Feeds

Twitter to UK.gov: Web super-snoop law will trample twits' rights

A little bird told me scolds me

The Power of One Infographic

Twitter has said that government plans to increase the UK intelligence services' communications surveillance capabilities could cause it to breach the privacy rights of individuals based elsewhere in the world.

The micro-blogging company said that complying with the requirements set out in the government's draft Communications Data Bill could place the firm in a "legally untenable position".

Twitter's concerns were outlined in written evidence (449-page/3.18MB PDF) submitted to a Parliamentary committee. The Joint Committee, which is made up of both MPs and peers, is currently scrutinising the bill – which the government published in June.

The US social networking company raised concerns with parts of the bill that could require businesses that transmit "communications by any means involving the use of electrical or electro-magnetic energy" to store "traffic data, use data or subscriber data" relevant to communications sent over their networks for up to a year.

Twitter said that it may inadvertently collect information of non-UK users of its service during the process of complying with the requirement. This, it said, could cause it to break privacy, data protection and data retention laws that apply in other jurisdictions, the company said.

"We would be interested to understand what consideration was given to issues of proportionality in the drafting of this provision as well as some cross‐jurisdictional challenges which may arise," Twitter's submission to the Joint Committee said. "For example, it is possible and indeed highly likely that this type of monitoring would result in the collection and retention of data on users who are outside of the United Kingdom. This has the potential to place us in a legally untenable position with respect to privacy, data retention and data protection laws elsewhere in the world."

"Following on from the above, we would welcome some clarity on how the provisions of this bill work in concert with other requirements placed on global companies with respect to user privacy and data retention. These could include EU Data Retention and Data Protection Directives as incorporated into domestic laws in member states, human rights legislation as well as privacy and data retention legal frameworks in the United States, and elsewhere," the company added.

The government published the draft Communications Data Bill after police and intelligence agencies complained that existing laws providing powers of surveillance were insufficient to combat criminals' ever-advancing use of technology. However the proposals have been dubbed a "snoopers' charter" by civil liberty campaigners and have also drawn criticism from the Internet Service Providers Association (ISPA).

Under the bill, the Home Secretary could issue an order forcing any business that transmits "communications by any means involving the use of electrical or electro-magnetic energy" to store communications data in the form of "traffic data, use data or subscriber data" relevant to communications sent over their networks, such as by email or the internet, generally for up to a year. The data does not include the content of those communications.

Business caught by the proposed legislation must disclose information "without undue delay" to law enforcement bodies and other listed public authorities that ask for it. Those bodies can only request the information if it is to be used for a "permitted purpose" and if "designated senior officers" at those bodies believe it is "necessary to obtain the data" and that the action is "proportionate to what is sought to be achieved."

What trumps your right to privacy?

The "permitted purposes" include where it is in the interests of national security, where the purpose is for the prevention or detection of crime, to prevent disorder and where it is in the interests of the economic well-being of the United Kingdom or in the interests of public safety, among others.

"Subscriber data" includes information such as the names and addresses of individual users of communication services. "Use data" relates to how those individuals have utilised those services and may include itemised phone call records or connections to internet services, the duration of calls and the amount of data they have downloaded online. "Traffic data" is information associated to communications, such as the physical location of mobile devices and the destination of received communications that are transmitted.

The bill contains a number of "safeguards", including requirements that collected communications data is deleted after a year in storage.

Twitter said that the bill may not properly balance the "needs of national security and criminal investigation with public transparency about the extent of online surveillance".

It added:

While the provisions in the draft bill authorise the Secretary of State to issue orders to compel communications operators to generate and store data, it envisages that this will be done in consultation with communications operators. However, there does not appear to be a process for disclosure to or input from the public on this issue. Nor does there appear to be any provision for user notification when requests for their personal data have been made by law enforcement.

The company also raised concerns about the detail and transparency of plans that would enable information about Twitter users to be collected from telecoms firms in circumstances where Twitter itself could not provide the data.

If companies like Twitter do not establish ready access to such data or generate data that British authorities believe is necessary, there is authorization in the bill for authorities to compel telecommunications operators to obtain that data. We may not be privy to such orders. We may not know when requests to obtain our user data are being made to other telecommunications operators.

"What is the mechanism for informing overseas companies that its data is being sought or collected? How do we reflect such lack of knowledge in our own Terms of Service with respect to our users, where we typically describe and are held accountable by regulators in the US for the privacy and security features of our service?

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

HP ProLiant Gen8: Integrated lifecycle automation

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
Major problems beset UK ISP filth filters: But it's OK, nobody uses them
It's almost as though pr0n was actually rather popular
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.