Be Very Afraid! In this mini-interview Simon gives a quick introduction to the Communications Data Bill, recently introduced to the UK Parliament, which proposes to establish a nation-wide database of all citizens' text and email communications, and explains the problems with the proposals, notably the lack of judicial oversight and the massive potential for mission creep.
doubi: We're here at OggCamp 2012 at John Moores University in Liverpool and I'm here with Simon Phipps who's going to be giving a talk tomorrow on behalf of the Open Rights Group. Simon, what will your talk be about?
Simon Phipps: I'm going to be talking about the Communications Data Bill, which is a piece of legislation that's just about to go through Parliament, and has very worrying consequences for people's civil liberties on the internet.
doubi: Right, "Communications Data" maybe doesn't sound like it's to do with people's civil liberties, so what's it all about?
Simon: Well, this is a Bill that solves a problem for the security services in the UK, in particular the secret service that we have over here, and the police forces. They're very worried that they can't see what's going on inside your email, and inside your text messaging, and inside your other online communications.
They have for a long time been trying to get a succession of governments to put into law rules that allow them to snoop on all of your communications. They tried to do it under [the previous Labour Party government], and it didn't quite work out because there was an outcry in civil society about it, and it's now happening under the Tories and Liberal Democrats. So this is not a partisan issue at all. This is an activity that is arising out of the Cheltenham data centre that is used by the intelligence services and arising out of the police forces, who are all very worried that they can't read your email.
doubi: Now, I've heard a little bit about this and I've heard it pitched in terms of, "This is the security services just trying to keep up with changing technology." What do you say to that, because obviously people are using different forms of communication now; is there anything legitimate in the security services needing to "keep up" with that?
Simon: I think it's legitimate for them to need to "keep up" but that is not a good excuse for them to do what they're doing here, because what they're doing is creating a right to ask every internet service provider to keep, for twelve months, all of your traffic on the internet, so they can analyse it off-line. That gives them plenty of time to crack SSH, to crack SSL keys, to crack any encryption that's going on.
The big problem is that this right is being created fresh, it's being created without any right for you to know that it's happening, it's being created without any judicial oversight, so that the police can just decide to ask for your material to be created. It's also being created in such a way that should the police choose to they could create a central database of all this information that could then be casually searched.
By "casually searched", I mean it could be searched, for example, by organisations enforcing family law disputes, organisations enforcing defaults on mortgage payments, organisations who are looking into whether you have renewed the MOT [annual road-worthiness test] on your car. All of those would be the sort of excuses to go dipping in on a fishing expedition on your personal data.
So what's being proposed is not just keeping up to date with technology, it's going way, way, way beyond any scope for keeping up, and it's creating for the first time a database of citizen communications that can then in the future be fished-into arbitrarily, without notification, without recourse and without judicial oversight.
doubi: It might sound to people like some of the examples you gave about the misuse of such a database are hypothetical or facetious, but already if people were to go to the Open Rights Group website, openrightsgroup.org, on the wiki there are documented examples of how local councils, both individuals and in an official capacity, are already abusing some of these databases that are intended for much more serious purposes and are ostensibly there to save us from real threats [NB: This is inaccurate; please see footnote].
Simon: When these things get started, they're always packed in guarantees that nobody will do anything bad with your data. The CDB is no different: all of the padding around it says, "Trust us to create this database of communications, because look at all these protections we're putting around it to prevent abuse." Now what we know is that once you've created a resource, mission creep in the future will change the way that it's used.
Take for example the congestion charge cameras in London. All around London now there are number-plate [license-plate] recognition cameras that were put there only to collect congestion charges. But as time has gone by, people have found other, extremely legitimate uses for them: to prevent terrorism, to enforce laws. And now they are part of a network that the police can routinely use to identify the location of any vehicle in central London. That wasn't what the cameras were put there for, and when they were set up we were told that wasn't going to happen.
I look at the CDB and I believe it's exactly the same thing. The thing that's wrong with the Communications Data Bill is not the uses to which the authorities will put the data, it is creating the repository of data in the first place.
doubi: Absolutely. And I think together with the lack of judicial oversight which you already mentioned, those are the really scary aspects about this. What can people do at this stage?
Simon: Well, at the lowest level what people can do is join the Open Rights Group. The Open Rights Group is an organisation which is funded largely from the membership fees of its members. You can visit openrightsgroup.org and sign up, set up a standing order to pay as little as £5 a month, that will help to pay for professional researchers to understand all these highly complex laws, and then go and engage on your behalf, to make sure that the bad things don't happen.
If you're more motivated than that, than just joining, you could get involved with a local chapter of the Open Rights Group. There are local chapters all over the UK, where you can meet with other like-minded people and take local action: talking with MPs, talking with local radio stations, talking with local newspapers, and making sure that the digital rights agenda of the individual citizen has as loud a voice as the media lobby is able to bring to corporate concerns.
doubi: Sounds great. Simon, thank you very much; do you want to give your vital statistics, where to find you on the web?
Simon: I do all sorts of things on the web. They are all locatable from my website webmink.com.
doubi: Thank you very much, looking forward to your presentation tomorrow, and enjoy OggCamp!
Simon: Thank you very much.
NB: I was quite wrong about the ORG wiki. There isn't a page about concerted abuses of centralised data repositories as such; what there is is the UK Privacy Debacles page, which lists (worryingly numerous) examples of companies and public bodies accidentally losing or releasing data. There's only one example of malicious abuse by an individual.
However, these examples of organisational incompetence to deal with data in themselves give an independent reason why the data store proposed by the CDB is a bad idea. Secondly, the examples of misuse of investigative resources and powers have been well documented elsewhere.