Intercept Modernisation FAQ

Intercept Modernisation Programme FAQs

What is it?

To quote Lord West of Spithead, Parliamentary Under-Secretary, Home Office, in the last government(2008): "The objective of the interception modernisation programme (IMP) is to maintain the UK's lawful intercept and communications data capabilities in the changing communications environment. It is a cross-government programme, led by the Home Office, to ensure that our capability to lawfully intercept and exploit data when fighting crime and terrorism is not lost. It was established in response to my right honourable friend the Prime Minister's national security remit in 2006."

In essence it is an extension of current data retention and interception requirements for Communications Service Providers (CSPs), which would require the interception and retention for no longer than 12 months of data concerning email, telephone calls and other telephone communications, and internet communications(such as going to a website and communicating with others through a website, like Facebook) for all subscribers.

What specific data is to be intercepted and retained?

CSPs must retain data that shows the time you sent the communication, the recipient of the communication, and your location at the time of the communication. This is called ‘traffic data’. The data required to be retained includes voicemail, call forwarding and transfer, and unsuccessful call attempts. It is important to remember that the content of your communications are not to be retained, except in the case of a specific request for you to be ‘tapped’, which must be approved by the Home Secretary and is heavily regulated. So, except in the case of you being a suspected terrorist or crime lord(quite unlikely), the government wouldn’t know what you’re saying, but it would know who you’re saying it to, when, and where from.

What data is currently retained?

At the moment many CSPs keep all the traffic data of their subscriber’s web and phone use for billing. They are required under law to retain this data for 12 months for law enforcement authority use. They do not retain data for third-party communications data that passes through their networks. So, at the moment, they don’t watch who you’re emailing through Gmail, who you’re talking to on Skype or Facebook, or who you message on Twitter, or anything like that, but under IMP, all this data would be retained. So you can see that this is an enormous potential change.

Why should I be worried?

There has never been such a wide range of data collected by a government, even the most sophisticated police states of the 20th century were not capable of monitoring such a large volume of communication. The reasons for this are numerous; 50 years ago the vast majority of communication would occur on a face-to-face basis, making mass surveillance, for all intents and purposes, impossible. Now that a large amount of everyday communication occurs on the internet or through telephony, it is possible for much more to be monitored. This raises a number of issues...

First of all, where there is mass data retention, there is the potential for abuse of the retained data. There have been cases in the past where authorities have used data for nefarious purposes(http://www.thesun.co.uk/sol/homepage/news/justice/article1041125.ece), or were simply incompetent(http://news.bbc.co.uk/1/hi/uk_politics/7104945.stm). By widening the scope of data to be retained, the chances and effects of abuse would inevitably increase.

Secondly, it opens up the opportunity for profiling. That is, for example, assuming that people with a particular characteristic(such as location or social background) are statistically more or less likely to commit crime, or be involved with terrorism, and so become more or less likely to find themselves the unknowing subject of targeted surveillance, along with all their family, friends, and acquaintances.

Is it legal?

ECHR, Article 8. Enough Said.

The Home Office argued in its 2009 consultation Protecting the Public in a Changing Communications Environment that "Article 8 is, however, a qualified right which means that any interference with an individual’s rights by the state is permissible so long as it is necessary (and not just reasonable) for a legitimate aim and proportionate. Furthermore, the interference must have a clear legal basis...A “legitimate aim” under article 8 of the ECHR includes the aims of national security, public safety, protection of the economy, prevention of crime, the protection of health or morals or the protection of the rights and freedoms of others."

Will it be effective?

There is no doubt that, if the technology exists(which it may not), the government will be able to intercept and retain a much larger proportion of the total traffic data on communications in the UK, but the aim of the programme is to intercept communications between criminals and terrorists. One simple thing that the government has overlooked is this: Encryption. It is not difficult to encrypt your traffic data so that it cannot be intercepted, and the current laws on demanding decryption of suspicious communications are not strong enough to be of any use(refusal to give up an encryption key or o decrypt suspicious materials results in a 12 month custodial sentence. That’s hardly a firm deterrent against terrorism or organised crime.). So, by and large, the only usable data that the government will acquire will be that of innocent people who indeed have nothing to hide, so why bother?

Which CSPs will have to retain this new data?

So far it is unclear which CSPs in particular would be covered by this new legislation, as the document states that ‘notified’(by the secretary of state) CSPs would have to retain the data. However, that could mean that the secretary of state simply ‘notifies’ every CSP in the world, or it could mean that just the major CSPs would be ‘notified’. Either way, many of us would have our traffic data recorded.

What would it cost?

It is estimated to cost £2bn, which is likely to come from the taxpayers pocket(Yes, that means you’ll be paying for the people who’ll be invading your privacy!), over a 10 year period.

How would it be done?

Under the original plan CSPs would intercept third-party communications using Deep Packet Inspection (DPI), and collect the data and hand it over to one government-run ‘uberdatabase’ to be retained for 12 months. However, more recently plans for this massive database seem to have been abandoned, in favour of requiring CSPs to retain the data themselves, and organise it in a fashion that would allow it to be used efficiently by whatever authority that wanted to use it(sorted by user). Though this is perhaps a better option on the privacy side of things(big databases are as a rule not a good thing), it does raise questions of feasibility. Also, it was leaked in May 2008 that GCHQ were installing a new system known as ‘Mastering the Internet’, which would employ advanced methods of DPI, allowing rapid interception of traffic data on a massive scale(and perhaps content data as well, this much is unclear), but since IMP has not been accepted it is currently restricted to only targeted interception.

How does the government justify this extension?

The government justifies this by saying that it would be very useful in identifying suspects, tracing their contacts, locating them at specific times and confirming or disproving alibis. The Home Office says this would be extremely useful in terrorism, murder investigations, child protection, and other violent crime including rape and theft.

What has the Coalition said up to this point on this issue?

The Coalition Agreement published on the 12th May 2010 said; "We will end the storage of internet and email records without good reason."

Nick Clegg said on the 19th May 2010: “It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop. ... We won’t hold your internet and email records when there is just no reason to do so.”

On the 19th October 2010, however, this statement was included in the Strategic Defence and Security Review: “We will introduce a programme to preserve the ability of the security, intelligence and law enforcement agencies to obtain communication data and to intercept communications within the appropriate legal framework … We will put in place the necessary regulations and safeguards to ensure that our response to this technology challenge is compatible with the government's approach to information storage and civil liberties."

What have CSPs said up to this point on this issue?

CSPs have questioned three things; the cost, whether it’s even possible(Some of the data asked for would be difficult or maybe impossible to attain with current technology), and of course the morality behind it. CSPs want to see that it corresponds to both UK Human Rights law and the European Convention for Human Rights.

What is the EU’s standpoint?

In the European Convention for Human Rights, this statement is included: "1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

However, up to this point the specific EU standpoint on IMP is unclear. IMP goes above and beyond the European Commission Data Retention Directive 2007, which requires only the retention of traffic data relating to communications going directly through the CSP’s networks, such as telephone calls and connection to the internet, but there have been no obvious objections to or blessings for IMP by the European Commission or Parliament as a whole.