IMP or CCDP? Who cares, it’s still storing your data

Eye spy image, courtesy of Shutterstock

Eye spy image, courtesy of ShutterstockWith a new moniker and tweaked scope, another version of the Interception Modernisation Programme (IMP) is making its way back on to the UK’s legislative agenda.

Dropping the IMP tag, it’s now the slightly less ominous sounding Communications Capabilities Development Programme (CCDP).

This programme’s resurgence might come as a surprise. When the Labour party was in power and pushing the IMP, the Conservatives and Liberal Democrats were rightfully very critical of it, terming it “reckless”.

When the Conservative-Liberal Democrat coalition was formed in May 2010 and assumed power, one of the commitments they made was:

We will end the storage of internet and email records without good reason.

This promise didn’t last long, and the wheels were officially set in motion back in October 2010 when a programme was added to the Strategic Defence and Security Review to:

Preserve the ability of the security, intelligence and law enforcement agencies to obtain communication data and to intercept communications.

So perhaps the British government has made big changes? Maybe this new programme is different? Unfortunately not, according to Jim Killock, Executive Director at the Open Rights Group:

"Labour's online surveillance plans have hardly changed but have been rebranded. They are just as intrusive and offensive."

Man on phone, courtesy ShutterstockThe Telegraph reports that the CCDP will require mobile and landline telcos and ISPs to create databases to store communications data for a year, for use by security services.

This data will define the “who, when and where” of data subjects, including email addresses, IP addresses, phone numbers, time, location, data sender and recipient.

The Telegraph also notes how bodies like GCHQ, MI5 and MI6 will use the databases to monitor email and text traffic in “real time”.

Importantly, social networking data would be included in the database, including private messages sent on sites like Twitter and online gaming environments like Xbox Live.

While the actual content of calls, texts and emails wouldn’t be stored, it means the companies and law enforcement are brought together in an even closer working relationship and incorporates companies into public policing practices, despite their lack of public accountability and transparency.

Home OfficeAccording to Home Office documents, the plans will be published by the end of April 2012, and implemented by the end of June 2015.

I’m sure more debate will ensue when details are drafted and released. But there are a few concerns at the outset.

Security is a big issue. Although distributing databases around different ISPs and telcos is more secure than the government’s original idea of one huge central database, there are still problems.

The databases would presumably be prize hacking targets, and the resulting collateral impacts for privacy would be huge. Mass disclosures of personal data would compromise a lot of individuals’ rights, especially when data from social networks is included in the pot.

Another big practical concern is the financial burden on ISPs and telcos from this scheme; who will bear the costs?

In an interview with ZDNet, Professor Peter Sommer highlighted some of the costs, including the initial installation of the ‘black box’ interception equipment and the cost of maintaining and regularly updating interception algorithms.

Importantly he raises a poignant question about the scope of the programme:

An ISP only sees a stream of data going into a particular home hub, and the data needs to be sorted out... is it communications data or content? Are you asking ISPs to retain everything?

The agencies already have the ability to obtain and intercept the data they need under existing laws and access processes. So the expensive, unnecessary and draconian tool like the CCDP really is difficult to justify, from a privacy perspective.

The potential for scope creep highlights the disproportionate use of mass surveillance techniques.

Storing everyone’s communications data “just in-case” it comes in useful for an investigation is an inefficient and unjustifiable approach.

Eye spy and man on phone images, courtesy of Shutterstock.