Thursday, July 17, 2014

Another letter to my MP on DRIP

I've written to Nicola Blackwood, MP, again about the Data Retention and Regulatory Powers (DRIP) Bill, this time directly criticising MPs' approach to it. I phoned and wrote to her prior to the debate in the Commons on Tuesday but have had no substantive response, as of yet. Ms Blackwood does usually take the time to respond and I do expect to hear from her. It will by then, however, be much too late to do anything about the legislative plane crash that is DRIP with MPs currently fast asleep at the controls.
Nicola,
I was disappointed to see you didn’t attend the debate on the Data Retention & Investigatory Powers (DRIP) Bill on Tuesday, 15 July, yet showed up to vote it through.
It’s inspires little confidence in the integrity of Parliament when MPs just vote as instructed by the party leadership without any apparent evidence of engagement with the substance of the proposed legislation. I appreciate MPs are busy but for something as serious as an emergency law that requires blanket, indiscriminate communications data retention targeted not at criminals but  the entire population, every single MP should take notice and make time.
I would make one final request that you do take the requisite time to read the Bill and associated documents at http://services.parliament.uk/bills/2014-15/dataretentionandinvestigatorypowers/documents.html
In order to understand what the Bill actually says rather than what the party briefing might be telling you it says.
And then take a principled stand against the Bill when the it comes before the Commons for confirmation later today.
Regards,
Ray

PS For information, I’m a co-signatory of the letter from UK academics to MPs asking that full and proper parliamentary scrutiny by (sic) applied to DRIP to ensure Parliamentarians are not mislead as to what powers this Bill truly contains. Our opposition to the Bill has been noted by Lord Knight in the House of Lords debate on DRIP yesterday and widely reported in the mainstream media by The Independent, The Guardian, the technology press such as Wired, also in The Wall Street Journal and several other prominent overseas media outlets.  Copy available at
Ray Corrigan 
Typo in the PS corrected in follow upmail.

Tuesday, July 15, 2014

DRIP debate in House of Commons

Data Retention & Investigatory Powers (DRIP) Bill debate in House of Commons (begins 12:45:37)
Not to be recommended for those of a quesy disposition

Open Letter to MPs re DRIP from UK academics

Open letter to MPs on the emergency Data Retention and Investigatory Powers (DRIP) Bill being rushed through the House of Commons today. (Full disclosure - I'm a co-signatory)
"Tuesday 15th July 2014 
To all Members of Parliament, 
Re: An open letter from UK internet law academic experts 

On Thursday 10 July the Coalition Government (with support from the Opposition) published draft emergency legislation, the Data Retention and Investigatory Powers Bill (“DRIP”). The Bill was posited as doing no more than extending the data retention powers already in force under the EU Data Retention Directive, which was recently ruled incompatible with European human rights law by the Grand Chamber of the Court of Justice of the European Union (CJEU) in the joined cases brought by Digital Rights Ireland (C-293/12) and Seitlinger and Others (C-594/12) handed down on 8 April 2014. 
In introducing the Bill to Parliament, the Home Secretary framed the legislation as a response to the CJEU’s decision on data retention, and as essential to preserve current levels of access to communications data by law enforcement and security services. The government has maintained that the Bill does not contain new powers. 
On our analysis, this position is false. In fact, the Bill proposes to extend investigatory powers considerably, increasing the British government’s capabilities to access both communications data and content. The Bill will increase surveillance powers by authorising the government to;
  • compel any person or company – including internet services and telecommunications companies – outside the United Kingdom to execute an interception warrant (Clause 4(2));
  • compel persons or companies outside the United Kingdom to execute an interception warrant relating to conduct outside of the UK (Clause 4(2));
  • compel any person or company outside the UK to do anything, including complying with technical requirements, to ensure that the person or company is able, on a continuing basis, to assist the UK with interception at any time (Clause 4(6)).
  • order any person or company outside the United Kingdom to obtain, retain and disclose communications data (Clause 4(8)); and
  • order any person or company outside the United Kingdom to obtain, retain and disclose communications data relating to conduct outside the UK (Clause 4(8)).
The legislation goes far beyond simply authorising data retention in the UK. In fact, DRIP attempts to extend the territorial reach of the British interception powers, expanding the UK’s ability to mandate the interception of communications content across the globe. It introduces powers that are not only completely novel in the United Kingdom, they are some of the first of their kind globally. 
Moreover, since mass data retention by the UK falls within the scope of EU law, as it entails a derogation from the EU’s e-privacy Directive (Article 15, Directive 2002/58), the proposed Bill arguably breaches EU law to the extent that it falls within the scope of EU law, since such mass surveillance would still fall foul of the criteria set out by the Court of Justice of the EU in the Digital Rights and Seitlinger judgment. 
Further, the bill incorporates a number of changes to interception whilst the purported urgency relates only to the striking down of the Data Retention Directive. Even if there was a real emergency relating to data retention, there is no apparent reason for this haste to be extended to the area of interception. 
DRIP is far more than an administrative necessity; it is a serious expansion of the British surveillance state. We urge the British Government not to fast track this legislation and instead apply full and proper parliamentary scrutiny to ensure Parliamentarians are not mislead as to what powers this Bill truly contains. 
Signed,

Dr Subhajit Basu, University of Leeds
Dr Paul Bernal, University of East Anglia
Professor Ian Brown, Oxford University
Ray Corrigan, The Open University
Professor Lilian Edwards, University of Strathclyde
Dr Theodore Konstadinides, University of Surrey
Professor Chris Marsden, University of Sussex
Dr Karen Mc Cullagh, University of East Anglia
Dr. Daithí Mac Síthigh, Newcastle University
Professor David Mead, University of East Anglia
Professor Andrew Murray, London School of Economics
Professor Steve Peers, University of Essex
Julia Powles, University of Cambridge
Professor Burkhard Schafer, University of Edinburgh
Professor Lorna Woods, University of Essex
Update 17/7/'14: I'm pleased to say Dr Andres Guadamuz, University of Sussex and Professor Viktor Mayer-Schönberger, Oxford University have joined as signatories to the letter.

Note to MP re Data Retention & Investigatory Powers (DRIP) Bill

In addition to phoning my MP, Nicola Blackwood, yesterday I emailed her asking that she consider voting down the Data Retention & Investigatory Powers (DRIP) Bill.
Dear Nicola,

Sorry I missed you when I phoned your office earlier today. I'm writing to you about the complex emergency data retention and investigatory powers (DRIP) Bill the Government are rushing through Parliament this week.

I understand you may be compelled as a member of the Conservative Party into agreeing with the contents of this Bill. However, I would urge you at the very least to

·         push back on the timeframe on this legislation (there is no real emergency that requires it be passed this week)
·         advocate the deletion of clause 5 which expands the definition of “communications service” exponentially
·         advocate the amended date for the repeal of the legislation (clause 6(3)) be brought forward to three months from today or at the very latest 31 December this year – if the government are serious about this being an emergency so there can be a debate then 6 months should provide adequate time for this
·         advocate the deletion of the really complex investigatory powers amendments to the Regulation of Investigatory Powers Act 2000 (clauses 3 and 4)

As I see it, the primary threat is the Government is concerned about is a lawsuit for failing to comply with the European Court of Justice ruling in April (in joined cases C-293/12 and C-594/12) that existing Data Retention laws are incompatible with human rights.

I would welcome comprehensive public and parliamentary debates about the issues connected to the Bill, in which you and all MPs are involved.

I appreciate you are busy so have not loaded this email with an analysis of the Bill but if you are interested in further details I have expanded on some of the problems at


I’d appreciate it if you would oppose(sic) against this legislation being rushed through in a day and as always thanks for taking time to consider my perspective on this kind of legislation.

Regards,

Ray
"...oppose..."  in that final sentence should, of course, read "...vote..."

Monday, July 14, 2014

Data Retention & Investigatory Powers (DRIP) Bill: a significant change in the law

The "emergency" Data Retention & Investigatory Powers (DRIP) Bill being rushed though Parliament this week sets out to -
  • make provision for data retention, now that the Court of Justice of the European Union has annulled the data retention directive; the asserted intention (of the Home Secretary) being to "maintain the status quo" by essentially re-enacting the Data Retention Regulations 2009 (S.I. 2009/859)
  • amend the grounds for issuing interception warrants or granting or giving certain authorisations or notices under Part 1 of the Regulation of Investigatory Powers Act (RIPA) 2000 
  • make provision to apply data retention and investigatory powers extra-territorially
  • expand the meaning of "telecommunications service
These stated intentions on the front page of the draft Bill alone create a clear impression that this measure goes significantly beyond an effort to "maintain the status quo". Reading the Bill itself, along with its associated 10 pages of draft regulations and 15 pages of explanatory notes only confirms this impression. The number of times the Home Secretary repeated last week that the new law was just about maintaining the status quo on data retention, in the face of those disagreeable European Court judges, was undermined by the lady herself adding that there is allegedly an
" increasingly pressing need to put beyond doubt the application of our laws on interception, so that communication service providers have to comply with their legal obligations irrespective of where they are based" (final para, Hansard, 10/07/14 Col 456)
If re-enacting the 2009 data retention regulations, this time as primary legislation, was all the government intended this could be done in significantly less than 32 pages of statute, regulations and explanatory notes. Whether to protect the UK from the EU law, as David Allen Green suggests, or otherwise, a new Bill could just say it was enacting the 2009 regulations as primary legislation. Job done.

Given how comprehensively the European Court of Justice dismantled the data retention directive that those regulations are based on - blanket indiscriminate data retention is a disproportionate interference with rights guaranteed under Articles 7 & 8 and 52(1) of the Charter of Fundamental Rights of the European Union -  that short cut to making the 2009 regs primary legislation would still be incompatible with the Charter. But it would be known law, just with brand spanking primary statute new foundations. (Even though it would be a law that the European Court has clearly stated is incompatible with those lily-livered human rights abhorrent to all true Brits, if prominent parliamentarians are to be believed). The extra provisions beyond that intent just make the Bill even more complex.

What if DRIP was just shoring up the 2009 regulations? Well blanket indiscriminate data retention has been outlawed by every high court that has considered it, including courts in Germany, Slovenia, Romania, Austria, Bulgaria, Sweden, Czech Republic and Cyprus and of course the European Court of Justice in April this year.

Yet the UK coalition government and their agreeable main opposition party don't stop just at giving our likely defunct data retention regulations the protection of parliamentary supremacy, to protect us from those big bad Europeans and their terribly un-British human rights that only protect pedophiles and terrorists. They go much further -
  • expanding data retention
  • providing the Secretary of State with Henry VIII powers to amend the law
  • expanding the reach of data retention and access, extra territorially
  • amending and expanding the scope of the incredibly complicated Regulation of Investigatory Powers Act (RIPA) 2000
  • amending and expanding the scope of what constitutes a "telecommunications service"
Clause 1 of DRIP, for example, attempts to re-enact the 2009 regulations, in addition to giving the Secretary of State, under sections 1(3), 1(4) and 1(7) wide ranging Henry VIII clause powers to amend the law, essentially as and when she likes. Section 1(1) puts a nominal brake on data retention by stating the Secretary of State can only order retention she considers "necessary and proportionate". However, given successive UK governments are repeatedly on record as claiming blanket surveillance is not just necessary and proportionate but "essential" to "save lives" that's not much of a practical restraint.

Some of the provisions of DRIP are seriously far reaching but mind numbing and I'd refer you in particular to excellent legal analyses by Steve Peers, Graham Smith, Liberty, the Open Rights Group, Privacy International, Big Brother Watch, Article 19 and English PEN and Tom Hickman who all do the job much better than I can on this.

If legalese leaves you cold there are quite a lot of nicely digestible articles floating around various corners of the web outlining the issues including those from the following cast of characters -
I should here, though, before closing draw your attention to Clauses 5 and 6 of DRIP. Clause 5 states:
"5 Meaning of "telecommunications service"
In section 2 of the Regulation of Investigatory Powers Act 2000 (meaning of "interception" etc), after subsection (8) insert - 
"(8A) For the purposes of the definition of "telecommunications service" in subsection (1), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system."
It seems that in attempting to bring services like Twitter and Facebook further into the data retention and investigatory powers fold, the government has managed to expand the scope of what is meant by "telecommunications service". It would now seem to encompass email listservs, webmail servers (as it says in the explanatory notes), social media providers like Facebook, app providers, retailers, gaming sites, the whole spectrum of website controllers/operators, bloggers, broadcast, print and online media and you can probably think of many more. I wonder if they'll try to use it as leverage on the good folk at the Guardian
Dear Mr Rusbridger,
Subject to the provisions of the DRIP Act 2014 we require that you retain and provide us with access, in the first instance, to the metadata and content of all your primary sources on GCHQ surveillance ...
I suspect even Mr Rusbridger's adversaries in the bulk of the mainstream press might suddenly find themselves on his side on the mass surveillance debate were that to happen.

Clause 6(3) of the Bill is the so-called sunset clause which says the law times out aka gets repealed on 31 December 2016. The history of such sunset clauses is that they get continually renewed - especially with nominally labelled anti-terrorist legislation. No politician can risk being accused of being soft on terrorism. If the government were serious that this is a temporary emergency measure to allow for a free and full debate on the matters it addresses the sunset clause would be three months, or at the very longest, expire at the end of this year. Not 2 and half years from now, when whichever government is in power can, if I may mix my metaphors, kick the sunset clause into the long grass with little concern about  political opposition.

Bottom line

The bottom line on DRIP is
  • DRIP is a major change in UK data retention, surveillance and investigatory powers laws
  • it involves the cementing into statute blanket indiscriminate data retention and therefore affects everyone in the UK
  • this blanket indiscriminate data retention activity was considered a serious and disproportionate breach of the right privacy by the European Court of Justice
  • I consider this an abuse of the rule of law
  • this data retention element of DRIP alone undermines UK citizens rights in the context of the Charter of Fundamental Rights of the EU and must presumably, therefore, as a direct challenge to the European Court of Justice (ECJ) ruling (in joined cases C-293/12 and C-594/12) declaring the data retention directive invalid, be open to legal challenge at European level.
  • DRIP additionally expands the immensely complex Regulation of Investigatory Powers Act (RIPA) 2000 interception powers, including the extra-territorial reach of those powers
  • DRIP, having been agreed behind closed doors by the leadership of the three biggest political parties, is being rushed through Parliament without proper parliamentary scrutiny 
  • the Home Secretary has admitted in evidence to the Home Affairs Select Committee today that MPs will not know the full details of the law they are being asked to pass this week
  • this appears to me to be an affront to the principle of Parliamentary sovereignty
  • clause 5 expands the scope of the meaning of "communications service" to a degree that it could be interpreted to mean any entity using a computer and the internet
  • there is no emergency that justifies rushing this ill thought out law through - no ongoing serious crime investigations will be put at risk, as communications service providers have a long history of cooperating willingly with the police on such matters; I suspect as in the past they would be perfectly willing to continue to retain and provide access to communications of suspects about whom law enforcement authorities have reasonable cause to harbour suspicion
  • the "be afraid of terrorists and pedophiles" line is wearing very thin
The entire DRIP enterprise is a mess which if it does, as is likely, get passed in haste this week, we will all come to regret at our leisure. Some commentators have amusingly labelled it the Dangerous Logs Act. The sad thing about that particular joke is that many of the MPs, following their party line and voting DRIP through in the next few days, will not get it.

Friday, July 11, 2014

Mass surveillance and scared politicians

So the latest UK government shambles on communications surveillance is the emergency Data Retention and Investigatory Powers (DRIP) Bill to be rushed through next week in a single day. "Explanatory notes" on the draft Bill are available here.  The official text of the Home Secretary's statement in Parliament yesterday about the Bill is here.

In short, the latter says -
Be AFRAID... terrorists... child abusers... serious criminals might get away... because of those idiot European Court judges ... BE AFRAID ...Our data retention regulations are A1, super duper, OK ... but just in case they're not we need to pass this new emergency law... just to let us do what we've always been doing... BE AFRAID... but don't worry we'll protect you with this new emergency law that even that Labour gang agree is wonderful... oh and just in case I didn't mention it... BE VERY AFRAID!
Prior to that David Cameron and Nick Clegg had made a big announcement about it at an earlier specially trailored press conference. The telling point for me in this session was when the BBC's Nick Robinson, generally totally clueless about digital rights whilst on air at least, decided to go for the standard journalistic trolling approach, perhaps since he didn't really have any informed questions to ask. Mr Robinson accused Mr Cameron of rushing through an emergency law in haste which we would all repent at leisure. To which the Prime Minister responded with a cracking voice and a face like a toddler on the verge of tears -
"I am simply not prepared to be a prime minister who has to address the people after a terrorist incident and explain that I could have done more to prevent it."
There you have the whole story of the political interest in the construction of our mass surveillance infrastructure in a single sentence.

Our political leaders are scared.

They are not scared of the terrorists.

No.

They are scared that the next time there is a terrorist attack they will be accused of having not done enough to prevent it.

So they have to DO SOMETHING.

It doesn't matter if that something causes untold damage of immeasurable proportions.

In fact it is better if it is immeasurable, preferably complex, costly, involving computers; and accompanied by a selection of misleading 2 to 3 second soundbites carefully crafted for promotional purposes which come with bonus points if they can include sniping at Europe or human rights.

That way critics cannot easily pin them down.

But they must, at all costs, DO SOMETHING.

It is also better if that something involves everyone, plus large sums of public money, plus computers.

Then when the inevitable happens they can hit the broadcast circuits with pride "We did everything we could and we're going to try harder and spend more money on high tech security and never let the terrorists win..."

And you know what's so sad about this disastrously damaging cycle? The fear driving the politicians to get things so completely wrong will not save them from accusations of incompetence. When the time comes the media will still attack the government for not doing enough.

The parliamentary debate on DRIP yesterday was a parody of itself (Begins at 11:18:53)


TheyWorkForYou have the transcript of the debate.

Analysis of DRIP later if I get the chance but what is very clear is that it much more than a re-assertion of the data retention regulations.

Friday, July 04, 2014

House of Lords evidence session on CJEU Google ruling

The House of Lords EU Sub-Committee on Home Affairs, Health and Education had a hearing earlier in the week about the European Court of Justice decision in the Google v González case, popularly known as the right to be forgotten ruling.
Witnesses at the first session were Neil Cameron, consultant; Chris Scott, Partner, Schillings; Jennie Sumpster, Senior Associate, Schillings; and Jim Killock, Executive Director, Open Rights Group.

Tuesday, July 01, 2014

Health Committee hearing on handling of health data

Video of UK Parliament Health Committee hearing on handling of health data and the proposed care.data scheme now due to be rolled out in "pathfinder" pilots in the autumn.

Sunday, June 29, 2014

Twitter down?

Twitter seems to be unstable and/or inaccessible for a couple of days. But then so is my Virgin Media connection so maybe the two are related?