[Adapted from my evidence (PDF) to the Joint Parliamentary Committee scrutinising the Draft Investigatory Powers Bill]
Mandatory
retention of Internet Connection Records - destination IP address, service name (e.g. Facebook or Google), web address (e.g. www.facebook.com or www.google.com) - would engage the right of freedom of
expression.
This may seem a bold claim in the face
of the oft-repeated assertion that ICRs are nothing more than the online
equivalent of an itemised phone bill. The Home Secretary, introducing the draft
Bill, said:
“So, if
someone has visited a social media website, an Internet Connection Record will
only show that they accessed that site, not the particular pages they looked
at, who they communicated with, or what they said. It is simply the modern
equivalent of an itemised phone bill.”
In her oral evidence to the Committee on 13 January 2016 she emphasised that:
“You
are not trying to find out whether they have looked at certain pages of a
website, which is where I think the confusion may arise because of what people
felt was in the draft Communications Data Bill. It is simply about that access
to a particular site or the use of the internet for a communication.”
If a comparison can be drawn with an
itemised phone bill, this would be an itemised phone bill like none ever seen[i].
We can illustrate this by considering the questions that could be answered by
scrutinising an actual itemised phone bill compared with one containing the
destination information that would be logged in an ICR.
Who has
she spoken to?
This is the focus of the traditional
itemised phone bill.
The itemised phone bill shows called
telephone numbers. In pre-online, pre-mobile days it would have been a fair
assumption that whoever was using the telephone was speaking to somebody at the
called number, so that a conversation took place[ii]. That might be somebody at a household
telephone or at a public telephone box.
The number might be a private office switchboard[iii], at
which point the information on the itemised phone bill terminated. It gave no information about which extension
the call was routed to behind the private switchboard, or who took the call at
that extension[iv].
(The former changed to an extent with the advent of DDI numbers.)
A subscriber lookup would provide
information about the householder or organisation to whom the called number was
allocated.
Itemised phone bills have always, with a
few exceptions (e.g. dial-up data calls, recorded message services) essentially
given information (including when the call was made and its duration) about
conversations between human beings.
What
has she been doing?
Our notional ICR itemised phone bill
now starts to part company from an actual itemised phone bill. It is possible
to infer a partial picture of someone's activities by studying a record of whom
she has talked to on the telephone. ICR
logs differ in both degree and kind.
ICRs differ in degree in that we now
speak on mobile phones and send text, e-mail, SMS and all the other varieties
of messages to people in vastly greater volumes than we ever did in the days of
landline telephone conversations. This itself provides a vastly richer and more
detailed map of our activities than ever was possible with an itemised phone
bill.
ICRs differ in kind from an itemised
phone bill in that they are not limited to our conversations (whether voice,
e-mail or messages) with other people. An
ICR is an itemised phone bill that would log not just whom we conversed with
when, but our online journeys: our 'visits' to the bank, the bookshop, the
butcher, the baker, the travel agent, the doctor, the clinic, the hospital, the
therapist, the support group, the hotel, the club, the concert hall, the public
lecture, the political meeting, the trade union office, the ticket agency and
so on without limit.
It would go further, logging not just
our consciously initiated activities but also those initiated by our
smartphones and connected tablets while they are in our pockets, beside our
beds at night and so on.
In this respect ICRs bear little
resemblance to an itemised phone bill.
If anything they are more akin to universal CCTV surveillance when we
step out beyond our front door and venture into public spaces. However that
analogy is itself debatable.
What
has she been reading?
ICRs would create logs of every website
(or equivalent) that we accessed. On my understanding of the draft Bill that
would include blogs and newspaper sites[v].
In this regard ICRs are far removed
from both itemised phone bills and CCTV in public places. They do not resemble any
kind of log that it has been thought appropriate to compel in the offline
world. It is as if, on our notional
itemised phone bill, we were to find a state-mandated list of the titles of the
books, newspapers and magazines that we had read in the last 12 months.
We never used to read books over the
telephone. Now we read blogs remotely. It is a mere accident of technology that
by doing that, instead of reading a physical book in an armchair at home, we
engage in what the draft Bill (and RIPA before it) classifies as a
'communication'.
DRIPA was limited to something that
people would generally regard as an online communication: internet e-mail, SMS
messages and the like. Reading something
remotely, however, is not a communication in the sense of a group of
conspirators discussing criminal plots between themselves. It is a highly personal activity of one
individual alone.
Someone who accessed my own blog could[vi]
trigger the creation of an ICR showing that they had accessed
'cyberleagle.blogspot.co.uk' (the URL up to the first slash - but now see footnote [vi]), or maybe
'www.cyberleagle.com' if they used that address. The ICR might record the name
of the blog: 'Cyberleagle'. It would record the date and time of the access[vii].
It would presumably have to be linked at least to source data identifying (to
the extent possible) the device that accessed the blog.
Mandating that logs of online reading
habits be kept is analogous to being made, in the offline world, to keep a list
of the books, newspapers and magazines that we have read in the last year.
Reading is in the nature of a home
activity. We are far more cautious about the intrusion of general powers into
the home. We treat with greater respect for privacy activity takes place there than
activity that takes place in public or semi-public places[viii].
When considering online activities we
should always consider whether the activity in question is an extension of the
home or an excursion into a public or semi-public place.
State-mandated lists of reading habits also
strike at the heart of freedom of expression. Our freedom to choose what to
read is jealously protected for good reason.
Reading fuels our quest for knowledge. It is emancipatory[ix]. Merely making an officially mandated list of
what we choose to read chills freedom of expression. If the ordinary citizen is
put in the position of worrying about whether reading a controversial website
might excite official suspicion or trip a red flag on some state computer
system, that alone is sufficient to chill freedom of expression whatever the
safeguards and restrictions on access.
A proposed law requiring us to make and
keep a list of physical books, newspapers and magazines that we had read in the
last 12 months could expect to be greeted with public outrage. This aspect of ICRs is an exact parallel.
Reading is also a large part of the
'online visiting' aspect of ICRs. The two are inextricably entangled.
Even if 'reading' websites could somehow
be conceptually separated from 'visiting' websites, it is difficult to envisage
any practicable way in which ICR retention could be implemented for only some
types of website. Either way, the whole proposal would stand or fall with the
'reading' element.
[i] Nor should we forget that when
itemised phone bills first appeared they excited alarm as to how revealing of
people's personal lives they could be.
[ii] Of course other possibilities existed,
such as sending a coded signal by a pre-arranged sequence of calls and
hang-ups. Nevertheless there was still a communication between two people.
[iii] The public telephone number of an
office switchboard is somewhat equivalent in the internet world to an ISP
allocating one public IPv4 address to the household or office router rather
than allocating multiple public IPv4 addresses to individual devices in a household.
An ISP allocating a public IPv4 address to one individual device in the
household or office is a bit like what used to be called a 'direct outside
line'.
[iv] It is somewhat ironic that the example
on page 9 of the ICR Operational Case gives 4 digit extension numbers as an
example of something equivalent to a port number. A private extension number
would never appear on an itemised phone bill. An 'extension' would have
appeared on a bill only if the caller dialled a direct line or a DDI number.
[v] The assumption in the draft Bill appears
to be that all websites would be covered by 'telecommunications service' in
Clause 47(6)(a) (see e.g. the Guide para 44). A scheme that required service providers
subject to a retention notice to determine whether individual websites were or
were not providing a 'telecommunications service' would presumably be
unworkable. If a site were subject to
retention under the (differently worded) Clause 71 but fell outside Clause
47(6)(a), then it would not be subject to the access restrictions of Clause
47(4).
[vi] If
only the destination IP address were logged and not the blog's web address that
might show only that the Blogger platform was accessed. (The Home Office's recent written evidence to the Committee says that subdomains such as "cyberleagle.blogspot.co.uk" would be treated as content, not communications data and so could not form part of an ICR. "www.cyberleagle.com" could still be part of an ICR. This differs from the previously understood position. See my further evidence (PDF) to the Committee.)
[vii] The ICRs Fact Sheet says: "[An ICR]
will involve retention of a destination IP address but can also include a
service name (e.g. Facebook or Google) or a web address (e.g. www.facebook.com
or www.google.com) along with a time/date."