DRIP: The need for mass surveillance

Much has already been written about the poor handling of the Data Retention and Investigatory Powers Bill (DRIP) so I won’t go into detail on the emergency legislation.  Instead I’ll consider the validity of harvesting communication data en-masse which is at the heart of the bill.


First a little background… The bill distinguishes between Communication Data and Content; The former being the context or metadata of a message such as who/when/where/how, the latter being the actual body of the message.  Context would tell you that Alice called Bob from her mobile phone at 13:37 on Tuesday in Hyde Park but would not tell you what they discussed.

The bill provides powers to instruct any Communication Service Provider (CSP) that they must retain any or all metadata for up to 12 months.  The police and other security agencies can request this data on provision of an appropriate court order that is deemed necessary and proportionate.

Metadata huh, what is it good for?

Those supporting the Bill have trumpeted that 95% of serious organised crime cases use communication data.  At a glance this sounds positive but how invaluable or inconsequential is the metadata in any given case?  It is claimed that metadata can confirm or disprove an alibi for example but in reality it does neither, it only provides evidence of the message or the device but not of the person.

If I’m suspected of robbing a bank and I state an alibi that I was in the Kings Arms two towns away then records from my mobile network provider could only confirm that my phone was in the Kings Arms or that my phone was at the bank, the metadata offers no attestation of my whereabouts.  Other evidence would be required firstly to assert a suspicion and secondly to conclude guilt or innocence beyond all reasonable doubt.  If any case has been won or lost on the strength of metadata alone then our justice system needs a stern talking to.

What could go wrong?

The Bill applies not only to UK companies but also overseas companies that provide services in the UK so there is no consistency in legal obligation to announce a data breach and no consistency in minimum requirements for security policies/procedures/platforms.  All too often a company remains unaware that a breach has occurred, and if a breach is discovered then there’s often no incentive for them to raise public awareness of the event.

Any large volume of data is likely to hold some value for those with malicious intent and recent headlines have shown repeatedly that companies of all shapes and sizes fall short in protecting the data that they hold, or that trusted members of staff will sometimes take data that does not belong to them.  How much data will be retained and subsequently placed at risk? How much data is requested and used? How invaluable or disposable is that data?

Who watches the watchmen?

We’d like to think that the individuals and organisations charged with protecting our freedom are dependable and beyond reproach but recent headlines again show this is not always the case.  From abusing privileges for personal gain to seemingly endemic illegitimate snooping, hardly a month goes by where one authority or another is not called upon to answer for their behaviour.

Even amongst those tasked at the highest levels to steer the nation, define our laws, and protect the economic wellbeing of the country there is a well documented history of scandal and deviancy.  Many in Parliament and Government voiced concern that they did not have adequate opportunity to evaluate the bill, others have demonstrated that they have only a weak grasp of technology.  Are these individuals best placed to determine the validity of a privacy directive?

TL;DR

At every level there seems to be a shortfall in ability and trust.  Without proven ability to protect our personal data there should be oversight and governance.  Without confidence in those tasked with safeguarding our privacy there should be transparency and answerability.

The DRIP Bill and the harvesting of communication data that it governs are probably necessary, but it could probably be done better and in a way that doesn’t leave so many unanswered questions.