CCDP: It's not what you know, it's who you know

The dust has temporarily settled a little on the Home Office’s announcement of the Communications Capabilities Development Programme (CCDP), and doubtless some Ministers are now licking their wounds whilst others sharpen weapons in preparation for the fight that lies ahead when the legislation appears before Parliament. That the Coalition could countenance such an illiberal and disproportionate dismantling of privacy rights came as a shock; that they almost immediately fell into the same traps as the last government whilst they tried to justify their arguments was risible.

So what’s all the fuss about? CCDP is the logical successor to the last government’s abandoned Interception Modernisation Programme, which was intended to create a central database of all telephone and Internet communications traffic. In its new guise, the plan will force Communications Service Providers (CSPs) to maintain their own databases of communications metadata: storing details of all communications over their networks, but not the actual content of the communications. Government bodies will have access to communications metadata under statutory powers, but will not be able to access the actual contents of the communications without first obtaining a warrant to do so. The excellent ORG wiki has a wealth of information about CCDP.

The Coalition has been at pains to play down the significance of the strategy, which is championed by the Home Office, and has been lurking around for some months now, but was thrust into the spotlight by articles in the Telegraph and the Sunday Times. Prime Minister David Cameron assured Parliament that “we have made good progress on rolling back state intrusion in terms of getting rid of ID cards and in terms of the right to enter a person’s home. We are not considering a central Government database to store all communications information, and we shall be working with the Information Commissioner’s Office on anything we do in that area.” The Prime Minister’s reassurance should make everything OK. After all, the government’s only asking for communications metadata, and doesn’t want to store it centrally; and the ICO will ensure that things happen by the book. Isn’t that a reasonable and proportionate requirement in the Internet age? Absolutely not.

Let’s debunk the facile arguments about centralisation and oversight. The government does not want, nor need, a central communications database in order to monitor our lives, and in fact that would make the job harder: rather than wanting one giant haystack in which to find a particular needle, the Home Office plans to create many smaller, more manageable haystacks, the costs of which can be forced upon the CSPs, together with associated delivery challenges, so that there’s a much smaller risk of the implementation failing. In the federated world, there’s no point in having a centralised database, when multiple sources can be accessed as easily (or even more easily) than once central one. As for oversight, that’s a hollow reassurance given the ICO’s impotence at dealing with the most basic threats to privacy and liberties caused by central government departments and major corporations. The Commissioner doesn’t have a fraction of the resources required to apply even a veneer of control over public servants’ use of CCDP data, and any claim of governance from his office is clearly meaningless.

But the most worrying aspect of CCDP is the mandatory interception of communications metadata. That metadata can provide a richer and deeper insight into an individual’s life than any amount of communications content. Simply by analysing the times, sources and destinations, geographic locations, devices and contexts of an individual’s communications – as well as taking into account things that they don’t do – a wealth of information can be obtained. At a glance, a public servant who has not had to obtain a warrant or apply to a court, will be able to find out where you live and work, with whom you correspond, what your financial, health, sexual, religious, political or professional interests might be, your day to day movements, and from these, your likely intentions.

Consider Google’s interest in your online activity: the search giant is actively trying to drop personal data about users because it doesn’t need it; what Google is after is not to know who you are, but what you are about to do. If it can accurately predict that, then it can intercept your plans and try to modify them with paid-for advertising. That’s how Google makes money. Social networks are very similar. LinkedIn, for example, will allow you to post and browse to your heart’s content for free, because it’s exploiting that behaviour on behalf of paying advertisers. If you want to see who’s looking at your profile then you have to pay hard cash to do so. So the real value in online activity is not in the content, but in the communications metadata, and that’s what the Home Office is now seeking: they don’t want to mine what you know, they want to mine who you know. Without recourse to the courts, or meaningful oversight mechanisms. Without any form of opt-out mechanism or user transparency.

Fortunately, there are storm clouds are gathering over CCDP. Sir Tim Berners-Lee has spoken out about the scheme, saying that “The idea that we should routinely record information about people is obviously very dangerous…”  Civil liberties groups will be meeting at the London School of Economics on Thursday 19th April to discuss how best to fight the plans, in a revival of the ‘Scrambling for Safety‘ events which were last held in the fight against the National Identity Scheme. The likes of NO2ID and 38 Degrees are pushing politicians to drop the draft legislation before it even reaches Parliament. But if this idea is to be stopped in its tracks, it will require the sort of popular protest that killed ID Cards and must now be brought to bear on CCDP. As the greatest living Englishman says in his Guardian interview:

‎”The amount of control you have over somebody if you can monitor internet activity is amazing… You get to know every detail, you get to know, in a way, more intimate details about their life than any person that they talk to because often people will confide in the internet as they find their way through medical websites … or as an adolescent finds their way through a website about homosexuality, wondering what they are and whether they should talk to people about it.”