FITUG e.V.
Förderverein Informationstechnik und Gesellschaft
FITUG e.V.Förderverein Informationstechnik und Gesellschaft |
|
------- Forwarded message follows ------- From: "Caspar Bowden" <cb@fipr.org> To: "Ukcrypto \(E-mail\)" <ukcrypto@maillist.ox.ac.uk>, <ir-l@gn.apc.org>, <cyber-rights-UK@mail.cyber-rights.org> Subject: FIPR wants Big Browser scenarios Date sent: Sat, 27 May 2000 08:33:22 +0100 Send reply to: ukcrypto@maillist.ox.ac.uk
FIPR is trying to develop briefing material which elucidates for non-techies the risks to privacy of the "Big Browser" that RIP will enable (and that will provide good arguments for using traffic-analysis-defeating methods involving crypto):
<http://www.fipr.org/rip/FIPR%20Lords%202nd%20reading%20briefing.htm> [There are important new arguments for requiring prior judicial authorisation for access to Internet communications data. The explosive growth of e-commerce, coupled with anticipated high penetration of interactive digital television and third-generation mobile phones, means that the Internet is on the verge of becoming a single conduit carrying comprehensive transaction data tracing virtually every facet of private life, which previously was scattered on separate utility, bank, credit-card, library, and telecommunications billing computers, if indeed they were recorded at all. The Home Office has made clear that it classes Internet audit trails, including lists of e-mail correspondents and web sites browsed, as communications data (rather than content). If, as seems likely, the Internet in time subsumes both television and written information sources, under the RIP Bill it will be lawful for any public authority to obtain comprehensive details of what any person has read, watched, and who they have corresponded with, without a ministerial or judicial warrant.
It is relevant that a current de facto safeguard, that such data can only be obtained by police request on presenting a data controller with satisfactory evidence that a Data Protection Act (s.29) exemption applies, is abolished. If the power of interception were implemented as envisaged by the Smith Report, it would be both lawful and feasible for such communications data to be obtained instantaneously, remotely, and secretly by the same apparatus: the "black-boxes" installed at ISPs, linked to the GTAC monitoring centre.
Moreover, rapid advances in computing power now permit warehousing and "traffic-analysis" of unlimited quantities of communications data by automated tools[7] that derive "friendship trees" and can detect patterns of association between individuals and groups using sophisticated artificial intelligence programming. This method can be considered as a "suspicion-engine" which can identify new targets of investigation with complete generality – without any access to the content of communications – but which could subsequently serve as the basis for an interception warrant.
In summary, the combination of:
.) an interception infrastructure linking all data carriers (for feasible cost) to a central monitoring facility capable of remotely selecting traffic and content .) traffic-analysis tools which make intelligent inferences from patterns of association matched to arbitrary criteria .) a legal power of self-authorisation, without prior judicial approval can justifiably be regarded as the emergence of a powerful new form of mass-surveillance.
It should be emphasised that whilst GCHQ performs broad-spectrum processing of both the content and traffic patterns of external communications, mass-surveillance of domestic communications is legally unprecedented in peacetime.
We wish to emphasise that it is not our view that RIP was drafted with this intention – however it is sobering to realise that proposals modestly billed as "updating and modernising existing powers", would in fact legitimise what an extreme government might seek to achieve.]
. - . - . - .
I'd be very interested in hearing from anyone (or getting a thread going if not too off-topic) who would like to work on developing near-future scenarios on how government departments are likely to want progressively more data, which could lead ineluctably to GTAC mission-creep involving direct siphoning of traffic data from the ISP.
For an example see "A Perfect Match" <http://www.audit-commission.gov.uk/ac2/NR/LocalA/prdatamf.htm> including the rather bald statement buried in the Appendix "Information was required by the auditor for the NFI 1998 under Section 6 of the Audit Commission Act 1998 (Ref. 3). Disclosure of the data to the Audit Commission was exempt from the non-disclosure provisions of the Data Protection Acts 1984 (Ref. 4) and 1998 (Ref. 5) BECAUSE THE DISCLOSURE WAS REQUIRED BY STATUTE (Section 34(5) of the Data Protection Act 1984)."
(I think this is now in the new Act S.35. - (1) Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.)
-- Caspar Bowden Tel: +44(0)20 7354 2333 Director, Foundation for Information Policy Research RIP Information Centre at: www.fipr.org/rip#media
------- End of forwarded message -------