The Home Office has proposed implementing new laws that would enable all police forces and government departments to prevent citizens and organisations from deleting digital data.
The suggested legislative update would allow authorities to order “the preservation of specified computer data by a person in control of such data”. The proposed “would apply to any data relating to any offence” deemed to be relevant to a criminal investigation, which the data owner would be required to retain for 90 days.
The new law, which the government has proposed adding to the existing Computer Misuse Act (CMA) of 1990, would not automatically enable police to seize the data – which would still require additional and separate authorisation.
“But is intended to allow time for an agency to determine whether the data is relevant to an investigation,” the Home Office said, in its newly published response to a consultation on the CMA.
It added: “Given the wide range of offences where electronic data might be needed during an investigation, we propose that this power should be available to all UK law enforcement agencies, including the National Crime Agency, UK police forces, HM Revenue and Customs and the Serious Fraud Office, and other departments and agencies responsible for tackling crime.
“We also propose that the power should be available for a law-enforcement agency to use in relation to a request from an overseas law enforcement agency, subject to the UK’s existing safeguards for international cooperation.”
Invoking the power of preservation would require a senior officer’s sign-off, and the owner of the data would have the right to lodge a court appeal against the non-deletion order.
“There are very few offences where it would not be conceivable that electronic evidence could be required as part of an investigation, and it is therefore essential that law enforcement agencies are able to require the preservation of existing data by a data owner to prevent that data being deleted,” the government response said.
“Preservation would require the data to be retained by the system owner in an unaltered state, pending a decision on whether a formal request for seizure of the data by a law enforcement agency should be made to a court.”
It added: “Data is preserved voluntarily at the request of law enforcement agencies, and this process works well. However, given the need for electronic evidence to be available for investigations in an increasing number of cases, we believe that it is necessary for the UK’s law enforcement agencies to have access to a power that requires the preservation of data where a person is unwilling to do so voluntarily.”
Following the completion of the CMA – which, even after 33 years on the books, remains the UK’s primary legislation for prosecuting cybercrime – the government has put forward three potential legislative changes it believes would help the law keep pace with technological changes.
Alongside the proposed powers for preservation orders, the Home Office has suggested granting greater powers for law enforcement to take down or take over IP addresses or internet domains. The new powers would also enable authorities to prevent certain domains being registered in the first place, “where it is possible to predict that certain domain names will be created for criminal purposes, perhaps to mimic a business or a government department, for the purpose of committing fraud”.
The department has also proposed creating a “general offence for possessing or using illegally obtained data”.
A secondary consultation is now seeking further feedback on all three proposed new laws, as well as insights into three general areas: the complexities of cross-border cyber offences; ensuring legal differentiation between defensive and offensive cyber activity; and sentencing for cybercrimes.
In his foreword to the response to the initial consultation, security minister Tom Tugendhat wrote: “These are complex issues, and therefore the Home Office will lead a programme to bring stakeholders together to identify how these issues should be addressed to ensure that the UK’s cybersecurity can counter the risks posed by state threats and criminals.”
Sam Trendall is editor of PublicTechnology, where this story first appeared