Saturday, 16 January 2016

An itemised phone bill like none ever seen

[Adapted from my evidence (PDF) to the Joint Parliamentary Committee scrutinising the Draft Investigatory Powers Bill]
Mandatory retention of Internet Connection Records - destination IP address, service name (e.g. Facebook or Google), web address (e.g. www.facebook.com or www.google.com) - would engage the right of freedom of expression.
This may seem a bold claim in the face of the oft-repeated assertion that ICRs are nothing more than the online equivalent of an itemised phone bill. The Home Secretary, introducing the draft Bill, said:
“So, if someone has visited a social media website, an Internet Connection Record will only show that they accessed that site, not the particular pages they looked at, who they communicated with, or what they said. It is simply the modern equivalent of an itemised phone bill.”
In her oral evidence to the Committee on 13 January 2016 she emphasised that:
“You are not trying to find out whether they have looked at certain pages of a website, which is where I think the confusion may arise because of what people felt was in the draft Communications Data Bill. It is simply about that access to a particular site or the use of the internet for a communication.”
If a comparison can be drawn with an itemised phone bill, this would be an itemised phone bill like none ever seen[i]. We can illustrate this by considering the questions that could be answered by scrutinising an actual itemised phone bill compared with one containing the destination information that would be logged in an ICR.
Who has she spoken to?
This is the focus of the traditional itemised phone bill.
The itemised phone bill shows called telephone numbers. In pre-online, pre-mobile days it would have been a fair assumption that whoever was using the telephone was speaking to somebody at the called number, so that a conversation took place[ii].  That might be somebody at a household telephone or at a public telephone box.  The number might be a private office switchboard[iii], at which point the information on the itemised phone bill terminated.  It gave no information about which extension the call was routed to behind the private switchboard, or who took the call at that extension[iv]. (The former changed to an extent with the advent of DDI numbers.)
A subscriber lookup would provide information about the householder or organisation to whom the called number was allocated.
Itemised phone bills have always, with a few exceptions (e.g. dial-up data calls, recorded message services) essentially given information (including when the call was made and its duration) about conversations between human beings.
What has she been doing?
Our notional ICR itemised phone bill now starts to part company from an actual itemised phone bill. It is possible to infer a partial picture of someone's activities by studying a record of whom she has talked to on the telephone.  ICR logs differ in both degree and kind.
ICRs differ in degree in that we now speak on mobile phones and send text, e-mail, SMS and all the other varieties of messages to people in vastly greater volumes than we ever did in the days of landline telephone conversations. This itself provides a vastly richer and more detailed map of our activities than ever was possible with an itemised phone bill.
ICRs differ in kind from an itemised phone bill in that they are not limited to our conversations (whether voice, e-mail or messages) with other people.  An ICR is an itemised phone bill that would log not just whom we conversed with when, but our online journeys: our 'visits' to the bank, the bookshop, the butcher, the baker, the travel agent, the doctor, the clinic, the hospital, the therapist, the support group, the hotel, the club, the concert hall, the public lecture, the political meeting, the trade union office, the ticket agency and so on without limit.
It would go further, logging not just our consciously initiated activities but also those initiated by our smartphones and connected tablets while they are in our pockets, beside our beds at night and so on.
In this respect ICRs bear little resemblance to an itemised phone bill.  If anything they are more akin to universal CCTV surveillance when we step out beyond our front door and venture into public spaces. However that analogy is itself debatable.
What has she been reading?
ICRs would create logs of every website (or equivalent) that we accessed. On my understanding of the draft Bill that would include blogs and newspaper sites[v].
In this regard ICRs are far removed from both itemised phone bills and CCTV in public places. They do not resemble any kind of log that it has been thought appropriate to compel in the offline world.  It is as if, on our notional itemised phone bill, we were to find a state-mandated list of the titles of the books, newspapers and magazines that we had read in the last 12 months.
We never used to read books over the telephone. Now we read blogs remotely. It is a mere accident of technology that by doing that, instead of reading a physical book in an armchair at home, we engage in what the draft Bill (and RIPA before it) classifies as a 'communication'.
DRIPA was limited to something that people would generally regard as an online communication: internet e-mail, SMS messages and the like.  Reading something remotely, however, is not a communication in the sense of a group of conspirators discussing criminal plots between themselves.  It is a highly personal activity of one individual alone.
Someone who accessed my own blog could[vi] trigger the creation of an ICR showing that they had accessed 'cyberleagle.blogspot.co.uk' (the URL up to the first slash - but now see footnote [vi]), or maybe 'www.cyberleagle.com' if they used that address. The ICR might record the name of the blog: 'Cyberleagle'. It would record the date and time of the access[vii]. It would presumably have to be linked at least to source data identifying (to the extent possible) the device that accessed the blog.
Mandating that logs of online reading habits be kept is analogous to being made, in the offline world, to keep a list of the books, newspapers and magazines that we have read in the last year.
Reading is in the nature of a home activity. We are far more cautious about the intrusion of general powers into the home. We treat with greater respect for privacy activity takes place there than activity that takes place in public or semi-public places[viii].  When considering online activities we should always consider whether the activity in question is an extension of the home or an excursion into a public or semi-public place.
State-mandated lists of reading habits also strike at the heart of freedom of expression. Our freedom to choose what to read is jealously protected for good reason.  Reading fuels our quest for knowledge. It is emancipatory[ix].  Merely making an officially mandated list of what we choose to read chills freedom of expression. If the ordinary citizen is put in the position of worrying about whether reading a controversial website might excite official suspicion or trip a red flag on some state computer system, that alone is sufficient to chill freedom of expression whatever the safeguards and restrictions on access.
A proposed law requiring us to make and keep a list of physical books, newspapers and magazines that we had read in the last 12 months could expect to be greeted with public outrage.  This aspect of ICRs is an exact parallel.
Reading is also a large part of the 'online visiting' aspect of ICRs. The two are inextricably entangled.  
Even if 'reading' websites could somehow be conceptually separated from 'visiting' websites, it is difficult to envisage any practicable way in which ICR retention could be implemented for only some types of website. Either way, the whole proposal would stand or fall with the 'reading' element.  



[i]           Nor should we forget that when itemised phone bills first appeared they excited alarm as to how revealing of people's personal lives they could be.
[ii]           Of course other possibilities existed, such as sending a coded signal by a pre-arranged sequence of calls and hang-ups. Nevertheless there was still a communication between two people.
[iii]          The public telephone number of an office switchboard is somewhat equivalent in the internet world to an ISP allocating one public IPv4 address to the household or office router rather than allocating multiple public IPv4 addresses to individual devices in a household. An ISP allocating a public IPv4 address to one individual device in the household or office is a bit like what used to be called a 'direct outside line'.
[iv]          It is somewhat ironic that the example on page 9 of the ICR Operational Case gives 4 digit extension numbers as an example of something equivalent to a port number. A private extension number would never appear on an itemised phone bill. An 'extension' would have appeared on a bill only if the caller dialled a direct line or a DDI number.
[v]           The assumption in the draft Bill appears to be that all websites would be covered by 'telecommunications service' in Clause 47(6)(a) (see e.g. the Guide para 44).  A scheme that required service providers subject to a retention notice to determine whether individual websites were or were not providing a 'telecommunications service' would presumably be unworkable.  If a site were subject to retention under the (differently worded) Clause 71 but fell outside Clause 47(6)(a), then it would not be subject to the access restrictions of Clause 47(4).
[vi]              If only the destination IP address were logged and not the blog's web address that might show only that the Blogger platform was accessed. (The Home Office's recent written evidence to the Committee says that subdomains such as "cyberleagle.blogspot.co.uk" would be treated as content, not communications data and so could not form part of an ICR. "www.cyberleagle.com" could still be part of an ICR. This differs from the previously understood position. See my further evidence (PDF) to the Committee.)    
[vii]         The ICRs Fact Sheet says: "[An ICR] will involve retention of a destination IP address but can also include a service name (e.g. Facebook or Google) or a web address (e.g. www.facebook.com or www.google.com) along with a time/date."
[ix]              "TheresaMay's Threat to the Privacy of Reading" John Naughton, the Guardian, 8 November 2015

No comments:

Post a Comment

Note: only a member of this blog may post a comment.