"Warrants authorising phone taps treble"

[Roland Perry]

In article 
<2298D4476FA2F44591690E423F07C37B11F6E87F40@EA-EXMSG-C333.europe.corp.mic
rosoft.com>, Caspar Bowden <casparb@microsoft.com> writes
>>>I think people forget that the idea of lumping together reverse DQ,
>>>traffic data, and location data into one catch-all category of comms
>>>data (under the same administrative self-authorisation framework) was
>>>one of the landgrabs of RIPA that was never properly scrutinised.
>
>>It was scrutinised at some length, hence the emergence of the separate
>>categories.
>
>A bunch of officials and industry insiders ruminating in secret isn't 
>really what most mean by scrutiny is it?

Perhaps we are talking at cross purposes. The scrutiny (in the 
parliamentary sense) was what happened during debates in the houses. You 
can't possibly mean that happened in secret.

I was talking about was the process of "looking at" traffic and 
subscriber data types so they could be divided into subsections that 
made sense, which would be workable in practice, and which could be 
expressed in parliamentary language.

>>> Why shouldn't traffic and location data be subject to prior judicial
>>>authorisation, as in most other countries?
>
>>The situation varies widely, with some investigators having access to
>>much more non-judicial access than RIPA allows. Trying to harmonise this
>>over Europe begs many questions about the different regimes in different
>>countries.
>
>That's just waffle. There are arguments about why admitting intercept 
>data is less problematic in inquisitorial systems, but that's 
>irrelevant to this question. Why shouldn't independent judges decide if 
>a given request is proportionate, in advance (with some bypass 
>procedure for emergencies).

We seem to be losing focus here. Are you now mainly arguing that 
intercepts should be agreed with a judge, not the Home Secretary?

If it's still about comms data, then the fact remains that dozens of 
agencies have powers to demand the disclosure of (other intrusive forms 
of) data without even a senior official being involved, let alone the 
infrastructure in RIPA, or a court.

>>>SpyBlog got this rather puzzling answer when he tried a FOIA on another
>>>matter http://www.spy.org.uk/foia/2006/01/interception_of_communication
>>>s.html.
>
>>Some confusion between the Commissioner and his 'Office' perhaps.
>
>Eh?

The reply seemed to be saying that the Commissioner was just a person, 
and therefore not an FOI "body", but the Commissioner's 'office' is 
clearly a bunch of people (he doesn't act on his own). So maybe the 
answer is to make an FOI request on his office, that might remove the 
objection at face value.

>>>Perhaps Simon can tell us whether the HO "collates this information
>>>centrally", and thus whether a FOIA to the Home Office might work. Of
>>>course if HO does NOT have that information, it's hard to see how they
>>>could properly formulate future policy and designations.
>
>>There seems to me to be an understandable reluctance to answer such
>>questions with "rough" figures that might be good enough for policy
>>formulation,
>
>Why not give exact figures? The IoCC gives a precise total, and there 
>aren't any "Birkett" reasons for withholding the breakdown in 
>categories.

I don't disagree that figures would be useful, just saying that if they 
aren't collected exactly, that doesn't rule out the ability to formulate 
policy. It's clearly easier to collect exact figures in the region of 
2,000 from one or two departments, than in the region of 250K from 
hundreds of departments.

>>but not precise enough to be inflicted upon journalists.
>>Would they be happy with figures like "7-10%", or would they use such a
>>degree of imprecision as another stick to beat people with?
>
>What are you talking about?

If the figures that were published were "guesstimates", I predict they 
would cause problems.

>>>They discussed concepts, and from a very early stage as well...
>>
>>ISTR raising the specific issue early and often in many different fora,
>>but always getting stonewalled on whether full URLs were sought or not.
>
>>That was probably because we were still working on what expressions like
>>"full urls" meant in practice. You may have assumed people knew at a
>>glance what it was they were being expected to have a view on. Not as
>>simple as that I'm afraid.
>
>No, I was typically blunt and specific, and spelled out the difference 
>it would make to capabilities for privacy intrusion, and how the 
>appallingly (deliberately?) vague wording in the published Bill could 
>mean a number of different things. If that was a genuine attempt at 
>drafting clarity, maybe it would have been easier with some specific 
>consultation (with explicit and genuine choices on offer over 
>authorisation mechanisms)

I don't believe there's any ambiguity as far as practitioners are 
concerned, between interception and between the three sorts of comms 
data. The only surprise I'm aware of is the ability of judges (who you 
generally approve of) apparently being able to intercept stored emails 
on servers without further ado.

The big step forward is recognising that there are separate categories 
with separate rules, when the regime that was being replaced had no such 
framework.

>>>(It's STILL a valid question wrt traffic data not covered by the DRD).
>
>>The big debate at the time (for data retention anyway) was the size of
>>the logs, which were mainly those incidental to the operation of web
>>caches. You may recall that the retention period was negotiated down to
>>3 days,
>
>Surely any such "negotiation" must have happened around ATCSA,

Which is why I said "for data retention".

>since at the time of RIPA and pre-ATCSA there was no statutory basis 
>whatsoever for any minimum retention period. Of course, cognoscenti 
>knew from the Gaspar document that LEAs were itching to have mandatory 
>retention.

They wanted ISPs to stop destroying evidence. Just two sides of the same 
coin, really.

>>as that was all that made sense given both the size, and the
>>operational requirements which had caused the logs to be kept at all.
>
>Namely? What were these operational requirements?

https://www.linx.net/good/bcp/privacy-bcp-v1_0.html#8

>Did any ISP go out business by NOT retaining any web caches, or IPs of 
>the associated customers?

Is "going out of business" the only valid test?

>>>So from that point of view there should have been no need to worry
>>>about drafting slash language, as the data it sought to catch shouldn't
>>>have existed at all.
>
>>>And it would have been more sensible to ignore the possibility that the
>>>data might exist in the future, and fail to introduce measures to cope
>>>with that? Surely not.
>
>Well, ministers gave assurances that they were not going to introduce 
>data retention, and then 9/11 happened and they changed their mind with 
>ATCSA Pt.11. If a minister gives assurances that they are not going to 
>setup a population register of fishfinger consumption (detailing every 
>breadcrumb), it seems otiose to spend a lot of time figuring out how 
>such a fishfinger register is going to be accessed in such excruciating 
>detail.

It has nothing to do with data retention. Are you really suggesting that 
this opportunity to express a greater degree of protection for the most 
intrusive forms of comms data should have been squandered? If so, why 
were you so active in a campaign to so express it?

>>>Any traffic data that ISPs decided needed to be case-by-case retained
>>>for e.g. QoS investigation could have been got through production
>>>orders anyway.
>
>>That's an old and somewhat cracked record.
>
>Not from the perspective of 2000. It would have done rather nicely for 
>what was supposed to be happening, but of course would have been 
>inadequate for the purposes of the fishfingerati.

Having once categorised the data, it's now much simpler to introduce an 
amendment to vary the degree of access. Although I think it's 
unrealistic to start making things harder for the police in the current 
climate.

>>>>As Margaret Thatcher might have said "There's no such thing as the Civil
>>>>Society". Maybe we should start one.
>>>
>>>That's basically what FIPR was for, faute de mieux. Govt chooses which
>>>trade/lobby groups they want inside the magic circle. ISTR that a year
>>>or two earlier in the crypto wars, they excluded FIPR from a "Working
>>>Group" because it would "lead to an uncontrollable agenda" (i.e. others
>>>present might be persuaded).
>
>>So if you made too many waves to enter the circle yourself, enter it by
>>proxy. Which is exactly what you did.
>
>This is why I get fed up with your disingenuous trolling

que? I though trolls started arguments, I'd be happy if this one 
concluded as soon as possible. Frankly I can't keep up with your 
words-per-minute.

>in the manner of Owen (late of this parish as he would no doubt say). 
>Your remark supposes that:
>
>1) "making waves" is a good and sufficient cause not to listen to or 
>even give a hearing to critical viewpoints

Human nature being what it is, megaphone politics is not always the most 
productive.

>2) "enter it by proxy" - I did not enter any magic circle by proxy. 
>Nobody official asked for my views at all (except over a drink in the 
>Lords' bar *after* crucial amendments had just been decided). I'm not 
>even suggesting they *should* have asked for *my* views particularly. 
>What is objectionable is that the tramlines of policy are laid in 
>secret, by officials who proved to be incompetent, influenced by 
>technical volunteers from "industry" whose motives remain obscure, but 
>evidently were selected for their complaisant views on policy.

We seem to have somewhat hit a nerve. Calm down old chap.

>Why is it you feel the need to pop up on every controversial thread, 
>diffusing the sharp points of discussion, but recede into reticent 
>nose-tapping and winking whenever challenged on your preposterous 
>Panglossian para-history? What's it all about Roland?

So that's why I didn't get a Christmas card from you his year?

>>>>And when you have "sensitive personal data" having a specific meaning
>>>>within the DPA, it's unhelpful when people apply the word "sensitive"
>>>>outside that context (which has recently in a debate in Europe).
>>>
>>>I wonder which instance you are thinking of?
>
>>http://informationweek.com/news/showArticle.jhtml?articleID=205916731
>
>So there are two references to sensitive, the first is normal 
>journalistic cluelessness, the second is interesting and susceptible of 
>some Kremlinological interpretation. What's your point.

People misusing the word "sensitive". Wasn't that obvious?

>Do you actually have a point Roland? Is this sustained hyperactive 
>spinning of "move along, nothing to see here" some type of repressed 
>guilt trip,

Maybe there isn't anything to see. There certainly aren't 1,000 
telephone taps a day, which was where we started this thread.

>or who do hold a brief for these days?

"The consumer" is the hat which fits best. That's why I don't like 
seeing false scare stories the press.
-- 
Roland Perry