Privacy watchdog bashes UK.gov net snoop plan

'Case yet to be made'

Security for virtualized datacentres

Whitehall plans to order ISPs and mobile operators to gather massive quantities of data on every customer's internet use are vague, misleading, risky and possibly unnecessary, according to the Information Commissioner.

In forthright comments on the Interception Modernisation Programme (IMP), Christopher Graham said the Home Office's proposals represented "a step change in the relationship between the citizen and the state".

"Prior to this, police and intelligence services would have access to information which was already collected and held... for the first time this proposal is asking [communication service providers] to collect and create information they would not have previously held."

The independent data protection watchdog said he was not convinced that IMP - which aims to insert deep packet inspection probes in access networks to harvest details of who contacts whom, when, where and how online - is even needed.

"The Information Commissioner believes that the case has yet to be made for the collection and processing of additional communications data for the population as a whole being relevant and not excessive," his submission to a Home Office consultation said.

Since news of IMP broke, the Home Office, law enforcement and intelligence agencies have repeatedly stated it will merely "maintain capability" to access communications histories when investigating serious crime and terrorism.

Apparently reflecting comments made by academics and other observers, Graham, who took over from Richard Thomas at the end of June, disputed that line. "It is important to note that while the consultation presents this as maintaining a capability, this will in effect involve the collection and processing of a significant amount of additional information not previously available to [communications service providers] and police and intelligence services," he said.

Graham also agreed with observers such as the London School of Economics' Professor Peter Sommer, who has argued the current distinction in law between communications data (who contacts whom, etc) and content (what they say) is meaningless when applied to the internet via deep packet inspection. The government has sought to maintain the distinction, with former Home Secretary Jacqui Smith emphasising that no content would be intercepted without a warrant under RIPA.

Graham however said: "All communications over the internet involve packets of data, with the traffic data at the beginning and end of the data packet. But if an individual is using a third party communications provider [eg Facebook]... then the traffic data will only show the recipient as being the third party provider."

The Information Commissioner was responding to the Home Office consultation "Protecting the Public in a Changing Communications Environment", which closed as Parliament rose for summer recess last week.

IMP will monitor website visits, instant messenger and social networking contacts, along with email and VoIP use. Once probes are deployed, sources say they will be remotely configured by technicians at GCHQ in Cheltenham, to keep up with new applications and changes in how communications data is transmitted by existing internet services.

In its consultation document, the Home Office said it then wants ISPs and mobile operators to store and process the resulting terabytes of data, linking usage to individual customers.

The government's plan to have private companies do much of the work of IMP - at a cost of £2bn over ten years - also raised worries at the Information Commissioner's Office.

Graham said the system must have "strict and specific" legislation to prevent providers spying on their customers for commercial purposes, and to guard against "well-meaning but misguided function creep".

Referencing the Information Commissioner's Office's role in the controversy over BT and Phorm's secret tests of interception technology in 2006 and 2007, he echoed the European Commission's concerns over the UK's implementation of privacy laws in relation to interception.

"Effectively... where the private sector, either through their own provision of services or through being placed under a legal obligation, are intercepting communications of services' users, there are gaps in the regulatory regime.

"Arguably there is a need for an empowered regulator, who can provide advice and guidance and ultimately impose civil sanctions against private sector players."

Graham concluded that gaps in the current interception regulatory regime would mean IMP would carry "an inbuilt risk of non-compliance" and not only privacy risks but also commercial risks. Documents seen by The Register show ISPs have serious doubts about the proposed system.

The Home Office's preferred option - presented in its consultation as the only option between the two extremes of doing nothing and building a massive state-run central warehouse of internet communications data - would see ISPs and mobile operators store data on all customers. The Information Commisioner's Office doubted whether this was the only option.

It suggested collection of extra communications data on a targeted basis, acting on suspicion or intelligence gathered through other means.

"Has the Government considered bringing forward legislation that would allow specified public authorities to request that this further communications data be collected only in relation to specified individuals, and possibly their associates, who have come to the attention of those authorities by other means?" it asked.

"Or have they considered only collecting communications data from the media where there is greatest risk?

"Another option could be that specific phone numbers or circumstances could be targeted. These and other alternatives would be less intrusive than obliging all [communciations service providers] to collect this further communications data on all subscribers and more justifiable as it would be targeted and collect a narrower range of information about fewer individuals."

The Home Office made no mention of such a targeted approach in its consultation.

Civil servants are now digesting the Information Commissioner's document and other responses to their plans for IMP. The next announcement is expected when Parliament returns in Autumn.

The Home Office consultation is here and the Information Commissioner's response is here. ®

Security for virtualized datacentres

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Why Oracle CEO Larry Ellison had to go ... Except he hasn't
Silicon Valley's veteran seadog in piratical Putin impression
Big Content Australia just blew a big hole in its credibility
AHEDA's research on average content prices did not expose methodology, so appears less than rigourous
prev story


Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.