The Report of the Joint Select Committee on the Draft Communications Data Bill was issued this morning at one minute past midnight. It’s been in the news this morning with the Deputy Prime Minister Nick Clegg calling on ministers to rip up their plans and go “back to the drawing board”.
The 105-page Report concludes that “there is a case for legislation which will provide the law enforcement authorities with some further access to communications data, but that the current draft Bill is too sweeping, and goes further than it need or should.”
I have always said that the right balance between our personal security and our personal privacy needs to be maintained when considering this subject area and this is the tenet of the Joint Select Committee’s recommendations.
Unfortunately some of the basic conclusions of the report do not put the Home Office in a good light. There would appear to be a widespread failure to consult with many of the stakeholders involved, notably on the costs of the project and what might reasonably be achievable in terms of Communications Data capture and storage. In particular it is recommended that the HO will have to carry out a careful cost/benefit analysis and obtain advice and assurances from a wider body of experts than the companies that stand to earn money from devising secure storage solutions.
The committee recommends that the scope of the Bill be significantly reduced to cover only the retention of IP address data and “web logs” although regarding the latter they also “acknowledge that storing web log data, however securely, carries the possible risk that it may be hacked into or may fall accidentally into the wrong hands, and that, if this were to happen, potentially damaging inferences about people’s interests or activities could be drawn. Parliament will have to decide where the balance between these opposing considerations should be struck.”
There is also a concern that web log data contains content, which due to privacy concerns was specifically excluded from the Draft Bill. The committee has asked the Home Office to review whether it is operationally and technically feasible to only retain web logs of certain types of service where those services enable communications between individuals.
Regarding the storage of third-party data traversing a CSP’s network, it is recommended that the requirement to store such data only after attempts to retrieve the data from the third party be given statutory force. The effectiveness of this, considering the overall objective, must be questionable: historical data is unlikely to be available in a timely manner for specific crime stopping targets.
The recommendations continue with the suggestion that the Home Secretary should not have the power to extend the scope of “permitted purposes” of the Bill and that indeed this list of purposes should be examined with a view to shortening it.
It is also recommended that the definitions for communications data under RIPA should be reviewed following consultation with industry, with a particular focus on what is subscriber data (i.e. info on me and you) and what is traffic data.
A specialised SPoC (Single Point of Contact) team should be established that provides a central expertise for the approval of RIPA requests. This in theory should prevent misuse of the system. Although Local Authorities are not specifically mentioned amongst the authorities that should be able to access the data under discussion here, the committee recommends that bodies over and above the six in the Draft Bill should be considered for inclusion based on their case, notably the Financial Services Authority and the UK Border Agency. Local Authorities, although representing a fairly small proportion of the nearly half a million RIPA requests each year, are 20 times more likely to put in a non-compliant request.
Coming back to costs the committee is being polite when it says “that the Home Office’s cost estimates are not robust. They were prepared without consultation with the telecommunications industry on which they largely depend, and they project forward 10 years to a time where the communications landscape may be very different. Given successive governments’ poor records of bringing IT projects in on budget, and the general lack of detail about how the powers under the Bill will be used, there is a reasonable fear that this legislation will cost considerably more than the current estimates.”
It was nice to get a mention myself in para 276 regarding the effect on small CSPs of having to meet the requirements of this Bill.
The commitment to reimburse CPs the necessary cost of complying with the requirements of legislation should also be written into law and not left in any doubt.
Finally “the figure for estimated benefits is even less reliable than that for costs, and the estimated net benefit figure is fanciful and misleading. It ought not to be used to influence Parliament in deciding on the relative advantages and disadvantages of this legislation. Whatever the benefits of the Bill, they are unlikely to be financial.”
The cost aspects of the recommendations are pretty damning. It would be nice to think that as much effort is put into all legislation as this committee has put into the Draft Communications Data Bill. I’m thinking specifically of the Digital Economy Act but I’m sure there must be others.
I’m not totally comfortable that any safeguards built into the Bill will really work, especially when it is noted that nobody can 100% guarantee the security of the storage of the data. At least on this occasion the Government is being sent away and told to get their homework right and the subject of security versus proportionality is highlighted as being central to the debate.
That’s all for now. You can read the whole report here. I’m sure I will have missed something. You can also read my other stuff on this subject – use the search box at the top right hand corner of this page. There is a lot of material.