The events of 11 September provoked a new urgency in the need for powers that would allow law enforcement officers to retain traffic data for anti-terrorist investigations. Within a matter of weeks, the privacy rights of British citizens had been hugely compromised by emergency legislation, which allowed the automated surveillance of all electronic communications.
Now at the start of 2002, British surveillance laws are at risk of infringing what are seen by some as basic human rights. Huge demands have been placed on Internet Service Providers (ISPs) to stockpile traffic data on customers under the new Anti-Terrorism, Crime and Security Bill (ATCS), and the Information Commissioner has characterised the requirements as "disproportionate general surveillance".
Traffic data collected under the voluntary Code of Practice within the ATCS would provide a "complete map of a person's private life" according to the Foundation for Information Policy Research (FIRP). Records will include an individual's geographical location determined through their mobile phone, the sender and recipient information from emails, a complete log of a person's Internet sessions including their IP address, and the address of all Web sites visited.
The Data Protection Act 1998 states that a communications provider must only retain traffic data for the length of time necessary for legitimate billing purposes. But contained within the Act is a provision for cases of national security, where personal data may be stored for longer periods of time in order to assist in the prevention or detection of crime.
In her scrutiny of the ATCS, Elizabeth France, information commissioner, warned that the Act might pose difficulties for data protection and human rights compliance. "Although recent events have prompted these measures to be brought forward," she said, "law enforcement agencies will make use of them on a day-to-day basis for a variety of matters. Careful consideration must be given to ensure that the provisions are appropriate to addressing these more routine needs."
Before the publication of ATCS, the home secretary, David Blunkett, stated that traffic data obtained under the new arrangements would be used "strictly in the case of a criminal investigation against suspected terrorists." This promise was broken within the Act's report stage, when part 11 endorsed the stockpiling of traffic data for minor criminal investigations. But Blunkett u-turned his decision a matter of hours before the Act received royal assent, and accepted a proposal tabled by the Liberal Democrats to separate out data that is relevant to terrorists, as opposed to organised criminals. The Code of Practice now makes the ambiguous requirement that in order for surveillance powers to apply, the investigation must relate "directly or indirectly to national security."
Data retention powers included in ATCS will be regulated under the terms of the Regulation of Investigatory Powers Act (RIPA). This Act allows access to traffic data for broader reasons than national security, including public order, minor crime, health and safety and tax. Any ISP can be required to install a "black box" capable of relaying intercepts back to a central monitoring facility at MI5. Content and traffic data can be directly collected by the black boxes, without the need for a content warrant or traffic notice on the ISP. A superintendent is able to request access to all traffic data stored by an ISP, and a single interception officer has sole responsibility for overseeing all interceptions conducted under RIPA.
Chapter II of Part I of RIPA, which makes it possible for law enforcement to access traffic data without a court order is still to come into force. The Home Office has set no date for its passage, but hopes that it will become law "shortly".
Have your say instantly, and see what others have said. Go to the ZDNet news forum.
Let the editors know what you think in the Mailroom.