Controversial DRIP bill set to become UK law

News by Steve Gold

The controversial DRIP (Data Retention and Investigatory Powers) bill completed its Lords committee stage without amendment yesterday, after effectively being rubber-stamped into the legislative books overnight.

The new legislation comes amidst unconfirmed reports that several media and communications companies have been under a sustained internet attack from outside the UK for several weeks.

The legislation - which has a 'sunset clause' (expiry date) of the end of 2016 - currently allows CSPs (Communication Service Providers) to retain customer data for up to a year, whilst at the same time granting UK security services access to that information, including overlay metadata that includes records of all phone and IP calls, emails and social media interactions.

It will also mandate non-UK companies - such as Facebook and Google - to hold information on web activities if their users are based in the UK.

The Act - which effectively passed on the nod last week through the House of Commons - had many critics in the House of Lords this week, but peers seemed unable to stop its passage into legislation. The House of Lords' constitutional committee, for example, warned that the bill handed the Home Secretary extraordinary new powers to expand future surveillance systems without having to put it to a vote.

"One is right to be deeply suspicious of emergency legislation that appears in this way," Lord King, the former British Airways chairman, said in the debate last night, adding that "I should also say, deeply cynically, that that is even more the case when such legislation comes with all-party agreement."

"That is a time to fasten your seat belts and wonder what the background to it really is," he said.

Lord King's concerns were echoed by Lord Butler - who has served as private secretary to five Prime Ministers and has been a member of the UK's Intelligence and Security Joint Committee since 2010 - and who remarked that the issues the bill addressed had been known about by the government for several months.

"Why has parliament been given so little time to consider this bill?" he said.


Professor Peter Sommer, a digital forensics specialist, said that the DRIP Act is certainly not a long-term fix and may not even work in the short term.

"The CJEU (Court of Justice of the EU) set ten tests for a revised Data Retention Directive, few of which are met by DRIP. Instead the Home Office seems to be suggesting that UK procedures for obtaining retained data from telephone companies and Internet service providers are sufficiently tough to make the UK compliant," he said.

Sommer - a visiting professor with De Montfort University - said the legislation is based on the notion that law enforcement agencies only get to see communications data after rigorous review within the agency by a Single Point of Contact (SPOC) and then by a senior designated officer.

But several serious commentators, he explained, have cast doubt on this premise, citing Tom Hickman and Graham Smith's comments.

"This means that, despite DRIP, either the CSPs or human rights non-governmental organisations may return to the CJEU for further rulings before the arrival of the sunset clause in December 2016," he said.

"Much depends, therefore, on the review of RIPA and related legislation by David Anderson QC. It is to be hoped he will be funded to carry out his task properly and to include advice on the relevant surveillance technologies," he added.

Professor Sommer went on to say that the decision to make DRIP an emergency bill is inexcusable, as the submissions from the Austrian and Irish courts went into CJEU in 2012 and the court judgement of 8 April 2014 makes quite clear that it considered representations from the UK.

"Home Office officials would have known for many months that a well-thought-out and negotiated contingency plan was needed," he concluded.

Dr Adrian Davis, the EMEA managing director of (ISC)2, meanwhile, said the DRIP legislation could leave UK personal data at greater risk from cyber-criminals.

"The debate around the DRIP bill has centred on how much the state should be allowed to know about us, but it is not just the state that would like to know who we have called, emailed, or instant-messaged in the past year. Cyber-criminals and hacker groups are frequently targeting phone and internet companies in search of this information with increasing success," he said.

Davis explained that Clause 4 of DRIP forces foreign Internet or phone companies with UK customers to comply with interception warrants and store personal data outside of the UK in data centres around the world, where it could be exposed to greater risks from hackers.

DRIP, he says, will require more and more information to be stored, processed, accessed, backed up and deleted with more and more people having either access or control over it. And, he adds, the more people involved, the more steps involved, the more likely that an accidental breach or disclosure may occur: it is not inconceivable that such capabilities will be attractive to criminals.

The extension of the RIPA legislation to include a duty on foreign-based internet companies with subsidiaries in the UK to cooperate with UK surveillance requests, he says, raises disturbing legal questions over how that data is to be protected in foreign jurisdictions that are not governed by our data privacy laws.

"It is estimated that the new DRIP legislation could increase the average cost of government surveillance by £8.4 million a year - partly due to the cost of paying ISPs to store extra data - but if the UK government is paying for this storage, how does the government know that the data is being protected according to best practice?" he said, adding that the debate around DRIP has focused on UK state surveillance so far.

"Yet the true legacy of DRIP could reach much further, with perhaps the unintended consequence of making our data more accessible not just to the UK but also intelligence agencies, governments, organisations and criminals across the globe," he concluded.

