UK internet service providers will be invited to tender for a British government scheme to monitor all internet communications and telecommunications.
Under the proposed Interception Modernisation Program (IMP), internet service providers (ISPs) would be required to link 'black boxes' to their servers to record all internet traffic, including details of emails, VoIP telephone conversations, instant messages and browsing habits. Telephone conversations would also be monitored.
The traffic data would then be siphoned into a centralised database, enabling the government to monitor all business and domestic internet and telephone communications. According to insiders, some ISPs have already been pitching to the Home Office to provide the 'black boxes' to record the data.
The Home Office and GCHQ have applied to central government for funding for the scheme. Answering a written question posed by Lord Northesk last month, Admiral West, the parliamentary undersecretary of state for security and an adviser to Gordon Brown, gave details of the funding request last week.
According to West, as part of the 2007 Comprehensive Spending Review (CSR), "a central bid was made to HM Treasury on behalf of the security and intelligence agencies. Funding for IMP was included in the bid, and the exact programme allocation across the CSR years is currently being finalised between the Home Office and HM Treasury."
Funding would be for three years. University of Cambridge security expert Richard Clayton told ZDNet.com.au sister site ZDNet.co.uk that putting state-of-the-art surveillance devices into all UK ISPs would be "likely to cost quite a lot". As a consequence, Clayton said the government plans to deploy the system at one ISP initially.
West confirmed that the government would be conducting a "feasibility study" for the surveillance of ISPs and for the centralised communications database, up to 2010.
"A significant proportion of the programme investment over the Comprehensive Spending Review period will be used to test feasibility and reduce the risk associated with implementing the proposed IMP solution," said West. "The private sector is likely to play a major role in this work and the programme will be conducting a competitive tender and entering commercial negotiations to commission its services."
However, peers criticised the government proposals. Lord Errol of Hay told ZDNet.co.uk on Tuesday in the UK that the proposals were "incredibly dangerous".
"Part of the problem is that the Home Office would be able to self-authorise to do any searches in the database, which is very dangerous indeed," said Errol. "At the moment, someone checks the access requests."
Clayton agreed with Errol that the proposals were "completely not proportionate". "If the government is going to do this, it would be far better to force all mosques, churches, and public houses to fit microphones and tape recorders," he told ZDNet.co.uk. "East Germany used to have a comparable system."
At present, surveillance information can be requested from ISPs by law-enforcement agencies, but those requests can be queried by the ISPs concerned. According to Clayton, a centralised database without such a check may contravene existing data-protection legislation, so the government would need to change the law to make the database legal.
"At the moment, the centralised database and self-authorisation would be illegal under the Data Protection Act," said Clayton. "The draft Communications Data Bill will contain clauses to make this legal."
Lord Errol agreed that the only reason to bring the Communications Data Bill in as primary, rather than secondary, legislation would be to legalise the government plans - secondary legislation would have to conform to existing data-protection laws.
"The Communications Data Bill has to be producing something new - the Home Office is going after some new powers," said Errol. "They have all of the powers they want, except for being able to bring all of the data together at the Home Office."
The Home Office on Tuesday confirmed that it was seeking to introduce a centralised database of communications data, but said the plans were at the proposal stage.
"The changes to the way we communicate, due particularly to the internet revolution, will increasingly undermine our current capabilities to obtain communications data - essential for counter-terrorism and investigation of crime purpose[s] - and use it to protect the public," stated a Home Office spokesperson. "Proposals are being developed and full details of the draft Bill will be released later this year, allowing for full engagement with Parliament and the public."
The Home Office spokesperson admitted that primary legislation would be necessary to legalise a self-authorised, centralised database. "That is why we're introducing primary legislation," the spokesperson told ZDNet.co.uk. However, the spokesperson again added that, at present, these are proposals rather than plans.
Privacy watchdog the Information Commissioner's Office (ICO) said it had "grave questions about the acceptability of such a scheme".
"In the fight against evil, we must not ride roughshod over our liberties," said Richard Thomas in a speech on Tuesday. "Every phone call, email, internet search and online transaction would be monitored. Even the possibility of such a scheme needs the fullest debate before becoming legislation."
Thomas declined to comment as to whether the Home Office proposals were legal under current data-protection law, and refused to comment any further about his concerns.
The ICO had not been consulted by the Home Office over the communications-database plans, said an ICO insider.
Then again, private companies are already doing this to an extent. When you ring many of them you get the big warning, "Your call will be monitored for quality and coaching purposes."
"Coaching" seems meaningful enough but what about "quality" - that could mean a number of things and a lack of a specific definition could mean that a company could use the sound recording for a number of reasons.
Only difference here is that the UK Government will have access to recordings of phone calls - mostly likely inbound as well as outbound and your e-mails as well.
What happens though if you own your own mail server and send an e-mail to someone who also owns their own mail server? How is the message intercepted by your ISP? And what if the message is encrypted?
Now the $64 question - how long before the US and Australia make the same move?