"Warrants authorising phone taps treble"
Caspar Bowden
ukcrypto at chiark.greenend.org.uk
Sun, 3 Feb 2008 22:41:18 +0000
>From: ukcrypto-admin@chiark.greenend.org.uk [mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of Roland Perry
>>I think people forget that the idea of lumping together reverse DQ,
>>traffic data, and location data into one catch-all category of comms
>>data (under the same administrative self-authorisation framework) was
>>one of the landgrabs of RIPA that was never properly scrutinised.
>It was scrutinised at some length, hence the emergence of the separate
>categories.
A bunch of officials and industry insiders ruminating in secret isn't really what most mean by scrutiny is it?
>> Why shouldn't traffic and location data be subject to prior judicial
>>authorisation, as in most other countries?
>The situation varies widely, with some investigators having access to
>much more non-judicial access than RIPA allows. Trying to harmonise this
>over Europe begs many questions about the different regimes in different
>countries.
That's just waffle. There are arguments about why admitting intercept data is less problematic in inquisitorial systems, but that's irrelevant to this question. Why shouldn't independent judges decide if a given request is proportionate, in advance (with some bypass procedure for emergencies).
...
>>SpyBlog got this rather puzzling answer when he tried a FOIA on another
>>matter http://www.spy.org.uk/foia/2006/01/interception_of_communications.html.
>Some confusion between the Commissioner and his 'Office' perhaps.
Eh?
>>Perhaps Simon can tell us whether the HO "collates this information
>>centrally", and thus whether a FOIA to the Home Office might work. Of
>>course if HO does NOT have that information, it's hard to see how they
>>could properly formulate future policy and designations.
>There seems to me to be an understandable reluctance to answer such
>questions with "rough" figures that might be good enough for policy
>formulation,
Why not give exact figures? The IoCC gives a precise total, and there aren't any "Birkett" reasons for withholding the breakdown in categories.
>but not precise enough to be inflicted upon journalists.
>Would they be happy with figures like "7-10%", or would they use such a
>degree of imprecision as another stick to beat people with?
What are you talking about?
>>They discussed concepts, and from a very early stage as well...
>
>ISTR raising the specific issue early and often in many different fora,
>but always getting stonewalled on whether full URLs were sought or not.
>That was probably because we were still working on what expressions like
>"full urls" meant in practice. You may have assumed people knew at a
>glance what it was they were being expected to have a view on. Not as
>simple as that I'm afraid.
No, I was typically blunt and specific, and spelled out the difference it would make to capabilities for privacy intrusion, and how the appallingly (deliberately?) vague wording in the published Bill could mean a number of different things. If that was a genuine attempt at drafting clarity, maybe it would have been easier with some specific consultation (with explicit and genuine choices on offer over authorisation mechanisms)
>>>The problem is, you can't write "ignore everything beyond the first single
>>>forward slash" into an Act.
>>Of course all this happened pre-data retention, so the question then
>>was how blanket retention of ANY traffic (rather than subscriber) data
>>by ISPs was lawful under data protection?
>It's still the case that the most overlooked aspect of all of this is
>"who logs what and why". You can't either retain or disclose something
>you don't log in the first place.
Obviously
>>(It's STILL a valid question wrt traffic data not covered by the DRD).
>The big debate at the time (for data retention anyway) was the size of
>the logs, which were mainly those incidental to the operation of web
>caches. You may recall that the retention period was negotiated down to
>3 days,
Surely any such "negotiation" must have happened around ATCSA, since at the time of RIPA and pre-ATCSA there was no statutory basis whatsoever for any minimum retention period. Of course, cognoscenti knew from the Gaspar document that LEAs were itching to have mandatory retention.
>as that was all that made sense given both the size, and the
>operational requirements which had caused the logs to be kept at all.
Namely? What were these operational requirements? Did any ISP go out of business by NOT retaining any web caches, or IPs of the associated customers?
>>So from that point of view there should have been no need to worry
>>about drafting slash language, as the data it sought to catch shouldn't
>>have existed at all.
>>And it would have been more sensible to ignore the possibility that the
>>data might exist in the future, and fail to introduce measures to cope
>>with that? Surely not.
Well, ministers gave assurances that they were not going to introduce data retention, and then 9/11 happened and they changed their mind with ATCSA Pt.11. If a minister gives assurances that they are not going to set up a population register of fishfinger consumption (detailing every breadcrumb), it seems otiose to spend a lot of time figuring out how such a fishfinger register is going to be accessed in such excruciating detail. Unless you believe and acquiesce to the idea that a fishfinger register is going to happen anyway. However if your employer at the time was a prominent fishfinger exchange (whose clients would be greatly encumbered by a register), they might not think you were serving their interests well by designing legislative apparatus that would dovetail neatly with the non-existent fishfinger register, because it would rather tend to make it easier to create one.
>>Any traffic data that ISPs decided needed to be case-by-case retained
>>for e.g. QoS investigation could have been got through production
>>orders anyway.
>That's an old and somewhat cracked record.
Not from the perspective of 2000. It would have done rather nicely for what was supposed to be happening, but of course would have been inadequate for the purposes of the fishfingerati.
>>>As Margaret Thatcher might have said "There's no such thing as the Civil
>>>Society". Maybe we should start one.
>>
>>That's basically what FIPR was for, faute de mieux. Govt chooses which
>>trade/lobby groups they want inside the magic circle. ISTR that a year
>>or two earlier in the crypto wars, they excluded FIPR from a "Working
>>Group" because it would "lead to an uncontrollable agenda" (i.e. others
>>present might be persuaded).
>So if you made too many waves to enter the circle yourself, enter it by
>proxy. Which is exactly what you did.
This is why I get fed up with your disingenuous trolling in the manner of Owen (late of this parish as he would no doubt say). Your remark supposes that:
1) "making waves" is a good and sufficient cause not to listen to or even give a hearing to critical viewpoints
2) "enter it by proxy" - I did not enter any magic circle by proxy. Nobody official asked for my views at all (except over a drink in the Lords' bar *after* crucial amendments had just been decided). I'm not even suggesting they *should* have asked for *my* views particularly. What is objectionable is that the tramlines of policy are laid in secret, by officials who proved to be incompetent, influenced by technical volunteers from "industry" whose motives remain obscure, but evidently were selected for their complaisant views on policy.
Why is it you feel the need to pop up on every controversial thread, diffusing the sharp points of discussion, but recede into reticent nose-tapping and winking whenever challenged on your preposterous Panglossian para-history? What's it all about Roland?
>>>And when you have "sensitive personal data" having a specific meaning
>>>within the DPA, it's unhelpful when people apply the word "sensitive"
>>>outside that context (which has recently in a debate in Europe).
>>
>>I wonder which instance you are thinking of?
>http://informationweek.com/news/showArticle.jhtml?articleID=205916731
So there are two references to sensitive, the first is normal journalistic cluelessness, the second is interesting and susceptible of some Kremlinological interpretation. What's your point? Do you actually have a point Roland? Is this sustained hyperactive spinning of "move along, nothing to see here" some type of repressed guilt trip, or who do you hold a brief for these days?
--
Caspar Bowden