DoJ, Wikileaks and Twitter: Stones and Glasshouses

There seems to be a degree of outrage on many social media channels about the Department of Justice in the United States obtaining a court order to require the US-based social media platform Twitter, and possibly Facebook and Google as well, to reveal account information about certain users who are alleged to be involved with Wikileaks. There should be no doubt amongst UK social media commentators or users that the law in the UK is more generous to government authorities than anything in the US.

US Law

The court order against Twitter was made under 18 USC §2703(d), which is an order made on application to a magistrate judge (and not a subpoena, as is being widely reported). These orders can only be granted where it is shown by the applicant government entity that there are reasonable grounds for believing that the information it will obtain from the respondent communications providers will be relevant and material to an ongoing criminal investigation. Whilst we are not experts in US law, we believe that orders under 18 USC §2703(d) enable the government entity making the application to obtain what we in the UK would call the communications data (see below) for a particular account from a respondent communications provider and details about the subscriber or customer for that account. The contents of any communication can only be demanded if they are over 180 days old, otherwise another criminal evidence procedure is required. As far as we are aware, in the US there is no federal statutory obligation on communications providers to retain communications data, but 18 USC §2703(f) does provide for data preservation orders.

UK Law

This post explains the relevant UK law, which shows that not only can similar communications data to the Twitter account information sought by the Department of Justice be obtained by government entities in the UK from UK communications providers, but that information can be demanded for much broader purposes than in connection with an ongoing criminal investigation. 

In the Regulation of Investigatory Powers Act 2000 (“RIPA”), “communications data” is defined as being (section 21(4) of RIPA):

(a)  any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted;

(b)  any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person—

(i)  of any postal service or telecommunications service; or

(ii)  in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;

(c)  any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service.

Whilst it is unclear to what extent communications data under RIPA includes web page or other internet usage data, the definition of traffic data was carefully drafted to exclude web page information (rider at s.21(6)).

Whilst communications providers had no standing obligation to retain data under RIPA, a designated person (as defined in sections 25(1) and (2)) may require any telecommunications operator of a telecommunications system that is “in possession of, or be capable of obtaining, any communications data” to obtain that data, if not already in the operator’s possession, and disclose it (section 22(4)).  However, the grounds under RIPA upon which communications data can be ordered to be obtained are the most extensive in any UK legislation.  They include, for example, matters such as “for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department” (section 22(2)(f)).  The original purposes have also been extended by the Regulation of Investigatory Powers (Communications Data) (Additional Functions and Amendment) Order 2006 (all these purposes together being the “RIPA Purposes”).

The scope of these RIPA Purposes was addressed in the Home Office Acquisition and Disclosure of Communications Code of Practice, which came into effect on 1 October 2007 (the “RIPA Code”). The RIPA Code seeks to emphasise that any action by a designated person or a person authorised by them is “necessary and proportionate” (see paragraphs 2.1, 3.5, 3.7, 3.31 and 3.48). However, it does not contain much in the way of guidance on how a designated person is to assess what is “necessary and proportionate”.

Any notice given by the delegated person to a communications provider is only valid for a maximum of one month (section 23(4)), but it would appear that under RIPA the acquisition period for the relevant communications data which is the subject of the notice can be unlimited.  The RIPA Code states that any notice must give the start date and end date for the acquisition of data, but with limits on future end dates, so that where a notice relates to the acquisition of communications data that will or may be generated in the future, the future period is restricted to no more than one month from the notice date (paragraph 3.44).

In practice government entities in the UK do not have to consider seeking an order under section 22 of RIPA to preserve communications data, as the UK has for a number of years implemented a data retention regime.  Communications providers in the UK are required to retain communications data under the Data Retention (EC Directive) Regulations 2009 (the “Data Retention Regulations”), which implement Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 (the “Data Retention Directive”) on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. The Regulations do not set out the purposes for data retention, but it is stated in the Data Retention Directive that the intention is to “ensure that the data is available for the purposes of the investigation, detection and prosecution of serious crime” (Art.1(1)) (the “Data Retention Directive Purposes”) (emphasis added).

In the Data Retention Regulations “communications data” is defined as being “traffic data and location data and related data necessary to identify the subscriber or user”.  Traffic data means “data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication” (Regulation 2).  This definition is slightly different from that set out at section 21(4) of RIPA (see above); the clearest differences are that in RIPA location data is expressly included and defined (at sections 21(6) and (7)), and the broader definition of traffic data.  In particular, the definition of traffic data in the Data Retention Regulations does not exclude from the definition of traffic data, data to the level of web page information.

Under the Data Retention Regulations public communications providers are required to retain the communications data set out in Regulation 4 and the Schedule.  This is generally data necessary: (a) to trace and identify the source of a communication; (b) to identify the destination of a communication; (c) to identify the date, time and duration of a communication; (d) to identify the type of communication; or (e) to identify users’ communication equipment (or what purports to be their equipment).  The retention period for all communications data retained under the Data Retention Regulations is twelve (12) months (Regulation 5).  The Data Retention Regulations do not include an access regime for any retained communications data, but merely state that access may be obtained only in specific cases and as permitted or required by law (Regulation 7).

Other Relevant Legislation

Data Protection Act 1998

The Data Protection Act 1998 (“DPA”) fifth data protection principle (at paragraph 5 of Part I of Schedule 1) provides that personal data shall not be retained for longer than is necessary for the specified and lawful purpose(s) of the data controller.  Consequently, communications providers ought to state in any fair processing notice made available to their customers that communications data is being retained as required by the Regulations and may be disclosed to public authorities permitted to access the communications data under RIPA, even though most of this processing will be exempt from the subject information provisions (as defined at section 27(2) of the DPA) under an exemption in Part IV of the DPA (section 28 (National security) and section 29 (Crime and taxation) being the most obvious).

Communications providers will be relying, in most cases, on the lawful purpose set out in paragraph 5 of Schedule 2 of the DPA (processing necessary for the administration of justice, to carry out statutory functions or functions of the Crown, a Minister of the Crown or a government department or for “the exercise of any other functions of a public nature exercised in the public interest by any person”), or, where the communications data contains sensitive personal data, on the purposes set out at paragraph 7 of Schedule 3 of the DPA (as paragraph 5 of Schedule 2, except without the ‘functions of a public nature exercised in the public interest’ purpose).

Human Rights Act 1998

Article 8(2) of the European Convention of Human Rights (the “Convention”), incorporated into UK law by the Human Rights Act 1998 (“HRA”), provides that “there shall be no interference by a public authority with the exercise of this [Article 8 privacy] right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” (the “Art 8(2) Purposes”).

The principle of retention of communications data for the Data Retention Directive Purposes, which are narrower than the Art 8(2) Purposes, is therefore lawful under the Convention and the HRA. What is open to question is the lawfulness of any of the Data Retention Regulations’ retention periods and the interference with data subjects’ rights to privacy where retention (and access) is carried out for RIPA Purposes that go beyond those set out at Article 8(2).

[We found the post “Thoughts on the DOJ wikileaks/twitter court order” by Christopher Soghoian on his slight paranoia blog interesting – and useful to confirm our understanding of 18 USC § 2703.]

Nothing gets in the way of "National Security"

Some of our team, as members of the Society of Computers and Law, argued in the SCL’s response to the Home Office consultation on the Data Retention Regulations that the Home Office had not made out a coherent case for the introduction of a 12 month data retention period for all communications data.  Why 12 months, when the Data Retention Directive allowed for anything up to 24 months, for example?

We had a number of other issues, including about the continuing problems concerning access to any retained data, but none of them were addressed by the Home Office.  Liberty had similar concerns.

It’s all too late now.  In the current climate, anything done in the name of “national security” goes through.  The final regulations were made on 2 April and come into force on 6 April.