YouGov :"POLL - Blunkett's proposals on internet privacy: for or against"

Charles Lindsey <chl at clw.cs.man.ac.uk>
Fri, 14 Dec 2001 21:18:41 +0000 (GMT)


	On Fri, 14 Dec 2001 13:14:45 -0000
	"Caspar Bowden" <cb@fipr.org> said...

> 
> > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Charles
> > Lindsey
> ...
> > I don't think RIPA allows "articles read" and "use of newsgroups" to be
> > classed as communications data. I think the most that could be stored
> > would be the identity of the site to which an HTTP or NNTP connection
> > was made (and even that might turn out to be a proxy in most cases,
> > unless the LEA also has access to the proxy logs and the means to do
> > the necessary correlations).
> 
> I agree with this, although seems arguable that newsgroup (not article
> number) might fall within defn. of traffic data - but I wouldn't care to put
> money on it.

All of the stuff that is proposed to be retained MUST be "communications
data", as defined by RIPA. This comprises:

S21(4)(a) Address information which travels with a communication (so
that it gets to the right place, and maybe source addresses so the reply
can get back again). That might be IP addresses within packets, or email
addresses within emails (either in headers or in the envelope).

S21(4)(b) Logging information about what packets were sent, or
connections made, or emails handled, but that information MUST be keyed
to a "person" (I might extend that to include an "address", as being
representative of the "person"). Moreover, it MUST NOT include any
"content" of the communications. Certainly RADIUS logs are fair game.

S21(4)(c) Account information (who is the real person behind an email
address or IP address).

Clearly, this present fuss relates only to S21(4)(b). Requests for
S21(4)(a) material would be requests to record stuff as it went by,
which is essentially the same as interception with an SOS warrant, except
that you only extract the communications data. S21(4)(c) is static
information, so the question of retention times does not arise.

Now look at newsgroup access, as it fits within S21(4)(b). You make an
IP connection to port 119 of some server, and go through a "greeting"
process (which may involve passwords, etc). Now you have a TCP
connection, and can exchange data contained in IP packets.

The administrator of the server (who may or may not be an ISP, or a
telecommunications provider, but let us suppose he is) may well keep
logs of when you connected, and for how long, so Plod can know which
server you connected to. The ISP could, in theory, keep logs of every
packet you sent, but can only divulge the identity of the hosts from
and to which it was sent (so Plod knows, at most, the quantity of data
you sent). But in fact no ISP in his right mind would regularly log at
that level of detail (though it might be recorded in real time under
S21(4)(a) in specific cases).

Note that the connection is made "to" a server, not "to" a newsgroup.
The data you now exchange with the server is "content", which in this
case consists of commands and responses under the NNTP protocol.

"Please Mr Server, record that my current Group is misc.test" (the NNTP
protocol is stateful in that respect).

"Please Mr server, send me article so and so" (which you may specify by
article number within the current group, or by message ID).

"Please Mr server, tell me what articles have arrived in groups
misc.test (and a load of other groups) since such-and-such a time".

None of that is communications data. The situation with HTTP requests is
similar. It is arguable that even the port number is not communications
data.


	On Fri, 14 Dec 2001 12:52:54 +0000
	Ian G Batten <I.G.Batten@ftel.co.uk> said...

> Having in the past week been served with an order by NCIS to provide
> information from my logs dating back to September --- which, needless to
> say, I don't have --- I've been watching the new legislation with
> interest.

Currently, NCIS cannot "order" you to do anything (that bit of RIPA is
not in force yet). So I hope they asked you politely :-) .

>  I'm still not clear what I (a) must and (b) may retain as
> logging on things like mail servers, web proxies and dialup access
> servers.  As of the final version of the Terrorism Act, is it OK to just
> keep no logs?

Are you a "telecommunications operator"? Yes, I think so, because
you provide a service to the staff of Fujitsu over a private
telecommunications system (which is connected to a public
telecommunications system). But, being private, they cannot lean on
you quite so heavily (in particular, they cannot make you fit "Black
Boxes").

You keep whatever logs are needed for the efficient running of your
service. The Blunkett Bill will allow you (even require you eventually)
to retain them longer than you otherwise might, and perhaps even to
keep logs which you otherwise might not, but that has to be "reasonably
practicable" (S22(7)), so I reckon logging every IP packet is out.

Mail servers. The things that sendmail routinely logs seem fair game.

Web proxies. An interesting case, since a lot of what you log might not
be "communications data" within the meaning of the act.

Dialup access server. RADIUS logs? Yes, certainly.

> To take a slightly complex example, I have a personal offsite server,
> which is hosted in another organisation's racks. It does outgoing SMTP
> for me, not passing through their mail relay. Are they in a difficult
> position, allowing mail to leave their network without logging it? Do
> I have to keep logs?

Your telecommunications system extends as far as your co-located box.
Your contract with the provider (who presumably operates a public
telecommunications system) is for the delivery and receipt of IP
packets. Nothing more. So if Plod wants to know whether the IP packets
contained mail, and to whom, then he has to come to you. Insofar as the
provider keeps logs of your IP traffic (and I doubt he does much beyond
recording statistics of usage, so he can bill you) those logs can be
inspected.

If the SOS signs an interception warrant, then he can require your
provider to look at your traffic in much more detail, of course, but
that is another topic entirely.

And he may be required to divulge, under S21(4)(c), what block of IP
addresses you use, and who you are, etc.

Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl@clw.cs.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
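
Added example, not part of the original message: a log-minimisation sketch that follows the reading given above, keeping only connection-level facts about an NNTP session (hosts, times, quantity of data) and discarding the commands, whose arguments name the groups and articles. The session data, field names and function names are constructed for illustration, and the port is opt-in because the message calls it arguable.

```python
import json
from datetime import datetime

# Constructed sample: one client-to-server NNTP session (not real traffic).
SESSION = {
    "client_ip": "192.0.2.10",
    "server_ip": "198.51.100.5",
    "server_port": 119,
    "start": "2001-12-14T21:00:00",
    "end": "2001-12-14T21:04:30",
    "client_lines": [
        "GROUP misc.test",
        "ARTICLE 4021",
        "ARTICLE <constructed-id@example.invalid>",
        "NEWNEWS misc.test,misc.misc 011214 000000 GMT",
        "QUIT",
    ],
}

def retained_record(session, include_port=False):
    """Connection-level entry: which hosts, when, for how long, how much data."""
    start = datetime.fromisoformat(session["start"])
    end = datetime.fromisoformat(session["end"])
    record = {
        "client_ip": session["client_ip"],
        "server_ip": session["server_ip"],
        "start": session["start"],
        "duration_s": int((end - start).total_seconds()),
        # Quantity only: bytes of each line plus CRLF, never the lines themselves.
        "bytes_sent": sum(len(l.encode()) + 2 for l in session["client_lines"]),
    }
    if include_port:  # assumption: opt-in, since the port's status is arguable
        record["server_port"] = session["server_port"]
    return record

def dropped_commands(session):
    """NNTP verbs seen in the stream; their arguments are treated as content."""
    return sorted({line.split()[0].upper() for line in session["client_lines"]})

def leaks_content(record, session):
    """True if any command argument from the session appears in the record."""
    blob = json.dumps(record)
    args = {tok for line in session["client_lines"] for tok in line.split()[1:]}
    return any(tok in blob for tok in args)

if __name__ == "__main__":
    rec = retained_record(SESSION)
    print(json.dumps(rec, indent=2))
    print("discarded:", dropped_commands(SESSION), "leak:", leaks_content(rec, SESSION))
```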