[FYI] (Fwd) FIPR wants Big Browser scenarios

From:           	"Caspar Bowden" <cb@fipr.org>
To:             	"Ukcrypto \(E-mail\)" <ukcrypto@maillist.ox.ac.uk>,
Subject:        	FIPR wants Big Browser scenarios
Date sent:      	Sat, 27 May 2000 08:33:22 +0100
Send reply to:  	ukcrypto@maillist.ox.ac.uk

FIPR is trying to develop briefing material which elucidates for
non-techies the risks to privacy of the "Big Browser" that RIP will
enable (and that will provide good arguments for using
traffic-analysis-defeating methods involving crypto):

[There are important new arguments for requiring prior judicial
authorisation for access to Internet communications data. The
explosive growth of e-commerce, coupled with anticipated high
penetration of interactive digital television and third-generation
mobile phones, means that the Internet is on the verge of becoming a
single conduit carrying comprehensive transaction data tracing
virtually every facet of private life, which previously was scattered
on separate utility, bank, credit-card, library, and
telecommunications billing computers, if indeed they were recorded at
all. The Home Office has made clear that it classes Internet audit
trails, including lists of e-mail correspondents and web sites
browsed, as communications data (rather than content). If, as seems
likely, the Internet in time subsumes both television and written
information sources, under the RIP Bill it will be lawful for any
public authority to obtain comprehensive details of what any person
has read, watched, and who they have corresponded with, without a
ministerial or judicial warrant.

It is relevant that a current de facto safeguard, that such data can
only be obtained by police request on presenting a data controller
with satisfactory evidence that a Data Protection Act (s.29) exemption
applies, is abolished. If the power of interception were implemented
as envisaged by the Smith Report, it would be both lawful and feasible
for such communications data to be obtained instantaneously, remotely,
and secretly by the same apparatus: the "black-boxes" installed at
ISPs, linked to the GTAC monitoring centre.

Moreover, rapid advances in computing power now permit warehousing and
"traffic-analysis" of unlimited quantities of communications data by
automated tools[7] that derive "friendship trees" and can detect
patterns of association between individuals and groups using
sophisticated artificial intelligence programming. This method can be
considered as a "suspicion-engine" which can identify new targets of
investigation with complete generality – without any access to the
content of communications – but which could subsequently serve as the
basis for an interception warrant.

In summary, the combination of:

.) an interception infrastructure linking all data carriers (for
feasible cost) to a central monitoring facility capable of remotely
selecting traffic and content

.) traffic-analysis tools which make intelligent inferences from
patterns of association matched to arbitrary criteria

.) a legal power of self-authorisation, without prior judicial
approval

can justifiably be regarded as the emergence of a powerful new form of
mass-surveillance.

It should be emphasised that whilst GCHQ performs broad-spectrum
processing of both the content and traffic patterns of external
communications, mass-surveillance of domestic communications is
legally unprecedented in peacetime.

We wish to emphasise that it is not our view that RIP was drafted with
this intention – however it is sobering to realise that proposals
modestly billed as "updating and modernising existing powers", would
in fact legitimise what an extreme government might seek to achieve.]

. - . - . - .

I'd be very interested in hearing from anyone (or getting a thread
going if not too off-topic) who would like to work on developing
near-future scenarios on how government departments are likely to want
progressively more data, which could lead ineluctably to GTAC
mission-creep involving direct siphoning of traffic data from the ISP.

For an example see "A Perfect Match"
including the rather bald statement buried in the Appendix
"Information was required by the auditor for the NFI 1998 under
Section 6 of the Audit Commission Act 1998 (Ref. 3). Disclosure of the
data to the Audit Commission was exempt from the non-disclosure
provisions of the Data Protection Acts 1984 (Ref. 4) and 1998 (Ref. 5)
Data Protection Act 1984)."

(I think this is now in the new Act S.35. - (1) Personal data are
exempt from the non-disclosure provisions where the disclosure is
required by or under any enactment, by any rule of law or by the order
of a court.)

Caspar Bowden               Tel: +44(0)20 7354 2333
Director, Foundation for Information Policy Research
RIP Information Centre at:    www.fipr.org/rip#media

