Web Browsing Records
Brian Beesley
BJ.Beesley at ulster.ac.uk
Thu, 13 Mar 2003 14:21:21 +0000
On Wednesday 12 March 2003 15:52, Watkin Simon wrote:
>
> The data retention paper includes examples - not claims - of terrorist
> investigations which were facilitated by the recovery of communications
> data that was over 12 months old (where that data was held for business
> purposes.)

I think you're making a very important mistake here.

I rather think that terrorist investigations which may have been "assisted"
in this way involved some detectable actions other than those which might
have been recorded in telecomms logs. (e.g. murder, kidnapping, bodily harm,
destruction of property, extortion, ...). Even if you fail to detect
terrorists directly, experience is that terrorists are serial offenders; in
fact, terrorism depends on the threat or actuality of continuing action.
(Even when individual terrorists engage in suicide operations, the
organization as a whole must survive in order for the action to be at all
meaningful).

So my assertion is that, in the long term, the detection rate for terrorist
investigations would not be affected much by retaining access to
communications data for periods of time greater than, at most, a few days.

>
> When we say, after lengthy consultation with industry and the Information
> Commissioner, that the maximum retention period for the purpose of
> safeguarding national security should be 12 months we say that in the
> knowledge that the past capability to detect terrorists using 12+ months
> data will no longer exist - if, as I think we are seeing, retention periods
> for business purposes continue to tumble.
>

So there is a risk that a few specific incidents will occur that might
otherwise have been prevented.

- What about the incidents that weren't stopped in real time because
investigators had their heads buried in ancient communications data instead
of being at places where incidents might actually occur?

- What about the incidents which continue to occur whilst the comms data is
"ageing"? If you say that you don't have a "pattern" until months of activity
has been collated, then it seems to me that use of this tool as a
preventative measure is pointless.

What I'd like to see (and I'm sure a large number of other people are with me
on this) is a graph of the proportion of incidents which _could_ be prevented
vs the length of time comms data is retained. My guess is that the initial
curve is steep, but flattens out within a few days.

Brian Beesley