Clause 17 — Retention of relevant internet data

Internet Communications (Regulation) – in the House of Commons at 4:30 pm on 6 January 2015.

Alert me about debates like this

Photo of Diana R. Johnson Diana R. Johnson Shadow Minister (Home Affairs) 4:30, 6 January 2015

I beg to move amendment 8, page 11, line 3, at end insert—

(iii) any information beyond that which is necessary to allow the identification of the user from the public Internet Protocol address.”

This amendment would make it explicit that the extra data retention provided for in Clause 17 does not extend beyond that which is necessary for the purpose of identifying a user from the IP address. This amendment is not intended to impact on the rest of the Data Retention and Investigatory Powers Act, only the extra retention requirements created by Clause 17.

The amendment attempts to clarify the limit of data that may be subject to a retention notice allowed for under clause 17. To put this into context, we need to understand that the Government are attempting in clause 17 to increase the types of metadata that the Secretary of State may require communications service providers to store. The amendment seeks to clarify the limits on what those extra data actually are. The aim of the Government’s proposals is to ensure that CSPs store internet protocol address information: the information required to enable the identification of the device that received a communication from the IP address that received the communication. The Opposition support the principle of what the Government are trying to achieve, and this is the one area of the Government’s ill-fated draft Communications Data Bill for which there was clear evidence and a relative consensus. We agree that this will be a vital and proportionate tool in fighting not only terrorism, but other serious and organised crime, most notably online child abuse.

However, the Opposition have some concerns about how this measure will be implemented, both legislatively and in practice, which is why we have tabled amendment 8. Clause 17 amends the definition of “relevant communications data” for the purposes of section 2 of the Data Retention and Investigatory Powers Act 2014 and subsequently the meaning of “relevant communications data” within the Data Retention Regulations 2014, which were created under the powers conferred on the Secretary of State under section 1 of DRIPA. This is not perhaps the most straightforward way of implementing change, and it certainly adds to the confusion and suspicion about data retention.

The Minister informed the House in Committee that the Government did not intend to issue new regulations following on from this Bill, because the change in the definition of “relevant communications data” would alter the meaning of the 2014 regulations. So the combination of this primary legislation and the existing secondary legislation is meant to be sufficient to bring about a change in the types of data retained by CSPs. I believe that could create confusion in interpreting the regulations, which is exactly what we want to avoid when we are trying to increase confidence in the use of retained data.

If we look at the definition of “relevant communications data” in the 2014 regulations, we find that such data are specified in the schedule and that they are the same as those in the schedule to the Data Retention (EC Directive) Regulations 2009. Although the regulations make it clear that section 2 of DRIPA is not being prejudiced, no explicit reference is made.

Would it not be clearer for all concerned if the schedule were updated with clear explanations of what exactly is intended? As I explained in Committee, there are serious issues with the drafting of clause 17, and it contrasts unfavourably with the clear wording currently used in the 2014 regulations. If the Minister is not willing to make that update, will he accept amendment 8, as he agrees with its principle? In Committee, he argued that it was unnecessary, but accepting it would be an important step to achieving clarity.

If the Government are not planning to update the regulations, can the Minister tell the House whether they are planning to issue or reissue existing retention notices and how specific those retention notices will be?

That leads me on to my practical concerns about how we can allow for the retention of internet protocol address information without demanding the retention of weblogs. Clause 17 is meant to cover the identifier for the recipient of a communication. That is supposed to cover e-mails but, as subsection (3)(c) and our amendment make it clear, not weblogs. The principle is that communication service providers would keep a record not of websites visited, but of the communications sent and received if not the communications themselves. However, that distinction is increasingly blurry and one that is not clear in practical terms either in the Bill or in the 2014 regulations.

For the benefit of public confidence, will the Minister explain how, in the following situations, communications will be separated from weblogs? First, with web-based e-mail servers such as Gmail, how can a distinction be made between visiting a web page and using that web page to send an e-mail? Secondly, there are the messaging services, which are either web-based on sites such as Gmail or Facebook or purely app-based such as WhatsApp or Snapchat. Will the Minister confirm whether receiving a Snapchat image counts as a communication? Snapchats may be sent to a few friends or thousands of people who have subscribed to a user with whom they are unlikely to be friends. In the latter case, viewing a Snapchat may be more akin to viewing a web page than receiving a communication. Will the Minister explain, so that we are clear, how that will be dealt with?

Will the Minister turn his attention to the other forms of contact on social media, such as tweets and direct messages on Twitter? Does being tagged in a photo on Instagram count as a communication, and what about being mentioned in a tweet? Does receiving a Facebook “like” or a Tinder “match”—I am sure the Minister is fully aware of Tinder and other such applications—count as a communication for these purposes? If the Minister can assure me, the House and the general public that the legislation is sufficient to make those distinctions with regard to the apps and websites that large parts of the population, including many Members, now use, I will be happy to withdraw my amendment. I look forward to his comments on those specific questions, because they do need to be answered at this point.

Photo of James Brokenshire James Brokenshire Minister of State (Home Office) (Security and Immigration) 5:00, 6 January 2015

I am grateful to Diana Johnson for raising these important issues. This is a complex and technical area, and I am grateful for the opportunity to return to some of the points that we discussed in Committee. Communications data—the who, where, when and how of a communication but not its content—are a vital tool in the investigation of serious crime, including terrorism, and in safeguarding the public.

The hon. Lady explained that her amendment seeks to limit the scope of the provision to the retention of data that are necessary to allow the identification of a user from a public internet protocol address. She is trying to restrict the provision and to gain clarity, and as I explained in Committee, I do not think there is any difference between us on the principle. It is important that the provision goes only so far as is necessary to ensure that communications service providers can be required to retain the data necessary to link the unique attributes of an internet connection to the person or device using it at any given time—in other words, to link person A to person B. At the moment, internet service providers might not be required to retain that level of information. That was the Government’s clear intention when drafting the clause, so the provision is already limited in a way that I believe reflects what the hon. Lady intends.

Subsection (3) restricts the data to be retained to data that might be used to identify or assist in identifying the internet protocol address or other identifier that belongs to the sender or recipient of a communication. Any data that cannot be used to identify or assist in identifying the user of an IP address is already outside the scope of the provision, which deals with a number of the specific points about communications platforms that the hon. Lady highlighted.

I appreciate that the wording in the clause is quite technical, but I want to assure the House that great care has been taken to ensure that the Bill is tightly drafted. In particular, clause 17(3)(c) excludes so-called weblogs, a record of internet communications services or websites a user has accessed. The Bill provides for the retention of data relating to IP resolution and only such data. Anything else is already beyond the scope of what clause 17 permits. It is also important for the House to note that any requirement for communications service providers to retain data under the Data Retention and Investigatory Powers Act 2014, which the clause amends, may be imposed only where it is necessary and proportionate. Access to that communications data is then subject to robust safeguards, and the UK already has one of the most rigorous systems in the world for safeguarding the acquisition of comms data.

Before such data can be acquired, an application must be made that clearly demonstrates that the request is both necessary and proportionate to the objective of a specific investigation for one of the statutory purposes in the Regulation of Investigatory Powers Act 2000. The process is clear and accountable and includes a strong and rigorous system of oversight, which includes the interception of communications commissioner, who must have held high judicial office. Following DRIPA, he will report every six months on the interception of communications data, and of course he regularly inspects all relevant public authorities.

The hon. Lady asked whether we intend to issue new retention notices. The Government will issue new data retention notices to affected communications services providers following the enactment of the legislation. We will also enable law enforcement agencies to resolve a communication to an individual or device, not to ascertain which services or websites an individual has accessed. The data would be considered to be weblog data, as I have said, which is already excluded from the Bill.

A communication can include any message sent over the internet. The legislation relates not to the retention of what the message contained, but purely to the fact that a message was sent, which is the key distinction between comms data and what might be regarded as the interception of a communication. The provision amends the definition contained in DRIPA, not the meaning of the regulations. The definitions in the Act are used in the regulations, so there is no requirement to amend the regulations. Accordingly, I agree with the sentiment behind the amendment. If I have any reflections on the detail of the further points that the hon. Lady has highlighted, perhaps I can write to her further. However, with these assurances, I hope that she will withdraw the amendment.

Photo of Diana R. Johnson Diana R. Johnson Shadow Minister (Home Affairs)

I am grateful to the Minister for going through this very technical part of the Bill. I think it is helpful to have heard that explanation on the Floor of the House. I do not wish to press the amendment any further at this stage, although I think that it might be returned to in the other place, and so I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Bill to be further considered tomorrow.