28 March 2012
At a time when the UK government is lobbying hard for mandatory data retention across the EU, it is pertinent to consider how things already work in practice in that country. This article examines the way mobile telecommunications "traffic data" is stored in the UK, and the way in which the police are able to access that data.
The provisions of the Data Protection Act 1998 (DPA) and the Telecommunications (Data Protection and Privacy) Regulations 1999 (Statutory Instrument 2093) were meant to ensure that communications records would not be retained by service providers beyond the "business need" to do so. For call records, this business need is specifically constrained by matters such as billing.
Companies differ considerably in their arrangements, but in general the telecoms industry keeps records for one year while internet service providers have much shorter periods. Mandatory data retention would oblige all service providers to keep this data for at least a year, potentially much longer.
The Regulation of Investigatory Powers Act 2000
The Regulation of Investigatory Powers Act (RIPA) did not introduce data retention. But it does mean that the police are able to serve "section 22" (S22) notices on service providers, giving them access to the data that those providers do retain. This means that the longer the data retention period, the greater the extent of access under RIPA.
S22 notices are not authorised by the courts but by police officers holding the rank of inspector or superintendent (depending on the type of data). RIPA also introduced an "authorisation" process allowing the police to access data directly where this is technically possible - i.e. without the need for an S22 notice. Again, senior officers and not the courts decide on the "authorisation".
The only time a warrant is necessary is if the police want to access communications in "real time" or want access to the "content data". However, even in these cases it is the Home Office and not the courts that authorises the warrant.
The system in the UK differs widely from that in jurisdictions with constitutional privacy protections and governments keen to uphold those traditions. There, the police must obtain judicial approval to access communications data in the same way as they must obtain a "search warrant" from the courts to enter someone's private dwelling.
Even under the notorious United States PATRIOT Act there is judicial oversight, albeit in the form of a special tribunal. Instead of "data retention", law enforcement in the US can only seek "preservation orders" for the communications of suspected individuals, obliging service providers to retain data on individuals that would normally be automatically deleted. This is clearly more proportionate in a democratic society than retaining everybody's communications records for long periods in case the police want to look at them.
The Anti-terrorism, Crime and Security Act 2001: data retention by the back door
Adopted in the aftermath of the 11 September bombings in the United States, ATCSA introduced a voluntary data retention scheme in the UK, allowing the Home Secretary to enter into formal agreements with individual service providers. The Bill was originally worded so that data retention could be used for the purposes of the prevention and investigation of crime in general, but was amended by a large majority in the House of Lords to change the purpose of retention to:
"(a) for the purpose of safeguarding national security; or
(b) for the purposes of prevention or detection of crime or the prosecution of offenders which may relate directly or indirectly to
national security (s.103(3), part 11)"
This suggests that data should only be accessed for limited purposes. However, because access to the data is governed by RIPA (as explained above), this restriction appears worthless in practice.
In "accepting" the amendment, the government constructed - apparently to legitimise retention for wider purposes - the entirely superfluous argument that it is not possible to separate the data that might be useful for national security purposes from the rest of the data.
"The amendment, in relation to part 11 therefore suggests that we should try to separate out those parts of data. As I tried to explain on a number of occasions, including last night, it is not possible to do that, but paradoxically, because it is not possible to do it, it is not reasonable to suggest that we should not do it. I am therefore prepared to accept the amendments that have been tabled. In order to be able to implement what they want, we will have to retain the data, so that it can be accessed to test out whether the intelligence services are right in believing that it is relevant in tackling terrorists. That is how stupid the Liberal Democrats are."
Lest there be any doubt, in the Spring of 2002, legal advice to the UK Information Commissioner said that the provisions of ATCSA made data retention lawful because parliament had judged it proportionate for national security reasons.
The Information Commissioner also advised that the uses of this data for anything other than "national security" matters would be unlawful under the Human Rights Act (Article 8 ECHR, the right to privacy). The problem, as we will see below, is that the system in place makes it unlikely that any such breaches will be detected.
From voluntary to mandatory data retention
Most large telecoms service providers were retaining their data for one year anyway and for all intents and purposes comply with the Home Office's voluntary code - the example of T-mobile is provided below. The situation is different for internet service providers (ISPs) and smaller companies.
But in case not enough service providers "volunteer", s.140 of ATCSA allows the Home Secretary, if s/he is so minded, to introduce a compulsory scheme. This, given the extent of the opposition to data retention from parliament, ISPs and civil society groups, would be an extremely controversial move. Adoption of the EU data retention legislation would therefore provide a fresh justification for the introduction of the compulsory scheme and - as currently drafted - allow the use of data for policing in general and not just national security (as requested by the UK parliament). As an EC Directive, the UK would have "no choice" but to implement it.
Mobile phones: direct law enforcement access for three months
Once data retention becomes both policy and practice, as is de facto the case for the big mobile phone operators, the key issue is the way in which law enforcement is able to access that data.
According to recent documents from T-mobile seen by Statewatch that company has an automated e-mail system that allows law enforcement agencies to retrieve subscriber and billing details by consulting the system directly - all they need is a mobile phone number. This process requires no human intervention from T-mobile staff: the system automatically generates spreadsheets showing the subscriber and billing information and sends them to the law enforcement e-mail address. Until recently the system generated data on the previous six months but this has now been reduced to three.
Already then, the police have direct access to the recent phone bills of at least T-mobile customers (though it can be assumed that other companies have introduced similar "gateways"). The data generated by the T-mobile system is basically what is detailed on mobile phone bills: the subscriber information (name, address etc); the date, time and duration of all voice, fax and data calls and SMS (text messages); and all the numbers that were called.
It can be recalled that RIPA allows police inspectors to "authorise" the direct access with no prior judicial approval or consultation of T-mobile staff to ensure that they are acting in accordance with RIPA, ATCSA, the DPA and other relevant statutes. It is very hard to see how the absence of any external control can be reconciled with the right to respect for privacy under Article 8 of the ECHR.
The European Court has ruled repeatedly that surveillance must be prescribed by law, holding that:
"powers of secret surveillance of citizens are tolerable under the Convention only in so far as strictly necessary for safeguarding the democratic institutions" (Rotaru v. Romania, §47, case 28341/95, judgment 4.5.00)
but there is little case-law on the question of supervision. The Court has ruled that judicial control of surveillance, at least in national security cases, is not absolutely necessary if an alternative system of control exists, but the situation described above - which concerns law enforcement rather than national security - suggests no control outside of the law enforcement agencies themselves.
Mobile phones: indirect access for law enforcement for 12 months
All the major mobile phone companies collect traffic data from their "cell" sites. These are the mobile phone masts resisted by many local communities and hidden in telephone boxes and on tower blocks. When you make a call with your mobile it is routed through the cell site to which your phone is connected.
For several years, all the major mobile telecommunications companies have been storing the data from their cell sites in central databases for twelve months. These databases were set up for two reasons: firstly, to allow "inter-operator" billing and secondly, to combat massive fraud in the telecommunications sector from high-tech scams.
The S22 notices issued to service providers under RIPA mean that law enforcement has access to this data too. Again, it can be recalled that there is no judicial oversight and that the S22 must simply be approved by ranking officers.
The cell site or "switching" databases enable law enforcement to paint a bigger picture of the user, adding the location of the first and last cell sites used by each call. Each cell site has a dedicated number attached to a national grid reference and an address, and each site also records which "aerial sector" was used. In urban areas, cell sites typically cover around 500 metres. Add to this the bearing (direction) of the aerial sector that was used and it is possible to derive a fairly accurate picture of someone's location and - depending on how many calls they make - their movements. However, because mobile phone technology works on the basis of cell switching and signal strength (allowing customers to continue talking while moving through an area), a call may start and finish on different cell sites even if the caller was stationary throughout the call, so the location data is far from exact. The recently established UK Forensic Telecommunications Service claims to "lead the world" in this kind of analysis.
Computer modelling by the mobile phone companies themselves, based on the power and characteristics of individual and adjacent cell site transmitters and the local topography, is able to provide "best server plots" and a far more accurate indication of an individual's location. The use of "real-time" location data requires a warrant from the Home Secretary and also requires direct assistance from service providers (though direct access might obviously be provided in future).
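As an added illustration of how much location information the retained cell site records described above disclose, and why a call that switches sites widens the uncertainty even for a stationary caller: this is constructed example code, not from the Statewatch article or any operator's system. The site identifiers, grid coordinates and call records are invented, and the three-sector, 120-degree aerial layout is an assumption.

```python
import math

# Constructed cell site register: hypothetical site id -> (easting, northing) in metres
# on a national-grid style coordinate system. Real registers also carry an address.
CELL_SITES = {
    "C1001": (530000.0, 180000.0),
    "C1002": (530800.0, 180300.0),
}
# Assumption: three aerial sectors per site, each 120 degrees wide, with these
# centre bearings measured clockwise from grid north.
SECTOR_CENTRE_BEARING = {"A": 0.0, "B": 120.0, "C": 240.0}
SECTOR_WIDTH_DEG = 120.0
CELL_RADIUS_M = 500.0  # typical urban coverage quoted in the article


def sector_centroid(site_id, sector):
    """Approximate the handset position as the centroid of the wedge served by one sector.

    The centroid of a circular sector of radius r and half-angle a (radians) lies at
    distance 2*r*sin(a) / (3*a) from the apex along the sector's centre bearing.
    """
    e, n = CELL_SITES[site_id]
    half = math.radians(SECTOR_WIDTH_DEG / 2)
    d = (2 * CELL_RADIUS_M * math.sin(half)) / (3 * half)
    b = math.radians(SECTOR_CENTRE_BEARING[sector])
    # Bearing is clockwise from north, so east = sin(b), north = cos(b).
    return (e + d * math.sin(b), n + d * math.cos(b))


def locate_call(start_site, start_sector, end_site, end_sector):
    """Return (easting, northing, uncertainty_m) for one call record.

    Same sector at start and end: the caller is somewhere in that wedge, so the
    uncertainty is the cell radius. Different sites or sectors: the caller may have
    moved, or may have been handed over while stationary, so the estimate is the
    midpoint of the two wedges and the uncertainty grows with their separation.
    """
    p1 = sector_centroid(start_site, start_sector)
    p2 = sector_centroid(end_site, end_sector)
    if (start_site, start_sector) == (end_site, end_sector):
        return (p1[0], p1[1], CELL_RADIUS_M)
    mid = ((p1[0] + p2[0]) / 2, (p1[1] + p2[1]) / 2)
    return (mid[0], mid[1], math.dist(p1, p2) / 2 + CELL_RADIUS_M)


def movement_track(records):
    """Turn a list of constructed call records (time, start_site, start_sector,
    end_site, end_sector) into a time-ordered track of location estimates."""
    rows = []
    for t, ss, sx, es, ex in sorted(records, key=lambda r: r[0]):
        e, n, unc = locate_call(ss, sx, es, ex)
        rows.append((t, round(e, 1), round(n, 1), round(unc, 1)))
    return rows


# Constructed sample records, as a switching database might hold them.
SAMPLE_CALLS = [
    ("09:15", "C1001", "A", "C1001", "A"),  # stayed on one sector
    ("09:40", "C1001", "A", "C1002", "A"),  # handed over between sites
]
```

Running `movement_track(SAMPLE_CALLS)` shows the second call carrying a much larger uncertainty radius than the first, which is the imprecision the article notes.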
Implications for mandatory data retention in the EU
The most alarming thing about the current situation is the way in which UK law enforcement can already directly access mobile phone records without judicial or even third-party oversight. The extension of data retention to all communications service providers including internet and e-mail therefore has serious implications as the trend suggested is one of direct ("gateway") access. For this reason, as pointed out in Statewatch's analysis of the EU proposals, it is astonishing that the European Parliament is being asked to adopt the proposal on mandatory retention before it has even seen the proposal on access to the data.
This point is crucial because the emerging framework for EU police cooperation means that the extensive UK powers of access to communications records have significant cross-border implications.
One scenario is that police in one country have already obtained communications records on a suspect individual - these could simply be forwarded (by e-mail) to another member state with no further judicial oversight under the EU Mutual Legal Assistance Convention of 2000. This Convention provides for the "spontaneous" exchange of information in connection with any criminal offence in the state receiving the data and encourages states to cooperate with one another as widely as possible. A point that Statewatch has made time-and-time again is that once police data crosses borders it is extremely difficult for affected individuals to assert their data protection rights or to prevent onward exchange to third countries or agencies.
The draft legislation on the European Evidence Warrant (EEW) itself warrants a stark reappraisal of the EU's proposed data retention regime. This proposes to - like the European Arrest Warrant (EAW) - abolish "dual criminality" (requiring an equivalence test for the gravity of the offence in question) for an almost exhaustive list of 32 broadly defined crimes. As with the EAW, the EEW will simply apply the law of the requesting state across the EU - the principle is that a search warrant (for example) issued by the (judicial) authorities in one member state will be enforced in all the others. Because the EEW may be issued for anything that already exists, including computer data, the law of the requesting state is thus crucial.
EEWs will be served directly by the issuing judicial authority in one state to the authority competent to enforce them in another (police, customs etc.). Does the UK simply intend to append S22 authorisations under RIPA to the EEW form and serve them directly on police forces in other countries? Since there is no judicial oversight whatsoever of law enforcement access to communications records in the UK, the best protection that individuals in other countries can apparently hope for is that EEWs issued by the UK might be rubber stamped by the Home Office.
At a time when the UK is using its EU presidency to rush data retention through the legislative process in the name of the investigation and prevention of crime it really is time for reflection. This reflection starts with the fact that the large telecoms companies are already retaining call records for one year and it is inconceivable they are not making them available to the police and security services in the wake of appalling events like those in Madrid and London.
But is data retention necessary to prevent acts of terrorism? As Statewatch has suggested on various occasions, the police and security services have all the powers they need to place suspected terrorists under sustained, "real-time" surveillance and in the wake of any credible intelligence it must be hoped that this exactly what they are doing. And again, when credible terrorist suspects are identified we can be certain that expedited access to the previous year's call records is granted as a matter of course.
The argument that data retention is necessary to allow law enforcement access to suspects' internet records is also a spurious one because law enforcement already can and do obtain wide-ranging interception and preservation orders. The Council of Europe "Cybercrime" Convention was designed for exactly this purpose and there has been no suggestion that any further powers are needed.
Data retention is not about "intelligence-led" policing or counter-terrorism, it is about "fishing expeditions", "risk analysis" and wholesale surveillance of the internet. This must be situated in the context of the broader law enforcement trend toward "guilt by association" and "suspicion by profile" (what has been called "guilt by google").
Ben Hayes of Statewatch comments:
"There are a number of fundamental objections to mandatory data retention that arise from our understanding of democracy and human rights. It should also be understood that a policy of data retention - based on the principle of direct, unrestricted and unregulated law enforcement access - will fundamentally distort the way in which we are policed and the nature of the society in which we live."
Filed 3 November 2005
© Statewatch ISSN 1756-851X.