Communications services providers face huge technical
and liability problems in complying withproposalsto upgrade the UK's capacity
to eavesdrop on the internet, a parliamentary committee heard this
morning.
The government is consulting on how to track suspected
law-breakers in cyberspace. Its proposals for an
Interception Modernisation Programme (IMP) have been scaled
back since they first emerged, but law enforcement officers are
adamant that they need access to communications data.
The government proposes that communications services providers
(CSPs) such as telecoms companies and internet service providers
(ISPs) should collect and store information that may be helpful to
the police.
The All Party
Parliamentary Group on Privacy, which was formed three months
ago and is chaired by Edward Garnier MP, is looking into the
privacy and cost implications of the IMP.
Tim Hayward, the Home Office official in charge of IMP, and Jim
Gamble, the chief police officer who heads the
Child Exploitation and Online
Protection Centre, said the programme is essential to maintain
the state's ability to track and trace criminals and their
associates.
Hayward said communications data had been material to 95% of
investigations by the Serious Organised Crime Agency.
Gamble said such data had been crucial in identifying paedophile
networks with hundreds of members.
Both said courts accepted communications as important evidence
in trials, and in building up a picture of criminals' modus
operandi.
The proposals call for CSPs to retain communications data such
as caller name, location, called party, location and duration of
call, as well as sites they visit on the internet.
This is easy to do with fixed wire telephony, but it is more
difficult on the internet because it uses a more random way of
getting information to and from sender and receiver. It is also
easier to hide an internet address.
Upgrades to internet software also mean that the information
wanted from a message might not always be found in the same place
in the message. This would add to the overhead of keeping in
technological compliance with the proposed law, said Cambridge
University's Richard
Clayton.
The London School of Economics'
Peter Sommer said rules on admissible evidence mean that the
content of calls is not admissible, although "communications data"
is. CSPs would have to strip out the content of the message to
ensure that it complied with the rules.
This is a non-business burden on CSPs that will have to be paid
for, said Martin Hoskins, head of data protection and disclosure at
mobile network operator T-Mobile.
Hoskins said that his company processed 137,000 information
requests under Regulation of Investigatory Powers Act (Ripa) last
year. The Home Office paid T-Mobile some £3m for its trouble, he
said. There are between 10 and 13 firms which are in the same
position to collect and pass on customers' call information, he
said.
Hoskins said it would simplify matters if there was a single,
clear and unambiguous legal regime for CSPs to comply with. He said
T-Mobile preferred it to be Ripa because Ripa had a clear and
auditable chain of accountability for releasing customer
information.
He said the Department of Work and Pensions, which is excluded
from Ripa, and Ofcom, the communications regulator, had each asked
T-Mobile for personally identifiable information under different
laws.
He said it is also important to clarify the liability of CSPs
with respect to processing and releasing third-party data, such as
e-mails sent via Google or Microsoft's e-mail services.
He said it might be technically impossible to identify such
traffic because it would mean breaking into proprietary protocols
used to transmit the messages.
Secondly, CSPs are presently protected against litigation while
they collect and hold the data, but become liable as soon as it is
passed to others, even if they are law enforcement officers acting
with authorisation.