The data retention swizzle

People tear down Iron Felix statue of KGB founder Felix Dzerzhinsky outside KGB headquarters - Moscow - 24 August 1991 - during putsch against Mikhail Gorbachev - CROP.pngThe government’s reform of state snooping powers is a bit of a swizzle.

It was needed to address a “capability gap” that stopped police and intelligence spooks listening to the private communications of crime suspects, said a brief Prime minister David Cameron’s office issued on 27 May. And they were needed in answer to issues being raised by David Anderson QC, the Independent Reviewer of Counter-Terrorism legislation.

But the primary cause of Cameron’s capability gap was a court ruling that outlawed some of his most contentious snooping powers last year. The primary cause of his reforms was a need to make his snooping powers legitimate again. And Anderson was called to review how to do it.

The snooping powers had been created under a false premise at the UK’s insistence in 2006. The UK did it under European law, having tried and failed to do it in UK law. But the European court exposed the falsehood and revoked the law – the European Data Retention Directive – on 8 April last year. So Cameron’s government has been attempting to legitimise them in UK law again.

History suggests this might be difficult to do. The European Union changed human rights law in 2002 to permit member states to implement these snooping powers, which require teclos to keep copies of people’s communications records and internet browsing so police can look at them. But few EU states actually did it.

Cataclysmic US president George W Bush had personally pressed them do it for the sake of his “War on Terror”. But Europeans were uncomfortable about their private lives being scrutinized by peevish officials for fear that the slightest slip or stumble would become punishable under the pitiless rules of software-driven policing.

It meant rewiring the post-World War II consciousness The post-war bad guys – the East German Stasi, Chinese Communist bureaucracy, Soviet spying apparatus – had all been characterised by their snooping.

Such powers were so despised a decade ago that the UK had made of them an apology. It managed to create a comms data surveillance regime by pressing emergency anti-terrorism laws upon parliament a month after the terrorist attacks that destroyed New York’s Twin Towers in 2001. But it was voluntary.

The internet industry had opposed retention because it would cost them money to store communications records for millions of customers. The EU had finished liberalising its telecoms market just as the internet boomed at the end of the 90s. The theory was that if the UK made BT do retention but Germany left Deutsche Telekom alone, which would be top dog of Europe’s telecoms industry in five years?

Other EU states were similarly indisposed to do it without being forced. After the EU changed the law in 2002 to permit them to do it, just six of 14 did so. It was so unpopular that by 2006 only about 4 out of 24 EU states had such rules actually in force.

So the UK proposed forcing EU states to implement data retention regimes instead, with a 2006 Directive it formulated with Ireland, France and Sweden. They justified it as an urgent anti-terrorism measure after the London and Madrid terrorist bombings of 2004 and 2005. But they needed to impose this unwanted data retention regime on the whole of Europe in order to make it possible for them to do themselves.

Not only would any country that did retention put their own telecoms industry at a disadvantage. But even existing national regimes were becoming useless, said the UK group’s proposal for a Europe-wide retention law in 2005.

It was common for EU states to insist telcos erase or anonymise records of people’s communications as soon as they hung up or signed off. Some countries made exceptions so telcos could retain comms records and use them to create detailed (presumably itemised) bills of their customers’ call usage. Data retention regimes typically allowed police to search this data, just as they might get a warrant to search any civil space if they had good reason in the course of a criminal investigation. But it was unusual to require telcos to keep records solely for police purposes.

But telcos had started doing flat-rate, all-inclusive phone contracts. They consequently began to stop keeping comms records because they no longer needed them to bill customers, said UK group in the annex to their proposed Data Retention Directive.

Retention was already prohibitively costly. And now it was unnecessary as well. Any country that attempted to do data retention would be imposing a huge additional cost on their telecoms industry. They could only get away with it they could make everyone do it.

“The problem which the proposal for a Directive on retention of traffic data aims to address is that the law enforcement authorities are slowly but surely losing one of their most important instruments for preventing and combating (organised) crime and terrorism – access to traffic data retained by electronic communications providers,” the UK group said.

So they attempted to save their frail police retention regimes from complete disintegration by crafting a law to harmonize them across Europe.

The single market was, roughly, the only reason the EU could legislate on anything. It certainly wasn’t allowed to create police powers, said the European Court when it published its opinion on the Retention Directive in December 2013. It was wicked to use the EU to regulate the single market solely to ease the way for unpopular police powers. Harmonization would mean obliging any EU country impose retention rules that hadn’t already. That meant creating police powers, which the EU wasn’t allowed to do. So the ECJ called foul last year and revoked the law, eight years after it was introduced, and between eight and eleven years after legal challanges were raised against data retention in the Irish and Austrian courts.

The court’s final condemnation last April said the powers might have been justified if they had imposed restraints on police who used them. But they hadn’t so the law was illegitimate.

But it didn’t matter anyway. The 2006 Directive had done its job. Twenty-three of 27 member states had implemented the Data Retention Directive by the time it was revoked. Four of the other five – Germany, Romania, Czech Republic and Austria – all had their data retention regimes prohibited by their constitutional courts. Europe now largely had data retention. Industry opposition had been appeased. Civil opposition – only ever precipitated by industry’s public relations machine – had been quieted.

Home secretary Theresa May followed the ECJ ruling last year by pressing emergency data retention laws upon parliament, which she did with barely any opposition. She reassured parliament her emergency legislation would be followed by a proper review, so they could legislate a permanent snooping law after considering it properly. That was the Anderson review the prime minister now cites as justification for his Investigatory Powers Bill.

Such a misbegotten law as data retention would be vulnerable it were shoved out into the world now on its own. Fortunately for Cameron, and for his police force, the immense and legally dubious snooping infrastructure that the intelligence services have built in the last five to ten years has been brought to light by The Guardian newspaper’s Snowden revelations. MI5, MI6 and GCHQ appear to have done as much mass snooping as they want and as the latest technology would permit them. But now their extraordinary internet snooping apparatus has grown beyond the limit of their legal cover, beyond the limit of what the law had previously conceived possible and was therefore necessary to explicitly permit, they need parliamentary approval for what they are doing.

As Dr Eric Metcalf, a barrister at Monckton Chamber s who represented Justice, a legal charity, in the parliamentary Intelligence and Security Committee’s promenading hearings last October, said of the those parts of the new surveillance apparatus that Cameron’s establishment has been less transparent than they would have people believe: “In crude terms, it is the largest breach of privacy in British history.”

But swept into one, uber snooping law with the weight of the entire establishment and every police and intelligence agency behind it, the Investigatory Powers Bill will land on the statute like a gorilla at a family picnic. Some people might splutter. But most will go on sipping their tea.