Wednesday, 15 September 2010

Assessing the impact

Having spent more than three weeks trying to overcome the post-holiday blues, Matron was abruptly dragged back into the grey skies of coalition government Britain yesterday when she worked her way through the fresh-from-the-press consultation paper on "Implementing the revised EU Electronic Communications Framework". That framework (also known as the "Telecoms Package") was adopted by the EU at the end of last year after a considerable period of legal and political wrangling between the Commission, Council members, MEPs and lobbists.

Now, Matron feels a little about the Telecoms Package how she feels about reading the works of Judith Butler or Stephen Hawking. If she applies razorsharp, quasi-transcendental focus she manages - for the length of one heartbeat - to understand what it is all about. But then the kitchen door slams shut with a bang or the cats loudly demand their dinner and - whoosh - it is gone. The reason for this, she feels, is that the Packages tries to wrap up all the legal issues that are somehow expected to affect the internet now or in the near future - regulators' powers, spectrum allocation, infrastructure, network security, interoperability, universal service obligations, quality of service, net neutrality, consumer protection and online privacy, to name but a few - into one neat little parcel, thereby creating something very much like a packet of Licorice Allsorts. There's something in there for everone; but because there is also so much in there that you don't fancy, it makes you want to head for a packet of winegums instead.

Nonetheless, needs must, so yesterday afternoon, Matron banned the cats to the bedroom, closed the kitchen door as a preventative measure, and sat down to read. The consultation paper itself is only (!) a concise 74 pages long, but it is accompanied by a rather lengthy impact assessment. Now, impact assessments are funny things, written by administrators to satisfy the beancounters, and most lawyers - Matron included - tend to avoid them like the plague. However, the sections in the consultation paper that Matron was scrutinising - the bit that dealt with the changes to the E-Privacy Regulations, data security breach notifications, information requirements, the cookie wars v2.0 etc. - referred to the impact assessment rather more often than usual. So, with an audible groan Matron gave it a go. And found some truly surprising stuff.

Hidden between "E-Privacy Directive: Annex 1: Data Breach Notification" and "E-Privacy Directive: Annex 3: Cookies" one can find an innocous little document titled "Information Provisions" which, under the heading "What is the problem under consideration? Why is government intervention necessary?", addresses a completely different policy objective from those set out in the Telecoms Package.

After pointing out that "[p]olice and security services will continue, under the amended E-Privacy Directive, to be able to request information from the providers of electronic communications services in order to aid in the protection of national security and following criminal cases", it then explains that the government must take steps "to increase the investment service providers put into being able to provide this information". To this end, the government wants to require those providers to "have a procedure in place to be able to respond to request for information from the police or security services" quickly and with a minimum of fuss. It also wants to impose the duty of checking that such procedures are in place on the Information Commissioner's Office. The intended effect of the government's policy is, apparently, "to increase the availability of suitable information for use by the police and security services" so as to enable them to provide "a high level of protection to citizens".

Like many of her ilk, Matron gets very nervous when it comes to laws that facilitate the "availability of suitable information for use by the police and the security services", particularly when there is no defintion of what actually constitutes such "suitable information". As the controversies over communications data retention and interception of communications under RIPA have shown, there is something of a chasm between what those service feel might be suitable and what civil liberties campaigners as well as many ordinary people feel those service should have access to. So what is funny about this new policy is this:

1. Access by public authorities of communications data and intercepted electronic communications are already laid down in the Acquisition and Disclosure of Communications Data Code of Practice and the Interception of Communications Code of Practice. They cover in quite some detail what the service providers must do in order to assist the authorities in relation to disclosure requests. Why then does the government feel that it must use this consultation to impose even more structured requirements on providers? Did the old system not work? Do they want to cover requests for data that are not yet covered by RIPA and its codes of practice? Would this make it easier to access data held by CSPs for other purposes, say the prosecution of copyright infringement?

2. The government somehow wants to hang this one on Article 15 of the E-Privacy Directive (as revised by the Telecoms Package) which, it concludes, gives an ‘opt-out’ from the Directive's provisions that prohibit the listening, tapping, storage or other kinds of interception of communication "in cases where these methods of information gathering are a necessary, appropriate and proportionate measure within a democratic society in order to safeguard national security, defence, public security, or for the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communications system". Although this is a fairly true description of the law as it stands (one could argue about the use of the word "opt-out"), it is surprising that this new requirements is included in this implementation proposal because - to Matron's knowledge - there is nothing in the Telecoms Package that requires the establishment of such procedural rules or, indeed, this level of micromanagement of the ways in which CSPs must comply with their duties under RIPA.

3. Why drag the ICO into this? It's not that Matron wouldn't be grateful, if the ICO had some power to inspect and review whether the disclosure of personal data by CSPs to the police under RIPA actually complied with data protection principles and the right to privacy. As the whole Phorm debacle has shown, there are some worrying gaps in regulatory oversight between the role of the ICO and that of the Interception of Communications Commissioner. But that is not what the ICO is asked or authorised to do. Instead, it is used as an enforcement agent whose duty seems to be to ensure that the police get their data in the most efficient way. That is surely not the ICO's job and it should not have to use its already meagre resources to play fetch for the security services.

4. There is nothing - nothing at all - said about this proposal in the main consultation document. This reminds Matron - as almost everything seems to these days - of yet another "Yes Minister" episode which mischievously dwells on the civil service's habit of hiding the important documents that it doesn't want the Minister to find, er see, "at the bottom of the fifth red box". Of course, Matron knows that one should never suspect conspiracy where mere incompetence will do, and maybe the good folks at the BIS did just forget to mention their plans in the place where everyone might read about them. But page 138 of a 180-page impact assessment seems to her as good a place as any to bury a proposal that might otherwise attract some negative headlines - particularly if it is published on the same day as another proposal which condemns ISPs to pay for 25% of the cost of pursuing illegal fileshares under the much-reviled Digital Economy Act. As the government itself admits, "there will be costs associated with service providers needing to implement internal procedures to respond to information requests" although it judges these costs to be "minimal". The government's rationale for imposing such extra costs at a time when it publicly touts that it wishes to liberate industry from overburdening regulation, is that the benefits for the general public from the police having access to that information outweigh the CSPs' business interests. They must therefore increase their level of investment to be able to provide this information (again - which information is that exactly?) "to the socially optimal level".

The BIS invites responses to the consultation by 3 December with plans to submit draft statutory instruments to Parliament in April 2011. Given that the Telecoms Package must be transposed by 25 May 2011, this seems to suggest that they do not expect there to be much parliamentary resistance to their plans or that they plan to overcome that resistance pretty sharpishly. After all, the old Labour government has provided them with a blueprint on how to do just that when it rushed the DEA through the wash-up with no regard for reason or democratic decorum. This approach is, of course, made much easier by the fact that the blasted thing is so complicated that - like with DEA - most MPs will not understand it anyway and are likely to follow their Whips' directions out of a desire to protect their poor brains from intellectual overload.

But this sort of stuff IS important and at a time when the new government still pretends that it intends to clean up the Augean stable that is the previous government's civil liberties record, this is a proposal to take note off.

Is Matron just her normal paranoid self and is blowing this completely out of proportion? She would love to be convinced that that is the case. Any volunteers out there?

No comments:

Post a Comment