Data-Privacy-200The UK government inquiry into whether it conducts mass surveillance and the legality of such an effort has recommended tighter controls on access to communications metadata.

The inquiry finds that mass surveillance capabilities exist in the UK, but are used appropriately. The inquiry also rejects use of the term “metadata”, which it feels is not helpful because it is too vague. Instead the UK prefers the term “Content-Derived Information” because it is felt a more nuanced approach to the collection of data about communications is required.

The report offers the four-level definitions of data that can be gleaned from details of an individual’s electronic communications. The report goes on to say that Communications Data Plus “would encompass details of web domains visited or the locational tracking information in a smartphone” and to make the following observation about how it should be handled: “However, there are legitimate concerns that certain categories of Communications Data – what we have called ‘Communications Data Plus’ – have the potential to reveal details about a person’s private life (i.e. their habits, preferences and lifestyle) that are more intrusive. This category of information requires greater safeguards than the basic ‘who, when and where’ of a communication.

The report says it has no problem with UK intelligence agencies collecting communications data through intercepts and does not recommend tighter controls on its collection and use. The call for more safeguards on Communications Data Plus is therefore notable in the Australian context, as the antipodean communications data collection proposal requires no warrant for access.

The UK report also says local legislation should therefore define three levels of metadata, under the following definitions:  Communications Data should be restricted to basic information about a communication, rather than data, which would reveal a person’s habits, preferences or lifestyle choices.  This should be limited to basic information such as identifiers (email address, telephone number, username, IP address), dates, times, approximate location, and subscriber information. Communications Data Plus would include a more detailed class of information, which could reveal private information about a person’s habits, preferences or lifestyle choices, such as websites visited. Such data is more intrusive and therefore should attract greater safeguards.  Content-Derived Information would include all information, which the Agencies are able to generate from a communication by analyzing or processing the content. This would continue to be treated as content in the legislation. It’s hard to see its suggestions on a finer classification of metadata being followed, if only because the call for “greater safeguards” is vague and hard to follow.  The register

Source:  Cyber Security Intelligence