FIPR Evidence
APIG Communications Data Inquiry Oral Evidence
Foundation for Information Policy Research
Wed, 11 December 2002
MR. WHITE: I welcome Dr. Ian Brown, who is Director of the
Foundation for Information Policy Research, which for ease I will call
FIPR. Ian, could you explain what FIPR is and make any comments which
you want to start with?
DR. BROWN: The Foundation for Information Policy Research was
set-up in May 1998 specifically because of the evolving legislation at
that time which eventually became FIPR. FIPR did a lot of work as it
was going through Parliament in analysing the implications of various
parts of it. Through advising legislators, especially Peers, it had
some significant effect on the final legislation. FIPR also works in
another technology policy area, such as copyright or electronic voting
and medical privacy, but surveillance has been a big part of what we
have worked on. Just to sum-up our submission to this Inquiry, I guess
the two most important points are, as many people have said, we do not
think there should be a difference in the regime for access to
communications data and access to actual content of data. We think from
the way the Internet works and is evolving, it is virtually impossible
to try and take the previous regime, which was well understood, of
basically looking at telephone records and itemised bills, and to apply
that to Internet data. Internet communications data can provide a lot
more detailed a picture of the content it is describing than itemised
telephone bills do of telephone calls. We think they should be subject
to similar oversight and control.
Subscriber data -- I would not go much further than, basically,
name and address -- is the vast majority of what is being accessed by
various law enforcement agencies today. There is a case that that
should be under a self-authorisation procedure. We probably do not
think that that should apply to other types of communications data. On
forcing ISPs and telephone companies to retain that data longer than
already do for business purposes, we think, is a disproportionate
invasion of privacy. We think that the vast majority of data already
being stored is what law enforcement agencies find useful, and we think
that the powers in the Anti-Terrorism, Crime and Security Act, which
have already got into a real tangle with the Home Office trying to
implement them, should be allowed to lapse.
MR. ALLAN: The point where police investigations come in -- we are
trying to get the balance right between catching the villains and
having privacy -- subscriber data is clearly very useful, and I suspect
there may be general public acceptance that police officers in pursuit
of somebody can find out who the person was they telephoned, or is
using the Internet to access something they did not ought to if it is a
serious offence.
The next level we go to is telephone itemised billing, which you
mentioned. Then beyond that we get into areas to do with every website
visited and every person e-mailed and so on. Would you think that there
is a justification for a three-tier approach or are you suggestion just
a two-tier approach, with subscriber data taken out? Telephone itemised
billing is also, I think, a very important tool. Given the fact that we
have had other evidence to suggest that most of the stuff we are
talking about here is mobile phone data, criminals are far more likely
to be using mobile phones than ever to use the Internet. Do you see a
role for a different regime perhaps for itemised telephone billing, and
then a third regime where we put the Internet data in with normal
interception-type data with those kinds of protections?
DR. BROWN: I can see the distinction that you are trying to make
there. However, there has already been much confusion and difficulty in
delineating the category 21(4)(a), (b)-types of data that to try and
swap that regime around would add more confusion. It sounds appealing
to say that telephone itemised bills is one category and everything
else is another, but does that then encourage criminals to use e-mail
more or what practical effect will it have on the techniques criminals
use to anonymise the mobile phones that they are using, and that type
of information. I think it has proven tricky. I think the clear way
that we have found to do it might be an approach worth taking, but I
would not be sure that you could find that way.
MR. ALLAN: I am thinking that there may be huge resistance amongst
the law enforcement community with public sympathy for taking telephone
itemised billing, which is a useful tool, and putting it into a very
very restrictive regime. There may be more public sympathy for saying
that Internet-type data should be in a more highly restricted regime.
DR. BROWN: Yes.
MR. ALLAN: We will have to test that proposition.
MR. WHITE: You mentioned that you were in favour of self-authorisation. Would you explain what you mean by that?
DR. BROWN: The self-authorisation procedure.
MR. WHITE: Yes.
DR. BROWN: Under RIPA all of this communications data, including
subscriber data, will be able to be accessed just with a notice of an
authorisation from a relatively senior official within the agency that
is accessing the data, and then that procedure is overseen by the
Interception Commissioner and his/her staff.
When you look at the number of the requests which are made at the
moment under previous legislation, such as the Data Protection Act,
there is probably more than a million a year when you take all of the
subscriber communications data. We do not think that that can
effectively be overseen by the Interception Commissioner no matter how
much his budget is increased. The Government have said that they will
resource that office properly because of the problems that the
Intelligence Select Committee has found. For the past two years that
office has had serious resource problems. That is why we think it is
important that you separate out the subscriber data requests, which is
the vast majority of requests being made to a communications service
provider, and have this relatively low level of self-authorisation.
There would be a much smaller percentage of that. You then have an
independent oversight from a judicial party from whom you have to get
authorisation before the access is granted, rather than it being,
maybe, randomly sampled and perhaps picked up.
MR. WHITE: Like a search warrant-type thing?
DR. BROWN: Exactly. We think that the intrusiveness of information
about which web sites you have been using with your mobile phone is
much more serious certainly than the itemised billing and certainly
than simply "What is the name and address of the person who owns this
telephone number?"
MR. ALLAN: On the question about notification of requests to access
communications data, when we looked at the issue during the summer
about the other agencies being involved and we went back and looked at
the provisions of communications data, my understanding is that there
is nothing explicit in the law which prohibits the notification of the
customer that their communications data has been accessed. Whether that
would be desirable or not is another question, but (a) that it is not
legally prohibited and (b) we have the question of whether or not it
would be desirable, do you have a view on that?
DR. BROWN: I am not a lawyer so I could not give you a legal
interpretation. I certainly think it is desirable, just to shore-up
public confidence in the system. The situation at the moment is that
where people feel that their privacy has been invaded, they can appeal
to a tribunal. It is very difficult to know on what basis you would do
that. The way the legislation operates means that what happens would
largely be secretive. It may be the case that the communications
service providers could notify customers, although I am not sure about
that. I think people would be much more confident. When I have spoken
to people in the Home Office about this, they often get frustrated
about the paranoia of people like us and people around the country who
think they are being spied on by various government bodies. I think it
would be much clearer to the paranoid people and to the non-paranoid
people if people did know when data about them had been accessed and,
correspondingly, when it had not. It also acts as a very important
check on the use of the powers. At the moment you are relying on,
basically, one office, which is the Interception Commissioner, to
oversee a vast number of requests. If you notify individuals when data
about them is accessed, it means that the individuals know if something
has happened and they are in the best position to know if it is
probably justified or not. Therefore, it lets them appeal to a court or
to the Investigatory Powers Tribunal.
MR. ALLAN: Let me play Devil's Advocate on that. I think I would be
extremely worried if anybody had a record anywhere that said, "I have
the kind of Internet account or telephone account that people want to
investigate". In other words, I think there is a real threat there. If
somebody had requested my communications data, I would be interested in
the record of that request being destroyed in itself and not then
becoming part of the problem. I may, innocently, have been called by
somebody who had a mobile telephone who was involved in a crime and the
authorities have legitimately asked for my communications data and then
written me out of the inquiry, but I do not want to be associated with
that inquiry any more. I wonder how we get round that problem?
DR. BROWN: I agree that that is another important consideration.
You would not want these notifications to be public. Certainly you
would want the person who had accessed the data and received it -- it
is entirely up to them -- to shred the letter. Yes, you would want to
limit any other disclosure of that information.
MR. WHITE: Is there a time limit when you do that disclosure?
DR. BROWN: That is a point for debate. I think around the six
months or a year figure. Obviously, if the notification would prejudice
an on-going investigation, then, certainly with judicial approval, it
can be postponed for a year, two years or whatever period it was felt
useful. I think the vast majority of them, as Richard said, would not
be involved in an on-going investigation. It would be somebody who was
called entirely innocently.
MR. WHITE: We have had a situation which we have heard about like
September 11th, where the data is preserved. What would you do in those
circumstances?
DR. BROWN: Are you talking about preservation or the notification?
MR. WHITE: Notification, about where the data has been preserved.
DR. BROWN: I think it is the same situation. Six months or a year
later, the vast majority of the data that was looked at would almost
certainly not be part of the on-going investigation, so those people
could then be notified. If the police or the intelligence agencies, or
whichever agency thought they had on-going leads and did not want to
tip-off various people, then with judicial approval they can postpone
that notification.
MR. ALLAN: I want to ask you about data warehouses. In the session
we had earlier we discussed with the ISP various ways in which, if they
were asked to retain data, it could happen. The assumption at the
moment seems to be that the ISPs would have data warehouses rather than
the Government. We have tested this, and both of them seem to be
non-human rights compliant, whether it is an ISP or the Government
doing it. So there is much of a muchness there. Do you have a view as
to which is the worse of the two options? Do you think the Government
is more totalitarian than the ISPs or vice-versa? That is private
versus public. Are both of those options equally horrific?
DR. BROWN: I would say that the Government one is worse.
Practically speaking, the ISPs have access to the data anyway, whatever
happens. So if there is corruption and fraud within the ISPs, then they
have access to that data already. I think it is very important to keep
the communication service providers, as they are the ones who are
holding the data, because it provides an extra level of oversight and
it puts one more barrier in the way of a potential misuse of the data.
MR. ALLAN: So you think the system of notice is far preferable to
that of authorisation? If somebody turns up at an ISP and asks for that
data, then they are carrying out all of those security procedures.
DR. BROWN: Yes.
MR. ALLAN: If it were to go ahead.
DR. BROWN: That is right. On an ancillary point, if communications
service providers are storing it, it means the data is in 6, 7, 8 or 9
separate locations, whereas if you have a central Government warehouse
it is all in the same location and open to abuse.
MR. WHITE: We have talked with other witnesses about whether RIPA
should be just torn up or whether we should make all sorts of
amendments. What is your view?
DR. BROWN: I think you could certainly rank the parts as getting
worse and worse. Part I Chapter I would probably be the least
objectionable level, but quickly going up to Chapter II and Part III,
they have problems. Anyway, I know we are not talking about Part III
today. I am not a Parliamentary draftsman, so whether the best way to
fix the problems with Part 1 Chapter II would be, essentially, to rip
it up and start again or through serious amendment, I am not sure. I am
not sure that it does need serious amendment.
MR. WHITE: You do not think it can be sorted through codes of practice?
DR. BROWN: I do not think it should be. I think it should be
primary legislation. It is such an important subject. We should not be
relying on codes of practice which can be changed relatively easily in
future.
MR. WHITE: Let us assume that we do not have the Parliamentary time
to fix this. What do you think should be the route of the Government to
put primary legislation into place?
DR. BROWN: The easiest thing for them to do on data retention is
nothing, because under section 105 of the Anti-Terrorism, Crime and
Security Act those powers will lapse if they are not used in the first
two years after the Act is passed. So that is quite easy for them to
do. With Part I Chapter II, again, those powers are not actually
switched on, which is incredibly frustrating to the police and other
bodies on the face of the Act. There, I would say that the orders that
need to be made in satisfying the public authorities that can use those
powers should be limited to the agencies on the face of the Act.
Really, to fix the problems with subscriber data as opposed to
communications data, and requiring judicial approval for non-subscriber
communications data, I think we probably need new primary legislation.
MR. ALLAN: Let me ask about the data retention powers. Are you
comfortable with the idea of data preservation, which was suggested to
us as an alternative, which is a targeted form of data and then making
it available?
DR. BROWN: Yes.
MR. ALLAN: To access that preserved data, presumably, we would need Part I Chapter II of RIPA to be implemented?
DR. BROWN: Yes. Whether it would be available under all the
purposes in RIPA or whether you would limit it to specifics such as
national security purposes is a question for debate, but, yes, you
would need those powers.
MR. ALLAN: Part I Chapter II seems to pose a dilemma because there
is pressure from the CSPs and the law enforcement community to say, "We
are very uncomfortable with what we are doing at the moment because it
is illegal under the human rights legislation, so we want something
that looks like Part I Chapter II, but we want it not quite exactly as
it is in Part I Chapter II", which poses a real dilemma because there
would be pressure to implement something urgently which is flawed?
DR. BROWN: In the short term the codes of practice would be
slightly more appropriate in limiting the way that those powers were
used, but I think in the medium to long term they do need primary
legislation.
MR. ALLAN: Your organisation had a very high profile in the summer
over the extension to other agencies. How do you feel about the fact
that other agencies, anyway, are doing a lot of this and have powers in
all sorts of odd bits of legislation to do it, apparently? I am putting
the Government's argument now -- I do not know why -- but is it not
better to have them regulated within the framework of RIPA doing it
rather than doing it in these ad hoc ways. That is the Government's
argument, is it not? How do you respond to that?
DR. BROWN: To some extent I would agree. However, the Government
were slightly disingenuous in saying, "All of this is happening anyway
under these various other Acts." There are additional powers in RIPA.
For example, CSPs can be compelled to start recording data but they
were not before. I think it is better that it comes under the human
rights compliant framework. Whether the powers in those other Acts
would actually survive a legal test is another question. We may find
that out in the passage of time.
MR. ALLAN: So maybe people like trading standards, who are using
legal powers which pre-date the Human Rights Act, are of themselves not
complying with human rights but they have not just been tested yet?
DR. BROWN: Yes.
MR. ALLAN: So just to translate those into RIPA would not make sense?
DR. BROWN: I certainly do not think that the Home Office should
come out with a list, which I think they have, of where all these
powers reside across various other pieces of legislation, and say,
"Everyone who already has these powers, we will automatically put onto
various lists in RIPA". I do not think that is appropriate. I think the
vast majority of what the agencies are using, such as the Trading
Standards Agency, the local councils and various other bodies who
caused so much controversy during the summer in having these powers,
will be subscriber data access. So giving them access to that under
RIPA but then requiring statutory and judicial procedures for them to
access other types of data, I think, would be the way to do it. That is
something that many people in the summer, who had never heard of RIPA
before, found really outrageous, that this long list of agencies could,
potentially, have got access to things like lists of web sites and
where people have been using their mobile phones. If it was limited
strictly to the name and address of an owner of a mobile phone or
e-mail address, I think we would have been a lot more comfortable with
that.
MR. ALLAN: Could that be done in regulation under the current RIPA
format to say that agency A can have a subscriber base but they cannot
have anything else, whereas agency B can have everything?
DR. BROWN: Most of that long list of agencies could be limited to
section 21(4)(c). Section 21(4)(c) is a bit unclear, and it could be
improved. As a stop-gap solution ----
MR. ALLAN: If the Home Office wanted to satisfy their critics in
the Guardian and Daily Telegraph they could come back with something
which says, "We are giving these powers, but we, the Home Office, will
guarantee that these agencies will only as subscriber data and nothing
else"?
DR. BROWN: And how strong that guarantee could be is another question.
MR. ALLAN: Yes; but that may be an approach they wish to take.
MR. WHITE: One of the things you said was that urgency created by
the Anti-Terrorism, Crime and Security Act has effectively disappeared
because we have not had a major incident within a year. Is it not
really the fact that we still are dealing with terrorism and there is
still a major threat and the imperatives for the Act still exist?
DR. BROWN: We were not saying, in retrospect, that the Act was
foolish because there has not been another World Trade Centre attack.
What we were saying was that the ATCS was pushed through very quickly
after September 11th 2001. In retrospect, looking at the powers at the
time which the Government thought were needed, it seems that the
communications service providers were already storing, in reality,
enough data for the law enforcement agencies to do their job, and these
extra powers were not needed. Indeed, Parliament was very determined
about that. They gave the Government a lot of trouble over those
provisions and significantly limited them to national security purposes
as opposed to the full RIPA purposes, which was the Government's
original proposal. With the benefit of perfect hindsight, I think the
Government could look back and say, "This was not as urgent as it
seemed at the time and, actually, we can achieve the vast majority of
our objectives by using data which has already been stored".
MR. WHITE: Reference has been made to the whole issue about passing
information to foreign police forces and we have been discussing the
European warrant this week. We heard earlier that the ISPs are very
wary of giving UK police information on a German user. Is not the whole
point of ATCS and RIPA to tackle international drug pushing,
international terrorism and that kind of organised crime?
DR. BROWN: Certainly that covers some of the purposes of RIPA.
Again, we are not saying that that data should never be accessed by
foreign law enforcement agencies. What we are saying is that it should
be done with the oversight of UK law enforcement officials just to
ensure that UK public policy objectives are being met. One of the
examples we gave was that if data was being requested by agencies in
the US or Saudi Arabia, for example, which have the death penalty, then
Britain generally will not give assistance in those cases because we
disagree with capital punishment. It is vital for that reason and also
to keep the public trust. There would be a real public outcry if people
thought that various police agencies around the world were able to
access this data without oversight from the British law enforcement
agencies.
MR. WHITE: But is there not a fundamental difference between a
Foreign Office official sitting in Whitehall making a judgment in the
real world as opposed to a virtual world where the opportunities are so
much greater? How would a single official in the Foreign Office
actually cope with that amount of data?
DR. BROWN: Bearing in mind the wide range of officials, you would
obviously want people who understood what was being asked for and had
experience in the UK with UK law enforcement agencies accessing the
data. So you would need people who worked as single points of contact
in police forces, for example. You certainly would not want to give it
to a random diplomat sitting in the Foreign Office. It would have to be
people who understood what was being asked for.
MR. WHITE: They would need to understood what the policy imperatives of the Foreign Office were.
DR. BROWN: Yes. The way that mutual legal assistance has worked up
to now is through quite a slow and drawn out procedure. There are a
difficult set of considerations to take. We are saying that they should
not be short-circuited. There should not be ways in which the law
enforcement agencies can bypass that whole well-tested procedure and
get various pieces of data for investigations which might be contrary
to British interests.
MR. ALLAN: We may have to come back to the ISPs on this. I am
thinking about the variance in the regime as well. I do not know if you
have looked at other European regimes. I understand that Belgium is
moving ahead with the data retention policy. The presumption, for
example, is that Germany would be going in a different direction
because of their very strong notion of data protection. They originate
much of the data protection law. As we liberalise our European telecoms
market, there is no reason in the near future why I should not dial
into a German ISP or choose to go for one which offers a different
level of protection. We are coming back to internationalisation. I do
not know whether you have looked at cross-European data at all.
DR. BROWN: It is quite a big area to debate. I think the practical
application of what you were saying about the liberalisation of the
telephone market is that, in practice, there will just be three or four
EU-wide telecom providers. So, really, in reality the UK law
enforcement agencies would not have much trouble because they would
have leverage over Vodophone or if British Telecom expanded much more
significantly across the EU, because those companies would have
exposure to the UK legal system. That is how the US does a lot of this.
They are very determined when foreign telecoms come into the US,
because there have to be all sorts of approvals at the highest level of
US Government. They make sure that they can still do intercepts of
communications.
The situation across Europe, obviously, will be very dependent on
what happens with this draft framework directive in the EU which the
Danish Presidency has canvassed opinion about and actually got interest
from quite a few of the States. I think Austria and Germany were the
only two of the 15 states which had any significant objections to it.
It may be that that will move forward.
MR. ALLAN: What does that do?
DR. BROWN: That was a proposal from the Belgian Presidency, the
previous presidency, that would force a uniform data protection regime
across the EU. They were talking about a period of 12 to 24 months. The
directive would also harmonise a list of 32 offences for which EU
Member States would have to allow access to law enforcement agencies
from other EU Member States to this data.
MR. ALLAN: So the directive would say that every ISP anywhere in
the EU will have to retain the data for 12 months. You would have to be
implementing national law, like all directives, and it would totally
supersede anything which we had on the statute book at the moment?
DR. BROWN: Yes.
MR. ALLAN: And we could blame Brussels for it.
DR. BROWN: Yes. It does sound from the various meetings which went
on in the EU, as though it refers to changing the previous
telecommunications directive which banned this, and then hot on its
heels came this other draft directive then mandating it across the EU.
MR. ALLAN: Presumably, the difficulty there is that what they will
not have done is to look at the implications in terms of the local law
where, for example, the data protection regime in Germany might create
a very different level of protection for that retained data from the UK
common law position where we have heard that even down to civil
proceedings people can go and say "I want the retained data".
DR. BROWN: Exactly.
MR. ALLAN: Even though it looks like a common measure, it has very different implications in each Member state?
DR. BROWN: That is right. The one last thing I would say on your
original question, which was if a UK Internet user subscribes to a
German Internet service provider and is just, basically, making an
international call, at the moment the call itself could be intercepted
as it was going across the UK infrastructure. It may then, of course,
be encrypted, in which case you would have problems. That is a whole
section of RIPA.
MR. ALLAN: But I would not be going through any ISP-type person in
the UK who could actually retain that stuff. The German ISP could
retain that stuff?
DR. BROWN: Yes. It is more of a Part I Chapter I issue rather than Part I Chapter II.
MR. WHITE: As we have come to the end, is there any part that we
have not touched on which you think the Inquiry ought to be looking at?
DR. BROWN: I think you have covered everything.
MR. WHITE: One matter that we have asked other witnesses, although
it is slightly beyond our terms of reference, is the Computer Misuse
Act and the need to up-date it. Do you have concerns about that?
DR. BROWN: I am not an expert on that subject, so I will not pontificate on it.
MR. WHITE: Thank you very much. It has certainly been a different point of view.
(The witness withdrew)
Back to main Oral Evidence Page .
