UK says comms metadata can kill personal privacy

Post-Snowden Parliamentary inquiry calls for tighter safeguards on spooks' access to metadata


The UK's inquiry into whether it conducts mass surveillance and the legality of such an effort has recommended tighter controls on access to communications metadata.

The inquiry, as we've reported, finds that mass surveillance capabilities exist in the UK, but are used appropriately.

The inquiry also rejects use of the term "metadata", which it feels is not helpful because it is too vague. Instead the UK prefers the term “Content-Derived Information” because it is felt a more nuanced approach to the collection of data about communications is required.

The report (PDF) therefore offers the following four-level definition of data that can be gleaned from details of an individual's electronic communications:

| Type of information | Example (i.e. in relation to a telephone call) |
| --- | --- |
| Communications Data | The numbers and date/time of a telephone call. |
| ‘Communications Data Plus’ | Details of the person or organisation called, which could reveal details about a person’s private life (e.g. if it was a call to a particular medical helpline, or a certain type of dating or sex chat line). |
| Content-derived information | The accent of an individual speaking during the call. |
| Content | What was said during the call. |

The report goes on to say that Communications Data Plus “would encompass details of web domains visited or the locational tracking information in a smartphone” and to make the following observation about how it should be handled:

“However, there are legitimate concerns that certain categories of Communications Data – what we have called ‘Communications Data Plus’ – have the potential to reveal details about a person’s private life (i.e. their habits, preferences and lifestyle) that are more intrusive. This category of information requires greater safeguards than the basic ‘who, when and where’ of a communication.”

A little backfill: the report says it has no problem with UK intelligence agencies collecting communications data through intercepts and does not recommend tighter controls on its collection and use. The call for more safeguards on Communications Data Plus is therefore notable in the Australian context, as the antipodean communications data collection proposal requires no warrant for access.

The UK report says local legislation should therefore define three levels of metadata, under the following definitions:

Communications Data should be restricted to basic information about a communication, rather than data which would reveal a person’s habits, preferences or lifestyle choices. This should be limited to basic information such as identifiers (email address, telephone number, username, IP address), dates, times, approximate location, and subscriber information.

Communications Data Plus would include a more detailed class of information which could reveal private information about a person’s habits, preferences or lifestyle choices, such as websites visited. Such data is more intrusive and therefore should attract greater safeguards.

Content-Derived Information would include all information which the Agencies are able to generate from a communication by analysing or processing the content. This would continue to be treated as content in the legislation.

In your correspondent's Australian home, UK legal opinions and parliamentary activities carry some weight, so this report will almost certainly be read in Canberra. But it's hard to see its suggestions on a finer classification of metadata being followed, if only because the call for “greater safeguards” is vague and therefore hard to follow. Australia also appears to have little appetite for a more nuanced data collection regime. ®



