Twitter to UK.gov: Web super-snoop law will trample twits' rights

A little bird told me scolds me

Twitter has said that government plans to increase the UK intelligence services' communications surveillance capabilities could cause it to breach the privacy rights of individuals based elsewhere in the world.

The micro-blogging company said that complying with the requirements set out in the government's draft Communications Data Bill could place the firm in a "legally untenable position".

Twitter's concerns were outlined in written evidence (449-page/3.18MB PDF) submitted to a Parliamentary committee. The Joint Committee, which is made up of both MPs and peers, is currently scrutinising the bill – which the government published in June.

The US social networking company raised concerns with parts of the bill that could require businesses that transmit "communications by any means involving the use of electrical or electro-magnetic energy" to store "traffic data, use data or subscriber data" relevant to communications sent over their networks for up to a year.

Twitter said that it may inadvertently collect information about non-UK users of its service while complying with the requirement. This, it said, could cause it to break privacy, data protection and data retention laws that apply in other jurisdictions.

"We would be interested to understand what consideration was given to issues of proportionality in the drafting of this provision as well as some cross‐jurisdictional challenges which may arise," Twitter's submission to the Joint Committee said. "For example, it is possible and indeed highly likely that this type of monitoring would result in the collection and retention of data on users who are outside of the United Kingdom. This has the potential to place us in a legally untenable position with respect to privacy, data retention and data protection laws elsewhere in the world."

"Following on from the above, we would welcome some clarity on how the provisions of this bill work in concert with other requirements placed on global companies with respect to user privacy and data retention. These could include EU Data Retention and Data Protection Directives as incorporated into domestic laws in member states, human rights legislation as well as privacy and data retention legal frameworks in the United States, and elsewhere," the company added.

The government published the draft Communications Data Bill after police and intelligence agencies complained that existing laws providing powers of surveillance were insufficient to combat criminals' ever-advancing use of technology. However, the proposals have been dubbed a "snoopers' charter" by civil liberty campaigners and have also drawn criticism from the Internet Service Providers Association (ISPA).

Under the bill, the Home Secretary could issue an order forcing any business that transmits "communications by any means involving the use of electrical or electro-magnetic energy" to store communications data in the form of "traffic data, use data or subscriber data" relevant to communications sent over their networks, such as by email or the internet, generally for up to a year. The data does not include the content of those communications.

Businesses caught by the proposed legislation must disclose information "without undue delay" to law enforcement bodies and other listed public authorities that ask for it. Those bodies can only request the information if it is to be used for a "permitted purpose" and if "designated senior officers" at those bodies believe it is "necessary to obtain the data" and that the action is "proportionate to what is sought to be achieved."

What trumps your right to privacy?

The "permitted purposes" include where it is in the interests of national security, where the purpose is for the prevention or detection of crime, to prevent disorder and where it is in the interests of the economic well-being of the United Kingdom or in the interests of public safety, among others.

"Subscriber data" includes information such as the names and addresses of individual users of communication services. "Use data" relates to how those individuals have utilised those services and may include itemised phone call records or connections to internet services, the duration of calls and the amount of data they have downloaded online. "Traffic data" is information associated with communications, such as the physical location of mobile devices and the destination of received communications that are transmitted.

The bill contains a number of "safeguards", including requirements that collected communications data is deleted after a year in storage.

Twitter said that the bill may not properly balance the "needs of national security and criminal investigation with public transparency about the extent of online surveillance".

It added:

"While the provisions in the draft bill authorise the Secretary of State to issue orders to compel communications operators to generate and store data, it envisages that this will be done in consultation with communications operators. However, there does not appear to be a process for disclosure to or input from the public on this issue. Nor does there appear to be any provision for user notification when requests for their personal data have been made by law enforcement."

The company also raised concerns about the detail and transparency of plans that would enable information about Twitter users to be collected from telecoms firms in circumstances where Twitter itself could not provide the data.

"If companies like Twitter do not establish ready access to such data or generate data that British authorities believe is necessary, there is authorization in the bill for authorities to compel telecommunications operators to obtain that data. We may not be privy to such orders. We may not know when requests to obtain our user data are being made to other telecommunications operators.

"What is the mechanism for informing overseas companies that its data is being sought or collected? How do we reflect such lack of knowledge in our own Terms of Service with respect to our users, where we typically describe and are held accountable by regulators in the US for the privacy and security features of our service?"

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
