John Kampfner opened by saying the Home Office had unfortunately not had anyone available and thanked Jamie Bartlett for stepping into the fray at the last minute to offer a "mild version" of their perspective. He then invited Ian Brown to open proceedings, later disclosing he had briefed Ian to stick to as balanced and factual a serving as possible.
Dr Ian Brown. OII.
Ian started with a quote from Security Minister, James Brokenshire, in Thursday's Guardian, defending the communications data bill and arguing that terrorists are using internet messaging, phone services and video games to communicate, so the government needed to track it all. Ian agreed that the first job of government was to look after the security of citizens and that there is a non trivial threat from terrorism to the UK that even the most ardent civil rights campaigners would not deny.
There is already a legal requirement for ISPs and phone companies to retain data. The Home Office say terrorists know this and as a result are moving to social networks, games etc and therefore they need access to that data too.
In reality they are wanting to take a narrow power and broadening it to any person who controls or supplies a communications service, a communications service provider (CSP). The Secretary of State can make changes by order. The CDB also allows government to say they are not building a giant central database since it is the ISPs and other technology companies that will be holding the data.
Ian said there were two key issues:
- Firstly the rhetoric from government is that this is "all about terrorism". But if you want to tackle/prevent terrorism mass surveillance is useless compared to targeted surveillance. Government believes the hype from tech vendors of surveillance kit that all they have to do to stop the next 9/11 is gather all the data on everyone and mine it. Unfortunately the technology is no where near doing the kinds of things that are claimed for it. The US government know this from an officially commissioned scientific report published earlier this year. So anti-terrorism is a red herring.
- Secondly the data collected under the CDB will be used for all kinds of purposes which have nothing to do with serious crime. You only have to look at the abuse of data collecting under the Regulation of Investigatory Powers Act to see this. The CDB will very seriously infringe on EU privacy rights. These privacy rights are not absolute and if the government has serious social, national security or economic reasons for overriding them they are entitled to do so. But there are indications from high courts around Europe and from the European Court of Human Rights that the kinds of invasions that would be facilitated by the CDB would eventually be declared unlawful. The Bulgarian and Romanian supreme courts have disapproved of data retention. The Irish High Court has declared it important to limit and control data retention and has referred the issue to the European Court of Justice. Ian didn't quote him but it's worth pointing out what Mr. Justice McKechnie said in that case:
"Given the rapid advance of current technology it is of great importance to define the legitimate legal limits of modern surveillance techniques used by governments… without sufficient legal safeguards the potential for abuse and unwarranted invasion of privacy is obvious… That is not to say that this is the case here, but the potential is in my opinion so great that a greater scrutiny of the proposed legislation is certainly merited."In addition to courts in Ireland, Bulgaria and Romania, the European Court of Human Rights has examined these issues quite closely in the case of S & Marper v UK, relating to the unlawful retention of DNA and fingerprints of innocent people. There are more than 5 million people on the UK DNA police database. That is now being changed, in theory, under the Protection of Freedoms Act, as a result of the S & Marper decision.
In the S & Marper case the UK government trotted out all the old worn arguments about why they needed blanket data collection - e.g. collecting the data doesn't infringe anyone's privacy; only using it would infringe privacy - and a whole host of others. The Court completely rejected this line idea and all the others. Of course the blanket retention of fingerprints and DNA of innocent people infringes their privacy.
Ian recommends everyone should read the S &Marper judgement. In his opinion it comprehensively deconstructs and rejects all the excuses trotted out to justify blanket data retention. I agree it is worth reading. If you can't face the full judgment, I did a blog post on the key extracts at the time. The ECHR came as close as it could, without saying so directly, to accusing the UK government of lying about the statistics they used to "prove" how good mass (fingerprint and DNA) data retention would be for serious crime detection and prevention.
The S & Marper decision is a clear indicator that, should the CDB be passed in its current form, the European Court of Human Rights would eventually declare it incompatible with the European Convention on Human Rights. Unfortunately there would be significant damage done to our society and our system of justice in the many years it would take for this to happen.
John Kampfner then invited Emma Ascroft from Yahoo! to provide the company's perspective.
Emma Ascroft. Yahoo!
Ms Ascroft opened by saying that Yahoo1 is a member of the Global Network Initiative (GNI) and by quoting Liberty who have criticised the CDB as "massively enabling and lacking in prescriptive detail". She recommends the Liberty written submission to the Joint Select Committee on the draft CDB as a good summary of the primary concerns. Liberty's submission starts at page 254 of the so far published written evidence. My own submission and quite a lot of others were omitted from this publication as a result of an error, due, I am told, to be put right shortly, now the latest set of oral evidence hearings have been completed last week. You can get a sense of Liberty's stance from their opening paragraph:
"It is no exaggeration to say that these legislative proposals signal a major shift in the relationship between the communications industry, the state and the public. Never before have private companies been called upon to orchestrate blanket collection of personal data which they have no business reason to retain."Ms Ascroft then went on to say that the CDB could be relatively benign - just a tidying up of the loose ends of the Regulation of Investigatory Powers Act. (I noticed Kirsty Hughes stiffen visibly at this point, at the implied notion that RIPA was itself relatively benign). However it could also be hugely intrusive. The Home Office is sitting somewhere on the spectrum in between the two, she believes.
Section 1 of the bill means there would be no further parliamentary scrutiny once the Bill became law. The Home Office continually tells us not to worry and just take the details on trust.
Yahoo! think the CDB would give governments in the 57 different jurisdictions they operate in the green light to adopt similar laws. It would be a dangerous tool for repressive regimes.
There are more proportionate approaches to tackling the use of networks for nefarious ends. For example the use of bilateral Mutual Legal Assistance Treaties (MLATs). These respect the fact of jurisdiction limits rather than extending government powers to access personal data into other sovereign jurisdictions.
On whether the CDB is a snoopers' charter Ms Ascroft agreed that safeguarding security was the duty of government. RIPA is 12 years old now and needs reviewing. Yahoo! are very concerned about the way the RIPA review happened. There was no public confidence in the process through which RIPA came to be reviewed. When considering these kinds of laws we need an inclusive, consultative, evidence based and transparent process. The process in relation to the CDB has been anything but transparent. The Home Office says the world has moved on and the government has access to 25% less data for tackling serious crime. But they refuse to disclose what they mean by that 25%. In Australia there is a much more open process around the development of internet crime laws.
Civil society and the Global Network Initiative (GNI) are pushing for transparency. The CDB is pushing in the opposite direction. CDB orders would be served on companies without public scrutiny.
Kirsty Hughes. Index on Censorship.
Kirsty Hughes of Index on Censorship was next to the party. She opened by saying she agreed with a lot of what had been said in criticising the Bill but also fundamentally disagreed with the notion that the first duty of government was security.
She wanted to remind us of fundamental principles. The first duty of government was the protection of liberty. Index say the CDB would be a snoopers' charter. It will be the most intrusive form of surveillance anywhere and will be widely imitated.
Foreign Secretary, William Hague goes round the world saying we like free speech and it's important to protect the rights of people. The Home Office does the opposite.
The CDB is about privacy and free speech. A lot of critical discussion is focused on privacy alone but they go hand in hand. This is not just about the digital world. Look at the history of detailed Stasi surveillance and the chilling effect of that. An Azerbaijan citizen recently told her he has to live his life as if he is constantly in public since he doesn't know exactly when he is being tracked/watched and when not.
Again she emphasised government's first duty is to protect rights. Then at the margins they need to look after security. Having an open, democratic, rights based society is inherently secure. There is a fundamental question about the direction of travel.
The extent of the CDB proposals in facilitating the collection of population wide data is completely disproportionate and indicative of a police state.
There are lots of questions on what constitutes traffic and what is content data and whether the two are clearly distinguishable. (I highly recommend Peter Sommer's submission to the Joint Select Committee starting at page 412 to get an in-depth understanding of the issues here). The range of data that is now available can give an extraordinary picture of people's lives.
The CDB risks undermining anonymity and therefore whistle-blowing. The chilling effect is huge.
We have seen it already on other systems where personal data is collected and passed on to less savoury regimes.
The fact that you can do something technologically does not mean you should do it. It's bad civic hygiene to deploy such systems because of the damage they do to our democracy, our rights, our society and our security.
Jamie Bartlett, Demos.
The final member of the panel to speak was Jamie Barlett, Demos Head of the Violence and Extremism Programme, and Director of the Centre for the Analysis of Social Media. Mr Bartlett was joint author of the Demos paper #Intelligence published earlier this year which argued that social media should be used for intelligence purposes. Hence John Kampfner's characterisation of his perspective as a mild version of that of the Home Office.
Mr Bartlett opened by saying he is mildly in favour of the extension of general surveillance to social media. He think the CDB does not go far enough and believes it has been unfairly misrepresented as a snoopers' charter through which the UK will join repressive regimes like Iran, China etc in using deep packet inspection to spy on citizens.
Mr Bartlett believes there is a world of difference between states that pass laws like the UK in a democracy and those that pass laws without public consent like Iran. Democratic states all do snooping, surveillance, bugging etc but it is regulated. And there are other states with similar provisions to the CDB.
Is the CDB an extension of powers? He does not think so. This is about comms and traffic data that the government already collects routinely. (Only two minutes in that's the biggest of a series of misstatements).
There are lots of reasons the government need access to comms/traffic data. The Home Office believes there is an increasing degradation in the data it has. Under the CDB they will still have to go through the same process to get access to the data as through RIPA. (I'm beginning to suspect that Ian Brown may point, in rebuttal if given the opportunity, to some holes in this perspective. The CDB, vague though it is, will significantly change the process of getting access to data).
Mr Bartlett agrees with the other panellists about the vagueness of the detail in the Bill and has a clear problem with this. We need a public debate on what data should be collected and how etc.
His second major problem with the Bill in its current form is the degree of oversight the processes of collecting and accessing the data will receive. This is not clear.
There are also already too many agencies getting access to data under RIPA. We should take a narrow approach as to which agencies need access under the CDB. RIPA is based on a sliding scale - the greater the intrusion allowed, the fewer agencies can do and for fewer purposes. (I'm not sure that's entirely representative of RIPA processes.) Access to comms data (e.g. browser history) can be more intrusive than access to traffic data. He'd like a sliding scale like RIPA.
The concern that most people have is that the agencies of state can easily and routinely collect and traverse this data for their own purposes. This is being done already and not just by the state. Commercial enterprises are doing it on an industrial scale and the scale of what the FBI is doing is staggering.
Currently directed surveillance by a police officer of someone on a public highway - e.g. following a suspect in a public place - can be done with a minimum of authorisation or oversight. Online state, private or commercial actors can do much more than this directed surveillance now. And it is being done with no control at all. It has to be regulated. Hopefully the CDB will go some way to getting this activity under control.
John Kampfner then directed three questions at Jamie Bartlett.
Firstly did Mr Barlett believe the CDB was legislation based on consent and he alluded to a Sunday Times exposé about government making laws in dark smoky rooms.
The second question was whether he believed the Bill dealt in the voluntary handing over of data by communications service providers. It seemed to Mr Kampfner that there was nothing voluntary about the draft provisions.
Thirdly he asked did Mr Bartlett have evidence of other democracies that have similar laws to the proposed CDB.
Jamie Bartlett said firstly he was not in favour of any secret surveillance powers that were not based on legislation.
Kirsty Hughes of Index interrupted with a question, asking if Mr Bartlett believed that a majority in Parliament had the right to turn us into a police state, overriding her human rights.
Ian Brown pitched in by agreeing that one of the fundamentals of human rights was that the majority cannot override the rights of minorities.
Jamie Barlett said he has significant concerns about the lack of clarity of the CDB.
John Kampfner then directed the question about the voluntary nature or otherwise of the handing over of data at Emma Ascroft of Yahoo!
Ms Ascroft said UK companies have an obligation to retain data for 12 months under the data retention regulations. The CDB would extend this to new data types.
There would be a second obligation to generate data types specified under order. As far as non UK providers are concerned that constitutes an attempt by the UK to extend its jurisdiction beyond its borders. There is a significant question about whether the government can do that.
It would be better to use MLATs (mutual legal assistance treaties). This would be more proportionate. Law enforcement authorities find the MLAT process slow. But as far as Yahoo! are concerned the communications providers are not the ones holding up the process. The CSPs are not on the critical path and it is the government to government processes that are causing it to be slow.
The Home Office has never had a sensible policy discussion around MLATs.
Jamie Barlett came back in at this stage to answer Mr Kampfner's third question. Other democracies, he said, have not passed into law powers as extensive as those in the CDB. But they have worse right abusing laws in other contexts. He started to use an example from France when John Kampfner interrupted asking he address the question of similar provisions in other democracies to the CDB.
Mr Bartlett said ok. The UK is the biggest terror target in Europe. He accepts other democracies don't have CDB equivalents. But we need regulated, transparent and clear surveillance powers.
John Kampfner said he had been in Russia recently and the Russian authorities were taking great cheer from the UK introducing these kinds of laws and using them to justify their own surveillance laws. They will be happy to bounce the UK's own repressive regulations back at them in response every time the UK government dares to lecture them hypocritically about their human rights abuses.
Mr Bartlett said we have to understand we are doing this data collection and access already. So it needs to be properly regulated. Companies already given government 75% of the data they want anyway.
John Kampfner moved on. Tony Blair post 9/11 said "the rules of the game have changed... do whatever it takes". Mr Kampfner then asked Ian Brown whether the potential monitoring of millions is ok if you stop one terrorist outrage.
Ian responded that you can make that argument about any democracy. Blair also said "human rights are a terribly outdated 19th century approach." Security is important but not at the price of breaking our democracy. The price of freedom is eternal vigilance.
Kirsty Hughes said the lack of judicial oversight in the CDB is a huge problem. And in spite of the benign perspective hitherto given on RIPA it is a terrible act in many ways and a poor starting point for further legislation in this area.
Emma Ascroft said a big change under the CDB would be to broaden the range of providers to include social networks, domain name registries and anything that might remotely touch on telecommunications.
The consequences for commerce, if other jurisdictions follow suit with their own brand of CDBs, will be to be faced with a complex international portfolio of national laws, with private companies potentially becoming the arbiters of what is allowable and what not, in relation to data collection and access.
With RIPA there was a big public consultation. Even after 9/11 there was a big consultation with companies prior to the passing of the Anti Terrorism Crime and Security Act 2003. But in the case of the CDB there has been no consultation. The debate has not happened.
For lawful access to data it would be better for the CSPs if government authorities used the MLATs. The Home Office says it has no intention to undermine MLATs but the CDB.
Kirsty Hughes said this is not about a clear and neutral security threat. The CDB is that latest in a long line post 9/11, 7/7, 11/3, liberty destroying laws. Absolute rights have been compromised and even torture approved, sold on the populist message of the need for blanket surveillance.
Jamie Barlett thinks the CDB should be withdrawn and replaced with a green paper and proper public consultation going forward.
Emma Ascroft said the CDB provides and extension of jurisdiction and a backstop power - when a provider refuses to collect and provide extra jurisdictional data - to enable a third party agency through deep packet inspection or other alternative process, to collect the data, even without the knowledge of the primary provider. That is indefensible.
At this point the Chair opened questions to the audience.
Paul Bernal of UEA was first. He pointed out that politicians simply do not understand what they are dealing with when attempting to draw up regulations for modern technology. That is a serious fault line in our law making process.
Emma Ascroft agreed that the Joint Committee is "on a steep learning curve". Parliamentary ability to scrutinise proposals depends on understanding of the technology and having enough detail in the Bill to scrutinise. The committee, she is confident, has some good advisers.
Ian Brown agreed too that most parliamentarians do not have a technological background.
Anna Fielder from Privacy International asked if anyone on the panel had compared the CDB to the USA/PATRIOT Act.
Emma Ascroft said the US doesn't apply data retention in the same way as the EU. They rely much more on "data preservation". Law enforcement contact the communications provider and say they have identified a suspect and ask the provider to collect and retain the data on that suspect. There is a fundamental difference of principle here - targeted as opposed to mass surveillance.
The Home Office did not even consult the Ministry of Justice or other government departments before going ahead with the CDB. It is by no means clear that the Bill attracts whole government support. The Home Office declared after 9/11 that they were unilaterally introducing data retention. The Information Commissioner at the time told them they could not force ISPs to retain data that data protection law required them to destroy.
If you have 12 months data retention and extend that extra territorially then you can expect other countries to follow suit. Therefore UK citizens' data will be available to other jurisdictions on an extra territorial basis.
Ian Brown said we cannot keep these massive valuable data silos secure. He also mentioned the example of Chinese hackers getting at the Google accounts of human rights activists as well as Google's proprietary source code, the release of which could do Google significant commercial damage.
John Kampfner then invited the panellists to close.
Ian Brown hopes that the Lib Dem branch of the coalition government will force the CDB to be withdrawn and force the Home Office to consult more widely. The more proportionate approach on digital network surveillance is to go through MLATs. The UK should be setting an example to avoid a race to the bottom on surveillance grabs.
Jamie Barlett, a bit bruised, said he agreed with a lot of the points made by the other panellists especially about the process surrounding the CDB. He is impressed with the Joint Select Committee who have been critical of both the process and the Bill. The question he says we need to ask is whether in 10 year the police and the Crown Prosecution Service will have the data to do their jobs. If they only have access to 10% of the comms and traffic data they need we will be in trouble. But more generally, access to social networking and media content needs to be regulated better.
Emma Ascroft concluded by admonishing the Home Office for claiming communications service providers supported the CDB. That was a big claim when they had not involved the companies in the process. John Kampfner interrupted to ask was the Home Office, then, telling a porky pie? Emma Ascroft suggested it might be better to suggest they were being economical with the truth.
We need engagement but with more detail so we can figure out and debate the detail. The department of Justice, the Culture department and other parts of government really don't approve of the CDB. The Home Office are trying to drive it through when the range and depth of stakeholders is huge.
What would be an acceptable outcome for CSPs? CSPs do not want to be asked to catch and retain third party data. This is not proportionate. For non UK providers there are other mechanisms such as the MLATs. It is also not acceptable for CSPs to have 3rd parties hacking, mining, retaining and passing on their data through surreptitious means.
Kirsty Hughes rounded off. The CDB is a sledgehammer to crack a nut. There is a serious risk that even if it gets amended it will not get amended enough. We need the voice of the UK out there defending digital freedoms not undermining them. Just think about the criminalisation of speech on social media. The CDB is worse than anything that has come before in this area. It is not just a slippery slope. It is a drop to the bottom of the barrel.