- 10/11/2015
- Posted by: Valerie Vaz MP
- Category: News
The Science & Technology Committee, of which I am a member, has an inquiry the Investigatory Powers Bill and its technological issues and questioned witnesses. here is the exchange of questions with the first panel of witnesses:
Q20 Valerie Vaz: I was interested in your opening remarks about the Bill. Could I ask you to clarify? Are you saying that this Bill is not necessary because you can do whatever the Bill wants you to do anyway?
Matthew Hare: At the back of the Bill is a list of all the things they are going to repeal and replace with the Bill. It is a wide range of different bits of legislation. If today we as a company received a notice requiring us to intercept traffic to a particular IP address, we could do that, as could pretty much any ISP in the UK. I cannot speak as to communication service providers, but the Bill appears to widen the net to include them. Could Twitch deliver this information to you if they were served with a notice? Probably,
but I have no idea.
Q21 Valerie Vaz: Mr Shaw, did you want to say something?
John Shaw: I think you have covered it. The crucial difference with the new Bill is the requirement to hold 12 months of data on everyone all the time. What Matthew was saying was that in response to a particular demand you can track data for a particular situation, but that is very different from the requirement to capture 12 months’ worth of data. That is very new and different in this Bill. It is not just the cost of the data; the exposure of everyone in the UK’s data to people trying to hack it to do bad things with it is a very
meaningful difference.
Valerie Vaz: You touched on data. Are the differences between data and content blurred in this Bill?
John Shaw: Incredibly blurred—in real life. It is not the Bill’s fault; that is the way things are. That is another place where the telecoms analogy does not really help us very much. In a phone call there is a number you dial and then there is what you say when you speak. In terms of communications over the internet, as Matthew was describing, a lot of the time
the data going back and forth is not even what two people are generating between each other; it is a whole bunch of software and services in between sending communications back and forth. What is content, and what is the delivery mechanism and the destination? There is a danger that you would end up having to capture virtually everything in case something within that could be defined as one versus the other.
Q23 Valerie Vaz: That is not clarified in the Bill.
John Shaw: No.
Matthew Hare: The Bill talks about there being, effectively, three layers: stuff that is clearly the address; stuff that is clearly content; and stuff that could be one or the other. The Bill talks about those three different things and how you need to treat them differently. I accept that it does. The problem is that the real world is a bit tricky, and it will be different tomorrow from what it is today.
Q24 Valerie Vaz: In reality, there is no difference between the two.
Matthew Hare: For some things it is very clear. If you are watching a movie on Netflix, receiving that movie is clearly content. If you happened to be resizing your screen you might be passing code back to Netflix about something you wanted to pass across the internet, because every time you resize your screen it sends control information back to Netflix.
Matthew Hare: For some things it is very clear. If you are watching a movie on Netflix, receiving that movie is clearly content. If you happened to be resizing your screen you might be passing code back to Netflix about something you wanted to pass across the internet, because every time you resize your screen it sends control information back to Netflix.
John Shaw: Which is a communication.
Q25 Valerie Vaz: To take the 16 year-old hacker, TalkTalk say it is okay; it is just data, not content. That is not true. Effectively, a 16-year-old hacker can get into all our data and our content.
James Blessing: We are conflating two things. Once you have captured the
communications data it becomes content. You capture it and then you put it into a database and it becomes information, because it is content about the communication. Once it becomes part of the database it becomes content and it becomes very attractive to anybody who wants to use it for nefarious matters, or just to have some fun.
John Shaw: The fact that you bank with HSBC, which you can deduce, in anyone’s definition, as communications data, is then meaningful information about you, which will have to be stored.
Q26 Valerie Vaz: Were you aware of the handling arrangements for bulk personal databases that came into effect on 4 November?
Matthew Hare: Which regulation?
Valerie Vaz: It came into force on 4 November this year just as the draft Bill was published. It is about the handling arrangements for bulk personal databases. Are you not aware of that? I am not expecting that you should be.