Dr Ian Walden Evidence
APIG Communications Data Inquiry Oral Evidence
Dr. Ian Walden
Wed, 11 December 2002
MR. WHITE: I welcome our second witness, who is Dr. Ian Walden, who
is Head of the Institute of Computer and Communications Law in the
Centre for Commercial Law Studies, Queen Mary, University of London.
Dr. Walden, thank you very much for coming at short notice. As you
know, we are conducting this investigation. Is there anything you would
like to say by way of introduction?
DR. WALDEN: I was going to say a few things which have arisen from
points which have already been made this morning. As Clive pointed out,
there is a morass of legislation in this area. Of course, the most
uncertain area is that of the Human Rights Act and how the Human Rights
Act applies. Clearly, one of the big questions which has been trying
all sides of the debate in this area is the extent to which the
Anti-Terrorism, Crime and Security Act is in itself complaint with the
European Convention on Human Rights. I suggest that the trend is in
favour of finding that whilst the Act itself may not be in breach of
the European Convention, the Act, in conjunction with other
legislation, most particularly the Regulation of Investigatory Powers
Act, does render serious questions in respect of European Convention
compliance. Again, this question of what does RIPA do. RIPA, clearly,
provides for an exclusive competence for interception. It lays down the
circumstances and the only circumstances where interception is lawful,
whereas in respect of access that is not the case. RIPA does not
provide for an exclusive legal basis upon which access can take place.
As Clive pointed out, there are numerous other pieces of legislation
which continue to exist which make this a very difficult area to see
the wood for the trees, so to speak. Finally, there is the point about
the need for reform of computer misuse. Part of the remit of this
Committee is to examine whether there is a need for a general reform of
all of these pieces of legislation to try and make greater sense. With
the Council of Europe's Cybercrime Convention, which was adopted in the
latter part of last year, the Government has an excuse, if you like, to
look at these areas again. I only hope that they review legislation
relating to computer-related investigations to try and tie all of these
things down into a much more coherent framework.
MR. WHITE: Are you suggesting that we rip up RIPA? I did not mean
that to sound flippant, but to re-word the myriad of existing Acts into
a single piece of legislation? Would that help or just complicate
matters?
DR. WALDEN: I think it would help. Clearly, from the point of the
view of the recipients of the requests, i.e., communication providers
having a single statutory instrument which describes the circumstances
under which it is lawful to request communications data would be
helpful. It has been achieved in respect of interception. So I feel it
should have been attempted in respect of access to communications data.
MR. ALLAN: I am thinking about the way in which we got to where we
are now. RIPA, essentially, came out of subsequent Communications Acts
and then an adverse human rights judgment, which the Government had to
respond to. The way in which we seem to have legislated in RIPA is to
take what applied to telephones and stretch it to the Internet. I am
thinking, from what you are saying, whether that stretching is entirely
wrong. We ought to have started again understanding that the real area
of interest in criminal investigations, which was not working and was
still developing was the Internet stuff. The telephone thing was okay.
It seems that the difficulties in implementation are not on the
telephone, because they are fine and they carry on working as ever, but
on the Internet bit. Is that a reasonable assessment?
DR. WALDEN: Yes. I think there is the concern that this is reactive
legislation rather than legislation that started with a green field
site, so to speak. Even the European Court of Human Rights, I think,
has in its judgments in respect of interception has somewhat lagged
behind in the developments in communication, as a number of submissions
have stated. Historically, access to the content of the communications
was seen as some serious breach of privacy over and above access to
communications data because communications data was not perceived to be
as fundamental to our privacy as the actual content. I think the nature
of communications technology has changed that balance. I think that
communications data in the sense of traffic data and usage data reveals
as much about our personal life as the content of the communication. I
think the onus is upon Government and policymakers to justify why the
treatment of those two types of data is so different.
MR. ALLAN: On the specific point of a voluntary data retention
scheme, which we have just discussed with the ISPA, they clearly
expressed their concerns about the difficult position they are put in
in respect of holding that data and other requests which may then come
in. Is it your view from a legal perspective that those fears are
justified? Do you support the fact that they should be afraid of people
making requests? For example, the one which is cited is if a civil law
request comes in against data which, ostensibly, has been held for
anti-terrorism purposes. Do you think that does expose them to a suit
under, I guess, article 8 of the European Convention on Human Rights,
that the customer feels their rights to have been breached in a way
that was not necessary or proportionate?
DR. WALDEN: Yes. Because it is human rights legislation it is,
inevitably, unclear, but I believe that the way in which the
anti-terrorism and RIPA legislation interacts is not so much in respect
of retention but in the access component that renders the provisions in
breach of the European Convention on Human Rights. The question whether
that gives rise to potential liability upon communications providers is
much more uncertain. For example, one of the questions is would a
communications provider be considered to be a public authority for the
purposes of human rights legislation? That is a very uncertain area. I
would, probably, personally, tend to believe not, that they would not
be perceived to be a 'public authority'. However, were they perceived
to be a public authority in that respect, then their acts are not
unlawful if what they are doing is simply complying with
anti-terrorism, crime and security provisions which are themselves
incompatible. There are so many complex steps in imposing liability
upon a communications provider that I tend to think that the risk is
relatively low, but the risk does exist.
MR. ALLAN: And presumably the only way to find out would be the
person who feels aggrieved, the ISP customer who has gone to court,
that the other side is using his or her communications data and then
says, "I am suing my ISP" and we trundle all the way up through the
courts.
DR. WALDEN: A person who felt aggrieved would have a choice of
litigants. Would you choose to litigate a small ISP or the Government?
I think you would pursue the Government as having the deepest pockets.
MR. ALLAN: So taking a case directly against the Government?
DR. WALDEN: Yes. Even if the communication provider was perceived
to be in breach of article 6 of the Human Rights Act, the requesting
party, the law enforcement officer, would also be liable for breach
under article 6 of the Human Rights Act. Therefore, you would have a
choice of litigants. You could pursue both, but you are probably more
likely to pursue the Government rather than the communication provider.
MR. WHITE: There has been a strong debate in the ISP community
about whether it should be a mandatory or voluntary scheme, and the
balance has shifted over time. What is your view?
DR. WALDEN: I think the question of whether compliance with a
voluntary or directed scheme is compliance with the human rights
legislation is much of a muchness. I think the failure of the
legislation is, again, not whether it is voluntary or mandatory but the
interaction with the data access provisions under RIPA. The concern
about voluntary is whether that exposes them to greater liability. I do
not believe it does expose them to greater liability. The liability
exists under a voluntary or a mandatory regime.
MR. ALLAN: If we were to stick to the spirit of the ATCS, which
said you could have a scheme for retaining data for the purposes of
fighting terrorism, national security and so on, if you wanted to
enforce that, you are saying that we would have to go back and re-write
the access provisions in RIPA to say, "From an access point of view,
the data is retained for these purposes and it can only be accessed for
these purposes". That would be one way round?
DR. WALDEN: Section 25(3)(b) of RIPA does give the Secretary of
State the right to limit the purposes for which law enforcement can use
their powers under section 22. The Secretary of State could make a
request, and I would recommend this if they are not intending to reform
the whole legislation. One way to limit the rights of law enforcement
to get access under section 22 would be some form of order under the
provision I mentioned. That does not solve the problem of civil
parties. As Clive said, it may be one or two at the moment, but I think
most lawyers recognise now that much useful evidence can be found in
e-mails and related communications activity. If we look to the US as an
example, these are now constant sources of valuable data about
government activities as well as of other parties.
MR. ALLAN: Once you have got the data there itself, then that is where the problem starts, as it were?
DR. WALDEN: Indeed.
MR. ALLAN: As soon as you have stored that data, whether you have
stored it for a very limited range of purposes or not, its existence
may cause you problems because all of the other bits of legislation
that can get in?
DR. WALDEN: Yes. You could not re-write RIPA to say "This data is
not accessible to a civil litigant who has a perfectly legitimate
right". I think the courts would find such provision in breach of human
rights in the sense of a right to a fair trial, because that data
exists and it could be accessed to be used in my defence against a
legal action. Legislation preventing me to gain access to that data, I
think, would be a breach of the Human Rights Act. They cannot close the
gap. So there is a problem both ways. Because civil litigants have the
right to access it, I believe the provisions are in breach of the
European Convention on Human Rights. To try and plug that gap would,
essentially, give rise to another breach of the Human Rights
Convention, so it is the data retention provision per se which again
cause the problems.
MR. WHITE: If the ISPs were simply to dump all of that information
onto the State and say, "Here are your 36,000 CDs. You have these CDs,
and we are scrapping all of our information because we do not have any,
apart from normal commercial usage", would that still apply to the
State?
DR. WALDEN: Yes. Such an action would clearly be disproportionate.
Even at the most general level, Norman Baker MP applied for information
from the security services and he was denied access under a blanket
Ministerial certificate issued under the Data Protection Act. The
blanket certificate was held to be in breach of human rights
legislation. So any blanket approach is always, in my opinion, a
disproportionate approach.
MR. ALLAN: So whichever agency held that data would be getting a
deluge of requests from people for that data, and you are saying they
could not just say, "We are MI5 and we are not going to give it to
you", but that they would have to deal with every case individually and
issue the data to the civil litigant in the same way the ISP would have
done if that was appropriate?
DR. WALDEN: Yes. The UK Government have been found liable under the
European Convention on that sort of issue previously. An example is the
Gaskin case in 1988. One of the changes to the Data Protection Act 1998
was to render English law compliant in that respect. There can be no
blanket refusal.
MR. ALLAN: "Just having this data around is a problem. We don't
want it". Can we ask about the section 29(3) of the Data Protection Act
method of access. This is what I understand they do at the moment, as
we heard from the ISPs. Do you have a view on whether that is Human
Rights Act compatible or not?
DR. WALDEN: I find looking at the legislation it hard to believe
that it would fall foul of human rights legislation. The legislative
provisions clearly make it foreseeable to an individual that their data
could be accessed for the purpose of a criminal investigation. The
certificates which have been agreed between the industry and law
enforcement agencies, I think, probably give greater credence to this
process rather than rendering it less compliant with human rights
legislation. I understand that certain authorities do believe that
there is a question there, but my personal view is that I do not think
it is, by any means, clear that the 29(3) approach is unlawful.
MR. ALLAN: Would it not depend on the individual case and whether
or the ISP agents had properly carried out their function? In other
words, if I were a complainant and I believe that the ISP has breached
my data protection rights, what I would be seeking to do would be to
prove that because they get 300 of these things coming across their
desks, they do not really make an individual judgment and, therefore,
they are not properly respecting the legislation principles. Is that
the kind of area that I could be in?
DR. WALDEN: Yes. In terms of any legal action under the Data
Protection Act, essentially, apart from a few offences of strict
liability, a data controller has to show as a defence that they have
taken reasonable care. By not disclosing data except in accordance with
a section 29(3) certificate, so if the police come without a section
29(3) certificate and they only agree to disclose if they go through
this procedure which has been agreed between the industry and law
enforcement, then that is some level of care. At the same time, every
single request should be checked to show it has been appropriately
completed, that it is appropriately authorised and all the other
procedures. They cannot just say, "Here is the certificate. Let's open
the doors". Everything has to be subject to some application scrutiny.
MR. ALLAN: So if they are being rubber stamped and automatically processed, that would be a problem?
DR. WALDEN: I think that is the area of concern, yes.
MR. WHITE: Is not one of the problems that the SPOCs -- I love that
term as a way of asking for data -- are having a backlog at the moment
and that they are not actually dealing with all the requests which they
receive, and therefore people are finding other ways of getting round
that?
DR. WALDEN: As has already been said, there are a variety of
legislative means by which you can ask for data. As the section 29(3)
mechanism comes into some disrepute or uncertainty, then agencies will
rely on other routes. The police have powers under the Police and
Criminal Evidence Act. Clive has mentioned a number of other routes,
which are myriad, by which such data can be accessed.
MR. ALLAN: Is there a problem in human rights terms if you have
somebody else accessing data on your behalf? Clearly, one of the
proposals from an ISP point of view is that a small number of very well
informed SPOCs is the best way for them to deal with these requests.
Obviously, when we had a discussion about the other agencies coming up
in the summer, the suggestion was "Why don't they all go through a
police SPOC?" My understanding is that that has some legal doubt around
it because it is not the agency themselves asking for the data but
through a third party. Do you think there is a legal problem there?
DR. WALDEN: I do think there is a legal problem. I am not sure that
that problem resides in human rights legislation. It certainly is a
very specific problem in RIPA. RIPA says that a notice of authorisation
must be to disclose data to somebody within that organisation. To then
disclose it to a third party, the original requesting party, would,
essentially, be in breach of the spirit and, I believe, the letter of
the law. So in RIPA there is, I believe, a problem with the SPOCs
acting as clearing houses. Whether that is in breach of human rights
legislation, again, is much less clear. If it had appropriate
procedural safeguards and codes of practice which were published, then
I do not think it would innately be in breach of human rights
legislation.
MR. ALLAN: But if we want to come back and say, "There may be
limited circumstances under which local authorities, for example, may
need to access communications data", which could be quite proper and
receive public acceptance, but if we wanted to come back and say, "This
is silly. This is nonsense. For every local authority" -- I do not know
how many there are -- "we want to have a local authority SPOC, perhaps
linked into a police SPOC", we would have, really, to go back and look
at RIPA again to make that lawful.
DR. WALDEN: Indeed.
MR. ALLAN: Yes. At the moment, every local authority, if they were
to be given these general powers, would have to have their own SPOC?
DR. WALDEN: Yes. Clearly, the legislation, from my interpretation
of it, requires that the authority that requests the data is the
authority to whom the data should be disclosed and no further. Whilst
you could be creative in your lawyering to allow further disclosures, I
do not think the interpretation of the provision would allow that.
MR. WHITE: Section 22 of RIPA applies both for notices and
authorisations. The ISPs are a bit wary of the authorisations, are they
not, because they look like licenses to hack?
DR. WALDEN: The explanatory report for RIPA suggests that there are
particular reasons why law enforcement agencies may need to have direct
access to communications data. The example they give is because the
communications provider is not able to do that themselves. So, for
example, a PABX within a company may contain data that the company
itself may not feel able to gain access to. Again, there are provisions
within section 22(5) which requires any such authorisation to be
proportionate. I think the designated person, the person granting
authorisation, would essentially have, first, to ask the question, "Can
this be provided by the communication provider?" The point is that if
they do not ask that question, I think they fall at the hurdle of
necessity and proportionality. If they ask that question and the
question is answered in the negative, "No, communication providers are
not, in this circumstance, capable of providing the data as requested",
then an authorisation is the appropriate response, but I think it has
to be justified in that way. I can understand the concerns of
communication providers, but at the same time I think that the
legislation, were it to be fleshed out in a code of practice, should be
able to mitigate those concerns.
MR. WHITE: So there should be a code of practice?
DR. WALDEN: I think there needs to be a code of practice for
communications providers to know what the difference between a notice
and an authorisation is, in terms that there is no clear explanation,
or there is no explanation at all in the legislation itself, and one
has to ask whether, in order to ensure human rights compliance, there
has to be a greater procedural detail about how those things operate.
MR. ALLAN: Can I ask you about the practice, which I understand has
been going for some time, of the terminal into the BT billing system.
It comes up from time to time and there are questions about whether
that sort of arrangement is legal. Going back to the ISP situation,
whether by analogy it would be legal for the law enforcement agencies
to have a terminal into communications data systems. Do the
authorisations cover that or is that dubious?
DR. WALDEN: To be honest, I think that is somewhat dubious. Such
authorisation has to be necessary. Clearly, it may be desirable in
terms of facilitating investigations for law enforcement to have direct
access to BT's database. Under European human rights law something may
be desirable but it certainly does not show that it is necessary.
MR. ALLAN: So if the company themselves is technically able to
provide the information, that should always be the route which has
preference over the route of direct access? Is that what you are saying
in legal terms?
DR. WALDEN: To my interpretation, I think that makes sense.
Otherwise, what does the concept of proportionality mean? I can imagine
if you said, "Nobody else can provide this", or "We do not trust the
provider", or there could be circumstances where this communications is
data is held by a communications provider and the police can show
reason why, giving them a notice, would not be the appropriate way to
get hold of this data.
MR. ALLAN: So an untrusted third party?
DR. WALDEN: An untrusted communications provider. If those
circumstances do not exist, I cannot see any need for law enforcement
to go via the authorisation route as opposed to the notice route.
MR. WHITE: Is there a difference between the big companies and the little companies?
DR. WALDEN: In respect of that answer?
MR. WHITE: Yes.
DR. WALDEN: I do not believe there is. I think the current
arrangements are merely desirable for law enforcement rather than
necessary.
MR. WHITE: We come on to the definitions of "communications data".
It has been suggested to us that the full definition of "traffic data"
should be split into four different definitions, and there have been
problems with the way the section 22 notices have been specified. Is
that a problem?
DR. WALDEN: It is a potential problem. With notices and
authorisations you have to specify the communications data that you
want to have access to. It does not say that you have to say that the
communications data is from category A, category B or category C. It
just says that you have to describe the communications data. Were any
code of practice to say "The police should specify whether the data
falls within category A, B or C of the definition", then I think
problems will arise. You rely on law enforcement to get it right about
defining those categories. So there is only a problem depending on the
procedure which relates to those notices. If the notices just require,
as the legislation seems to imply, some general description of the
communications data that you want, i.e. "I want to match this IP
address to a subscriber" -- you do not have to say "This is section
21(4)(c) data" but it is just "I want to find this sort of data -- then
that should not cause a problem.
MR. WHITE: One ISP suggested that 99% of their requests are, "Give
us the subscriber's name and address". Is there a case for having that
as a separate procedure?
DR. WALDEN: Returning to my earlier point, I do not see the legal
or moral justification for distinguishing access to communications data
and access to content. I do see a case for saying that subscriber data
is something different. It is something different from communications
data and content. The former should be subject to one legal regime and
the other should be subject to another legal regime. So my personal
opinion is that there should be a distinction between the two. My
concern with the current definition of RIPA is that it is so broad.
"Anything held by a service provider" is extraordinarily broad.
MR. ALLAN: Let me ask you about the common practice of dealing with
urgent issues, such as interrupted 999 calls on telephone contacts that
can go through and pick up information through an "urgent" procedure. I
do not know if you have looked at that at all and have a view on
whether one can have "urgent" procedures which are lawful? There may be
huge public support for that. I do not think that anyone would want
anybody not to give information on an interrupted 999 call where it may
save a life, but there are questions about whether or not that can be
done lawfully under the current legal regime or whether we need any
amendments. I do not know if you have a view on that.
DR. WALDEN: I think the current regime seems fairly clear. It talks
about a "notice of authorisation in writing or given in a manner which
produces a record of it having been given". So if I was to note down
contemporaneously or if I made an oral request which would be followed
up, I think that satisfies the requirements.
MR. ALLAN: So an oral request followed up by something in writing, you think, would normally meet the requirements?
DR. WALDEN: Yes. It is very broadly drafted. The important thing is
to produce a record of that authorisation. It does not say that it just
has to be in writing, so some sort of oral record, bearing in mind that
oral records can be kept in one way or another, should be satisfactory.
MR. WHITE: One of the things which has been suggested to us is that
Part I Chapter II of RIPA is so fundamentally flawed that we should
just rip the whole thing up and start again. Is that a view which you
subscribe to or is the modifications route a better route to go down?
DR. WALDEN: I am a lawyer, so I must come up with two answers. The
first answer is that I do not think it is fundamentally flawed. I think
it could be amended to be workable. However, because of the initiatives
under the Cybercrime Convention, European initiatives and the Framework
decision, I think there is an opportunity that the Government have or
will have to try and rationalise this legislation governing law
enforcement powers. RIPA has not achieved that successfully. As a piece
of legislation, I have seen many worse.
MR. WHITE: If we did go down this route to try and sort out some of
these issues, should we leave the legislative powers around for the
other agencies to use or should we wrap them up into a new piece of
legislation?
DR. WALDEN: I think the approach taken with regard to interception
is the correct one. RIPA, Part I Chapter I, says that interception is
lawful under this legislation or recognises other legislative bases. To
try and wrap them all up in a single piece of legislation is going to
be, I think, a nightmare for legislators. I think the more appropriate
way will be to say that RIPA, Part I Chapter II, details all of the
circumstances where access to communications data lie, but it does not
have to detail all of the circumstances in the legislation itself, but
it should clearly indicate other pieces of legislation where those
rights exist.
MR. WHITE: But is not one of the reasons why RIPA came into
existence because people did not know all of those other things existed?
DR. WALDEN: RIPA came into existence for a range of reasons.
Bearing in mind the needs of law enforcement agencies and the needs of
the Human Rights Act. Again, as has already been mentioned, I think
that shows in the interception provisions. As to the interception
provisions, I have arguments with interception capability issues, but
the actual rules governing interception, I think, are fairly clear.
What RIPA Part I Chapter II does not achieve is the clarity that Part I
Chapter I has. You know what I mean.
MR. ALLAN: The final point from me is on this question of whether
there is a need for new legislation, reform or a revision of
legislation. It was interesting to hear about things like "denial of
service attacks" not being considered, or even on the horizon, the last
time we legislated in this area.
The other point I am interested in is whether anyone is looking at
the implications of work arounds for RIPA, which is something we raised
at the Committee Stage. An obvious response is to create a market for
work around systems, as in anonymous e-mailers -- e-mail forwarders --
where the communications data is entirely unidentifiable. You can do
the same for web sites. I picked up a magazine a few weeks after we had
all of this fuss in the summer (I forget the exact title, but I think
it was Net Magazine) and on the front it said: "Here is your anonymous
IP address package". I was wondering if anyone was looking at that from
a legal perspective, whether those involved with cybercrime start to
look at some of these forward thinking things, where if somebody wanted
to work around RIPA currently there probably are some very good legal
routes to do that?
DR. WALDEN: Yes. It is an issue which has arisen in the Cybercrime
Convention and has arisen in respect of copyright law at the moment.
There is the whole issue of circumvention devices. You can create
circumvention devices. Is the use of such devices and the manufacture
of such devices legal? I think it is a very difficult area to legislate
for. I think we have to be very wary about trying to prevent such
technology developing, because I think there is a knock-on effect to
the broader scientific research community, which I think we have to be
very wary of.
I do not think there is evidence that people have started using
these things on any significant scale. In the same way that digital
signatures and certification services were hailed as the great vanguard
mechanism for authentication, but they have not taken off as a
mechanism for authentication to date. I think we have to be wary of
law-makers preceding technology. As a modest lawyer, that is always my
first response.
MR. ALLAN: So you do not want to be too far behind or too far ahead?
DR. WALDEN: Never too far ahead.
MR. WHITE: As we come to an end, is there anything that we have not
talked about which you think we ought to be focusing on in this inquiry?
DR. WALDEN: No. That is all I wanted to say.
MR. WHITE: I thank you for coming. Again, it has been valuable to
have a slightly different view to confirm and challenge some of the
previous evidence we had. Thank you very much.
(The witness withdrew)
Back to Oral Evidence Page.
