Collecting metadata “can be more intrusive than traditional communications data,” Scotland Yard’s deputy assistant commissioner has admitted to Ars.
Neil Basu made his comment during a briefing session on law enforcement requirements for investigatory powers. The UK government claims that the new Internet connection records (ICRs) at the heart of the Investigatory Powers Bill are “only” metadata, and therefore no more intrusive than traditional communications data.
However, this contradicts the view of many experts who believe that “analysing metadata is often a far more powerful analytical strategy than investigating content.”
The briefing was held on Tuesday at the National Crime Agency’s headquarters in Vauxhall, London because “it’s important we are as open as we can possibly be,” Basu told reporters. “We police by consent. If we lose that consent, the cornerstone of policing, we can’t police without trust and confidence from the public.”
He said that “the reasons we need communications data have not changed, have not changed in decades. It’s the way we get data has changed.”
Evidently seeking to re-assure the public that UK police won’t abuse the new powers granted to them under the planned IP Bill—or Snoopers’ Charter, as it’s colloquially known—Basu was keen to emphasise the considerable bureaucracy involved in obtaining authorisation, and the degree of oversight.
The meeting also clarified that the police aren’t allowed to use bulk collection (mass surveillance), or bulk “equipment interference”—hacking, basically—at all. However, they can use “thematic” warrants, which refer to specific groups of people, which is clearly a step beyond purely targeted actions.
The Investigatory Powers Bill is still moving through parliament, so many of its details have yet to be specified. However, during the briefing the NCA’s legal director, Jonathan Richards, provided an indication of what the police expect an Internet connection record to look like.
Another piece of information to emerge was that although the ICRs would be held by individual ISPs on separate databases, there would be a central piece of software that could interrogate all of them using the obscurely named “request filters.”
The filters, we’re told, ensure that only the information requested is sent by the ISPs. However, NCA experts indicated during the briefing that a single piece of software, run centrally, will be able to use request filters to interrogate multiple ICR databases, and then pool the results automatically. This effectively turns the separate metadata stores into a single virtual database.
The fact that this extremely sensitive program will need to be written by the UK government, which has a terrible record for major software projects, does not inspire confidence, however.
As well as concerns about its timely delivery and eventual robustness, another issue is that this software represents a single point of weakness, and a very attractive target for criminals and foreign intelligence agencies. Anyone gaining high-level access to the system may be able to extract revealing metadata from any of the ICR databases around the country
And—on the vexed question of encryption—Basu told us: “It is a massive issue for law enforcement, there’s no doubt about it. It definitely affects us in interception, it definitely affects us in communications data.”
He went on to say: “I’m pro-encryption, for all sorts of reasons. I used to be head of the organised crime unit, and if I want to stop people doing fraud, I want people to be protected when they’re on the Internet.”
Article by Glyn Moody and arstechnica.co.uk