Reflections on the UK's DRIP Act

It’s not straightforward being a law enforcement officer in the UK in 2014. I often think of how different my working existence is to that of my great-grandfather, also in law enforcement, but working in a small Scottish village in the late 19th Century. The highlight of Constable Taylor’s 30-year career was once catching a burglar. 

One of the most complex areas law enforcement tackles in the 21st Century is the use of communications data. My instinct is that the debate on the Data Retention and Investigatory Powers Act in the UK last week hit the right balance, considering both security and human rights.

Crime nowadays is different from even 15 years ago, as shown by the UK’s 2014 crime statistics. We are dealing with increasing identification of cybercrime (including data theft and fraud) and online child sexual exploitation, as some of the statistics reported by my agency over the last six months have shown.  At the same time, the way that all of us communicate has changed dramatically over the last 5 years, with criminals, like everyone else, increasingly using web-based communication. Finally, although it appears a glib, often repeated statement, my everyday work indicates that the most insidious crimes - from contract killings to multi-ton drug trafficking, from people smuggling to online child sexual exploitation - all have an international dimension. Often the international element also relates to the evidence we need to investigate and prosecute these crimes. Kate Westmoreland’s recent blog on the Microsoft case clearly highlights this.

But it’s not just that crime has become more complex in the 21st Century: so have our lives as citizens.  The debates around human rights, and in particular privacy in the digital age, are much more complicated. Some find it easy to create a false dichotomy of privacy versus security and decide where they believe the sliding rule should sit. However, I know few people in the UK who feel the need to deal simultaneously with both security and privacy as acutely as my law enforcement colleagues. On a daily, if not hourly basis, we make decisions about whether exercising law enforcement powers, including access to data, is a justifiable, proportionate and necessary invasion of an individual’s privacy. 

Media reporting often suggests we take these decisions lightly. I’m yet to find a colleague who does. Instead, each individual request is considered on its own merits and justified in detail. There is often an ensuing discussion on necessity and proportionality, in particular looking not just at the impact on the private life of the subject of the request, but also on anyone else who may be associated. As UK citizens, we are conscious that by protecting others’ privacy we are also protecting our own. In the same way, by protecting the public against crime, we are protecting ourselves. I know I am not alone in feeling that we are regularly in a no-win situation. I think back to early June 2013 as UK newspapers simultaneously published headlines demanding to know why more hadn’t been done to track the killers of Fusilier Drummer Lee Rigby, and in the same breath questioned the legitimacy of law enforcement data collection, following the revelations of Edward Snowden.

That is why I was particularly interested when the UK government passed the Data Retention and Investigatory Powers Act last week. The Act focuses on communications data, the life blood of modern criminal investigations. Communications data can reveal the who, where, when and (if we include stored content, which the Act does not) often the what and why of a crime, and plays a role in over 90% of serious criminal and terrorist investigations in the UK. I think this Act not only makes it possible to continue to investigate - and often prevent - the most serious crimes, but it also forces us to think about how we should continue to investigate in the future, with privacy and security given equal importance. That is a debate we critically need to have.

There are 4 key elements of the Act and the measures that accompany it: 

Data retention: The Act re-affirms the state of play that has existed in the UK for some years under the European Data Retention Directive (DRD), until it was struck down by the European Court of Justice (ECJ) in April 2014. The ECJ argued that the DRD failed to sufficiently differentiate data types; nor did it contain access criteria or internal safeguards (all of these already existed in UK legislation but were not explicitly linked to the DRD). The Act does not require companies to create new data for law enforcement, but rather to retain data already created in the course of their business for a minimum of a year, with new safeguards added to the legislation.

There are four stages that law enforcement bodies must undertake in order to use communications data for an investigation or prosecution. In reverse order: presenting the data; analysing the data; obtaining the data; the data being in existence. The Act deals with ‘the data being in existence’. As much as it would be great for data retention to be unnecessary, the reality of many investigations, including drug importations, murders and rapes, is that we only link a suspect to a crime after the crime has been committed, making ongoing ‘data preservation’ ineffective. Retained data also allows us to see historic links with other suspects in organised crime offences. Whilst it may be possible in the future to develop technological alternatives to data retention, these don’t currently exist.

Extraterritoriality: when using communications data to investigate a crime, it is quite possible that the location of the companies, the location of data, and the location of perpetrators are all in different parts of the world. In the world of crime investigation and prosecution it’s law enforcement and victims that are paying the price for this complexity. My own work at Stanford showed that the UK wasn’t alone in having delayed or dropped serious cases due to not obtaining international data in a timely manner. The extraterritoriality part of the Act is about getting our own house in order, hopefully providing clarity where previously there had been legal ambiguity to extraterritorial aspects of issues such as asset recovery. It will enable me to ask the question, whilst taking into account “requirements or restrictions under the law of that country or territory relevant” to the provider. This feels right to me: after all, I’m usually asking US providers for data relating to a criminal, crime or victims with no links whatsoever to the US.

Privacy and Civil Liberties: The measures accompanying the Act will scale back the 600 public bodies who can ask for the data. This brings a higher bar to the requirement to show necessity and proportionality of data. Only organisations, such as the National Crime Agency, which deal with some of the most serious offences, will legitimately be able to approach communications providers for their users’ data. The government is also introducing an Independent Privacy and Civil Liberties Board (IPCLB), to replace the current Independent Reviewer of Terrorism Legislation and consider the balance between the threat and civil liberties concerns in the UK where they are affected by policies, procedures and legislation relating to the prevention of terrorism. The IPCLB will be assisted by the production of an annual transparency report, building on the existing reports by the Interception of Communications Commissioner. It seems that the government intends these measures to be tangible evidence of its desire to incorporate civil liberties and privacy into the heart of the work of law enforcement and the security services.

The future: The parts of the Act and accompanying measures that excite me most are, however, the parts that look to the future: the appointment of a senior diplomat to look at what international systems we should have for sharing data; and a top-to-toe review of the UK’s Regulation of Investigatory Powers Act. This is an important opportunity to discuss what we mean by privacy online and the justification we need to intrude on this privacy relative to the type of crime being committed. As Glenn Greenwald says in No Place to Hide, the internet is now [for many] ‘the epicentre of our world, the place where virtually everything is done. It is where friends are made, where books and films are chosen, where political activism is organised, where the most private data is created and stored. It is where we develop and express our very personality and sense of self.’ However, privacy online can’t be absolute; we need to have the ability as law enforcement officers to effectively investigate serious crimes. The review will enable us to present the evidence of the benefits of different levels of access, including data preservation versus different periods of data retention. It will enable us to review whether the current legal categories of subscriber, traffic and content data are reasonable. The appointment of the senior diplomat may also enable the UK to fully grasp the thorny issue of internet and jurisdiction. I hope that consideration will be given to a human rights-compliant framework that enables a country to use its own legislation to access data held elsewhere in the world, superseding the idea that data belongs simply to one jurisdiction (such as where the company is incorporated). Mutual Legal Assistance Treaties have their role, but they can’t be the only solutions.

I now hope that looking forward in the communications data debate we will embrace the excitement, the innovation and optimism that has accompanied much of the creation of the internet, and the belief that we can change our own future for the better. We can get this right.

The views expressed in this post are my personal opinion, and do not necessarily reflect those of the UK National Crime Agency.
