Out-Law / Your Daily Need-To-Know

Mobile networks raise concerns with the Investigatory Powers Bill

Out-Law News | 21 Dec 2015 | 4:58 pm | 4 min. read

WhatsApp, Skype and other over-the-top communication service providers should be responsible for retaining communications data relevant to their own services under planned new UK surveillance laws, the head of corporate security at Vodafone has said.

Mark Hughes told a parliamentary committee set up to scrutinise the Investigatory Powers Bill that forcing mobile network operators (MNOs) to be responsible for retention of that data would raise technical difficulties, potentially increase information security risks and make it harder to verify the accuracy of the data.

Under the Investigatory Powers Bill, proposed by the UK government in November, communication service providers would be required to retain communications data for up to a year and make that data available to the police, intelligence and security services in certain circumstances, including to help with investigations into acts of terrorism or serious crime.

The Bill, for the first time, extends the communication data retention regime to include internet connection records (ICRs), which is broadly data that reveals which websites internet users have visited without detailing the precise webpages of those sites that have been viewed.

Hughes said that Vodafone is going to have to "deploy new technology" so as to create the ICRs they will be required to retain under the Bill but said it should not be left up to MNOs to retain ICRs relevant to over-the-top communication services. Instead he said MNOs should only have a "signposting" role to play to "point" law enforcement and intelligence agencies towards the third party company they need to approach to get the rest of the information they desire.

"At the moment we are really concerned about being able to keep data about a service that is nothing to do with our core business, generating new data about our customers and especially stripping off electronic protection and decrypting communications passing through the internet," Hughes said. "This is a highly challenging arena for any of the companies here today in which to do things on behalf of somebody else’s communications services. We feel that the third parties providing those services have an obligation here to assist law enforcement fight crime."

Hughes said Vodafone and other MNOs currently act as "a postman" when carrying packets of data between users of third party over-the-top communication services like WhatsApp and Skype over their networks. He said that, under current proposals set out in the Bill, MNOs would have to open those packets of data, which might mean accessing the contents of communications rather than merely communications data like ICRs. The Investigatory Powers Bill would apply a different legal regime to the accessing of the contents of communications.

"You can already start to see how the lines are being blurred between traffic data and content when you start having to open packets of data as they cross the internet," Hughes said.

Hughes said it would "much more elegant" for third‑party communication service providers to be required to decrypt communications data for their services and retain ICRs under the Bill. This would help address information security and accuracy risks that would be present if MNOs were held responsible for the decryption and retention of data from third party services, he said.

"One of the main concerns here, especially around third‑party data, is that, today, Vodafone has no day‑to‑day business use for this data," Hughes said. "We do not create it, so we are going to have to generate new data about our customers that we do not generate today. Secondly, we do not understand its structure. That structure can change on a day‑to‑day basis, and it is encrypted, so we will have to be able to strip off the electronic protection and decrypt it before we can store it."

"We would be concerned about attesting to the accuracy of that information as well. I am also concerned about possibly creating a single point of cyber vulnerability when you start decrypting things to be able to store them. There is a very good reason why they are encrypted in the first place. I am concerned that we will perhaps solve one problem, but not necessarily in the best way, and create another cyber security problem," he said.

Jonathan Grayling, head of government liaison at EE, said that EE is currently looking into the feasibility of new technology to allow it to retain ICRs so as to meet the requirements in the new Bill. However, he said it could take 18 months after the feasibility stage has been completed to "deliver a solution because of the complexity involved".

Grayling's comments raise questions about the workability of the timescale for the proposed new laws. The UK government has outlined its intention for the Bill to be in force by the end of 2016 when existing data retention rules expire.

Simon Miller, head of government and regulatory engagement at Three, and Adrian Gorham, head of fraud and security at O2 Telefónica, also identified concerns with how a new filtering system for communications data, envisaged under the Bill, might be operated.

Miller said: "We understand that the request filter is a mechanism by which large amounts of bulk or collateral data provided by us as communications service providers, as a consequence of requests made by law enforcement agencies, will be gradually – through a process of correlation and different data points – narrowed down to identify either a single subscriber or a smaller subset of users, and that this will be done by a trusted third party. The whole purpose of this request filter is to minimise the amount of unnecessary bulk data that will be handed over to law enforcement agencies."

"We are all agreed as to the principle of this. There are a number of concerns … regarding the detail. The first is the fact that we would still continue to provide bulk data to a third party, and in so doing could be in breach of our duty of care under the Data Protection Act and the Privacy and Electronic Communications Regulations to our customers’ data. The second is that we have absolutely no detail on what this trusted third party would look like, the form it would take, or the legal obligations that it would be under. As a minimum, we would simply expect that whatever operation the request filter undertook was done to the same standards, and was as secure, as our own arrangements," he said.