Home
Insightful &
Helpful Articles

Here is what we're working on and
thinking at Hedgehog security.

The retention and disclosure of data represents a continuing threat to privacy if it is accidentally disseminated or misused. A government that has made so little law went into overdrive on Thursday 10 May and published an emergency measure, the Data Retention and Investigatory Powers B ill, to be rushed through the legislative process in less than a week.

This bill, which requires the retention of data by internet service providers and phone companies for use by the police and security services, was announced by a joint press conference of the prime minister and deputy prime minister who explained that their adversaries in the Labour Party were also in agreement to this measure.

So what was the emergency? David Cameron pointed to t he terrorist threat from Syria in particular. We were also reminded, as if we need reminding given the recent media coverage, of the danger posed by paedophiles. It is difficult to argue that the state should not have extensive powers to protect us and our children from both of these threats.

But the real trigger for this bill is the impact of the European Court of Justice judgment of 8 April 2014 in the joined cases of C-293/12 Digital Rights Ireland and C-59 4/12 Seitlinger. That judgment found that the Data Retention (EC Directive) Regulation 2009 (SI 2009/859), which the UK had up to now relied upon for these powers, was unlawful.

It is easy to understand why independent-minded b ackbenchers on both sides of the House of Commons such as David Davies MP and Tom Watson MP were concerned that the nature of the emergency was overstated, given the three months since the decisive judgment (which will have been anticipa ted in any event), and the potential consequences of a failure to scrutinise and debate the important issues at stake in this bill.

Director of Liberty Shami Chakrabarti summed the position up as follows: ?We are promised great er scrutiny and debate but not until 2016, as it seems that all three party leaders have done a deal in private. No privacy for us and no scrutiny for them.?

Putting the birth of the bill to one side for the moment, what is its effect? It is accepted that the bill does not provide for powers the government did not previously have. This bill is a case of clinging on to powers whilst trying not to fall foul of the obligations imposed by European law. The bill me ans that the state retains the power to compel any company providing communications services to UK customers to retain data for a period of up to 12 months and comply with requests from the secretary of state for the interception of that data.

By data, the bill does not refer to the content of the communications but the context: e.g. who communicated with who and when.

So whilst we are not referring to recordings of phone calls or the text of emails, this data remains sensitive and can demonstrate a range of nefarious, or merely private, communications and behaviors. There can be no doubt that the retention and disclosure of this data represents a continuing threat to privacy if it is accidentally disseminated or misused, and neither communications companies nor the state have a terrific record in this respect.

So, is there any good news for those, like me, concerned with the protection of privacy? Potent ially, there is. We are promised the following:

  • A new Privacy and Civil Liberties Oversight Board established to scrutinise the impact of the law on privacy and civil liberties;
  • Annual government transparency re ports on how these powers are being used;
  • A restriction on the number of public bodies, including Royal Mail, able to request communications data under the controversial Regulation of Investigatory Powers Act (RIPA); an d
  • A termination clause ensuring these powers expire at the end of 2016 a wider review of the powers needed by government during the next parliament.

Whether these safeguards satisfy privacy campaigners wil l remain to be seen, and the operation of these safeguards will be closely monitored.

Unless they are sufficiently robust the bill will be vulnerable to further challenges within the ECJ. It is certainly a more measured step th an the so-called ?snoopers? charter? that was previously on this government?s agenda. It is also true that many of the communications companies caught by the bill retain data for this period for their own purposes in any event ? but if s o, the question arises once more: why the urgency?

The data footprint we leave as communications and information technology develops is increasingly illustrative.

The value in this data for security and law enforcemen t purposes is obvious. But the vast majority of this data is of no use for this purpose, it belongs to you and I, and we should all be concerned as to who holds it and why.

Insightful &
Helpful Articles

Here is what we're working on and
thinking at Hedgehog security.

The retention and disclosure of data represent a continuing threat to privacy if it is accidentally disseminated or misused.

A government that has made so little law went into overdrive on Thursday 10 May and published an emergency measure, the Data Retention and Investigatory Powers Bill, to be rushed through the legislative process in less than a week.

This bill, which requires the retention of data by internet service providers and phone companies for use by the police and security services, was announced by a joint press conference of the prime minister and deputy prime minister who explained that their adversaries in the Labour Party were also in agreement to this measure.

So what was the emergency? David Cameron pointed to the terrorist threat from Syria in particular. We were also reminded, as if we need reminding given the recent media coverage, of the danger posed by paedophiles. It is difficult to argue that the state should not have extensive powers to protect us and our children from both of these threats.

But the real trigger for this bill is the impact of the European Court of Justice judgment of 8 April 2014 in the joined cases of C-293/12 Digital Rights Ireland and C-594/12 Seitlinger. That judgment found that the Data Retention (EC Directive) Regulation 2009 (SI 2009/859), which the UK had up to now relied upon for these powers, was unlawful.

It is easy to understand why independent-minded backbenchers on both sides of the House of Commons such as David Davies MP and Tom Watson MP were concerned that the nature of the emergency was overstated, given the three months since the decisive judgment (which will have been anticipated in any event), and the potential consequences of a failure to scrutinise and debate the important issues at stake in this bill.

Director of Liberty Shami Chakrabarti summed the position up as follows: ?We are promised greater scrutiny and debate but not until 2016, as it seems that all three party leaders have done a deal in private. No privacy for us and no scrutiny for them?

Putting the birth of the bill to one side for the moment, what is its effect? It is accepted that the bill does not provide for powers the government did not previously have. This bill is a case of clinging on to powers whilst trying not to fall foul of the obligations imposed by European law. The bill means that the state retains the power to compel any company providing communications services to UK customers to retain data for a period of up to 12 months and comply with requests from the secretary of state for the interception of that data.

By ?data?, the bill does not refer to the content of the communications but the context: e.g. who communicated with who and when.

So whilst we are not referring to recordings of phone calls or the text of emails, this data remains sensitive and can demonstrate a range of nefarious, or merely private, communications and behaviors. There can be no doubt that the retention and disclosure of this data represents a continuing threat to privacy if it is accidentally disseminated or misused, and neither communications companies nor the state have a terrific record in this respect.

So, is there any good news for those, like me, concerned with the protection of privacy? Potentially, there is. We are promised the following:
  • A new Privacy and Civil Liberties Oversight Board established to scrutinise the impact of the law on privacy and civil liberties;
  • Annual government transparency reports on how these powers are being used;
  • A restriction on the number of public bodies, including Royal Mail, able to request communications data under the controversial Regulation of Investigatory Powers Act (RIPA); and
  • A termination clause ensuring these powers expire at the end of 2016 a wider review of the powers needed by government during the next parliament.
Whether these safeguards satisfy privacy campaigners will remain to be seen, and the operation of these safeguards will be closely monitored.

Unless they are sufficiently robust the bill will be vulnerable to further challenges within the ECJ. It is certainly a more measured step than the so-called ?snoopers? charter? that was previously on this government?s agenda. It is also true that many of the communications companies caught by the bill retain data for this period for their own purposes in any event ? but if so, the question arises once more: why the urgency?

The data footprint we leave as communications and information technology develops is increasingly illustrative.

The value in this data for security and law enforcement purposes is obvious. But the vast majority of this data is of no use for this purpose, it belongs to you and I, and we should all be concerned as to who holds it and why.