"Warrants authorising phone taps treble"

Roland Perry ukcrypto at chiark.greenend.org.uk
Sun, 3 Feb 2008 15:07:22 +0000 

In article <2298D4476FA2F44591690E423F07C37B11F3AFC4B6@EA-EXMSG-
C333.europe.corp.microsoft.com>, Caspar Bowden <casparb@microsoft.com>
writes

>I think people forget that the idea of lumping together reverse DQ,
>traffic data, and location data into one catch-all category of comms
>data (under the same administrative self-authorisation framework) was
>one of the landgrabs of RIPA that was never properly scrutinised.

It was scrutinised at some length, hence the emergence of the separate
categories.

> Why shouldn't traffic and location data be subject to prior judicial
>authorisation, as in most other countries?

The situation varies widely, with some investigators having access to
much more non-judicial access than RIPA allows. Trying to harmonise this
over Europe begs many questions about the different regimes in different
countries.

>The stock answer would be there are too many requests, not enough
>judges, but to gauge the plausibility of this, it would be helpful to
>know the breakdown of the exercise of Pt.1 Ch.2 powers amongst the
>different category of comms data, but the IoCC doesn't tell us.

I agree that they should.

>SpyBlog got this rather puzzling answer when he tried a FOIA on another
>matter http://www.spy.org.uk/foia/2006/01/interception_of_communication
>s.html.

Some confusion between the Commissioner and his 'Office' perhaps.

>Perhaps Simon can tell us whether the HO "collates this information
>centrally", and thus whether a FOIA to the Home Office might work. Of
>course if HO does NOT have that information, it's hard to see how they
>could properly formulate future policy and designations.

There seems to me to be an understandable reluctance to answer such
questions with "rough" figures that might be good enough for policy
formulation, but not precise enough to be inflicted upon journalists.
Would they be happy with figures like "7-10%", or would they use such a
degree of imprecision as another stick to beat people with?

>>They discussed concepts, and from a very early stage as well...
>
>ISTR raising the specific issue early and often in many different fora,
>but always getting stonewalled on whether full URLs were sought or not.

That was probably because we were still working on what expressions like
"full urls" meant in practice. You may have assumed people knew at a
glance what it was they were being expected to have a view on. Not as
simple as that I'm afraid.

>>The problem is, you can't write "ignore everything beyond the first single
>>forward slash" into an Act.
>
>Of course all this happened pre-data retention, so the question then
>was how blanket retention of ANY traffic (rather than subscriber) data
>by ISPs was lawful under data protection?

It's still the case that the most overlooked aspect of all of this is
"who logs what and why". You can't either retain or disclose something
you don't log in the first place.

>(It's STILL a valid question wrt traffic data not covered by the DRD).

The big debate at the time (for data retention anyway) was the size of
the logs, which were mainly those incidental to the operation of web
caches. You may recall that the retention period was negotiated down to
3 days, as that was all that made sense given both the size, and the
operational requirements which had caused the logs to be kept at all.

>So from that point of view there should have been no need to worry
>about drafting slash language, as the data it sought to catch shouldn't
>have existed at all.

And it would have been more sensible to ignore the possibility that the
data might exist in the future, and fail to introduce measures to cope
with that? Surely not.

>Any traffic data that ISPs decided needed to be case-by-case retained
>for e.g. QoS investigation could have been got through production
>orders anyway.

That's an old and somewhat cracked record.

>>As Margaret Thatcher might have said "There's no such thing as the Civil
>>Society". Maybe we should start one.
>
>That's basically what FIPR was for, faute de mieux. Govt chooses which
>trade/lobby groups they want inside the magic circle. ISTR that a year
>or two earlier in the crypto wars, they excluded FIPR from a "Working
>Group" because it would "lead to an uncontrollable agenda" (i.e. others
>present might be persuaded).

So if you made too many waves to enter the circle yourself, enter it by
proxy. Which is exactly what you did.

>>And when you have "sensitive personal data" having a specific meaning
>>within the DPA, it's unhelpful when people apply the word "sensitive"
>>outside that context (which has recently in a debate in Europe).
>
>I wonder which instance you are thinking of?

http://informationweek.com/news/showArticle.jhtml?articleID=205916731
-- 
Roland Perry