Three of Britain’s four mobile phone networks – EE, Vodafone and Three – are providing call records to police forces across the UK on request at the click of a mouse, according to a new investigation.
The data is handed over without a warrant or any other safeguards under the Regulation of Investigatory Powers Act (RIPA), which was introduced in 2000. RIPA is also the enabling act that allows GCHQ to conduct mass surveillance of people’s web activity.
The law has called into question after police used it to identify journalists’ sources in the story over former Liberal Democrat MP Chris Huhne’s speeding fine.
Mobile operators are legally obliged to store one year of call records of all of their customers, which police forces and other agencies can then access without a warrant under RIPA. The proposed Communications Data Bill, which is an implementation of a 2006 EU directive, would extend this to internet activity and, therefore, make people’s web browsing available to police under RIPA without a warrant.
The Communications Data Bill was put forward by Home Secretary Theresa May at the Conservative Party conference in September as an essential tool in the “war against terrorism” – although attempts to introduce it have already been twice defeated in the House of Commons after vociferous protests by privacy campaigners.
Documents from software providers and interviews with mobile phone company staff by The Guardian newspaper, however, have revealed how easy it has become for police to access any phone record held by EE, Vodafone or Three. The “vast majority” of records demand by the police, according to The Guardian, are delivered via an automated system without staff even needing to vet the requests.
“In the automated systems used by the phone companies, police officers seeking phone records must gain permission from another officer on the same force, who then enters the details into an online form. That mirrors the US Prism programme, revealed by Edward Snowden, which in effect created a backdoor into the products of US tech corporations. In the vast majority of cases, the information is then delivered without any further human role,” claims The Guardian.
Software for the systems used by police forces is provided by a company called Charter Systems. The company’s software enables police to access data from multiple phone operators with just one request.
Eric King, deputy director of Privacy International, warned that the telecoms operators were “essentially already provid[ing] law enforcement with the joined-up databases they claimed they didn’t have when pushing for the ‘snooper’s charter’.”
The three mobile phone operators have all admitted that they offer the police this automated access to their customers’ call records, with O2 the only operator handling the requests manually on a case-by-case basis. A spokesperson for Three claimed that it was obliged to provide such access to the police by law.
The big question is, of course, whether the same kind of automatic computer access will be provided to the police when the government passes the Communications Data Bill.
That will oblige all internet service providers in the UK to retain all web-surfing records of all of their customers so that the police can access the details.