Privacy watchdog bashes UK.gov net snoop plan

'Case yet to be made'

The Power of One Infographic

Whitehall plans to order ISPs and mobile operators to gather massive quantities of data on every customer's internet use are vague, misleading, risky and possibly unnecessary, according to the Information Commissioner.

In forthright comments on the Interception Modernisation Programme (IMP), Christopher Graham said the Home Office's proposals represented "a step change in the relationship between the citizen and the state".

"Prior to this, police and intelligence services would have access to information which was already collected and held... for the first time this proposal is asking [communication service providers] to collect and create information they would not have previously held."

The independent data protection watchdog said he was not convinced that IMP - which aims to insert deep packet inspection probes in access networks to harvest details of who contacts whom, when, where and how online - is even needed.

"The Information Commissioner believes that the case has yet to be made for the collection and processing of additional communications data for the population as a whole being relevant and not excessive," his submission to a Home Office consultation said.

Since news of IMP broke, the Home Office, law enforcement and intelligence agencies have repeatedly stated it will merely "maintain capability" to access communications histories when investigating serious crime and terrorism.

Apparently reflecting comments made by academics and other observers, Graham, who took over from Richard Thomas at the end of June, disputed that line. "It is important to note that while the consultation presents this as maintaining a capability, this will in effect involve the collection and processing of a significant amount of additional information not previously available to [communications service providers] and police and intelligence services," he said.

Graham also agreed with observers such as the London School of Economics' Professor Peter Sommer, who has argued the current distinction in law between communications data (who contacts whom, etc) and content (what they say) is meaningless when applied to the internet via deep packet inspection. The government has sought to maintain the distinction, with former Home Secretary Jacqui Smith emphasising that no content would be intercepted without a warrant under RIPA.

Graham however said: "All communications over the internet involve packets of data, with the traffic data at the beginning and end of the data packet. But if an individual is using a third party communications provider [eg Facebook]... then the traffic data will only show the recipient as being the third party provider."

The Information Commissioner was responding to the Home Office consultation "Protecting the Public in a Changing Communications Environment", which closed as Parliament rose for summer recess last week.

IMP will monitor website visits, instant messenger and social networking contacts, along with email and VoIP use. Once probes are deployed, sources say they will be remotely configured by technicians at GCHQ in Cheltenham, to keep up with new applications and changes in how communications data is transmitted by existing internet services.

In its consultation document, the Home Office said it then wants ISPs and mobile operators to store and process the resulting terabytes of data, linking usage to individual customers.

The government's plan to have private companies do much of the work of IMP - at a cost of £2bn over ten years - also raised worries at the Information Commissioner's Office.

Graham said the system must have "strict and specific" legislation to prevent providers spying on their customers for commercial purposes, and to guard against "well-meaning but misguided function creep".

Referencing the Information Commissioner's Office's role in the controversy over BT and Phorm's secret tests of interception technology in 2006 and 2007, he echoed the European Commission's concerns over the UK's implementation of privacy laws in relation to interception.

"Effectively... where the private sector, either through their own provision of services or through being placed under a legal obligation, are intercepting communications of services' users, there are gaps in the regulatory regime.

"Arguably there is a need for an empowered regulator, who can provide advice and guidance and ultimately impose civil sanctions against private sector players."

Graham concluded that gaps in the current interception regulatory regime would mean IMP would carry "an inbuilt risk of non-compliance" and not only privacy risks but also commercial risks. Documents seen by The Register show ISPs have serious doubts about the proposed system.

The Home Office's preferred option - presented in its consultation as the only option between the two extremes of doing nothing and building a massive state-run central warehouse of internet communications data - would see ISPs and mobile operators store data on all customers. The Information Commisioner's Office doubted whether this was the only option.

It suggested collection of extra communications data on a targeted basis, acting on suspicion or intelligence gathered through other means.

"Has the Government considered bringing forward legislation that would allow specified public authorities to request that this further communications data be collected only in relation to specified individuals, and possibly their associates, who have come to the attention of those authorities by other means?" it asked.

"Or have they considered only collecting communications data from the media where there is greatest risk?

"Another option could be that specific phone numbers or circumstances could be targeted. These and other alternatives would be less intrusive than obliging all [communciations service providers] to collect this further communications data on all subscribers and more justifiable as it would be targeted and collect a narrower range of information about fewer individuals."

The Home Office made no mention of such a targeted approach in its consultation.

Civil servants are now digesting the Information Commissioner's document and other responses to their plans for IMP. The next announcement is expected when Parliament returns in Autumn.

The Home Office consultation is here and the Information Commissioner's response is here. ®

Maximizing your infrastructure through virtualization

More from The Register

next story
Sit back down, Julian Assange™, you're not going anywhere just yet
Swedish court refuses to withdraw arrest warrant
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
Delaware pair nabbed for getting saucy atop Mexican eatery
Burrito meets soft taco in alleged rooftop romp outrage
British cops cuff 660 suspected paedophiles
Arrests people allegedly accessing child abuse images online
LightSquared backer sues FCC over spectrum shindy
Why, we might as well have been buying AIR
prev story


Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.