Information commissioner Christopher Graham has voiced concerns about the government’s intention to force internet firms to store customer data for 12 months, claiming that no clear justification has been made for this time period.
Graham said while giving evidence to the Draft Investigatory Powers Bill Select Committee on Wednesday that he had seen no evidence from the government justifying such a long retention period, despite the huge privacy fears it poses.
“If you’re going to say: ‘We reserve the right to invade your privacy and by the way this material has to be retained for 12 months,’ you’ve got to make the case of why 12 months,” he said.
“But nowhere in the bill or supporting memoranda have I seen the argument about why 12 months.”
When told by the panel that evidence from police and "other agencies" had suggested that 12 months' old data has proved useful in the past, Graham was still sceptical that this is enough to justify such long-term bulk data retention.
“I would be a little wary if there was one case where information that was 12 months old was useful. I’d still take some persuading that it justified the retention, potentially, of everyone’s [data] for 12 months just in case.”
Graham added that it is hard to gauge whether the proposed bill strikes an appropriate balance between privacy and security.
“We don’t have any real evidence, as opposed to anecdotes, about the utility of the information that is being sought,” he said.
Sunset clause required
Graham also believes that the proposed legislation should contain a ‘sunset clause’ so that parliament reviews the data collection element each year to assess its use and benefits and address any problems it causes.
“If you’re saying to communications service providers: ‘You need to retain everything and we reserve the right to look at it,’ you’re building a huge risk around data security and privacy,” he said.
“Parliament needs to be sure that arrangements remain secure, and one way of doing that is having a rolling sunset clause.”
Graham explained that this is also important given how easy it is for data to be lost or stolen, as witnessed many times over the years.
“The committee shouldn’t concentrate simply on whether or not data use by forces of law and order is appropriate. It’s all just a whole pile of [data] that can get lost or inappropriately accessed from a criminal point of view,” he said.
"Because the risk is created, the legislation has to have safeguards so that it is reviewed and being used as it is intended to be used."
Graham also raised concerns that the government is not being clear about the sort of data is is seeking to access, noting that the examples given in the supporting documents to the bill are actually already available to the authorities.
“The authors of the bill have chosen some very inapt examples of the sort of bulk data sets they want to access for reasons of law and order by giving the telephone directory and electoral register as the two examples. This is bizarre," he said.
“That information is already available. Explicitly, legislation was amended to make sure that information is available to the security services. It doesn’t require this bill to provide that.
"So that then begs the questions: what are these data sets that are so necessary? And if you’re not going to tell us what data sets you are going to access, are you prepared to say what data sets you wouldn’t be prepared to access?"
Graham is just the latest in a long line of technology experts, businesses and privacy campaigners to offer his thoughts on the Investigatory Powers Bill as the government looks to introduce the legislation during 2016.
Users are told that their non-existent 'iPhoneID' is expiring soon
Expansion of SDK intended to expand Amazon Alexa ecosystem
Locky returns from a prolonged rest with two new variants
AMD lambasted over Radeon RX Vega pricing that will add an extra £100 to RX Vega 56 and 64 graphics cards
Company accused of failing to tell anyone that the launch prices were only introductory offers