Friday, 11 February 2011

Surveillance: Celebrating a step in the right direction

While our thoughts today are rightly focussed on the historic changes that are taking place in Egypt, we should not take our eye off the changes that are being planned for our own society, too. So, while what I’m blogging about today can’t possibly be described as a giant leap for mankind, at least it’s an opportunity to celebrate a step in the right direction.

What am I on about?

I’m referring to a proposal that is contained on page 29 of that recently published document containing the findings and recommendations of the Home Secretary’s review of her most sensitive and controversial counter terrorism and security powers.

This is the bit of the review which discusses the thorny issue of access to communications data, and in particular whether all public authorities should use RIPA as the vehicle to compel communication and internet service providers to hand over their customer records.

The review points out that RIPA ensures that the acquisition and handling of communications data is consistent with the European Convention on Human Rights (ECHR). RIPA specifically requires the applicant for data to demonstrate that any intrusion into individuals’ privacy is necessary and proportionate. This RIPA regime is used extensively by public authorities in the UK. Although RIPA is the principal legal framework under which communications data is acquired from CSPs, it may also be acquired by various public authorities under many other regimes, including the Social Security Fraud Act 2001 (SSFA) and the Financial Services and Markets Act 2000 (FSMA). These, and other general information-gathering powers, are not specific to communications data. Most were not designed with communications data in mind and they contain fewer safeguards for its acquisition.

This point was made with some force when the communication and internet service providers commented on the RIPA regime, back in the summer of 2009. Some of the providers focussed on the powers that the Department of Work and Pensions used, pointing out the consequences of of using the SSFA rather than the RIPA route:

• They had not had an opportunity to provide any initial or refresher training to competent DWP investigators on the range of information that is available from providers, or to advise how maximum value can be derived from their records (unlike the training currently given to potential and accredited Single Point of Contact (“SPOC”) Officers).
• They found it hard to check the authenticity of all DWP investigators, (the Home Office has a RIPA website which has an up-to-date list of accredited SPOC Officers).
• They had not provided any statistics to the DWP to enable them to confirm that all of the requests received had actually been sent from DWP investigators.
• They had not been involved in any of the oversight mechanisms that the DWP might have put in place to mirror the oversight functions of the Interception of Communications Commissioner (whose annual visits to providers were greatly appreciated, as providers could brief him on trends which had been detected). Providers were not even sure whether an equivalent oversight function exists within the DWP.
• Providers were not able to recover any costs that were incurred in dealing with these requests.
• Providers were also not sure how many other Authorities would follow the DWP’s example and remove themselves from the RIPA regime should they also elect to exercise any concurrent powers that may be conferred on their investigators to acquire “any information” in the future.

Well, commeth the review, cometh the recommendation. The Home Office has recommended that:

• Government departments, agencies, regulatory authorities and CSPs should be consulted to establish the range of non-RIPA legislative frameworks by which communications data can in principle be acquired from CSPs, and for what purposes.
• These legal frameworks should then be streamlined to ensure that as far as possible RIPA is the only mechanism by which communications data can be acquired.


Time to break open our bottles of Egyptian champagne, and to go and celebrate with the masses.