Guardian: Privacy fear over (new) plan to store email (fwd)
ukcrypto@locofungus.org
Tue, 20 Aug 2002 15:59:56 +0100 (BST)
On Tue, 20 Aug 2002, Owen Blacker wrote:
> I meant to send this here too.
>
> > http://www.guardian.co.uk/netprivacy/article/0,2763,777574,00.html
> >
> > Full text at the href above. Highlights:
> >
> > * EU admits plan an invasion of privacy but specifies retention
> > periods as minimum 12 months, maximum 24 months.
> >
> > * "Confidentiality and integrity" of retained traffic data must
> > be "ensured", by methods unspecified.
> >
> > * No individual right to check accuracy of data. No individual
> > right to challenge decisions on its use by EU authorities.
> >
This is going to be a right royal PITA. One of the machines I administer
might need to do this, which is going to need a new /var/log or some
other way of storing/backing up this information. (I hope not, but this
will probably need a donation to a lawyer's bank account to confirm :-)
But would the following work[1]? (I'm not intending to implement this on my
servers ;-)
When each new customer signs up they are given the option to supply a
public key (and $$$, I've got to pay those lawyers :-)
Once the logs reach the end of their useful life to me (4 weeks currently
before I delete them), I make a random session key and encrypt the logs.
I then encrypt this random session key with each of the supplied public
keys in turn and store the final result (together with the exact order of
the keys and who has the corresponding private keys).
I destroy the session key and all intermediate values, keeping just the
encrypted logs and session key.
When plod requests the logs, I provide him with the encrypted logs together
with the encrypted session key. Being a cooperative citizen I will also,
if he requests it, ask the various users to supply their private keys.
(Of course, I can't force them to supply them, but plod can always use the
act to demand them.)
As part of my duty of care, when I do my annual disaster recovery tests,
I also ensure that the various users still hold the matching private key
and if they have lost it, insist that they produce a new key.
======
I also run a private mailserver and don't relay via my ISP's mailserver.
Will I have to keep my own logs, or will my ISP have to keep logs of
my outgoing emails? (Freeserve intercepts port 25, but I hope that
other ISPs don't decide that they have to do this also.)
Regards,
Tim.
[1] Legally rather than practically. I _think_ it ensures that plod can't
read traffic data relating to my customer without my customer knowing, but
I haven't thought it through in detail so there might be attacks against
the system.
--
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t,"
and there was light.
http://tjw.hn.org/ http://www.locofungus.btinternet.co.uk/
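The escrow scheme sketched in Tim's message (random session key over the logs, that key then wrapped to each customer's public key in turn, the session key destroyed, and every private key needed in reverse order to get anything back), as an added worked example in Go using only the standard library. This is not Tim's code and nothing on the page implements it. Assumptions not in the original: each wrapping layer is hybrid, RSA-OAEP over SHA-256 wrapping a fresh AES-256-GCM key that seals the previous blob, because after the first wrap the blob is already larger than one RSA block and cannot be fed to RSA directly; the "exact order of the keys" is carried by slice order; and the log lines and the three 2048-bit customer key pairs are constructed in the code, standing in for a real log and for keys customers supplied at sign-up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample traffic data standing in for four weeks of mail logs.
var sampleLogs = []byte("Aug 20 15:59:56 mx postfix/smtpd[4711]: connect from unknown[192.0.2.10]\n" +
	"Aug 20 15:59:57 mx postfix/qmgr[1234]: 3F2A1: from=<alice@example.org>, size=2048\n")

const keyLen = 32 // AES-256; the session key and every per-layer key are this long
// must panics on error; it guards only calls whose failure means the platform is broken.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func mustRandom(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func mustGCM(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// sealGCM returns nonce||AES-256-GCM(key, plaintext); openGCM reverses it.
func sealGCM(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

// Escrow encrypts logs under a fresh session key, then wraps that key to each customer's public
// key in turn, hybrid per layer (RSA-OAEP wraps a fresh AES key) since the blob outgrows one RSA block.
func Escrow(logs []byte, customers []*rsa.PublicKey) ([]byte, []byte, error) {
	sessionKey := mustRandom(keyLen)
	encLogs := sealGCM(sessionKey, logs)
	blob := sessionKey // innermost layer: the bare session key
	for _, pub := range customers {
		layerKey := mustRandom(keyLen)
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, layerKey, nil)
		if err != nil {
			return nil, nil, err
		}
		blob = append(wrapped, sealGCM(layerKey, blob)...) // wrapped is exactly pub.Size() bytes
	}
	return encLogs, blob, nil // the session key and the layer keys die with this stack frame
}

// Recover peels the layers in reverse, so privs must hold every customer's key in the order the
// public keys were given to Escrow; a missing, wrong or misordered key fails its layer's OAEP unwrap.
func Recover(encLogs, nested []byte, privs []*rsa.PrivateKey) ([]byte, error) {
	blob := nested
	for i := len(privs) - 1; i >= 0; i-- {
		n := privs[i].Size()
		if len(blob) < n {
			return nil, fmt.Errorf("layer %d: blob shorter than one RSA block", i)
		}
		layerKey, err := rsa.DecryptOAEP(sha256.New(), nil, privs[i], blob[:n], nil)
		if err != nil {
			return nil, fmt.Errorf("layer %d: %w", i, err)
		}
		if blob, err = openGCM(layerKey, blob[n:]); err != nil {
			return nil, fmt.Errorf("layer %d: %w", i, err)
		}
	}
	if len(blob) != keyLen { // only true once every layer has been peeled off
		return nil, fmt.Errorf("not fully unwrapped: a customer's key is missing")
	}
	return openGCM(blob, encLogs)
}

// genCustomers makes n key pairs standing in for the keys customers supplied at sign-up.
func genCustomers(n int) (pubs []*rsa.PublicKey, privs []*rsa.PrivateKey) {
	for i := 0; i < n; i++ {
		k := must(rsa.GenerateKey(rand.Reader, 2048))
		pubs, privs = append(pubs, &k.PublicKey), append(privs, k)
	}
	return pubs, privs
}
func main() {
	pubs, privs := genCustomers(3)
	encLogs, nested, err := Escrow(sampleLogs, pubs)
	got, rerr := Recover(encLogs, nested, privs)
	fmt.Println("all keys:", err, rerr, string(got) == string(sampleLogs))
}
```

Escrow hands back only the two ciphertexts; the session key and the per-layer keys are never stored, which is the "destroy the session key and all intermediate values" step. Recover has to be given every private key in the original order and fails outright if one is missing, wrong or out of place (try it with privs[:2] or with two keys swapped), which is also why the annual check that customers still hold their keys matters: one lost key makes the whole retained period unrecoverable. Note that the code enforces only the "all keys needed" property; the customer finding out about a request comes from having to be asked for the private key, not from anything cryptographic.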