In the first public admission of its kind, the Home Office's Peter Hill admitted this week that the British government routinely sweeps up the identities of thousands of people in a given area - with a single request to a mobile phone network.
The statement was made during the first hearing of the Joint Committee on the Draft Communications Data Bill, at which Mr Hill (Head of Unit for Pursue Policy and Strategy Unit at the Home Office), Charles Farr (Director of the Office for Security and Counter-Terrorism) and Richard Alcock (Director of the Communications Capability Directorate) gave evidence to support the Home Office's latest legislative attempt to implement mass surveillance in the UK.
Your mobile phone needs to connects to one or more cell towers used by your network in order to function, and it will always seek the strongest signal. This means that if your phone is on and you have it with you, you can be located with a frightening degree of accuracy - in urban areas, sometimes to within a 50 metre radius. Your mobile phone company is required by the EU Data Retention Directive to keep records of every tower you connect to for a twelve-month period. What Peter Hill let slip was that the police can request not only targeted information about a certain individual, but also vast 'dumps' of information about a certain cell tower - potentially sweeping up the location data of hundreds or even thousands of people with a single request.
One recent example of the kind of abuses this practice can facilitate comes from Belarus - in 2010 the entire staff of Charter 97, a local activist organization, was arrested, along with hundreds of protestors who made the mistake of taking their mobile phones to an anti-government protest. The authorities immediately identified everyone who had attended the protest (and presumably a number of people who just happened to be in the area) using cell-tower triangulation, and rounded them up for interrogation.
The legal situation surrounding the proper law enforcement access standard for location data has always been unclear. Access to "communications data?, including the location of mobile phones, has been regulated under Part I Chapter 2 of the Regulation of Investigatory Powers Act since it was brought into force in January 2004. In his 2010 Annual Report, the Interception of Communications Commissioner noted for the first time the total number of requests for communications data; public authorities made a total 552,550 requests. However, the report provides no breakdown of the types or purposes of requests, so it is impossible to tell whether a request is for access to a single individual's phone, or access to one or more cell towers within a given area. In the latter case, the authorities would be grabbing the location data of thousands of unwitting people, but the action would still show up in the IoCC report as a single request. It is therefore currently impossible to ascertain the degree and scope of surveillance by public authorities in the UK.
Information about how cell tower dumps are used by the police and security services and how this activity is regulated is also conspicuously absent from the public domain. There is no paper trail to audit and no published guidance explaining what safeguards are in place to protect against abuse of this powerful tool. In a democratic and informed society it is unacceptable that we have no idea how - and how often - the government accesses information that nearly all of us generate every day by simply carrying our mobile phone around with us. Greater transparency is clearly needed, and we can no longer rely on a single annual report by the IoCC for an accurate picture of surveillance in the UK. A public reporting requirement for telecommunications companies would be an essential first step to improve our understanding of what the state knows about where we are, and what it does with this information.