IOCCO Annual Report 2016

The 2016 annual report of the Interception of Communications Commissioner’s Office (IOCCO) was laid before Parliament by Prime Minister Theresa May MP on 20 Dec 2017.

The report was written by former Interception of Communications Commissioner Sir Stanley Burnton on the work done by his team during 2016.

Statistics

Communications Data statistics

In 2016: 754,599 items of communications data were acquired. 83% of the items of data were acquired for the purpose of preventing or detecting serious crime or of preventing disorder; 11% were for the purpose of preventing death or serious injury or damage to a person’s mental health, or of mitigating any injury or damage to a person’s physical or mental health; 6% were for the purpose of national security.

Age of Data

The report offers a statistical breakdown of the age of items of data requested. It suggests that "Approximately 70% of data requests were for data less than three months old, 25% aged between 3 months and 1 year, and 6% for data over 12 months old":

Age Percentage of Items Requested
Less than a day 21%
1 to 7 9%
8 to 14 5%
15 to 30 10%
31 to 90 24%
91 to 120 7%
121 to 240 10%
241 to 365 8%
over 365 6%

As seen in the table above, 30% of requests for data are for data less than a single week old.

Statistics like the above raise important questions about the necessity and proportionality of legislation that requires communications data to be retained for long periods.

Now-Sustained Increase in Requests for Data

Between 2014 and 2015, a significant increase was seen in the number of items of communications data that access was granted to, and the publication of the 2016 report confirms that this elevated level is now sustained:

Year Items of Communications Data
2014 517,236[1]
2015 761,702[2]
2016 754,599

Concerns with IP Address Resolution

The report highlighted the former Commissioner’s concern with the level of errors seen by bodies trying to resolve IP addresses to specific individuals:

I am concerned by the increasing number of errors that occur when public authorities try to resolve IP addresses. These have resulted in the wrong people being arrested for extremely serious crimes.

The report highlights as false the assumption frequently seen within intelligence and law enforcement that an IP address can be safely resolved to an individual. It notes the difficulty that this assumption presents when considering dynamic IP addresses, providers that use network address translation, and issues caused by activity-recording systems which do not properly respect timezones.

The report then details the potential consequences of such errors:

The impact of these errors has, in some cases, been enormous. People have been arrested for crimes relating to child sexual exploitation. Their children have been taken into care, and they have had to tell their employers.

By way of balance, it is worth highlighting that there is a reason why serious IP address resolution errors are relatively more common in relation to child sexual exploitation cases than other crimes. Public Authorities are understandably unwilling to take the risk of exposing children to paedophiles.

The report specifically references the case of [Nigel Lang](http://www.bbc.co.uk/news/uk-39328853) to highlight the above point and the effect that erroneous IP address use can have.

Crucially, the former commissioner notes that:

There needs to be a change of mindset away from the assumption that technical intelligence, such as an IP address resolution, is always correct.

Error Reporting

As the report notes, "there is no statutory requirement under section 94 of the Telecommunications Act 1984 to report an error when acquiring or accessing bulk communications data." It suggests that over 2016 "no errors have been voluntarily reported to IOCCO in relation to the acquisition of bulk communications data by means of a section 94 direction."

Despite this, they note that the Security Service have developed and implemented an internal process for reporting instances of erroneous access to data already retained as a consequence of a s.94 direction.

The report then notes that GCHQ are unable to do the same, as they merge datasets in a way that makes them difficult to separate without causing further intrusion into privacy:

GCHQ in the main merges bulk communications data with other datasets containing communications data (for example, data obtained under an interception warrant). GCHQ has a mechanism for reporting errors to the Commissioner, but cannot easily differentiate the source from which the data is derived without compounding any potential intrusion (for example, by re-running the erroneous query).

Notification

The former Commissioner highlights in the report that the Investigatory Powers Act 2016 changed the thresholds for when an Investigatory Powers Commissioner can inform an individual that their data has been used in error:

Importantly, under the Investigative Powers Act 2016 (sic), there will be a change in the thresholds regarding when the Investigatory Powers Commissioner can inform an individual. Section 231 of the Act requires the Commissioner to inform a person of any relevant error where they consider it is serious and in the public interest for that person to be informed. The Commissioner is not permitted to determine that a matter is serious unless they conclude that the error has caused significant prejudice or harm to the person concerned.

The relevant section of the Investigatory Powers Act confirms that the "Investigatory Powers Commissioner may not decide that an error is a serious error unless the Commissioner considers that the error has caused significant prejudice or harm to the person concerned."[3]

When discussing serious harm, the act notes that "the fact that there has been a breach of a person’s Convention rights (within the meaning of the Human Rights Act 1998) is not sufficient by itself for an error to be a serious error."[4]

References