The coalition looks likely to forge ahead with the previous government's plans to intercept web communications, despite pre-election pledges from the Conservatives and the Liberal Democrats to reduce surveillance of citizens.
A passage in the newly released Strategic Defence Security Review (SDSR) outlined a plan to monitor messages, with reference to new technology.
The government will "introduce a programme to preserve the ability of the security, intelligence and law enforcement agencies to obtain communication data and to intercept communications within the appropriate legal framework. This programme is required to keep up with changing technology and to maintain capabilities that are vital to the work these agencies do to protect the public", it said in the security review, published on Tuesday.
Specific details of the plans are not immediately available, a Home Office spokeswoman told ZDNet UK on Thursday. She declined to say whether the government planned to monitor all web communications.
"The premise is similar [to the previous government's plans]," she said. "[The SDSR indicates] an intent to take forward a programme of work."
The previous Labour government formulated a plan to have ISPs, social-networking sites and other communications service providers collect traffic data on all web communications under the Interception Modernisation Programme. The scheme aimed to gather information on the sender, recipient, timing and location of every email and other message sent via the web. The data, harvested using deep-packet inspection, was to be stored in a manner to allow law enforcement and the intelligence services to track any individual and to see with whom they were communicating and when.
In January, the Home Office announced that it had fused two of its teams. One was to look at traditional interception such as phone tapping, and the other was to look at the interception of new technologies. The group is called the Communications Capabilities Directorate (CCD).
The SDSR shows that the CCD is being provided with resources, with the level of funding to be announced in the future, the Home Office spokeswoman said on Thursday.
Before the election in May, Conservative Party policy was to reduce government surveillance. In a position paper written in September 2009, called Reversing the rise of the surveillance state, then-shadow home secretary Dominic Grieve pledged to protect personal privacy.
Grieve said in the paper that an incoming Conservative government would set about "immediately submitting the Home Office's plans for the retention of — and access to — communications data to the Information Commissioner for pre-legislative scrutiny".
In September 2009, the Liberal Democrats said that the Conservatives' plans to cut back on surveillance of citizens were not stringent enough.
The Information Commissioner has not been consulted on any interception plans since the coalition government took power in May, according to a spokesman for the Information Commissioner's Office (ICO). The commissioner, Christopher Graham, is concerned that such plans may be disproportionate, he said.
"The Commissioner's... key concern is whether the case has been made for the project," said the spokesman for the UK privacy watchdog. "On the face of it, the proposal seems disproportionate when any perceived benefits that might be gained from retaining this data are set against the risks to privacy involved. He looks forward to meeting with officials at the Home Office to establish whether or not his concerns have been addressed."
Security and forensics expert Peter Sommer said that privacy is extremely difficult to maintain when capturing web communications.
"With analogue communications, you can separate out data [ie. who is speaking to whom] from intercept content," said Sommer. "If you start to capture a multiplicity of web protocols, you have to capture the whole stream before you separate out the details you are entitled to collect."
Police and the intelligence agencies have a system of self-authorisation when it comes to collecting communications-traffic data. However, they need to get authorisation from the Home Secretary if they want to look at the actual content of a communication.
One of the problems with intercepting web protocols is that you cannot tell what is traffic data and what is content before it is intercepted, said Sommer, which leads to the danger of self-authorisation by law enforcement agencies.
Government web-interception plans were likely to revolve around one of two scenarios, said Sommer, who is an observer at Eurim and on the advisory council for the Foundation for Information Policy Research think tank. In the first scenario, communications service providers could capture all traffic from all customers and hold it for a minimum of six months, against receiving a request from law enforcement. In the second scenario, data could be collected by the providers, siphoned off to a database run by GCHQ, and passed out to law enforcement according to specification.