The Data Retention (EC Directive) Regulations 2009
Zoe O'Connell
ukcrypto at chiark.greenend.org.uk
Fri, 13 Feb 2009 10:07:45 +0000

On 12/02/09 16:06, Roland Perry wrote:
>> There are two RIPA-related systems I'm aware of - one was the old
>> Police spreadsheets.
>
> But that scheme existed long before RIPA. There were transitional
> arrangements while RIPA was made fully operational.

I've only been directly involved in such matters since 2003, so
personally I was lucky enough not to have to wrap my head around DPA
requests to quite the same extent!

>> The other system is the newer web-based Home Office SPoC system,
>> which is very hard to get access to. I don't know if they track
>> service provider contacts but we've certainly had more misdirected
>> requests (sent to generic support or sales addresses, sometimes in
>> other parts of the group who don't know about the subject matter
>> anyway) since the police system stopped.
>
> There's a whole bunch of people whose job it is to make sure you
> aren't left out in the cold. I'm a bit disappointed you have been
> treated in this way.

There is no published phone number on the RIPA site, the Home Office
main switchboard have enormous difficulty finding a phone number for the
RIPA unit and when they do all you can do is leave a message with
someone which doesn't get actioned. Emails to the email address
published on the web site are ignored. Ultimately, the only way we were
able to get any response out of the Home Office was to reply to anyone
requesting information saying that we were unable to verify their
credentials due to lack of access to the SPoC list and asking them to
contact the Home Office to resolve the matter. Within 48 hours, we had
access to the SPoC data.

This was not an isolated incident - the Home Office had certainly been
aware of our existence for at least 7 months (and should have been for
significantly longer as we were listed on Police contact lists) as we
had attempted to raise queries regarding the authority of a particular
organization regarding an earlier s(22) request. In that case, we did
not receive a satisfactory answer to our queries nor did we gain access
to the SPoC list despite having asked for it more than once -
ultimately, that situation was resolved as it turned out the request was
asking for details of a resource that had never actually been used.
(Presumably some spoofing had taken place.)

Despite now having access to SPoC data and the Home Office having our
contact details, we have never been contacted in any subsequent
consultation (e.g. the Data Retention Directives) but have instead
learnt of them via the "usual sources", i.e. Malcolm Hutty at LINX,
mailing lists such as this and the perennial favorite, the Register.

We're not particularly big in the scheme of things but it really should
not be hard for the Home Office to send out emails to known contacts
informing them of any updates - if it were not for the fact that we are
LINX members and Malcolm does some excellent work then we would be cut
off almost entirely from these processes.

If there is indeed a group whose job it is to talk to service providers,
then at least as of 2008 they were not effective in dealing with smaller
providers for whatever reason. It's possible this problem - which can
easily be attributed to lack of resource - has been recognized and that
is part of the reasoning behind s(10). This is easy to believe upon
reading the impact assessment published by the Home Office
(http://publicaffairs.linx.net/public/uk/EUDRD/EUDRD-UK-impact-assessment.pdf)
as they talk about the excess burden compared to little benefit of
talking to smaller providers.