ZDNet takes a look at the 'Snoopers' Charter' and what businesses need to know about the legislation that proposes to give the authorities access to data about the UK's online communications
The media are calling the Communications Data Bill a 'Snoopers' Charter' — but what do they mean by that?
The Communications Data Bill (CDB), which was laid before parliament on Thursday, will give police, intelligence agencies and HM Revenue and Customs officials access to data about web communications made by UK citizens. The idea is for the authorities to be able to build up an intelligence picture of who is talking to whom, when, and where in the UK.
Such information, according to the Home Office, will give the police access to data about communications to counter serious crimes like terrorism and child abuse.
What is 'communications data'?
In the bill itself, 'communications data' is defined as "traffic data, use data or subscriber data". 'Traffic data' is information used to transmit the communication, including the address on an envelope or the location of a phone; 'use data' relates to itemised records of connections to internet services, and phone records; while 'Subscriber information' includes names and addresses, the bill says.
What's in the Communications Data Bill, aka. the 'Snoopers' Charter'? And what does it mean for businesses?Image credit: Shutterstock
The Home Office meanwhile sums up 'communications data' as information about the sender and recipient of a piece of communication such as an email, text, or instant message, rather than the content of the communication.
A potential problem with this reasoning is that 'communications data' and 'content' in new web communications can be difficult to separate. For example, webmail is transmitted as html, making it difficult to separate the 'to' field from the 'subject' field. To filter the data, communications services providers (CSPs) may have to use 'black boxes' — deep packet inspection (DPI) equipment — which can have an impact on privacy.
The CDB also covers physical communications sent via the postal service. It's unclear how physical letters in the postal service can be attributed to the sender without steaming open the mail — which the UK intelligence services have been known to request.
Under present interception law, the police have to get sign-off from the home secretary to look at the content of communications, but can self-authorise to look at communications data, by getting permission from a senior police officer. The Home Office has said that the police will still need sign-off from the home secretary to look at the content of electronic communications that fall under the remit of the bill.
How could the bill affect businesses?
The bill is likely to have an effect on internet service providers (ISPs). ISPs currently have to log details about email communications and keep those details for 12 months, under the Regulation of Investigatory Powers Act (RIPA).
However, ISPs face having to collect orders of magnitude more data, including details of Facebook communications, webmail and instant messaging, Twitter direct messages, and messages on gaming platforms, and to keep all such details for a year.
Any organisation could be ordered to collect information about communications made using webmail, internet telephony, or instant messaging over its networks, and to retain it for 12 months.
The taxpayer will pick up the estimated £1.8bn cost of the new programme over the next 10 years, but some costs may also be passed on to business and consumer customers by ISPs.
The CDB could have broad implications for many businesses, on top of its effects on ISPs. At present, only public communications services are covered by RIPA, while the CDB could potentially see private companies faced with similar obligations.
The way the CDB is worded means the home secretary has powers to order all network telecommunications providers — potentially all businesses and organisations — to retain data on web communications. In effect, any organisation could be ordered to collect information about communications made using webmail, internet telephony, or instant messaging over its networks, and to retain it for 12 months.
Another potential cost burden on businesses could potentially come from clause 14, which states that the home secretary can order "any person" to hand over information to facilitate data-mining, which involves comparing datasets to identify a person of interest to the authorities. The government envisages CSPs giving automated access to comms data for data-mining purposes, opening up possible security risks and costs for organisations, who will be responsible for protecting that data under UK privacy laws.
Are there any technical issues for businesses around the CDB?
There are a lot of unanswered questions about how organisations will be expected to comply with technical challenges posed by the proposed legislation. For starters, communications services such as Gmail, Twitter, and Skype use encryption by default, making network-level monitoring costly and undesirable. People legitimately use encrypted communications within business to transmit data such as financial details, and to break that encryption by necessity breaks trust in that communication.
For unencrypted communications, service providers regularly update communications protocols, meaning organisations would have to update interception algorithms as soon as the protocols were updated. Every time Google changed its algorithms, for example, CSPs would have to scramble to keep up.
Separating the content from the comms data in web communications would also pose severe challenges for organisations. Service providers see an undifferentiated stream of data in web communications, and would have to look at all of the data using deep packet inspection to be able to filter comms data from content.
Another challenge for organisations could be individuals who don't want their data to be logged: there are a number of well-known and simple methods available to the public to do so.
It sounds like there are some significant challenges surrounding this bill. What's its history?
Under the previous Labour government, the plan was known as the Interception Modernisation Programme (IMP), but was kicked into the long grass after fierce criticism, including from the Conservatives and Liberal Democrats who form the current government. The Home Office quietly continued developing the plan, however, and it was resurrected under the new coalition government as the Communications Capabilities Development Programme (CCDP).
Some of the criticism of the IMP was around a plan for the government to store the data in a centralised database. While there is no centralised database this time around, with the government seeking access 'in near real-time' to a series of decentralised databases maintained by service providers, the net effect could be the same.
Where next for the legislation?
The government has appointed two committees to look at the bill before its starts to go through parliament. The Intelligence and Security Committee will scrutinise the bill from an intelligence standpoint, and a separate, cross parliamentary committee of 12 under Lord Blencathra will also review the bill.
