UK web snoop charter: Just how much extra info do spooks need?
Influential parliamentarians sniff around packet-sniffing draft law
Analysis: MI5 makes the most requests for information on Brits' phone calls and internet activities, according to a panel of MPs and peers scrutinising Home Secretary Theresa May's draft communications surveillance law. The controversial bill calls for much wider spying on online activity.
The Home Office, in pushing for these extended snooping powers, claimed there is a 25 per cent "shortfall" between the communications data that authorities want and what they can currently get. The Intelligence and Security Committee of MPs and peers looked at this supposed gap, apparently caused by people using technology that pushes messages and chats out of spooks' reach, but concluded that the figure was "immaterial".
The panel said in a report:
What is important is whether there is a gap, whether the gap is causing a problem, and - most importantly - how significant that problem is.
The head of MI5, Sir Jonathan Evans, admitted to the committee that the 25 per cent figure rested on some "pretty heroic assumptions".
Critics of May's surveillance bill, dubbed a Snooper's Charter, have repeatedly brought into question the Home Office's comms data shortfall claim - in part because police and spooks have failed to provide any specifics to ISPs and web services.
However, the report - which was partially redacted on the grounds of protecting national security - noted that while police and other law enforcement agencies were most "acutely affected" by that apparent gap in the availability of communications data, the same wasn't currently true of security agencies:
At present, the intelligence and security Agencies are able, to some extent, to work around the problem of declining communications data by obtaining intelligence using other national security capabilities which are not, in most cases, available to the police.
This means that the Agencies are not facing as immediate a problem as that currently faced by the police and other authorities. Nevertheless, we believe that the decline of available communications data will begin shortly to have a serious impact on the intelligence and security Agencies.
However, the report did not reveal what workarounds MI5 and other spook agencies were using to counteract the problem of being unable to access, for example, data from overseas comms providers or the information transported by an ISP from, say, Facebook to the subscriber.
The committee, chaired by Tory MP Sir Malcolm Rifkind, explored different ways of tackling the issue of communications data by considering investigatory tools used by the Security Service as well as the possibility of a collaborative agreement with communications service providers. It concluded that those ideas failed to offer a solution, either on the basis of costs or because of a lack of cooperation from some, if not all, CSPs.
The MPs and peers agreed that legislation, while "not a perfect solution", was the best option available.
Cops cop costs
Data retention costs got very little airtime in the report, but the matter has been batted around Parliament recently.
Late last month, Tory MP Dominic Raab asked May's department how much the Home Office "currently remunerates (a) telephone companies, (b) internet service providers and (c) others annually for data storage; and what estimate she has made of such figures if the draft Communications Data Bill was passed."
James Brokenshire, minister for crime and security at the Home Office, explained that "the police and other operational agencies requesting the data" normally reimbursed CSPs for the costs of retaining comms data under current legislation in RIPA (The Regulation of Investigatory Powers Act 2000).
80 per cent of this expenditure is through a pilot project established by the Home Office to ensure value for money and auditing of payments to industry. Under this pilot, a subset of providers are reimbursed directly by the Home Office, with the money then recharged to operational agencies.
Brokenshire also revealed that the total estimate for such payments made last year to comms providers stood at £15m.
That's an interesting figure when one considers what that could mean for the already budget-squeezed bobbies if the draft Communications Data Bill had passed through Parliament in its current form.
Charles Farr, who is Director General of the Office for Security and Counter Terrorism, is leading the charge for more powers to snoop on British netizens. He has previously told politicos that around 50 per cent of the highly-questioned £1.8bn price tag placed on the Communications Capabilities Development Programme (CCDP) would be used to pay CSPs for storage of the data.
The report highlights this by pointing out the Home Office has estimated compensation costs of £859m over a 10-year period.
Ultimately that suggests the police could be faced with much higher costs - with today's £15m figure creeping up to anything as high as £85m each year.
That said, as CSPs have repeatedly complained, those estimations of payment are full of assumptions because the Home Office failed to seek the advice of comms providers when drawing up the draft bill.
Costs being plucked out of thin air was one of the reasons why May's bill so spectacularly failed to pass the pre-legislative select committee scrutiny test and it's also why those figures are now being picked apart and reassembled by the Home Office.
But the fact remains that the police could end up footing a hugely expensive bill to cover the costs of data retention in order that they can access the supposed 25 per cent shortfall of information that they apparently need to catch criminals and terrorists online.
The Register asked the Home Office to explain more about the pilot scheme mentioned by Brokenshire. It told us:
The Home Office is running a pilot scheme where cost recovery for certain communications service providers is managed by the Home Office itself.
One advantage of the scheme is that a single body examines claims for reimbursement on behalf of all law enforcement, ensuring greater scrutiny and value for money.
The Home Office does not comment on specific charges and services made by communications providers.
How to make DPI fly
Returning to the ISC's report, the committee took evidence from BAE-owned Detica, which provided information about Deep Packet Inspection (DPI) probes that could be used in cases where CSPs had declined to allow spooks to access communications data and the government made the decision not to take civil action against those providers.
Detica, which supplies DPI to the government, described the technology as "flexible" and told the committee that it was regularly used for commercial purposes.
But the committee noted that the Home Office had "a presentational issue to address in terms of the amount of DPI that may be used, what companies it may be targeted against, and how soon UK network CSPs may be asked to use it."
CSPs are said to be nervous about creating frosty relationships with overseas companies if DPI were used to extract communications data from those outfits not willing to cooperate. They only want DPI to be used as a "last resort", the report found.
We are... sympathetic to their argument that the Home Office should have to demonstrate due diligence before resorting to the use of Deep Packet Inspection to collect communications data from overseas Communications Service Providers, and we recommend that this should be reflected on the face of the Bill.
The ISC also touched on websites and online services moving to encrypt their pages with the HTTPS protocol, saying that the government has "[redacted] options in dealing with the challenge encryption poses." Further information about that method was also kept secret.
Critics have suggested that encryption would render DPI pointless.
The notion of developing a "filtering tool" to bring together fragmented communications data from any number of CSPs was also looked at by the committee, which apparently failed to consider such a collection eventually morphing into a central database for police and spooks that might possibly be managed by Detica.
The ISC considers that a filtering mechanism would offer considerable benefits to the Agencies. It would save many hours of analysis, and reduce the amount of collateral intrusion from complex communications data requests.
The technology seems to exist to provide this. It will be a significant challenge to integrate the numerous data sets from different Communications Service Providers to make the filter work, as well as to manage the expectations of the various departmental and Agency stakeholders. The record of government in managing such complex IT projects is mixed at best.
The ISC report broadly welcomed May's draft bill as it reads today, but with some important caveats.
More thought is needed, the committee concluded, in relation to the order-making power laid out in the draft bill to help convince Parliament and the public that the legislation is necessary.
It called for more consultation with CSPs and a better, more detailed explanation of how communications data would be used and what safeguards might be put in place.
Behind the scenes, the Home Office is understood to be busy with a rewrite. This comes after Deputy Prime Minister Nick Clegg said the government had to go "back to the drawing board" because some of the proposals were considered unpalatable in their current form.
As for the much-contended costs floated by the Home Office, a source close to the situation has suggested to El Reg that the CCDP price tag could hit close to £5bn over the course of 20 years if the legislative overhaul does take flight. ®