FITUG e.V.

Förderverein Informationstechnik und Gesellschaft

FIPR Release 16/10/2001: EMERGENCY POWERS ALLOW MASS-SUR

------- Forwarded message follows -------
From: "Caspar Bowden" <cb@fipr.org>
To: <cb@fipr.org>
Subject: FIPR Release 16/10/2001: EMERGENCY POWERS ALLOW MASS-SURVEILLANCE FOR NON-TERRORIST INVESTIGATIONS
Date sent: Tue, 16 Oct 2001 15:13:41 +0100
Send reply to: ukcrypto@chiark.greenend.org.uk

Press release: FOR IMMEDIATE USE : 16th October 2001

EMERGENCY POWERS ALLOW MASS-SURVEILLANCE FOR NON-TERRORIST INVESTIGATIONS
=========================================================================

*) Home Office undecided whether ISP data retention to be voluntary or compulsory

*) Data revealing who you talk to, what you read, where you are, collected for "national security"

*) Data can be trawled for public order, minor crimes, tax, health and safety

*) E-Commerce to bear open-ended storage and data-protection compliance costs

=========================================================================

As part of an emergency package of anti-terrorism measures, Home Secretary David Blunkett announced yesterday (Note 3) that Internet Service Providers would be "enabled" to retain logs detailing the online activity of their customers (but NOT the contents of communications).

Data protection legislation (Note 4) currently protects electronic privacy by prohibiting blanket storage by ISPs of logs recording such details as websites browsed, To and From addresses of e-mails, and which 'newsgroup' articles are read by a subscriber. Other "communications data", such as the telephone number used to dial-up the Internet, may be kept so long as it is relevant to billing or fraud control.

Although Mr. Blunkett's use of the word "enable" (rather than "require") implied that compliance will be at the ISP's discretion, the lead official told FIPR that retention may be made compulsory, enforced through civil law. The same source said a ministerial certificate will assert "national security" exemptions (Note 5) so that ISPs and telephone companies will not be in breach of European Directives. The government will only specify later exactly what data may be collected and for how long in a Code of Practice in consultation with ISPs.

No new legislation is necessary for police and intelligence agencies to collect the data once it is recorded by ISPs and telephone companies. The Regulation of Investigatory Powers (RIP) Act 2000 (Note 5) allows records to be obtained for broad purposes including tax, health and safety, public order offences and minor crime. Although "communications data" provides a complete map of private life, revealing who you talk to, what you read, and where you go, the authorities can rubber-stamp compilation and trawling of large and detailed databases. In contrast, inspection of the contents of a single e-mail requires a warrant from a Secretary of State, and a search for documents requires a court order.

Bulk requests can be made on groups or the history of an individual and kept by police and intelligence agencies indefinitely under data protection exemptions. This includes the exact co-ordinates of your geographic location - which 3rd-generation mobiles produce continuously whilst the phone is switched on.

Computerised 'traffic analysis' (tracing links between individuals) is a powerful new form of mass-surveillance, but is only efficient at keeping tabs on the law-abiding. Professional terrorists know how to cover their tracks - for example throw-away use of pre-paid mobile phones. Reports of the modus operandi of the September 11th terrorists indicate they used Web-based e-mail from public terminals. Clearly it is not persuasive to argue for privacy to be sacrificed in the name of fighting terrorism if the measures would not in fact be effective.

A leaked report from the National Criminal Intelligence Service last year revealed that police and security agencies are nevertheless pressing for a mandatory data retention law to warehouse the traffic data of the entire population for several years (http://cryptome.org/ncis-carnivore.htm). Blunkett's proposals amount to blanket 'dataveillance' for non-terrorist investigations, using the tragic events of Sep 11 as justification.

Providers of e-commerce authentication services could be affected as well as ISPs and telcos. Anyone offering "provision of access to, and of facilities for making use of...the transmission of communications" [RIP S.22(4) & S.1 defs] could face extra costs of providing suitable storage devices and media, and full compliance with data protection legislation.

Quotes
======

Caspar Bowden, director of Internet think-tank FIPR (Foundation for Information Policy Research) commented:

"Sensitive data revealing what you read, where you are, and who you talk to online could be collected in the name of national security. But Mr. Blunkett intends to allow access to this data for purposes nothing to do with fighting terrorism. Minor crimes, public order and tax offences, attendance at demonstrations, even 'health and safety' will be legitimate reasons to siphon sensitive details of private life into government databases to be retained indefinitely. This would be in flagrant breach of the first and second Data Protection Principles."

Contact for enquiries:

Caspar Bowden
Foundation for Information Policy Research
www.fipr.org
cb@fipr.org
+44(0)20 7354 2333

Notes for editors
-----------------

1. The Foundation for Information Policy Research (www.fipr.org), is a non-profit think-tank for Internet policy, governed by an independent Board of Trustees with an Advisory Council of experts.

2. FIPR's analysis of the RIP Act (www.fipr.org/rip) stimulated media debate, and led to amendments ensuring that people who lose decryption keys or forget passwords are presumed innocent until proven guilty, and prohibiting detailed surveillance of web browsing without a full warrant.

3. Home Office Press Release 15/10/2001: "BLUNKETT OUTLINES FURTHER ANTI-TERRORIST MEASURES" (http://wood.ccta.gov.uk/homeoffice/hopress.nsf/50e2456405b67f7d802566b3006819dc/2a5fc6811dec4c7180256ae6004fa4d3?OpenDocument)

3. The Telecommunications Data Protection Directive 1996, implemented in UK law as SI 2093 (1999). The Office of the Information Commissioner (contact Iain Bourne) has stated that ISP blanket (i.e. for all subscribers) logging and retention of online Internet activity is prohibited. Logging of telephone numbers is permitted whilst relevant for billing or fraud control.

4. Section 32. of SI 2093 allows a certificate signed by a Minister of the Crown to over-ride the prohibition on blanket data retention for National Security purposes (http://www.hmso.gov.uk/si/si1999/19992093.htm)

5. Regulation of Investigatory Powers Act 2000, Part.1 Chapter.2, Section 22 (http://www.hmso.gov.uk/acts/acts2000/00023--c.htm#22). This Part is not yet in force and the relevant Code of Practice is open for consultation until November 2nd (http://www.homeoffice.gov.uk/ripa/consultintro.htm)

6. Data Protection Act 1998, Schedule 1, (http://www.hmso.gov.uk/acts/acts1998/80029--l.htm#sch1)

------- End of forwarded message -------
