CHAPTER 14: EXPLANATIONS

(b) The progress towards universal encryption has accelerated since the
publication of the Snowden Documents, giving added force to the doubts
expressed by the JCDCDB about the technical utility of the third party data
proposal.24

(c) The Digital Rights Ireland decision of April 2014, with its sceptical approach to
data retention even in the more limited form that was provided for in the Data
Retention Directive, raises legal questions as to the more extensive powers
mooted in the draft Bill.

(d) It was suggested to me at the CDSG meeting that I attended in early 2015 that
the proposed request filter may have been overtaken by technological
developments.

14.30. Though the position is sometimes opaque or hard to research, I am aware of no other
Five Eyes or European country that provides for the compulsory retention either of
web logs (9.55 above) or of third party data.25 Such obligations were not considered
politically conceivable by my interlocutors in Germany, Canada or the US. The 2015
Australian data retention law specifically exempts both web logs and third party data
from the categories of data that must be retained by CSPs (9.55 and 9.64 above).

14.31. Against that legal, technical and comparative background, it seems to me that a high
degree of caution is in order.

14.32. So far as web logs are concerned, the police and NCA asserted their operational
utility for three purposes in particular (9.58-9.59 above):

(a) to help attribute communications to individual devices;

(b) to identify use of communications sites (allowing service providers to be
approached for further detail); and

(c) to gather intelligence or evidence on web browsing activity, both on sites
suggestive of criminality and more generally.

14.33. I have no doubt that retained records of user interaction with the internet (whether or
not via web logs) would be useful for each of those purposes. But that is not enough
on its own to justify the introduction of a new obligation on CSPs, particularly one
which could be portrayed as potentially very intrusive on their customers’ activities.26
Though the submissions I received from law enforcement were emphatic about the
value of such records, I was not presented with a detailed or unified case on:

24 JCDCDB Report, paras 91-101.

25 A recent comparative survey referred to (1) a Danish law of 2002 that provided for “session logging”
(sampling the destination and source IP address of every 500th packet) until this requirement was
removed in June 2014, reportedly because Danish police were unable to use the data, and (2) a
recent Finnish Bill (HE 221/2013) which provided for retention of “metadata produced from browsing of
websites”, until this was removed after criticism from a parliamentary committee: Open Rights Group,
“Data Retention in the EU following the CJEU ruling”, April 2015.

26 The MPS suggested to me that the retained data would be useful for researching such matters as
travel bookings and financial and property transactions: cf 9.59(b) above.
