UK's Web monitoring draft bill revealed: What you need to know

Summary: The draft "Communications Data Bill" will expand the U.K. government's Web, email, and call monitoring powers. Here's everything you need to know -- and more.

The United Kingdom could soon become a "surveillance superpower" --- more so than it already is --- following today's publication of the draft Communications Data Bill by the U.K. government.

HM the Queen outlined the plan in her annual speech to the U.K. Parliament in May. The plan to monitor data associated with all Web, email and call activity, and give the U.K. intelligence agencies "near-realtime" access, has been met with extreme criticism from privacy advocacy groups and ordinary citizens alike.

Here's everything you need to know.

Nutshell this one for me: What is the bill going to do?

The U.K. government wants the police, intelligence services and other government departments to have access to data relating to citizens' Web, email and phone traffic in a bid to prevent terrorism and disrupt major crime.

It would see every shred of "communication data" collected and stored by ISPs and phone companies which could then be accessed in near-realtime speed by U.K. authorities.

OK, so that wouldn't fit in a single tweet, but we're off to a good start.

What is "communication data"?

Basically, it's all the details about everything that's sent and received online --- rather than the actual contents of the data.

Say you send an email to John Smith. Your name will be recorded, John Smith's name will be recorded, the IP addresses and the timestamp of the email being sent and received will be collected. This is "communication data".

If you visit a website, that domain name will be logged along with the IP address, and the date and time data will be collected. Pages within sites will not be logged.

The "contents" of communication data is still under lock and key and can only be accessed by the usual judicial requests --- such as a court order or a search warrant signed by the Home Secretary. The next question explains all.

So, the U.K. government can access my Web activity, emails, and calls?

No, just the details of Web activity, emails, and calls --- rather than the contents of emails and phone call recordings.

(That said, the contents have always been available to the authorities. The way police and intelligence services access the contents of the data will remain vastly unchanged.)

Of course, this means data relating to Web searches, email and phone call traffic --- including landlines and mobile phone calls. But it also includes social media messages and data, Web email, voicemail messages, and Voice-over-IP (VoIP) calls, such as Skype and Google Talk. Gaming websites and instant messaging services will also be monitored.

How the U.K. government will access Skype calls is beyond me. As far as I'm aware, because of the peer-to-peer nature of the system, it's close to impossible to eavesdrop. Authorities who want to access the data will have to ask Microsoft, which now owns Skype. That opens up a whole other can of worms.

U.K. Home Secretary Theresa May told the BBC: "It's not about the content, it's not about reading people's emails or listening to their telephone calls. This is purely about the who, when and where made these communications and it's about ensuring we catch criminals and stop terrorists."

How long will the communication data be stored for?

ISPs and phone companies will continue to hold the data for a period of up to 12 months. This keeps the proposed law in line with the E.U. Data Retention Directive.

And where will all this data be stored? A new "government database"?

Not quite. ISPs and phone companies already collect most data, such as Web traffic, email traffic and call logs --- even details of text messages and voicemails. But this is out of the government's control unless a judicial request --- such as a search warrant from the Home Secretary --- is presented to ISPs or phone companies.

The previous Labour government had plans to centralise all U.K. Internet data in one place, but the plans were scrapped. May said there were "no plans" to resurrect the idea.

The danger is that with a series of decentralised databases with single points of access --- and given the ability for police to self-authorise access to the "communication data" --- the effect could be effectively the same as a centralised database.

ISPs and phone companies will retain hold of the data. It will stay in their respective, secure and non-government controlled datacenters.

Who will have access to the data?

There are four bodies who will have access to the data. The police is an obvious one. The second is the U.K. intelligence services --- including domestic service MI5, foreign service MI6 (SIS), and the electronic eavesdropping service GCHQ.

The Serious Organised Crime Agency (SOCA) will also have access to the data in a bid to prevent serious crime. Also, HM Revenue and Customs (HMRC) --- the U.K.'s tax authority --- will have access to such communication data.

Do police need a warrant for this communication data?

A warrant is required to access the content of communications, but access to communications data does not require a warrant. A senior police officer would have to authorise access to the communications data, however.

“The new bill will set out what the police would be able to do --- they will not be able to access content,” May said. “It requires senior officers authorising this, they can only do this when investigating a criminal and when it is necessary and proportionate,” May said.

Who currently has access to communication data?

ISPs and phone companies of course. But they can't access it unless they are presented with a court order or a search warrant.

Local authorities account for less than 0.5 percent of total annual RIPA requests for communication data. This means that only those with extremely high national security clearance --- such as police officers and even higher, the intelligence services --- can access this highly-sensitive personal data.

At least, on the bright side, though more data is being collected, fewer people can access it.

How do I know the police et al will not access more data than they should?

May said: "The technology will ensure that any extraneous data is filtered out so that the police, or whoever is asking, only get what they are asking for."

This comes under the "reasonable safeguards" element to the E.U.'s concerns. Databases of highly-sensitive personal data, such as the Police National Computer (PNC) and GENESIS, for example, are heavily audited and monitored to ensure staff and vetted officials are not accessing their friends' or family's records.

What's the reasoning behind the bill? Terrorism? Sex offenders? Dare I say it: anti-piracy?

All of the above, though less so on the anti-piracy front.

Theresa May said “ordinary people” had nothing to fear from the proposed law.

"Such data has been used in every security service terrorism investigation and 95 per cent of serious organised crime investigations over the last ten years,” she said. "Only suspected terrorists, paedophiles or serious criminals will be investigated."

The trouble is: even terrorists are "ordinary people" until they are charged with a crime under British law. This middle ground between being "suspected" of something and actually being arrested and charged with a crime could leave U.K. citizens in legal purgatory.

I've heard a lot about SOPA and PIPA. Is this the same thing?

Not really. This bill does not really dive into the anti-piracy movement. However, the U.K. government "has an app for that," more so in the Digital Economy Act 2010. But that's a whole separate piece of legislation, and as of the time of writing is not 'active'.

Having said that, the U.K. judiciary kicked off the proceedings with the Newzbin2 case. It forced telecoms giant BT to block access to the file-sharing site. A few months later, The Pirate Bay was blocked by a U.K. court order to more than 20 million British citizens.

Does this mean that foreign data could also be collected if it was sent to a U.K. recipient?

Yes. At this point, it does not appear that the U.K. draft bill can access foreign data on foreign soil. However, the implications could be that a U.K.-based company could see a government data request but find the data is stored at a foreign datacenter in Europe.

Also, if a foreign citizen emails a U.K. citizen, it's possible that the sender's communications data may also be subject to access requests. This one needs to be explored in more detail. Amendments to the U.K. draft bill are expected, so this may not be set in stone.

How much is this costing the U.K. taxpayer for the 'privilege' of being spied upon?

The U.K. government says it will spend £1.8 billion ($2.8bn) once the bill passes through Parliament. Critics say it could cost as much as £2 billion ($3.1bn). It's a good job we're not in a double dip recession. Oh, wait.

Having said that, the government was quick to say it could get back between £5--£6.2 billion ($7.7--$9.6bn) in reducing tax fraud and seizing assets from criminals under the Proceeds of Crime Act 2012.

Image credit: Wikimedia Commons, CC.


Talkback

6 comments
  • Cannot trust the police and government with our data.

    What is good for the goose is good for the gander. May we have access to all government and police communications as well? We need to protect ourselves from them as they must protect themselves from us.

    It is sad the government and police do not follow the laws they are sworn to uphold. With the capture of our communications how can we trust them?
    BubbaJones_
  • Just plain dumb.

    This is a dumb law: it's only going to catch the stupid and incompetent (who would presumably be caught anyway) and at the cost of the privacy and freedom of an entire country. Utterly stupid.

    For a start, the system is easily defeated by Tor.

    Tor isn't known to be compromised and will provide good privacy in cases like this and if sender and recipient are in different countries (sane ones that don't have this sort of legislation) I'm probably going to be reasonably immune to statistical traffic analysis. So my communications data is safe: sender and recipient are hidden and contents are obscured but because of this law, my usage of Tor is immediately visible therefore I must have something to hide and so I'm immediately a suspect. Even though I just want to browse the web on my Landlord's wifi without him snooping on me. Am I now a potential suspect or deviant in the eyes of the government?

    Moreover, criminals who were operating in relative openness are now going to take far more care over their privacy. They'll start going underground. How do you catch them then?

    Idiocy.

    I've just signed this http://epetitions.direct.gov.uk/petitions/32400 not that anyone's likely to take much notice...

    There's a slight irony that the act has been introduced by the very same government that introduced tough new laws on cookies and data retention by corporations.
    LettuceLeaf
  • Note to Labour

    If you want to oust, or at least severely embarrass the current Tory-led government, opposition to this bill is a good place to start, particularly since I can't imagine that the LDP ministers and MPs are terribly comfortable with it.
    John L. Ries
  • UK with some level of censorship.

    From what I recall in reading other news articles, United Kingdom is one of the few Western countries with strong control on their internet and censorship. Now the citizens may need to monitor more what the government can access. They may tell them that "reasonable filters" are in place in order to protect some citizens' privacy. But in all matters, things can always go very terribly wrong and no system of this large scale and caliber is not perfect. I understand why the U.K. government is trying to do in getting citizens information to prevent crime, but this area is a very gray and slippery slope. Once someone starts in this path, there is very little to turn away from taking total control over personal information. Citizens have a right to protest peacefully to protect their privacy rights and government has the monumental responsibility to ensure that those rights are not violated. The good news is that the article informs the information of what the government will have access to and what information can be revealed to the public. The citizens should probably continue to monitor and show concern with the accessibility the government is going to have during the passage of the bill. Absolute power corrupts absolutely.
    wongcj
  • VPN

    I foresee a lot of (foreign) VPNs doing well out of this - especially anonymiser VPNs.
    JeremyBoden
  • CAMEL

    Just let my nose into the tent a little. That's all. Just a bit.
    rdbrewer