The government published the Draft Communications Data Bill today. As always, I recommend you read it before reading my comments, although you have to beware of the way it’s formatted – it’s designed for printing, with notes on the left-hand pages and the Bill on the right, so when viewed sequentially as a PDF it’s a bit awkward as you alternate between notes and content.
The first thing that has to be said is that it’s nowhere near as bad as some of the proposals which came out of the previous government. And that’s not just me being partisan; I’m quite happy to criticise those on my own side of the fence when I feel they deserve it. I don’t have any problem at all with the basic premise that the police and security services need to have a legal framework which gives them the same access to newer forms of communication, such as email and online chat, as they already have to telephone data. And this Bill makes a fair stab at doing that.
Having said that, it’s by no means perfect. There are three big issues with it, as far as I can see.
The first is that the authors of the Bill really don’t seem to appreciate that with electronic communications, there is no simple boundary between “data” and “content”. With a telephone call it’s quite easy to see that the data which says that person A called person B at such a time on such a date is separate from a recording of what they actually said in the course of that call. It’s equally obvious that you can see where a letter is posted to without having to open it. But with Internet traffic, that’s not the case. Instead, it’s more like an onion, with multiple layers all wrapped around each other. And the point at which the layers separate into “data” and “content”, to use the terminology of the draft Bill, isn’t always the same each time, or even consistent between requests of the same nature. To take an example, I would expect that the body of a web page is “content” and the HTTP request which causes it to be sent is “data”. But what about the other headers sent with a web page that only my browser gets to see and doesn’t display to me? What about data that I send – if a simple GET request is data, then what about GET form variables? What about POST variables, or cookie data? Does the content of an email include the Received headers? What about multipart/alternative boundaries? What about RFC1701 encapsulated messages?
These are all questions that will need to be answered, by the courts if not by the legislators, before we can have a meaningful understanding of the limits of this Bill. That’s not a showstopper as far as the law is concerned, because a lot of it can, if necessary, be worked out in case law. But the big risk in that is that the ambiguity will result in unintended consequences when judges interpret the law differently from how the authors expected.
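To make the onion metaphor concrete, here is an added example, not part of the original post or of the draft Bill, that peels one constructed HTTP request into its layers and lists the fields outside the message body that nonetheless carry text the user typed. The request, the host name and every value in it are made up for illustration.

```python
"""Added illustration: split a constructed HTTP request into layers and
show that 'data' layers (request line, headers) still carry user content."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample request; host, cookie and form values are invented.
SAMPLE_REQUEST = (
    "POST /search?q=symptoms+of+depression HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Cookie: session=abc123; lang=en\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
    "message=meet+me+at+noon"
)

FORM = "application/x-www-form-urlencoded"


def peel_request(raw: str) -> dict:
    """Return the request split into request line, URL parts, headers,
    cookies and (decoded, if it is a form) body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    cookies = SimpleCookie(headers.get("cookie", ""))
    return {
        "method": method,
        "path": url.path,
        "query": parse_qs(url.query),          # GET form variables
        "headers": headers,
        "cookies": {k: m.value for k, m in cookies.items()},
        "body": parse_qs(body) if headers.get("content-type") == FORM else body,
    }


def user_supplied_fields(layers: dict) -> list:
    """Name every (layer, field) pair whose value originated with the user.
    Only 'body' is unambiguously content; the rest sit in the 'data' layers."""
    found = [("query", k) for k in layers["query"]]
    found += [("cookie", k) for k in layers["cookies"]]
    if isinstance(layers["body"], dict):
        found += [("body", k) for k in layers["body"]]
    return found
```

Dropping the body still leaves the search term in the query string and the identifiers in the cookie, which is the ambiguity the paragraph describes.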
(Oh, and by the way, if I’ve lost you already and you don’t understand what on earth I’m on about, then consider the fact that many of the Bill’s authors are in the same position. That’s part of the problem).
The second is the potential for the government to insist that ISPs install specified equipment on their networks. If I ran an ISP, this would be the part that most concerns me, because it would mean that I’d have to accept equipment on my network that I can’t control and that could potentially have an impact on the service I provide to customers. Presumably the government will also want these boxes to be able to communicate with their own servers, which means a whopping big hole on the firewall. There are also other regulatory issues; I can’t see how a payment processing system whose traffic can be monitored by one of these boxes can possibly be PCI-DSS compliant.
The last issue, though, is one which appears to me to be simply a huge political clanger. In a seeming attempt to placate those who object to RIPA on the grounds that too many different organisations can use it to access data, the proposals here are that the list of authorised users will be very small. I think most people would agree that it’s a good thing that county councils, for example, can’t access the data. But some of the other exclusions seem more strange. Among them, for example, is the Serious Fraud Office. It seems to me that combatting serious fraud is one of the few things that ought to justify this kind of intrusion, and the fact that it isn’t considered important is a bit odd.
On the other hand, one of the few organisations with access is HMRC. OK, so HMRC does have a role in combatting crime as well, but – unlike the SFO – that’s not its primary purpose. So why should it have privileged access to the data while crime-fighting organisations don’t?
That’s bad, for two reasons. For a start, it gives the impression that, rather than gaining new powers to deal with serious crime, the government is more interested in tracking down small-time traders who have failed to declare all their earnings to the taxman. But it also undermines the justification for the Bill itself, since if it isn’t necessary in order to investigate serious fraud then it’s hard to make a case for it being necessary to investigate any other crime.