28 March 2012
Government leaves the communications industry open to legal challenge if they retain traffic data for the purpose of "national security" and then pass it over for other purposes, for example, for crime, public order or taxation
UK: Government trying to slip through "voluntary" data retention rejected by consultation process
Tony Bunyan, Statewatch editor, comments:
"The government's consultation process showed that nearly everyone, except the law enforcement agencies, is against the plan for the voluntary retention of communications data. Industry and civil society are united in their concern that communications data retained for the purpose of "national security" under the ATCS Act 2001 cannot be legally passed over for other purposes such as crime in general and public order.
Limiting the purpose of data retention to national security was the express will of parliament. Yet the government has confirmed that hundreds of agencies which have nothing to do with national security are going to have access to this data.
This is a classic case of the misuse of power and lawless decision-making."
The government has produced two sets of measures: 1) setting out which state agencies are to get access to communications data and 2) on data retention. The measures relate to two main Acts - the Regulation of Investigatory Powers Act 2000 (RIPA) and the Anti-Terrorism, Crime and Security Act 2001 (ATCS). The data to be retained, and accessed by a host of agencies, is traffic data for phone-calls, faxes, e-mails, mobile phone calls and internet usage.
The initial proposal to use powers under the ATCS 2001 to introduce data retention caused a public outcry both from the industry and civil society. In March 2003 the Home Office issued a consultation paper and the responses are summarised in a Home Office document also released on 11 September 2003.
Despite the recorded opposition (see below) by the industry, civil society and the Information Commissioner, the draft Statutory Instrument - Retention of Communications Data (Code of Practice) Order 2003 - was laid before parliament on 11 September 2003 (like the other four related draft Orders made public at the same time). This means that the draft code of practice entitled "Voluntary Retention of Communications Data" could come into effect after a minimum of 21 days unless sufficient MPs are able to raise the issue on the floor of the House - this is extremely rare as such a move would interrupt the business already planned by the government. The clock is already ticking but due to the parliamentary recess, for the party conference season, there is probably a little time left to raise this issue.
The responses to the consultation on data retention
Earlier this year there was a 12-week consultation process and 57 responses were received by the Home Office. The "Summary" of the responses - which is written by Home Office officials who naturally try to put the government's proposal in the best possible light - struggles to find any support at all for the proposal. On the central issue of whether communications data held for the purpose of "national security" could be used for other purposes, no less than 25 of the 35 responses on this question said that:
"the approach was not appropriate or proportionate"
The "validity of data retention under the code.. provoked comments from 27 respondents"; of these, 22 "believed that the regime would be inappropriate".
Communications service providers (CSPs) were looking for a "clear lawful basis for data retention" and not one which left them having to decide whether it was necessary or proportionate to comply with the code. Asked whether the "industry" would comply with a voluntary code there was little comfort for the government - as it was "voluntary" some CSPs might take part and others not. This would lead to a "voluntary tax" on those participating. Moreover, the costs would be substantial as the retention of data for more than short periods (days or a few weeks) is not built into CSPs' infrastructure - "data processed for business purposes are not retained in a way that is usable by LEAs". Even if the government helps with some of the costs it would "consume engineering resources" which could be used for more profitable purposes - overall it would be "immensely expensive".
Overall 22 of the respondents were "against the concept of retention, whilst 14 favoured such a regime". The law enforcement agencies were in favour but the Information Commissioner would prefer "greater reliance to be placed on data preservation" ("data preservation" refers to retaining data on a specific person/target after a warrant has been issued by the Home Secretary to intercept communications). Nineteen out of 26 responses said that the period for retention was "not reasonable".
On the question of the "disparity between the retention and access regimes", 24 of the 25 respondents who addressed this "considered the matter as a problem that needed to be resolved". One respondent said:
"There is a legal view that while the retention may not in itself be unlawful, there was a significant risk that the collateral use of such retained data beyond investigations relating to national security would infringe an individual's right".
The Home Office's own conclusion from the consultation is that there was a consensus that a voluntary approach was unable to resolve matters such as human rights implications, competitive neutrality, costs and particularly the issue "national security requires" resolution. Not least because the industry wants a "firm lawful basis" to work on. There was a "disparity" between collecting data for purposes of national security and then giving access to data for crime, public order or tax purposes - and, they might have added, to agencies which have nothing whatsoever to do with national security.
The Home Office's Explanatory Memorandum
The Explanatory Memorandum produced with the draft statutory Order simply ignores the results of the consultation and blandly states that the Order is "compatible with" the European Convention on Human Rights. Section 103.1.b. (RIPA 2000) says that the Home Secretary shall "consider any representations made to him about the draft" code during the consultation - in reality the government has simply ignored the consultation process whose results were not to its liking.
The Memorandum states that the code of practice is admissible in court and that its scope is as defined in Section 102.3 (ATCS 2001) namely to safeguard national security and to crimes which "relate directly or indirectly to national security".
The link between the retention of communications data and access to it
There is a direct link between the retention of data - which is only allowed for purposes related to "national security" (under ATCS 2001) - and access to the data held by service providers to state agencies (under Part I Chapter II of RIPA 2000) for the purposes of national security, preventing or detecting crime or preventing disorder, the economic well-being of the UK, public safety, public health, taxes and customs duties.
The limitation of Section 102 of the ATCS 2001 to national security is a direct result of changes forced on the government by parliament and civil society. The government's draft ATCS Bill sought to allow data retention for purposes of "national security" and for "the prevention or detection of crime or the prosecution of offenders." Parliament deliberately limited the scope of data retention to national security and crimes related to it. It is for this reason that service providers and civil society maintain that to give access to the retained data for other purposes is probably unlawful and would leave CSPs open to legal challenge.
Put simply the government is asking service providers to retain communications data for the purpose of "national security" under ATCS Act 2001 and at the same time is authorising access to this data by hundreds of agencies which have nothing whatsoever to do with national security.
Who will get access and for what purpose?
In August 2001 the government issued "Accessing Communications Data Draft Code of Practice". An updated Code of Practice to take into account the changes in the Statutory Order has not yet been produced or laid before parliament.
There was an outcry last year when it was admitted by the government that 1,039 public authorities would have the right to request access to communications and the list was withdrawn. The list, set out in the new Order, shows that only one of the 24 categories of bodies has been dropped (the Department of Work and Pensions which anyway has its own legal legislation). Rural councils have been dropped from the list of local authorities but three new bodies have been added - the Charity Commission, the Serious Fraud Office and the Gaming Board of Great Britain. The government has not released the total number of bodies; instead of being just over 1,000 it is now under 1,000.
What is interesting about the new list are the purposes for which agencies can get access to communications data. These purposes are set out in Section 22.2 of RIPA 2000 and are: (a) national security; (b) crime or preventing disorder; (c) the economic well-being of the UK; (d) public safety; (e) public health; (f) taxes and duties and (g) emergencies, preventing death or injury.
The only agencies on the list whose role directly concerns "national security" are Government Communications Headquarters (GCHQ), the Security Service (MI5) and the Secret Intelligence Service (MI6) who are allowed access under (a), (b) and (c) - which exactly fits their statutory roles. This means that these agencies, in addition to gathering intelligence through formal warrants for interception of telecommunications, can on their own authority request access to communications data.
However to extend "national security" to all police forces, including the British Transport Police, stretches the limits of their role and assumes a very broad-ranging definition of "national security". This same tendency applies to emergency services whom one would have thought would come under (d) and (e) all of whom apparently qualify under (b) crime and disorder. Moreover, the most voluminous list (Part III) including local and district councils plus NHS bodies and agencies all qualify under (b) rather than more obvious categories such as public safety and public health. Overall there has been a clear attempt to ensure that the categories of access are set out on the broadest - some would say extreme - boundaries.
Only those authorised on the grounds of (a) can legitimately request access to data limited to, or related to, national security.
The government proposals seek to allow access under the headings of "national security" and of crime to many agencies which do not naturally fall under these definitions.
"Sunset clause" invoked
Due to the delays and controversy on bringing in these Orders the "sunset clause" which dates from 14 December 2001 and lasts for two years has had to be renewed by the Home Secretary for another two years (Extension of Initial Period Order). This begs the obvious question: In December 2001 the ATCS Act was rushed through parliament on the grounds that the new powers were urgently needed to combat "terrorism" - does this mean that the security, intelligence and police agencies are still waiting for access to communication data to combat "terrorism" or does it mean they already had access?
Does a delay of nearly two years not tell us that data retention is not to cope with terrorism but with crime and social control?
Legitimating existing practices
Perhaps the reason that the Home Secretary is prepared to ride rough-shod over all the objections by much of the industry and civil society and the law is that he is keen to put in place a measure which will legitimate, and make lawful, the long-standing practice of those "longer-established" communications providers who have been retaining data at the request of the law enforcement agencies well prior to 11 September 2001. This is confirmed in a submission by the National Criminal Intelligence Service to the Home Office on 21 August 2000:
"From a commercial perspective, the longer-established CSPs wish to ensure that an obligation to retain communications data for an appropriate period is placed equally on every CSP. Otherwise, some of the newer companies may be tempted to delete valuable data and exploit a competitive edge through reduced overheads. Examples of this are already appearing with certain CSPs proposing to delete data after very short periods. This will rapidly undermine the voluntary agreements achieved so far which now appear to have an increasing fragility." (Source: Recommendation 3.3.3. in the NCIS submission on Communications Data Retention Law to Home Office, 21 August 2000 - NCIS submission - full text)
While the law enforcement agencies may have been accessing communications data lawfully the same cannot be said of the communications providers who have been retaining data for periods longer than is necessary for billing purposes (ie: a few weeks) under "voluntary agreements" for years.
The same NCIS submission cited above says:
"Most Police Forces and HM Customs and Excise retain such data obtained electronically on their own individual databases, in particular subscriber identities and itemised billing"
An on-going practice of the law enforcement agencies (police, customs etc) plus MI5 to themselves retain communications data gathered on their own databases for periods well in excess of the proposed 12 months limit is not covered by any legislation. The submission from the NCIS cited above says that in the 12 months prior to August 2000 the Metropolitan Police Service alone had required access to 63,590 subscriber details and 4,256 billing accounts. This data is said to have been gathered lawfully for intelligence or investigation purposes and is only indicative of the amount of data gathered nationally - in this period there were around 2,500 interception warrants in force for all the law enforcement agencies in England and Wales. The NCIS submission said that: "LEAs need the statutory authority to maintain their own communications data intelligence database" to hold data for up to seven years. Again it can be seen that the law enforcement agencies have been exceeding their lawful powers and are waiting for this practice to be legitimised.
Where are the controls over databases held by the police, security and intelligence agencies?
Summary of conclusions
1. The government has simply ignored the consultation process whose results were not to its liking.
2. The government is asking service providers to retain communications data for the purpose of "national security" under ATCS Act 2001 and at the same time is authorising access to this data by hundreds of agencies which have nothing whatsoever to do with national security.
3. The government proposals seek to allow access under the headings of "national security" and of crime to many agencies which do not naturally fall under these definitions.
4. A number of big communications providers have been retaining data, and giving law enforcement agencies access to it, under quite unlawful "voluntary agreements" for years.
5. Where are the controls over databases held by the police, security and intelligence agencies?
Documentation
1. Consultation paper on: Data retention (ATCS 2002) (pdf)
2. Consultation paper on: Access to communications data (RIPA 2000) (pdf, 1.2 MB)
3. Consultation paper on: Access to communications data (RIPA 2000) (Word, 291k)
4. Summary of responses to consultation paper on data retention: Responses reject data retention (pdf)
5. Summary of responses to consultation paper on access to communications: Responses on access to communications (pdf)
6. Retention of Communications Data (Code of Practice) Order 2003, dated 11 September 2003: Statutory Order (pdf)
7. Explanatory Memorandum - data retention: Memorandum (pdf)
8. Code of Practice on data retention issued in August 2001 which has to be revised: Draft Code of Practice (pdf)
9. Access to Communications Order 2003: Statutory Order (pdf)
10. Explanatory Memorandum - access to communications: Memorandum (pdf)
11. UK: Data retention and access consultation farce: Government to allow access for crime purposes to records which can only be held for “national security”
EU issues updated list of "terrorist organisations and persons" (27.6.03)
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.