Not all of us were relaxing over Christmas: Home Office officials working on the draft Communications Data Bill were probably quite busy. Following the Scrutiny Committee's report on the Bill, the Prime Minister promised a redraft. So what now? Here's my advice to the Home Office on the changes needed if this Bill is to be passed this session.
First, move quickly. Both the Joint Committee and the (largely unreported but very important) Intelligence and Security Committee accepted that, although imperfect, legislation is probably required to fill a capability gap, and soon. This fundamental point, that law enforcement and intelligence agencies do need new powers to discharge their functions effectively, was largely ignored by media coverage.
Second, amend clause 1. A major sticking point for many critics is that the powers available in the current draft essentially allow the Secretary of State to collect whatever is deemed necessary by executive order, whenever it is deemed necessary. Clearer limits on this power would go some way to assuaging legitimate concerns about mission creep.
Third, the system of oversight and scrutiny - the centralized 'Single Point Of Contact' system and the duty of the Information Commissioner - should be set down on the face of the Bill. Only legislation will satisfy legitimate worries about possible misuse, which is vital given the scope of the Bill.
Fourth, the use of Deep Packet Inspection (DPI) needs to be more clearly specified as a last resort when vitally important information is desperately needed and all other avenues are exhausted. DPI has caused great consternation because it would essentially require government to install technology that allows direct access to network traffic. The technology itself is not particularly novel - DPI is routinely used by commercial companies - but government use is something different. As experience shows, once you build a capability it is hard not to use it.
Fifth, the Regulation of Investigatory Powers Act (RIPA), which this Bill amends, makes a distinction between content and communication. Intercepting the 'content' of a communication is deemed more intrusive to our privacy, and so is regulated more tightly. However, when RIPA was passed in 2000, communications data mainly covered who you telephoned, when, and subscriber information. Now it covers far more, such as the websites you visited and your GPS location, which is updated constantly. This is more intrusive than had been envisioned over a decade ago, and I believe the Bill should reflect that - perhaps creating (sorry if this is getting technical) a graduated system, whereby some types of communications data require more oversight, and those decisions perhaps made by a centralized quasi-judicial body.
Sixth, although many critics of the Draft Bill argued that the permissible purposes for the use of communications data should be restricted, I've yet to see anyone suggest which ones, because all the purposes listed are in fact very reasonable. They should remain more or less intact.
Finally, presentation is everything. I think the Home Office may have learned an important lesson from this affair: that terrorism and paedophiles do not automatically trump digital rights. The Home Secretary consistently argued the new Bill is essential to tackle terrorism, serious crime and paedophilia. She may have believed that any law strengthening powers to do that would be more or less accepted. She perhaps underestimated how important digital freedoms and data sovereignty are to people today. And the online and privacy community - often tech savvy, networked, and highly defensive of internet freedom - are a powerful lobby group. Those that disagree with the Bill are not on the side of criminals, and it is not helpful to say they are: it obscures areas of agreement and the possibility of compromise.
Ultimately, some people will never be happy with any measures that are taken. Many civil liberty campaigners believe the entire exercise is unnecessary and even a reformed Bill would be too much. Equally, a watered down version will probably frustrate law enforcement agencies, who would like to 'future proof' the Bill against likely technological changes. You can't please everyone, and this Bill, in whatever revised form, will not. But these changes are probably just about enough to keep everyone only mildly displeased. When it comes to security and Internet freedom, that might be the best we can manage.