foundation for information policy research
> Home
> About
> Policy Work
> Trust in E-commerce and E-government
> Surveillance and security
> Intellectual property and the public domain
> International law and the Internet
> Academic freedom
> Achievements
> Friends of FIPR
> Events
> Contact FIPR

FIPR response to the access to communications data consultation

  1. The Foundation for Information Policy Research [http://www.fipr.org/] is an independent body that studies the interaction between information technology and society. Its goal is to identify technical developments with significant social impact, commission and undertake research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers.

  2. Our views on the key issues identified by the consultation document are as follows:

    3. Authorisation

  3. Appropriate authorisation requirements for access to communications data are vital for public trust in the system. Existing legislation contains some of the mechanisms that could provide these requirements. But others will require new primary legislation.

  4. Access to subscriber data (such as the name and address of the owner of a telephone number or e-mail address) is the least intrusive of the access powers. It is also extremely common. Although precise figures are not published, we estimate that over one million such requests are made every year in the UK. The regime under the Regulation of Investigatory Powers Act (RIPA) for access to this data therefore seems reasonably appropriate.

  5. Access to other types of communications data is far more intrusive. Information on a person's contacts, reading habits and even mobile phone location all provide a detailed picture of that person's private life. This traffic and usage data should therefore only be available upon issuance of a judicial warrant.

  6. However, the cost recovery mechanisms contained in RIPA are an important financial constraint on the actions of law enforcement agencies and help to ensure that their use of the powers is proportionate to what can be gained from them. The requirement to liaise with Communications Service Providers (CSPs) through a Single Point of Contact (SPoC) is also vital to the smooth provision of service by CSPs.

  7. New primary legislation should therefore be brought forward to provide for judicial authorisation of access to the traffic and usage data defined in s.21(4)(a) and (b) of RIPA with mandatory cost recovery and use of SPoCs. For clarity, these two subsections should be merged into a simpler definition of traffic data. s.21(4)(c) should be rewritten as a clearer definition of subscriber data.

  8. With or without new primary legislation, additional agencies should only be provided with access to traffic and usage data after presenting the strongest case. The emergency services and police agencies identified in s.46 of the consultation document are the only bodies that appear to have such a case.

  9. Other agencies should conduct joint investigations with the police where traffic or usage data is required. They do not have, and will not obtain, the experience necessary to properly identify, request and analyse traffic and usage data given the low volume of their requests.

  10. This joint approach is already being taken by bodies such as the Department for Environment, Food and Rural Affairs. It should be expanded by only giving access to subscriber data to these other agencies.

  11. Several other pieces of legislation give powers to demand records to agencies such as the Department for Work and Pensions. As with interception, new primary legislation should make clear that communications data may only be accessed through properly human rights-compliant RIPA procedures.

  12. Although outside the subject of this consultation, the interception of communications is clearly the most invasive type of access power. It should require explicit judicial rather than ministerial authorisation. A set of security-cleared judges should deal with national security cases; the rest of the judiciary are already experienced in dealing with sensitive material in serious crime cases.

    13. Usage

  13. The consultation document suggests an additional safeguard for access powers: a certification scheme that could verify the procedures used and actions taken within agencies when requesting communications data. We would suggest that this should already be part of the Interception Commissioner's function. The involvement of the Information Commissioner might increase public confidence in the rigour of the certification process.

    14. Oversight

  14. We do not believe that one centralised office (of the Interception Commissioner) can provide proper oversight of more than one million requests per year. Even when properly resourced, the office will only be able to examine a tiny fraction of the total requests made.

  15. It is therefore vital that the subjects of requests should be notified of the access at some later point. This would provide much greater transparency in the use of these powers, and an important check on abuse by the state or corrupt agency staff. A judicial warrant should allow notification to be delayed if it would prejudice an ongoing investigation.

  16. The Interception Commissioner should continue to oversee the system, but publish far more detailed statistics on its operation, including the material necessary to enable outsiders to make an informed appreciation of the justifiability of the use of invasive powers. These could include the number of specific devices covered by notices, and cases brought to trial and successfully prosecuted per notice.

  17. The Commissioner should make a much greater effort to engage with the public, whose interests he is supposed to represent, and explain how the system is working and any faults he has uncovered.

    18. Sanctions

  18. There is no point in proposing rules for access to communications data without effective sanctions for breaking those rules. The prospect of officials able to abuse rules without fear of sanction can be guaranteed to erode public trust in law enforcement and in public services generally.

  19. Illegally obtained data should be inadmissible in evidence.

    20. Wider debate

  20. The consultation document asks whether a wider public debate is needed on privacy. The furore caused by last summer's RIPA Statutory Instruments makes clear that it is. This is an issue that will only become more pressing as more and more details of our lives are captured online.

  21. One step that would encourage an ongoing debate would be an annual discussion in Parliament. The Commons Committee on the Lord Chancellor's Department might like to scrutinise the annual reports of the Interception, Surveillance and Information Commissioners in a session that also examined other privacy issues that had arisen during the year.

    22. Summary

  22. Public confidence in the communications surveillance system requires impartial control and oversight, along with credible sanctions for abuse. Judicial authorisation should therefore be required for access to traffic and usage data. Agencies without the strongest case for access to such sensitive data should instead conduct joint investigations with the police when necessary. Other legislative powers to access records should exclude communications data. Subjects of requests should be later notified, and detailed statistics published annually by the Interception Commissioner.

  23. With these safeguards in place, government may start to earn public trust in its activity online. Without them, trust in law enforcement and in government more generally will be further eroded. This is not a situation that anyone should wish to come about.

Valid XHTML 1.0
Problems viewing this site?