Tumbled Logic

May 14 2009

Protecting the Public in a Changing Communications Environment

This is a formal response to the Home Office consultation entitled “Protecting the Public in a Changing Communications Environment”. It may be reproduced in whole or part provided attribution is given.

On the basis of this evidence and subject to current safeguards and oversight arrangements, do you agree that communications data is vital for law enforcement, security and intelligence agencies and emergency services in tackling serious crime, preventing terrorism and protecting the public?

Clearly, communications data is a vital tool in both fighting and solving crime in general, and protecting the national security of any nation—the UK included. This has been the case for many years, if not decades, and will doubtless continue to be the case for the foreseeable future.

However, it is not clear that the safeguards and oversight arrangements which currently exist to ensure the privacy of both individual and commercial lawful communications are sufficient and proportionate given the level of access that central and local Government bodies and their contractors currently have to private communications data.

Is it right for Government to maintain this capability by responding to the new communications environment?

It is right and proper that Government should periodically assess the impact that emerging technologies and trends have upon existing operational frameworks, legislation and guidelines. It is not necessarily the case that any assessment would require changes to be made—legislative or otherwise.

Do you support the Government’s approach to maintaining our capabilities?
Which of the solutions should it adopt?

Fundamentally, any solution requiring service providers to capture and retain communications data solely on the basis of future investigations which may take place is catastrophically flawed. This is amplified if the data retention requirements go well beyond those needed for business operational purposes.

While the Home Secretary has stated that “Doing nothing is not an option”, it is nonetheless presented as a solution in this consultation; however, I do not believe that doing nothing is an adequate solution: while it is closest to the correct solution, additional safeguards are required before the concerns of both the public and industry can be allayed.

A single-store approach has been discounted by the Government itself, and its myriad problems—technical, political and financial—have been widely documented.

The third option—“a middle way”—has broad and undesirable implications. Communications service providers must install and maintain deep-packet inspection (DPI) hardware and software—whose effectiveness has not been proven in this context—and additionally provide secure storage facilities for the collected data. While some ISPs have been variously trialling and operating DPI systems for the purposes of traffic management, successful outcomes have been by no means universal, and such systems have more often than not been a hindrance to consumers in the face of more appropriate solutions. Government policy mandating their use will clearly make it more difficult for consumers to argue against them, although this is one of the least concerning aspects of the proposal.

The Internet is, by nature, open and flexible. As a point of comparison, the Internet is more readily flexible in many respects than radio spectrum as administered in the UK by Ofcom: application-layer protocols exist solely through convention, and modifying many of them (covering a broad range of applications, from virtual-private networks to voice telecommunications) for specialised purposes is a relatively trivial task for any Software Engineering student.

DPI systems rely in no small part on these conventions and potential inaccuracy is mitigated by the fact that any such “false negatives” generally form the minority and so for traffic-management or behavioural-advertising purposes are an acceptable casualty. For example, a DPI system can identify a packet exchange from a well-known instant messaging application, but it wouldn’t be able to identify the packet exchange produced by a modified version of that same application making use of different protocols, perhaps “tunnelling” through completely different protocols.

Thus, repurposing DPI systems in order to protect our national security interests only works if the targets of security operations fall within the majority user-base. By definition, the purpose of a communications interception framework is to help prevent acts committed by those who are on the fringes of society, and while they will make use of commodity technologies, to discount the possibility that they will use anything other than conventional protocols and applications would put the security of our nation at grave risk.
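The coverage problem described in the two paragraphs above can be made concrete with a small measurement. The following is an added illustration, not code from the original response or from any DPI product: a toy classifier that, like the conventional-signature approach the text criticises, recognises an application by the byte prefix a standard client sends first, run over a handful of constructed flows with known ground truth. The protocol names, prefixes and flows are assumptions chosen for the example; the point is the reported false-negative fraction, which is the figure any evaluation of such a system for this purpose would need to put on the table.

```python
# Toy signature-based traffic classifier plus a coverage check. Written as an
# added illustration of the argument above; signatures and flows are
# constructed for this example and are not taken from any real system.

SIGNATURES = {
    # application name -> byte prefix that a conventional client sends first
    "xmpp": b"<stream:stream",
    "http": b"GET / HTTP/1.",
    "sip":  b"INVITE sip:",
}


def classify(payload: bytes) -> str:
    """Return the name of the first signature matching the start of the payload,
    or "unknown" if no conventional prefix is present."""
    for name, sig in SIGNATURES.items():
        if payload.startswith(sig):
            return name
    return "unknown"


# Constructed flows: (label, first payload bytes seen on the wire, ground truth)
FLOWS = [
    ("im-conventional",
     b"<stream:stream to='example.invalid' xmlns='jabber:client'>", "xmpp"),
    ("web-conventional",
     b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n", "http"),
    ("voip-conventional",
     b"INVITE sip:alice@example.invalid SIP/2.0\r\n", "sip"),
    # The same IM application carried inside another protocol: the classifier
    # only ever sees the outer layer, so the ground truth is not recoverable.
    ("im-in-http-post",
     b"POST /chat HTTP/1.1\r\n\r\n<stream:stream to='example.invalid'>", "xmpp"),
    # The same IM application with a non-standard framing prefix.
    ("im-modified-framing",
     b"\x00\x2a<stream:stream to='example.invalid'>", "xmpp"),
]


def coverage(flows=FLOWS):
    """Compare classifier output with ground truth for each flow and report how
    many flows of a known application the signatures fail to identify."""
    results = {}
    false_negatives = 0
    for label, payload, truth in flows:
        guess = classify(payload)
        results[label] = guess
        if guess != truth:
            false_negatives += 1
    return {
        "results": results,
        "false_negatives": false_negatives,
        "missed_fraction": false_negatives / len(flows),
    }


if __name__ == "__main__":
    report = coverage()
    for label, guess in report["results"].items():
        print(f"{label:22} -> {guess}")
    print("false negatives:", report["false_negatives"],
          f"({report['missed_fraction']:.0%} of flows)")
```

On this constructed set the three conventional flows are identified and the two non-conventional carriers of the same application are not, so the classifier reports a 40% miss rate on exactly the traffic the text says a security use would most need to see. For traffic management a miss rate like that is tolerable, because the misses are a minority of bulk traffic; for a targeted investigation it is the whole problem.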

This presents three choices: capture high-level data about all Internet traffic passing through the UK; perform complete packet captures of all Internet traffic passing through the UK; or perform only selective capturing and monitoring of traffic targeted at or originating from specific individuals, based on other collected evidence.

The first option is of little practical aid to the Police or Security Services for either investigative or preventative purposes, and so must be discounted. The second option raises harrowing privacy concerns and is logistically unfeasible. The only remaining option—targeted monitoring as and when it is required—is therefore the preferable course of action.

Targeted monitoring has several key benefits:

  • only those who are under suspicion or are for some reason (innocently or otherwise) communicating with them will have their traffic monitored;
  • the risk of “false positives” falls in line with other aspects of evidence- and intelligence-gathering;
  • there is no reliance on heuristics not designed for this purpose in determining which packets to capture and which to ignore—the solution is protocol- and application-neutral;
  • there is no store of data which must be secured and audited in a commercial environment not necessarily conducive to this;
  • the cost (both to business and the taxpayer) of targeted monitoring is in line with other evidence- and intelligence-gathering mechanisms.

Do you believe that the safeguards outlined are sufficient for communications data in the future?

In the case of “the middle way” or “single store”—no, I do not believe that the presented safeguards are sufficient, and breaches of the privacy of both individuals’ and commercial data will inevitably result.

In the case of “doing nothing”, which would more accurately be described as “maintaining the existing framework”, there is a requirement for ‘tightening up’ the safeguards that are already present.

Therefore, I propose that:—

  • requests for access to communications data may only be made by Police serious crime and terrorism investigation departments, and by the Security Services—the same constraints as applied to the “content” of communications today—and such requests must be authorised by the Home Secretary;

  • the distinction between “communications data” and “content of communications” be discarded in the context of Internet communications as it is technically vague in an environment where protocol layering and tunnelling is commonplace;

  • clear guidance be issued to the electronic communications provider industries (Internet, telephone, etc.) describing a proper request and explaining what must be present in order for it to be acted upon legally, and what action those in receipt of an improper request should take;

  • the emergency services (Police, Fire, Ambulance, Coastguard, Cave and Mountain Rescue) be granted specific exemptions to allow expedited access to certain data with the authorisation of a senior officer; such requests must be audited by the Home Office, and the legislation permitting this must be renewed by Parliament after each 24-month period, wherein the Secretary of State for the Home Department shall provide Parliament with details of the audit conducted for the preceding period;

  • audit powers be granted for all RIPA requests to the Office of the Information Commissioner;

  • the Commissioner shall have the power to perform “spot audits” as required, and to make specific recommendations to the Crown with respect to prosecutions for misuse of RIPA requests;

  • the Commissioner shall be required to perform regular audits of RIPA requests (both those authorised by the Home Secretary, and those, if any, which were not) and report the audit findings to the public and Parliament;

  • if necessary in order to properly audit those requests from the Security Services, an official shall be appointed to the Office of the Information Commissioner who is independent from the Security Services and the Joint Intelligence Committee but who shall have the necessary clearance in order to carry out these duties; a summary of the findings, with specific recommendations if necessary, would then be relayed to the Commissioner;

  • the Commissioner shall be tasked with investigating individuals or companies who disclose communications data without a proper RIPA request and without the express advance authorisation of the individuals concerned; with respect to this, the Commissioner shall be granted the resources necessary to properly carry out these duties;

  • in the absence of specific legislation to the contrary, the advice of the Information Commissioner with respect to the disclosure of communications data without a RIPA request shall supersede any advice given by the Home Office to individuals or corporations.


blog comments powered by Disqus
Page 1 of 1