Briefing on Counter-Terrorism and Security Bill

Briefing on Counter-Terrorism and Security Bill (“the Bill”)

Introduction

  1. Open Rights Group is the UK’s most prominent voice defending freedom of expression and privacy on the Internet, with expertise gained from nine years of working on data retention issues.
  2. Clause 17 (retention of relevant internet data) and clause 21 (general duty on specified authorities) of the Bill have concerning digital rights implications. These clauses should be dropped. The oversight mechanism introduced under clause 36 (Privacy and Civil Liberties Board) is also inadequate.
  3. The Bill extends the scope of the Data Retention and Investigatory Powers Act 2014 (DRIPA). Service providers served with a retention notice under DRIPA will now be obliged to retain an additional type of communications data. This constitutes a further expansion of indiscriminate (as opposed to targeted) data retention, which has been found to be unlawful by the Court of Justice of the European Union. In essence, the provision represents the embedding and extension of a bad law that was rushed through Parliament without proper scrutiny.  
  4. Part 3 (data retention) should be removed from the Bill. The provisions are unlikely to be lawful on human rights and EU law grounds. DRIPA (which Part 3 of the Bill amends) is currently subject to judicial review. Part 3 will require significant expenditure on measures that may be found unlawful by the courts.
  5. Part 5 Chapter 1 (preventing people being drawn into terrorism) should also be removed from the Bill. The potential of the public authorities listed in the Bill to undertake surveillance of the population is huge. The Prevent programme has been very controversial and it is vital there is a distinction between civil institutions and policing. The clause places no restraint on the kinds of duties that could be imposed.
  6. The legislation is being rushed through on a fast-track timetable, as the government similarly rushed through the DRIPA legislation on an emergency timetable. The subject matter of this legislation deserves comprehensive parliamentary scrutiny.
  7. A detailed analysis is set out below.

    Part 3, Clause 17: retention of relevant internet data

  8. Clause 17 amends section 2(1) of DRIPA, which sets out definitions regarding the retention of communications data. It will allow the Secretary of State to require communications service providers to retain an additional category of communications data, namely data that will allow relevant authorities to link the unique attributes of a public Internet Protocol (IP) address to the person (or device) using it at any given time.[1]
  9. The clause introduces a new type of data that is to be retained, namely “relevant internet data”. This is defined as communications data that relates to an internet access service or an internet communications service[2] and which may be used to identify, or assist in identifying, the internet protocol address or other identifier which belongs to the sender or recipient of a communication.[3] The terms “internet access service” and “internet communications service” are also new. They are not defined in DRIPA, in the Regulation of Investigatory Powers Act (RIPA) or in this new Bill. The definition of relevant internet data excludes specific types of data under subsections 3(c)(i) and (ii) of clause 17.[4] Our understanding is that the excluded types of data include data relating to website use and to which programs are used, as well as routing data.
  10. According to the explanatory notes, the data to be retained “could include data required to identify the sender or recipient of a communication (which could be a person or a device), the time or duration of a communication, the type, method or pattern of a communication (e.g. the protocol used to send an email), the telecommunications system used or the location of such a telecommunications system that the person was communicating from.” The notes confirm that data necessary for the resolution of IP addresses could include port numbers or MAC (media access control) addresses. The notes state that web logs are specifically excluded under subsection 3(c).[5]
  11. Subsection (5) provides that the clause will be repealed on 31 December 2016. This is necessary because it is the date on which DRIPA expires.  
  12. This provision represents a further extension of indiscriminate data retention. The Court of Justice of the European Union (CJEU) ruled in Digital Rights Ireland[6] that the previous data retention regime was unlawful on the grounds that it breached Articles 7 and 8 of the EU Charter of Fundamental Rights (privacy and protection of personal data). Three months later the government rushed through legislation in the form of DRIPA that reinstated almost exactly the same data retention regime[7]. Tom Watson MP and David Davis MP are challenging the lawfulness of DRIPA by way of judicial review[8] and Open Rights Group has applied to make additional submissions in the case.
  13. The Bill seeks to further extend the amount of data that communications service providers are obliged to retain. The obligation will apply to the data of all users of providers served with a notice, without targeting or suspicion, as is the case for all data retention under DRIPA. This is contrary to the principle expressed by the CJEU that there should be a relationship between the data being retained and a threat to public security and, in particular, it should be restricted to a particular time period, a geographical zone, persons likely to be involved in a serious crime or persons who could contribute to the investigation of serious crimes.[9] This legislation would breach human rights (both under the European Convention on Human Rights and the Charter of Fundamental Rights) on the same grounds.
  14. Data retention legislation must also comply with EU data protection legislation in place before the Data Retention Directive (in particular the Data Protection Directive[10] and the E-Privacy Directive[11]). It is likely the legislation does not comply in light of the clear guidance from the CJEU regarding the permissible limits of data retention.
  15. The legislation will affect both mobile providers and ISPs. The effect on mobile providers served with a retention notice is that they will be required to record and retain data that they do not currently retain for business purposes. They will then have to provide the data to public authorities via access requests under RIPA. For ISPs served with a notice, which may already voluntarily retain some of this data, the legislation means they will be legally obliged to retain the data for a specified period and to provide it in response to RIPA requests.
  16. When combined with the traffic and location data already retained under DRIPA, IP address-linking data can be used to construct an extremely detailed and intrusive picture of individuals’ lives.

    Part 5, Chapter 1: Preventing people being drawn into terrorism

  17. Clause 21 creates a “general duty on specified authorities”. Subsection (1) provides that a specified authority (listed in Schedule 3) must, when exercising its functions, have due regard to the need to prevent people from being drawn into terrorism. The Bill does not include detail of the substance of the duty on public authorities. Clause 24 confers on the Secretary of State the power to issue guidance to specified authorities about the exercise of the duty. Schedule 3 sets out a long list of public authorities that are subject to the duty. These include councils, prisons, schools, universities, nursery schools, NHS Trusts and the police.
  18. The explanatory notes suggest that the purpose is to turn the government’s existing “Prevent” programme into a legal requirement. The notes state that Prevent aims to stop people becoming terrorists or supporting terrorism. It is stated that: “Prevent activity in local areas relies on the co-operation of many organisations to be effective. Currently, such co-operation is not consistent across Great Britain. In legislating, the Government’s policy intention is to make delivery of such activity a legal requirement for specified authorities and improve the standard of work on the Prevent programme across Great Britain.”[12]
  19. There is a lack of clarity around what the general duty will require in practice. In our view there is the potential for the duty to encourage monitoring of individuals by institutions, which could include workplace monitoring. We believe the Bill should make clear that the duty must not oblige public authorities to use information gathered electronically.

    Part 7, clause 36: Privacy and Civil Liberties Board

  20. The clause confers on the Secretary of State the power to establish by statutory instrument a Privacy and Civil Liberties Board. This body was promised in the announcement of the DRIP bill. Its function will be to assist persons appointed under specified terrorism legislation[13] in the discharge of their functions. These functions are carried out by the Independent Reviewer of Terrorism Legislation (currently David Anderson QC). The terms of reference previously published by the government suggest that the Board’s remit will not include oversight of the operation of RIPA or DRIPA.[14]
  21. Open Rights Group and the Don’t Spy On Us coalition are committed to increasing oversight of the security services and surveillance legislation. The creation of a Privacy and Civil Liberties Board is not even close to what is needed. Instead we need proper oversight through judicial authorisation of requests for both content and communications data. We also need a more transparent Investigatory Powers Tribunal and stronger and more independent parliamentary oversight by the Intelligence and Security Committee, the Intelligence Services Commissioner and Interception of Communications Commissioner.

    Other

  22. Many other elements of the Bill are of concern, whilst falling outside Open Rights Group’s digital rights remit. The use of temporary exclusion from the UK and of TPIMs is likely to raise further human rights and civil liberties concerns.

    Glossary

    Internet Protocol (IP) address: An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.

    MAC (media access control) address: A MAC (media access control) address is a quasi-unique identifier assigned to a network interface such as a wifi radio (which emits your wifi signal) or Ethernet card (which connects your computer to your local network). They are usually embedded in a physical device. They differ from IP addresses, which can be assigned and reassigned as devices enter or leave a network.

    Port number: In this context a port number can be used to help route traffic to specific devices on a local network where the devices are not directly connected to the Internet. This happens in workplaces and at home and similar techniques are used by mobile companies to route Internet traffic to individual phones.
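    The glossary entry above describes the situation the explanatory notes have in mind when they say that port numbers may be needed to resolve an IP address: where many devices or subscribers sit behind one shared public address, the public IP and a timestamp alone do not identify a single user. The following Python script is an added illustration, not part of this briefing and not code from any provider or authority; the address-translation log it reads, the subscriber identifiers and the log line format are all constructed for the example.

```python
"""Resolving a shared public IP address back to one subscriber.

Added illustration (not part of the briefing). Under address translation
several subscribers share one public IP at the same moment. This script
shows that a public IP plus a timestamp is ambiguous, and that the public
source port plus the exact timestamp is what narrows it to one record.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed translation log (not a real provider format):
#   "<timestamp> <open|close> <internal_id> <public_ip>:<public_port>"
# Three subscribers share public address 203.0.113.5; port 40001 is
# handed from sub-A to sub-B at 10:05, a normal case of port reuse.
NAT_LOG = """\
2014-11-26T10:00:00Z open  sub-A 203.0.113.5:40001
2014-11-26T10:00:00Z open  sub-C 203.0.113.5:40002
2014-11-26T10:05:00Z close sub-A 203.0.113.5:40001
2014-11-26T10:05:00Z open  sub-B 203.0.113.5:40001
2014-11-26T10:10:00Z close sub-B 203.0.113.5:40001
2014-11-26T10:10:00Z close sub-C 203.0.113.5:40002
"""


@dataclass(frozen=True)
class Session:
    internal_id: str            # subscriber or device behind the shared address
    public_ip: str
    public_port: int
    start: datetime
    end: Optional[datetime]     # None: still open when the log ends

    def active_at(self, at: datetime) -> bool:
        # Half-open interval [start, end): a port closed and reopened at the
        # same second belongs to the new session, not the old one.
        return self.start <= at and (self.end is None or at < self.end)


def parse_ts(text: str) -> datetime:
    """Parse the log's UTC timestamps into timezone-aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sessions(log: str) -> List[Session]:
    """Pair open/close events on the same (public_ip, port) into sessions."""
    open_sessions: Dict[Tuple[str, int], Tuple[str, datetime]] = {}
    sessions: List[Session] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, internal_id, endpoint = line.split()
        public_ip, port_text = endpoint.rsplit(":", 1)
        key = (public_ip, int(port_text))
        when = parse_ts(ts)
        if event == "open":
            if key in open_sessions:
                raise ValueError(f"{key} opened twice without a close at {ts}")
            open_sessions[key] = (internal_id, when)
        elif event == "close":
            who, start = open_sessions.pop(key)
            if who != internal_id:
                raise ValueError(f"{key} closed by {internal_id}, opened by {who}")
            sessions.append(Session(who, key[0], key[1], start, when))
        else:
            raise ValueError(f"unknown event {event!r}")
    # Anything still open at the end of the log is recorded as open-ended.
    for key, (internal_id, start) in open_sessions.items():
        sessions.append(Session(internal_id, key[0], key[1], start, None))
    return sessions


def subscribers_using_ip(sessions: List[Session], public_ip: str, at: datetime) -> List[str]:
    """Everyone behind this public IP at this instant, ignoring ports."""
    return sorted({s.internal_id for s in sessions if s.public_ip == public_ip and s.active_at(at)})


def resolve(sessions: List[Session], public_ip: str, public_port: int, at: datetime) -> Optional[str]:
    """Return the single subscriber behind (public_ip, public_port) at `at`, or None."""
    matches = {
        s.internal_id for s in sessions
        if s.public_ip == public_ip and s.public_port == public_port and s.active_at(at)
    }
    return matches.pop() if len(matches) == 1 else None


if __name__ == "__main__":
    sessions = build_sessions(NAT_LOG)
    at = parse_ts("2014-11-26T10:03:00Z")
    print("IP only:", subscribers_using_ip(sessions, "203.0.113.5", at))
    print("IP+port:", resolve(sessions, "203.0.113.5", 40001, at))
    print("IP+port, later:", resolve(sessions, "203.0.113.5", 40001, parse_ts("2014-11-26T10:07:00Z")))
```

Two points the script makes concrete. First, the retained record has to carry the port and a timestamp precise enough to separate consecutive users of the same port; the 10:05 hand-over shows a one-second ambiguity if the provider's clocks and the requesting authority's clocks are not in the same time zone or not synchronised. Second, the answer is only as good as the provider's own log, which is exactly the data that mobile providers, according to paragraph 15 above, do not currently keep for business purposes.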

    This briefing was edited on 28 November (addition of introduction and glossary).


[1] Explanatory notes, paragraph 122

[2] 17(3)(a)

[3] 17(3)(b)

[4] “(c) is not data which— (i) may be used to identify an internet communications service to which a communication is transmitted through an internet access service for the purpose of obtaining access to, or running, a computer file or computer program, and (ii) is generated or processed by a public telecommunications operator in the process of supplying the internet access service to the sender of the communication (whether or not a person)”

[5] Explanatory notes, paragraph 124

[7] The minimal improvements consisted of changing the retention period from 12 months to a maximum of 12 months and clarifying that, when data is accessed in the interests of the UK’s economic wellbeing, that interest must also be relevant to national security

[10] Article 13(1), Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Official Journal L.281, 23.11.1995 at pp.31-50), implemented in the UK by the Data Protection Act 1998

[11] Article 15(1), Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Official Journal L.201, 31.07.2002 at pp.37-47), implemented in the United Kingdom by the Privacy and Electronic Communications (EC Directive) Regulations 2003

[12] Explanatory notes, paragraph 201

[13] appointed under (a) section 36(1) of the Terrorism Act 2006, (b) section 31(1) of the Terrorist Asset-Freezing etc. Act 2010, and (c) section 20(1) of the Terrorism Prevention and Investigation Measures Act 2011