The United Kingdom’s draft Communications Data Bill, more commonly known as the Snoopers’ Charter, has drawn a sharp critique from the Global Network Initiative (GNI). In a submission to the UK Parliament’s Communications Data Bill Joint Scrutiny Committee, the organization outlined serious concerns with the proposed legislation, which would expand governmental powers to access the online communications of all UK citizens.
GNI is a coalition of companies, civil society organizations (including EFF), investors and academics working collaboratively to advance freedom of expression and privacy in the Information and Communications Technology (ICT) sector.
One major problem is that the UK Snoopers' Charter contains a provision requiring the generation of data specifically and only for law enforcement access, making it even more extreme than the highly problematic EU Data Retention Directive, which EFF is working to repeal. From the GNI submission:
“The bill broadens the collection and retention of new data on anyone in the UK using communications services. This includes requirements to generate data—not required for business purposes and not routinely collected by providers—specifically and only for the purpose of law enforcement access. This provision goes beyond the existing requirements under the Regulatory and Investigatory Powers Act (RIPA) and the EU’s Data Retention Directive.”
Furthermore, GNI pointed out, not only would the Snoopers’ Charter further erode the privacy rights of UK citizens, it could also set a negative precedent, giving authoritarian regimes a model to point to when seeking to justify surveilling their own citizens. Such an outcome could have grave consequences for human rights.
“This … could set a powerful precedent for repressive regimes to follow when seeking to justify surveillance on their own populations. Regimes attempt to claim legitimacy for their actions when they are able to point to similar requirements, even if only in the form of policy statements or draft legislation, in leading democratic nations. An example of exactly this type of reaction came from China in response to statements made in Parliament by the Prime Minister David Cameron in the days following the riots in 2011 around the need to consider placing limits on social networks and allowing greater government access to user communications in certain circumstances.”
And while the draft Communications Data Bill seeks to require providers to store the communications data, rather than the content, of users’ communications, GNI pointed out that the distinction isn’t always so clear-cut. What's more, in some cases access to communications data can be just as privacy-invasive.
“Technological advances are also blurring the distinction between communications data and content that is at the heart of this Bill. For example, the URL for a web address can provide considerable access to information about the type of content the user is viewing. Stakeholders must be reassured that communications data could be reliably extracted without also disclosing content. Taken alongside the expanded scope of data collection for anyone using communications services in the UK, this must be considered when assessing the proportionality of the proposals.”
GNI also flagged problems with the bill’s assertion of jurisdiction over communications service providers based outside the UK, in cases where UK-based users access the services.
“The draft Bill could provide unintended justification for actions by other governments. … Even if other jurisdictions do not enact similar or contrary laws, UK citizens’ data could still be at jeopardy. Once other governments become aware of the storage of this additional communications data, law enforcement entities in other jurisdictions will seek to obtain it as well. If ICT companies are required to obtain and retain communications data for UK residents, law enforcement entities in other jurisdictions could have a legitimate claim to seek access to it. Non-UK law enforcement entities may either try to obtain it through UK law enforcement or by exerting pressure on companies to release the data without UK cooperation.”
Finally, GNI highlighted the specific problems with a reserve power proposed in the bill, which would empower the UK Home Secretary to require UK providers to capture and retain data (specifically and only for law enforcement purposes) in cases where the requirements could not be imposed on a non-UK provider.
“Setting aside the technical challenges of whether this can be done ... this requirement could have the effect of increasing pressure on non-UK providers to cooperate with law enforcement in informal, voluntary agreements. In contrast, GNI’s Implementation Guidelines commit companies to encourage governments to be ‘specific, transparent and consistent in the demands, laws, and regulations’ they issue.”
EFF remains deeply concerned about the UK Snoopers’ Charter and will continue working in tandem with privacy advocates in the UK to challenge this privacy-invasive legislation.