UK ANTI-TERRORISM ACT 2001 & ISP’S


A CYBER CHECK-POINT CHARLIE?

Jason Saiban and John Sykes, Charles Russell, London

Jason Saiban and John Sykes of Charles Russell consider the Anti-Terrorism, Crime and Security Act 2001 and its likely impact, particularly in relation to Internet service providers. The article is based on issues raised in an “e-business at CR” breakfast seminar held on 12 April 2002.

The Anti-terrorism, Crime and Security Act 2001 (the Act) was of course a direct reaction to the events of September 11 2001. At the time of its implementation, although dissenting voices were raised, there seemed to be a consensus that it was a piece of legislation necessary to safeguard the fundamental rights of a democratic society. However, now that time has passed, consideration is being given to its extremely wide ambit and its own potential impact on the rights it apparently seeks to protect. This article considers what the Act does and why the Government considered it necessary; the politics surrounding the Act and the perceived problems it addresses.

1. THE LEGISLATION

The Act received Royal Assent on 14 December 2001, after just a single month of debate. The Act was very different from the Bill originally published, which had been campaigned against by many industry and consumer groups, including MPs and the Home Affairs Select Committee. However, even with the changes made, the Act has caused great concern in the communications industry and amongst those seeking to protect individual rights of privacy.

2. PREVIOUS LEGISLATION

To understand the Act fully, it is necessary to understand the background. The Regulation of Investigatory Powers Act 2000 (RIPA) gave the Government increased powers to intercept communications and data. It placed increased burdens on those responsible for the communications apparatus, particularly Internet Service Providers (ISPs), to allow for easier interception. However, RIPA was not the first Act to impose such burdens. The Data Protection Act 1998 had previously placed certain burdens on businesses, including those involved in communications, intended to protect the privacy of individuals. However, these previous pieces of legislation differed from the Act in that they took many months of political negotiation and consultation before obtaining Royal Assent. In particular, RIPA appeared to take the ability of the State to invade individual privacy as far as Society would allow.


3. GOVERNMENT JUSTIFICATION

The Act was a direct reaction to September 11. In an attempt to justify the Bill, the Home Office issued a ‘Regulatory Impact Assessment’ statement, posted on its website and outlining the reasoning behind the new legislation:

“…the attacks in New York and Washington on September 11 represent an escalation in the scale and scope of the international terrorist threat to our interests. In particular, suicide operations have been a step change in terrorist methods. It is clear that a single attack can have a severe impact on specific industry sectors and on the economy as a whole. Through improved protection, tracking and prevention of terrorism, the Government considers that the Bill will contribute to an improved level of security for the UK, preventing loss of life and ensuring that businesses and society as a whole continue to operate in safety.”

4. NOBLE WORDS INDEED. SO WHAT DOES THE ACT ACTUALLY DO?

(a) Scope of the Act

The Act is split into fourteen parts, including the area on which this article will concentrate: the retention of communication data. Data means traffic data and any other data that is not the content of the communication itself: this includes billing data, subscriber details, numbers dialed, internet sites accessed, emails sent and received, but not the content of emails or telephone calls.

(b) A voluntary code of practice?

The Act does not yet place an obligation on communications providers to retain communication data. The Government’s preferred option is that the communications providers agree and implement a voluntary code for self-regulation. Failure to comply with such a code will not render a communications provider liable to criminal or civil proceedings but the failure to retain data in contravention of the code could be used as evidence in the prosecution of offenders for offences that may relate to matters of national security. The implication is that, at the very least, failure to comply would be highly embarrassing for a communications provider.

Computer Law & Security Report Vol. 18 no. 5 2002 ISSN 0267 3649/02/$22.00 © 2002 Elsevier Science Ltd. All rights reserved


(c) Imposed direction?

However, if the ISPs fail to agree and implement the code, the Secretary of State has power to issue a mandatory direction for retention of communications data. Failure to adhere to such a direction would expose a communications provider to civil proceedings for injunction or specific performance with payment of costs. There have been discussions between the Home Office and the industry, but the code is still awaited. The Government has stated that it wants the period of data retention to be 12 months. In other words, communications providers will need the ability and capacity to store 12 months’ worth of communications data at any given time.

5. A CHECK-POINT CHARLIE?

Why is this Act controversial? The remainder of this article will outline the main concerns.

(a) Cost to the providers

The telecoms industry is in a period of severe economic uncertainty. The costs of complying with new data retention policies (in combination with the new surveillance measures already required under RIPA) will be extremely high. In the UK alone, over 400 million emails are sent daily. When one reflects upon the capacity required to store twelve months’ worth of emails at any given time, the cost concerns of communications providers become clear. In an attempt to sweeten the pill, the Government has declared its intention to compensate communications providers. However, it is by no means certain that the compensation will be adequate. Understandably, there is a real concern that the communications providers will be left with an unreasonably large proportion of the compliance costs.

(b) Impacting upon Human Rights

The Act will provide intelligence agencies with the ability to track:

• who people talk to
• where people go and
• what people read

Perhaps Orwell’s ‘Big Brother’ is closer than is commonly believed. With all this information made available, individual patterns of thought can be tracked and traced. Although the content of the data may not be revealed, it will be clear from certain website and email addresses what kind of content is being viewed. Anonymity may no longer be an advantage of on-line viewing. Such intrusion into private lives is a clear breach of the Human Rights Act. Consequently, the Act raises matters of extreme concern with regard to the basic rights and freedoms of a democratic society.

(c) Data Protection

The Fifth Data Protection Principle in the Data Protection Act 1998 states that personal data should not be kept for longer than is necessary for the purposes of processing. Will the period of data retention, once agreed (or imposed), conflict with this requirement, meant as a safeguard for privacy? Is it possible for these opposing principles to be reconciled?

(d) How effective will the Act actually be?

Although we have considered the Government’s stated reasons for the Act, a number of analysts have expressed doubts whether it will have the desired impact. Surveillance via ISP and telephone traffic data can easily be evaded, for example by using stolen or pre-paid mobile phones or web-based email from public terminals. If anything has been learned from the recent attacks, it is that terrorists are capable of utilizing technology to their benefit and advantage, and will use evasion measures to avoid unwanted surveillance. If so, the Act’s powers, despite the huge outlay in time and expense by providers and investigators, will be redundant. The only impact of the Act could be a negative one: the infringement of human rights.

(e) A hidden agenda?

As the Act’s technical failings have become more apparent, the feeling has grown that, maybe rather than being a reaction to the September 11 attacks, the Act serves as a convenient method for the Government to obtain powers it has craved for many years: viz. to retain data on individuals by means of data warehousing. Although such concerns are clearly influenced by the present Government’s perceived utilization of spin, certain evidence can be put forward in their support. For example, in 2000, The Observer newspaper released a leaked report from the National Criminal Intelligence Service (NCIS). In this report, NCIS proposed the establishment of a national traffic data warehouse to cover the entire population, with all data to be retained for a period of seven years. The proposal was supported by MI5, MI6, GCHQ and HM Customs and Excise. Perhaps it is the case that the Act is a means to introduce such a warehouse, so that the intelligence agencies and, perhaps more importantly, the tax collectors, can keep track of individuals.

6. CONCLUSION

A democratic society strives to balance conflicting principles; the right to individual privacy and freedom of expression must be weighed against the requirement to protect its citizens. No one can deny the threat posed by terrorism, and measures implemented to stave this threat off are to be applauded. However, the legislation, although well-intentioned, was conceived in a time of crisis and consequently rushed through Parliament without the opportunity for serious consideration of its flaws. Unfortunately, these flaws are now all too clear and likely to lead to great uncertainty in the future. Finally, one should not forget that, authorized or not, it is extremely likely that emails and other communications are being read by the intelligence agencies in any event. ‘Echelon’ is the CIA’s preferred means of access. Will the Act actually make any difference to the way in which our daily lives are monitored?

John Sykes is a Partner at Charles Russell’s Media and Communications Group specializing in dispute resolution. Jason Saiban is a solicitor at Charles Russell’s Media and Communications Group, specializing in IT and Internet Law.
