposes included in the Bill in response to the Joint Committee Report.]

That brings in the Danish experience with session logging. “The Government should publish a full assessment of the differences between the ICR proposal and the Danish system alongside the Bill” [20] The ultimately abandoned Danish system was not mentioned in the original Operational Case, but emerged in the course of evidence. The Home Secretary commented on it in her oral evidence on 13 January 2016. The differences that she identified were whereabouts on the network the information would be collected, the existing IP address resolution provisions of the CTSA, the availability of cost recovery and a more targeted approach involving recording individual internet connections or sessions rather than sampling every 500th packet as in the Danish system. A full assessment would no doubt have to develop this explanation.

[Bill comments: The government has published a comparison with the Danish session logging experience. Since then it has been reported that the Danish proposal to reintroduce session logging has been shelved on cost grounds.]

Is this 3rd party data which I see before me?

A related area of confusion is over the extent to which the draft Bill could, contrary to the government’s stated policy, require ISPs to capture and retain 3rd party data travelling across their systems. “We agree with the Government’s intention not to require CSPs to retain third party data. The Bill should be amended to make that clear, either by defining or removing the term ‘relevant communications data’.” [32]. Only in the Home Office written evidence was it acknowledged that some ICR destination data could amount to 3rd party data. The evidence also says that only ICRs that are already generated and processed by a CSP should be subject to retention. Giving effect to that intention would certainly require Clause 71, which contains the power to require data retention, to be amended.

[Bill comments: The draft Communications Data Code of Practice is adamant that the data retention power cannot be used to require retention of third party data:

However clause 78 (as it now is) has not been amended to give effect to this.

Question: Where is this important restriction on use of data retention powers stated on the face of the Bill? If it is not stated, why not?]

Any further evaluation of the feasibility of ICRs would presumably have to consider the effect on the Operational Case of this restriction on availability of non-IP address destination data.

[Bill Comments: The effect of variable data availability on assumptions as to effectiveness is not specifically addressed in the revised ICR Operational Case.]

DRIPA or DRIPA Plus?

Clause 71 of the draft Bill covers the existing data retention requirements of DRIPA and adds ICRs. But it doesn’t stop there. It empowers the Home Secretary to issue notices requiring generation, obtaining and retention of a range of communications data broad enough to cover virtually any communications data capable of being generated on any network up to and including the future internet of things. It also appears to be wide enough to compel operators to obtain information such as identity details from their customers.

The Joint Committee says: “Whether ICRs are included or not, we believe that in the light of the ongoing need for communications data and the imminent expiry of DRIPA, a continued policy of some form of data retention is appropriate and that these provisions should accordingly form part of the Bill.” [24] What does the Committee mean by “these provisions”? Does it mean just the existing DRIPA provisions, with or without the addition of ICRs? Or is it referring to the rest of Clause 71 as well? The uncertainty is increased by the Committee’s comment in para 158 that the data retention provision in the Bill is "not new".  The extension of data retention to include ICRs is clearly new (indeed it is the only power that the government has acknowledged to be new), even without the greatly extended ambit of the rest of Clause 71.

If the Committee means simply that the imminent expiry of DRIPA should be addressed, then Clause 71 could be rewritten in the same terms as DRIPA leaving for debate only the question of whether or not to add ICRs.

[Bill Comment: Clause 78 (as it now is) remains as broad as in the draft Bill.

Question: Given that the only case that has been put forward for extension of data retention beyond DRIPA/CTSA relates to ICRs, why does Clause 78 go further than that?]

Overall the Home Office has a formidable, perhaps an impossible, task to meet the demands of the Joint Committee in respect of ICRs, certainly in the short time that the government has given itself before introducing the Bill itself in March.

You there with your private network, don’t think we’ve forgotten you

The current data retention powers in DRIPA can be applied only to a public service provider.  The draft Bill would extend that to any telecommunications operator, public or private. That could include not only internet cafes and the like (which may in any case already be within DRIPA) but private offices, schools, universities and even home networks.  

The Joint Committee concludes that: “the definition of telecommunications service providers cannot explicitly rule out smaller providers without significantly compromising the data retention proposals as a whole. We acknowledge that the potential burden of data retention notices, particularly for smaller providers, could be acute. This makes the clarification of cost models, as we have recommended above, essential.” However it does not explicitly address whether a case for extension to private networks (as opposed to smaller public networks) has been made out.

[Bill comments: Not only does the Bill replicate the draft Bill's application to private networks, it goes further. It adds equipment interference warrants to the list of powers that can be exercised against private networks.   

Most of the Bill’s powers apply not just to public communications operators (internet providers, ISPs, public WiFi spots and the like) but to all telecommunications operators.  That includes anyone who provides a telecommunications service (not just commercial services) or controls a telecommunication network. A home router or domestic WiFi setup, a network within an office, school or university, or a private network of any sort would all be caught.

This is a significant change from existing legislation, in which very few of the powers apply to non-public services or networks (see table below).  All the examples of proposed use of powers given in the draft Codes of Practice are of networks that provide access to the public or are quasi-public (such as hotels). The Home Office has made no attempt to justify the extension to all private networks.  Nor has there been any explanation of the decision to extend equipment interference powers to private networks following the pre-legislative scrutiny of the draft Bill.

Question: If there is no intention to use the powers against private networks, why are the powers that broad? If it is intended, where is the justification?

[Table (not reproduced here) comparing which powers under existing legislation and under the Bill apply to non-public services or networks. In the original, green highlighting indicates explicit application to non-public services or networks.]
Filter that communications data request

The Joint Committee’s comments on the so-called Request Filter for communications data access: “We welcome the Government’s proposal to build and operate a Request Filter to reduce the amount of potentially intrusive data that is made available to applicants. …” [39]

If this facility only rendered more focused and less intrusive the making of complex searches already conducted manually, then the description ‘filter’ could be appropriate. However, if it rendered possible searches that currently are not feasible to carry out manually because of the volume of data involved, then the facility would look more like a powerful new query tool. The Committee says: “We acknowledge the privacy risks inherent in any system which facilitates access to large amounts of data in this manner…” It believes that the safeguards would be sufficient to prevent the filter being used for fishing expeditions.

Bulk Powers

“We recommend that the Government should publish a fuller justification for each of the bulk powers alongside the Bill.” [56] The Committee appears not to be satisfied that the full case for the bulk powers has been made out, although it is in general content that the proposed safeguards, authorisation regime and oversight "will be sufficient to ensure that the bulk powers are used proportionately." [62].  We can see the emergence of a common theme where bulk powers are concerned: deference to bodies with access to classified material: “We further recommend that the examples of the value of the bulk powers provided should be assessed by an independent body, such as the Intelligence and Security Committee or the Interception of Communications Commissioner.” [56] and “National security considerations mean that we are not well-placed to make a thorough assessment of the value of the bulk powers. The scrutiny and conclusions of the Intelligence and Security Committee on the Bill will be of significant assistance for Parliamentarians considering these powers.”  The ISC, with the benefit of security clearance, took evidence from the three security services (GCHQ, MI5 and SIS) as well as the Home Secretary.

Bulk communications data

The Committee repeats these sentiments specifically for bulk acquisition of communications data: “We agree that bulk communications data has the potential to be very intrusive. As with the other bulk powers, we believe that the fuller justification which we have recommended the Government produces and the conclusions of the Intelligence and Security Committee on the Bill will assist Parliament’s consideration of the necessity and appropriateness of bulk acquisition.” [65]

This appears to be a reference to the new bulk warrant for acquisition of communications data.

Related communications data

Although the Committee mentions the topic of related communications data (RCD) obtained as a by-product of bulk interception, it makes no specific recommendation. That contrasts with the ISC, which devotes a section to RCD. The ISC points out the lack of restrictions on examination of RCD relating to people in the British Islands, both compared with bulk intercepted content and compared with non-bulk communications data acquisition notices.

It comments: “the Agencies may choose to apply the same processes in both circumstances as a matter of policy and good practice, but this is not required by the draft Bill. To leave the safeguards up to the Agencies as a matter of good practice is simply unacceptable: this new legislation is an opportunity to provide clarity and assurance and it fails to do so in this regard.” It goes on to conclude, on the draft Bill’s approach to communications data generally: “The approach towards the examination of Communications Data in the draft Bill is inconsistent and largely incomprehensible. The Committee recommends that the same process for authorising the examination of any Communications Data (including Related Communications Data) is applied, irrespective of how the Agencies have acquired the data in the first instance. This must be clearly set out on the face of the Bill: it is not sufficient to rely on internal policies or Codes of Practice.”

The use of RCD (and, similarly, equipment data under bulk equipment interference warrants) is potentially one of the more significant issues raised by the ISC.  It was the ISC that in March 2015 commented on GCHQ’s use of RCD:


The ISC also commented on communications data generally:

Questions arise as to what can be done with RCD, what has been done with it and what the government intends that the agencies should be able to do with it. A particular issue is the extent to which it may or may not be intended to be possible to build RCD databases including domestic data on the back of overseas-related powers (see paragraphs 115 to 137 of my evidence to the Joint Committee, including reference to the usefulness of the alleged KARMA POLICE events database as a hypothetical touchstone by which to test these provisions of the draft Bill).

The Joint Committee comments: “We recognise that, given the global nature of the internet, the limitation of the bulk powers to “overseas-related” communications may make little difference in practice to the data that could be gathered under these powers. We recommend that the Government should explain the value of including this language in the Bill.” [57] If this were to lead to abandonment of the “overseas-related” restriction that would be a radical departure from wording that, in its current ‘external communications’ form, has limited the purpose for which bulk interception can be performed since S.4 of the Official Secrets Act 1920.

RCD is an area in which some of the most impenetrable provisions of RIPA have been carried over into the draft Bill.  The potentially far-reaching nature of the power to intercept and use RCD becomes apparent only by daisy-chaining a series of collateral powers – effectively by navigating through the back alleys of the statute.

The potential reach of RCD powers is further expanded by the new power in the draft IP Bill to extract communications data from the content of communications and treat it as RCD.

[Bill comments: Related Communications Data is now replaced by new terminology, Secondary Data, reflecting the fact that RCD is wider than Communications Data. There are also other changes to the metadata definitions - see 'All about the metadata'.

Questions:  Would a hypothetical KARMA POLICE database be possible under the Bill? Given the new power to extract secondary data from content, would a hypothetical 'KARMA POLICE PLUS' be possible? Is either of these intended?  If not, should the Bill be amended to prevent that? If yes, is it appropriate for such a universal database of internet browsing profiles (domestic and foreign) to be capable of being built as a by-product of powers whose overall purpose is the interception of overseas-related communications?  Should the purposes for which such a database could be accessed be more limited, at least for persons located in the British Islands?]

More light may be shed on these issues in the future. In the meantime, here is my diagram illustrating the draft Bill’s provisions on communications data. [Replaced with revised diagram reflecting the Bill's terminology and including Bulk Personal Datasets.]