In late November, UK Home Secretary Theresa May introduced a bill in Parliament that, if enacted, will give sweeping new powers to the UK Home Office and police forces in the name of counter-terrorism. The legislation—known as the draft Counter-Terrorism and Security Bill—would, among other things, enable the government authorities to bar British citizens who take part in “terrorism-related activity” abroad from returning home to the UK, and it would give the Home Office the power to censure universities that allow “extremists” speakers to give talks on campus.
Building on our previous expert comments regarding anti-terrorism legislation adopted in the UK last summer, CDT has submitted comments to the House of Commons’ Home Affairs Committee about one aspect of the bill that we believe is particularly problematic: the power it would grant to the Home Office to compel Internet and telecommunications companies to take part in its dragnet “IP-matching” program.
The “IP-matching” proposal seeks to create an unprecedented system of Internet traffic identification, one that would allow any online communication that passes through the UK’s Internet infrastructure to be traced to a single device or individual user. Leaving aside the question of how technologically feasible the proposal is, CDT believes that “IP-matching” and other invasive surveillance programs raise serious human rights concerns and should be rejected by the UK Parliament.
As explained in our comments, Internet Protocol (IP) addresses are used to route traffic to devices and individual users on the Internet, much like a telephone number is used to route calls to a particular phone. Unlike in a phone directory, however, an Internet user is not more or less permanently associated with a particular IP address, and in fact may receive a different address at different times and between different e-mailing or web browsing sessions.
The UK’s proposed “IP-matching” regime could (if the Home Secretary orders) require Internet access providers to maintain records of all of these “dynamic” IP address allocations made to each subscriber over the course of a year. It would also empower the Home Secretary to require all “Internet communications services”—essentially any website or online service provider that allows individuals to communicate, including email providers, social media sites, and user-generated content platforms—to keep records of the IP addresses associated with communications made through their service. In other words, social media sites would need to log the IP address associated with every comment, photo upload, or other communication posted on their site. Law-enforcement officials would then have easy access to databases that would allow them to “match” the IP address associated with a comment on a website to the subscriber information maintained by the Internet access provider.
As CDT has explained to Parliament, we believe this sort of “IP-matching” regime undermines the privacy and free expression rights of millions of end users who are not suspected of a connection to terrorism or any other criminal activity. This bill would violate the right to respect for private life and correspondence found in Article 8 of the European Convention on Human Rights, as well as the right to the protection of personal data found in Article 8 of the EU Charter of Fundamental Rights.
In our view, it would also undermine the freedom of speech. A system in which anonymous or pseudonymous online communications can be easily linked back to individuals limits their freedom to engage in private communications as a matter of course; furthermore, Internet users in the UK would feel reluctant to access wholly lawful but sensitive information online if they knew that their visit would be recorded and maintained in a re-identifiable form for a year. Studies have demonstrated that data retention regimes in Europe have significantly diminished citizensʼ willingness to discuss and obtain information about personal issues such as mental health or marriage counselling—creating a “chilling effect” on their freedom of speech, including both the right to receive and impart information.
Providers of Internet access and other online services should not be required to retain vast amounts of data that increase their subscribers and users’ exposure to risks, including unwarranted surveillance and data or identity theft. As we have argued in our submission, discrete data-preservation orders issued as part of specific criminal investigations can provide law enforcement with the same powers to ensure community security without exposing Internet users to serious infringements on their privacy and free expression rights.
Full comments here.