Surveillance powers giving law enforcement agencies access to consumers' mobile phone and Internet data may be illegal, according to the information commissioner, Elizabeth France.
The powers, introduced by an upcoming provision of the controversial Regulation of Investigatory Powers Act (RIPA), passed two years ago, may violate human rights laws because of a loophole under which law enforcement agencies may access data that has been retained specifically for use in cases involving national security. The information commissioner warned the Home Office of this conflict in a legal opinion issued this week.
RIPA has long been attacked by privacy advocates and those who maintain that its provisions will prove to be a huge burden on Internet service providers (ISPs). A provision coming into force on Thursday will require ISPs to be able to intercept and store electronic communications including emails, faxes and Web surfing data, but the Home Office has not yet detailed how the companies involved will be reimbursed. ZDNet UK has also unveiled a glaring loophole in the provision that makes it much less effective in stopping organised crime.
The information commissioner's legal opinion, from Ben Emmerson QC, advised that RIPA's data access provision could break the law because of conflict with anti-terrorism legislation hurriedly introduced by the Home Office following last September's terrorist attacks on the World Trade Center. Under this legislation, businesses are directed to voluntarily retain data for longer than they ordinarily would for billing purposes, in case the data is needed for national security investigations.
The problem arises when data retained specifically for national security purposes is accessed under RIPA's broader powers, according to Emmerson.
"RIPA enables a wide variety of bodies to allow access to the data for a variety of purposes, not just national security, although it was retained for national security purposes," said a representative of the information commissioner.
There is a "significant risk" that any body accessing data under RIPA that is not related to national security could be breaking human rights law, according to a summary of the legal opinion.
The Office initially commissioned the report because of concerns about the data retention provisions of the anti-terrorism legislation, which Emmerson did not deem problematic in itself. However, the report could create more complications for the Home Office, which has already faced a public outcry over the data access provision of RIPA.
In June, the Home Office was compelled to withdraw a plan to extend RIPA's data access provisions to cover a wide range of bodies, from the National Health Service to local councils, after the move was widely condemned. The Home Office is now planning a consultation on the issue over the summer and autumn.
"This will be an opportunity to look at the issue from afresh, and hopefully to tighten it up," the representative of the information commissioner said. "It will probably require a change in the primary legislation, but whether the Home Office will go that far, I don't know."
A Home Office representative insisted that access to private data under RIPA "is lawful under the provisions of that Act... We are aware of the concerns that the information commissioner has, but at the moment it's laid down in law the reasons for which bodies can access data."
However, the Home Office allowed that the data access provision -- the last, along with the retention capabilities provision, to come into effect -- has caused "a lot of public concern" and will have to be examined during the upcoming consultation.
The consultation, for which a date has not yet been set, was intended only to examine whether the number of bodies covered by the act should be extended. However, "the purposes for which data can be accessed will also be addressed," the Home Office representative said.
Have your say instantly, and see what others have said. Go to the ZDNet news forum.
Let the editors know what you think in the Mailroom.