[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


------- Forwarded message follows -------
From:           	"Caspar Bowden" <cb@fipr.org>
To:             	<cb@fipr.org>
Date sent:      	Tue, 16 Oct 2001 15:13:41 +0100
Send reply to:  	ukcrypto@chiark.greenend.org.uk

Press release: FOR IMMEDIATE USE : 16th October 2001

== =

*) Home Office undecided whether ISP data retention to be voluntary or

*) Data revealing who you talk to, what you read, where you are,
collected for "national security"

*) Data can be trawled for public order, minor crimes, tax, health and

*) E-Commerce to bear open-ended storage and data-protection
compliance costs

== =====

As part of an emergency package of anti-terrorism measures, Home
Secretary David Blunkett announced yesterday (Note 3) that Internet
Service Providers would be "enabled" to retain logs detailing the
online activity of their customers (but NOT the contents of

Data protection legislation (Note 4) currently protects electronic
privacy by prohibiting blanket storage by ISPs of logs recording such
details as websites browsed, To and From addresses of e-mails, and
which 'newsgroup' articles are read by a subscriber. Other
"communications data", such as the telephone number used to dial-up
the Internet, may be kept so long as it is relevant to billing or
fraud control.

Although Mr.Blunkett's use of the word "enable" (rather than
"require") implied that compliance will be at the ISP's discretion,
the lead official told FIPR that retention may be made compulsory,
enforced through civil law. The same source said a ministerial
certificate will assert "national security" exemptions (Note 5) so
that ISPs and telephone companies will not be in breach of European
Directives. The government will only specify later exactly what data
may be collected and for how long in a Code of Practice in
consultation with ISPs. 

No new legislation is necessary for police and intelligence agencies
to collect the data once it is recorded by ISPs and telephone
companies. The Regulation of Investigatory Powers (RIP) Act 2000 (Note
5) allows records to be obtained for broad purposes including tax,
health and safety, public order offences and minor crime. Although
"communications data" provides a complete map of private life,
revealing who you talk to, what you read, and where you go, the
authorities can rubber-stamp compilation and trawling of large and
detailed databases. In contrast, inspection of the contents of a
single e-mail requires a warrant from a Secretary of State, and a
search for documents requires a court order.

Bulk requests can be made on groups or the history of an individual
and kept by police and intelligence agencies indefinitely under data
protection exemptions. This includes the exact co-ordinates of your
geographic location - which 3rd-generation mobiles produce
continuously whilst the phone is switched on.

Computerised 'traffic analysis' (tracing links between individuals) is
a powerful new form of mass-surveillance, but is only efficient at
keeping tabs on the law-abiding. Professional terrorists know how to
cover their tracks - for example throw-away use of pre-paid mobile
phones. Reports of the modus operandi of the September 11th terrorists
indicate they used Web-based e-mail from public terminals. Clearly it
is not persuasive to argue for privacy to be sacrificed in the name of
fighting terrorism if the measures would not in fact be effective.

A leaked report from the National Criminal Intelligence Servcie last
year revealed that police and security agencies are nevertheless
pressing for a mandatory data retention law to warehouse the traffic
data of the entire population for several years
(http://cryptome.org/ncis-carnivore.htm). Blunkett's proposals amount
to blanket 'dataveillance' for non-terrorist investigations, using the
the tragic events of Sep 11 as justification.

Providers of e-commerce authentication services could be affected as
well as ISPs and telcos. Anyone offering "provision of access to, and
of facilities for making use of...the transmission of communications"
[RIP S.22(4) & S.1 defs] could face extra costs of providing suitable
storage devices and media, and full compliance with data protection


Caspar Bowden, director of Internet think-tank FIPR (Foundation for
Information Policy Research) commented:

"Sensitive data revealing what you read, where you are, and who you
talk to online could be collected in the name of national security.
But Mr.Blunkett intends to allow access to this data for purposes
nothing to do with fighting terrorism. Minor crimes, public order and
tax offences, attendance at demonstrations, even 'health and safety'
will be legitimate reasons to siphon sensitive details of private life
into government databases to be retained indefinitely. This would be
in flagrant breach of the first and second Data Protection

Contact for enquiries: 

Caspar Bowden
Foundation for Information Policy Research 
+44(0)20 7354 2333

Notes for editors

1. The Foundation for Information Policy Research (www.fipr.org), is a
non-profit think-tank for Internet policy, governed by an independent
Board of Trustees with an Advisory Council of experts.

2. FIPR's analysis of the RIP Act (www.fipr.org/rip) stimulated media
debate, and led to amendments ensuring that people who lose decryption
keys or forget passwords are presumed innocent until proven guilty,
and prohibiting detailed surveillance of web browsing without a full

3. Home Office Press Release 15/10/2001: "BLUNKETT OUTLINES FURTHER
b3 006819dc/2a5fc6811dec4c7180256ae6004fa4d3?OpenDocument)

3. The Telecommunications Data Protection Directive 1996, implemented
in UK law as SI 2093 (1999). The Office of the Information
Commissioner (contact Iain Bourne) has stated that ISP blanket (i.e.
for all subscribers) logging and retention of online Internet activity
is prohibited. Logging of telephone numbers is permitted whilst
relevant for billing or fraud control.

4. Section 32. of SI 2093 allows a certificate signed by a Minister of
the Crown to over-ride the prohibition on blanket data retention for
National Security purposes

5. Regulation of Investigatory Powers Act 2000, Part.1 Chapter.2,
Section 22 (http://www.hmso.gov.uk/acts/acts2000/00023--c.htm#22).
This Part is not yet in force and the relevant Code of Practice is
open for consultation until November 2nd

6. Data Protection Act 1998, Schedule 1,

------- End of forwarded message -------