-
Tempus fugit II …..
Posted on June 29th, 2010

Time flees as the Latin tag says (perhaps more commonly recognised as ‘Time Flies’) and it certainly seems to be the case with Data Retention.
It seems just a short time ago that we were watching the progress of the Directive through the European parliamentary system, from introduction through discussion (is that really the right word for the actions of the UK Presidency in 2005?) to amendment and then to final acceptance and transposition to national law.
In the UK we were there at the beginning, transposing the first parts to apply to fixed line and mobile telephony. 18 months later came the inclusion of Internet data. The interesting bits were the differences between national transpositions - some elected for retention for as little as 6 months, others for 12 and some for as long as 24 months (but would have liked longer). The UK opted to allow for reimbursement of capital expenditure and the provision in relation to Internet data seems to pay only slight compliance - requiring retention of data only where the national authorities deem that it is necessary.
Some member states have only brought data retention within national law in recent months - Portugal in August 2009, Italy at the end of 2009 and Poland only at the beginning of 2010 (UK, 1st phase Sept 2006, 2nd phase March 2008). There remain a number of member states where data retention has still not been applied - Austria, Belgium, Greece, Ireland, Luxembourg, Romania, Sweden - so much for the idea of ensuring a common approach to law enforcement.
But, time flies. The implementation of the Data Retention Directive provided for an evaluation of the Directive. The time has now come for that evaluation and a number of conferences and meetings have taken place. The results of evaluation will be published later in the year, probably in October 2010. After that, the Commission will begin the processes that will lead to proposals for a revised Directive, probably by the end of 2011 with expected implementation by 2014.
It is too early to say what that new Directive may include, but undoubtedly there will be pressure to expand the range of retained data to include a wider range of Information society services - The Crusher would expect to see pressure for the inclusion of social networking data and web site access. There may be some agreement on a reduction in the range of the approved time scales - although as most members currently retain for 12 months this is unlikely to affect the majority (including the UK).
The evaluation report from the Commission does include some interesting data relating to the number of requests for access to retained data in 2008.
| Member State | Requests | Requests / 100K population |
| --- | --- | --- |
| Cyprus | 34 | 3 |
| Czech Republic | 131560 | 1288 |
| Germany | 13348 | 16 |
| Denmark | 3605 | 66 |
| Estonia | 4490 | 346 |
| Greece | 584 | 5 |
| Spain | 72011 | 178 |
| Finland | 4010 | 76 |
| France | 538437 | 866 |
| Ireland | 14095 | 335 |
| Lithuania | 79586 | 2239 |
| Latvia | 16862 | 756 |
| Malta | 867 | 214 |
| Slovenia | 2821 | 141 |
| United Kingdom | 470222 | 769 |

Clearly there are wide variations in the raw number of requests with France and the UK heading the number of actual requests. Of course, both have fairly high populations so it is reasonable that there should be a large number of requests. But, when the figures are compared against the national populations the data requests become more interesting. The right-hand column shows the number of data requests per 100,000 of population. Under this order, Lithuania shows a massive 2239 requests per 100K with the UK behind France at a much lower 769. Yet Cyprus only requests data at the rate of 3 per 100,000!
Of course, there will be variations in what is perceived as relevant crime and the use of data to locate rather than to determine specific use. It may well be that the larger number of requests are being used more as a location tool than as a more detailed investigatory procedure. But, the figure for Lithuania is so much greater than others it does rather beg the question what use is being made of retained data in that small state? Perhaps there remains an investigatory throwback to a previous regime - although the lower (far lower) figures for neighbouring Estonia and Latvia may negate that suggestion.
Interesting data - it will be interesting to watch what comes out of the Commission in late summer/autumn 2010.
-
Tempus fugit …..
Posted on March 4th, 2010

Where does the time go? It seems only just a few weeks ago that we were discussing the ramifications of the proposal for a European Data Retention Directive. The reality is that this was now five years ago and the major discussions took place during the UK Presidency of the European Union in the second half of 2005.
We are now fast approaching the date set within the Directive for the European Commission to report to the European Parliament and the Council on the working of the Directive and its impact on the economic operators and consumers. The date for the submission of the evaluation is 15th September 2010 - just 6 months away now. As a result of the evaluation, the Commission will determine whether it is necessary to amend the provisions, particularly in relation to the nature of the data to be retained and the period of retention. The results of evaluation must be made public.
In the background to the imminent evaluation there are some interesting developments and it is clear that the Directive has not yet been applied across all member states of the European Union.
On March 2nd, the German Constitutional Court ruled that the implementation of the Directive in Germany was in contravention of the German Constitution. Der Spiegel reported on Wednesday 3rd March that the Court had ruled that data collected and retained under the (now unconstitutional) law was to be deleted with immediate effect and that strict controls were to be brought into place before the law could be re-introduced. The case has taken some two years to progress but was brought as a class action on behalf of some 35,000 German citizens who argued that the new law went too far.
The court agreed and said that there was insufficient clarity in the reasons for the retention of data and that there were insufficient safeguards on the data once retained. A key point here is that the Constitutional Court has struck down the German implementation of the Data Retention Directive, not the Directive itself. The German government must now look at the decision of the Court and consider the safeguards that must be put into place before it can draft a new law and introduce that. It is certain that there will now be intense public scrutiny.
Belgium also faces an interesting period, particularly as it is scheduled to take over the rotating Presidency later in the year and will be ‘in the hot seat’ when the evaluation of the Directive is due to be presented. The transposition of the Directive into national (Belgian) law has taken some time and there has been considerable and vocal opposition to the Government proposals. The proposals went much further than provided for within the Directive including banking data and use of the data beyond what may be determined as ‘serious crime’. The Belgian proposals also called for the retention of data at the maximum period (24 months) provided for within the Directive. The initial proposals attracted a negative response from the Belgian data protection agency, an almost unheard of situation - although that eventually was turned around to a more positive response when the proposals were watered down and time scales pulled back to a more standard 12 months.
The Belgian proposals have not yet completed the parliamentary process. In the last couple of months, Belgian ministers have been trying to reach consensus with stakeholder groups to see if they can bring forward a new law before June. That is an important date - the rotating Presidency comes to Belgium on 1st July and the government wants to prevent the country from criticism about their failure to implement whilst they are also supposed to be leading discussions on evaluation.
It is clear that some Belgian politicians had been awaiting the outcome of the case before the German constitutional court. That is now clear - it remains to be seen how this may affect the Belgian transposition.
-
IMP - an overview
Posted on June 22nd, 2009

A significant paper from the LSE provides an overview and substantial critique of the Government plans for review of the interception of communications traffic data - currently under consultation.
The paper, which can be downloaded here, provides a review of UK intercept law, changes in communications and the technological limitations of the proposals for high levels of deep packet inspection (DPI). This is a paper that is informative and a useful contribution to the debate. It notes that there are significant privacy issues although these are for others to discuss. What it does do is to point out the limitations of the core technology concepts behind the Intercept Modernisation Programme (IMP) and ‘Mastering the Internet’, the GCHQ programme aimed at collecting and analysing data within the UK’s Internet traffic.
Every MP and member of the House of Lords should read this - and should then be made to sit an examination on its contents with passage to permission to debate only granted on being able to demonstrate a satisfactory understanding of the content. Well, pigs might fly!
The Home Office Consultation, ‘Protecting the Public in a Changing Communications Environment’ can be downloaded here.
-
Emergency, which service ……..?
Posted on June 16th, 2009

Most people are familiar with the process for making an emergency call - whether it is to the Police, Fire Service, Ambulance or Coastguard. Pick up a phone and dial 999 - or 112 as the pan-European common emergency call number.
When the call is answered by the emergency service operator at the telco, the operator will ask you which service you require and will ask you to confirm the number you are calling from. No problems there.
The operator will see the calling line number displayed in front of them and can immediately cross-reference with reverse look up to identify the location. OK, no problems there - but hold on a minute, what happens if you are not using a land-line?
Technology has moved on and there can no longer be an assumption that all users are calling from a fixed land-line. Emergency calls can be made from a mobile number and, increasingly, from a Voice over IP phone (VoIP). Now, these latter two present something of a problem. Mobile numbers are not geographic (they do not have a specific regional location exchange code) and can be made from pretty much anywhere (except in my house where the mobile does not work!). Emergency operators can access data from the mobile providers to locate the cell where the call is being made from - and triangulation from a number of base stations can provide a fairly accurate geographic location of the calling phone. That’s what law enforcement do when they want to track a criminal or suspect target - the mobile phone is a very effective piece of electronic tracking gadgetry sitting in your pocket. You don’t have to make a call, the phone will register itself with the local cell whenever it is switched on and will thereby give away its position.
OK, again, no real problems there. Problems arise with VoIP. There may be a number associated with a VoIP call but it may be a geographic number and the geographic number assigned to the call may bear no relevance to the actual geographic location of the VoIP handset or software. This may be connecting through any IP link - perhaps a fixed line broadband circuit or perhaps a WiFi connection in a public place (cafe, pub, airport etc.).
The Ofcom General Conditions of Service require providers to make details of callers available to emergency service operators. For fixed line and for mobile calls that is fine - the provider has all the data and can cross-reference databases. For VoIP there is a problem - the VoIP service is likely to be provided by a different service provider to the underlying IP transport. The VoIP provider may have a record of the geographic number associated with the call and may be able to reference that to a customer - but cannot tell whether or not the customer is at the location they have. The IP address used for the call and included within the packet data will be allocated by the ISP providing the transport layer - there may be no quick look-up between the VoIP provider and the ISP to determine the location and user of the IP address. It is quite possible that the VoIP user could log in from a range of IPs during a single day - particularly if they are connecting using WiFi access points.
The problem can have tragic consequences. A Canadian family called the emergency services using a VoIP service - the trackback from their initial service registration indicated a location in Toronto so that was where the medical team was sent. Unfortunately the family were hundreds of miles away in Calgary and had not updated the location information held by the VoIP provider.
To overcome the problem the emergency services want to be able to make a quick look up request to ISPs to determine the telephone line reference (CBUK record) for the line on which the VoIP call originated. That might seem straightforward but the practicalities are much less so. There is no standard format for ISP customer service records and there is no standard interface that will allow an external agency to access and request information from those databases. Emergency service developers have suggested that ISPs should install systems that will allow real-time look-up requests from the emergency service operator. The operator would identify the call as a VoIP origin, identify the associated IP address, refer that to a central look-up registry to identify the ISP (RIPE?) and then pass the request to the ISP who would be expected to return the CBUK reference for the line. All this in real-time and in no longer than it has taken you to read this last paragraph.
The implementation of the Data Retention Directive at a European level has meant that there have been developments to create a standardised form of data request - ETSI standards. Implementing these may be fine for the larger operators who have teams of developers and can bear the costs. But for the medium and smaller level ISPs there will be a real problem - substantial development costs and quite likely whole changes to back end and Internet facing systems. It is quite likely that the smaller ISPs will simply not have the resources to be able to comply.
The Crusher can see another problem here. Once an interface system is in place then a remote operator will be able to input an IP address and return a telephone line reference which can be used to determine a location. That is exactly the type of information that typical Section 22 notices issued under the Regulation of Investigatory Powers Act (RIPA) often require - law enforcement agencies can issue a notice requiring an ISP to provide details of a user. Requests often cite a date, time and IP address - and require the ISP to identify the user. If that can be done automatically by the emergency operator then it will not be long before other parts of law enforcement agencies (LEAs) identify the route as a rapid way to investigative data. Politicians will trot out the tired old lines about importance for public safety, citizens have nothing to fear etc. And will then introduce legislative changes that permit LEAs to process automatic data requests.
Any development for emergency use will have to be developed with extensive safeguards and strict controls. These must ensure that access can only be made in genuine emergency situations and that it is not possible for investigators to access for alternate purposes. Equally, it must not be possible for other organisations to attempt to access data - for example, for rights owners to try to identify end users flagged up as potential copyright infringers.
The emergency request is fairly self-explanatory. The problem is the likelihood and the inevitability of mission creep.
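The safeguards argued for above can be enforced in the look-up interface itself. The following is an added sketch, not part of the original post and not any real emergency-service or ISP system: a gateway that answers an IP-to-line look-up only when it is tied to a live emergency call, and logs every attempt. All names, addresses and line references are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data: documentation address ranges and made-up line references.
ISP_ALLOCATIONS = {"198.51.100.0/24": "isp-a", "203.0.113.0/24": "isp-b"}
ISP_SESSIONS = {
    # isp -> (ip, session start, session end, line reference)
    "isp-a": [("198.51.100.7", 1000, 2000, "LINE-REF-0001"),
              ("198.51.100.7", 2000, 3000, "LINE-REF-0002")],
    "isp-b": [("203.0.113.20", 500, 5000, "LINE-REF-0003")],
}
MAX_CALL_AGE = 900  # seconds after call start during which a look-up is allowed


def find_isp(ip):
    """Central registry step: which ISP holds the allocation for this address?"""
    addr = ipaddress.ip_address(ip)
    for cidr, isp in ISP_ALLOCATIONS.items():
        if addr in ipaddress.ip_network(cidr):
            return isp
    return None


def isp_line_reference(isp, ip, at):
    """ISP step: which line held this address at time `at`?"""
    for sess_ip, start, end, line_ref in ISP_SESSIONS.get(isp, []):
        if sess_ip == ip and start <= at < end:
            return line_ref
    return None


@dataclass
class EmergencyCall:
    call_id: str
    source_ip: str   # address seen in the call signalling
    started_at: int


@dataclass
class LookupGateway:
    active_calls: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def register_call(self, call):
        # Only the call-handling platform, not the operator, creates call records.
        self.active_calls[call.call_id] = call

    def lookup(self, operator_id, call_id, ip, now):
        """Answer only for the address of a live emergency call; audit everything."""
        call = self.active_calls.get(call_id)
        result = None
        if call is None:
            outcome = "denied:no-active-call"
        elif call.source_ip != ip:
            outcome = "denied:ip-not-in-call"
        elif not 0 <= now - call.started_at <= MAX_CALL_AGE:
            outcome = "denied:call-expired"
        else:
            isp = find_isp(ip)
            # The query time is taken from the call record, never from the caller
            # of lookup(), so arbitrary "date, time and IP" queries are impossible.
            if isp:
                result = isp_line_reference(isp, ip, call.started_at)
            outcome = "answered" if result else "no-record"
        self.audit_log.append((now, operator_id, call_id, ip, outcome))
        return result


def demo():
    gw = LookupGateway()
    gw.register_call(EmergencyCall("call-1", "198.51.100.7", 2500))
    results = [
        gw.lookup("op-17", "call-1", "198.51.100.7", now=2530),       # live call
        gw.lookup("op-17", "call-1", "203.0.113.20", now=2530),       # other IP
        gw.lookup("op-99", "no-such-call", "198.51.100.7", now=2530), # no call
        gw.lookup("op-17", "call-1", "198.51.100.7", now=9000),       # too late
    ]
    return results, [entry[4] for entry in gw.audit_log]


if __name__ == "__main__":
    for line in zip(*demo()):
        print(line)
```

The audit log records denied attempts as well as answered ones, which is what lets a reviewer spot the interface being probed for other purposes.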
-
Article 8 again ….. and the UK loses another case!
Posted on May 22nd, 2009

A few months ago we heard the outcomes of the case of ‘Marper and S v United Kingdom’ brought before the European Court of Human Rights. Now, you may remember this one - something of a landmark. The court opined that the storage of DNA profiles in England was contrary to the privacy requirements enshrined under Article 8 of the European Convention on Human Rights.
Just in case you had missed the Article, it states:
ARTICLE 8
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
The problem for the UK, and for England in particular, was that the claimants in the case were innocent persons who had not been charged or convicted of any offence. It was, said the Court, an infringement of their privacy for their DNA records to be retained within a national criminal database. Now, interestingly Scotland applies the law in a different way to England (of course!) and the Scottish model was approved by the European Court. The Conservatives have given a commitment to implementing the Scottish model when (not if!) they win the next election. We’ll hold them to that. The Government in London has now announced a revision of rules to apply in England - rules that have all the subtlety of a two fingered salute to Europe - and has indicated that it will change the rules to allow law enforcement to retain data for 6 or 12 years. No intention there to remove the data as required by the European court.
But - along comes another case and again the Courts find that the actions of law enforcement in the UK go against the requirements of Article 8. Andrew Wood had his photograph taken by police surveillance units when (perfectly legitimately) he attended the AGM of a company in which he had shares. The police photographs were stored on file and were potentially available for use in investigation of other acts. The Appeal Court has now ruled (2 to 1) in the case and has instructed the Metropolitan Police to destroy copies of photographs of Mr Wood.
The implications here are interesting. The police must now destroy Mr Wood’s images - but must also now look to identifying, removing and destroying images of other perfectly law abiding persons who happened to come in front of their surveillance photographers - perhaps at football matches, demonstrations etc. Taking photographs is a legitimate practice the court held - but the police should identify those who were of good character and should destroy the images. The implication of that opinion by Lord Justice Dyson is that images should only be retained of those who are nicked - and they will be photographed at the police station anyway so facial recognition should be able to locate, and identify them in surveillance image databases. Anyone else should then be deleted.
Naturally the police were not too happy and may now consider an appeal to the House of Lords (note - there was one dissenting opinion in which Lord Justice Laws argued that the police were ‘operating within the margin of operational discretion in keeping the photos’).
The Crusher senses the wind of change blowing - the surveillance society created under New Labour is unravelling before the courts. With an increasingly lame duck administration and an imminent election (which the PM has tacitly recognised that Labour will lose) we may be seeing a few steps back from the oppressive nature of surveillance. Where next - data retention and the Communications Data Bill?
-
Not so centralised database ……
Posted on May 1st, 2009

So, after all the speculation, the Home Office have now published the consultation paper on ‘Protecting the Public in a Changing Communications Environment’ and it now makes clear that the idea of a single centralised database containing records of all telephone calls, Internet login/logout, email, web access etc. has been kicked into touch. Page 25 of the paper makes clear, ‘The Government has no plans to create a centralised database to store all communications data.’
However, it is also clear that this would be the preferred option, ‘This approach would have several advantages. It would be the option most likely to come close to maintaining the historic capability of public authorities in their use of communications data. It would be the most effective at delivering fast and efficient access in support of the law enforcement and intelligence agencies and emergency services; the least challenging technically to implement; and the cheapest to build and run.’ But, Government is clearly aware of the sensitive politics of any implementation in this manner and has accepted that this would be a step too far and a massive intrusion into privacy. Richard Thomas, Information Commissioner, had made it quite clear that a single centralised database would be seen as an infringement of data privacy legislation and this advice seems to have been taken on board, ‘The Government recognises the privacy implications in holding all communications data from the UK from a 12-month period in a single store. The Government therefore does not propose to pursue this approach.’
So, the remaining option is to require communications service providers (CSPs) to retain data themselves and to release to national security and law enforcement authorities on receipt of the appropriate (RIPA) authority. That is similar to the current provision and the requirements of the Data Retention Regulations. However, the proposed plans go further than the requirements of the European Data Retention Directive (DRD) - law enforcement agencies have advised government that they require access to a broader range of data than that required under DRD. “We also need to ensure that UK companies collect and store additional types of communications data about their own services, which are not included under the EU Data Retention Directive. This includes data that communication service providers do not generate or process about their services.”
So what would this additional data retention requirement include? Web access for certain - but again, not the content, only the access to the server (to the domain rather than to internal pages), volume of data transferred (download/upload), access to third party services.
Ah, this last is interesting. Access to third party services. Government is clearly aware of the limitations of the DRD and is now looking to close loopholes. DRD does not include web access and does not include access to services that are not hosted in the UK. Now, we know that a large number of users use webmail and that the major services (Hotmail, Gmail etc.) are hosted in the US. There is no provision under DRD for retention of any data relating to mail sent via these services - nor for any retention of data sent via other means including social networking sites, game sites, forums etc. Govt. now wants to close this loophole, ‘This would include third party data relating to internet-based services and communications services provided from outside the UK.’
Now that leaves some interesting questions. If CSPs are to be required to retain data relating to access to systems and servers outside of their network (and outside of the UK and EU) then they are going to have to collect the data by analysing the traffic flow on their own network. In practice this means deep packet inspection (DPI) of ALL traffic. DPI imposes some overheads - in order to undertake analysis and extraction of data without impacting on user experience will require real-time inspection with substantial processing demands. That is expensive. Well, at least the Govt. recognise this as the potential costs are estimated in the consultation as £2 Billion (yes, that’s right, 2 BILLION pounds).
The technical limitations are not the only concern. For CSPs to effectively read each and every packet will require substantial changes to current legislation. In effect, what will be required will be the electronic equivalent of opening mail, checking the contents and storing data. It is illegal to intercept the post, it is illegal to intercept traffic in a communications environment. Clearly the intention of the Government is to change the legal position to allow CSPs to analyse traffic and to retain data.
At present, there may be some inspection going on at CSP level in order to identify traffic types and to prioritise traffic flow - packet shaping. This is used to control use of high volume services such as peer to peer transfer. What is currently done is relatively simple compared to what may be required - traffic packets are checked to see what the type of data is and automatically routed or controlled as a result. The plan is for data to be read and then recorded and retained - and for the data to be retained for 12 months.
Now we can see an advantage for the Govt. in making CSPs retain the data. If there is a leak of data then it will be the CSPs at fault and not the Govt. Govt. agencies (national security, law enforcement etc.) will only become involved when they request data to be transferred from the CSP store.
The single centralised database has become a decentralised, distributed store of data. Once you set those up, the next step is to look to see how they could all be linked. We know that the Govt. views the single database as being the best option (and the cheapest). What they are going to do is to plan a distributed store that may circumvent privacy concerns, will be more expensive but will still store the same information. And that is going to be far more than is currently retained.
Privacy watchdogs will just be sharpening their claws - they will need them.
-
May we live in interesting times ……!
Posted on April 25th, 2009

The next week (week beginning 27th April 2009) appears to have the makings of a rather interesting time. Perhaps the ancient Chinese proverb was indeed close to the truth.
Later this week we expect the Home Office to publish details of the Intercept Modernisation Programme and the Communications Data Bill. Readers will remember that the Bill was originally trailed in the Government’s Draft Legislative Programme published in summer 2008 but was quietly dropped from the Queen’s Speech later in the year for ‘additional public consultation.’
Well, it seems that time for consultation is here and we now expect the Home Office to publish the consultation document and details of the Intercept Modernisation Programme (IMP). The Daily Telegraph today (Saturday 25th April) printed a front page story to indicate that the consultation will resurrect the ideas of a single centralised database to hold details of all telephone calls, emails, web access etc. The Telegraph reports (in print - it does not appear on their web site - why not?) that the Information Commissioner has reiterated his opposition to the database, indicating that he considers this to be a major intrusion into privacy.
The Government, of course, appear to be trotting out the same old story - we need to monitor web access, email etc. in order to track terrorists and serious organised crime. And, if recent performance is anything to go by, also those sending their children to school and those ‘allowing’ their dogs to foul the pavement.
There are fundamental issues of privacy and rights of the individual at stake here. The current authoritarian and nanny obsessed government simply cannot be allowed to rail-road this legislation through. Remember the sentient words of Benjamin Franklin in 1775, ‘Those who give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.’
What we need is a little real risk assessment and some real truths - not the one-sided ‘business case’ that we have seen with other consultations. This is a fundamental issue of rights and the ability of the Government to spy on its own citizens. Levels of control as are being suggested have only existed in the most heinous totalitarian regimes - we cannot sleep walk into allowing a British government to overturn centuries of hard won reforms for a short term gain. As Franklin suggests, the cost to the people is just too great.
-
DNA retention - Sir Alec speaks out
Posted on April 15th, 2009

An interesting piece on BBC Radio 4 today - 15th April. Martha Kearney interviewed Professor Sir Alec Jeffreys on the ‘World at One’ about the Home Office response to the recent S and Marper judgement in the European Court of Human Rights.
Now that judgement was unequivocal - in a judgement delivered unanimously (17-0) the judges of the ECHR held that the retention of the applicants’ fingerprints, cellular samples and DNA profiles was in violation of Article 8 of the European Convention on Human Rights (Article 8 deals with the right to privacy). The full judgement makes interesting reading and is recommended.
Now, Sir Alec Jeffreys should know a thing or two. He developed the DNA fingerprint technique whilst working at the University of Leicester in the early 1980s. It is interesting that he is very concerned about the expansion of the UK DNA database and, in particular, its inclusion and retention of data relating to innocent persons (ie those not convicted of any crime). Today he condemned the Govt. for branding innocent people as criminals by not destroying their DNA profiles.
The Home Office recognise that the UK database is the largest of its kind in the world - to quote their own website: ‘The UK’s database is the largest of any country: 5.2% of the UK population is on the database compared with 0.5% in the USA. The database has expanded significantly over the last five years. By the end of 2005 over 3.4 million DNA profiles were held on the database – the profiles of the majority of the known active offender population.’.
The Home Office goes on to note that other police forces are keen to emulate the crime solving success of the database. OK, so the database can help to solve crime. But it contains the records of people unconnected with any crime and may serve to stigmatise those. Anecdotal evidence suggests that the database contains disproportionate records of certain groups within the population - it has been suggested that the database contains the DNA profiles of some 40% of the black youth population of the UK.
It was the retention of data relating to innocent persons and the disproportionate nature of data in the database that attracted the dismay of the European judicial process. Today the Home Office told the BBC that it was their intention to bring forward an amendment to the Policing and Crime Bill to allow them to retain DNA and that the new regulations would be subject to full public consultation. An interesting response from the Home Office and somewhat at odds to the response to the ECHR judgement shown on their website, ‘The Government recognises the importance of the Judgment and will publish its response and timeline to the Court’s findings as soon as possible.’ Bringing forward regulations to allow the retention of DNA data hardly seems to recognise the important and significant comments made in the judgement, in fact, it flies in the face of the judgement and suggests that the Government intend to plough ahead and to ignore the advice of learned judges in Strasbourg.
The ECHR judgement indicated that retention was blanket and indiscriminate - and there are suggestions that there may be up to 800,000 records of people who have no criminal conviction. The BBC reported that the Govt. had suggested that it would be prepared to remove profiles from the database but would retain the original DNA samples - this matches up with the suggested changes to the Police and Crime Bill.
Removing the DNA profiles of innocent people is what the judgement indicates. Retaining the original DNA samples makes a mockery of the judgement - it is easy to re-profile the samples at a later date and to re-populate the database. Quite simply this is sticking two fingers up to the ECHR.
The Home Office and law enforcement agencies and officials must realise and must be made to realise that nothing short of complete removal and destruction of all records and samples relating to those not convicted or charged with any offence will do. The data relating to innocent persons must be removed from the database and there must not be workarounds or variations to allow DNA to be retained. Retaining DNA is an infringement of individual privacy and there must be no process to allow retention where there is no crime.
This is all about proportionality. The risk of crime and the demands of crime detection do not override the risks of damage to those concepts that we hold dear - the right of a democratic approach where a person is held to be innocent unless proven guilty beyond all reasonable doubt and where individual privacy is respected.
This Government steps out against the ECHR at its own peril. The population can see, and are seeing, the results.
[Note: The Police and Criminal Evidence Act (PACE) and the PACE Code of Practice 'D' set out the manner of collection of fingerprints, DNA samples etc. It is important to note that fingerprints or DNA samples taken on a 'speculative' basis must be destroyed unless the subject has given permission for the data to be retained. Once permission is granted it cannot be revoked. It would be sensible to refuse permission for data to be retained.]
-
Contents - 89
Posted on March 31st, 2009 No comments
Just a week ago (24th March to be exact) the House of Lords had their chance to debate the Draft Data Retention Regulations. Lord West moved that the Draft Regulations be approved - but Baroness Neville-Jones introduced an amendment which provided the opportunity for some interesting debate and comment.
The noble Baroness attempted to insert a clause into the motion to approve the regulations, “but notes with regret the intrusions into privacy that would result from their implementation, in that the regulations substantially extend the range of communications data that must be collected to include information on personal e-mails and internet activity, and that the regulations allow hundreds of different public bodies access to information on personal e-mails and internet activity; and therefore calls upon the Government to withdraw the regulations, and to introduce primary legislation on the retention of communications data that will enable detailed parliamentary scrutiny of such proposals.”
A full transcript of the Lords discussion can be found in Hansard. The transcript is worth reading - but there are some particular comments by Baroness Neville-Jones, by Baroness Miller and by the Earl of Northesk that show that their noble Lordships are well informed and knowledgeable on the subject of technical intervention, data protection and privacy. Perhaps more so than some in another place!
Lord West (Parliamentary Under Secretary of State, Home Office) gave the by now fairly standard government position - use of data for serious crime (referring to the Soham murders etc.), importance for anti-terrorism investigations etc. and noted that the new regulations would introduce notice to service providers, reimbursement of costs (the UK is the only member state to have provided this) and the setting up of an implementation group to oversee provisions.
Introducing her amendment, Baroness Neville-Jones posed a number of questions. She made it clear that there was no opposition to the need to obtain data to prevent serious crime (quite right, I have no objections to that) but that there were questions relating to access (RIPA) and to the relationship with the Intercept Modernisation Programme.
Firstly, “The instrument could very well be extended to cover a much wider range of communications than those outlined by the Minister…. the truth is that it is very difficult with internet communications to separate the content from the who, what, where, when and how.”
Secondly, “On the instrument’s relationship with RIPA, as it stands that Act has abusively wide scope which will certainly extend the use of communications data of this kind to many other different bodies for many reasons, some of them very trivial.”
Thirdly, “Setting all this in the context of the interception modernisation programme that the Minister mentioned, it is not at all clear to this side of the House how this regulation fits into this programme. We fear that we are moving on auto pilot to a stage where there is no longer a meaningful distinction between content and communications data, and one which may well involve a huge centralisation of data by Government.”
The noble Baroness pointed out that differentiating between traffic and content data was quite easy in relation to telephone calls, not so for Internet traffic. Guidance would be forthcoming but only after the regulations became effective - suggested as rather putting the cart before the horse! The Earl of Northesk noted, “my noble friend’s excellent and devastating critique” before continuing “it is a source of regret to me that the Government’s justifications for their data retention policy—and, it has to be said, various other IT fields—seem to be riddled with intellectual and technological vacuity.” You do get a better class of comment in the Lords! The real point that the Earl was making was that whilst it is possible for investigators “to generate whole life profiles on individuals who may be engaged in terrorist or criminal activities” it is equally possible to use globally retained data to build “detailed whole-of-life profiles of every single citizen in a member state ….. The stark reality is that, on the Government’s own admission, the communications data on their own are more than adequate to define the individual and the minutiae of his or her life.”
When the Minister (Lord West) replied he was to make an interesting comment. At various times the industry had queried the retention of data relating to junk mail or SPAM. Now, spam accounts for some 94% of the mail going through a typical ISP’s servers on a daily basis and is often filtered and deleted without being delivered. As such it is in much the same position as ‘unconnected calls’ as cited within the Directive. There is no requirement to retain data about unconnected calls - if you apply the logic then there should not be any requirement to retain data about spam, with a substantial impact on the storage capacity for retained email data. There is no provision within the Directive nor within the Regulations to exempt spam. Yet, in responding, Lord West said, “spam is not retained. ISPs already deal with spam and are able to tell the difference between that and other data.” There is a clear indication here by the Minister that there is no need to retain data relating to spam mail. As a statement by the Minister in Parliament it must be assumed that this may be cited as precedent and indicating the will of Parliament in a case before the Courts.
Baroness Neville-Jones has some experience of the European process (Deputy to Commissioner Tugendhat) and noted that it was unlikely that the Govt. would face legal proceedings if they failed to transpose within the deadline set by the Directive. Of course, discussions in both Commons and Lords were already beyond the deadline so there was already a failure to meet the precise requirement. “I am not impressed by the notion that we have to pass this piece of legislation now in order to avoid infringement proceedings. Given the importance of the matters we are scrutinising, I repeat that I beg the Government to withdraw these regulations and produce at the earliest opportunity proper, primary legislation on communications data.”
So, the motion was put before the House. The Lords divided and the result was a much closer thing than the Govt. may have wished. 89 voted ‘Content’ (ie for the amendment) with 93 ‘Not Content’. Interestingly, 182 Lords present in the House to vote - in the Commons the vote in committee was just 8 ‘Ayes’ and 6 ‘Noes’ - a total of 14. Don’t you just love those Lords!
Back again to the decision by the Administrative Court in Wiesbaden, Federal Republic of Germany: “data retention violates the fundamental right to privacy. It is not necessary in a democratic society. The individual does not provoke the interference but can be intimidated by the risks of abuse and the feeling of being under surveillance … The directive [on data retention] does not respect the principle of proportionality guaranteed in Article 8 ECHR, which is why it is invalid”.
The German situation is now to be reviewed by the European Courts - taking that as a starting point, Baroness Neville-Jones put down a question for the Government to answer, “To ask Her Majesty’s Government whether the bringing into force of the Data Retention (EC Directive) Regulations 2009 will be delayed until the European Court of Justice rules in respect of the conformity of the data retention directive with the European Convention on Human Rights in the case brought before it by the German Working Group on Data Retention.”
Somehow I think the answer from HMG will just be, No! The answer from the ECJ will be much more interesting and, if it follows the precedent of the DNA database in S and Marper v United Kingdom, may well be that the provisions of the Directive are indeed not compliant with Article 8 and the right to privacy. May we live in interesting times.
One final comment from the Lords debate. Lord Willoughby de Broke noted, “The final sentence of the amendment calls upon the Government to, ‘withdraw the Regulations, and to introduce primary legislation on the retention of communications’, and so on. Does that mean amending the regulations or withdrawing them, and would that be acceptable to the real Government in this case—the unelected and unsackable Government in Brussels?” ……..[my italics]
A better standard of debate than in the other place? Yes, it would seem so. Perhaps the noble Lords are less inclined to worry about claiming for kitchen sinks and bath plugs and second homes. All they can claim is an allowance to pay for meals, hotels, taxis and other expenses associated with their roles. Peers’ expenses in 2006 totalled some £17Million - in 2007, 646 MPs claimed £93Million.
-
Next target - social networking
Posted on March 25th, 2009 No comments
When the Minister of State at the Home Office with responsibility for Policing, Vernon Coaker, introduced the Draft Data Retention Regulations before the Delegated Legislation Committee, he was asked whether the regulations would apply to Social Networking sites such as Facebook, Bebo etc. The Minister’s reply was that they would not. There is no provision within the underlying European Directive for such and to introduce one within the Regulations would be seen as a clear example of ‘gold plating.’ Not that the UK has been shy of such provisions in the past of course. Social networking sites fall within the description of Information Society services and outside the obligations on public electronic communications services and public communications networks as provided for within Art. 2 of the Directive.
Members of the committee noted that there was some, possibly anecdotal, evidence of criminal usage of social networking. Now there’s a surprise! And criminals use the telephone, write letters, send texts and actually talk to each other.
Now it seems that Ministers are looking to close what they perceive as a gap. Vernon Coaker said, “Social networking sites, such as MySpace or Bebo, are not covered by the directive. That is one reason why the Government are looking at what we should do about the intercept modernisation programme because there are certain aspects of communications which are not covered by the directive.” To introduce retention for social networking will require inclusion within primary legislation - and that may well be within the Communications Data Bill as it eventually appears. That was initially trailed within the Draft Legislative Programme but was dropped in the face of mounting criticism. Dropped then but, of course, not forgotten by one of the most authoritarian governments we have ever seen. We do now anticipate ‘consultation’ on the Communications Data proposals in the near future and it is now likely that there will be elements to extend the provisions of the Data Retention Directive. The key areas will be the introduction of primary legislation to underpin the Intercept Modernisation Programme (IMP) and the likely ‘discussion’ of the ‘benefits’ of incorporating all traffic data within a single national database. Watch the Ministerial announcements over the next few weeks!
The single database has already been roundly criticised by privacy campaigners and by the Information Commissioner. Not that any of this is likely to deflect ministerial opinion from the ‘benefits’ of accessing data in the ‘fight’ against terrorism. That may just be acceptable for many of the population but it is the provision of access to hundreds of national and local governmental bodies and organisations that worries the majority. Once you have a single point of access to combined data relating to phone calls, email traffic, internet access, use of social networking etc. you can build a profile. That profile could then be accessible to a very broad range of ‘officials’ and, as commented by Isabella Sankey at Liberty, “would turn millions of innocent Britons into permanent suspects.”
When the Iron Curtain collapsed in 1989 the profiles collected by the East German Stasi were uncovered - not only collected on their own population but also on others. No surprises then that Germans and other Eastern Europeans have a marked reluctance to return to this kind of retention.
Watch the announcements - they will all focus on terrorism. The actuality will be access for ‘serious crime’ - and the definition of what may be considered as serious crime will be rather wide. Dog fouling is a matter of public health - and thereby potentially a serious crime. Enter all those Winston Smiths in public offices across the land.
Back to the Minister, “It is absolutely right to point out the difficulty of ensuring that we maintain a capability and a capacity to deal with crime and issues of national security, and where that butts up against issues of privacy.”
Yes Mr Coaker, we need to look at where national security butts up against privacy. There are already provisions that allow monitoring - but a single centralised database accessible by a wide range of ‘officials’ remains a step too far.


