From: "Caspar Bowden" <[log in to unmask]> To:CSL
Subject: Guardian 15/11/2001: "The net's eyes are watching"
Date: Thu, 15 Nov 2001 23:48:57 -0000
--------------------------------------------
http://www.guardian.co.uk/online/story/0,3605,593343,00.html=20
The net's eyes are watching=20
The new anti-terrorism bill may force internet firms to spy on us. S A
Mathieson reports=20
Thursday November 15, 2001
The Guardian=20
Anti-terrorism measures announced this week by the home secretary, David
Blunkett, will dramatically increase the amount of information internet
service providers can keep on their customers, the Home Office has
admitted.=20
Part 11 of the emergency anti-terrorism, crime and security bill,
announced on Tuesday, will allow internet service providers (ISPs) to
keep a year's worth of information on their customers' internet
activity. Two reasons are given: safeguarding national security, and the
prevention and detection of crime.=20
Most ISPs currently retain such data on emails for, at most, three
months. Others delete it immediately, or within days. None of the ISPs
interviewed by the Guardian say they store data on general web-browsing
against individual accounts.=20
Yet the Home Office says the bill is likely to allow the collection and
storage of detailed information about web-browsing as well as email,
subject to a planned voluntary code.=20
That would be an extension of monitoring likely to outrage civil
liberties groups and spark protests from internet industry
organisations.=20
Blunkett's bill would not oblige ISPs to hoard web browsing informa tion
- yet. But clause 102 allows the home secretary to force traffic data
retention if he feels the voluntary code is failing to work. He would
force compulsory retention through a statutory instrument, a relatively
easy procedure compared with getting a bill through parliament.=20
Under the Regulation of Investigatory Powers (RIP) Act, passed last
year, police and other state investigators such as the Inland Revenue
already have the ability to seize traffic data (see panel). This is
effectively self-regulated, as it requires only the say-so of a police
superintendent or equivalent rank to gather the data.=20
Seizures can be justified by minor crimes, tax evasion or health and
safety inquiries, despite Mr Blunkett suggesting in an article for
Tribune, a leftwing weekly newspaper, that the extensions to ISPs'
powers to retain data were only designed to fight terrorism.=20
Today, applications for content data - listening to someone's phone
calls, reading the content of their emails or seeing the pages they
download - have to be passed by the home secretary. They are only
allowed for serious crime, threats to national security and safeguarding
national well-being.=20
The police see the proposed change as removing an anomaly. Under current
data protection laws, personal information must be deleted when it is of
no further use to the business. The police can only see traffic data
while it exists - and at ISPs, this is not for very long, particularly
for websites visited.=20
Phone companies have a legitimate business reason for keeping traffic
data: they use it to calculate customers' bills. BT retains it for seven
years for its 28m UK fixed lines.=20
But ISPs do not charge by the email, and so do not need to keep the
information that long. AOL says it retains email traffic data for three
months, Freeserve for 90 days. Claranet, an ISP that has campaigned for
protection of its customers' data, retains it for just a fortnight,
although it is now increasing this in preparation for the proposed laws.
The secretary-general of the Internet Service Providers Association,
Nicholas Lansman, says the cost of a year's worth of traffic data
retention could soar into the millions for some ISPs, should they choose
- or be forced to - take up their proposed new rights.=20
As for web-browsing, Freeserve says it retains individualised data for
its own chatrooms aimed at children, but that it retains only anonymous,
aggregated data on its customers' general web-browsing. AOL retains only
aggregated data.=20
Claranet does not keep even this much, and is shocked by the idea of
retaining personalised logs. Steve Rawlinson, the company's chief
technology officer, says keeping such logs would mean "a complete
reorganisation of our network", and could lead to ISPs moving abroad to
protect customers' privacy.=20
"It's extremely intrusive, and I think we would be very unhappy," he
says.=20
The National Criminal Intelligence Service (NCIS), which produces
intelligence for UK law enforcement authorities, has been asking for
standardisation between phone and internet traffic retention for more
than a year.=20
According to a document written by the NCIS deputy director-general
Roger Gaspar in August 2000 (later leaked to the Observer), police
forces, Customs and Excise, MI5 and MI6 would like all communications
traffic data retained for seven years.=20
The NCIS now says the leaked document does not represent the
organisation's view, but adds that the case for internet traffic data
retention has strengthened since September 11.=20
"In the real world, you have witnesses, forensics, DNA profiling and
fingerprints," says the spokesperson. "In the digital world, all you've
got is data. If that data is being erased as it's created, you haven't
got any equivalent of forensics. Our position is that law enforcement
must be provided with a reasonable minimum."=20
Some think that law enforcement already has access to plenty of data.
The RIP Act gives them some of the strongest powers in the
industrialised world to tap communications.=20
Roger Bingham, spokesman for Liberty, the civil rights group, says: "In
terms of exceptional circumstances, we can see how it might be
reasonable to retain data a little longer, on the basis that police can
get information on specific people where there is a clear and reasonable
suspicion.=20
"As a safeguard, we think the police should seek a judicial warrant for
reasonable suspicion of terrorist activity."=20
This is somewhat different to what is proposed - keeping everyone's
data, then granting access for minor crimes on the strength of a
police-issued warrant. Technically minded MPs, although supportive of
the fight against terrorism, have doubts.=20
Richard Allan, the Liberal Democrat's IT spokesman, says: "I find it
very difficult to see what point there is to it, in terms of catching
anyone doing anything."=20
He calls for more work on targeting individuals, pointing out that any
serious criminal would use anonymous library or web-caf=E9 terminals.=20
And Brian White, a backbench Labour MP who chairs the IT
industry-parliament liaison group Eurim, worries that this legislation
will not be technically practicable. "I have some concerns that we won't
repeat the problems we had with the RIP Act," he says.=20
The bill's voluntary code puts the onus on ISPs, and the two largest
ISPs in the country are not keen to participate. David Melville, company
secretary of Freeserve (with 18% of the UK's web-users), says the ISP
could extend retention of email traffic data from 90 days to a year,
without much technical difficulty.=20
But that's not the point. "I'm slightly worried that a period of
retention beyond 90 days means me knowing a little bit more than I need
to know," he says. "I think there's a creeping sense of worry about
whether the response is proportional."
Freeserve's traffic goes through UK servers. But all AOL traffic, with
17% of UK subscribers, goes through servers in Virginia.=20
Caspar Bowden, director of the Foundation for Information Policy
Research, an IT think-tank, says this means UK users may be hit by the
strict USA Act. "If you're a British subscriber to AOL, your data could
be raided by the FBI," he warns.=20
Bowden says the USA Act, passed late last month, means the US has
overtaken the UK in the strength of its abilities to bug the internet.
The act allows law enforcement agencies to collect both traffic and
content data, and for the data to be passed to nearly any government
department.=20
However, Clare Gilbert, AOL Europe's senior vice-president for public
policy and regulatory affairs, says she would be very surprised if the
USA Act affected UK users, as AOL knows which country its traffic
streams comes from, even if it does all flow through Virginia.=20
But she says that UK law enforcement authorities have to obtain an
international warrant to get access to UK-held AOL accounts. "It's an
additional hoop. We make that process as painless as possible," she
says.=20
Gilbert sees little need to extend AOL's retention of email traffic data
beyond three months. "We've been working with the police since we
established in the UK in 1996.=20
"Where we're dealing with police who are efficient in their duties, it
works," she says. "There's never been an instance where the process in
place has not worked. We question the need to force or allow ISPs to
keep data for a year - it doesn't really make sense."=20
Gilbert says an alternative is data preservation: law enforcement
authorities express interest in named individuals, and ISPs retain their
account data until a warrant is produced. "It's much easier to preserve
specific data than randomly keep vast amounts. You're talking about
billions and billions of IP addresses over a 12-month period."=20
Yet this is what UK ISPs will soon to be allowed to do - with the
pressure of compulsion if the home secretary decides they don't
volunteer enough.=20
The bill is published in PDF format at:
www.publications.parliament.uk/pa/cm200102/cmbills/049/2002049.htm
************************************************************************************
Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion
list made up of people who are interested in the interdisciplinary academic
study of Cyber Society in all its manifestations.To join the list please visit:
http://www.jiscmail.ac.uk/lists/cyber-society-live.html
*************************************************************************************
|