EU says URLS and Search Terms _are_ PECR data

Caspar Bowden ukcrypto at chiark.greenend.org.uk
Wed, 16 Apr 2008 14:21:37 +0100 

>From: ukcrypto-admin@chiark.greenend.org.uk [mailto:ukcrypto-admin@chiark.=
greenend.org.uk] On Behalf Of Ian Batten
..
>Taken from a post to a Phorm inventor forum a few minutes ago.  I
>don't have a real source, I'm afraid.  This is an interesting contrast
>to Caspar's take on PECR last night.  The money shot is ``The data
>concerned in this particular matter i.e. the content of search
>queries, constitute communication within the meaning of this Directive
>and the URLs used in the packets constitute traffic data. This data
>should therefore be protected appropriately.''

Indeed, I find this surprising (in terms of what the e-Privacy Directive sa=
ys rather than what perhaps it ought to say...)

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=3DCELEX:32002L0058:EN=
:NOT
<<<Recital (15) A communication may include any naming, numbering or addres=
sing information provided by the sender of a communication or the user of a=
 connection to carry out the communication. Traffic data may include any tr=
anslation of this information by the network over which the communication i=
s transmitted ***FOR THE PURPOSE OF CARRYING OUT THE TRANSMISSION***. Traff=
ic data may, inter alia, consist of data referring to the routing, duration=
, time or volume of a communication, to the protocol used, to the location =
of the terminal equipment of the sender or recipient, to the network on whi=
ch the communication originates or terminates, to the beginning, end or dur=
ation of a connection. They may also consist of the format in which the com=
munication is conveyed by the network
...

Article 2 - Definitions
...
(b) "traffic data" means any data processed FOR THE PURPOSE OF THE CONVEYAN=
CE of a communication on an electronic communications network or for the bi=
lling thereof>>>

Hmmm. I suppose one might argue that in an ISP system which has been Phorme=
d, that the processing of the URLs and search terms etc. has become necessa=
ry for the purpose of the conveyance of the communication, because that is =
the way the ISP has contrived to gimcrack their system. But that seems to t=
orture the meaning of "purpose".

It seems to me the point is that providers of communications services shoul=
d not be mucking about with CONTENTS of the communication, viz.

<<<Recital (21) Measures should be taken to prevent unauthorised access to =
communications in order to protect the confidentiality of communications, *=
**INCLUDING BOTH THE CONTENTS AND ANY DATA RELATED TO SUCH COMMUNICATIONS**=
*, by means of public communications networks and publicly available electr=
onic communications services. National legislation in some Member States on=
ly prohibits INTENTIONAL unauthorised access to communications.

Article 5 - Confidentiality of the communications

1. Member States shall ensure the confidentiality of communications and the=
 related traffic data by means of a public communications network and publi=
cly available electronic communications services, through national legislat=
ion. In particular, they shall prohibit listening, tapping, storage OR OTHE=
R KINDS OF INTERCEPTION OR SURVEILLANCE OF COMMUNICATIONS AND THE RELATED T=
RAFFIC DATA BY PERSONS OTHER THAN USERS, WITHOUT THE CONSENT OF THE USERS C=
ONCERNED, except when legally authorised to do so in accordance with Articl=
e 15(1). This paragraph shall not prevent technical storage which is necess=
ary for the conveyance of a communication without prejudice to the principl=
e of confidentiality>>>

So there's an interesting twist here: Recital 21 flags up that some member =
states only prohibit INTENTIONAL unauthorised access (with the implication =
that those Member States should fix their laws). And yea verily, S.1(1) of =
RIPA says

<<< Unlawful interception
1(1) It shall be an offence for a person intentionally and without lawful a=
uthority to intercept>>>

So

Q1. Was the end bit of Recital 21 having a dig at RIPA (amongst other natio=
nal laws)?

Q2. is the ISP's defence, "we didn't realise we were intercepting, honest g=
uv"?

Q3. If lots of people tell the ISP that they think they ARE being intercept=
ed, does that nullify the defence?

--
Caspar Bowden