
[FYI] (Fwd) Guardian 15/11/2001: "The net's eyes are watching"




------- Forwarded message follows -------
From:           	"Caspar Bowden" <cb@fipr.org>
To:             	"'Ukcrypto'" <ukcrypto@chiark.greenend.org.uk>
Subject:        	Guardian 15/11/2001: "The net's eyes are watching"
Date sent:      	Thu, 15 Nov 2001 23:35:06 -0000
Send reply to:  	ukcrypto@chiark.greenend.org.uk

http://www.guardian.co.uk/online/story/0,3605,593343,00.html 
The net's eyes are watching 

The new anti-terrorism bill may force internet firms to spy on us. S A
Mathieson reports 

Thursday November 15, 2001
The Guardian 

Anti-terrorism measures announced this week by the home secretary,
David Blunkett, will dramatically increase the amount of information
internet service providers can keep on their customers, the Home
Office has admitted. Part 11 of the emergency anti-terrorism, crime
and security bill, announced on Tuesday, will allow internet service
providers (ISPs) to keep a year's worth of information on their
customers' internet activity. Two reasons are given: safeguarding
national security, and the prevention and detection of crime. 

Most ISPs currently retain such data on emails for, at most, three
months. Others delete it immediately, or within days. None of the ISPs
interviewed by the Guardian say they store data on general
web-browsing against individual accounts. 

Yet the Home Office says the bill is likely to allow the collection
and storage of detailed information about web-browsing as well as
email, subject to a planned voluntary code. 

That would be an extension of monitoring likely to outrage civil
liberties groups and spark protests from internet industry
organisations. 

Blunkett's bill would not oblige ISPs to hoard web browsing
information - yet. But clause 102 allows the home secretary to force traffic
data retention if he feels the voluntary code is failing to work. He
would force compulsory retention through a statutory instrument, a
relatively easy procedure compared with getting a bill through
parliament. 

Under the Regulation of Investigatory Powers (RIP) Act, passed last
year, police and other state investigators such as the Inland Revenue
already have the ability to seize traffic data (see panel). This is
effectively self-regulated, as it requires only the say-so of a police
superintendent or equivalent rank to gather the data. 

Seizures can be justified by minor crimes, tax evasion or health and
safety inquiries, despite Mr Blunkett suggesting in an article for
Tribune, a leftwing weekly newspaper, that the extensions to ISPs'
powers to retain data were only designed to fight terrorism. 

Today, applications for content data - listening to someone's phone
calls, reading the content of their emails or seeing the pages they
download - have to be passed by the home secretary. They are only
allowed for serious crime, threats to national security and
safeguarding national well-being. 

The police see the proposed change as removing an anomaly. Under
current data protection laws, personal information must be deleted
when it is of no further use to the business. The police can only see
traffic data while it exists - and at ISPs, this is not for very long,
particularly for websites visited. 

Phone companies have a legitimate business reason for keeping traffic
data: they use it to calculate customers' bills. BT retains it for
seven years for its 28m UK fixed lines. 

But ISPs do not charge by the email, and so do not need to keep the
information that long. AOL says it retains email traffic data for
three months, Freeserve for 90 days. Claranet, an ISP that has
campaigned for protection of its customers' data, retains it for just
a fortnight, although it is now increasing this in preparation for the
proposed laws.


The secretary-general of the Internet Service Providers Association,
Nicholas Lansman, says the cost of a year's worth of traffic data
retention could soar into the millions for some ISPs, should they
choose - or be forced - to take up their proposed new rights. 

As for web-browsing, Freeserve says it retains individualised data for
its own chatrooms aimed at children, but that it retains only
anonymous, aggregated data on its customers' general web-browsing. AOL
retains only aggregated data. 

Claranet does not keep even this much, and is shocked by the idea of
retaining personalised logs. Steve Rawlinson, the company's chief
technology officer, says keeping such logs would mean "a complete
reorganisation of our network", and could lead to ISPs moving abroad
to protect customers' privacy. 

"It's extremely intrusive, and I think we would be very unhappy," he
says. 

The National Criminal Intelligence Service (NCIS), which produces
intelligence for UK law enforcement authorities, has been asking for
standardisation between phone and internet traffic retention for more
than a year. 

According to a document written by the NCIS deputy director-general
Roger Gaspar in August 2000 (later leaked to the Observer), police
forces, Customs and Excise, MI5 and MI6 would like all communications
traffic data retained for seven years. 

The NCIS now says the leaked document does not represent the
organisation's view, but adds that the case for internet traffic data
retention has strengthened since September 11. 

"In the real world, you have witnesses, forensics, DNA profiling and
fingerprints," says the spokesperson. "In the digital world, all
you've got is data. If that data is being erased as it's created, you
haven't got any equivalent of forensics. Our position is that law
enforcement must be provided with a reasonable minimum." 

Some think that law enforcement already has access to plenty of data.
The RIP Act gives them some of the strongest powers in the
industrialised world to tap communications. 

Roger Bingham, spokesman for Liberty, the civil rights group, says:
"In terms of exceptional circumstances, we can see how it might be
reasonable to retain data a little longer, on the basis that police
can get information on specific people where there is a clear and
reasonable suspicion. 

"As a safeguard, we think the police should seek a judicial warrant
for reasonable suspicion of terrorist activity." 

This is somewhat different to what is proposed - keeping everyone's
data, then granting access for minor crimes on the strength of a
police-issued warrant. Technically minded MPs, although supportive of
the fight against terrorism, have doubts. 

Richard Allan, the Liberal Democrats' IT spokesman, says: "I find it
very difficult to see what point there is to it, in terms of catching
anyone doing anything." 

He calls for more work on targeting individuals, pointing out that any
serious criminal would use anonymous library or web-café terminals. 

And Brian White, a backbench Labour MP who chairs the IT
industry-parliament liaison group Eurim, worries that this legislation
will not be technically practicable. "I have some concerns that we
won't repeat the problems we had with the RIP Act," he says. 

The bill's voluntary code puts the onus on ISPs, and the two largest
ISPs in the country are not keen to participate. David Melville,
company secretary of Freeserve (with 18% of the UK's web-users), says
the ISP could extend retention of email traffic data from 90 days to a
year, without much technical difficulty. 

But that's not the point. "I'm slightly worried that a period of
retention beyond 90 days means me knowing a little bit more than I
need to know," he says. "I think there's a creeping sense of worry
about whether the response is proportional."

Freeserve's traffic goes through UK servers. But all AOL traffic, with
17% of UK subscribers, goes through servers in Virginia. 

Caspar Bowden, director of the Foundation for Information Policy
Research, an IT think-tank, says this means UK users may be hit by the
strict USA Act. "If you're a British subscriber to AOL, your data
could be raided by the FBI," he warns. 

Bowden says the USA Act, passed late last month, means the US has
overtaken the UK in the strength of its abilities to bug the internet.
The act allows law enforcement agencies to collect both traffic and
content data, and for the data to be passed to nearly any government
department. 

However, Clare Gilbert, AOL Europe's senior vice-president for public
policy and regulatory affairs, says she would be very surprised if the
USA Act affected UK users, as AOL knows which country its traffic
streams come from, even if it does all flow through Virginia. 

But she says that UK law enforcement authorities have to obtain an
international warrant to get access to UK-held AOL accounts. "It's an
additional hoop. We make that process as painless as possible," she
says. 

Gilbert sees little need to extend AOL's retention of email traffic
data beyond three months. "We've been working with the police since we
established in the UK in 1996. 

"Where we're dealing with police who are efficient in their duties, it
works," she says. "There's never been an instance where the process in
place has not worked. We question the need to force or allow ISPs to
keep data for a year - it doesn't really make sense." 

Gilbert says an alternative is data preservation: law enforcement
authorities express interest in named individuals, and ISPs retain
their account data until a warrant is produced. "It's much easier to
preserve specific data than randomly keep vast amounts. You're talking
about billions and billions of IP addresses over a 12-month period." 

Yet this is what UK ISPs will soon be allowed to do - with the
pressure of compulsion if the home secretary decides they don't
volunteer enough. 

The bill is published in PDF format at:
www.publications.parliament.uk/pa/cm200102/cmbills/049/2002049.htm





------- End of forwarded message -------
