Whilst on holiday abroad (late August), I spotted a Daily Mail headline that baldly stated that “one in 78 adults came under state-sanctioned surveillance last year”. Perusing the newspaper at a safe distance of 1.625 metres, it did not take me long to work out that the story had missed some other interesting statistical points in relation to the Annual Report of the Interception of Communications Commissioner, just published.
Any informed analysis of this controversial subject must start with the Regulation of Investigatory Powers Act (RIPA) and its definition of “communications data” in S.21(4). Such data includes “any traffic data comprised in or attached to a communication...” or “...any information which includes none of the contents of a communication... in connection with the provision to or use by any person of any telecommunications service”. Note that word “person” – most of our data protection ISEB delegates would recognise it from its use in the definitions of the Act where it means “organisation” or “individual”.
So if a public body demands “communications data” by virtue of Section 22 of RIPA, that demand relates to communications made to, or by, a “person”. So when the Commissioner reports 504,073 requests for communications data, each one of these requests could relate to a “person”. The implications of this are profound; for example “Please give me the communications data relating those who called Boots the Chemist last week” is technically one request for communications data relating to a person.
Given that each request for communications data usually involves a minimum of two individuals (the caller and called), it follows that up to 1.08 million citizens may have been affected by these provisions in the year as reported by the Commissioner. Given that there are 60 million plus in the UK, one can see that the Daily Mail statistic of 1 in 78 figure could well underestimate the scale of the surveillance.
In my missive (“Nine principles for assessing whether privacy is protected in a surveillance society (Part 2)” – see Amberhawk web-site), I argue that public trust requires that Government should not define the criteria that is intended to reassure the public about the degree of surveillance. I argue that it should be the responsibility of the Commissioner to be able to define what records are kept by those doing the surveillance and what statistical information is collected and published in order to reassure the public.
To do otherwise is to risk collecting data that are designed to obscure rather than to illuminate. For example, Regulation 9 of SI 2007 No 2199 (dealing with the retention of communications data) limits one statistical item required by Government to "the number of occasions when data have been disclosed". This means, for example, that a disclosure of communications data pertaining to say 3,000 individuals would count as one “occasion” of disclosure, when perhaps the 3,000 affected individuals is the more interesting number.
In the same piece, I argue that any Commissioner has to be well resourced. In his report, the Interception Commissioner says that he is supported by a “Chief Inspector and five Inspectors” – that makes seven investigatory staff, excluding office support. So if 504,000 requests are supervised by seven staff, this means that each staff member is acting as a public watchdog for over 1,600 different requests for communications data per week. This stark statistic does not reassure with respect to the resources needed for effective supervision.
Finally, it is interesting to note that the Commissioner reports to, and is appointed by, the Prime Minister, the politician most responsible for the surveillance undertaken by the state. That is why I argue that in such a structure, there is a significant risk that the Commissioner does not possess the independence needed to guarantee the delivery of effective scrutiny.
So what should be done? My top three simple suggestions are:
(1) The Commissioner should report to, be financed by and appointed by Parliament
(2) There should be no “no-go” areas of supervision; a Parliamentary Committee can decide what to redact in any report, not the Prime Minister.
(3) The Commissioner decides what records of surveillance should be kept by those doing the surveillance and what statistics to report.
Without something like the above, the system of supervision of the wider use and disclosure of communications data is, in my view, unfit for purpose.