Privacy watchdog bashes UK.gov net snoop plan

'Case yet to be made'

Whitehall plans to order ISPs and mobile operators to gather massive quantities of data on every customer's internet use are vague, misleading, risky and possibly unnecessary, according to the Information Commissioner.

In forthright comments on the Interception Modernisation Programme (IMP), Christopher Graham said the Home Office's proposals represented "a step change in the relationship between the citizen and the state".

"Prior to this, police and intelligence services would have access to information which was already collected and held... for the first time this proposal is asking [communication service providers] to collect and create information they would not have previously held."

The independent data protection watchdog said he was not convinced that IMP - which aims to insert deep packet inspection probes in access networks to harvest details of who contacts whom, when, where and how online - is even needed.

"The Information Commissioner believes that the case has yet to be made for the collection and processing of additional communications data for the population as a whole being relevant and not excessive," his submission to a Home Office consultation said.

Since news of IMP broke, the Home Office, law enforcement and intelligence agencies have repeatedly stated it will merely "maintain capability" to access communications histories when investigating serious crime and terrorism.

Apparently reflecting comments made by academics and other observers, Graham, who took over from Richard Thomas at the end of June, disputed that line. "It is important to note that while the consultation presents this as maintaining a capability, this will in effect involve the collection and processing of a significant amount of additional information not previously available to [communications service providers] and police and intelligence services," he said.

Graham also agreed with observers such as the London School of Economics' Professor Peter Sommer, who has argued the current distinction in law between communications data (who contacts whom, etc) and content (what they say) is meaningless when applied to the internet via deep packet inspection. The government has sought to maintain the distinction, with former Home Secretary Jacqui Smith emphasising that no content would be intercepted without a warrant under RIPA.

Graham however said: "All communications over the internet involve packets of data, with the traffic data at the beginning and end of the data packet. But if an individual is using a third party communications provider [eg Facebook]... then the traffic data will only show the recipient as being the third party provider."

The Information Commissioner was responding to the Home Office consultation "Protecting the Public in a Changing Communications Environment", which closed as Parliament rose for summer recess last week.

IMP will monitor website visits, instant messenger and social networking contacts, along with email and VoIP use. Once probes are deployed, sources say they will be remotely configured by technicians at GCHQ in Cheltenham, to keep up with new applications and changes in how communications data is transmitted by existing internet services.

In its consultation document, the Home Office said it then wants ISPs and mobile operators to store and process the resulting terabytes of data, linking usage to individual customers.

The government's plan to have private companies do much of the work of IMP - at a cost of £2bn over ten years - also raised worries at the Information Commissioner's Office.

Graham said the system must have "strict and specific" legislation to prevent providers spying on their customers for commercial purposes, and to guard against "well-meaning but misguided function creep".

Referencing the Information Commissioner's Office's role in the controversy over BT and Phorm's secret tests of interception technology in 2006 and 2007, he echoed the European Commission's concerns over the UK's implementation of privacy laws in relation to interception.

"Effectively... where the private sector, either through their own provision of services or through being placed under a legal obligation, are intercepting communications of services' users, there are gaps in the regulatory regime.

"Arguably there is a need for an empowered regulator, who can provide advice and guidance and ultimately impose civil sanctions against private sector players."

Graham concluded that gaps in the current interception regulatory regime would mean IMP would carry "an inbuilt risk of non-compliance" and not only privacy risks but also commercial risks. Documents seen by The Register show ISPs have serious doubts about the proposed system.

The Home Office's preferred option - presented in its consultation as the only option between the two extremes of doing nothing and building a massive state-run central warehouse of internet communications data - would see ISPs and mobile operators store data on all customers. The Information Commissioner's Office doubted whether this was the only option.

It suggested collection of extra communications data on a targeted basis, acting on suspicion or intelligence gathered through other means.

"Has the Government considered bringing forward legislation that would allow specified public authorities to request that this further communications data be collected only in relation to specified individuals, and possibly their associates, who have come to the attention of those authorities by other means?" it asked.

"Or have they considered only collecting communications data from the media where there is greatest risk?

"Another option could be that specific phone numbers or circumstances could be targeted. These and other alternatives would be less intrusive than obliging all [communications service providers] to collect this further communications data on all subscribers and more justifiable as it would be targeted and collect a narrower range of information about fewer individuals."

The Home Office made no mention of such a targeted approach in its consultation.

Civil servants are now digesting the Information Commissioner's document and other responses to their plans for IMP. The next announcement is expected when Parliament returns in Autumn.

The Home Office consultation is here and the Information Commissioner's response is here. ®
