I’ve written extensively about the wider issues around the Draft Communications Data Bill already, but in this post I’m collecting some of my thoughts on the details of its individual clauses. My view of the more general perspective is summed up in Walking: it’s time to take action on this major terrorist threat.
By all means add in your own comments on specific clauses in the comments, or for a more general debate on the Bill’s purpose and existence I’d recommend Julian Huppert’s piece.
These are my initial and working notes, so watch out both for rough edges and updates as time passes and I get more to grips with the details.
Well, it certainly lives up to the Home Secretary’s name as the clause pretty much says the government May do what it likes. To call Clause 1 broad is to play down its immense breadth. It’s enormous. (As Zoe O’Connell has also commented.)
More specifically, the problems are:
- It kicks off with saying the Secretary of State may by order… and continues in that vein. In other words, it gives the government huge scope to take future powers without requiring further primary legislation. It is a massive enabling step rather than a carefully controlled detailing of powers.
- It also gives broad powers for the Secretary of State to decide in future how data should be gathered and then to require others to obey that. In other words, the draft Bill does not directly address the many debates over black boxes snooping on all internet traffic and the like. Instead, it lets future governments come up with the details of what and how information should be recorded (though see Clauses 14-16).
- Even where safeguards are mentioned, they are left vague and for future decision. The Secretary of State shall have power to order destruction of data that has been gathered, but the why (destroying data to protect privacy or hide wrongdoing by the state?) is left unprotected and undefined, with details to be filled in by future governments without primary legislation.
- Clause 1 is also where we get the first mention of the Bill applying to the postal service. In itself, the idea of bringing together different monitoring and interception provisions into one piece of legislation has merit but the inclusion of posted items highlights the draft Bill’s problems. It means that the Bill covers postcards – where you can only get the communications data (name and address of receiver and possibly of sender) by looking at a postcard in a way that also reveals the content of the message itself. The Bill says access to the former would be done in a way that keeps the latter secure and private. How? The Bill is silent on this, as it is on the more technical but similar issues with various forms of electronic communication where the two sorts of data are similarly intermingled.
The Bill is therefore side-stepping one of the big issues by treating it as a matter of detail to be sorted out subsequently by the Secretary of State.
This is hopefully proceeded by a subheading “Safeguards”, but that primarily means consulting Ofcom, a Technical Advisory Board and firms affected by any orders under the Bill. That is okay as far as it goes – but it only goes as far as trying to ensure orders don’t distort the communications market or bring firms to their knees with impossible demands. Nowhere in that list features consultation and advice coming from a civil liberties perspective nor independent advice on the efficacy of measures for law enforcement.
Requires data to be held securely and then destroyed. Data has to be kept for a year unless required to be held for longer for legal proceedings. That limit on how long data can be kept, and hence how long data can be abused, is some consolation.
Gives the Technical Advisory Board a role in commenting on proposed orders by the Secretary of State. However, the Board can be over-ruled. Moreover, there is no requirement for publicity, transparency or Parliamentary accountability – and the record of the Home Office at deciding what should be kept secret (including arguing that even naming the communications firms currently covered by RIPA orders would endanger national security and the fight against crime) means that in practice these safeguards would be operated in secret and without the protection of wider accountability or knowledge.
Makes a wide range of actions legal if carried out in accordance with the Bill. Requires close legal scrutiny as to whether these exemptions from other laws are only to the minimum extent required to avoid someone being legally bound both to do and not to do something, which would be highly invidious.
Clause 1 rides again. Once more broad powers for the Secretary of State to do things by order in future. These clauses set out the framework for the police and other public authorities to authorise collection of data when they believe they need it, but despite already listing 10 purposes for which data can be used, it still lets the Secretary of State to add others in future by order.
Even the ten themselves are not limited to serious crimes only as they include “for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department”.
Most access to data will not require judicial authorisation (see Clauses 9-10), but local authorities – the culprits in many of the complaints over misuse of RIPA – will need judicial authority. The dividing line between the Clause 9-10 process and the Clause 11 one is likely to be closely examined in the pre-legislative scrutiny process.
Administrative details about authorisations for access to data, including that they will be valid for a month – but can be repeatedly renewed.
Here the arrangements for “filtering” are set out. As Francis Davey puts it:
The explanatory notes suggest that the government intends to run a great big “Request Filter” which will collate communications data from many different sources and also act as a useful front end for designated officers, for example to work out what questions to ask, what sort of results will be obtained and to extract the communications data required.
As a part of the legal analysis I’m not sure that the provisions concerning “filtering arrangements” are particularly interesting. They make it clear that the Secretary of State can run a system like the “Request Filter”, but they don’t give the government any more powers to obtain data – those are all to be found in clause 1. Clause 14 etc may be there to ensure that no-one challenges the creation of a Request Filter on the grounds that it is beyond the powers (ultra vires) of the Secretary of State’s office to maintain it.
But the filtering arrangements are interesting in that they give us a clue of one of the things the government has in mind.
As Frances says, this part of the draft Bill throw some light on how the Home Office would like to implement the Bill. It means the Home Office has much more detailed plans about what they would like to do than the broad powers requested in places such as Clause 1. However, despite that detail of planning, Clause 1 and others have not been narrowed down to the minimum required scope but instead left very broad.
Update – what clause 14-16 highlights is how the Bill involves gathering and storing data which currently is not. It is the rough equivalent of saying ‘let’s record all phone calls in case we later discover we want to listen to one of them’ rather than the current situation of recording calls only when there is a case to do so.
Contains some minor safeguards over the use of powers in the Draft Bill, which pale into insignificance compared to the fact that it leaves the failed and complacent Interception of Communications Commissioner in charge and unreformed.
Same points as for Clause 8 apply.
Ditto, save that in here the list of public bodies able to access data is specified – and again it is a list that is easily amendable by the Secretary of State in future.
Update: that relatively easy amendment undermines any comfort from the list being rather shorter than the comparable one under RIPA.
Gives the Interception of Communications Commissioner the remit to cover powers exercised under this Bill but does nothing to make the Commissioner any less of a failed regulator. Dreadfully complacent and inadequate.
The Investigatory Powers Tribunal, part of the same failed regulatory structure but without the same responsibility for its failings, also gets roped in.
More detail on the inclusion of postal services in the scope of the Bill.
Provides power for the costs of telecommunications and postal operators in complying with the Bill to be met.
Worth nothing that the Home Office has decided that the current annual expenditure on such costs for complying with RIPA must be kept secret else it would endanger national security and the fight against crime. The same applies to expenditure levels in past. Therefore quite how Parliament is meant to judge the value for money of the new arrangements when the costs of the existing ones are secret is a bit of a mystery.
Clause 27 onwards
More administrative details. Looks like the definitions in Clause 28 are so broad the someone who has a mobile phone which contains call records is therefore a telecommunications provider and the government could deploy the legal requirements under the Bill on a person and their own phone rather than simply on the sorts of firms that come to mind when you say “telecommunications provider”.
The technical definitions of terms such as “traffic data” are in here and will need careful study.