The UK’s Regulation of Investigatory Powers Act 2000 (RIPA) allows public bodies (e.g. the police) to carry out surveillance, investigation, and interception of communications, including phone records. An investigation by the Guardian shows that three of the UK’s four major mobile phone networks (EE, Vodafone and Three, with O2 being the notable exception)) use automated systems to hand over this information ‘like a cash machine’ with almost no human oversight.
Despite the European Court of Justice ruling the EU wide Data Retention Directive invalid on the grounds that it ‘interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data,’ theUK government recently rushed through the highly controversial Data Retention and Investigatory Powers (DRIP) Act, which requires telecommunications companies to keep records of all phone data for a year.
Taken together, RIPA and DRIP give government agencies the legal power to access any phone conversations made over the preceding year. For privacy advocates this is alarming enough, but news that mobile phones companies are automating this process has aroused particular anger, as it effectively turns the companies’ records in to a vast national database, which government agencies can access with almost trivial ease. As deputy director of Privacy International, Eric King, observes,
‘If companies are providing communications data to law enforcement on automatic pilot, it’s as good as giving police direct access [to individual phone bills].’
Two years ago the government’s junior coalition partner, the Liberal Party, successfully managed to scupper plans for a ‘snooper’s charter’ (Draft Communications Data Bill), which is something the leading Conservatives have always been angry about. However, by allowing government agencies unrestricted and unsupervised access to phone records, something very similar to the state database of communications sought for in the ‘snooper’s charter’ has to all intents and purposes been created.
Mike Harris, director of the Don’t Spy On Us campaign, argues that such a system is a direct assault on British citizens’ right to free expression,
‘How do we know that the police through new Home Office systems aren’t making automated requests that reveal journalist’s sources or even the private contacts of politicians? Edward Snowden showed that both the NSA and GCHQ had backdoor access to our private information stored on servers. Now potentially the police have access too, when will Parliament stand up and protect our fundamental civil liberties?’
The problem is compounded by the fact that telecoms staff who handle Ripa requests are effectively being paid by the home office, making them less likely to question surveillance requests. For a policeman to access phone records, the only oversight when using an automated system is that permission must be obtained from another officer on the same force.
EE (who also own Orange and T-Mobile), Vodafone and Three all confirmed that most Ripa requests are automated. A Vodafone spokesperson defended the practice on the grounds that,
‘The overwhelming majority of the Ripa notices we receive are processed automatically in accordance with the strict framework set out by Ripa and underpinned by the code of practice. Even with a manual process, we cannot look behind the demand to determine whether it is properly authorised.’
The remaining member of the ‘big four’ UK mobile providers,O2, however does not seem to view things in this way, and manually reviews all Ripa requests,
‘We have a request management system with which the law enforcement agencies can make their requests to us. All O2 responses are validated by the disclosure team to ensure that each request is lawful and the data provided is commensurate with the request.’