The government and security services shouldn’t have “willy-nilly” access to citizens’ digital communications and online activities, the Information Commissioner has warned. Such powers would represent an excessive invasion of privacy, he added.
Christopher Graham made the comments while presenting evidence to a House of Lords Joint Committee on the draft Investigatory Powers Bill. The Committee also heard from ex-NSA technical director William Binney, who claimed that mass surveillance and bulk data collection make preventing terrorism harder, not easier.
The draft Bill – dubbed the “Snooper’s Charter” by critics – was introduced by Home Secretary Theresa May last year. It explicitly authorises security services to bulk-collect personal communications data and makes it illegal to even ask in court whether evidence was obtained via bulk surveillance.
However, Graham warned that the legislation must not give the government carte blanche for collecting and storing citizens’ private data.
“Simply by the fact that we’re all doing business, social actions and communications digitally, wherever we go, whatever we do; like it or not, we leave a digital trail,” he told the Joint Committee, and argued that data protection legislation requires much of this to remain private.
“The challenge for the data protection framework is to make sure that remains private where it should be private or, if it’s accessed and shared, it’s accessed and shared within a regime of data protection where all the rules are agreed,” he continued.
Graham told the Committee that it shouldn’t be the case that the state can access all of a citizen’s private data, just because it wants the power to do so.
“What I’m not prepared to sign up to is the suggestion that willy-nilly, the state ultimately always has a right to access all that, just because it can and salus populi suprema lex [Latin: The welfare of the people shall be the supreme law] and all that,” he said.
According to Graham, any legislation must be repeatedly re-evaluated to ensure that citizens’ information is not passed between different agencies without any regard for their privacy.
“There has got to be constant making the case for the necessity and proportionality of anything which invades our privacy,” he said, arguing that this should apply to the government, corporations, the health service and intelligence agencies.
“I’m not pretending that challenge isn’t there, I’m just saying we’ve got to always be clear that the rules under which that information is accessed have integrity and are closely followed,” Graham added.
The Information Commissioner also told the panel that he had concerns about plans for a 12-month retention period for all web and communications data, arguing that the timeframe is arbitrary and the draft Bill doesn’t explain why this timeframe is necessary.
“Those who are putting forward this bill are not explaining what 12 months is about; why 12 months? If you’re going to say we reserve the right to invade your privacy – and by the way this material has to be retained for 12 months – you’ve got to make the case for why 12 months,” he said, adding: “Nowhere in the Bill or the supporting memoranda have I seen the supporting argument why it’s 12 months”.
“It’s not for me to say ‘I think 12 months is wrong or right’, or if another figure is appropriate, because I’m not the one seeking the powers. I’m not the one knowing what they want to do with the information; I’m not the one who knows how the information is being used,” Graham continued.
“I understand that there has to be some care, but nowhere in this 296-page package is the case actually made for 12 months,” he concluded.
Previously, MPs have been warned that the Investigatory Powers Bill represents a government right to hack and a risk to British business.