Communications services providers face huge technical and liability problems in complying with proposals to upgrade the UK's capacity to eavesdrop on the internet, a parliamentary committee heard this morning.
The government is consulting on how to track suspected law-breakers in cyberspace. Its proposals for an Interception Modernisation Programme (IMP) have been scaled back since they first emerged, but law enforcement officers are adamant that they need access to communications data.
The government proposes that communications services providers (CSPs) such as telecoms companies and internet service providers (ISPs) should collect and store information that may be helpful to the police.
The All Party Parliamentary Group on Privacy, which was formed three months ago and is chaired by Edward Garnier MP, is looking into the privacy and cost implications of the IMP.
Tim Hayward, the Home Office official in charge of IMP, and Jim Gamble, the chief police officer who heads the Child Exploitation and Online Protection Centre, said the programme is essential to maintain the state's ability to track and trace criminals and their associates.
Hayward said communications data had been material to 95% of investigations by the Serious Organised Crime Agency.
Gamble said such data had been crucial in identifying paedophile networks with hundreds of members.
Both said courts accepted communications as important evidence in trials, and in building up a picture of criminals' modus operandi.
The proposals call for CSPs to retain communications data such as caller name, location, called party, location and duration of call, as well as the sites users visit on the internet.
This is easy to do with fixed wire telephony, but it is more difficult on the internet because it uses a more random way of getting information to and from sender and receiver. It is also easier to hide an internet address.
Upgrades to internet software also mean that the information wanted from a message might not always be found in the same place in the message. This would add to the overhead of staying technically compliant with the proposed law, said Cambridge University's Richard Clayton.
The London School of Economics' Peter Sommer said rules on admissible evidence mean that the content of calls is not admissible, although "communications data" is. CSPs would have to strip out the content of the message to ensure that it complied with the rules.
This is a non-business burden on CSPs that will have to be paid for, said Martin Hoskins, head of data protection and disclosure at mobile network operator T-Mobile.
Hoskins said that his company processed 137,000 information requests under the Regulation of Investigatory Powers Act (Ripa) last year. The Home Office paid T-Mobile some £3m for its trouble, he said. There are between 10 and 13 firms which are in the same position to collect and pass on customers' call information, he said.
Hoskins said it would simplify matters if there was a single, clear and unambiguous legal regime for CSPs to comply with. He said T-Mobile preferred it to be Ripa because Ripa had a clear and auditable chain of accountability for releasing customer information.
He said the Department of Work and Pensions, which is excluded from Ripa, and Ofcom, the communications regulator, had each asked T-Mobile for personally identifiable information under different laws.
He said it is also important to clarify the liability of CSPs with respect to processing and releasing third-party data, such as e-mails sent via Google or Microsoft's e-mail services.
He said it might be technically impossible to identify such traffic because it would mean breaking into proprietary protocols used to transmit the messages.
Secondly, CSPs are presently protected against litigation while they collect and hold the data, but become liable as soon as it is passed to others, even if they are law enforcement officers acting with authorisation.