Revealed - Government plans to tap phone and internet use

The Home Office is considering radical plans to develop a centralised surveillance system to track in real-time every kind of electronic activity undertaken by citizens.

The Home Office is considering radical plans to develop a centralised surveillance system to track in real-time every kind of electronic activity undertaken by citizens.

The project, driven by intelligence services, would require the development of a surveillance system unprecedented in its scope and technical sophistication.

The work is still at the discussion stage and has not been agreed by ministers. But if the project goes ahead as expected, it would require the development of untried technology to tap into phone lines and the internet, retrieve details on every individual's browsing and communications traffic, and store it in a central database.

The envisaged database would not record the content of telephone calls, e-mails or other internet messages. However, it could hold records of telephone and interent traffic data, which would enable investigators to build up a proile of an individual and identify their network of contacts.

The information gathered, for example, could include the time an individual sent an e-mail or instant message, and who received it. It could also record details of websites visited by members of the public, and even who had used which online computer game or video clip, when and for how long.

The project represents a major esclation in the government's powers and the speed at which electronic surveillance can be undertaken. Under existing legislation, telcos are required to hand over limited data to public authorities holding a relevant notice under the Regulation of Investigatory Powers Act (RIPA).

Subscriber details

This data, which is held for specific lengths of time, includes subscriber details, logs of phone calls, text messages, e-mails and when users have logged on and off the internet . ISPs currently only have to subscribe to a voluntary code, but retain subscriber data as a matter of course for billing purposes.

Under the new proposals being discussed by a Home Office project team, however, public authorities would retain a much wider range of internet traffic and communications data. They would also be able to access it themselves, rather than wait for network providers to hand it over.

Because Computer Weekly understands that the government has not yet decided who would operate the database or under what rules, it is unclear whether government officials would need to present a RIPA notice to access an individual's communications data in future.

ISPs and telcos are currently not allowed to hand over the volume of data currently envisaged in the proposals. The government would need to introduce legislative change to make such a move permissible. If the project is given the go-ahead, new legal rights are expected to appear in a proposed new Communications Data Bill. The Bill, which includes plans to enact the remainder of the European Union's Data Retention Initiative into UK law, is expected to be introduced in the Queen's Speech in November.

"Ministers have made no decision on whether a central database will be included in the draft Bill," said a Home Office spokeswoman.

Fight against terrorism

The Home Office sees the proposals as an essential step in its fight against terrorism, but the potential cost and the technical sophistication of the undertaking has raised eyebrows among technical specialists.

The success of the project will depend on the development of black boxes, known as network probes, that could extract traffic and communications data from raw network traffic.

Computer Weekly understands the project would require thousands of boxes to be positioned at different points on ISP and telco networks. They would be programmed to tap into messages, decode them and pass them on for storage.

Early cost estimates for the prototype work alone are huge. The costs would rise to "eye-popping" levels if applied to a full production national database. This is not least because the network probe technology being considered does not yet exist. Some experts think it may not even be possible to get the idea to work.

Peter Sommer, professor at the London School of Economics, says that no off-the-shelf systems exist to create a specialist database of this type. A new database would have to be custom-made and would require huge amounts of highly performant - and expensive - hardware to run fast enough.

The aim of creating a massive electronic communications database is to save public authorities time in having to approach individual network providers for logs. This time factor is considered important if anti-terrorism officials want to trace possible gang members by examining transaction logs quickly in order to prevent possible loss of life, the Home Office claims.

But Sommer says, "The exercise only has value if the data is available more or less online. In other words, data can be instantly searched and a result obtained in real-time as opposed to it being stored on tape. But we're talking about considerable resources for that and there's all the usual problems of government projects that don't altogether go according to the initial plan."

Value for money

Whether the project offers value for money by focussing on those rare situations where there is an imminent threat to life rather than on improving intelligence-gathering in a general sense to prevent activities progressing that far, was another question, said Sommer.

How such a database could be made secure is unclear. If the database was hacked by members of organised crime rings, foreign governments involved in espionage or terrorists, the potential misuse of the information gathered on individuals' online habits could have serious repercussions.

The cost of securing such a database would possibly be higher than building it. Paul Vlissidis, technical director at the NCC Group, said necessary protection mechanisms would include encrypting the data, rigorous access controls to ensure only authorised personnel could access it and all the usual anti-hacking measures.

But these are not the only concerns around the project. Another is technical feasibility, particularly in the area of data formats. Network providers use a wide range of incompatible data formats. Although there have already been attempts to standardise them to make it quicker and easier to deliver information to public authorities for use in court, little success has been evident so far.

European Data Protection Supervisor condemns data protection legislation >>

Government plans database to connect every citizen record >>

Read more on IT legislation and regulation