UK Rushes 'Emergency' Data Retention LawGovernment Seeks Continuing Call, Text, E-mail Surveillance
The British government has asked Parliament for quick approval of a new, "emergency" blanket data retention law that would require U.K. telecommunications providers to store information relating to their customers' calls, texts and e-mails for 12 months.
See Also: 2021: A Cybersecurity Odyssey
The move follows a European Court of Justice ruling in April that existing, blanket data retention laws breach Europeans' fundamental right to privacy and protection of their personal data, in part because they lack proper, relevant safeguards. The ruling has been widely interpreted as a rejection of unlimited state surveillance.
Britain had previously required that service providers retain for 24 months all communications-related information, including traffic analysis - gleaned from metadata - allowing authorities to see who communicates with whom, for what length of time, and when. "Rather than requiring service providers to freeze data upon request, it was much broader and served as a blanket retention requirement - everybody had to retain it, regardless of whether it was sought by law enforcement agencies," says attorney Dan Cooper, a partner in the data privacy practice at Covington & Burling LLP in London.
Unlike some other European countries that passed their own data retention "primary legislation," including Ireland and Denmark, Britain's data retention law was "secondary," meaning it was based only on U.K. regulations, as opposed to a statute passed by Parliament. As a result, the European Court of Justice ruling "has left telecom companies in the U.K. in a legal gray area where they are retaining customer communications data but with no legal basis to do so," says Dublin-based information security consultant Brian Honan, who heads Ireland's Computer Security Incident and Response Team.
"The ISPs and telecom operators were saying, 'We're going to be challenged on this; we're going to be found to be in violation of the law, so we're going to delete this data,'" Cooper says.
On July 10, the British government introduced the Data Retention and Investigatory Powers Bill, which would create a data-retention law for Britain. According to the U.K. Home Office - which is responsible for immigration, security, and law and order - the bill includes "additional safeguards for the use of investigatory powers," including an oversight board, that's meant to make the legislation comply with the European Court of Justice ruling.
Speaking to Parliament on July 10, Home Secretary Theresa May argued that the European court's ruling also failed to take into account the safeguards provided for people's private information, under Britain's Regulation of Investigatory Powers Act, or RIPA. She said the newly introduced bill, which would be set to expire in 2016, "will merely maintain the status quo ... [and] ensure, for now at least, that the police and other law enforcement agencies can investigate some of the criminality that is planned and takes place online." Otherwise, May warns, "we face the very prospect of losing access to this data overnight, with the consequence that police investigations will suddenly go dark and criminals will escape justice."
The UK issued 2,760 interception warrants in 2013, according to Britain's Interception of Communications Commissioner. Each warrant, according to an ICC report, can cover individuals, as well as "any organization or any association or combination of persons," inside Britain, or for anyone outside Britain.
The new bill covers data interception both inside and outside of the U.K. "One half deals with establishing a power to require service providers to retain communications data, up to 12 months," Cooper says. "The second half deals with provisions in RIPA, which are intended to establish the view that service providers outside the U.K. could be expected to either produce information upon request, under RIPA, or introduce an intercept capability into their service, where requested."
But Open Rights Group, a British privacy rights organization, has argued that there's no reason for the government to attempt to fast-track the bill, which could see it get passed by Parliament less than one week after it was introduced.
"Emergency legislation should only be for a genuine national emergency. We are not currently in an emergency so Parliament should take its time," the Open Rights Group argues. "The only threat is that of legal action as the government wishes to continue with blanket data retention, which the [EU Court of Justice] recently ruled incompatible with human rights."
Steve Peers, a professor of EU law and human rights law at the University of Essex in England, also believes the bill is flawed. "Much of the U.K.'s draft bill would, if adopted, fall within the scope of EU law, and therefore the Charter of Rights," he says. "The government's intention, as manifested by the bill, to re-institute mass surveillance of telecoms traffic data is a clear breach of the EU Charter of Fundamental Rights."
Numerous privacy and civil rights experts have suggested that rather than attempting to maintain the status quo - except for reducing from 24 to 12 months the amount of time service providers must retain data - the government should rethink its approach. "[The] EU court allowed targeted collection of data about suspects, just not blanket retention," says independent UK privacy researcher Caspar Bowden, formerly a chief privacy advisor to Microsoft.
Does Interception Help?
Absent from the government's push for emergency legislation is any discussion of whether blanket data retention serves a useful purpose. "To date we have yet to see any credible evidence that police or intelligence agencies access to retained metadata has helped to combat terrorism and/or serious crime," says Honan, who serves as a special adviser on Internet security to Europol. "In fact, last year the Danish police admitted that data retention did not work."
The process by which the U.K. government has fast-tracked the new data-retention bill has also drawn criticism from some members of Parliament. "Regardless of where you stand on the decision of the European Court of Justice, can you honestly say that you want a key decision about how your personal data is stored to be made by a stitch-up behind closed doors and clouded in secrecy?" Labor MP Tom Watson told Parliament July 10. "None of your MPs have even read this legislation, let alone been able to scrutinize it."
If the bill does get passed next week by the legislators elected to the House of Commons, it must still go to the House of Lords for review, before it could become law. "It will probably get through the House of Commons, but no one is really sure what's going to happen when it gets to the House of Lords," says Covington & Burling's Cooper.