Scrambling for Safety 7
The Scrambling for Safety 7 conference was held at the LSE on Wednesday, October 22, 2003, to discuss the detail of, and the issues around, the five new Statutory Instruments (SIs) released by the Home Office last month concerning the Regulation of Investigatory Powers Act 2000 (RIP) and the Anti-Terrorism, Crime and Security Act 2001 (ATCSA), not least in the wake of last year's withdrawn "Snoopers' Charter". The conference was organised by Privacy International and FIPR (the Foundation for Information Policy Research) and was chaired by Dr Simon Moores, of Zentelligence, who wrote an interesting review of the event in his blog. Though I think he should have gone with the Che Guevara tie… ;o)
As I disclaimed for SfS6, I won't guarantee the accuracy of my notes, not least because my handwriting and hearing are both rather suspect. Also, some of my notes are rather cursory, with little context to them. Sorry, they were written as aides-mémoire, rather than as a certifiable transcript. All "quotes" are likely to be paraphrased, not verbatim. I've tried to look up people's names for the correct spelling, where audience members gave their name in panel discussions, but apologise for any mis-hearings or mis-spellings, as some are inevitable. I'm more than happy to correct any errors, so do feel free to mail me. Hyperlinks from this page have not been set to open in a new window, so you may wish to do so manually.
Also, as one of the audience noted, these issues tend to involve a lot of acronyms; I have tried to explain all of these with <acronym> and <abbrev> tags, which should leave a dotted-underline on terms where I have added an explanation. Hovering over these terms should (hopefully, in most browsers) show you a tooltip with an expansion of the acronym and, usually, an explanation of what it actually means.
FIPR's website contains the agenda, some notes and some photos from the event itself. I made copious notes of the actual discussions, mainly for my own benefit and that of my Stand.org.uk colleagues who couldn't make it, but I figured that other people might find my notes useful, so I thought I would make them publicly available here on our site.
Comments and corrections should be addressed to me, Owen Blacker <email@example.com>. Queries should be addressed to the speakers themselves :oþ
Panel One: Overview and analysis of the proposals
Panelists: Simon Watkin (Home Office civil servant responsible for the Data Access consultation); Bob Lack (Home Office civil servant responsible for the Data Retention consultation); Richard Clayton (FIPR, slideshow PDF)
Simon Watkin (Home Office): The Home Office is seeking, with these SIs, to bring in regulation where currently there is none. The Data Access SI is a very different Order from last year's Order (see his arguments on this in his rebuttal to FIPR's critique of the Order). The SI only provides for currently-used powers; it does not provide for anticipated powers and it does not provide for any powers "just in case".
The SI does not (because it cannot) cover some of the other safeguards, which would require primary legislation; it does not provide for training, or for ensuring that recipients of comms data would hold the appropriate level of understanding. It was floated, in consultation responses, that there could/should be a concept of third-party approval of requests for comms data by agencies unfamiliar with comms data (and the Home Office would seem to prefer that Sir Swinton Thomas, the Interception Commissioner, perform such approval rather than the courts). This could not, however, be a statutory requirement, as that would require further primary legislation.
Simon mentioned that 9/11 is part of the reason why data retention became a popular idea and acknowledged that there are grave reservations over any voluntary régime.
Richard Clayton (FIPR): [A PDF of Richard's fantastic slideshow presentation is available on the FIPR site. As I anticipated his presentation would be made available electronically, I made relatively sparse notes]
Issues regarding Data Retention:
- Would a voluntary retention régime be lawful?
- How would we assess whether or not any voluntary régime has worked?
- What percentage of CSPs (communications service providers) would have to take up any voluntary scheme for it to be a success?
- What would be the cost of the scheme?
- Will the government reimburse the costs of CSPs partaking in the scheme?
Issues regarding Data Access:
- Whilst access may be intended for Trading Standards, for example, there would be nothing to prevent data being requested for use by Planning or some other body, for whom access to comms data was not envisaged. [So Stand's assumption about Councils is correct; the new restrictions may well be worthless.]
- There is a lot of confusion over the different categories of data. There are three categories — A (traffic data), B (usage data), C (everything else, usually referred to as "subscriber data" or RDQs) — but there is a lot of confusion as to whether who-called-who information falls into A or B, or, indeed, into either, depending on call direction! [Richard summarised this well in a post to UK Crypto: Analysis of Councils' opinions on caller relationship data]
- The third category of data there is very widely defined. C is defined as anything that is neither A nor B; there is some concern, for example, that this could easily include the PIN to a voicemail account.
- There is still no Code of Practice.
Caspar Bowden (former director of FIPR): Mentioned the visibility of Sir Swinton Thomas, the Interception Commissioner [See similar comments from SfS6] and how his rôle has changed so that he now has to interact more with the public. Is there a difficulty in separating the rôles of the Commissioner and the Tribunal? Sir Swinton is a High Court judge, he has little experience of the media.
Simon Watkin: The Home Office knows this is an issue and Sir Swinton's profile is gradually being raised.
Baroness Emily Blatch (Tory Leader in the Lords): The baroness is concerned about the ability of government to handle sensitive data like this (compare the fiascos with the Criminal Records Bureau and the Firearms Register), notably that the data is sometimes sent to third-world countries for processing. How do we manage the information overload? The baroness is concerned that we do not yet have the competence to handle all the data the government wants to be able to gather.
Simon Watkin: The Home Office believes that trust will be improved, not worsened, by this legislation. The point was frequently made that this legislation is not granting new powers, merely regulating existing ones — regulation should mean that the agencies using these powers should be trusted more, once their actions are more carefully monitored. Also, we want to move the onus of deciding whether the data requirements are proportionate, in each case, away from CSPs and on to the public authorities.
Richard Clayton: Yes, but the ATCSA provisions are more worrying, because CSPs are talking about the costs of retaining data for which they no longer have a clearly-defined business need, for example. Also, some data currently stored are becoming unnecessary for the CSPs' businesses (because they no longer need to store call data if they're using a flat-rate billing tariff, for example), so the net effect of the retention powers could be to cause much more expensive communications for us all. Also, LEAs (law enforcement agencies) require access to data after a crime has been committed, which would mean that data preservation is just as good a solution.
Steen Larsen (Director of Security, MessageLabs): Steen is concerned about the costs of data retention, including the cost that could be brought about as a result of private litigants and fishing expeditions, for example. Once the data are retained under ATCSA provisions, they're there and can be acquired for all kinds of purposes (where "necessary and proportionate"), not just the anti-terrorism / anti-serious-crime provisions envisaged by ATCSA.
Simon Watkin: We should expect the number of requests to go down. It is the Information Commissioner [previously the Data Protection Commissioner] who has said that the data should be made available for non-ATCSA purposes, once it's been retained under ATCSA provisions.
Bob Lack: The reason it's a voluntary Code of Practice (as opposed to a mandatory one) is because Parliament decided it should be, originally.
Peter Reid(?): How much does this legislation roll back the Human Rights Act 1998 (HRA)? For example, the Gaming Board of Great Britain (GBGB) believe that they do not currently have data access powers, as a result of the conflict between their legacy powers and the privacy provisions under the HRA.
Simon Watkin: We're not rolling back the HRA, but rather enforcing it; see, for example, the necessity and proportionality requirements in RIP. CSPs don't want to be taking decisions about releasing information under the Data Protection Acts (DPA) exemptions; that's not their job.
Caspar Bowden: The Information Commissioner seems to have decided it is acceptable for data retained under ATCSA to be accessed for other purposes, under RIP. Ben Emmerson QC, however, said something rather different in his Legal Opinion for the Information Commissioner.
Bob Lack: "It might be lawful". RIP doesn't exclude such access and Parliament approved RIP. The Home Office believes such access would be lawful under RIP.
Panel Two: Who should be given surveillance powers?
Panelists: Bryan Letwin (Assistant Chief Officer, Northants County Council Trading Standards); Paul Boyle (Department of Constitutional Affairs, Information Rights Division); Richard Kitchen (Chief Investigation Officer, Department of Work and Pensions); DI John Donovan (ACPO (Association of Chief Police Officers) Data Communications Strategy Group)
Bryan Letwin (Northants Trading Standards): As an Assistant Chief Officer, Bryan is an authorising officer, under the Data Access Order. Bryan sought to give some examples of uses of the powers the SI seeks to grant. He gave the example of Marks & Spencer — they're a reputable and responsible business; if you had some kind of problem with something you'd bought there, you could go back to the store, or write to their head office at Baker Street, or use their website. This is not the kind of company that Trading Standards departments generally have to deal with. 90% of councils' data access will be for Trading Standards and 99% of Trading Standards' access will be to get RDQ information, viz providing a phone number and getting a name and address from the
Bryan mentioned the example of Andrew Bagshaw, mentioned in the Data Access consultation paper. The only way Andrew Bagshaw was traced and brought to justice was through the use of RDQ information; he ripped off countless members of the public by claiming to be a CORGI-registered gas fitter when he wasn't and by misleading his customers over pricing and the like.
With a reputable company, like Marks & Spencer, you would not expect threatening phone calls at 2am or someone to come round to your home and abuse you, if you had a complaint. Bryan Letwin mentioned the case of Kenneth Hornsby, who was a washing machine fitter and had 19 different telephone numbers (again caught and brought to justice via RDQs) and technology to divert calls elsewhere, if they were from a Trading Standards officer, by looking at the CLI (calling line identification) information.
So why should the police not handle these powers on behalf of smaller data users, such as council Trading Standards offices? Well, the police are busy. The vast majority of council investigations are for regulatory offences, but increasingly they involve serious crimes, like the cases above, and are commercial crimes. "99.999%" of the people about whom councils are seeking data access powers are tradesmen and businessmen, not individuals.
Paul Boyle (Dept Constitutional Affairs): The DCA has no data access powers and has no interest in being granted them. The DCA's interest in this debate is as the government department responsible for the implementation of the DPA and the HRA.
Only the organisations with a very clear need to exercise Data Access powers should be granted them. If they need these powers under RIP, powers to seek information are probably already given by other legacy legislation. Paul Boyle believes that the GBGB are just being (over?)-cautious with regard to the HRA, after having received internal legal advice.
Organisations must act in a way that protects individuals' rights to privacy and confidentiality [in all their actions; that's part of the point of the Human Rights Act]. Any breach of an individual's right to privacy must have a clear basis in law and be proportionate. Article Eight of the ECHR (European Convention on Human Rights) states that there must be "no interference … except … in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."
As a result, there is a limited list of rationales against which the proportionality must be evaluated. Essentially, one must ask what end is it that the organisation is trying to achieve. The investigation of terrorist offences, for example, would suggest a greater level of interference would be acceptable than would be with, say, Trading Standards investigations. The DCA is very pleased that the regulatory structure seeks to encompass everyone's powers. The DCA is less pleased about the DWP, for example, who would seem to seek to evade such regulation by using their own powers [from the Social Security Fraud Act 2001].
Richard Kitchen (Dept Work and Pensions): Over £100 bn are given out by the DWP every year in State benefits. 21m members of the public receive some form of State assistance. The DWP goes to great lengths to make sure their systems are accessible to the vulnerable.
By consequence, some people try to defraud the DWP. Around 85% of the roughly £2 bn lost to fraud and error are due to a failure to notify changes in the personal circumstances of a legitimate claimant. Only 15% of the cases include an initial motive to defraud.
There are several categories of deception:
- Deceptions of income;
- Deceptions of capital;
- Deceptions of health and/or ability;
- Deceptions of family circumstances; and
- Deceptions of identity, which are "increasingly common".
The DWP has no power of arrest and no power to commit intrusive surveillance. There are 100 000 staff at the DWP, of which 5000 are in the investigation branch.
In 2000, powers were debated and granted by Parliament [in the SSFA] to gain information from private bodies (including telcos). The structure was debated and approved after, and in light of, the HRA. There is a Code of Practice, which requires clear breaks between those officers who obtain the data and those officers who interpret the data. Around 175 officers are authorised to use the SSFA powers to get telecomms data. These are housed separately from the other DWP officers, in investigations offices, are specifically trained, and the records of each of these officers are available for inspection by the Interception Commissioner.
The DWP didn't want inclusion in the RIP régime, because their powers are wider and the structure is solidly created. Since May 2002, there has only been one complaint where it was alleged that these powers have been misused, which Richard Kitchen says suggests they're doing quite well.
DI John Donovan (ACPO): The ACPO publishes a manual of standards, despite not yet having a statutory requirement to do so, as RIP Part I, Chapter 2, has yet to come into force. With industry, the ACPO created the SPoC (single point of contact) procedures and a two-week course of training for the officers involved. They already force the use of the RIP procedures, rather than the DPA procedures, because they're a better way of handling things [incorporating the HRA safeguards, whereas the DPA predates the HRA] and they ensure, as would be the case under RIP Part I, Chapter 2, but is not the case under the DPA exemption régime, that CSPs are paid costs for the access granted to law enforcement bodies.
Their manual of standards [as was mentioned by Richard Clayton in his presentation] cannot yet be published, as the ACPO are waiting for the Code of Practice to be finalised.
Anonymous male: Mentioned that miscarriage of justice groups have had their phones and emails interfered with. The RIP Tribunal has never upheld a single complaint.
DI Donovan: DI Donovan cannot comment on the RIP Tribunal, where issues such as this should be dealt with. The Tribunal, of course, cannot investigate issues such as these yet, as RIP Part I, Chapter 2, is still not in force.
Paul Boyle: The Tribunal is the right place for issues such as these and, thus, the DCA cannot comment. But if the Tribunal were not to be functioning and serving its purpose correctly, then this would be something that the DCA could look into. Of course, this isn't yet something we could know, though.
Adrian Norman (UK Internet Gateway): As a 40-year veteran of this debate, he has been very interested to hear from the Panelists. Clearly, though, it would be possible to create CSPs that would not be susceptible to intercept. Why do people think that "the villains" wouldn't just find ways to get around the purview of these laws?
Richard Kitchen: It would be wrong to seek powers just in case they might be useful in the future and, obviously, no one could seek to obtain information from a CSP who does not have it. He acknowledges that the law will always be "playing catch-up" with the bad guys.
Simon Moores: Mentioned about identity fraud.
Ian Miller: There has been only one complaint made to the DWP? But how would one know that one's privacy has been invaded? [Amongst other things, Ian is alluding to the fact that no post-facto notification to surveillance targets is required.] If you don't know your privacy has been invaded, you can't level a complaint about it!
Richard Kitchen: Criminal law requires that details of the investigations are disclosed to all parties. Ian's point, though, is valid, where there is an out-of-court settlement, for example. The DWP's Code of Practice contains a clear indication for people to write to the Dept to raise complaints, also the DWP are open to regulatory inspection. He recognises that there is some merit to the ACPO [their methods? — notes are unclear here]; one can complain on the suspicion of having been a target of surveillance and the DWP will check their files to see if that has been the case.
John Dixon: Criminals are already devising systems to attack such countersystems — for example spammers are coordinating to attack anti-spam campaigns. The whole process inevitably lags behind criminals and, thus, it's all a waste of time.
DI Donovan: Yes, that is the case. DI Donovan mentioned the HTCU and zombie spammers. "And the greatest threat, of course, is encryption" [which generated some laughs].
Malcolm Hutty (Regulation Officer, LINX): Might the key reason that the DWP do not wish to go through the RIP régime be that, under the SSFA, there is no requirement to reimburse CSPs' costs? Organs of State seem to have an insatiable appetite for data (with good intentions, of course, because these data are required). Who considers the necessity and proportionality? Is this not a problem of self-serving bias? Paying costs to the CSPs would help with that somewhat. With regard to Data Retention, Malcolm would be very interested to know if the government is prepared to pay the full cost of retention; if not, there would seem to be a business case against co-operation.
DI Donovan: They currently reject around a quarter of all requests, mainly because the paperwork isn't right. The ACPO is pleased and proud that they pay reasonable costs (on the RIP Part I side, they pay all costs).
Richard Kitchen: The DWP doesn't require Data Retention, only access to existing data. Parliament discussed the issue and decided not to require the DWP to pay costs. Similarly, the Inland Revenue and Customs & Excise don't grant similar costs. In 2000, there were around 4500 instances of directed surveillance from the DWP. In 2002, after having taken on his current rôle, Richard had got this number down to 2500, due to having put better systems and structures into place. The DWP isn't looking after its self-interest, but rather the public interest. Richard argued rather strenuously that he doesn't think it's appropriate that public money should be being given to the private sector in compensation for costs incurred in complying with these Data Access provisions.
Anonymous male: To Bryan Lewin, when will public authorities announce a "public act of decommissioning" and formally "put beyond use" all legacy powers?
Bryan Lewin: Public authorities welcome RIP, they don't want to rely on DPA exemptions. Generally, they welcome the oversight and the greater transparency.
After a coffee break
Simon Davies (Privacy International): Hopefully, there will be another meeting, around a week before the debates in the House of Lords (so about a month after this meeting). Simon spoke about the Legal Opinion that Privacy International commissioned from Covington and Burling, which proves that Data Retention is an illegal violation of the rights guaranteed by the ECHR. [The Opinion doesn't yet seem to be on PI's website, but I will add a link once I have one.] PI have invited the House of Commons Human Rights Committee to attend. The Opinion states that mandatory Data Retention "completely eliminates the principle of foreseeability" required by the ECHR.
Panel Three: The industry perspective
Beatrice Rogers: Data Retention is the government forcing industry to hand over information for purposes other than those that were originally foreseen. What is the correct balance between national security and individuals' privacy? This is part of a worrying trend of government expecting industry to implement public policy. Intellect welcomes the ability to have input into the process, but is disappointed that the government continues to ignore industry's concerns.
There are legal concerns — there is a lack of certainty with regard to the DPA and that breaches won't leave CSPs liable, let alone left with damaged reputations. The Home Office has made verbal assurances that this won't be the case, but there has been no firm commitment on indemnity. And is the Home Secretary able to indemnify the private sector anyway?
There are technical and implementation issues — these seem to have been sidelined. CSPs will be required to ensure that any data that could legally be accessed would be searchable and retrievable for LEAs, all of which is complex and expensive. The Home Office is prepared to contribute to reasonable costs, but this does not include the costs of implementing business processes in order to comply. There is no direct return on investment and the ICT industry is not endowed with capital to spend on non–business-critical issues. This legislation will seriously inhibit the productivity increases called for from the government.
Business issues — Industry is not convinced by the lack of a business case. There is no evidence that there has been any assessment or qualification of the interrogation of such systems. The Home Office has moved forward, but the definitions are still unclear. The regulations could imply that every packet containing IP addresses could require storage, which would be a massive amount of data.
The consequences are that the Data Retention requirements could threaten consumer confidence and the take-up of new services. Privacy is very important to CSPs' customers and the retention régime would raise grave privacy concerns amongst the customer base, which could threaten the growth of the whole e-market and e-government. In the US, post 9/11, the technical industry are finding investment increasingly difficult because of the requirements "due to national security concerns".
This cost burden has to be paid for somewhere and in the end, those costs will be passed onto the customer.
This would create a distortion in the UK market. If all CSPs have to comply, then there is a disproportionate burden on small companies. If, however, only larger CSPs have to comply, then they will suffer a disproportionate burden. Either way, there will be a direct impact on the competitiveness of UK companies in the global market. This could result in an off-shore black market, leaving UK CSPs at a competitive disadvantage and put criminals even further from investigation by UK LEAs, as "the bad guys" will just go off-shore.
Simon Moores: Mentioned the Matrix Churchill affair and questioned the government's ability to indemnify (in this case) CSPs against the breach of their customers' privacy. He also asked if Beatrice had any idea of the total cost of implementing these requirements.
Beatrice Rogers: There could be a short term gain in the data storage industry but, in the long term, the whole technology industry would suffer. Of course, in the end, it can only be either the consumer or the taxpayer who ends up footing the bill.
Philip Virgo (IMIS): Philip wanted to try to give a user's voice, as the main membership of IMIS are IT managers. IMIS thoroughly supports the need for regulation, but is concerned at the regulations' inadequacies:
- What about the powers that are left out?
- How could one easily check the authority of the requesting officer(s)?
- What is the cost of Data Retention — have we really done a risk/benefit analysis?
So what should an IS professional do, on receipt of a fax, requesting data, purporting to be from, say, the DWP?
A High Street bank routed all requests to a Head Office department and required four full-time members of staff just to handle them. Three quarters of all requests "disappeared" with a little interrogation — calling back the agency to get a reference number and some identification, for example. Were these fraudsters, or stalkers, or just staff who didn't know how best to make the request? We can't know.
Unless there's an easy way to check the authority of a request, individuals' privacy and safety may well be compromised. Philip mentioned a 25-year-old story about a Colombian drug cartel, who gained information about all the people who had contacted the US Drug Enforcement Agency at the Embassy and had all the informants killed. Retained data can be dangerous, not just expensive.
Regulation is long overdue, but we don't know enough about how to make Data Retention work. There are some very grave doubts.
Ian (BCS, talking for SMEs): Ian [whose last name I didn't note] has been working on a village network of around 20 people, which has no real source of funding. They are likely to be selling services to guesthouses, for example, so that visitors to the village may access email and the Web. So is RIP deliberately protecting the "big boys" against the interests of small businesses, where no one can afford to spend time learning about RIP and how to process requests and the like, as money is very tight?
Beatrice Rogers: Indeed, there cannot be parity for all the players in the industry. The implementation needs looking at in a lot more detail; it's a very good question, to which she does not have the answer.
Philip Virgo: Indeed, training will be required of CSPs, even if it's just so they know, for example, how to check the identity of a requesting officer from the DWP and what they should do, on receipt of a request.
Simon Davies: Denmark instituted mandatory data retention recently. It has been suspended indefinitely, due to problems with technical and implementation details.
Simon Moores: What about identity theft — innocent people could easily become the focus of an investigation, just because they had had their identity stolen.
Philip Virgo: "Twelve percent of the credit cards" used in Operation Ore had been reported as stolen before the investigation started. That makes it incredibly difficult to trace anyone.
Anonymous male: But can we trust human nature? There are always bad apples in any business (see, for example, the current scandal of racism in the police forces). Can industry categorically be sure that their own employees won't misuse any retained data?
Philip Virgo: Banks and insurance companies already take the view that you must assume that you can't trust all your employees. A major advance with RIP is that the SPoC process is superb. Companies handling data such as this will always attract a few criminals who want to abuse the powers they get given in their job.
Beatrice Rogers: One should always assume that faults will occur.
Ross Anderson (Chair, FIPR, and Reader in Security Engineering, Cambridge University): Ross is very supportive of Philip Virgo's views, partly because he has been involved in stopping Cambridge University creating a register of faculty members' other interests. This has been important because otherwise animal liberation types, for example, would abuse the outside interests of faculty members, by telephoning board members of companies for whom they consult, for example, at 2am, or hurling abuse at them outside their homes.
Simon Watkin: Can the panelists accept that CSPs already retain the data that the Data Access order seeks to acquire? It seems to him that people have been trying to imply that no CSPs store any data, even for their own business purposes, at the moment, when the data they already hold could be useful to LEAs.
Beatrice Rogers: Yes, of course CSPs already hold some data, but it seems worrying that the Home Office seems to want to hold CSPs' business practices at the status quo, whereas they may soon find they no longer need to hold certain data on their customers. [See above for the example of telcos no longer needing to log call usage data, for example, if they move to fixed-rate billing.] Also, blanket data retention will cause other problems that will be difficult to resolve.
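The authority check that Philip Virgo and Ian ask for above (how a CSP, on receipt of a faxed request, can tell a genuine authorised officer from a fraudster or stalker) is the kind of thing a SPoC desk can put into a checklist. What follows is an added example written for these notes, not a procedure used by any speaker, authority or CSP at the conference. The authority names, callback directory, rank ladder, permitted purposes, reference formats and the sample requests are all constructed for illustration. The one design rule worth taking away is that the callback goes to a number the desk already holds for the authority, never to the number printed on the request, because the request itself is the thing being verified.

```python
"""Triage of communications-data requests at a CSP's single point of contact.

Added example for these notes; not any speaker's or authority's procedure.
Everything below (authorities, numbers, ranks, purposes, references) is
constructed for illustration.
"""
from dataclasses import dataclass

# Constructed: numbers the SPoC desk itself holds for each authority's own SPoC.
# The callback always goes to these, never to a number printed on the fax,
# which an impersonator controls.
CALLBACK_DIRECTORY = {
    "Example County Council Trading Standards": "+44 1604 000001",
    "Department for Work and Pensions": "+44 113 000002",
}

# Constructed: purposes the desk will accept on a request form.
PERMITTED_PURPOSES = {
    "prevention or detection of crime",
    "national security",
    "public safety",
}

# Constructed: a rank ladder and the minimum authorising rank per data category
# (A traffic, B usage, C subscriber), on the assumption that traffic data needs
# a more senior signature than a reverse-directory (subscriber) query.
RANK_ORDER = ["officer", "senior officer", "assistant chief officer", "chief officer"]
MIN_RANK = {"A": "assistant chief officer", "B": "senior officer", "C": "officer"}


@dataclass
class DataRequest:
    authority: str
    reference: str            # the authority's own request reference
    authorising_officer: str
    officer_rank: str
    purpose: str
    data_category: str        # "A", "B" or "C"
    subject: str              # e.g. the telephone number to be resolved
    stated_callback: str      # number printed on the request; untrusted
    justification: str        # necessity and proportionality statement


def rank_at_least(rank, minimum):
    """True if `rank` is at or above `minimum` on the constructed ladder."""
    return RANK_ORDER.index(rank) >= RANK_ORDER.index(minimum)


def triage(req, directory, confirm_reference):
    """Return ("accept" | "reject", reasons).

    `confirm_reference(number, reference)` stands in for the phone call made to
    `number`: it returns the officer name the authority's SPoC confirms for
    `reference`, or None if they do not recognise it.
    """
    reasons = []
    number = directory.get(req.authority)
    if number is None:
        return "reject", ["authority not in callback directory"]
    if req.stated_callback != number:
        # Not fatal on its own, but recorded: the desk ignores the fax's number.
        reasons.append("callback number on request differs from directory; using directory")
    if not req.reference:
        return "reject", reasons + ["no reference to confirm"]
    confirmed = confirm_reference(number, req.reference)
    if confirmed is None:
        return "reject", reasons + ["authority's SPoC does not recognise the reference"]
    if confirmed != req.authorising_officer:
        return "reject", reasons + ["authorising officer does not match callback"]
    minimum = MIN_RANK.get(req.data_category)
    if minimum is None:
        return "reject", reasons + ["unknown data category"]
    if req.officer_rank not in RANK_ORDER or not rank_at_least(req.officer_rank, minimum):
        return "reject", reasons + [f"rank too low for category {req.data_category}"]
    if req.purpose not in PERMITTED_PURPOSES:
        return "reject", reasons + ["purpose not one of the permitted purposes"]
    if not req.justification.strip():
        return "reject", reasons + ["no necessity/proportionality justification"]
    return "accept", reasons


# Constructed register standing in for what the authority's own SPoC would say
# when called back on the directory number.
AUTHORITY_REGISTER = {
    ("+44 1604 000001", "ECC/2003/0417"): "J. Smith",
}


def lookup_register(number, reference):
    return AUTHORITY_REGISTER.get((number, reference))


def sample_requests():
    """Two constructed requests: one genuine, one with a spoofed callback number."""
    good = DataRequest("Example County Council Trading Standards", "ECC/2003/0417", "J. Smith",
                       "assistant chief officer", "prevention or detection of crime", "C",
                       "01604 123456", "+44 1604 000001",
                       "Resolve trader's number to name and address; complaints on file.")
    spoofed = DataRequest("Example County Council Trading Standards", "ECC/2003/9999", "J. Smith",
                          "assistant chief officer", "prevention or detection of crime", "C",
                          "01604 123456", "+44 7700 900000", "Urgent.")
    return good, spoofed


if __name__ == "__main__":
    for r in sample_requests():
        print(r.reference, triage(r, CALLBACK_DIRECTORY, lookup_register))
```

The spoofed request is rejected not because its covering letter looks wrong but because the authority, reached on the number the desk already holds, has never heard of the reference; that is the check the bank in Philip's story was doing by hand.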
Panel Four: The wider picture
Participants: Richard Allan, MP (LibDem: Sheffield Hallam and joint Treasurer of the All-Party Internet Group); David Carnegie, The Earl of Northesk (Conservative peer, introduced the Computer Misuse (Amendment) Bill [HL] 2002)
Richard Allan: Spoke about how he approaches the issue, as a legislator. He believes he has a specific responsibility to his constituents and a general responsibility to the country — both to uphold our civil rights and privacy and to safeguard our right to safety. We have an important principle that policing in Britain is by consent. No one would support an absolute right to privacy, but the public must consent to interference with that right.
There was, however, no consent for last summer's SI. The Home Office correctly identified that such consent would depend on the government explaining how such interference would be done and why it would be necessary. Of course, it is difficult yet to tell how the test of proportionality will be seen in the courts.
Data Retention is more complex and will also require the consent of industry. If a mandatory scheme is imposed, this will require CSPs that exist at the time to store any data they already collect for business purposes. It won't prevent, however, new CSPs setting up and deciding to hold no such data on their users. Obviously, we don't want effectively to encourage telcos who set up specifically not to hold call data, for example. Of course, no sane business would want to avoid helping LEAs but, similarly, no sane business wishes to incur unnecessary costs.
ATCSA was the wrong place for these powers. A legally-workable scheme and Codes of Practice may, in any case, require amendments to the DPA and to acts such as the Communications Act. They would have been more appropriate places to put these powers. Richard Allan made an entertaining analogy about mandatory Data Retention, of squeezing jelly too hard and making an awful mess. He made another analogy with the use of Anonymizer in Iran, because there is no consent by much of the population to be governed. We don't want to create a comparable situation here.
David Carnegie, Earl Northesk: The Earl believes that "that which is unregulated should be regulated". The SIs do need to be fit for the purpose, though, and he feels that these are not. He does not believe that they deliver on the requirement that authorisations should be made at the right level and that categories of data are well defined and so on. Also he feels that, despite the efforts of the Home Office to ensure that it was "technology neutral", RIP is now out of date.
There were key objections made in the House of Lords about Data Retention. It fails on the tests of effectiveness, necessity, proportionality and consonance. Basically, it won't work. Why, therefore, is the government so determined it's the right way forward? There are obvious alternatives, notably that of Data Preservation. The Earl fears that governments (plural) have adopted the mindset that Information Technologies were only invented to help governments in their aims. The Earl's belief is that IT belongs to the users.
RIP and ATCSA are bad legislation (albeit that they were improved by the House of Lords). This is because so few people in Parliament understand IT, so the government starts with an advantage and too many things slip through Parliamentary scrutiny.
Simon Moores: Could you explain the difference between Data Retention and Data Preservation?
David Carnegie, Earl Northesk: Data Retention is the blanket holding of all data, just in case it might be needed. Data Preservation is targeted to specific individuals — LEAs only ask that information not be deleted where it pertains to individuals under investigation. [Data Preservation, incidentally, is what we had immediately after 9/11, where all UK ISPs were asked by the government not to delete any traffic logs and the like, so that the police and intelligence services could garner any information about the conspirators' communications.]
Romek Szcsesniak (Security Consultant, Atlas Internet): Anyone can set up a telco; anyone can secure their data with technologies like IPv6 and IPSEC. How is the government going to enforce anything when everything is encrypted?
Richard Allan: Industry must want to comply. If an LEA goes to a company, most companies are going to comply.
Anonymous male: Terrorists will just go somewhere else that won't comply, though.
Ian (BCS guy from above): All this harks back to the RAP Bill, under Queen Victoria — the Regulation of Automotive Power Act [sorry, Google didn't give me any hits], which proposed that cars should mandatorily be slowed down, because policemen on bicycles could no longer keep up with them.
Caspar Bowden: ATCSA provides that blanket retention is only a concept under discussion on the grounds of national security. David Blunkett has said this will have no effect — you can't separate the data, so you either retain it all or you don't. Most sophisticated criminals can already circumvent these provisions, so it's inherently disproportionate because it's ineffective against the most serious criminals. No analysis has been made as to whether targeted data preservation would better solve this problem.
Richard Allan: It strikes Richard that this is the result of a classic Parliamentary compromise, so that both sides can claim victory. Effectively, data retained on the grounds of national security are available under RIP provisions — for much wider classes of crimes — so it's largely irrelevant. All the analysis performed by APIG was related to telephone data; similar analysis has not been done for Internet data. These two classes are quite different and should be treated separately.
Mat Hanrahan (Technical Analyst, Dal Cais Research): Question for any of the panellists and the chair, actually, on the practical implementation of RIPA. Do you think a unique national ID number would help implementation of RIPA? I'm asking in terms of whether it's going to be carried by a smartcard or not, and I'm thinking in particular in reference to the recent green paper on child protection, which is talking about a unique national ID for children. Taking into account the ID issues that were raised earlier, would it make the implementation of RIPA easier in reference to proving who's using what record?
Simon Moores: I'm going to give a swift answer to that. First of all we have to leap over the proposals for the smartcards [regarding] making them available and making them work, and I have great reservations whether we can in the first place.
Mat Hanrahan: But the unique ID doesn't necessarily have to be enclosed in a smartcard, it can just be held on a database at the back-end.
Simon Davies: I think that raises a number of privacy issues, that will be addressed—
Mat Hanrahan: Is that an issue with the green paper and the Child Protection Act?
Richard Allan: What's different in the context of the data we're looking at under RIPA is that people have multiple identities, none of them verified by Government; they are individual identities: my relationship with BP, with Demon, etc. So independent reasons for that. I think smartcards are a loony ID; they're a solution looking for a problem.
Mat Hanrahan: But unique ID at the backend?
Richard Allan: I don't think it will come into the RIPA stuff, but there's all sorts of other stuff it may have relevance to, investigations or otherwise that government may want to carry out, how useful a unique ID might be; but my communication is held on my BT account number, etc., and I can't see anyone proposing to link that into a unique ID.
(Mat Hanrahan has helped me correct this part of the transcript, not least my mis-hearing of his name. He suggests it may be interesting to compare this with Nicola Roche's comments in response to Q17 of the Home Affairs Select Committee's questions to the Home Office, where Ms Roche misses this point completely.)
Anonymous female: Operation Ore — why is technology not being used to prosecute Operation Ore suspects? There are thousands of pædophiles known to have accessed the FBI child porn site…
Anonymous male: Corrected some of the "facts" mentioned by the previous questioner about Operation Ore. Importantly, Operation Ore has the names and addresses of thousands of credit card numbers, not thousands of pædophiles. Many of these credit cards had been reported stolen before the Operation was even publicised.
DI Donovan: There is an issue of Data Retention — how can we preserve that which we have not retained?
Richard Allan: Of course one could find things as a result of Data Retention, but are we consenting to that retention?
David Carnegie, Earl Northesk: Data can be very useful, but the fundamental issue is that systems must be trust-based.
Anonymous male: A clarification on Data Retention and Data Preservation. A request for Preservation must come in before the data are deleted (as a part of the normal business practices of the CSP). The data are deleted, customarily, because they are very large. Keeping these data for an order of magnitude longer time than CSPs already do is a big storage issue. The current régime of Preservation (used in cases of hacking and Computer Misuse) works well already.
Anonymous male: One could make an analogy to regular waste. Trash often includes evidence of crimes, but we don't mandate that people don't throw out their trash, just in case they're disposing of evidence. Sometimes, things are just the wrong solution.
Simon Watkin: The SIs can only address Secondary Legislation issues. The Home Office recognises that there are insoluble issues which will be part of an ongoing process. Telephony/Internet issues are complex, because of VoIP and so on.
There is some acceptance that these data are valuable. There are cases that have shown that data have been required and that this has only been known some time after the event.
If the public wants to stop data being kept, then society must consent to that too. Simon mentioned how the "Real" IRA members involved in the White City BBC bombing were only caught from their mobile phone location data, which was only recognised some time after the event.
The Home Office recognises that some areas need further examination, especially that of sanctions for abuse of the RIP and ATCSA processes. "We're not there yet, but we're all moving in the right direction."
Simon Moores: Simon finds that a good yardstick is to try to explain things to a London cabbie […]. Is this approach a sledgehammer to crack a walnut? Any régime must, self-evidently, be both transparent and proportionate.