CCDP wasn’t an April Fools’ joke; it’s very
real and it effectively allows the government to see who everyone talks to
online.
Recently, stories about the sinister but
innocuously titled Communications Capabilities Development Programme (CCDP)
have emerged in the form of leaks and partial confirmations to Sunday
newspapers. The second story, printed in The Sunday Times on April Fools’ Day,
had many people asking if this supposed plan was a joke. The CCDP, it was
claimed, is a plan to collect as much data as possible about who you talk to
online, and when. Could such an outrageous story really be true?
Within a day, minister Theresa May was
wheeled out, justifying the idea by reminding people that ‘traffic data’ had in
the past been used to investigate terrorists and paedophiles going free … Data
like this has already helped lock away murderer Ian Huntley. It helped catch
the gangland thugs who gunned down Rhys Jones.’
She also reminded people that the new plans
wouldn’t involve storing actual messages you send, just who you communicate
with (traffic data). By the time you read this, we may have firmer ideas about
what the CCDP really means, so please accept my apologies in advance for any
errors: Internet policy can be implemented quickly and dangerously.
CCDP has its roots in a Labour idea from
2009, called the Interception Modernisation Plan (IMP). This included a plan to
store all your traffic data in a giant national database, although that part
was quickly dropped.
However, the worry remains that the Home
Office wants access to stored data in order to ‘fish’ for suspects, by scanning
through data it can access easily to their logs. These include email send and
receive details, account IP addresses and some data about web visits. ISPs are
also required to keep these details for up to 18 months.
ISPs aren’t keeping all the relevant
information any more. In fact, Skype, Gmail and Facebook are much more likely
to have details about who you talk to than BT or TalkTalk, so the Home Office
wants to target these ‘third-party applications’ and collect information from
them.
When the coalition was formed in May 2010,
many people expected the approach to change. After all, we had a new government
whose parties had opposed IMP. The coalition, in fact, said in its agreement
that ‘we will end the storage of Internet and email records without good reason’.
However, by October, the Home Office’s new
strategy documents told us the opposite:
‘We will introduce a programme to preserve
the ability of the security, intelligence and law enforcement agencies to
obtain communications data and to intercept communications within the
appropriate legal framework… We will put in place the necessary regulations and
safeguards to ensure that our response to this technology challenge is
compatible with the government’s approach to information storage and civil
liberties.’
Soon, Home Office budget lines were
reserving $3 billion for the project. What had changed? Not very much. The Home
Office’s Office for Security and Counter-Terrorism (OSCT) still exists and is
run by the same officials, including director Charles Farr, an ex-Afghanistan
MI6 agent. OSCT promoted both IMP and the CCDP.
The OSCT had been talking to industry and
other bodies, including the Information Commission, which is in charge of UK
data protection. Last November, its representatives met with the ISP
Association (ISPA) to discuss how they might implement the CCDP.
During this period, my organization, the
Open Rights Group, asked the Home Office for a meeting and minutes were turned
down on cost grounds.
The OSCT and Home Office appear to have
learned that the previous consultations, under Labour, provoked too much debate
and opposition, and a quieter, more secretive approach would be more likely to
dampen opposition and succeed. Campaigners such as ORG and Privacy
International have had to rely on rumours and leaks to establish what might be
happening.
The greatest uncertainties surround how the
government will deal with the concerned companies, such as Google and Facebook.
Why bother intercepting and storing this data, when you can simply ask for it
directly?
In fact, this already happens. For example,
Google publishes how many requests it gets for data about its users. In the UK,
Google says it receives over 1,000 requests a year, and it complies with around
63 per cent of these.
However, this pales into insignificance
against the 500,000 annual requests made under the Regulation of Investigatory
Powers Act (RIPA). Most of these are believed to be requests to phone companies
asking who has registered a particular phone number. A smaller number will be
traffic data.
Meanwhile, Facebook complies with requests
in part: it doesn’t provide the full details of every message an individual
sends, but will give subscriber information. What’s more, if a company doesn’t
comply with such requests, the UK police can usually ask through international
legal agreements.
All RIPA requests are self-authorised by
law enforcement, and they don’t require a magistrate or court to check that
they’re reasonable. On the plus side, the government accepts that the number of
bodies able to use RIPA powers should be more limited: the list once included
the Milk Marketing Board, and still includes all local councils.
However, a complete list of someone’s
friends and associates, along with a large proportion of their communications,
is much more intrusive than a phone bill, and potentially more open to abuse.
Stronger safeguards are needed, including independent supervision. After all,
the Leveson inquiry has already shown that police and journalists colluded and
shared information inappropriately.
Targeted collection, ‘data freezing’ or
retaining data of genuine suspects, and targeted interception are all possible
without CCDP. Responsible services may co-operate, and cross-border agreements
ensure that data can be obtained no matter what the jurisdiction. In the long
term, this legislation will also cause massive expense, especially given the
number of services the hardware will need to intercept and read.
What is CCDP
What is it?
The Communications Capabilities Development
Plan aims to access details of everyone’s online communications, but not
messages’ content. The government will seek powers to compel companies such as
Google to hand over this data under the Regulation of Investigatory Powers
Act. It’s expected to ask ISPs to collect data from other companies by
intercepting our online communications.
When did these plans start?
The CCDP is the successor to Labour’s
Intercept Modernisation Programme, debated in 2009.
Who’s pushing it?
The Home Office’s Office for Security and
Counter-Terrorism, under director Charles Farr.
What will be stored or accessed?
The time, location or IP address, and data
about which users communicate with whom.
What do ISPs store already?
ISPs store the IP addresses of websites you
visit, the time, ‘from and to’ details of your emails if you use your ISP’s
email service, the times you log on and off your Internet connection and
your home IP address.
What does the government intercept already?
The government already has powers under
RIPA, and it also has the technology for targeted interception of
communications.
What do Internet companies do today?
Most major companies will comply with UK
government requests. When they’re based in a country such as the USA, there are
agreements between both countries to ensure that information needed for
investigations can be handed over.
Take action
Visit www.openrightsgroup.org/issues/ccdp