GCHQ

New privacy fears as IT challenges delay surveillance oversight body by a year

IT challenges have delayed government plans for an independent body to authorise requests to access the public’s internet and phone records by nearly a year, raising new legal and privacy concerns

Plans to set up an independent body to oversee requests by police, local authorities and other government agencies to access the public’s telephone and internet records are running nearly a year behind schedule, following difficulties in developing the complex IT systems needed to make the new body work.

The Office for Communications Data Authorisations (OCDA), part of the surveillance watchdog IPCO, was due become operation in July this year, but will not now be up and running until at least April 2019, Computer Weekly has learned.

The delay – which has been blamed largely on IT integration challenges – will raise new questions over the legality of the UK’s use of data retention powers after admissions by the government that the current regime is unlawful under European law.

The OCDA, will be responsible for authorising 200,000 requests a year from 600 public bodies to access communications data held by internet service providers (ISPs) and telephone companies on member of the public, according to documents seen by Computer Weekly.

But it faces challenges in integrating its IT systems with incompatible systems used by more than 80 government agencies, and police forces.

A letter from investigatory powers commissioner Adrian Fulford, disclosed in the High Court proceedings, revealed that the timetables for establishing a new body to authorise requests for police and government agencies had slipped until at least April 2019.

“The true extent of the task that needs to be undertaken has only been revealed as the planning has developed and a multiplicity of difficult issues have been identified,” he said. “I greatly regret the continued delay.”

The letter emerged during a judicial review in the High Court brought by human rights group Liberty, which is seeking a declaration that Part 4 of the Investigatory Powers Act – which gives the government powers to order internet and phone companies to retain data on their customers – is illegal under UK law.

Andrew Scurry, head of the investigatory powers unit at the Home Office, disclosed in written evidence that the OCDA faces major challenges building sophisticated IT systems to manage applications from public bodies to access the public’s telephone and internet data.

Police use 29 versions of software

The Home Office official said the OCDA needs access to the IT systems of every public body requesting communications data, which means its own IT systems must be “consistent” with a wide range of incompatible IT systems that are used to process requests to access phone and internet records.

The OCDA will need to integrate its IT systems with those of at least 80 government organisations, many of which will use incompatible software. Police forces, for example, use 29 different versions of software developed by three different suppliers to manage requests for communications data up to the security classification of “official sensitive”, Scurry revealed.

Police forces and other public bodies will also need to update their IT systems, which were developed under the previous surveillance regime, the Regulation of Investigatory Powers Act, to make them compatible with the requirements of the Investigatory Powers Act 2016.

The OCDA will need to invest in specialised computer systems to access secret or top secret material, based on terminals held in a secure environment, which will need to be linked using highly secure cabling.

IT integration most difficult task

“The IT integration is a really significant task,” said Scurry. “It is probably the most difficult part of setting up OCDA. If OCDA were to take shortcuts…it is highly likely that there would be an increase in errors which infringed individuals’ privacy rights.”

Using workarounds, such as rekeying data, was likely to lead to errors, said Scurry. For example, wrongly typing a digit in a telephone number could result in an innocent person having their phone records accessed, showing who they called, when, how often, and potentially a record of their location history from their mobile phone. “Anything that does not involve an existing automated system is more likely to generate errors,” he said.

The OCDA cannot begin work on its IT systems until it finds premises capable of securely storing and handling sensitive material, including top secret material. The building will need to be fitted with secure networks, which may require permission from the Highways Agency to dig up the roads to install the cabling, according to the Home Office evidence. A suitable building has only just been identified, said Fulford.

The OCDA will also need to recruit about 100 staff, who will need to be trained in how to use the new IT systems, and will have to go through security clearance processes, before it can begin its work.

Also, thousands of staff employed by the police and other government agencies, who are familiar with the Regulation of Investigatory Powers Act, will need training in the news processes contained in the Investigatory Powers Act.

Start date impossible to achieve

Scurry added: “As we have looked in more detail at what the IT requirements are, and understood fully how many different systems there are, and what their separate requirements are, and as the planning of sequencing has developed, it has become clear that the initial estimate of the anticipated start date is impossible to achieve.”

The government proposed creating the OCDA, along with other amendments to the Investigatory Powers Act, following a ruling by the European Court of Justice that found that near-identical powers in the UK government’s previous surveillance law, the Data Retention and Investigatory Powers Act (Dripa), were unlawful.

The OCDA will act as an independent body to pre-authorise access to data retained by telephone and internet companies as a result of government retention orders. It will limit the ability of senior police officers, and officials at the Department for Work and Pensions and HM Revenue and Customs, to authorise their own access to communications data.

It was one of a series of amendments to the Investigatory Powers Act on 30 November 2017, which were put to public consultation for eight weeks in a move the government said would address the Act’s “shortcomings”. The amendments have yet to be enacted by parliament.

Corey Stoughton, advocacy director at Liberty, said the government had been unlawfully ordering the retention of sensitive communications data on the UK population for 14 months, and that a delay of another year was a breach of democratic rights.

“The government has admitted that without the independent review the Office for Communications Data Authorisations provides, its regime for holding data on the who, when and where of millions of people’s communications violates our right to privacy,” said Stoughton. “A court ruling made this clear over a year ago.

“It is therefore disturbing that – for no clear reason – the government is asking us to wait yet another full year for it to stop violating our rights. It’s time ministers recognised they aren’t above the law and got on with building a targeted surveillance regime that keeps us safe and protects our democratic rights.”

Read more on Privacy and data protection