Wraps come off UK super-snooper draft plans

Attempt to log everyone who cares foiled by duff website

Legislation relating to communications data will be yanked out of the existing Regulation of Investigatory Powers Act (RIPA) and brought under a new regulatory framework if the Home Office's plans to step up the monitoring of internet traffic pass through Parliament.

Home Secretary Theresa May unveiled her proposals for the UK's rehashed internet super-snoop law today, which immediately led to the Home Office's website collapsing.

At time of writing, the draft 117-page Communications Data Bill was unavailable online.

The Home Office proposed that the bill, which will now be scrutinised by a joint committee of MPs and peers as well as by the Intelligence and Security Committee (ISC), would "replace the dozens of currently available powers with a single piece of legislation".

The ISC said: "We will take evidence and examine the rationale behind the proposals and how rigorous the safeguards are to ensure the privacy of individuals."

On RIPA, the Home Office said in its draft bill:

Law enforcement agencies – the police, the Serious and Organised Crime Agency and Her Majesty’s Revenue and Customs – account for the overwhelming majority of annual requests for access to communications data under the Regulation of Investigatory Powers Act ('RIPA') 2000.

They have access to the full range of communications data. Other authorities with investigative or public protection responsibilities are able to access communications data, but most do not have access to more sensitive forms of communications data, for example data regarding the location of a mobile phone.

Local authorities account for less than 0.5 per cent of total annual RIPA requests for communications data. Following the implementation of the Protection of Freedoms Act, they will only be able to access this data if approved by a magistrate.

Communications technologies and services are changing fast with more communications taking place on the internet using a wider range of services, including voice over internet, online gaming and instant messaging.

Communications data from these technologies is not as accessible as data from older communications systems like ‘fixed line’ telephones. Although some internet data is already stored by communication service providers, other data is neither generated nor obtained because providers have no business need for it.

This means that the police are finding it increasingly hard to use some types of communications data to investigate crime. To address this growing gap, the proposals set out here will require some communications service providers to obtain and store some communications data which they may have no business reason to collect at present.

Nothing in these proposals will authorise the interception of the content of a communication. Nor will it require the collection of all internet data, which would be neither feasible, necessary nor proportionate. We will extend existing safeguards regarding data retention, access and oversight. And we will remove other statutory powers with weaker safeguards under which communications data can currently be accessed by public authorities.

The proposed regime would replace Part 1 Chapter 2 of the RIPA and Part 11 of the Anti-Terrorism Crime and Security Act 2001, a move that would represent a major rejig of current surveillance law.

As The Register reported earlier, ISPs will be expected to retain communications data by logging every website visit, as well as any access made by their customers to email accounts, Facebook and difficult-to-tap tech like peer-to-peer communications such as Skype for a minimum of 12 months.

But the Home Office will foot the bill, which it estimates will cost at least £1.8bn over the course of 10 years.

It added: "Benefits from this investment are estimated to be £5bn – 6.2bn over the same period."

The £1.8bn figure is only marginally less than the one floated by the previous Labour government - prior to it abandoning its own Internet Modernisation Programme (IMP) in light of protests against such an unloved legislative overhaul.

ISPs will be able to appeal to a technical advisory board under dispute procedures if they complain that such requests for data are "unnecessarily onerous".

Secretary General of UK ISP trade group, ISPA, Nicholas Lansman told El Reg:

ISPA has concerns about the new powers to require network operators to capture and retain third party communications data. These concerns include the scope and proportionality, privacy and data protection implications and the technical feasibility.

Under the proposals, the police, the National Crime Agency, spooks and the taxman would be able to "apply for access" to such data, the Home Office said.

It added:

"Hundreds of public bodies – including local authorities – currently have access to communications data, but will not be covered by the new laws unless Parliament agrees their use is vital to tackling crime and protecting the public."

However, only a tiny number of comms data requests originate from local councils - so such a proposed change is likely to have a minimal impact. May confirmed this morning that 500,000 such requests from all British authorities are made each year. Arguably, that figure will balloon under any Communications Data Act.

The Home Secretary, in a canned statement, said:

Communications data saves lives. It is a vital tool for the police to catch criminals and to protect children.

If we stand by as technology changes we will leave police officers fighting crime with one hand tied behind their backs.

Checking communication records, not content, is a crucial part of day-to-day policing and the fingerprinting of the modern age – we are determined to ensure its continued availability in cracking down on crime.

The Information Commissioner's Office (ICO) "will keep under review the security and integrity of the communications data retained," the Home Office said.

The ICO noted such a move would be a burden placed upon its already swamped staff. It said:

If the Information Commissioner is to be in a position to ensure compliance with the Data Protection Act, in respect of security of retained personal information and its destruction after 12 months, the ICO will need appropriately enhanced powers and the necessary additional resources.

Clauses were added to the draft bill and confirmed in the Queen's Speech, following opposition to May's proposals from junior Coalition members, the LibDems. They include measures such as consultation requirements, data security and integrity, destruction of data and other safeguards.

LibDem MP Julian Huppert, who led his party's charge against May's initial plans, welcomed the opportunity to debate the draft bill out in the open, but he remains worried about certain aspects of the proposals.

"My immediate concern is Clause 1. As written, it gives the Secretary of State far too broad a power. It allows data collection exercises that are perfectly reasonable – but would also allow pervasive black boxes that would monitor every online information flow, an idea which is clearly unacceptable.

"This must be tightened up urgently. The accompanying text is much better – but I don’t think we should pass broad laws on a promise from government that they will never abuse them.

"This absolutely must be changed: it is unacceptable as it currently stands."

A copy of the draft bill isn't currently available via the Home Office website, which we're informed suffered some technical difficulties. Readers can get their mitts on it here [PDF]. ®
