Twitter to UK.gov: Web super-snoop law will trample twits' rights

A little bird told me scolds me

Twitter has said that government plans to increase the UK intelligence services' communications surveillance capabilities could cause it to breach the privacy rights of individuals based elsewhere in the world.

The micro-blogging company said that complying with the requirements set out in the government's draft Communications Data Bill could place the firm in a "legally untenable position".

Twitter's concerns were outlined in written evidence (449-page/3.18MB PDF) submitted to a Parliamentary committee. The Joint Committee, which is made up of both MPs and peers, is currently scrutinising the bill – which the government published in June.

The US social networking company raised concerns with parts of the bill that could require businesses that transmit "communications by any means involving the use of electrical or electro-magnetic energy" to store "traffic data, use data or subscriber data" relevant to communications sent over their networks for up to a year.

Twitter said that it may inadvertently collect information about non-UK users of its service while complying with the requirement. This, it said, could cause it to break privacy, data protection and data retention laws that apply in other jurisdictions.

"We would be interested to understand what consideration was given to issues of proportionality in the drafting of this provision as well as some cross‐jurisdictional challenges which may arise," Twitter's submission to the Joint Committee said. "For example, it is possible and indeed highly likely that this type of monitoring would result in the collection and retention of data on users who are outside of the United Kingdom. This has the potential to place us in a legally untenable position with respect to privacy, data retention and data protection laws elsewhere in the world."

"Following on from the above, we would welcome some clarity on how the provisions of this bill work in concert with other requirements placed on global companies with respect to user privacy and data retention. These could include EU Data Retention and Data Protection Directives as incorporated into domestic laws in member states, human rights legislation as well as privacy and data retention legal frameworks in the United States, and elsewhere," the company added.

The government published the draft Communications Data Bill after police and intelligence agencies complained that existing laws providing powers of surveillance were insufficient to combat criminals' ever-advancing use of technology. However the proposals have been dubbed a "snoopers' charter" by civil liberty campaigners and have also drawn criticism from the Internet Service Providers Association (ISPA).

Under the bill, the Home Secretary could issue an order forcing any business that transmits "communications by any means involving the use of electrical or electro-magnetic energy" to store communications data in the form of "traffic data, use data or subscriber data" relevant to communications sent over their networks, such as by email or the internet, generally for up to a year. The data does not include the content of those communications.

Businesses caught by the proposed legislation must disclose information "without undue delay" to law enforcement bodies and other listed public authorities that ask for it. Those bodies can only request the information if it is to be used for a "permitted purpose" and if "designated senior officers" at those bodies believe it is "necessary to obtain the data" and that the action is "proportionate to what is sought to be achieved."

What trumps your right to privacy?

The "permitted purposes" include where it is in the interests of national security, where the purpose is for the prevention or detection of crime, to prevent disorder and where it is in the interests of the economic well-being of the United Kingdom or in the interests of public safety, among others.

"Subscriber data" includes information such as the names and addresses of individual users of communication services. "Use data" relates to how those individuals have utilised those services and may include itemised phone call records or connections to internet services, the duration of calls and the amount of data they have downloaded online. "Traffic data" is information associated with communications, such as the physical location of mobile devices and the destination of received communications that are transmitted.

The bill contains a number of "safeguards", including requirements that collected communications data is deleted after a year in storage.

Twitter said that the bill may not properly balance the "needs of national security and criminal investigation with public transparency about the extent of online surveillance".

It added:

"While the provisions in the draft bill authorise the Secretary of State to issue orders to compel communications operators to generate and store data, it envisages that this will be done in consultation with communications operators. However, there does not appear to be a process for disclosure to or input from the public on this issue. Nor does there appear to be any provision for user notification when requests for their personal data have been made by law enforcement."

The company also raised concerns about the detail and transparency of plans that would enable information about Twitter users to be collected from telecoms firms in circumstances where Twitter itself could not provide the data.

"If companies like Twitter do not establish ready access to such data or generate data that British authorities believe is necessary, there is authorization in the bill for authorities to compel telecommunications operators to obtain that data. We may not be privy to such orders. We may not know when requests to obtain our user data are being made to other telecommunications operators.

"What is the mechanism for informing overseas companies that its data is being sought or collected? How do we reflect such lack of knowledge in our own Terms of Service with respect to our users, where we typically describe and are held accountable by regulators in the US for the privacy and security features of our service?"

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
