FIPR Release 16/10/2001: EMERGENCY POWERS ALLOW MASS-SURVEILLANCE FOR NON-TERRORIST INVESTIGATIONS

Caspar Bowden cb at fipr.org
Tue Oct 16 18:26:02 EDT 2001


FIPR Press release: FOR IMMEDIATE USE : 16th October 2001

EMERGENCY POWERS ALLOW MASS-SURVEILLANCE FOR NON-TERRORIST
INVESTIGATIONS
========================================================================

*) Home Office undecided whether ISP data retention to be voluntary or
compulsory 

*) Data revealing who you talk to, what you read, where you are,
collected for "national security"

*) Data can be trawled for public order, minor crimes, tax, health and
safety

*) E-Commerce to bear open-ended storage and data-protection compliance
costs

========================================================================


As part of an emergency package of anti-terrorism measures, Home
Secretary David Blunkett announced yesterday (Note 3) that Internet
Service Providers would be "enabled" to retain logs detailing the online
activity of their customers (but NOT the contents of communications).

Data protection legislation (Note 4) currently protects electronic
privacy by prohibiting blanket storage by ISPs of logs recording such
details as websites browsed, To and From addresses of e-mails, and which
'newsgroup' articles are read by a subscriber. Other "communications
data", such as the telephone number used to dial-up the Internet, may be
kept so long as it is relevant to billing or fraud control.

Although Mr. Blunkett's use of the word "enable" (rather than "require")
implied that compliance will be at the ISP's discretion, the lead
official told FIPR that retention may be made compulsory, enforced
through civil law. The same source said a ministerial certificate will
assert "national security" exemptions (Note 5) so that ISPs and
telephone companies will not be in breach of European Directives. The
government will only specify later exactly what data may be collected
and for how long in a Code of Practice in consultation with ISPs. 

No new legislation is necessary for police and intelligence agencies to
collect the data once it is recorded by ISPs and telephone companies. 
The Regulation of Investigatory Powers (RIP) Act 2000 (Note 5) allows
records to be obtained for broad purposes including tax, health and
safety, public order offences and minor crime. Although "communications
data" provides a complete map of private life, revealing who you talk
to, what you read, and where you go, the authorities can rubber-stamp
compilation and trawling of large and detailed databases. In contrast,
inspection of the contents of a single e-mail requires a warrant from a
Secretary of State, and a search for documents requires a court order.

Bulk requests can be made on groups or the history of an individual and
kept by police and intelligence agencies indefinitely under data
protection exemptions. This includes the exact co-ordinates of your
geographic location - which 3rd-generation mobiles produce continuously
whilst the phone is switched on.

Computerised 'traffic analysis' (tracing links between individuals) is a
powerful new form of mass-surveillance, but is only efficient at keeping
tabs on the law-abiding. Professional terrorists know how to cover their
tracks - for example throw-away use of pre-paid mobile phones. Reports
of the modus operandi of the September 11th terrorists indicate they
used Web-based e-mail from public terminals. Clearly it is not
persuasive to argue for privacy to be sacrificed in the name of fighting
terrorism if the measures would not in fact be effective.

A leaked report from the National Criminal Intelligence Service last
year revealed that police and security agencies are nevertheless
pressing for a mandatory data retention law to warehouse the traffic
data of the entire population for several years
(http://cryptome.org/ncis-carnivore.htm). Blunkett's proposals amount to
blanket 'dataveillance' for non-terrorist investigations, using the
tragic events of Sep 11 as justification.

Providers of e-commerce authentication services could be affected as
well as ISPs and telcos. Anyone offering "provision of access to, and of
facilities for making use of...the transmission of communications" [RIP
S.22(4) & S.1 defs] could face extra costs of providing suitable storage
devices and media, and full compliance with data protection legislation.


Quotes
======

Caspar Bowden, director of Internet think-tank FIPR (Foundation for
Information Policy Research) commented:

"Sensitive data revealing what you read, where you are, and who you talk
to online could be collected in the name of national security. But
Mr. Blunkett intends to allow access to this data for purposes nothing to
do with fighting terrorism. Minor crimes, public order and tax offences,
attendance at demonstrations, even 'health and safety' will be
legitimate reasons to siphon sensitive details of private life into
government databases to be retained indefinitely. This would be in
flagrant breach of the first and second Data Protection Principles."
(Note 6)

Contact for enquiries: 

Caspar Bowden
Foundation for Information Policy Research 
www.fipr.org 
cb at fipr.org
+44(0)20 7354 2333


Notes for editors
-----------------

1. The Foundation for Information Policy Research (www.fipr.org) is a
non-profit think-tank for Internet policy, governed by an independent
Board of Trustees with an Advisory Council of experts.

2. FIPR's analysis of the RIP Act (www.fipr.org/rip) stimulated media
debate, and led to amendments ensuring that people who lose decryption
keys or forget passwords are presumed innocent until proven guilty, and
prohibiting detailed surveillance of web browsing without a full
warrant.

3. Home Office Press Release 15/10/2001: "BLUNKETT OUTLINES FURTHER
ANTI-TERRORIST MEASURES"
(http://wood.ccta.gov.uk/homeoffice/hopress.nsf/50e2456405b67f7d802566b3006819dc/2a5fc6811dec4c7180256ae6004fa4d3?OpenDocument)

3. The Telecommunications Data Protection Directive 1996, implemented in
UK law as SI 2093 (1999). The Office of the Information Commissioner
(contact Iain Bourne) has stated that ISP blanket (i.e. for all
subscribers) logging and retention of online Internet activity is
prohibited. Logging of telephone numbers is permitted whilst relevant
for billing or fraud control.

4. Section 32 of SI 2093 allows a certificate signed by a Minister of
the Crown to over-ride the prohibition on blanket data retention for
National Security purposes
(http://www.hmso.gov.uk/si/si1999/19992093.htm)

5. Regulation of Investigatory Powers Act 2000, Part 1, Chapter 2,
Section 22 (http://www.hmso.gov.uk/acts/acts2000/00023--c.htm#22). This
Part is not yet in force and the relevant Code of Practice is open for
consultation until November 2nd
(http://www.homeoffice.gov.uk/ripa/consultintro.htm)

6. Data Protection Act 1998, Schedule 1
(http://www.hmso.gov.uk/acts/acts1998/80029--l.htm#sch1)



