The Counter-Terrorism and Security Bill, which includes further provision relating to data retention, has now been published (26 November). It is anticipated that the Bill will have its Second Reading in the Commons on 27 November. The Bill and relevant documents may be found here.
Part 3 proposes to amend the Data Retention and Investigatory Powers Act 2014 so as to enable the Secretary of State to require communications service providers to retain the data that would allow relevant authorities to identify the individual or the device that was using a particular internet protocol address at any given time. The Government states that it is necessary to fast-track the Bill and gives the following explanation for fast-tracking the data retention element:
‘Communications data has played a significant role in every Security Service counter-terrorism operation over the last decade. Enabling the retention of relevant internet data will close one element of the gap in the retention of communications data by communications service providers, thereby helping law enforcement agencies to carry out their functions.’
SCL members will no doubt be aware that it is rare for any legislation affecting these areas of interest to have a leisurely passage through Parliament. Perhaps it is felt that the extreme simplicity of this sort of issue makes debate unnecessary. The Government has however listed its efforts to maximise the time available for parliamentary scrutiny and mentions the fact that Parliament recently considered wider data retention in relation to the Data Retention and Investigatory Powers Act 2014. (Though SCL members may recall that the Act was passed in an ’emergency’ and discussion andconsideration was somewhat truncated.) In addition, they point out that they published a Draft Communications Data Bill in June 2012 and refer to the joint committee’s report on it which is available at http://www.parliament.uk/draft-communications-bill/. (SCL members will recall that this is the so-called ‘Snooper’s Charter’ which was blocked because of the lack of support from the Liberal Democrats.) Moreover, the Home Office met communications service providers to discuss the measure on communications data.
The data retention element has, in effect, a ‘sunset clause’ because it amends the Data Retention and Investigatory Powers Act 2014 which is subject to such a clause.
The content of Part 3 and the relevant explanatory notes are set out below for ease of reference.
Part 3 of the Bill
Part 3 Data retention
17 Retention of relevant internet data
(1) Section 2(1) of the Data Retention and Investigatory Powers Act 2014 (temporary provision about the retention of relevant communications data subject to safeguards: definitions) is amended as follows.
(2) In the definition of “relevant communications data”—
(a) for “means communications data” substitute “means—
(a) communications data”;
(b) after “Regulations” insert “, or
“(b) relevant internet data not falling within paragraph (a),”;
(c) the words from “so far as” to the end of the definition become full-out
words beneath the new paragraphs (a) and (b).
(3) After the definition of “relevant communications data” insert—
“”relevant internet data” means communications data which—
(a) relates to an internet access service or an internet communications service,
(b) may be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication (whether or not a person), and
(c) is not data which—
(i) may be used to identify an internet communications service to which a communication is transmitted through an internet access service for the purpose of obtaining access to, or running, a computer file or computer program, and
(ii) is generated or processed by a public telecommunications operator in the process of supplying the internet access service to the sender of the communication (whether or not a person);”.
(4) In addition—
(a) before the definition of “communications data” insert—
“”communication” has the meaning given by section 81(1) of the Regulation of Investigatory Powers Act 2000 so far as that meaning applies in relation to telecommunications services and telecommunication systems;”;
(b) after the definition of “functions” insert—
“”identifier” means an identifier used to facilitate the transmission of a communication;”;
(c) after the definition of “notice” insert—
“”person” includes an organisation and any association or
combination of persons;”.
(5) Subsections (1) to (4) are repealed on 31 December 2016.
Explanatory notes to Part 3 of the Bill
PART 3: DATA RETENTION
SUMMARY AND BACKGROUND
121. Communications data is the who, where, when and how of a communication, but not its content. Internet Protocol (IP) address resolution is the ability to identify who in the real world was using an IP address at a given point in time. An IP address is automatically allocated by a network provider to a customer’s internet connection, so that communications can be routed backwards and forwards to the customer. Communications service providers (CSPs) may share IP addresses between multiple users. The providers generally have no business purpose for keeping a log of who used each address at a specific point in time.
COMMENTARY ON CLAUSES
Clause 17 : Retention of relevant internet data
122. Clause 17 amends section 2(1) of the Data Retention and Investigatory Powers Act 2014 (DRIPA) which provides definitions relating to the retention of relevant communications data under that Act. This will enable the Secretary of State to require communications service providers to retain an additional category of communications data, namely data that will allow relevant authorities to link the unique attributes of a public Internet Protocol (IP) address to the person (or device) using it at any given time.
123. Subsection (2) adds an additional limb of “relevant internet data” to the definition of “relevant communications data” which communications service providers can be required to retain under DRIPA.
124. Subsection (3) defines the “relevant internet data”, necessary to reliably attribute internet protocol addresses to a person or device, to which subsection (2) relates. Subsection (3) (a) limits this to communications data which relates to an internet access service or an internet communications service. Subsection (3)(b) describes data to be retained as data which may be used to identify, or assist in identifying, the internet protocol address or other identifier which belongs to the sender or recipient of a communication. Such data could include data required to identify the sender or recipient of a communication (which could be a person or a device), the time or duration of a communication, the type, method or pattern of a communication (e.g. the protocol used to send an email), the telecommunications system used or the location of such a telecommunications system that the person was communicating from. An IP address can often be shared by hundreds of people at once – in order to resolve an IP address to an individual other data (“other identifier” in this clause) would be required. Data necessary for the resolution of IP addresses could include port numbers or MAC (media access control) addresses. Subsection (3)(c) specifically prevents a telecommunications operator providing an internet access service from retaining under this legislation data that explicitly identifies the internet communications service or websites a user of the service has accessed. This type of data is sometimes referred to as web logs.
125. Subsection (4) adds definitions for “communications”, “identifier” and “person” to section 2(1) of DRIPA.
126. Subsection (5) provides that, like the provisions of DRIPA itself, these provisions are repealed on 31 December 2016.