"Warrants authorising phone taps treble"

Roland Perry ukcrypto at chiark.greenend.org.uk
Mon, 4 Feb 2008 16:10:36 +0000


In article <2298D4476FA2F44591690E423F07C37B11F6E8817F@EA-EXMSG-C333.europe.corp.microsoft.com>, Caspar Bowden <casparb@microsoft.com> writes
>>From: ukcrypto-admin@chiark.greenend.org.uk 
>>[mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of Roland Perry
>...
>>The activity that Caspar is seeking to explore at the moment was long
>>after that summer 1999 consultation process,
>
>AFAIR there was nothing *publicly* known about the authorisation 
>mechanism, safeguards, and crucial legal definitions between June 1999 
>and the publication of RIPA on Feb 9th 2000.

Why would there be? The consultation in the summer of 1999 asked for 
people's input...

>The bland and brief analysis of responses (which Simon already quoted) 
>just said
>http://web.archive.org/web/20000302022700/http://www.homeoffice.gov.uk/oicd/iocresp.htm#Chapter%2010
>"there was an almost equally balanced split between those who welcomed 
>the inclusion of this aspect of communications in the IOCA regime and 
>those who felt that it should be left separate and in the Data 
>Protection Act regime. Various suggestions were made as to who should 
>authorise requests: internal to agency; at Secretary of State level; or 
>by a judge. Some CSPs felt that requests for communications data should 
>be more tightly controlled"

... which covered a range of opinions as might be expected.

What CSPs thought, in general, was (iirc, it was 7 years ago now):

o We need an end to DPA 29(3) [for the reasons Clive has given earlier]

o It would be good to have all public authorities brought under the same
    regime as we currently operate with the Police (SPoCs, training etc).

o It would be useful to have clarity over which persons in which
    agencies can make requests (currently anyone can try for anything),
    and also to pension off all the legacy powers.

The stage after consultation and publication of responses was normally 
the production of draft legislation.

>The consultation paper itself June 1999 said this:
>http://web.archive.org/web/20000817040911/www.homeoffice.gov.uk/oicd/interban.htm#Chapter%2010
>
><<<<<<Chapter 10: PROVISION OF COMMUNICATIONS DATA
>
>10.1 Because the analysis of communications data can provide much 
>information about the way in which people live their lives, this has 
>led to concerns that the level of intrusion into an individual's 
>privacy may be too great and that the ability of the law enforcement, 
>security and intelligence agencies to access this data should be regulated.

See my bullets above.

>10.2 The Government believes that there is a balance to be struck 
>between the privacy of the individual and the needs of society as a 
>whole to be protected from crime. It is right that the police have 
>access to communications data when necessary in order to prevent or 
>detect crime, but only where this level of intrusion is justified, 
>taking into account the lower level of intrusion that access to such 
>data brings

Lower than wiretapping.

>10.3 In recent years, advances in telecommunications have meant that 
>the amount of data held by communications service providers has 
>increased, making the information much more useful as an investigative 
>tool. But so has the potential for privacy infringements. Although 
>accessing a person's communications data is not as intrusive as 
>interception, it clearly still represents an interference with the 
>privacy of the individual. The Government therefore believes it is time 
>to put in place a statutory framework for authorising access to 
>communications data.

And as required by the HRA.

>10.4 The Government proposes to introduce a statutorily based framework 
>to regulate access to communications data by investigating bodies. This 
>will lay down the purposes for which an application for access to 
>communications data may be made, the minimum standards of information 
>which must be included within an application and the factors which must 
>be taken into account by the authorising official.

The RIPA forms.

>We also propose to introduce strict statutory requirements regarding 
>the handling, storage and retention of communications data. It is 
>intended that these measures will be laid out in detail in the publicly 
>available Code of Practice (see paragraph 7.16).

Not sure they meant "retention" in the ATCSA sense. But one of the 
practical issues is that even when data is disclosed to an investigator, 
the court usually requires a new copy as evidence if a prosecution 
arises, which means preserving it.

>10.5 The proposed purposes for which data access may be authorised are:
>
>    * for the prevention or detection of crime;
>    * for the apprehension or prosecution of offenders;
>    * in the interests of national security;
>    * for the purpose of safeguarding the economic well-being of the United Kingdom;
>    * for the urgent prevention of injury or damage to health; and
>    * for the assessment or collection of any tax or duty or of any imposition of a similar nature.

I don't think the "urgent prevention of injury or damage" aspect made it 
onto the face of the bill, but does lurk within the CoP. Again, one 
practical aspect is that (mainly for telephone CSPs) tracing the 
whereabouts of people who are in the process of (eg) committing suicide (and 
sometimes taking family members with them) often causes operational 
angst. This isn't entirely about bank robbers.

>10.6 Where a request has been properly authorised in accordance with 
>the arrangements outlined above, the communications service provider 
>will be required to provide the specified material within a reasonable 
>period.
>
>Safeguards
>
>10.7 The disclosure of data falls within the remit of the Data 
>Protection Act 1984 (soon to be replaced by the Data Protection Act 
>1998),

Which I think also ditched the "urgent prevention of injury or damage" 
aspect [I've never found out why]. So maybe that's why it didn't get 
onto the face of RIPA either.

>therefore the oversight and complaints mechanisms will continue to be 
>provided under this legislation.

That'll be people releasing data without the right RIPA paperwork, or 
making the wrong use of it afterwards. I realise there is widespread 
disbelief in the ability of TICO to police individual transgressions, 
but that's a horizontal complaint, not a vertical (comms data only) one.

Although the Interception Commissioner was also tasked with Comms Data 
(again, no need for the usual suspects to voice their misgivings).

>The Government welcomes comments on the proposals outlined in this 
>Chapter, particularly from Communication Service Providers and bodies 
>which make use of communications data.

And nowadays they might also remember to appeal specifically to Civil 
Society.
-- 
Roland Perry