Last updated: 
3 weeks 6 days ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Communications Data Bill - What changes for Networks?

Tuesday, June 19, 2012 - 08:30

A first look at Part 1 of the Government’s draft Communications Data Bill seems to confirm predictions that it would represent a significant change for network operators. Formally the Bill would replace both Part 11 of the Anti-Terrorism, Crime and Security Act 2001 (ATCSA - the original, voluntary, data retention provisions) and Part 1 Chapter 2 of the Regulation of Investigatory Powers Act 2000 (RIPA - which allows law enforcement and others to obtain information about communications), but leaves in force the Data Retention (EC Directive) Regulations 2009 (which transposed a European Directive requiring public network providers to retain specified information about communications made using their systems).

Potentially the biggest change is that while the current data retention provisions only apply to “public communications providers” (Reg.4), the data retention powers under the Bill would cover “telecommunications providers”, which appears to be defined in clause 28 in a way that includes all networks, including private networks in businesses, organisations and homes. Unfortunately it’s impossible to know whether all those extra networks will actually have to do anything different because, like a lot of the Bill, who is actually required to comply will depend on what is in the Orders that the Secretary of State may make under clause 1.

The same applies to what information those networks are required to collect: unlike the current Data Retention Regulations, which list the required information in a schedule (derived from the original Directive), the Bill has that being specified by subsequent Orders. The notes accompanying the Bill do indicate one highly significant change, however. At the moment public networks may be required (or, under ATCSA may choose) to keep for longer the information about use of their own e-mail and telephony services that is “generated or processed in the United Kingdom by public communications providers in the process of supplying the communications services concerned” (reg.3). In other words, you can’t be required to collect data that you don’t already have. Note 19 explaining the Bill states that Orders will be able to require in addition the collection of data about “services of overseas providers used by people in this country but which the system provider currently has no business to retain” (in fact, as far as I can see, the wording of the Bill doesn’t actually restrict it to “overseas” providers). The introduction suggests that this would include "voice over internet, online gaming and instant messaging". So any network could be ordered to collect information about all the communications or phone calls its users may make using any webmail, instant messaging or internet telephony service or inside any on-line game.

That seems like a huge technical challenge for two reasons. Most obviously, an increasing number of those applications now use encrypted communications for the vital purpose of protecting usernames, passwords, credit card numbers and other sensitive information. The whole point of encryption is to prevent the network operator, indeed anyone other than the user and the service, from being able to see that information. And, even for unencrypted traffic, the protocols used by services for webmail, instant messaging, etc. can change at any time and the collection system would somehow have to change to match. There’s also a legal difficulty, in that these powers can only lawfully be used to collect data about communications which, as the introduction to the draft Bill stresses, is very different in law from the content of those communications. But at the technical level there may be no difference at all: if you were to happen to tweet “RT: blog posting by @Janet_LegReg on #CCDP”, your network provider would see an undifferentiated string of ASCII characters. Any system that wants to extract the fact that that’s a reply to me (presumably the sort of communications data that would be of interest) is going to have to read and process each one of those bytes. Emma Byrne has a more detailed discussion of this issue

The Bill does require the Secretary of State to consult with Ofcom, the Technical Advisory Board established under RIPA, and those likely to be required to comply with the Order; however it seems to be the Secretary of State who has the final decision on what the Order says. According to clause 29(2) Orders can only come into force if voted for by both Houses of Parliament (though they can't amend them), but it seems optimistic to rely on Peers and MPs to understand the issues of protocols and network topology that will determine when a proposal is technically infeasible or massively onerous.

[UPDATE: Francis Davey has a detailed analysis of the legal provisions]