Big Brother Watch has just published a report that shows UK police forces are requesting access to communications data 670 times per day or 1 request every 2 minutes. It has labelled the level of access as excessive and called for greater transparency from police forces.
The report is damning about the way that police forces justify access to data. Rather than use an external body to validate and approve access to data, UK police forces approve data requests themselves. As a result, 96% of all requests are rubber stamped with just 4% being refused.
The Home Office and other sources claim that police access to data is diminishing. However data obtained for the report shows that while 11 police forces have reduced their data requests over the last year, 26 have increased the number of requests.
Top ten police forces requesting data
The difference between the number of requests from forces is substantial. Only three forces admitted to making over 60,000 requests.
|No||Police Force||No of requests|
|2||West Midlands Police||99,444|
|5||West Yorkshire Police||19,757|
|6||Devon and Cornwall Police||19,731|
|8||Greater Manchester Police||19,037|
|9||Avon and Somerset Constabulary||18,923|
|10||Thames Valley Police||17,562|
Only three forces in the top ten make it onto the list of those forces who had the most requests refused.
- The Metropolitan Police made 177,287 requests for access to data with just 18% refused
- Essex Police made 19, 541 requests and had 28% refused
- Avon and Somerset made 18,923 requests with just 4.8% refused
Essex Police ranked 7th in requests and 1st in refusals are an interesting case. Three years ago they were at the centre of a storm when 8 employees were forced to resign over illegal access to data. While the report gave no reason for their high refusal rate, it is not unreasonable to assume that new working procedures implemented after the scandal will have made it harder to get access to data.
Big Brother Watch has set out five recommendations to improve both the handling of data and a more rigorous process for access. These are:
- Police forces should be required to publish transparency reports detailing how requests are approved, the number of individuals affected and the type of crime Communications Data is used for.
- Proof that data of more than 6 months old is regularly used in order to establish a proportionate approach to data retention.
- A clear, standardised procedure for the access of Communications Data, which all police forces, telecommunications and internet service providers must adhere to.
- Judicial approval should be the final step in any request for Communications Data.
- New definitions for Communications Data should be adopted.
Perhaps the most interesting of these recommendations is the last one where Big Brother Watch calls for a new definition for communications data. It highlights the recent report from the Intelligence and Security Committee titled: Privacy and Security: A modern and transparent legal framework. In that report, the committee called for two new definitions of data Communications Data Plus and Content-Derived Information.
The committee defined these as:
- ‘Communications Data Plus’ – this goes further than the basic ‘who, when and where’ of CD. So, for example, this would encompass details of web domains visited or the locational tracking information in a smartphone. Under RIPA, the majority of this information is currently treated as CD (the acquisition of which is governed on the basis of it being relatively unobtrusive), although some is treated as content (e.g. full web browsing histories).
- ‘Content-Derived Information’ – this is information which the Agencies can only obtain by processing or analysing the content of a communication (for example, the accent of the person speaking, but not what they actually say). This is – correctly – treated as content in RIPA, even though it is not the actual content of the communication (while clearly separating this category from content, we are not proposing that it should be treated differently).
The committee also put on record its concerns that data in the Communications Plus category had the potential to reveal much more about a person’s private life than would be expected. This is backed up by numerous studies of anonymous data where researchers have been able to show that with relatively small amounts of data it is simple to identify individuals and reveal large amounts of information about their lives.
In the report Big Brother Watch points out that Communications Data Plus would include data such as the web domains visited by a user and the location of the individual involved. There are significant challenges with using this type of data as probative. For example, malware will often redirect users to a range of sites serving up content that they would not normally access. This is common with sex sites and it would require very high levels of skill to prove that a user had willingly visited some sites rather than had their computer hijacked.
New categories of data would, according to the report, make it easier to apply safeguards to the data. For example:
- Communications Data – Existing safeguards under RIPA.
- Communications Data Plus – “greater safeguards” required.
- Content- Derived Information – The safeguards already applied to content would be applied.
- Content – Existing safeguards under RIPA.
Transparency of use still a major concern
This is not the first time that Big Brother Watch and other organisations have questioned the transparency of how data is gathered and collected. Police and security services are naturally reticent to disclose too much about how and why they are gathering data, often hiding behind claims of terror-related needs.
What is surprising is that in this report Big Brother Watch say that US based technology companies publish far more information about the use of UK surveillance powers than the UK agencies do. This disconnect can only lead to mistrust over what is happening with data and that feeds into the political debate around the new communications act.
The report refers back to a 2012 request it made to police forces for information around how they use the data they have collected. Surprisingly, only one force was willing or able to provide a breakdown of data requested by type of crime it was used for. It would be interesting to see how many forces, three years on, are now able to provide that same degree of breakdown.
This is report that should be required reading for anyone who is concerned about how their data is used and anyone responsible for responding to requests for data access. The report highlights the lack of skills and knowledge in a lot of companies in how to deal with requests and that means that a lot of companies are likely to simply hand over data without questioning the request or looking to safeguard user data.
In the end, it is hard to escape the fact that vast amounts of data are being accessed by the police and other agencies with relative ease. While the new UK Government is looking to make it even easier to get access to data, this report brings home the need for greater transparency around both the new laws and those access the data are urgently required.