UK surveillance plan must be watched carefully

When journalists make enemies in high places, they become vulnerable to the powers those figures wield. One such power is the state’s capacity to wiretap and obtain personal records from communications companies. From Colombia’s phone-tapping scandal to last year’s case of Gerard Davet–a Le Monde reporter whose phone records were obtained by the French intelligence service in apparent violation of press freedom laws–state surveillance has a long history of being misused against reporters.

That’s why proposed changes to how such surveillance is regulated in any country need to be closely examined for how they could affect press freedom worldwide.

For the past few weeks, the British press has been uncovering a planned shake-up in the country’s monitoring systems. Called the Communications Capabilities Development Programme, the proposal has encountered widespread criticism from civil liberties groups in the U.K. It also may set a precedent for a wider re-examination of how governments monitor the Net.

Traditionally, data obtained from the interception of electronic communications–a tapped phone or a monitored Internet connection–has been divided into two categories: the content of the interception (what is said) and what U.K. law calls “communications data.” Communications data is everything else about the message: who it was sent to and from, where and when it was sent, what kind of message it was.

Obtaining the content of an intercepted message has traditionally required a higher standard of judicial oversight than access to the communications data. For instance, in the U.K., wiretaps are only permissible via a warrant requested by law enforcement or the security services and signed by the Justice Minister. Communications data can be authorized and obtained by any number of government agencies, ranging from local councils to environmental regulators.

Historically, this statutory division between communications data and content was partly connected to the perceived intrusiveness of monitoring each of these categories. You could get communications data from the phone company’s existing billing records; to get the content of a call, you’d have to step in and listen directly. Steaming open an envelope to read a letter is more difficult than noting what letters get sent, when, and to what address.

In the digital world, however, the distinction between communications data and content is far less clear. The address of a web page that I visit is almost certainly communications data, under the old definition–it lists who I’m talking to (the website) and what I’m looking at (a web page). But some of the content of this page is included in its web address; the searches you type in Google are also reflected in web addresses it returns.

Today’s communications data can reveal far more about you than simply an address on an envelope–perhaps even more than the content of a message. Telephone companies have a record of the geographical position of their mobile phones, for instance. Is a detailed map of subscriber movements, as some have argued, merely part of the “where and when” of a phone? Should that information be obtainable by a local borough council?

Now add to the mix the myriad ways one can send a message online. One can send a private message via Twitter, or start a voice chat over Google. One can exchange files on Dropbox, or have a chat within a Facebook page. Much of this data is now encrypted to prevent third-party snooping, which means that governments have neither access to communications data nor the content through traditional interception systems, such as black box surveillance at ISPs.

The U.K. proposes to cut through this Gordian knot by setting up regulations and hardware to collect as much data as possible, at every step of the process. U.K.-based civil liberties organization Privacy International, citing experts and members of Parliament, says this will involve placing data-collecting devices in companies like Facebook and Google.

The details of the British proposal are unclear, but in replying to critical press coverage, the U.K. government states that Internet companies would be “required … to collect and store certain additional information.” Both Skype and instant messaging were mentioned as suitable targets for such data collection.

CPJ has advised Internet companies for years to improve security of their systems to prevent spying. The British government suggests that these companies should begin collecting more data on their users, and build systems to pass that data directly to U.K. authorities.

Unaddressed by the British government so far are three key questions: would the expansion in the kind of communications data collected reveal more about individual users than previously? Who would be in charge of unpacking communications data from the content of a message? And if the British government is permitted to obtain access to international companies like Facebook and Microsoft (which owns Skype), what would prevent other governments from demanding, and getting, the same access?

The first two issues are important to the protection of British journalists, and other citizens, from literally unwarranted intrusions on their work and personal life.

The third has global impact on all reporters, including those working in states where surveillance has less statutory oversight. If Britain decides to increase its own surveillance capabilities, it should take care not to step beyond the bounds of a free society–nor export uncontrolled snooping capabilities to the rest of the world.