It was always a good bet that the draft Investigatory Powers
Bill would broaden data retention obligations to cover more categories of
communications data. That was at the core of the Communications Data Bill, blocked
in 2012 during the Coalition government and vowed after the May 2015 election to be resurrected.
The draft Bill has duly delivered, accompanied by a blizzard
of commentary about the propriety of forcing communications service providers to retain
users’ browsing histories.
But what exactly are the categories of data that communications providers could be made to keep? The Home Office has coined
the label ‘internet connection records’ to describe the new datatypes that it
plans should be retained for up to 12 months. These records, it stresses, could include websites
and services visited but not individual pages or other content. This is in line
with what the Home Office had previously said to the Anderson Review about ‘weblog data’ (the then current jargon for browsing histories).
Internet connection records and the proposed restrictions on
accessing them (clause 47 of the draft Bill) have become a lightning rod for the ensuing discussion:
not just the rights and wrongs of requiring browsing data to be retained, but whether internet connection records as defined in the draft Bill can be matched to real categories of data processed by service providers.
The focus on internet connection records is understandable.
The Home Office’s Guide to the powers in the draft Bill focuses on internet
connection records. The estimated cost increase
in the Data Retention Impact Assessment mentions only internet connection
records as a new category of retained data.
However the draft Bill
casts the retention net wider than just internet connection records. Clause 71
of the Bill would empower the Home Office to issue retention notices covering six categories of what the draft Bill calls ‘relevant communications data’.
According to the draft Bill’s Explanatory Notes, one of
those six categories (71(9)(f)) corresponds to internet connection records.
That leaves five categories which, on the face of them, seem to go wider than
the existing data retention categories under the Data Retention and Investigatory
Powers Act 2014 (DRIPA) as amended by the Counter Terrorism and Security Act
2015 (CTSA).
For internet communications the current DRIPA data retention
categories cover internet access services, internet e-mail and internet
telephony. Those categories replicate the 2009 Data Retention Regulations,
which implemented the now invalidated EU Data Retention Directive. The CTSA extended DRIPA to include so-called
IP address resolution data.
We can get an idea of the scope of ‘relevant communications
data’ by appreciating that it covers any type of communication on a network, expressly
including communications where the sender or recipient is not a human being.
This sweeps up not only background interactions that smartphone apps make
automatically with their supplier servers, but probably the entire internet of
things.
The type of data about these communications that could be
required to be retained goes beyond the relatively familiar sender, recipient, time
and location information to data such as the ‘type, method or pattern’ of communication
(clause 71(9)(c)). ‘Data’ is defined to include ‘any information which is not
data’ (clause 195(1)).
In another departure from existing retention laws, providers
could be required to generate data specifically for retention (71(8)(b)(i)). At
present they can only be required to keep data that they already generate or
process in the course of providing their service.
Another change from existing law is that retention notices
could be given to any kind of telecommunications operator, not just those
providing services to the public as under the existing legislation. Finally,
providers could be given a notice requiring them to install specific technical
capabilities to support communication data access and retention requirements.
Although the current Home Office Guide and the Impact Assessment
talk only about retention of internet connection records by public
telecommunication service providers, that would not prevent future changes of
policy whereby broader retention notices could be served on a wider variety of communications
service providers. There is no obvious
mechanism to bring a change of policy to the attention of the public, since
service providers would be obliged not to disclose to anyone else the existence and contents
of a retention notice.
All this suggests that it is fairly important to understand what
‘relevant communications data’ might consist of. That requires an informed conversation between legislators, lawyers and technical experts. As a discussion aid, here is my map of the 14 interlinked definitions
that go to make it up.
And here are the 14 definitions. Where a definition uses another defined term I have italicised it for ease of reference.
“relevant
communications data” means communications
data which may be used to identify, or assist in identifying, any of the
following—
(a) the sender or recipient of a communication (whether or not a person),
(b) the time or duration of a communication,
(c) the type, method or pattern,
or fact, of communication,
(d) the telecommunication system (or any part of it) from, to or through
which, or by means of which, a communication
is or may be transmitted,
(e) the location of any such
system, or
(f) the internet protocol
address, or other identifier, of any apparatus to which a communication is transmitted for the
purpose of obtaining access to, or running, a computer file or computer
program.
In this subsection “identifier”
means an identifier used to facilitate the transmission of a communication.
“Telecommunication
system” means a system (including the apparatus
comprised in it) that exists (whether wholly or partly in the United Kingdom or
elsewhere) for the purpose of facilitating the transmission of communications by any means involving
the use of electrical or electromagnetic energy.
“person” (other
than in Part 2) includes an organisation and any association or combination of persons,
“Communications data”,
in relation to a telecommunications
operator, telecommunications service
or telecommunication system, means entity data or events data—
(a) which is (or is to be or is
capable of being) held or obtained by, or on behalf of, a telecommunications operator and—
(i) is about an entity to which a telecommunications service is provided and relates to the provision
of the service,
(ii) is comprised in, included as
part of, attached to or logically associated with a communication (whether by the sender or otherwise) for the purposes
of a telecommunication system by
means of which the communication is
being or may be transmitted, or
(iii) does not fall within
sub-paragraph (i) or (ii) but does relate to the use of a telecommunications service or a telecommunication
system,
(b) which is available directly
from a telecommunication system and
falls within sub-paragraph (i), (ii) or (iii) of paragraph (a), or
(c) which—
(i) is (or is to be or is capable
of being) held or obtained by, or on behalf of, a telecommunications operator,
(ii) is about
the architecture of a telecommunication
system, and
(iii) is not
about a specific person,
but does not include the content
of a communication.
“Communication”,
in relation to a telecommunications
operator, telecommunications service
or telecommunication system,
includes—
(a) anything comprising speech,
music, sounds, visual images or data
of any description, and
(b) signals serving either for
the impartation of anything between persons,
between a person and a thing or
between things or for the actuation or control of any apparatus.
“apparatus”
includes any equipment, machinery or device (whether physical or logical) and
any wire or cable,
“Telecommunications
operator” means a person who—
(a) offers or provides a telecommunications service to persons in the United Kingdom, or
(b) controls or provides a telecommunication system which is
(wholly or partly)—
(i) in the
United Kingdom, or
(ii)
controlled from the United Kingdom.
“Telecommunications
service” means any service that consists in the provision of access to, and
of facilities for making use of, any telecommunication
system (whether or not one provided by the person providing the service).
“Entity data”
means any data which—
(a) is about—
(i) an entity,
(ii) an
association between a telecommunications
service and an entity, or
(iii) an association between any
part of a telecommunication system
and an entity,
(b) consists of, or includes, data which identifies or describes the entity (whether or not by reference to
the entity’s location), and
(c) is not events data.
“Events data” means any data
which identifies or describes an event (whether or not by reference to its
location) on, in or by means of a telecommunication
system where the event consists of one or more entities engaging in a specific activity at a specific time.
“Entity” means a person or thing.
The content of a
communication is the elements of the communication,
and any data attached to or logically
associated with the communication,
which reveal anything of what might reasonably be expected to be the meaning of
the communication but—
(a) anything in the context of web
browsing which identifies the telecommunications
service concerned is not content, and
(b) any meaning arising from the
fact of the communication or from any
data relating to the transmission of
the communication is to be disregarded.
“data” includes
any information which is not data.
“data” includes any information which is not data.
ReplyDeleteThis is clearly a very well-written bill!