Most UK carriers give cops automated access to customer call records

Most of the U.K.’s big mobile carriers give the police automated access to their customers’ metadata, the Guardian reported on Friday.

British data retention laws, notably the Regulation of Investigatory Powers Act (RIPA), ensure that operators must hang onto call records so they can be queried without a warrant by the authorities — but they don’t say the cops should get direct access. Nonetheless, that seems to be what EE, Vodafone and Three allow, with O2 being the only standout.

The Guardian compared this direct-access program with the Prism scheme in the U.S. Indeed, though Edward Snowden’s revelations have been wide-ranging, the first one to emerge was about the NSA accessing Verizon call records — more of a scandal in the U.S., which doesn’t have U.K.-style data retention laws.

RIPA has recently been implicated as a mechanism for the police to secretly figure out the identity of journalists’ sources. According to a separate Guardian report on Sunday, the government will alter the law so that any requests relating to journalistic sources must be approved by a judge.

As over half a million RIPA requests were made by UK public authorities in 2013 alone, it’s not hard to see why an automated system is preferable for efficiency reasons, though I’d argue that the fact it has to do with customer privacy means the practice is ethically questionable.

“Our policy is to review all the requests we get manually and that’s just the way it works,” an O2 spokeswoman told me on Monday, quite proudly.

Vodafone, meanwhile, said in a statement: “The overwhelming majority of the RIPA notices we receive are processed automatically in accordance with the strict framework set out by RIPA and underpinned by the Code of Practice. This reduces the risk of human error, while ensuring that all written demands sent to us comply with legal due process.

“It also creates an effective audit trail for [the interception of communications watchdog], which provides another level of oversight. Even with a manual process, we cannot look behind the demand to determine whether it is properly authorised.”