Foundation for Information Policy Research
MR. WHITE: I welcome Dr. Ian Brown, who is Director of the Foundation for Information Policy Research, which for ease I will call FIPR. Ian, could you explain what FIPR is and make any comments which you want to start with?
DR. BROWN: The Foundation for Information Policy Research was set-up in May 1998 specifically because of the evolving legislation at that time which eventually became FIPR. FIPR did a lot of work as it was going through Parliament in analysing the implications of various parts of it. Through advising legislators, especially Peers, it had some significant effect on the final legislation. FIPR also works in another technology policy area, such as copyright or electronic voting and medical privacy, but surveillance has been a big part of what we have worked on. Just to sum-up our submission to this Inquiry, I guess the two most important points are, as many people have said, we do not think there should be a difference in the regime for access to communications data and access to actual content of data. We think from the way the Internet works and is evolving, it is virtually impossible to try and take the previous regime, which was well understood, of basically looking at telephone records and itemised bills, and to apply that to Internet data. Internet communications data can provide a lot more detailed a picture of the content it is describing than itemised telephone bills do of telephone calls. We think they should be subject to similar oversight and control.
Subscriber data — I would not go much further than, basically, name and address — is the vast majority of what is being accessed by various law enforcement agencies today. There is a case that that should be under a self-authorisation procedure. We probably do not think that that should apply to other types of communications data. On forcing ISPs and telephone companies to retain that data longer than already do for business purposes, we think, is a disproportionate invasion of privacy. We think that the vast majority of data already being stored is what law enforcement agencies find useful, and we think that the powers in the Anti-Terrorism, Crime and Security Act, which have already got into a real tangle with the Home Office trying to implement them, should be allowed to lapse.
MR. ALLAN: The point where police investigations come in — we are trying to get the balance right between catching the villains and having privacy — subscriber data is clearly very useful, and I suspect there may be general public acceptance that police officers in pursuit of somebody can find out who the person was they telephoned, or is using the Internet to access something they did not ought to if it is a serious offence.
The next level we go to is telephone itemised billing, which you mentioned. Then beyond that we get into areas to do with every website visited and every person e-mailed and so on. Would you think that there is a justification for a three-tier approach or are you suggestion just a two-tier approach, with subscriber data taken out? Telephone itemised billing is also, I think, a very important tool. Given the fact that we have had other evidence to suggest that most of the stuff we are talking about here is mobile phone data, criminals are far more likely to be using mobile phones than ever to use the Internet. Do you see a role for a different regime perhaps for itemised telephone billing, and then a third regime where we put the Internet data in with normal interception-type data with those kinds of protections?
DR. BROWN: I can see the distinction that you are trying to make there. However, there has already been much confusion and difficulty in delineating the category 21(4)(a), (b)-types of data that to try and swap that regime around would add more confusion. It sounds appealing to say that telephone itemised bills is one category and everything else is another, but does that then encourage criminals to use e-mail more or what practical effect will it have on the techniques criminals use to anonymise the mobile phones that they are using, and that type of information. I think it has proven tricky. I think the clear way that we have found to do it might be an approach worth taking, but I would not be sure that you could find that way.
MR. ALLAN: I am thinking that there may be huge resistance amongst the law enforcement community with public sympathy for taking telephone itemised billing, which is a useful tool, and putting it into a very very restrictive regime. There may be more public sympathy for saying that Internet-type data should be in a more highly restricted regime.
DR. BROWN: Yes.
MR. ALLAN: We will have to test that proposition.
MR. WHITE: You mentioned that you were in favour of self-authorisation. Would you explain what you mean by that?
DR. BROWN: The self-authorisation procedure.
MR. WHITE: Yes.
DR. BROWN: Under RIPA all of this communications data, including subscriber data, will be able to be accessed just with a notice of an authorisation from a relatively senior official within the agency that is accessing the data, and then that procedure is overseen by the Interception Commissioner and his/her staff.
When you look at the number of the requests which are made at the moment under previous legislation, such as the Data Protection Act, there is probably more than a million a year when you take all of the subscriber communications data. We do not think that that can effectively be overseen by the Interception Commissioner no matter how much his budget is increased. The Government have said that they will resource that office properly because of the problems that the Intelligence Select Committee has found. For the past two years that office has had serious resource problems. That is why we think it is important that you separate out the subscriber data requests, which is the vast majority of requests being made to a communications service provider, and have this relatively low level of self-authorisation. There would be a much smaller percentage of that. You then have an independent oversight from a judicial party from whom you have to get authorisation before the access is granted, rather than it being, maybe, randomly sampled and perhaps picked up.
MR. WHITE: Like a search warrant-type thing?
DR. BROWN: Exactly. We think that the intrusiveness of information about which web sites you have been using with your mobile phone is much more serious certainly than the itemised billing and certainly than simply “What is the name and address of the person who owns this telephone number?”
MR. ALLAN: On the question about notification of requests to access communications data, when we looked at the issue during the summer about the other agencies being involved and we went back and looked at the provisions of communications data, my understanding is that there is nothing explicit in the law which prohibits the notification of the customer that their communications data has been accessed. Whether that would be desirable or not is another question, but (a) that it is not legally prohibited and (b) we have the question of whether or not it would be desirable, do you have a view on that?
DR. BROWN: I am not a lawyer so I could not give you a legal interpretation. I certainly think it is desirable, just to shore-up public confidence in the system. The situation at the moment is that where people feel that their privacy has been invaded, they can appeal to a tribunal. It is very difficult to know on what basis you would do that. The way the legislation operates means that what happens would largely be secretive. It may be the case that the communications service providers could notify customers, although I am not sure about that. I think people would be much more confident. When I have spoken to people in the Home Office about this, they often get frustrated about the paranoia of people like us and people around the country who think they are being spied on by various government bodies. I think it would be much clearer to the paranoid people and to the non-paranoid people if people did know when data about them had been accessed and, correspondingly, when it had not. It also acts as a very important check on the use of the powers. At the moment you are relying on, basically, one office, which is the Interception Commissioner, to oversee a vast number of requests. If you notify individuals when data about them is accessed, it means that the individuals know if something has happened and they are in the best position to know if it is probably justified or not. Therefore, it lets them appeal to a court or to the Investigatory Powers Tribunal.
MR. ALLAN: Let me play Devil’s Advocate on that. I think I would be extremely worried if anybody had a record anywhere that said, “I have the kind of Internet account or telephone account that people want to investigate”. In other words, I think there is a real threat there. If somebody had requested my communications data, I would be interested in the record of that request being destroyed in itself and not then becoming part of the problem. I may, innocently, have been called by somebody who had a mobile telephone who was involved in a crime and the authorities have legitimately asked for my communications data and then written me out of the inquiry, but I do not want to be associated with that inquiry any more. I wonder how we get round that problem?
DR. BROWN: I agree that that is another important consideration. You would not want these notifications to be public. Certainly you would want the person who had accessed the data and received it — it is entirely up to them — to shred the letter. Yes, you would want to limit any other disclosure of that information.
MR. WHITE: Is there a time limit when you do that disclosure?
DR. BROWN: That is a point for debate. I think around the six months or a year figure. Obviously, if the notification would prejudice an on-going investigation, then, certainly with judicial approval, it can be postponed for a year, two years or whatever period it was felt useful. I think the vast majority of them, as Richard said, would not be involved in an on-going investigation. It would be somebody who was called entirely innocently.
MR. WHITE: We have had a situation which we have heard about like September 11th, where the data is preserved. What would you do in those circumstances?
DR. BROWN: Are you talking about preservation or the notification?
MR. WHITE: Notification, about where the data has been preserved.
DR. BROWN: I think it is the same situation. Six months or a year later, the vast majority of the data that was looked at would almost certainly not be part of the on-going investigation, so those people could then be notified. If the police or the intelligence agencies, or whichever agency thought they had on-going leads and did not want to tip-off various people, then with judicial approval they can postpone that notification.
MR. ALLAN: I want to ask you about data warehouses. In the session we had earlier we discussed with the ISP various ways in which, if they were asked to retain data, it could happen. The assumption at the moment seems to be that the ISPs would have data warehouses rather than the Government. We have tested this, and both of them seem to be non-human rights compliant, whether it is an ISP or the Government doing it. So there is much of a muchness there. Do you have a view as to which is the worse of the two options? Do you think the Government is more totalitarian than the ISPs or vice-versa? That is private versus public. Are both of those options equally horrific?
DR. BROWN: I would say that the Government one is worse. Practically speaking, the ISPs have access to the data anyway, whatever happens. So if there is corruption and fraud within the ISPs, then they have access to that data already. I think it is very important to keep the communication service providers, as they are the ones who are holding the data, because it provides an extra level of oversight and it puts one more barrier in the way of a potential misuse of the data.
MR. ALLAN: So you think the system of notice is far preferable to that of authorisation? If somebody turns up at an ISP and asks for that data, then they are carrying out all of those security procedures.
DR. BROWN: Yes.
MR. ALLAN: If it were to go ahead.
DR. BROWN: That is right. On an ancillary point, if communications service providers are storing it, it means the data is in 6, 7, 8 or 9 separate locations, whereas if you have a central Government warehouse it is all in the same location and open to abuse.
MR. WHITE: We have talked with other witnesses about whether RIPA should be just torn up or whether we should make all sorts of amendments. What is your view?
DR. BROWN: I think you could certainly rank the parts as getting worse and worse. Part I Chapter I would probably be the least objectionable level, but quickly going up to Chapter II and Part III, they have problems. Anyway, I know we are not talking about Part III today. I am not a Parliamentary draftsman, so whether the best way to fix the problems with Part 1 Chapter II would be, essentially, to rip it up and start again or through serious amendment, I am not sure. I am not sure that it does need serious amendment.
MR. WHITE: You do not think it can be sorted through codes of practice?
DR. BROWN: I do not think it should be. I think it should be primary legislation. It is such an important subject. We should not be relying on codes of practice which can be changed relatively easily in future.
MR. WHITE: Let us assume that we do not have the Parliamentary time to fix this. What do you think should be the route of the Government to put primary legislation into place?
DR. BROWN: The easiest thing for them to do on data retention is nothing, because under section 105 of the Anti-Terrorism, Crime and Security Act those powers will lapse if they are not used in the first two years after the Act is passed. So that is quite easy for them to do. With Part I Chapter II, again, those powers are not actually switched on, which is incredibly frustrating to the police and other bodies on the face of the Act. There, I would say that the orders that need to be made in satisfying the public authorities that can use those powers should be limited to the agencies on the face of the Act. Really, to fix the problems with subscriber data as opposed to communications data, and requiring judicial approval for non-subscriber communications data, I think we probably need new primary legislation.
MR. ALLAN: Let me ask about the data retention powers. Are you comfortable with the idea of data preservation, which was suggested to us as an alternative, which is a targeted form of data and then making it available?
DR. BROWN: Yes.
MR. ALLAN: To access that preserved data, presumably, we would need Part I Chapter II of RIPA to be implemented?
DR. BROWN: Yes. Whether it would be available under all the purposes in RIPA or whether you would limit it to specifics such as national security purposes is a question for debate, but, yes, you would need those powers.
MR. ALLAN: Part I Chapter II seems to pose a dilemma because there is pressure from the CSPs and the law enforcement community to say, “We are very uncomfortable with what we are doing at the moment because it is illegal under the human rights legislation, so we want something that looks like Part I Chapter II, but we want it not quite exactly as it is in Part I Chapter II”, which poses a real dilemma because there would be pressure to implement something urgently which is flawed?
DR. BROWN: In the short term the codes of practice would be slightly more appropriate in limiting the way that those powers were used, but I think in the medium to long term they do need primary legislation.
MR. ALLAN: Your organisation had a very high profile in the summer over the extension to other agencies. How do you feel about the fact that other agencies, anyway, are doing a lot of this and have powers in all sorts of odd bits of legislation to do it, apparently? I am putting the Government’s argument now — I do not know why — but is it not better to have them regulated within the framework of RIPA doing it rather than doing it in these ad hoc ways. That is the Government’s argument, is it not? How do you respond to that?
DR. BROWN: To some extent I would agree. However, the Government were slightly disingenuous in saying, “All of this is happening anyway under these various other Acts.” There are additional powers in RIPA. For example, CSPs can be compelled to start recording data but they were not before. I think it is better that it comes under the human rights compliant framework. Whether the powers in those other Acts would actually survive a legal test is another question. We may find that out in the passage of time.
MR. ALLAN: So maybe people like trading standards, who are using legal powers which pre-date the Human Rights Act, are of themselves not complying with human rights but they have not just been tested yet?
DR. BROWN: Yes.
MR. ALLAN: So just to translate those into RIPA would not make sense?
DR. BROWN: I certainly do not think that the Home Office should come out with a list, which I think they have, of where all these powers reside across various other pieces of legislation, and say, “Everyone who already has these powers, we will automatically put onto various lists in RIPA”. I do not think that is appropriate. I think the vast majority of what the agencies are using, such as the Trading Standards Agency, the local councils and various other bodies who caused so much controversy during the summer in having these powers, will be subscriber data access. So giving them access to that under RIPA but then requiring statutory and judicial procedures for them to access other types of data, I think, would be the way to do it. That is something that many people in the summer, who had never heard of RIPA before, found really outrageous, that this long list of agencies could, potentially, have got access to things like lists of web sites and where people have been using their mobile phones. If it was limited strictly to the name and address of an owner of a mobile phone or e-mail address, I think we would have been a lot more comfortable with that.
MR. ALLAN: Could that be done in regulation under the current RIPA format to say that agency A can have a subscriber base but they cannot have anything else, whereas agency B can have everything?
DR. BROWN: Most of that long list of agencies could be limited to section 21(4)(c). Section 21(4)(c) is a bit unclear, and it could be improved. As a stop-gap solution —-
MR. ALLAN: If the Home Office wanted to satisfy their critics in the Guardian and Daily Telegraph they could come back with something which says, “We are giving these powers, but we, the Home Office, will guarantee that these agencies will only as subscriber data and nothing else”?
DR. BROWN: And how strong that guarantee could be is another question.
MR. ALLAN: Yes; but that may be an approach they wish to take.
MR. WHITE: One of the things you said was that urgency created by the Anti-Terrorism, Crime and Security Act has effectively disappeared because we have not had a major incident within a year. Is it not really the fact that we still are dealing with terrorism and there is still a major threat and the imperatives for the Act still exist?
DR. BROWN: We were not saying, in retrospect, that the Act was foolish because there has not been another World Trade Centre attack. What we were saying was that the ATCS was pushed through very quickly after September 11th 2001. In retrospect, looking at the powers at the time which the Government thought were needed, it seems that the communications service providers were already storing, in reality, enough data for the law enforcement agencies to do their job, and these extra powers were not needed. Indeed, Parliament was very determined about that. They gave the Government a lot of trouble over those provisions and significantly limited them to national security purposes as opposed to the full RIPA purposes, which was the Government’s original proposal. With the benefit of perfect hindsight, I think the Government could look back and say, “This was not as urgent as it seemed at the time and, actually, we can achieve the vast majority of our objectives by using data which has already been stored”.
MR. WHITE: Reference has been made to the whole issue about passing information to foreign police forces and we have been discussing the European warrant this week. We heard earlier that the ISPs are very wary of giving UK police information on a German user. Is not the whole point of ATCS and RIPA to tackle international drug pushing, international terrorism and that kind of organised crime?
DR. BROWN: Certainly that covers some of the purposes of RIPA. Again, we are not saying that that data should never be accessed by foreign law enforcement agencies. What we are saying is that it should be done with the oversight of UK law enforcement officials just to ensure that UK public policy objectives are being met. One of the examples we gave was that if data was being requested by agencies in the US or Saudi Arabia, for example, which have the death penalty, then Britain generally will not give assistance in those cases because we disagree with capital punishment. It is vital for that reason and also to keep the public trust. There would be a real public outcry if people thought that various police agencies around the world were able to access this data without oversight from the British law enforcement agencies.
MR. WHITE: But is there not a fundamental difference between a Foreign Office official sitting in Whitehall making a judgment in the real world as opposed to a virtual world where the opportunities are so much greater? How would a single official in the Foreign Office actually cope with that amount of data?
DR. BROWN: Bearing in mind the wide range of officials, you would obviously want people who understood what was being asked for and had experience in the UK with UK law enforcement agencies accessing the data. So you would need people who worked as single points of contact in police forces, for example. You certainly would not want to give it to a random diplomat sitting in the Foreign Office. It would have to be people who understood what was being asked for.
MR. WHITE: They would need to understood what the policy imperatives of the Foreign Office were.
DR. BROWN: Yes. The way that mutual legal assistance has worked up to now is through quite a slow and drawn out procedure. There are a difficult set of considerations to take. We are saying that they should not be short-circuited. There should not be ways in which the law enforcement agencies can bypass that whole well-tested procedure and get various pieces of data for investigations which might be contrary to British interests.
MR. ALLAN: We may have to come back to the ISPs on this. I am thinking about the variance in the regime as well. I do not know if you have looked at other European regimes. I understand that Belgium is moving ahead with the data retention policy. The presumption, for example, is that Germany would be going in a different direction because of their very strong notion of data protection. They originate much of the data protection law. As we liberalise our European telecoms market, there is no reason in the near future why I should not dial into a German ISP or choose to go for one which offers a different level of protection. We are coming back to internationalisation. I do not know whether you have looked at cross-European data at all.
DR. BROWN: It is quite a big area to debate. I think the practical application of what you were saying about the liberalisation of the telephone market is that, in practice, there will just be three or four EU-wide telecom providers. So, really, in reality the UK law enforcement agencies would not have much trouble because they would have leverage over Vodophone or if British Telecom expanded much more significantly across the EU, because those companies would have exposure to the UK legal system. That is how the US does a lot of this. They are very determined when foreign telecoms come into the US, because there have to be all sorts of approvals at the highest level of US Government. They make sure that they can still do intercepts of communications.
The situation across Europe, obviously, will be very dependent on what happens with this draft framework directive in the EU which the Danish Presidency has canvassed opinion about and actually got interest from quite a few of the States. I think Austria and Germany were the only two of the 15 states which had any significant objections to it. It may be that that will move forward.
MR. ALLAN: What does that do?
DR. BROWN: That was a proposal from the Belgian Presidency, the previous presidency, that would force a uniform data protection regime across the EU. They were talking about a period of 12 to 24 months. The directive would also harmonise a list of 32 offences for which EU Member States would have to allow access to law enforcement agencies from other EU Member States to this data.
MR. ALLAN: So the directive would say that every ISP anywhere in the EU will have to retain the data for 12 months. You would have to be implementing national law, like all directives, and it would totally supersede anything which we had on the statute book at the moment?
DR. BROWN: Yes.
MR. ALLAN: And we could blame Brussels for it.
DR. BROWN: Yes. It does sound from the various meetings which went on in the EU, as though it refers to changing the previous telecommunications directive which banned this, and then hot on its heels came this other draft directive then mandating it across the EU.
MR. ALLAN: Presumably, the difficulty there is that what they will not have done is to look at the implications in terms of the local law where, for example, the data protection regime in Germany might create a very different level of protection for that retained data from the UK common law position where we have heard that even down to civil proceedings people can go and say “I want the retained data”.
DR. BROWN: Exactly.
MR. ALLAN: Even though it looks like a common measure, it has very different implications in each Member state?
DR. BROWN: That is right. The one last thing I would say on your original question, which was if a UK Internet user subscribes to a German Internet service provider and is just, basically, making an international call, at the moment the call itself could be intercepted as it was going across the UK infrastructure. It may then, of course, be encrypted, in which case you would have problems. That is a whole section of RIPA.
MR. ALLAN: But I would not be going through any ISP-type person in the UK who could actually retain that stuff. The German ISP could retain that stuff?
DR. BROWN: Yes. It is more of a Part I Chapter I issue rather than Part I Chapter II.
MR. WHITE: As we have come to the end, is there any part that we have not touched on which you think the Inquiry ought to be looking at?
DR. BROWN: I think you have covered everything.
MR. WHITE: One matter that we have asked other witnesses, although it is slightly beyond our terms of reference, is the Computer Misuse Act and the need to up-date it. Do you have concerns about that?
DR. BROWN: I am not an expert on that subject, so I will not pontificate on it.
MR. WHITE: Thank you very much. It has certainly been a different point of view