In a new report, Parliament's Intelligence and Security Committee (ISC) said that there was a "significant" gap between what communications data the agencies need access to and what CSPs currently retain for "internal business reasons".
However, it said that the exact size of the gap had not been determined and issued a thinly disguised criticism of the Government for the way it has provided "superficially precise estimates" of the extent of the gap.
The ISC's report assessed the access to communications data by the intelligence and security agencies and reviewed the draft Communications Data Bill that has been proposed by the Government. The Committee said the provisions in the Bill would affect "several hundred" communications service providers in the UK.
Communications data is a term that refers to information associated with communications, such as the time of communications, the location in which communications are initiated and received as well as the phone numbers or IP addresses of those communicating. It does not refer to the contents of those communications.
Last year the Home Office published the draft Bill that would, if introduced, place new requirements on businesses that transmit "communications by any means involving the use of electrical or electro-magnetic energy" to retain 'communications data'. Under the Bill law enforcement bodies, subject to particular procedures and safeguards, would have access to the information in order to protect the UK's national security and prevent or detect crime, among other 'permitted purposes'.
The Government has sought to justify the new Bill by claiming that existing powers of surveillance available are insufficient to enable the intelligence and security agencies to track criminal activity. It said that 25% of communications cannot be accessed due to those limitations in the current framework. However, the projection has drawn criticism from politicians and campaigners that are opposed to the plans on privacy grounds.
The ISC said that the Government should consider being more specific about the kind of data that CSPs would be required to retain under the Bill.
"We recognise that the draft Bill is deliberately broad in order both to permit future-proofing of the legislation against technological change and not to reveal gaps in operational capability," the Committee said in its report. "However, this is causing considerable concern for the Communications Service Providers, and also Parliament and the public."
"We therefore welcome the decision by the Home Office to make public information on the three core elements of the gap: subscriber details showing who is using an Internet Protocol address; data identifying which internet services or websites are being accessed; and data from overseas Communications Service Providers which provide services such as webmail and social networking to users in the UK. This is a positive step. However, we recommend that more thought is given as to whether this can be reflected on the face of the Bill," it added.
The ISC said, though, that some information had to remain private because it would, if made public, "reveal which companies’ services or applications can be used with the least risk of detection".
The Committee said that it was "essential" that the UK's intelligence and security agencies have the ability to access communications data because other methods of investigating serious crime, such as surveillance monitoring and the use of informants are "not like-for-like substitutes, are more intrusive and therefore not always justifiable, and are far more resource-intensive". It said that the drafting of new laws was the best way to ensure that the 'capability gap' currently experienced by the agencies could be closed.
The Government has admitted that it may not be able to convince CPSs based overseas to provide UK intelligence and security agencies with access to the communications data they collect.
The ISC report said, though, that the Government would agree with UK-based CSPs that they would "place ‘probes’ on their network(s)" in order to collect the data relating to communications with overseas CPSs as the information "traverses to the end user". The Government, the UK's lead intelligence agency GCHQ and a Government supplier of the 'deep packet inspection' (DPI) technology are all "confident" that the use of DPI will not expose the content of communications, the ISC said.
Late last year Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, told Out-Law.com that DPI technology is used by "repressive" Governments around the world to monitor citizens' communications and that it is either "clueless or recklessly dishonest" to claim that DPI operations respect privacy.
The ISC said that the Communications Data Bill should be altered to make clear that Government should have to "demonstrate due diligence before resorting to the use of Deep Packet Inspection to collect communications data from overseas communications service providers".
The Committee also backed a new system that could be utilised by the intelligence and security agencies under the Bill to pool together communications data from different CSPs and filter for only the information they need.