Twitter to UK.gov: Web super-snoop law will trample twits' rights
A little bird
told me scolds me
Twitter has said that government plans to increase the UK intelligence services' communications surveillance capabilities could cause it to breach the privacy rights of individuals based elsewhere in the world.
The micro-blogging company said that complying with the requirements set out in the government's draft Communications Data Bill could place the firm in a "legally untenable position".
Twitter's concerns were outlined in written evidence (449-page/3.18MB PDF) submitted to a Parliamentary committee. The Joint Committee, which is made up of both MPs and peers, is currently scrutinising the bill – which the government published in June.
The US social networking company raised concerns with parts of the bill that could require businesses that transmit "communications by any means involving the use of electrical or electro-magnetic energy" to store "traffic data, use data or subscriber data" relevant to communications sent over their networks for up to a year.
Twitter said that it may inadvertently collect information of non-UK users of its service during the process of complying with the requirement. This, it said, could cause it to break privacy, data protection and data retention laws that apply in other jurisdictions, the company said.
"We would be interested to understand what consideration was given to issues of proportionality in the drafting of this provision as well as some cross‐jurisdictional challenges which may arise," Twitter's submission to the Joint Committee said. "For example, it is possible and indeed highly likely that this type of monitoring would result in the collection and retention of data on users who are outside of the United Kingdom. This has the potential to place us in a legally untenable position with respect to privacy, data retention and data protection laws elsewhere in the world."
"Following on from the above, we would welcome some clarity on how the provisions of this bill work in concert with other requirements placed on global companies with respect to user privacy and data retention. These could include EU Data Retention and Data Protection Directives as incorporated into domestic laws in member states, human rights legislation as well as privacy and data retention legal frameworks in the United States, and elsewhere," the company added.
The government published the draft Communications Data Bill after police and intelligence agencies complained that existing laws providing powers of surveillance were insufficient to combat criminals' ever-advancing use of technology. However the proposals have been dubbed a "snoopers' charter" by civil liberty campaigners and have also drawn criticism from the Internet Service Providers Association (ISPA).
Under the bill, the Home Secretary could issue an order forcing any business that transmits "communications by any means involving the use of electrical or electro-magnetic energy" to store communications data in the form of "traffic data, use data or subscriber data" relevant to communications sent over their networks, such as by email or the internet, generally for up to a year. The data does not include the content of those communications.
Business caught by the proposed legislation must disclose information "without undue delay" to law enforcement bodies and other listed public authorities that ask for it. Those bodies can only request the information if it is to be used for a "permitted purpose" and if "designated senior officers" at those bodies believe it is "necessary to obtain the data" and that the action is "proportionate to what is sought to be achieved."
What trumps your right to privacy?
The "permitted purposes" include where it is in the interests of national security, where the purpose is for the prevention or detection of crime, to prevent disorder and where it is in the interests of the economic well-being of the United Kingdom or in the interests of public safety, among others.
"Subscriber data" includes information such as the names and addresses of individual users of communication services. "Use data" relates to how those individuals have utilised those services and may include itemised phone call records or connections to internet services, the duration of calls and the amount of data they have downloaded online. "Traffic data" is information associated to communications, such as the physical location of mobile devices and the destination of received communications that are transmitted.
The bill contains a number of "safeguards", including requirements that collected communications data is deleted after a year in storage.
Twitter said that the bill may not properly balance the "needs of national security and criminal investigation with public transparency about the extent of online surveillance".
While the provisions in the draft bill authorise the Secretary of State to issue orders to compel communications operators to generate and store data, it envisages that this will be done in consultation with communications operators. However, there does not appear to be a process for disclosure to or input from the public on this issue. Nor does there appear to be any provision for user notification when requests for their personal data have been made by law enforcement.
The company also raised concerns about the detail and transparency of plans that would enable information about Twitter users to be collected from telecoms firms in circumstances where Twitter itself could not provide the data.
If companies like Twitter do not establish ready access to such data or generate data that British authorities believe is necessary, there is authorization in the bill for authorities to compel telecommunications operators to obtain that data. We may not be privy to such orders. We may not know when requests to obtain our user data are being made to other telecommunications operators.
"What is the mechanism for informing overseas companies that its data is being sought or collected? How do we reflect such lack of knowledge in our own Terms of Service with respect to our users, where we typically describe and are held accountable by regulators in the US for the privacy and security features of our service?
Copyright © 2012, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.
Sponsored: Network DDoS protection