Saturday 16 January 2016

An itemised phone bill like none ever seen

[Adapted from my evidence (PDF) to the Joint Parliamentary Committee scrutinising the Draft Investigatory Powers Bill]
Mandatory retention of Internet Connection Records - destination IP address, service name (e.g. Facebook or Google), web address (e.g. or - would engage the right of freedom of expression.
This may seem a bold claim in the face of the oft-repeated assertion that ICRs are nothing more than the online equivalent of an itemised phone bill. The Home Secretary, introducing the draft Bill, said:
“So, if someone has visited a social media website, an Internet Connection Record will only show that they accessed that site, not the particular pages they looked at, who they communicated with, or what they said. It is simply the modern equivalent of an itemised phone bill.”
In her oral evidence to the Committee on 13 January 2016 she emphasised that:
“You are not trying to find out whether they have looked at certain pages of a website, which is where I think the confusion may arise because of what people felt was in the draft Communications Data Bill. It is simply about that access to a particular site or the use of the internet for a communication.”
If a comparison can be drawn with an itemised phone bill, this would be an itemised phone bill like none ever seen[i]. We can illustrate this by considering the questions that could be answered by scrutinising an actual itemised phone bill compared with one containing the destination information that would be logged in an ICR.
Who has she spoken to?
This is the focus of the traditional itemised phone bill.
The itemised phone bill shows called telephone numbers. In pre-online, pre-mobile days it would have been a fair assumption that whoever was using the telephone was speaking to somebody at the called number, so that a conversation took place[ii].  That might be somebody at a household telephone or at a public telephone box.  The number might be a private office switchboard[iii], at which point the information on the itemised phone bill terminated.  It gave no information about which extension the call was routed to behind the private switchboard, or who took the call at that extension[iv]. (The former changed to an extent with the advent of DDI numbers.)
A subscriber lookup would provide information about the householder or organisation to whom the called number was allocated.
Itemised phone bills have always, with a few exceptions (e.g. dial-up data calls, recorded message services) essentially given information (including when the call was made and its duration) about conversations between human beings.
What has she been doing?
Our notional ICR itemised phone bill now starts to part company from an actual itemised phone bill. It is possible to infer a partial picture of someone's activities by studying a record of whom she has talked to on the telephone.  ICR logs differ in both degree and kind.
ICRs differ in degree in that we now speak on mobile phones and send text, e-mail, SMS and all the other varieties of messages to people in vastly greater volumes than we ever did in the days of landline telephone conversations. This itself provides a vastly richer and more detailed map of our activities than ever was possible with an itemised phone bill.
ICRs differ in kind from an itemised phone bill in that they are not limited to our conversations (whether voice, e-mail or messages) with other people.  An ICR is an itemised phone bill that would log not just whom we conversed with when, but our online journeys: our 'visits' to the bank, the bookshop, the butcher, the baker, the travel agent, the doctor, the clinic, the hospital, the therapist, the support group, the hotel, the club, the concert hall, the public lecture, the political meeting, the trade union office, the ticket agency and so on without limit.
It would go further, logging not just our consciously initiated activities but also those initiated by our smartphones and connected tablets while they are in our pockets, beside our beds at night and so on.
In this respect ICRs bear little resemblance to an itemised phone bill.  If anything they are more akin to universal CCTV surveillance when we step out beyond our front door and venture into public spaces. However that analogy is itself debatable.
What has she been reading?
ICRs would create logs of every website (or equivalent) that we accessed. On my understanding of the draft Bill that would include blogs and newspaper sites[v].
In this regard ICRs are far removed from both itemised phone bills and CCTV in public places. They do not resemble any kind of log that it has been thought appropriate to compel in the offline world.  It is as if, on our notional itemised phone bill, we were to find a state-mandated list of the titles of the books, newspapers and magazines that we had read in the last 12 months.
We never used to read books over the telephone. Now we read blogs remotely. It is a mere accident of technology that by doing that, instead of reading a physical book in an armchair at home, we engage in what the draft Bill (and RIPA before it) classifies as a 'communication'.
DRIPA was limited to something that people would generally regard as an online communication: internet e-mail, SMS messages and the like.  Reading something remotely, however, is not a communication in the sense of a group of conspirators discussing criminal plots between themselves.  It is a highly personal activity of one individual alone.
Someone who accessed my own blog could[vi] trigger the creation of an ICR showing that they had accessed '' (the URL up to the first slash - but now see footnote [vi]), or maybe '' if they used that address. The ICR might record the name of the blog: 'Cyberleagle'. It would record the date and time of the access[vii]. It would presumably have to be linked at least to source data identifying (to the extent possible) the device that accessed the blog.
Mandating that logs of online reading habits be kept is analogous to being made, in the offline world, to keep a list of the books, newspapers and magazines that we have read in the last year.
Reading is in the nature of a home activity. We are far more cautious about the intrusion of general powers into the home. We treat with greater respect for privacy activity takes place there than activity that takes place in public or semi-public places[viii].  When considering online activities we should always consider whether the activity in question is an extension of the home or an excursion into a public or semi-public place.
State-mandated lists of reading habits also strike at the heart of freedom of expression. Our freedom to choose what to read is jealously protected for good reason.  Reading fuels our quest for knowledge. It is emancipatory[ix].  Merely making an officially mandated list of what we choose to read chills freedom of expression. If the ordinary citizen is put in the position of worrying about whether reading a controversial website might excite official suspicion or trip a red flag on some state computer system, that alone is sufficient to chill freedom of expression whatever the safeguards and restrictions on access.
A proposed law requiring us to make and keep a list of physical books, newspapers and magazines that we had read in the last 12 months could expect to be greeted with public outrage.  This aspect of ICRs is an exact parallel.
Reading is also a large part of the 'online visiting' aspect of ICRs. The two are inextricably entangled.  
Even if 'reading' websites could somehow be conceptually separated from 'visiting' websites, it is difficult to envisage any practicable way in which ICR retention could be implemented for only some types of website. Either way, the whole proposal would stand or fall with the 'reading' element.  

[i]           Nor should we forget that when itemised phone bills first appeared they excited alarm as to how revealing of people's personal lives they could be.
[ii]           Of course other possibilities existed, such as sending a coded signal by a pre-arranged sequence of calls and hang-ups. Nevertheless there was still a communication between two people.
[iii]          The public telephone number of an office switchboard is somewhat equivalent in the internet world to an ISP allocating one public IPv4 address to the household or office router rather than allocating multiple public IPv4 addresses to individual devices in a household. An ISP allocating a public IPv4 address to one individual device in the household or office is a bit like what used to be called a 'direct outside line'.
[iv]          It is somewhat ironic that the example on page 9 of the ICR Operational Case gives 4 digit extension numbers as an example of something equivalent to a port number. A private extension number would never appear on an itemised phone bill. An 'extension' would have appeared on a bill only if the caller dialled a direct line or a DDI number.
[v]           The assumption in the draft Bill appears to be that all websites would be covered by 'telecommunications service' in Clause 47(6)(a) (see e.g. the Guide para 44).  A scheme that required service providers subject to a retention notice to determine whether individual websites were or were not providing a 'telecommunications service' would presumably be unworkable.  If a site were subject to retention under the (differently worded) Clause 71 but fell outside Clause 47(6)(a), then it would not be subject to the access restrictions of Clause 47(4).
[vi]              If only the destination IP address were logged and not the blog's web address that might show only that the Blogger platform was accessed. (The Home Office's recent written evidence to the Committee says that subdomains such as "" would be treated as content, not communications data and so could not form part of an ICR. "" could still be part of an ICR. This differs from the previously understood position. See my further evidence (PDF) to the Committee.)    
[vii]         The ICRs Fact Sheet says: "[An ICR] will involve retention of a destination IP address but can also include a service name (e.g. Facebook or Google) or a web address (e.g. or along with a time/date."
[ix]              "TheresaMay's Threat to the Privacy of Reading" John Naughton, the Guardian, 8 November 2015

Saturday 2 January 2016

Internet legal developments to look out for in 2016

A preview of some of the UK internet legal developments that we can expect in 2016, [updated with actual developments to 17 September 2016]. Some topics are perennial (see 2015 and 2014), some are new.

EU copyright reform In December 2015 the European Commission published, as part of its Digital Single Market initiative, a proposal for a Regulation on cross-border portability of online content services. In parallel it published a ‘political preview’ of proposals to amend copyright law, for which more detailed legislative proposals and policy initiatives will be worked up during 2016. This process will incorporate the pending review of the Satellite and Cable Broadcasting Directive, which has ventilated the possibility of extending the country of origin copyright rule for TV and radio programmes from satellite to the internet. Other areas of likely interest include copyright exceptions, enforcement (probably against a broader variety of intermediaries) and news aggregation services. [On 14 September 2016 the Commission published proposals for a Directive on Copyright in the Digital Single Market, regarded as internet-unfriendly overall, and a Regulation extending the country of origin provisions of the Satellite and Cable Broadcasting Directive to broadcasters' ancillary online transmissions.] 

Online consumer contracts In another strand of the Digital Single Market initiative the Commission in December 2015 published proposals for two Directives on online consumer contracts, one applicable to digital content and the other to goods. Member States would be prohibited from enacting either higher or lower levels of consumer protection than specified in the Directives.

Copyright and linking Three more linking cases are on their way to the CJEU, all from Dutch courts: C-160/15 GS Media (a reference from the Dutch Supreme Court concerning a link to an infringing copy of a photograph), C-527/15 Filmspeler (a site blocking case referred by the Central Netherlands District Court; the target site is alleged to have provided a downloadable media player with an add-on containing refreshable lists of links to infringing material; cf Popcorn Time) and C-610/15 Pirate Bay (a site blocking case with linking aspects, referred by the Dutch Supreme Court). [The CJEU issued its judgment in GS Media on 8 September 2016.]

Copyright and temporary copies The C-527/15 Filmspeler reference asks the CJEU whether the transient copies that a user makes when viewing an infringing movie can be excepted from infringement under the EU Copyright Directive’s temporary copies exception. The questions specifically address lawful use and the three step test (which were not covered in the Meltwater/PRCA ‘right to browse’ case).

Site blocking orders The Dutch Supreme Court has referred a site blocking question to the CJEU in C-610/15 Pirate Bay. Meanwhile in the UK the ISPs’ appeal to the Court of Appeal in Cartier v BSkyB (three judgments here, here and here) is pending. This was the first UK trade mark site blocking case and is the first site blocking case since Newzbin 2 to be contested by the ISPs. [The Court of Appeal issued its Cartier judgment on 6 July 2016, upholding the jurisdiction to grant a site blocking injunction in a trade mark case.]

Intermediary liability The mere conduit and injunction provisions of the Electronic Commerce Directive are the subject of a German reference to the CJEU in Case 484/14 McFadden. It concerns injunctions against providers of open wi-fi networks to prevent copyright infringement by users.  [The judgment was issued on 15 September 2016.]  The European Commission has been conducting a public survey on the “regulatory environment for platforms, online intermediaries, data and cloud computing and the collaborative economy” including the intermediary liability provisions of the Electronic Commerce Directive. The survey closes on 6 January 2016. There is crossover with the Commission Communication "Towards a modern, more European copyright framework" issued on 9 December 2015.

The Investigatory Powers Bill Following the Anderson, ISC and RUSI reviews the draft Investigatory Powers Bill has been published and is undergoing formal pre-legislative scrutiny by a Joint Parliamentary Committee. The Committee is expected to report by 11 February 2016. The House of Commons Science and Technology Committee, the Joint Parliamentary Committee on Human Rights and the Intelligence and Security Committee of Parliament are also considering the draft Bill. The Bill itself is expected to be introduced in Parliament in March 2016. [The progress of the Bill can be tracked here.]

Questions arising out of David Davis and Tom Watson MPs’ legal challenge to the data retention provisions of DRIPA have been referred to the CJEU by the Court of Appeal. A reference from the Swedish courts (C-203/15 Tele2 Sverige) is also pending. [The Advocate General's Opinion issued on 19 July 2016. The judgment is expected in Autumn 2016.]

Interception and surveillance complaints to the European Court of Human Rights
 include a case taken by Big Brother Watch, the Open Rights Group, English PEN and Dr Constanze Kurz and one by the Bureau of Investigative Journalism. Amnesty International, Liberty, Privacy International and others have lodged a complaint following the decision of the Investigatory Powers Tribunal on bulk interception and receipt of US PRISM and UPSTREAM interception product. 

Investigatory Powers Tribunal challenges brought by Privacy International and seven ISPs around the world to equipment interference and by Privacy International to use of bulk personal datasets are pending. The latter includes a challenge to the use of national security directions under S.94 Telecommunications Act 1984. 

Mindmap of legal challenges (interactive PDF with links to key documents):

AVMS Directive Review The European Commission is reviewing the Audiovisual Media Services Directive. This raises once again the appropriateness (or not) of extending TV-like regulation to the internet.  [The proposal adopted on 25 May 2016 includes some extensions to on-demand providers and internet platforms.]

EIDAS Regulation The replacement for the Electronic Signatures Directive comes into force on 1 July 2016. As well as electronic signatures it covers ‘electronic identification schemes’ and ‘electronic trust services’.

Data Protection Political agreement on the new General Data Protection Regulation was reached at the end of 2015. The Regulation should be formally ratified early in 2016 and come into force in 2018 [Confirmed] . Google’s appeal in Vidal-Hall is pending before the UK Supreme Court [but is reported to have been subsequently withdrawn]. Permission to appeal was granted on all points other than whether the claim was a tort.

Net neutrality Revisions to EU telecoms legislation will impose net neutrality rules from 30 April 2016.

[Updated 3 January 2016 to include net neutrality; and 2 February 2016 to include CJEU hearing date in Davis/Watson case. Surveillance litigation mindmap updated 8 August 2016. Further updates 17 September 2016.]