Privacy watchdog bashes UK.gov net snoop plan
'Case yet to be made'
Whitehall plans to order ISPs and mobile operators to gather massive quantities of data on every customer's internet use are vague, misleading, risky and possibly unnecessary, according to the Information Commissioner.
In forthright comments on the Interception Modernisation Programme (IMP), Christopher Graham said the Home Office's proposals represented "a step change in the relationship between the citizen and the state".
"Prior to this, police and intelligence services would have access to information which was already collected and held... for the first time this proposal is asking [communication service providers] to collect and create information they would not have previously held."
The independent data protection watchdog said he was not convinced that IMP - which aims to insert deep packet inspection probes in access networks to harvest details of who contacts whom, when, where and how online - is even needed.
"The Information Commissioner believes that the case has yet to be made for the collection and processing of additional communications data for the population as a whole being relevant and not excessive," his submission to a Home Office consultation said.
Since news of IMP broke, the Home Office, law enforcement and intelligence agencies have repeatedly stated it will merely "maintain capability" to access communications histories when investigating serious crime and terrorism.
Apparently reflecting comments made by academics and other observers, Graham, who took over from Richard Thomas at the end of June, disputed that line. "It is important to note that while the consultation presents this as maintaining a capability, this will in effect involve the collection and processing of a significant amount of additional information not previously available to [communications service providers] and police and intelligence services," he said.
Graham also agreed with observers such as the London School of Economics' Professor Peter Sommer, who has argued the current distinction in law between communications data (who contacts whom, etc) and content (what they say) is meaningless when applied to the internet via deep packet inspection. The government has sought to maintain the distinction, with former Home Secretary Jacqui Smith emphasising that no content would be intercepted without a warrant under RIPA.
Graham however said: "All communications over the internet involve packets of data, with the traffic data at the beginning and end of the data packet. But if an individual is using a third party communications provider [eg Facebook]... then the traffic data will only show the recipient as being the third party provider."
The Information Commissioner was responding to the Home Office consultation "Protecting the Public in a Changing Communications Environment", which closed as Parliament rose for summer recess last week.
IMP will monitor website visits, instant messenger and social networking contacts, along with email and VoIP use. Once probes are deployed, sources say they will be remotely configured by technicians at GCHQ in Cheltenham, to keep up with new applications and changes in how communications data is transmitted by existing internet services.
In its consultation document, the Home Office said it then wants ISPs and mobile operators to store and process the resulting terabytes of data, linking usage to individual customers.
The government's plan to have private companies do much of the work of IMP - at a cost of £2bn over ten years - also raised worries at the Information Commissioner's Office.
Graham said the system must have "strict and specific" legislation to prevent providers spying on their customers for commercial purposes, and to guard against "well-meaning but misguided function creep".
Referencing the Information Commissioner's Office's role in the controversy over BT and Phorm's secret tests of interception technology in 2006 and 2007, he echoed the European Commission's concerns over the UK's implementation of privacy laws in relation to interception.
"Effectively... where the private sector, either through their own provision of services or through being placed under a legal obligation, are intercepting communications of services' users, there are gaps in the regulatory regime.
"Arguably there is a need for an empowered regulator, who can provide advice and guidance and ultimately impose civil sanctions against private sector players."
Graham concluded that gaps in the current interception regulatory regime would mean IMP would carry "an inbuilt risk of non-compliance" and not only privacy risks but also commercial risks. Documents seen by The Register show ISPs have serious doubts about the proposed system.
The Home Office's preferred option - presented in its consultation as the only option between the two extremes of doing nothing and building a massive state-run central warehouse of internet communications data - would see ISPs and mobile operators store data on all customers. The Information Commisioner's Office doubted whether this was the only option.
It suggested collection of extra communications data on a targeted basis, acting on suspicion or intelligence gathered through other means.
"Has the Government considered bringing forward legislation that would allow specified public authorities to request that this further communications data be collected only in relation to specified individuals, and possibly their associates, who have come to the attention of those authorities by other means?" it asked.
"Or have they considered only collecting communications data from the media where there is greatest risk?
"Another option could be that specific phone numbers or circumstances could be targeted. These and other alternatives would be less intrusive than obliging all [communciations service providers] to collect this further communications data on all subscribers and more justifiable as it would be targeted and collect a narrower range of information about fewer individuals."
The Home Office made no mention of such a targeted approach in its consultation.
Civil servants are now digesting the Information Commissioner's document and other responses to their plans for IMP. The next announcement is expected when Parliament returns in Autumn.
Sponsored: The Nuts and Bolts of Ransomware in 2016