The UK government has introduced an amendment to the Investigatory Powers Bill currently going through Parliament, to make ensure that data
retention orders cannot require ISPs to collect and retain third party data. The Home Office had previously said that they didn't need powers to force ISPs to collect third party data, but until now refused to provide guarantees in law.
Third party data is defined as communications data (sender, receiver, date, time etc) for messages sent within a website as opposed to messages sent by more direct methods such as email. It is obviously a bit tricky for ISPs to try and decode what is
going on within websites as messaging data formats are generally proprietary, and in the general case, simply not de-cypherable by ISPs.
The Government will therefore snoop on messages sent, for example via Facebook, by demanding the communication details from Facebook themselves.
The Investigatory Powers Bill is one step closer to becoming law after it was passed by the House of Lords yesterday.
Open Rights Group's Executive Director, Jim Killock, responded:
The UK is one step closer to having one of the most extreme surveillance laws ever passed in a democracy.
Despite attempts by the Lib Dems and Greens to restrain these draconian powers, the Bill is still a threat to the British public's right to privacy.
The IP Bill is a comprehensive surveillance law that was drafted after three inquiries highlighted flaws in existing legislation. However, the new Bill fails to restrain mass surveillance by the police and security services and even extends their powers.
Once passed, Internet Service Providers could be obliged to store their customers' web browsing history for a year. The police and government departments will have unprecedented powers to access this data through a search engine that could be used for
profiling. The Bill will also allow the security services to continue to collect communications data in bulk and could see Internet security weakened by allowing mass hacking.
The European Court of Justice has passed judgement on several linked cases in Europe requiring that ISP retain extensive records of all phone and internet communications. This includes a challenge by Labour's Tom Watson. The court wrote in a press
The Members States may not impose a general obligation to retain data on providers of electronic
EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Members States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime,
provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary. Access of the national
authorities to the retained data must be subject to conditions, including prior review by an independent authority and the data being retained within the EU.
In today's judgment, the Court's answer is that EU law precludes national legislation that prescribes general and indiscriminate retention of data.
The Court confirms first that the national measures at issue fall within the scope of the directive. The protection of the confidentiality of electronic communications and related traffic data guaranteed by the directive, applies to the measures taken by
all persons other than users, whether by private persons or bodies, or by State bodies.
Next, the Court finds that while that directive enables Member States to restrict the scope of the obligation to ensure the confidentiality of communications and related traffic data, it cannot justify the exception to that obligation, and in particular
to the prohibition on storage of data laid down by that directive, becoming the rule.
Further, the Court states that, in accordance with its settled case-law, the protection of the fundamental right to respect for private life requires that derogations from the protection of personal data should apply only in so far as is strictly
necessary. The Court applies that case-law to the rules governing the retention of data and those governing access to the retained data.
The Court states that, with respect to retention, the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.
The interference by national legislation that provides for the retention of traffic data and location data with that right must therefore be considered to be particularly serious. The fact that the data is retained without the users of electronic
communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying
The Court states that legislation prescribing a general and indiscriminate retention of data does not require there to be any relationship between the data which must be retained and a threat to public security and is not restricted to, inter alia,
providing for retention of data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved in a serious crime. Such national legislation therefore exceeds the limits of what is strictly necessary and
cannot be considered to be justified within a democratic society, as required by the directive, read in the light of the Charter.
The Court makes clear however that the directive does not preclude national legislation from imposing a targeted retention of data for the purpose of fighting serious crime, provided that such retention of data is, with respect to the categories of data
to be retained, the means of communication affected, the persons concerned and the retention period adopted, limited to what is strictly necessary. The Court states that any national legislation to that effect must be clear and precise and must provide
for sufficient guarantees of the protection of data against risks of misuse. The legislation must indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that the scope
of that measure is, in practice, actually limited to what is strictly necessary. In particular, such legislation must be based on objective evidence which makes it possible to identify the persons whose data is likely to reveal a link with serious
criminal offences, to contribute to fighting serious crime or to preventing a serious risk to public security.
As regards the access of the competent national authorities to the retained data, the Court confirms that the national legislation concerned cannot be limited to requiring that access should be for one of the objectives referred to in the directive, even
if that objective is to fight serious crime, but must also lay down the substantive and procedural conditions governing the access of the competent national authorities to the retained data. That legislation must be based on objective criteria in order
to define the circumstances and conditions under which the competent national authorities are to be granted access to the data. Access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals
suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime. However, in particular situations, where for example vital national security, defence or public security interests are
threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be inferred that that data might, in a specific case, make an effective contribution to combating such
Further, the Court considers that it is essential that access to retained data should, except in cases of urgency, be subject to prior review carried out by either a court or an independent body. In addition, the competent national authorities to whom
access to retained data has been granted must notify the persons concerned of that fact.
Given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, the national legislation must make provision for that data to be retained within the EU and for the irreversible destruction of the data at the end
of the retention period.
The view of the authorities
David Anderson, the Independent Reviewer of Terrorism Legislation gives a lucid response outlining the government's case for
mass surveillance. However the official justification is easily summarised as it clearly assists in the detection of serious crime. He simply does not mention that the government having justified grabbing the data on grounds of serious crime detection,
will share it willy nilly with all sorts of government departments for their own convenience, way beyond the reasons set out in the official justification.
And when the authorities talk about their fight against 'serious' crime, recent governments have been updating legislation to redefine practically all crimes as 'serious' crimes. Eg possessing a single spliff may in practice be a trivial crime, but the
law on possession has a high maximum sentence that qualifies it as a 'serious' crime. It does not become trivial until it goes to court and the a trivia punishment has been handed down. So using mass snooping data would be easily justified to track down
trivial drug users.
The judgment relates to a case brought by Deputy Leader of the Labour Party, Tom Watson MP, over intrusive data retention powers. The ruling says that:
- Blanket data retention is not permissible
- Access to data must be authorised by an independent body
- Only data belonging to people who are suspected of serious crimes can be accessed
- Individuals need to be notified if their data is accessed.
At present, none of these conditions are met by UK law.
Open Rights Group intervened in the case together with Privacy International, arguing that the Data Retention and Investigatory Powers Act (DRIPA), rushed through parliament in 2014, was incompatible with EU law. While the Judgment
will no longer affect DRIPA, which expires at the end of 2016, it has major implications for the Investigatory Powers Act.
Executive Director Jim Killock said:
The CJEU has sent a clear message to the UK Government: blanket surveillance of our communications is intrusive and unacceptable in a democracy.
The Government knew this judgment was coming but Theresa May was determined to push through her snoopers' charter regardless. The Government must act quickly to re-write the IPA or be prepared to go to court again.
Data retention powers in the Investigatory Powers Act will come into effect on 30 Dec 2016. These mean that ISPs and mobile phone providers can be obliged to keep data about our communications, including a record of the websites we
visit and the apps we use. This data can be accessed by the police but also a wide range of organisations like the Food Standards Agency, the Health and Safety Executive and the Department of Health.
No matter how much governments spout bollox about mass snooping being used onlt to detect the likes of terrorism, the authorities end up sharing the data with Tom, Dick and Harry for the most trivial of reasons
Liberty is launching a landmark legal challenge to the extreme mass surveillance powers in the Government's new Investigatory Powers Act -- which lets the
state monitor everybody's web history and email, text and phone records, and hack computers, phones and tablets on an industrial scale.
Liberty is seeking a High Court judicial review of the core bulk powers in the so-called Snoopers' Charter -- and calling on the public to help it take on the challenge by donating v
ia crowdfunding platform CrowdJustice
Martha Spurrier, Director of Liberty, said:
Last year, this Government exploited fear and distraction to quietly create the most extreme surveillance regime of any democracy in history. Hundreds of thousands of people have since called for this Act's repeal because they see it for what it is -- an
unprecedented, unjustified assault on our freedom.
We hope anybody with an interest in defending our democracy, privacy, press freedom, fair trials, protest rights, free speech and the safety and cybersecurity of everyone in the UK will support this crowdfunded challenge, and make 2017 the year we
reclaim our rights.
The Investigatory Powers Act passed in an atmosphere of shambolic political opposition last year, despite the Government failing to provide any evidence that such indiscriminate powers were lawful or necessary to prevent or detect crime.
Liberty will seek to challenge the lawfulness of the following powers, which it believes breach the public's rights:
Bulk hacking -- the Act lets police and agencies access, control and alter electronic devices like computers, phones and tablets on an industrial scale, regardless of whether their owners are suspected of involvement
in crime -- leaving them vulnerable to further attack by hackers.
Bulk interception -- the Act allows the state to read texts, online messages and emails and listen in on calls en masse, without requiring suspicion of criminal activity.
Bulk acquisition of everybody's communications data and internet history -- the Act forces communications companies and service providers to hand over records of everybody's emails, phone calls and texts and entire web
browsing history to state agencies to store, data-mine and profile at its will. This provides a goldmine of valuable personal information for criminal hackers and foreign spies.
Bulk personal datasets -- the Act lets agencies acquire and link vast databases held by the public or private sector. These contain details on religion, ethnic origin, sexuality, political leanings and health problems,
potentially on the entire population -- and are ripe for abuse and discrimination.
In a challenge to the Data Retention and Investigatory Powers Act (DRIPA) by MP Tom Watson, represented by Liberty, the CJEU ruled the UK Government was breaking the law by indiscriminately collecting and accessing the nation's internet activity
and phone records.
DRIPA forced communications companies to store records of everybody's emails, texts, phone calls and internet communications and let hundreds of public bodies grant themselves access with no suspicion of serious crime or independent sign-off.
Judges ruled the regime breached British people's rights because it:
Allowed indiscriminate retention of all communications data.
Did not restrict access to the purpose of preventing and detecting precisely defined serious crime.
Let police and public bodies authorise their own access, instead of requiring prior authorisation by a court or independent body.
Did not require that people be notified after their data had been accessed.
Did not require that the data be kept within the European Union.
DRIPA expired at the end of 2016 -- but its powers are replicated and vastly expanded in the Investigatory Powers Act, with no effort to counter the lack of safeguards found unlawful in the case.
Senior police officers are to lose the power to self-authorise access to personal phone and web browsing records under a series of late changes
to the snooper's charter law proposed by ministers in an attempt to comply with a European court ruling on Britain's mass surveillance powers.
A Home Office consultation paper published on Thursday also makes clear that the 250,000 requests each year for access to personal communications data by the police and other public bodies will in future excluded for investigations into minor
crimes that carry a prison sentence of less than six months.
But the government says the 2016 European court of justice (ECJ) ruling in a case brought by Labour's deputy leader, Tom Watson , initially with David Davis, now the Brexit secretary, does not apply to the retention or acquisition of personal
phone, email, web history or other communications data by national security organisations such as GCHQ, MI6 or MI5, claiming that national security is outside the scope of EU law.
The Open Rights Group has been campaigning hard on issues of liberty and privacy and writes:
This is major victory for ORG, although one with dangers. The government has conceded that independent authorisation is necessary for communications data requests, but refused to budge on retained data and is pushing ahead with the Request Filter,
to enable rapid interrogation and analysis of the stored communications data.
Adding independent authorisation for communications data requests will make the police more effective, as corruption and abuse will be harder. It will improve operational effectiveness, even if less data is used during investigations and trust in
the police should improve.
Nevertheless the government has disregarded many key elements of the judgment
It isn't going to reduce the amount of data retained
It won't notify people whose data is used during investigations
It won't keep data within the EU, instead it will continue to transfer it, presumably specifically to the USA
The Home Office has opted for a six month sentence definition of serious crime rather than the Lords' definition of crimes capable of sentences of at least one year.
These are clear evasions and abrogations of the judgment. The mission of the Home Office is to uphold the rule of law. By failing to do what the courts tell them, the Home Office is undermining the very essence of the rule of law.
If the Home Office won't do what the highest courts tell it to do, why should anybody else? By picking and choosing the laws they are willing to care about, they are playing with fire.
There was one final surprise. The Code of Practice covers the operation of the Request Filter . Yet again we are told that this police search engine is a privacy safeguard. We will now run through the code in fine detail to see if any such
safeguards are there. On a first glance, there are not.
If the Home Office genuinely believe the Request Filter is a benign tool, they must rewrite this section to make abundantly clear that it is not a mini version of X-Keyscore (the NSA / GCHQ'S tool to trawl their databases of people linked to their
email and web visits) and does not operate as a facility to link and search the vast quantities of retained and collected communications data.