Privacy watchdog attacks Whitehall e-mail snoopers

Sweeping laws allowing government agencies to monitor e-mails and phone calls put human rights at risk.

Controversial powers giving the police and other government organisations the right to access details of e-mail, Web and telephone communications may breach fundamental human rights principles, the UK's privacy watchdog has told the Government.

Information commissioner Elizabeth France has written to Home Office officials warning that e-mail snooping powers, taken together with recently introduced anti-terrorism laws, are at odds with the European Convention on Human Rights.

This could delay government plans to set up a voluntary code of practice for Internet and phone companies on storing e-mail and phone data.

Recent confidential drafts of the code, issued under the Anti-terrorism Crime and Security Act 2001, call for service providers to retain e-mails and phone logs for six months, Web caches, including page addresses, for four days, and customer contact details for two years after an account has closed.

But legal opinion sought by the Information Commission points out that although the code requires Internet and phone companies to keep the data for anti-terrorism purposes, in practice government agencies and the police will then be able to use the Regulation of Investigatory Powers Act (RIPA) to access the same data for other purposes, including investigating benefit or tax fraud.

"The problem is having data retained for national security accessed for other purposes," said David Smith, assistant information commissioner.

"The real risk is that an authorising officer with the Inland Revenue or whatever is then breaching human rights provisions by accessing data retained for national security reasons for other purposes."

Computer Weekly has established that Government agencies are making use of existing laws to access Internet and phone details, for reasons that have little to do with national security.

Service providers have identified a series of laws that allow organisations such as the Financial Services Authority, police, Customs & Excise, and trading standards officers to apply for communications data without coming under the safeguards of RIPA codes of conduct or the oversight of the Government's Interception Commission.

Human rights barrister Ben Emmerson, of Matrix Chambers, told the Information Commission that there is no doubt that the data retention regulations are at odds with rights to privacy under European human rights conventions.

"The retention of communications data on behalf of a public authority and the disclosure of such data to a public authority constitute an interference with the right to respect for private life and correspondence enshrined in Article 8 (1) of the European Convention," he stated in a formal opinion for the Information Commission.

The commission's findings could force the Government to re-think its data retention plans unless a way around the problem can be found.

Richard Clayton, security expert at the Foundation for Information Policy Research, said, "The voluntary code of practice could be a non-starter.

"No one would want to keep information for longer than needed for business purposes if the information commissioner says it's unlawful."

The commissioner's concerns could have ramifications for businesses that provide employees access to the Internet, or internal phone networks, since under RIPA they are defined as service providers, and could be required to store e-mail and telephone records for access by the law enforcement authorities.

Laws allowing government agencies to snoop
  • Regulation of Investigatory Powers Act 2000

  • Social Security Fraud Act 2001

  • Financial Services Act 1986

  • Criminal Justice Act 1987, section 2

  • Terrorism Act 2000

  • Drug Trafficking Act 1994, section 55

  • VAT Act 1994: Production Order

  • Consumer Protection Act 1987

  • Data Protection 1998, section 29(3)
