Draft Communications Data Bill - Draft Communications Data Bill Joint Committee

1  History and Background

Historical background

1.  There is nothing new about the use of communications data by the police and other law enforcement agencies and by the intelligence and security services. Since letters were sent and since the first records of telephone calls began to be kept, knowledge of who wrote or spoke to whom, when and how they wrote or spoke, and where they were when they did so—communications data—has been an important tool in the prevention, detection, investigation and prosecution of crime and of threats to the safety of the state. Knowledge of what people wrote or said—the content of communications—has also been valuable but, as we explain more fully later, that has been regulated entirely differently, and access to the content of communications is outside the scope of the legislation we are considering. It is not, however, beyond the scope of this report. As we explain in Chapter 5, though the distinction between communications data and content is theoretically clear, it may often be possible to draw from communications data inferences which give strong indications and which are evidentially acceptable of the probable nature and purposes of content. One of the more intractable problems we have had to consider is whether and if so how legislation can or should distinguish and proscribe access to data from which such inferences can convincingly be drawn.

2.  During the last century there was virtually no statutory regulation or control of the persons who could obtain communications data and the uses to which it could be put except for the provisions of the Data Protection Acts 1984 and 1998 which dealt with the processing and protection of personal data, and some general information powers in various other Acts, which permitted a few public authorities to access documents.[1] Perhaps because postal and telecommunications services were originally provided by a state-owned monopoly (the Post Office), interception of all types (including access to communications data) was carried out under the Royal Prerogative with oversight by the Judges' Rules. The only practical limitation, from an investigator's perspective, was that it was not always easy for those wishing to access data to know if the data was there to be accessed, and if so, how to access it. They relied usually on the goodwill and cooperation of the telecommunications companies holding the data; short of a court order for the production of evidence, there were only limited powers to compel the companies to disclose whether they had any relevant data and, if they had, to disclose the data itself. Section 45 of the Telecommunications Act 1984 provided that the disclosure of communications data by a person running a public telecommunications system was prima facie an offence. It was, however, permissible to make a disclosure for the prevention or detection of crime or for the purposes of any criminal proceedings, in the interests of national security or in pursuance of a court order. Section 94 of the 1984 Act enables the Secretary of State to issue directions to telecommunications operators in the interests of national security.[2]

3.  In 2000 the Regulation of Investigatory Powers Act (RIPA) was passed. Chapter II of Part I of the Act—sections 21 to 25—for the first time attempted to regulate who could access communications data, what classes of data they could access, for what purposes, and subject to what controls. This chapter came into force on 5 January 2004[3] and is the principal law which currently governs access to communications data. The chapter does not regulate what data must be retained, dealing only with acquisition and disclosure. Importantly, the only data available to be accessed is the data retained by the Communication Service Providers (CSPs) for their own purposes. These provisions impose on them no obligation to retain data they do not need, or to retain it for longer than they need it. A voluntary Code of Practice was introduced in 2003 with telecommunications operators being asked to retain information on a voluntary basis on the understanding that they would be reimbursed for the additional costs incurred.

4.  At the same time there were important developments on the European front. In April 2004 the United Kingdom was one of four Member States of the EU which put forward a proposal for the mandatory retention of data on communications networks for combating crime. This initiative was superseded in September 2005 by a Commission proposal for a Directive which would have the same effect. The United Kingdom then had the Presidency of the EU and, following the London bombings in July 2005, pressed ahead with the proposals. A general approach was agreed in December 2005, and the Directive was adopted on 15 March 2006.[4] This Data Retention Directive (DRD) had to be transposed into national law within 18 months, and the United Kingdom did so by Regulations which came into force on 1 October 2007.[5] These however applied only to fixed network and mobile phones; the Government postponed implementation with respect to "the retention of communications data relating to internet access, internet telephony and internet email". This was generally welcomed by providers, as the provisions relating to fixed network and mobile phones were far easier to implement than those relating to internet access, internet telephony and internet email.

5.  In May 2008 the previous Government announced plans for legislation which would have required communications data to be stored for a year in a purpose-built database. The proposal would also have completed the implementation of the DRD in the United Kingdom. These plans were strongly criticised however, not least by the Information Commissioner. The Government withdrew the proposal, and instead completed the implementation of the DRD by new Regulations[6] which superseded and revoked the earlier Regulations. The 2009 Regulations are those now in force. They require CSPs notified by the Secretary of State to retain the categories of communications data specified in the Schedule for 12 months. Access to the data is governed by RIPA.

6.  In April 2009 the Government put out to consultation a revised plan[7] in which they suggested that there were three possible approaches. The first was the previous proposal of a centralised database, which they said that they did not intend to pursue. The second was "doing nothing"; they said that they would be failing in their duty to protect the public if they "allowed the capability of public authorities to use communications data to degrade." Doing nothing was therefore in their view not an option. This, they said, left "a range of 'middle way' options" on which they were consulting. In fact only one option was put forward: legislation to compel CSPs based in the United Kingdom to collect and keep all data public authorities might need, including third party data crossing their networks, and to make all this data accessible on a case-by-case basis to public authorities "subject to the same rigorous safeguards that are now in place." An additional proposal—scarcely an alternative—was to address "the problem of fragmentation" by requiring CSPs not only to collect and store the data but to match third party data to their own data where it had features in common. The only choice for those who supported the middle way was therefore whether or not the compulsory retention and availability of data should be supplemented by requiring CSPs to process the data.

7.  An analysis of the replies to this consultation paper was published six months later.[8] On the all-important question "Do you support the Government's approach to maintaining our capabilities? Which of the solutions should it adopt?" the Home Office said that 29% of respondents replied Yes, and 38% No—presumably to the first part of the question, since the second is hardly susceptible of a Yes or No answer. The Information Commissioner supported the approach on the basis that he was glad that the Government had abandoned the idea of a single database, but he remained concerned "that the case has yet to be made for the collection and processing of additional communications data for the population as a whole being relevant and not excessive". The Home Office cited this as him replying both "yes" and "no" to the same consultation question.

8.  No legislation was proposed before the 2010 general election. The Coalition Agreement, published in May 2010, stated that "We will end the storage of internet and email records without good reason".[9] The Government took no action in the first session, but the 2012 Queen's Speech announced a draft Communications Data Bill. This was presented to both Houses on 14 June 2012.[10] This Joint Committee was constituted on 28 June 2012 with a remit to consider the draft Bill and report to both Houses by 30 November 2012.

The current position

9.  The annual report of the Interception of Communications Commissioner (IoCC) for 2011 states that in that year 494,078 requests were made for access to communications data. We explain in the following chapter how this figure should be interpreted. On any view it is a major encroachment into individual privacy, but it is far from being the only one, and should be considered in context.

BOX 1: Other examples of intrusion into individual privacy

Cheshire Constabulary estimated that in 2011 there were 1.85 million CCTV cameras in the United Kingdom, 1.7 million of which were privately owned. The quality of the images has greatly improved.[11] In 2008 Transport for London alone had over 10,000 CCTV cameras on its rail network, and all its 8,000 buses have CCTV cameras.

The National Policing Improvement Agency operates a national DNA database, which is one of the world's largest, with profiles on an estimated 5,570,284 individuals as of 31 March 2012.[12] It also operates a national automated number plate recognition system, which by March 2011 was receiving 15 million sightings daily, with over 11 billion vehicle sightings stored.[13] In April 2010 the national fingerprint database contained the prints of 8.3m individuals.[14]

The ELMER database, kept by the Serious Organised Crime Agency (SOCA), includes over 1.5m suspicious activity reports submitted by banks, lawyers, insurance companies etc to combat money laundering.[15]

The National Pupil Database holds information on children in schools in England. It includes detailed information about pupils (pre-school, primary, secondary and further education), their test and exam results, prior attainment and progression for all state schools in England. Attainment data is also held for pupils and students in non-maintained special schools, sixth form and Further Education colleges and (where available) independent schools. The National Pupil Database includes information about the characteristics of pupils in the state sector and non-maintained special schools such as gender, ethnicity, first language, eligibility for free school meals, information about special educational needs, as well as detailed information about pupil absence and exclusions.

Mobile phones not only produce data relating to calls, short message service (SMS) messages and general packet radio service (GPRS) connections but they also leave a detailed trail of information relating to users' locations. CSPs know roughly which cell site each phone is connected to at any given time when the phone is switched on. They keep records of the actual cell sites used when communications are sent to and from the phone. This cell site may not be the site which is nearest to the phone, but it will be the site that sends the strongest signal to the phone. This location data can be used, when a phone is in constant use (for example if data is constantly being "pushed" to the phone) to create a map of approximately where that phone was moment by moment. In areas saturated with cell sites this data can suggest locations to within a 50 metre radius. In sparsely populated areas, however, cell sites may connect with phones that are 25 kilometres away.

10.  The reason for all this intrusion is not simply curiosity, or a desire by the authorities unreasonably to investigate individuals' private lives; though from many of the comments we have read this appears to be the view of a section of the public. The reason is that communications data is an invaluable weapon in the defence of national security and in the fight against crime—especially terrorism and other serious crimes. The intelligence and security services and the police are far and away the main users of communications data. There are not infrequently high profile cases where the importance of communications data to an investigation is clear to all.

BOX 2: Examples of the use of communications data in fighting terrorism and crime

In June 2007 a vehicle carrying improvised explosive devices was used in an attack on the main terminal building at Glasgow airport. Communications data was used to identify a bomb factory through analysis of calls from suspects' phones to a letting agency. Items and tools used in the making of devices were found, and forensic evidence tied the suspects to the premises. Communications data, including cell site analysis, identified where, from whom and when the vehicles involved were purchased. Communications data also provided evidence of contact between suspects and in particular identified the prior knowledge of a third party who was directed, via text, to an email account containing instructions detailing how that person should answer questions from the authorities after the event.

In 2002, during the investigation into the murder of Holly Wells and Jessica Chapman in Soham, communications data from their mobiles showed that they had been at or very close to the house of Ian Huntley, suggesting flaws in his alibi. Records of calls and text messages between Huntley and his ex-girlfriend, Maxine Carr, also showed that she was in Grimsby when Huntley killed the victims and that she deliberately misled the police over his whereabouts.

In August 2009 two men in disguises entered Graff Diamonds and stole £40m of jewellery. They left taking a hostage at gunpoint. Shots were fired in the street at those who gave chase. CCTV captured the suspects prior to entering the premises; this showed one using a mobile. A handset was recovered in an abandoned vehicle linked to the attack; from this other handsets were identified. Analytical work on call data established contact with the makeup artist who prepared the suspects' facial masks; a car hire firm used for getaway vehicles; and the locations of the suspects at various times during the robbery.[16]

11.  Less high profile, but no less important, is the use of communications data by Her Majesty's Revenue and Customs (HMRC) to uncover tax evasion. There are also uses of communications data which are not connected with crime, but where lives at risk can be saved: the location of individuals who are threatening suicide, and others in life-threatening situations. At the other extreme there are examples of the use of communications data, much quoted by those opposed to the legislation, which show what can happen if the system is misused or abused, and the safeguards are inadequate or bypassed. The majority of these relate to local authorities, and we deal with them in Chapter 4.

12.  A special mention should be made of the work of the Child Exploitation and Online Protection Centre (CEOP), which uses communications data to detect paedophiles. Mr Davies, the Chief Executive, gave us a particularly startling example of how essential to their work was the ability to reconcile an Internet Protocol (IP) address to an individual.[17]

BOX 3: Reconciling an IP address to an individual

A child contacted a helpline service online, indicating that he had self-harmed and was intending to commit suicide. This was passed on to CEOP who acquired the communications data to reconcile the IP address to an individual. They did so in a very short space of time and passed it on to the local police force. When they got into the address the child had already hanged himself, but was still breathing. If there had been any delay, or if the child had been unlucky enough to be using one of those service providers that do not keep subscriber data relating to IP addresses, that child would now be dead.

13.  "Exponential" is a word we have heard many times in the course of our inquiry but, as we explain in Chapter 3, it is barely adequate to describe the explosion in communications data over the decade since RIPA came into force. The changes in the forms of communications and the volume of exchanges are such that it is hardly surprising that the Government think it appropriate to amend the law governing access to communications data; and this is what the draft Bill would do.

Our procedure

14.  We put out a call for written evidence, and in response received a great deal of valuable information and many conflicting views. All of this evidence is available on our website, except for two categories. The first of these is evidence which was sent to us in confidence. This has helped to inform us and to form our views, but we have not referred to it specifically in this report. The second category consists of some 19,000 emails we received from individuals in response to prompting from two organisations, 38 Degrees and the Open Rights Group. This reflects the anxiety felt by large sections of the public about intrusion by the authorities into their private lives.

15.  In the course of five months, during two of which one or both Houses were in recess, we held 20 meetings (three of them while the House of Lords was in recess). We heard over 23 hours of oral evidence from 54 witnesses—in some cases more than once. These ranged from officials of the Home Office (the Bill's sponsoring department), the police and representatives of other law enforcement agencies, who strongly supported the Bill, to persons and bodies equally strongly opposed to it. The witnesses included the main United Kingdom CSPs and overseas based email providers and social networks. We concluded by hearing the Home Secretary, who spoke on behalf of the Government. Transcripts of all this evidence are available on our website, but in a few cases we allowed witnesses to give evidence to us in private so that the transcripts could be redacted before publication to remove matters that were commercially sensitive or which could have compromised security. Where redactions have been made, this appears in the transcript. To all our witnesses we are most grateful.

16.  We went on two visits. The first was to the Metropolitan Police Central Intelligence Unit (CIU); the second to Everything Everywhere, the company which owns and operates both the T-Mobile and the Orange networks. We include notes of those visits in Appendices 4 and 5. Of particular value to us was to see in operation the procedure by which the authorities request communications data from CSPs, and the procedure of CSPs in response to those requests. We are grateful to both organisations for their time and trouble.

17.  We asked to see the intelligence service, the security service and GCHQ. Their views on the draft Bill would have been helpful to us. The Home Secretary, in accordance with usual practice, would not permit them to give evidence to us, even in private. She offered us "a general briefing on the threat, particularly that from international terrorism, and the Security Service's role in addressing it, [which] would take place off the Parliamentary estate and would be strictly informal and off-the-record". We did not see that this would advance our scrutiny of the draft Bill, and declined the invitation. The intelligence and security services did however give evidence to the Intelligence and Security Committee. This, like us, is a Committee of members of both Houses of Parliament, but it is not a Parliamentary Committee and reports to the Prime Minister rather than to Parliament. Its inquiry into the draft Bill has been limited to the needs of the intelligence and security services. The conclusions and recommendations of the Intelligence and Security Committee are being published on the same day as this report. We thank the Committee for giving us advance sight of its recommendations.

18.  We also wish to place on record our thanks to our specialist adviser, Mr Martin Hoskins, for the support he provided during our consideration of the draft Bill.

19.  Pre-legislative scrutiny provides the opportunity for members from all sides of both Houses to come together and scrutinise the principle and the detail of potentially sensitive draft legislation. It gives an opportunity to build both Member expertise and political consensus. It allows interested parties from outside Parliament to engage with Parliament's scrutiny process and to help inform Members on the consequences of implementing the proposals. It gives Government the chance to hear the preliminary views of Parliament at a stage when policy can still be amended before the introduction of a Bill proper.

20.  We welcome the Government's decision to publish this Bill in draft form. We hope that Departments from across Government will continue to show a commitment to publishing as much legislation as possible in draft, and that Parliament will continue to take advantage of the opportunities that exist for pre-legislative scrutiny.

1   See further in paragraph 22.

2   We have been unable to obtain information about how section 94 of the Telecommunications Act 1984 has been used. The provisions of section 94 permit directions to be given without the need for them to be laid before Parliament if disclosure would be against the interests of national security. A person must not disclose anything done by virtue of section 94 if the Secretary of State has notified him that disclosure would be against the interests of national security.

3   The Regulation of Investigatory Powers Act 2000 (Commencement No 3) Order 2003, SI 2003/3140, Article 2.

4   Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ L 105 of 13 April 2006, page 54. Even now, over five years after the date for transposition, not all Member States have implemented the Directive; in particular, the German Constitutional Court has ruled that the legislation implementing the Directive in Germany is unconstitutional.

5   The Data Retention (EC Directive) Regulations 2007, SI 2007/2199.

6   The Data Retention (EC Directive) Regulations 2009, SI 2009/859.

7   http://www.homeoffice.gov.uk/documents/cons-2009-communications-data?view=Binary

8   http://webarchive.nationalarchives.gov.uk/+/http:/www.homeoffice.gov.uk/documents/cons-2009-communication-data/cons-2009-comms-data-responses2835.pdf?view=Binary

9   "The Coalition: our programme for Government", 10 May 2010, http://www.cabinetoffice.gov.uk/news/coalition-documents

10   Cm 8359.

11   See BBC research in 2009 on the density of local authority-owned CCTV cameras: http://news.bbc.co.uk/1/hi/uk/8159141.stm and a Channel 4 News assessment that in 2008 there was a CCTV camera for every 14 citizens. http://www.channel4.com/news/articles/society/factcheck+how+many+cctv+cameras/2291167.html

12   http://www.npia.police.uk/en/8934.htm

13   http://www.npia.police.uk/en/10505.htm

14   http://www.npia.police.uk/en/10504.htm

15   http://www.publications.parliament.uk/pa/ld201011/ldselect/ldeucom/82/82.pdf

16   This example is taken from the written evidence of the Metropolitan Police.

17   Q 1096


© Parliamentary copyright 2012
Prepared 11 December 2012