Peers slam draft data-snooping bill as ‘overkill’

A committee has also said that the financial benefits of the bill are ‘fanciful’ and ‘misleading’

A joint parliamentary committee investigating the Draft Communications Data Bill has described the current proposed legislation as 'overkill' and said that the Home Secretary shouldn't be given sweeping powers that would trample on UK citizens' privacy.

The Draft Communications Data Bill, which was put forward in June, would give police access to communications data for the purposes of tackling serious crime.

Communications data includes information such as which websites individuals have visited, and who they have emailed, but not the actual content of exchanges. The government wants to update existing data laws to enable police to access communications data generated by new technologies such as VoIP (voice over IP) service Skype.

The Draft Bill also plans to require communication service providers, when requested to do so, to retain and store communications records that they might not already keep.

Many companies and experts have heavily criticised the Bill, claiming it is 'daft' and that 'far too much discretion' would be given to the Home Secretary.

The joint committee's recommendations, which are released today, urge the government to amend the proposals so that fewer public authorities would have access to communications data, and to include in the Bill new definitions of communications data that are narrower in scope and draw a clearer line between data and content.

"There needs to be some substantial re-writing of the Bill before it is brought before Parliament as we feel that there is a case for legislation, but only if it strikes a better balance between the needs of law enforcement and other agencies and the right to privacy," said Lord Blencathra, Chair of the Joint Committee.

"There is a fine but crucial line between allowing our law enforcement and security agencies access to the information they need to protect the country and allowing our citizens to go about their daily business without a fear, however unjustified, that the state is monitoring their every move."

He added: "Whilst the Joint Committee realise that there are specific data types which are not currently available, and which would aid the work of law enforcement bodies and the security services, we are very concerned at how wide the scope of the Bill is in its current form."

Other recommendations in the report include establishing a centralised service that acts as an internal authorisation process for accessing communications data, as well as making 'wilful or reckless' misuse of communications data a specific offence that is punishable by a prison term.

"We can see only three types of data that are not currently being collected which we know could aid the work of law enforcement and other agencies: data matching IP addresses to specific users, data showing which internet services a user has accessed and data from overseas communications providers providing services in the UK," said Lord Blencathra.

"The breadth of the draft Bill as it stands appears to be overkill and is much wider than the specific needs identified by the law enforcement agencies. We urge the Government to reconsider its zeal to future-proof legislation and concentrate on getting the immediate necessities right."

He added: "We are confident that the safeguards already in the draft Bill, together with our recommendations to strengthen those safeguards, will do just that."

However, despite recommending a narrower scope when legislating, the Lords report also says that 'depending on how the communications world develops', the Home Office may need broader powers in the future.

The report claims that 'parliament and government both need to accept that legislation that covers the internet and other modern technologies may need revisiting and updating regularly'. It says that the committee has considered ways in which the Secretary of State might be given powers in the future to allow her to address 'new and significant gaps if and when they emerge'.

Its initial thoughts are that if information outside the scope of the Bill were required, this could be handled either by primary legislation on each occasion or by a power to amend the Bill by order, which would be 'subject to a super-affirmative procedure, which would guarantee fuller Parliamentary consideration than a standard affirmative order'.

With regard to security, the committee is satisfied with the proposed safeguards to protect against the abuse of data or inadvertent error by public authorities, but also acknowledges that storing web log data, however securely, carries the possible risk that it may be hacked into or may fall into the wrong hands. It claims that 'potentially damaging inferences about people's interests or activities could be drawn' if this were to happen.

Finally, the committee highlights that it is 'concerned' with the government's financial cost/benefit analysis. The Home Office's impact assessment estimates the benefits from the draft Bill in the ten years to 2020/21 to be between £5 billion and £6.2 billion, with a cost estimate of £1.8 billion. This would give government a net benefit of between £3.2 billion and £4.4 billion.

However, the report slams the estimates for not being robust and for having been prepared without consultation with the telecommunications industry. They also project forward 10 years to a time when the communications landscape may be very different, it says.

"Given successive governments' poor records of bringing IT projects in on budget, and the general lack of detail about how the powers under the Bill will be used, there is reasonable fear that this legislation will cost considerably more than the current estimates," says the report.

"The figure for estimated benefits is even less reliable than that for costs, and the estimated net figure is fanciful and misleading. It ought not be used to influence parliament in deciding on the relative advantages and disadvantages of legislation."

It continues: "Whatever the benefits of the Bill, they are unlikely to be financial."
