It was always a good bet that the draft Investigatory Powers Bill would broaden data retention obligations to cover more categories of communications data. That was at the core of the Communications Data Bill, blocked in 2012 during the Coalition government and vowed after the May 2015 election to be resurrected.
The draft Bill has duly delivered, accompanied by a blizzard of commentary about the propriety of forcing communications service providers to retain users’ browsing histories.
But what exactly are the categories of data that communications providers could be made to keep? The Home Office has coined the label ‘internet connection records’ to describe the new datatypes that it plans should be retained for up to 12 months. These records, it stresses, could include websites and services visited but not individual pages or other content. This is in line with what the Home Office had previously said to the Anderson Review about ‘weblog data’ (the then current jargon for browsing histories).
Internet connection records and the proposed restrictions on accessing them (clause 47 of the draft Bill) have become a lightning rod for the ensuing discussion: not just the rights and wrongs of requiring browsing data to be retained, but whether internet connection records as defined in the draft Bill can be matched to real categories of data processed by service providers.
The focus on internet connection records is understandable. The Home Office’s Guide to the powers in the draft Bill focuses on internet connection records. The estimated cost increase in the Data Retention Impact Assessment mentions only internet connection records as a new category of retained data.
However the draft Bill casts the retention net wider than just internet connection records. Clause 71 of the Bill would empower the Home Office to issue retention notices covering six categories of what the draft Bill calls ‘relevant communications data’.
According to the draft Bill’s Explanatory Notes, one of those six categories (71(9)(f)) corresponds to internet connection records. That leaves five categories which, on the face of them, seem to go wider than the existing data retention categories under the Data Retention and Investigatory Powers Act 2014 (DRIPA) as amended by the Counter Terrorism and Security Act 2015 (CTSA).
For internet communications the current DRIPA data retention categories cover internet access services, internet e-mail and internet telephony. Those categories replicate the 2009 Data Retention Regulations, which implemented the now invalidated EU Data Retention Directive. The CTSA extended DRIPA to include so-called IP address resolution data.
We can get an idea of the scope of ‘relevant communications data’ by appreciating that it covers any type of communication on a network, expressly including communications where the sender or recipient is not a human being. This sweeps up not only background interactions that smartphone apps make automatically with their supplier servers, but probably the entire internet of things.
The type of data about these communications that could be required to be retained goes beyond the relatively familiar sender, recipient, time and location information to data such as the ‘type, method or pattern’ of communication (clause 71(9)(c)). ‘Data’ is defined to include ‘any information which is not data’ (clause 195(1)).
In another departure from existing retention laws, providers could be required to generate data specifically for retention (71(8)(b)(i)). At present they can only be required to keep data that they already generate or process in the course of providing their service.
Another change from existing law is that retention notices could be given to any kind of telecommunications operator, not just those providing services to the public as under the existing legislation. Finally, providers could be given a notice requiring them to install specific technical capabilities to support communication data access and retention requirements.
Although the current Home Office Guide and the Impact Assessment talk only about retention of internet connection records by public telecommunication service providers, that would not prevent future changes of policy whereby broader retention notices could be served on a wider variety of communications service providers. There is no obvious mechanism to bring a change of policy to the attention of the public, since service providers would be obliged not to disclose to anyone else the existence and contents of a retention notice.
All this suggests that it is fairly important to understand what ‘relevant communications data’ might consist of. That requires an informed conversation between legislators, lawyers and technical experts. As a discussion aid, here is my map of the 14 interlinked definitions that go to make it up.
And here are the 14 definitions. Where a definition uses another defined term I have italicised it for ease of reference.
“relevant communications data” means communications data which may be used to identify, or assist in identifying, any of the following—
(a) the sender or recipient of a communication (whether or not a person),
(b) the time or duration of a communication,
(c) the type, method or pattern, or fact, of communication,
(d) the telecommunication system (or any part of it) from, to or through which, or by means of which, a communication is or may be transmitted,
(e) the location of any such system, or
(f) the internet protocol address, or other identifier, of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program.
In this subsection “identifier” means an identifier used to facilitate the transmission of a communication.
“Telecommunication system” means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.
“person” (other than in Part 2) includes an organisation and any association or combination of persons,
“Communications data”, in relation to a telecommunications operator, telecommunications service or telecommunication system, means entity data or events data—
(a) which is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator and—
(i) is about an entity to which a telecommunications service is provided and relates to the provision of the service,
(ii) is comprised in, included as part of, attached to or logically associated with a communication (whether by the sender or otherwise) for the purposes of a telecommunication system by means of which the communication is being or may be transmitted, or
(iii) does not fall within sub-paragraph (i) or (ii) but does relate to the use of a telecommunications service or a telecommunication system,
(b) which is available directly from a telecommunication system and falls within sub-paragraph (i), (ii) or (iii) of paragraph (a), or
(i) is (or is to be or is capable of being) held or obtained by, or on behalf of, a telecommunications operator,
(ii) is about the architecture of a telecommunication system, and
(iii) is not about a specific person,
but does not include the content of a communication.
“Communication”, in relation to a telecommunications operator, telecommunications service or telecommunication system, includes—
(a) anything comprising speech, music, sounds, visual images or data of any description, and
(b) signals serving either for the impartation of anything between persons, between a person and a thing or between things or for the actuation or control of any apparatus.
“apparatus” includes any equipment, machinery or device (whether physical or logical) and any wire or cable,
“Telecommunications operator” means a person who—
(a) offers or provides a telecommunications service to persons in the United Kingdom, or
(b) controls or provides a telecommunication system which is (wholly or partly)—
(i) in the United Kingdom, or
(ii) controlled from the United Kingdom.
“Telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).
“Entity data” means any data which—
(a) is about—
(i) an entity,
(ii) an association between a telecommunications service and an entity, or
(iii) an association between any part of a telecommunication system and an entity,
(b) consists of, or includes, data which identifies or describes the entity (whether or not by reference to the entity’s location), and
(c) is not events data.
“Events data” means any data which identifies or describes an event (whether or not by reference to its location) on, in or by means of a telecommunication system where the event consists of one or more entities engaging in a specific activity at a specific time.
“Entity” means a person or thing.
The content of a communication is the elements of the communication, and any data attached to or logically associated with the communication, which reveal anything of what might reasonably be expected to be the meaning of the communication but—
(a) anything in the context of web browsing which identifies the telecommunications service concerned is not content, and
(b) any meaning arising from the fact of the communication or from any data relating to the transmission of the communication is to be disregarded.
“data” includes any information which is not data.