APIG Communications Data Inquiry Oral Evidence

MR. WHITE: I welcome our second witness, who is Dr. Ian Walden, who is Head of the Institute of Computer and Communications Law in the Centre for Commercial Law Studies, Queen Mary, University of London. Dr. Walden, thank you very much for coming at short notice. As you know, we are conducting this investigation. Is there anything you would like to say by way of introduction?

DR. WALDEN: I was going to say a few things which have arisen from points which have already been made this morning. As Clive pointed out, there is a morass of legislation in this area. Of course, the most uncertain area is that of the Human Rights Act and how the Human Rights Act applies. Clearly, one of the big questions which has been trying all sides of the debate in this area is the extent to which the Anti-Terrorism, Crime and Security Act is in itself compliant with the European Convention on Human Rights. I suggest that the trend is in favour of finding that whilst the Act itself may not be in breach of the European Convention, the Act, in conjunction with other legislation, most particularly the Regulation of Investigatory Powers Act, does render serious questions in respect of European Convention compliance. Again, this question of what does RIPA do. RIPA, clearly, provides for an exclusive competence for interception. It lays down the circumstances and the only circumstances where interception is lawful, whereas in respect of access that is not the case. RIPA does not provide for an exclusive legal basis upon which access can take place. As Clive pointed out, there are numerous other pieces of legislation which continue to exist which make this a very difficult area to see the wood for the trees, so to speak. Finally, there is the point about the need for reform of computer misuse. Part of the remit of this Committee is to examine whether there is a need for a general reform of all of these pieces of legislation to try and make greater sense. With the Council of Europe’s Cybercrime Convention, which was adopted in the latter part of last year, the Government has an excuse, if you like, to look at these areas again. I only hope that they review legislation relating to computer-related investigations to try and tie all of these things down into a much more coherent framework.

MR. WHITE: Are you suggesting that we rip up RIPA? I did not mean that to sound flippant, but to re-word the myriad of existing Acts into a single piece of legislation? Would that help or just complicate matters?

DR. WALDEN: I think it would help. Clearly, from the point of view of the recipients of the requests, i.e., communication providers having a single statutory instrument which describes the circumstances under which it is lawful to request communications data would be helpful. It has been achieved in respect of interception. So I feel it should have been attempted in respect of access to communications data.

MR. ALLAN: I am thinking about the way in which we got to where we are now. RIPA, essentially, came out of subsequent Communications Acts and then an adverse human rights judgment, which the Government had to respond to. The way in which we seem to have legislated in RIPA is to take what applied to telephones and stretch it to the Internet. I am thinking, from what you are saying, whether that stretching is entirely wrong. We ought to have started again understanding that the real area of interest in criminal investigations, which was not working and was still developing was the Internet stuff. The telephone thing was okay. It seems that the difficulties in implementation are not on the telephone, because they are fine and they carry on working as ever, but on the Internet bit. Is that a reasonable assessment?

DR. WALDEN: Yes. I think there is the concern that this is reactive legislation rather than legislation that started with a green field site, so to speak. Even the European Court of Human Rights, I think, in its judgments in respect of interception has somewhat lagged behind in the developments in communication, as a number of submissions have stated. Historically, access to the content of the communications was seen as some serious breach of privacy over and above access to communications data because communications data was not perceived to be as fundamental to our privacy as the actual content. I think the nature of communications technology has changed that balance. I think that communications data in the sense of traffic data and usage data reveals as much about our personal life as the content of the communication. I think the onus is upon Government and policymakers to justify why the treatment of those two types of data is so different.

MR. ALLAN: On the specific point of a voluntary data retention scheme, which we have just discussed with the ISPA, they clearly expressed their concerns about the difficult position they are put in in respect of holding that data and other requests which may then come in. Is it your view from a legal perspective that those fears are justified? Do you support the fact that they should be afraid of people making requests? For example, the one which is cited is if a civil law request comes in against data which, ostensibly, has been held for anti-terrorism purposes. Do you think that does expose them to a suit under, I guess, article 8 of the European Convention on Human Rights, that the customer feels their rights to have been breached in a way that was not necessary or proportionate?

DR. WALDEN: Yes. Because it is human rights legislation it is, inevitably, unclear, but I believe that the way in which the anti-terrorism and RIPA legislation interacts is not so much in respect of retention but in the access component that renders the provisions in breach of the European Convention on Human Rights. The question whether that gives rise to potential liability upon communications providers is much more uncertain. For example, one of the questions is would a communications provider be considered to be a public authority for the purposes of human rights legislation? That is a very uncertain area. I would, probably, personally, tend to believe not, that they would not be perceived to be a ‘public authority’. However, were they perceived to be a public authority in that respect, then their acts are not unlawful if what they are doing is simply complying with anti-terrorism, crime and security provisions which are themselves incompatible. There are so many complex steps in imposing liability upon a communications provider that I tend to think that the risk is relatively low, but the risk does exist.

MR. ALLAN: And presumably the only way to find out would be the person who feels aggrieved, the ISP customer who has gone to court, that the other side is using his or her communications data and then says, “I am suing my ISP” and we trundle all the way up through the courts.

DR. WALDEN: A person who felt aggrieved would have a choice of litigants. Would you choose to litigate a small ISP or the Government? I think you would pursue the Government as having the deepest pockets.

MR. ALLAN: So taking a case directly against the Government?

DR. WALDEN: Yes. Even if the communication provider was perceived to be in breach of article 6 of the Human Rights Act, the requesting party, the law enforcement officer, would also be liable for breach under article 6 of the Human Rights Act. Therefore, you would have a choice of litigants. You could pursue both, but you are probably more likely to pursue the Government rather than the communication provider.

MR. WHITE: There has been a strong debate in the ISP community about whether it should be a mandatory or voluntary scheme, and the balance has shifted over time. What is your view?

DR. WALDEN: I think the question of whether compliance with a voluntary or directed scheme is compliance with the human rights legislation is much of a muchness. I think the failure of the legislation is, again, not whether it is voluntary or mandatory but the interaction with the data access provisions under RIPA. The concern about voluntary is whether that exposes them to greater liability. I do not believe it does expose them to greater liability. The liability exists under a voluntary or a mandatory regime.

MR. ALLAN: If we were to stick to the spirit of the ATCS, which said you could have a scheme for retaining data for the purposes of fighting terrorism, national security and so on, if you wanted to enforce that, you are saying that we would have to go back and re-write the access provisions in RIPA to say, “From an access point of view, the data is retained for these purposes and it can only be accessed for these purposes”. That would be one way round?

DR. WALDEN: Section 25(3)(b) of RIPA does give the Secretary of State the right to limit the purposes for which law enforcement can use their powers under section 22. The Secretary of State could make a request, and I would recommend this if they are not intending to reform the whole legislation. One way to limit the rights of law enforcement to get access under section 22 would be some form of order under the provision I mentioned. That does not solve the problem of civil parties. As Clive said, it may be one or two at the moment, but I think most lawyers recognise now that much useful evidence can be found in e-mails and related communications activity. If we look to the US as an example, these are now constant sources of valuable data about government activities as well as of other parties.

MR. ALLAN: Once you have got the data there itself, then that is where the problem starts, as it were?

DR. WALDEN: Indeed.

MR. ALLAN: As soon as you have stored that data, whether you have stored it for a very limited range of purposes or not, its existence may cause you problems because all of the other bits of legislation that can get in?

DR. WALDEN: Yes. You could not re-write RIPA to say “This data is not accessible to a civil litigant who has a perfectly legitimate right”. I think the courts would find such provision in breach of human rights in the sense of a right to a fair trial, because that data exists and it could be accessed to be used in my defence against a legal action. Legislation preventing me to gain access to that data, I think, would be a breach of the Human Rights Act. They cannot close the gap. So there is a problem both ways. Because civil litigants have the right to access it, I believe the provisions are in breach of the European Convention on Human Rights. To try and plug that gap would, essentially, give rise to another breach of the Human Rights Convention, so it is the data retention provision per se which again cause the problems.

MR. WHITE: If the ISPs were simply to dump all of that information onto the State and say, “Here are your 36,000 CDs. You have these CDs, and we are scrapping all of our information because we do not have any, apart from normal commercial usage”, would that still apply to the State?

DR. WALDEN: Yes. Such an action would clearly be disproportionate. Even at the most general level, Norman Baker MP applied for information from the security services and he was denied access under a blanket Ministerial certificate issued under the Data Protection Act. The blanket certificate was held to be in breach of human rights legislation. So any blanket approach is always, in my opinion, a disproportionate approach.

MR. ALLAN: So whichever agency held that data would be getting a deluge of requests from people for that data, and you are saying they could not just say, “We are MI5 and we are not going to give it to you”, but that they would have to deal with every case individually and issue the data to the civil litigant in the same way the ISP would have done if that was appropriate?

DR. WALDEN: Yes. The UK Government have been found liable under the European Convention on that sort of issue previously. An example is the Gaskin case in 1988. One of the changes to the Data Protection Act 1998 was to render English law compliant in that respect. There can be no blanket refusal.

MR. ALLAN: “Just having this data around is a problem. We don’t want it”. Can we ask about the section 29(3) of the Data Protection Act method of access. This is what I understand they do at the moment, as we heard from the ISPs. Do you have a view on whether that is Human Rights Act compatible or not?

DR. WALDEN: I find, looking at the legislation, it hard to believe that it would fall foul of human rights legislation. The legislative provisions clearly make it foreseeable to an individual that their data could be accessed for the purpose of a criminal investigation. The certificates which have been agreed between the industry and law enforcement agencies, I think, probably give greater credence to this process rather than rendering it less compliant with human rights legislation. I understand that certain authorities do believe that there is a question there, but my personal view is that I do not think it is, by any means, clear that the 29(3) approach is unlawful.

MR. ALLAN: Would it not depend on the individual case and whether or not the ISP agents had properly carried out their function? In other words, if I were a complainant and I believe that the ISP has breached my data protection rights, what I would be seeking to do would be to prove that because they get 300 of these things coming across their desks, they do not really make an individual judgment and, therefore, they are not properly respecting the legislation principles. Is that the kind of area that I could be in?

DR. WALDEN: Yes. In terms of any legal action under the Data Protection Act, essentially, apart from a few offences of strict liability, a data controller has to show as a defence that they have taken reasonable care. By not disclosing data except in accordance with a section 29(3) certificate, so if the police come without a section 29(3) certificate and they only agree to disclose if they go through this procedure which has been agreed between the industry and law enforcement, then that is some level of care. At the same time, every single request should be checked to show it has been appropriately completed, that it is appropriately authorised and all the other procedures. They cannot just say, “Here is the certificate. Let’s open the doors”. Everything has to be subject to some application scrutiny.

MR. ALLAN: So if they are being rubber stamped and automatically processed, that would be a problem?

DR. WALDEN: I think that is the area of concern, yes.

MR. WHITE: Is not one of the problems that the SPOCs — I love that term as a way of asking for data — are having a backlog at the moment and that they are not actually dealing with all the requests which they receive, and therefore people are finding other ways of getting round that?

DR. WALDEN: As has already been said, there are a variety of legislative means by which you can ask for data. As the section 29(3) mechanism comes into some disrepute or uncertainty, then agencies will rely on other routes. The police have powers under the Police and Criminal Evidence Act. Clive has mentioned a number of other routes, which are myriad, by which such data can be accessed.

MR. ALLAN: Is there a problem in human rights terms if you have somebody else accessing data on your behalf? Clearly, one of the proposals from an ISP point of view is that a small number of very well informed SPOCs is the best way for them to deal with these requests. Obviously, when we had a discussion about the other agencies coming up in the summer, the suggestion was “Why don’t they all go through a police SPOC?” My understanding is that that has some legal doubt around it because it is not the agency themselves asking for the data but through a third party. Do you think there is a legal problem there?

DR. WALDEN: I do think there is a legal problem. I am not sure that that problem resides in human rights legislation. It certainly is a very specific problem in RIPA. RIPA says that a notice of authorisation must be to disclose data to somebody within that organisation. To then disclose it to a third party, the original requesting party, would, essentially, be in breach of the spirit and, I believe, the letter of the law. So in RIPA there is, I believe, a problem with the SPOCs acting as clearing houses. Whether that is in breach of human rights legislation, again, is much less clear. If it had appropriate procedural safeguards and codes of practice which were published, then I do not think it would innately be in breach of human rights legislation.

MR. ALLAN: But if we want to come back and say, “There may be limited circumstances under which local authorities, for example, may need to access communications data”, which could be quite proper and receive public acceptance, but if we wanted to come back and say, “This is silly. This is nonsense. For every local authority” — I do not know how many there are — “we want to have a local authority SPOC, perhaps linked into a police SPOC”, we would have, really, to go back and look at RIPA again to make that lawful.

DR. WALDEN: Indeed.

MR. ALLAN: Yes. At the moment, every local authority, if they were to be given these general powers, would have to have their own SPOC?

DR. WALDEN: Yes. Clearly, the legislation, from my interpretation of it, requires that the authority that requests the data is the authority to whom the data should be disclosed and no further. Whilst you could be creative in your lawyering to allow further disclosures, I do not think the interpretation of the provision would allow that.

MR. WHITE: Section 22 of RIPA applies both for notices and authorisations. The ISPs are a bit wary of the authorisations, are they not, because they look like licenses to hack?

DR. WALDEN: The explanatory report for RIPA suggests that there are particular reasons why law enforcement agencies may need to have direct access to communications data. The example they give is because the communications provider is not able to do that themselves. So, for example, a PABX within a company may contain data that the company itself may not feel able to gain access to. Again, there are provisions within section 22(5) which requires any such authorisation to be proportionate. I think the designated person, the person granting authorisation, would essentially have, first, to ask the question, “Can this be provided by the communication provider?” The point is that if they do not ask that question, I think they fall at the hurdle of necessity and proportionality. If they ask that question and the question is answered in the negative, “No, communication providers are not, in this circumstance, capable of providing the data as requested”, then an authorisation is the appropriate response, but I think it has to be justified in that way. I can understand the concerns of communication providers, but at the same time I think that the legislation, were it to be fleshed out in a code of practice, should be able to mitigate those concerns.

MR. WHITE: So there should be a code of practice?

DR. WALDEN: I think there needs to be a code of practice for communications providers to know what the difference between a notice and an authorisation is, in terms that there is no clear explanation, or there is no explanation at all in the legislation itself, and one has to ask whether, in order to ensure human rights compliance, there has to be a greater procedural detail about how those things operate.

MR. ALLAN: Can I ask you about the practice, which I understand has been going for some time, of the terminal into the BT billing system. It comes up from time to time and there are questions about whether that sort of arrangement is legal. Going back to the ISP situation, whether by analogy it would be legal for the law enforcement agencies to have a terminal into communications data systems. Do the authorisations cover that or is that dubious?

DR. WALDEN: To be honest, I think that is somewhat dubious. Such authorisation has to be necessary. Clearly, it may be desirable in terms of facilitating investigations for law enforcement to have direct access to BT’s database. Under European human rights law something may be desirable but it certainly does not show that it is necessary.

MR. ALLAN: So if the company themselves is technically able to provide the information, that should always be the route which has preference over the route of direct access? Is that what you are saying in legal terms?

DR. WALDEN: To my interpretation, I think that makes sense. Otherwise, what does the concept of proportionality mean? I can imagine if you said, “Nobody else can provide this”, or “We do not trust the provider”, or there could be circumstances where this communications data is held by a communications provider and the police can show reason why, giving them a notice, would not be the appropriate way to get hold of this data.

MR. ALLAN: So an untrusted third party?

DR. WALDEN: An untrusted communications provider. If those circumstances do not exist, I cannot see any need for law enforcement to go via the authorisation route as opposed to the notice route.

MR. WHITE: Is there a difference between the big companies and the little companies?

DR. WALDEN: In respect of that answer?

MR. WHITE: Yes.

DR. WALDEN: I do not believe there is. I think the current arrangements are merely desirable for law enforcement rather than necessary.

MR. WHITE: We come on to the definitions of “communications data”. It has been suggested to us that the full definition of “traffic data” should be split into four different definitions, and there have been problems with the way the section 22 notices have been specified. Is that a problem?

DR. WALDEN: It is a potential problem. With notices and authorisations you have to specify the communications data that you want to have access to. It does not say that you have to say that the communications data is from category A, category B or category C. It just says that you have to describe the communications data. Were any code of practice to say “The police should specify whether the data falls within category A, B or C of the definition”, then I think problems will arise. You rely on law enforcement to get it right about defining those categories. So there is only a problem depending on the procedure which relates to those notices. If the notices just require, as the legislation seems to imply, some general description of the communications data that you want, i.e. “I want to match this IP address to a subscriber” — you do not have to say “This is section 21(4)(c) data” but it is just “I want to find this sort of data” — then that should not cause a problem.

MR. WHITE: One ISP suggested that 99% of their requests are, “Give us the subscriber’s name and address”. Is there a case for having that as a separate procedure?

DR. WALDEN: Returning to my earlier point, I do not see the legal or moral justification for distinguishing access to communications data and access to content. I do see a case for saying that subscriber data is something different. It is something different from communications data and content. The former should be subject to one legal regime and the other should be subject to another legal regime. So my personal opinion is that there should be a distinction between the two. My concern with the current definition of RIPA is that it is so broad. “Anything held by a service provider” is extraordinarily broad.

MR. ALLAN: Let me ask you about the common practice of dealing with urgent issues, such as interrupted 999 calls on telephone contacts that can go through and pick up information through an “urgent” procedure. I do not know if you have looked at that at all and have a view on whether one can have “urgent” procedures which are lawful? There may be huge public support for that. I do not think that anyone would want anybody not to give information on an interrupted 999 call where it may save a life, but there are questions about whether or not that can be done lawfully under the current legal regime or whether we need any amendments. I do not know if you have a view on that.

DR. WALDEN: I think the current regime seems fairly clear. It talks about a “notice of authorisation in writing or given in a manner which produces a record of it having been given”. So if I was to note down contemporaneously or if I made an oral request which would be followed up, I think that satisfies the requirements.

MR. ALLAN: So an oral request followed up by something in writing, you think, would normally meet the requirements?

DR. WALDEN: Yes. It is very broadly drafted. The important thing is to produce a record of that authorisation. It does not say that it just has to be in writing, so some sort of oral record, bearing in mind that oral records can be kept in one way or another, should be satisfactory.

MR. WHITE: One of the things which has been suggested to us is that Part I Chapter II of RIPA is so fundamentally flawed that we should just rip the whole thing up and start again. Is that a view which you subscribe to or is the modifications route a better route to go down?

DR. WALDEN: I am a lawyer, so I must come up with two answers. The first answer is that I do not think it is fundamentally flawed. I think it could be amended to be workable. However, because of the initiatives under the Cybercrime Convention, European initiatives and the Framework decision, I think there is an opportunity that the Government have or will have to try and rationalise this legislation governing law enforcement powers. RIPA has not achieved that successfully. As a piece of legislation, I have seen many worse.

MR. WHITE: If we did go down this route to try and sort out some of these issues, should we leave the legislative powers around for the other agencies to use or should we wrap them up into a new piece of legislation?

DR. WALDEN: I think the approach taken with regard to interception is the correct one. RIPA, Part I Chapter I, says that interception is lawful under this legislation or recognises other legislative bases. To try and wrap them all up in a single piece of legislation is going to be, I think, a nightmare for legislators. I think the more appropriate way will be to say that RIPA, Part I Chapter II, details all of the circumstances where access to communications data lie, but it does not have to detail all of the circumstances in the legislation itself, but it should clearly indicate other pieces of legislation where those rights exist.

MR. WHITE: But is not one of the reasons why RIPA came into existence because people did not know all of those other things existed?

DR. WALDEN: RIPA came into existence for a range of reasons. Bearing in mind the needs of law enforcement agencies and the needs of the Human Rights Act. Again, as has already been mentioned, I think that shows in the interception provisions. As to the interception provisions, I have arguments with interception capability issues, but the actual rules governing interception, I think, are fairly clear. What RIPA Part I Chapter II does not achieve is the clarity that Part I Chapter I has. You know what I mean.

MR. ALLAN: The final point from me is on this question of whether there is a need for new legislation, reform or a revision of legislation. It was interesting to hear about things like “denial of service attacks” not being considered, or even on the horizon, the last time we legislated in this area.

The other point I am interested in is whether anyone is looking at the implications of work arounds for RIPA, which is something we raised at the Committee Stage. An obvious response is to create a market for work around systems, as in anonymous e-mailers — e-mail forwarders — where the communications data is entirely unidentifiable. You can do the same for web sites. I picked up a magazine a few weeks after we had all of this fuss in the summer (I forget the exact title, but I think it was Net Magazine) and on the front it said: “Here is your anonymous IP address package”. I was wondering if anyone was looking at that from a legal perspective, whether those involved with cybercrime start to look at some of these forward thinking things, where if somebody wanted to work around RIPA currently there probably are some very good legal routes to do that?

DR. WALDEN: Yes. It is an issue which has arisen in the Cybercrime Convention and has arisen in respect of copyright law at the moment. There is the whole issue of circumvention devices. You can create circumvention devices. Is the use of such devices and the manufacture of such devices legal? I think it is a very difficult area to legislate for. I think we have to be very wary about trying to prevent such technology developing, because I think there is a knock-on effect to the broader scientific research community, which I think we have to be very wary of.

I do not think there is evidence that people have started using these things on any significant scale. In the same way that digital signatures and certification services were hailed as the great vanguard mechanism for authentication, but they have not taken off as a mechanism for authentication to date. I think we have to be wary of law-makers preceding technology. As a modest lawyer, that is always my first response.

MR. ALLAN: So you do not want to be too far behind or too far ahead?

DR. WALDEN: Never too far ahead.

MR. WHITE: As we come to an end, is there anything that we have not talked about which you think we ought to be focusing on in this inquiry?

DR. WALDEN: No. That is all I wanted to say.

MR. WHITE: I thank you for coming. Again, it has been valuable to have a slightly different view to confirm and challenge some of the previous evidence we had. Thank you very much.