"The rules of the game have changed," then-Prime Minister Tony Blair said after the July 7, 2005, terrorist attacks in London as he announced that the U.K. government would clamp down on terrorists "whatever it takes." Now, the limits of such bold but vague intentions are on show as the draft Communications Data Bill undergoes pre-legislative scrutiny in a joint committee of British Members of Parliament and Peers. Is gathering digital data from the general population a necessary upgrade of law enforcement capabilities, as the British Government argues, or does it dilute the liberal tenets of British democracy for the sake of security?
Critics of the bill argue that, in its current form, it translates into a "snoopers' charter." Henry Porter, a columnist at the Observer, conveyed his concerns that Britain would become a police state when he appeared before Parliament on Tuesday. "I don't believe this entire nation should subject itself to a massive surveillance campaign by a few people who appear to be unscrutinized and the methods untransparent," he said. A week earlier, before the same committee of members of the House of Commons and the House of Lords, Lord Carlile, the official reviewer of terrorism legislation between 2001 and 2011, dismissed that argument, saying "the term 'snoopers' charter' is a complete traducement of this bill."
Many offenders are "not half as clever as you imagine," Carlile, a leading criminal lawyer, argued. He echoed the government's case: "Police should be able to know who was telephoning whom and for how long and what time... Prosecutions would be brought to their knees if this was not possible." Several officials from the Home Office, the U.K.'s interior ministry, were expected to be the last ones to appear before the Joint Committee on Wednesday afternoon. They were heard mostly behind closed doors, but were likely to follow the minister of security's justification, as expressed in a recent interview with the Guardian. "Those who want to do us serious harm are waiting for the moment we take our eye off the ball," James Brokenshire said.
Information about government plans to lay out a comprehensive "spy plan," as it has been characterized by the British press, were uncovered in February. "U.K. surveillance plan must be watched carefully," warned CPJ Internet Advocacy Coordinator Danny O'Brien, in this blog post. Public outcry from digital experts, journalists, and activists was immediate. "It would be the most intrusive law in democratic countries; it would be a snoopers' charter--not could; it risks undermining anonymity, particularly whistleblowing; and it would set a terrible example for authoritarian regimes," said Kirsty Hughes, chief executive of Index for Censorship, at a panel held last week in London, attended by CPJ and organized by Index and the Global Network Initiative.
Parliament decided to cool down the social debate and the legislative process by launching a scrutiny committee in July. Dozens of experts have been heard so far (see a full list here), with some observers worried about the lack of technical and technological expertise among the parliamentarians. "At least, by now the scrutiny committee knows what it doesn't know," said Emma Ascroft, director of public policy at Yahoo, during the debate. Once the committee wraps up proceedings in coming weeks, the bill will be subject to full parliamentary debate.
The bill would extend to up to 12 months the time telecommunications firms have to store data and broaden the range of the data they need to store. It would include data they don't currently retain like details of messages sent on social media such as Facebook or Twitter, Web-based mail such as Gmail, and voice calls over the Internet such as Skype, in addition to client-based emails and phone calls. The data would not include the "content" of messages (what is being said, written, or tweeted); officers would still need a warrant to access content. As stated in the draft presented by the government in June, "Communications data falls into three categories: subscriber data; use data; and traffic data." The British Government wants all telecommunications companies to store for a year those data, which include traffic information such as the time, duration, originator, and recipient of a communication and the location of the device from which it is made.
The main criticism of the bill derives from the consideration that in the digital era, the distinction between "communications data" and "content" is far less clear than it used to be. Traffic information such as the websites visited, the use of geolocalized telephone applications, or Facebook activity provides much more "content" about our lives than the traditional number dialed in telephone calls and at what time, in the pre-digital world (known as "use data"). "Traffic information, such as our Internet browsing activity, is much more intrusive than the so-called use data," said Jamie Bartlett, director of social media at Demos, a British think-tank, and one of the experts heard by the scrutiny committee.
"The bill is so broadly drafted that it might go down to any individual," said Ian Brown during the panel held in London, expressing a widely shared concern that any person could potentially be tracked. Bartlett and Brown both advocated a minimalist approach regarding the data involved, the people targeted, and the number of government agencies benefiting from the powers allocated by the bill. Brown, associate director of Oxford University's Cyber Security Centre, flatly denies that the current bill serves its stated purpose of combating security threats: "Many in big data companies argue that if we gather enough data from everyone and we mine it constantly we can prevent the next September 11, but scientists don't agree that this would help fighting terrorism," because the most threatening plots would circumvent the data gathering, he said. Brown noted that the U.K. already hosts the largest DNA database per capita in the world, which has raised privacy issues before the European Court of Human Rights.
From the perspective of Internet service providers (ISPs), Yahoo's Ascroft expressed her concerns about the extension of British jurisdiction enshrined in the draft law. "It increases the data types and applies to a broader range of providers, not just ISPs [usually involved in the data gathering for law enforcement purposes] but any 'telecommunications system,' a definition that we don't know how far it goes," she said. In her briefing to the scrutiny committee, she said the broad nature of the bill means the U.K. would be the first country to extend its jurisdiction, creating a reserve power to "require U.K. providers to retain data that authorities could not obtain directly." Yahoo, a member of the Global Network Initiative, has also complained that the bill requires ISPs to generate data types specifically and only for law enforcement, which is "over and above what a provider would generate and retain for their commercial purposes," according to Ascroft.
During the Index on Censorship panel, Ascroft called for "respecting the jurisdiction boundaries using existing mutual legal assistance treaties (MLATs) as opposed to the aggressive assertion of U.K. jurisdiction included in the bill." "Law enforcement tends to see MLAT processes as slow and cumbersome," she noted. Many privacy and press freedom groups fear that such broad powers could encourage other countries, including those under authoritarian regimes, to similarly assert the extension of their own jurisdiction, with a potentially damaging impact on freedom of expression.
It's true that, as Blair said, the rules of the game have changed. But let's make sure new rules in democratic countries do not end up benefiting the enemies of our very own freedoms.
[Reporting from London]