A Joint Select Committee is currently reviewing the Draft Communications Data Bill, also affectionately known as the Snoopers’ Charter. This Bill would compel “telecommunications operators” – everyone from your ISP to your mobile phone company to Royal Mail – to collect and share with the government certain data about your communications: who, where, when, how. There are, unsurprisingly, a number of privacy issues with this approach.
The Joint Select Committee is running a consultation, which you can access here. The deadline for written evidence is tomorrow, August 23rd. You can also submit a written response to the consultation through 38 Degrees, which is what I did. For reference (and reapplication if you want), my response, particularly to questions 2 and 3 of the consultation, is below.
My response to the Joint Committee Consultation on the Draft Communications Data Bill
2. Has the Government made a convincing case for the need for the new powers proposed in the draft Bill?
There are already extensive provisions under the Regulation of Investigatory Powers Act (RIPA). There is currently no convincing case for an extension of data gathering and surveillance powers as proposed in the Draft Communications Data Bill. The proposals are likely to generate vast amounts of additional data, and rather than looking for a needle in a haystack, the effect would be akin to adding more hay to the stack. This also increases the risk of “false positives” – flagging perfectly legitimate behaviours as suspicious, thereby turning us all into a nation of suspects. Rather than introducing the Communications Data Bill, the government should focus on tightening up RIPA, making it more transparent and limiting the number of often frivolous requests granted under that Act.
3. How do the proposals in the draft Bill fit within the wider landscape on intrusion into individuals’ privacy?
Both of the likely uses of the data generated under the Communications Data Bill are problematic from a privacy point of view:
Data mining: This is the practice of looking at the entire data set to spot suspicious behaviour patterns and proactively take steps to prevent an individual from doing something as a result. A possible action that could be taken as a result of data mining is, for instance, putting someone on a no-fly list. We are therefore likely to end up with law enforcement agencies making life-changing decisions about individuals on the basis of data which is likely to be inaccurate, generate false positives and which individuals will have very little or no access to in order to appeal and overturn such decisions.
Data filtering: This is the practice of tracing one individual’s activity through the entire data set. A remarkably detailed picture of an individual’s life can be generated from records such as who they have contacted by phone or email, what websites they have accessed or where they have been, based on location data from mobile phone networks. Simply by existing, this data set becomes a target for malicious activity by criminals, corrupt journalists or other parties not authorised to access the data. Rather than increasing our safety and security, this data set would expose us to additional risks.
Both data mining and data filtering at the scale proposed in the Draft Bill give the state unprecedented powers to invade individuals’ privacy. They extend well beyond the sphere of digital communications and into our physical day-to-day lives. There are also additional concerns over the extent of the intrusion into content of communications, as well as potential future secondary uses of the data set.
Intrusion into communication content: While the Draft Bill is intended to only track headline communications data (who, where, how, when) rather than content, the proposed implementation would potentially give access to communication content. For instance, in the case of data on which websites an individual has visited, content is implicitly included in this information. Remarkably accurate conclusions about content may also be made by putting together different pieces of information from the data set, e.g. if an individual looked up medical terms on the Internet and then went to see their GP.
Secondary uses: We have seen a number of cases where data sets collected by companies or governments for one purpose have later been used for other purposes without gaining consent from individuals. A recent example comes from Germany where the government is in the process of legalising the sale of citizens’ data acquired through the mandatory registration programme to private companies for marketing purposes on an opt-out rather than opt-in basis. Therefore invasion of privacy is unlikely to remain limited to the state and law enforcement agencies.