DRIP - Legislating the Indefensible

ThoughtWorks shares concerns expressed by legal scholars, civil liberties advocates and companies about the Data Retention and Investigatory Powers Bill (DRIP) being rushed through the UK Parliament. 

The DRIP Bill authorises blanket communications data retention which the European Court of Justice found in April to violate the Charter of Fundamental Rights.  The Court stated that data retention was a "serious interference with … the right to privacy and the right to protection of personal data". 

Many States across Europe, including Germany, Romania, Bulgaria, Belgium, Austria, Sweden and Greece, have found mass data retention to be superfluous, harmful or even unconstitutional.  A US federal judge, Richard J Leon in December 2013 ruled that a lawsuit challenging NSA bulk metadata collection had a “substantial likelihood of success”.

Courts don’t make rulings on a whim, and parliaments should not make laws on the fly.  

The DRIP Bill was announced last Thursday 10 July, published the following day, pushed through the House of Commons on Tuesday 15 July.  While on Wednesday the House of Lords Constitutional Committee issued a statement of concern about fast tracking, it held a first reading and second reading debate on the same day.

Such haste is especially concerning when an increase in surveillance powers are enacted without parliament playing its proper role.

Without debate and scrutiny we don't know if the Oversight Board or the reporting regime to this data retention bill is meaningful. We also don't have a chance to understand how additional powers such as compelling companies outside the UK to execute a UK interception warrant will operate.  We also don't understand how the UK government can expect to access submarine cables that don't go through the UK or its territorial waters.  

Data retention is wholesale collection of all data on all citizens, who are treated as suspects, reversing the doctrine of "innocent before proven guilty". Advances in technology means data about telephone calls, emails, and information accessed online and detailed information about the location of mobile telephones tell a very detailed story about someone.  Data retention makes huge quantities of information available for potential misuse, theft and breach.

ThoughtWorks believes in data austerity or 'datensparsamkeit' in German, and promotes the practice of storing only data that is necessary rather than collecting everything that might be useful in the future.  When a company or government practices data austerity, the burden is on them to demonstrate a need for the data they store. They must make the case for sharing their data, rather than routinely collecting and storing it for policing, intelligence, or commerce.  Germany has evolved laws that embrace this principle, not least due to former regimes that have carried out extensive mass surveillance programs. 

UK citizens have a legitimate expectation that the government will defend their democratic right to privacy, freedom of expression and freedom from arbitrary acts of surveillance. Ensuring that there is balance between national security and privacy means treating citizens as citizens first, with basic rights and protections, and not merely suspects.  

The data retention regime has created real costs for ISPs and telcos in the administration and labour required to collect, store, maintain and transfer data onto new or evolving systems.  These costs are hardest on small companies, with a competition and market impact, and ISPs are forced to pass on some of the costs to users.  That is, data retention costs everyone.  

As technologists we are concerned that technology is being used to invade privacy in ways that courts have found to be unnecessary and disproportionate. If government agencies need a warrant to enter your house, we believe they should need one to enter your online life.  Proper warrant procedures, not data retention, protect those agencies from suspicion of misuse of power and ensure they have social license.