On Twitter: @JamesFirth and @s_r_o_c (post feed)

Got a tip? tip@sroc.eu

Wednesday, 4 April 2012

Confusion over warrants, surveillance powers and the intrusiveness of traffic data

Since I wrote a post explaining how the Government's draft surveillance plans had the effect of downgrading what traditionally would be classed as intrusive interception to a lesser category of access to traffic data - which has far fewer safeguards - a few people have written to me asking about the issue of warrants.

As it stands today a local authority, police force or government intelligence agency does not need a warrant to access traffic data, whereas access to the content of electronic communications - interception - requires an interception warrant, each ultimately authorised personally by the Secretary of State.

The use of interception warrants is overseen by the secretive Interception of Communications Commissioner (ICC) whereas traffic data is regulated as personal data by the Information Commissioners Office (ICO).

Confusion over warrants for access to traffic data arises perhaps because of the coalition's much-vaunted Protection of Freedoms Bill, which will require a judicial warrant for many requests for traffic data.

The Protection of Freedoms Bill is still ping-ponging between the Lords and the Commons so it's still not absolutely clear when a warrant will be required, but it's pretty certain that Local Authorities will have to approach a magistrate for approval.

But this won't solve a fundamental problem in that RIPA, the law governing the state use of surveillance, was written for an analogue era; despite being enacted a good 8 years after the world wide web took off.

As I expressed in another post, drawing analogies between traffic data from a telephone network and data milked from an internet connection undermines a step-change in sensitivity caused by the way we use modern communications today.

Traffic data - which includes the websites we visit - can give a good indication of:
  • Our religion, if we visit church websites
  • Our political views, by virtue of the newspapers we read
  • Our sexual preferences
  • Our taste in popular culture, films, music, theatre etc
  • Our location at most times, day or night
  • Whether we are politically active, or members of a campaign group
  • Where we work
Additionally, a key measure of the intrusiveness of traffic data has its origins in the data being already available, compiled as a necessary part of running a telephone network (billing data).

The Data Retention Directive, by requiring designated ISPs to store data it would otherwise discard, already moves away from this concept.  A method which requires additional steps or measures in order to capture data is inherently more intrusive than passive access to data already available.

The latest government plans take this one stage further, introducing the possibility that additional hardware and/or computer software will be added to networks to gather this so-called traffic data.  

This should be taken as a strong indication that we are no-longer talking about traffic data, as traffic data is information required for getting data from point A to point B.  Such information is always placed in the easily-accessible header section of all communications packets and specialised equipment is not needed to extract this.

When we start talking about what is to all intents and purposes a network tap dressed up as a tool to access some bastardised concept of traffic data it's time to wake up and realise the underlying law - RIPA - is not fit for the internet age.

We need new definitions for what is intrusive for online surveillance.

And to get there we need an open, honest and adult debate about what represents an acceptable balance between security and privacy in communications.

Safeguards will form part of this balance, and we need to ensure the level of oversight and protection is in each case appropriate to the intrusiveness of any given method of monitoring.

Yes I respect and admire the work of security services and police but that doesn't mean the state gets carte blanche. There has to be some give - some let-up in the secrecy for there to be a public debate about what is necessary and proportionate.

After all, public trust and confidence in the work of the security forces is a bigger asset, even, than the ability to monitor all electronic communications.  A consensual approach makes society stronger and inherently stable.

Related: Privacy initiatives as an enabler for cyber security


Bootnote: It has been pointed out that access to traffic data stored under the Data Retention Directive has been made available to civil litigants under a Norwich Pharmacal Order.  Again this needs to be looked at:- if we introduce measures for the sole purpose of preventing serious crime and securing the nation we must also introduce robust safeguards to prevent the measures then being used for far lesser infringements.

1 comment:

  1. "Confusion over warrants for access to traffic data arises perhaps because of the coalition's much-vaunted Protection of Freedoms Bill, which will require a judicial warrant for many requests for traffic data"

    Perhaps that's the cause, though the confused I've seen have made no reference to it. But it ain't *that* many. The bill would subject only local authorities to an independent warrant procedure, and ALL Local authority RIPA requests covered by the Surveillance Commissioner (so including bugging, secret filming, and following people around for example, as well as comms data requests) amount to about 12,000 a year. No more than 6% of the total.


Comments will be accepted so long as they're on-topic, do not include gratuitous language and do not include personal attacks or libellous assertions.

Comments are the views of the commentator and not necessarily the view of the blog owner.

Comments on newer posts are not normally pre-moderated and the blog owner cannot be held responsible for comments made by 3rd parties.

Requests for comment removal will be considered via the Contact section (above) or email to editorial@slightlyrightofcentre.com.