UK's Web monitoring draft bill revealed: What you need to know

The draft "Communications Data Bill" will expand the U.K. government's Web, email, and call monitoring powers. Here's everything you need to know -- and more.
Written by Zack Whittaker, Contributor

The United Kingdom could soon become a "surveillance superpower" --- more so than it already is --- following today's publication of the draft Communications Data Bill by the U.K. government.


HM the Queen outlined the plan in her annual speech to the U.K. Parliament in May. The plan to monitor data associated with all Web, email and call activity, and give the U.K. intelligence agencies "near-realtime" access, has been met with extreme criticism from privacy advocacy groups and ordinary citizens alike.

Here's everything you need to know.

Nutshell this one for me: What is the bill going to do?

The U.K. government wants the police, intelligence services and other government departments to have access to data relating to citizens' Web, email and phone traffic in a bid to prevent terrorism and disrupt major crime.

It would see every shred of "communication data" collected and stored by ISPs and phone companies which could then be accessed in near-realtime speed by U.K. authorities.

OK, so that wouldn't fit in a single tweet, but we're off to a good start.

What is "communication data"?

Basically, it's all the details about everything that's sent and received online --- rather than the actual contents of the data.

Say you send an email to John Smith. Your name will be recorded, John Smith's name will be recorded, the IP addresses and the timestamp of the email being sent and received will be collected. This is "communication data".

If you visit a website, that domain name will be logged along with the IP address, and the date and time data will be collected. Pages within sites will not be logged.

The "contents" of communication data are still under lock and key and can only be accessed by the usual judicial requests --- such as a court order or a search warrant signed by the Home Secretary. The next question explains all.

So, the U.K. government can access my Web activity, emails, and calls?

No, just the details of Web activity, emails, and calls --- rather than the contents of emails and phone call recordings.

(That said, the contents have always been available to the authorities. The way police and intelligence services access the contents of the data will remain largely unchanged.)

Of course, this means data relating to Web searches, email and phone call traffic --- including landlines and mobile phone calls. But it also includes social media messages and data, Web email, voicemail messages, and Voice-over-IP (VoIP) calls, such as Skype and Google Talk. Gaming websites and instant messaging services will also be monitored.

How the U.K. government will access Skype calls is beyond me. As far as I'm aware, because of the peer-to-peer nature of the system, it's close to impossible to eavesdrop. Authorities who want to access the data will have to ask Microsoft, which now owns Skype. That opens up a whole other can of worms.

U.K. Home Secretary Theresa May told the BBC: "It's not about the content, it's not about reading people's emails or listening to their telephone calls. This is purely about the who, when and where made these communications and it's about ensuring we catch criminals and stop terrorists."

How long will the communication data be stored for?

ISPs and phone companies will continue to hold the data for a period of up to 12 months. This keeps the proposed law in line with the E.U. Data Retention Directive.

And where will all this data be stored? A new "government database"?

Not quite. ISPs and phone companies already collect most data, such as Web traffic, email traffic and call logs --- even details of text messages and voicemails. But this is out of the government's control unless a judicial request --- such as a search warrant from the Home Secretary --- is presented to ISPs or phone companies.

The previous Labour government had plans to centralise all U.K. Internet data in one place, but the plans were scrapped. May said there were "no plans" to resurrect the idea.

The danger is that with a series of decentralised databases with single points of access --- and given the ability for police to self-authorise access to the "communication data" --- the effect could be effectively the same as a centralised database.

ISPs and phone companies will retain hold of the data. It will stay in their respective, secure and non-government controlled datacenters.

Who will have access to the data?

There are four bodies who will have access to the data. The police is an obvious one. The second is the U.K. intelligence services --- including domestic service MI5, foreign service MI6 (SIS), and the electronic eavesdropping service GCHQ.

The Serious Organised Crime Agency (SOCA) will also have access to the data in a bid to prevent serious crime. Also, HM Revenue and Customs (HMRC) --- the U.K.'s tax authority --- will have access to such communication data.

Do police need a warrant for this communication data?

A warrant is required to access the content of communications, but access to communications data does not require a warrant. A senior police officer would have to authorise access to the communications data, however.

"The new bill will set out what the police would be able to do --- they will not be able to access content," May said. "It requires senior officers authorising this, they can only do this when investigating a criminal and when it is necessary and proportionate," she added.

Who currently has access to communication data?

ISPs and phone companies of course. But they can't access it unless they are presented with a court order or a search warrant.

Local authorities account for less than 0.5 percent of total annual RIPA requests for communication data. This means that only those with extremely high national security clearance --- such as police officers and even higher, the intelligence services --- can access this highly-sensitive personal data.

At least, on the bright side, though more data is being collected, fewer people can access it.

How do I know the police et al will not access more data than they should?

May said: "The technology will ensure that any extraneous data is filtered out so that the police, or whoever is asking, only get what they are asking for."

This comes under the "reasonable safeguards" element to the E.U.'s concerns. Databases of highly-sensitive personal data, such as the Police National Computer (PNC) and GENESIS, for example, are heavily audited and monitored to ensure staff and vetted officials are not accessing their friends' or family's records.

What's the reasoning behind the bill? Terrorism? Sex offenders? Dare I say it: anti-piracy?

All of the above, though less so on the anti-piracy front.

Theresa May said "ordinary people" had nothing to fear from the proposed law.

"Such data has been used in every security service terrorism investigation and 95 per cent of serious organised crime investigations over the last ten years," she said. "Only suspected terrorists, paedophiles or serious criminals will be investigated."

The trouble is: even terrorists are "ordinary people" until they are charged with a crime under British law. This middle ground between being "suspected" of something and actually being arrested and charged with a crime could leave U.K. citizens in legal purgatory.

I've heard a lot about SOPA and PIPA. Is this the same thing?

Not really. This bill does not really dive into the anti-piracy movement. However, the U.K. government "has an app for that," more so in the Digital Economy Act 2010. But that's a whole separate piece of legislation, and as of the time of writing is not 'active'.

Having said that, the U.K. judiciary kicked off the proceedings with the Newzbin2 case. It forced telecoms giant BT to block access to the file-sharing site. A few months later, The Pirate Bay was blocked by a U.K. court order to more than 20 million British citizens.

Does this mean that foreign data could also be collected if it was sent to a U.K. recipient?

Yes. At this point, it does not appear that the U.K. draft bill can access foreign data on foreign soil. However, the implications could be that a U.K.-based company could see a government data request but find the data is stored at a foreign datacenter in Europe.

Also, if a foreign citizen emails a U.K. citizen, it's possible that the sender's communications data may also be subject to access requests. This one needs to be explored in more detail. Amendments to the U.K. draft bill are expected, so this may not be set in stone.

How much is this costing the U.K. taxpayer for the 'privilege' of being spied upon?

The U.K. government says it will spend £1.8 billion ($2.8bn) once the bill passes through Parliament. Critics say it could cost as much as £2 billion ($3.1bn). It's a good job we're not in a double dip recession. Oh, wait.

Having said that, the government was quick to say it could get back between £5--£6.2 billion ($7.7--$9.6bn) in reducing tax fraud and seizing assets from criminals under the Proceeds of Crime Act 2012.

Image credit: Wikimedia Commons, CC.
