15 September 2003. Add Home Office response.

15 September 2003. Thanks to Anonymous, the two draft statutory instruments:

The Regulation of Investigatory Powers (Communications Data) Order 2003

http://cryptome.org/RIP-2003-1.doc (10 pages, 73KB)

The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) Order 2003

http://cryptome.org/RIP-2003-2.doc  (11 pages, 83KB)


FIPR Press Release - Home Office snooping plans are almost unchanged

FOR IMMEDIATE USE : 15 September 2003

In June 2002 the Home Office backed down in the face of the outrage that greeted their totally disproportionate proposals for access to communications data (records of email senders and receivers, phone numbers called or web pages visited). Last week they gave the impression of a change of heart, yet closer examination of the detail of their proposals shows that their plans are almost entirely unchanged.

The Home Office have also been hinting at criminal penalties for misuse of communications data, extra scrutiny of the new bodies by the Interception Commissioner and a scheme to prevent authorities from continuing to use their existing powers under so-called "legacy legislation". The Draft Regulations laid before Parliament last Friday contain none of these measures.

The new Regulations do contain significantly more detail than has ever been provided before. Previously, for example, the whole of the Department of the Environment, Food and Rural Affairs (DEFRA) was listed and now it is made clear that only three investigative branches are to be authorised. They also exclude access to mobile phone location data for some of these organisations.

However, careful analysis of the schedules of agencies that are to be authorised shows that only one of the 24 categories of bodies that were to be given access to data in 2002 has been dropped from the Government's list. That body was the Department of Work and Pensions, which has its own legacy legislation to allow access to Benefit Fraud investigators. In fact, far from the Home Office restricting the bodies that might access data, three new ones (the Charity Commission, the Serious Fraud Office and the Gaming Board for Great Britain) have been added to the list.

Ian Brown, Director of FIPR, commented: "The Home Office have failed to understand that it is unacceptable for government officials to authorise themselves to snoop on who we have been calling or which websites we have been looking at. Even where crimes are serious enough for this to be justified, it is vital to have a proper oversight routine and criminal penalties for those who misuse their powers."

He continued: "They are resurrecting, and indeed extending, the same proposals that were rejected last year. The 'spin' is that this is a new approach, but the Home Office have delivered none of the safeguards they have been hinting at. Underneath the paint job is the same ugly scheme."


From: Watkin Simon <Simon.Watkin@homeoffice.gsi.gov.uk>
To: bulletin@admin.fipr.org, "'ukcrypto@chiark.greenend.org.uk'" <ukcrypto@chiark.greenend.org.uk>
Subject: RE: FIPR on RIP SIs
Date: Mon, 15 Sep 2003 17:35:47 +0100

> From: Ian Brown [mailto:ian@fipr.org]
> Sent: 15 September 2003 09:41
>
> FIPR Press Release - Home Office snooping plans are almost unchanged
>
> In June 2002 the Home Office backed down in the face of the outrage that
> greeted their totally disproportionate proposals for access to
> communications data (records of email senders and receivers,
> phone numbers called or web pages visited). Last week they gave the
> impression of a change of heart, yet closer examination of the detail of their
> proposals shows that their plans are almost entirely unchanged.

The new Order:

> The Home Office have also been hinting at criminal penalties
> for misuse of communications data, extra scrutiny of the new bodies by the
> Interception Commissioner and a scheme to prevent authorities from
> continuing to use their existing powers under so-called "legacy
> legislation". The Draft Regulations laid before Parliament last Friday
> contain none of these measures.

Quite right.  That's because secondary legislation can only do what the piece of primary legislation says an Order can do.  The Order can add authorities, because RIPA s. 25(1)(g) says it can (or delete them, 25(4)), can designate who may authorise access, because s. 25(2) says so, and can restrict access by data type or by designated person, because s. 25(3) says so.  The RIPA Order cannot, and never could have done anything else - other than add purposes 22(2)(h), which as the consultation paper indicated we have no intention of doing.

We will continue to "hint" at criminal penalties for abuse of powers.  It is a point that has been well made, is understood, and is applicable in a range of circumstances beyond acquisition of communications data.  However the new RIPA Order cannot provide for it.  We will want to work up proposals in the wider context of work on privacy and data-sharing.

We want to provide for extra prior scrutiny by the Interception of Communications Commissioner of certain requirements for access to communications data but, as we made clear in the consultation paper, "it would not be statutory".

The legacy legislation point cannot be covered in the new RIPA Order.  In the summary of consultation responses we wrote "There were 26 respondents who called either for the repeal of so-called "legacy" legislation, which public authorities use to lawfully acquire communications data or called for public authorities not to use pre-existing legislation once the RIPA legislation comes into force.  Repeal of legislation is not straightforward. The powers being used are usually information-gathering powers used to lawfully obtain information, of which communications data is a part and often a small part."  Public authorities with access to communications data under RIPA know full well they should, once RIPA is in force, use only RIPA to acquire communications data.  In any event the communications service industry will resist the use of other non-specific information gathering legislation.

> The new Regulations do contain significantly more detail than has ever
> been provided before. Previously, for example, the whole of the
> Department of the Environment, Food and Rural Affairs (DEFRA)
> was listed and now it is made clear that only three investigative branches are to
> be authorised.

We would have gone on to say that last summer, as those of you familiar with the "mysterious second Order" will have read.

> They also exclude access to mobile phone location data
> for some of these organisations.

Not some.  Most.  And that, we acknowledged in the consultation paper, was not on the cards last summer.  Last summer we were giving all authorities access to all data.  Not so now.

> However, careful analysis of the schedules of agencies that are to be
> authorised shows that only one of the 24 categories of bodies
> that were to be given access to data in 2002 has been dropped from the
> Government's list. That body was the Department of Work and Pensions,
> which has its own legacy legislation to allow access to Benefit Fraud
> investigators.

We explained in the consultation paper why we believe all the various bodies have necessary and proportionate requirements to acquire communications data.  We would have liked to have included the DWP within the RIPA regime. Of course, it doesn't have "legacy" legislation.  It has post-RIPA legislation and a code of practice approved by Parliament just two years ago.

> In fact, far from the Home Office restricting
> the bodies that might access data, three new ones (the Charity Commission, the
> Serious Fraud Office and the Gaming Board for Great Britain) have been
> added to the list.

Plus the Police Ombudsman for Northern Ireland.  They all have functions to investigate certain criminal conduct, all have information gathering legislation and all have used it to acquire communications data.  Their pre-HRA legislation requires no explicit consideration of human rights principles and is not subject to any independent oversight.  They are accessing data now without any regulation.  We believe their acquisition of communications data should be regulated under RIPA - and so do those authorities. 

> Ian Brown, Director of FIPR, commented: "The Home Office have
> failed to understand that it is unacceptable for government officials
> to authorise themselves to snoop on who we have been calling

Of course that rather depends on which "we" you mean.  I take it to be "we" who are encompassed within a public authority's activities that are related directly to a purpose for which the RIPA powers can be used and that use of powers is both necessary and proportionate.

> or which websites we have been looking at.

I really don't think you can say we have failed to understand the sensitivity around web logs or mobile phone location, or failed to address that concern.

> Even where crimes are serious enough for this to
> be justified, it is vital to have a proper oversight routine and
> criminal penalties for those who misuse their powers."

There will be oversight (and questions about whether the level of that oversight is "proper") and there are penalties (and questions about whether the penalties in the Data Protection Act are "appropriate").  Oversight and penalties will be under scrutiny.  We realise that.

> He continued: "They are resurrecting, and indeed extending, the same
> proposals that were rejected last year. The 'spin' is that
> this is a new approach, but the Home Office have delivered none of the
> safeguards they have been hinting at. Underneath the paint job is the same
> ugly scheme."

Try telling that to trading standards officers and environmental health officers who, under our new proposals, will no longer have the access to traffic data they presently "enjoy".

Simon Watkin