
Twitter to UK.gov: Web super-snoop law will trample twits' rights

A little bird told me scolds me

Twitter has said that government plans to increase the UK intelligence services' communications surveillance capabilities could cause it to breach the privacy rights of individuals based elsewhere in the world.

The micro-blogging company said that complying with the requirements set out in the government's draft Communications Data Bill could place the firm in a "legally untenable position".

Twitter's concerns were outlined in written evidence (449-page/3.18MB PDF) submitted to a Parliamentary committee. The Joint Committee, which is made up of both MPs and peers, is currently scrutinising the bill – which the government published in June.

The US social networking company raised concerns with parts of the bill that could require businesses that transmit "communications by any means involving the use of electrical or electro-magnetic energy" to store "traffic data, use data or subscriber data" relevant to communications sent over their networks for up to a year.

Twitter said that it may inadvertently collect information about non-UK users of its service while complying with the requirement. This, it said, could cause it to break privacy, data protection and data retention laws that apply in other jurisdictions.

"We would be interested to understand what consideration was given to issues of proportionality in the drafting of this provision as well as some cross‐jurisdictional challenges which may arise," Twitter's submission to the Joint Committee said. "For example, it is possible and indeed highly likely that this type of monitoring would result in the collection and retention of data on users who are outside of the United Kingdom. This has the potential to place us in a legally untenable position with respect to privacy, data retention and data protection laws elsewhere in the world."

"Following on from the above, we would welcome some clarity on how the provisions of this bill work in concert with other requirements placed on global companies with respect to user privacy and data retention. These could include EU Data Retention and Data Protection Directives as incorporated into domestic laws in member states, human rights legislation as well as privacy and data retention legal frameworks in the United States, and elsewhere," the company added.

The government published the draft Communications Data Bill after police and intelligence agencies complained that existing laws providing powers of surveillance were insufficient to combat criminals' ever-advancing use of technology. However, the proposals have been dubbed a "snoopers' charter" by civil liberty campaigners and have also drawn criticism from the Internet Service Providers Association (ISPA).

Under the bill, the Home Secretary could issue an order forcing any business that transmits "communications by any means involving the use of electrical or electro-magnetic energy" to store communications data in the form of "traffic data, use data or subscriber data" relevant to communications sent over their networks, such as by email or the internet, generally for up to a year. The data does not include the content of those communications.

Businesses caught by the proposed legislation must disclose information "without undue delay" to law enforcement bodies and other listed public authorities that ask for it. Those bodies can only request the information if it is to be used for a "permitted purpose" and if "designated senior officers" at those bodies believe it is "necessary to obtain the data" and that the action is "proportionate to what is sought to be achieved."

What trumps your right to privacy?

The "permitted purposes" include where it is in the interests of national security, where the purpose is for the prevention or detection of crime, to prevent disorder and where it is in the interests of the economic well-being of the United Kingdom or in the interests of public safety, among others.

"Subscriber data" includes information such as the names and addresses of individual users of communication services. "Use data" relates to how those individuals have utilised those services and may include itemised phone call records or connections to internet services, the duration of calls and the amount of data they have downloaded online. "Traffic data" is information associated with communications, such as the physical location of mobile devices and the destination of received communications that are transmitted.

The bill contains a number of "safeguards", including requirements that collected communications data is deleted after a year in storage.

Twitter said that the bill may not properly balance the "needs of national security and criminal investigation with public transparency about the extent of online surveillance".

It added:

"While the provisions in the draft bill authorise the Secretary of State to issue orders to compel communications operators to generate and store data, it envisages that this will be done in consultation with communications operators. However, there does not appear to be a process for disclosure to or input from the public on this issue. Nor does there appear to be any provision for user notification when requests for their personal data have been made by law enforcement."

The company also raised concerns about the detail and transparency of plans that would enable information about Twitter users to be collected from telecoms firms in circumstances where Twitter itself could not provide the data.

"If companies like Twitter do not establish ready access to such data or generate data that British authorities believe is necessary, there is authorization in the bill for authorities to compel telecommunications operators to obtain that data. We may not be privy to such orders. We may not know when requests to obtain our user data are being made to other telecommunications operators."

"What is the mechanism for informing overseas companies that its data is being sought or collected? How do we reflect such lack of knowledge in our own Terms of Service with respect to our users, where we typically describe and are held accountable by regulators in the US for the privacy and security features of our service?"

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
