About a month ago, Channel 4 News carried a report about the Communications Data Bill which mentioned that
the Home Office has held meetings with the UK’s largest ISPs and mobile network operators, and has given them information about the hardware which companies will have to use to monitor traffic flowing through their systems.
I wondered what that information might be, so I put in a Freedom of Information request about it. In particular, I asked the Home Office to
a) Confirm whether the report is accurate, and, if so,
b) Tell me which ISPs and mobile companies attended these meetings,
andc) Provide me with a copy of all documentation supplied to the ISPs
attending.
The response came back this week. And the answers were interesting – not so much for what they said, but for what they didn’t say.
Firstly, they stated that the C4 report was, in fact, wrong:
the Home Office has not held any meetings to issue hardware or software specifications to any ISPs or mobile network providers as part of the draft Communications Data Bill which was implied in the report.
That was the only straight answer I got. The other two questions weren’t answered directly, because the information was considered to be exempt.
I didn’t get a copy of any documentation supplied to ISPs (or, as the Home office calls them, CSPs – “Communication Service Providers”), because it was deemed to be exempt under the provisions for matters related to law enforcement. I wasn’t particularly surprised to get that response, and I’ve already challenged it by means of a request for an internal review. It’s still a response worth noting, though, because it confirms that material has, in fact, been issued to CSPs. If it had not, there would have been unnecessary to rely on any exemption – the response would be “Information not held”, rather than “Refused”, in terms of the WDTK classifications.
So, at the very least, we’ve established that, even if it hasn’t been in the form of specific meetings as alleged by Channel 4 News, the Home Office has issued at least some material to CSPs which is detailed enough to be considered a threat to law enforcement if made public.
(I’d still quite like to know what’s in that material, even if I’m unsuccessful in my review request. If you work for one of the CSPs that has received it, please feel free to leak it in my direction if you can do so without actually breaking the law).
The other refusal did surprise me a bit, though. I had expected that the list of attendees of any meetings would not be particularly confidential, especially since it’s possible to guess at the identities of the majority of them. But no, I wasn’t to be told. And the reason why not is possibly even more telling:
Providing a list of the ISPs and mobile companies the Government has met with would reveal which communications service providers (CSPs) the Home Office works with. The Home Office has received representations from Industry partners arguing that they should not be publically identified because of the risk that customers would transfer their business to services (or companies) who do not work with the Home Office voluntarily.
The disclosure of the names of those who have worked with the Home Office would cause financial and reputational harm to them.
I think that’s really significant. It seems that the CSPs themselves believe that their customers don’t want them voluntarily cooperating with any online communication monitoring. Or, possibly more plausibly, they believe that even if customers don’t care much now, they will when the extent of that monitoring becomes known. And I think they’re absolutely right.
Why are they cooperating voluntarily at all, then? Well, probably because they know that if they don’t they’ll simply be forced to do so by legislation, and it’s simpler and (more importantly) cheaper just to go along with it anyway without needing too much arm twisting. I don’t particularly blame them for that; that’s the way of the commercial world and choosing the path of least resistance is usually a sensible corporate strategy. Their accountants and lawyers will certainly argue that way, even if their techies disagree.
Whatever the underlying reasons, though, the fact that the CSPs are concerned enough about the potential unpopularity of the proposed monitoring to want confidentiality is a key admission from the Home Office. I don’t think that whoever drafted the response to my FoI request was doing it deliberately, but it has confirmed that they know the proposals are, or are likely to be, unpopular. Unpopular enough that the risk of “financial and reputational harm” to cooperating CSPs outweighs the public interest test when it comes to deciding whether to release their names.
I’ve blogged before on why I think that the Communications Data Bill could be a PR disaster for the government. This response only serves to confirm that. If it will cause reputational harm to CSPs, how much more will it damage the reputation of the government which introduces the legislation? Coalition MPs, I suggest you start agitating now. Your chances of still being in the Commons after the next election could depend on it.