BBC News - 'Fresh proposals' planned over cyber-monitoring

Ian Mason ukcrypto at sourcetagged.ian.co.uk
Thu May 23 18:50:34 BST 2013


On May 22, 2013, at 11:12 PM, Peter Fairbrother wrote:

> On 22/05/13 18:24, Ian Mason wrote:
>>
>> On May 22, 2013, at 9:26 AM, Roland Perry wrote:
>>
>>> In article <519BFD2D.5070102 at zen.co.uk>, Peter Fairbrother
>>> <zenadsl6186 at zen.co.uk> writes
>
>

[snip]

> That's good and bad security - good because access would be broadly  
> limited to policemen who could enter the room, bad because there  
> would be no logging of who asked. For the "bad old days", it's not  
> that bad.

I'm not convinced that the 'bad old days' have gone away. I find  
little difference in the actual attitudes of coppers that I talk to  
socially nowadays to the ones I used to share curry and beer with back  
then.

>
> Limiting access to policemen, preferably at least sergeant level,  
> and logging of who asked, and why (with occasional for-real  
> checkups) is probably all that is needed for RDQs and electoral roll  
> enquiries. They are not really very intrusive.

The heaviest users of these will be enquiry officers - usually DCs and  
PCs. Bear in mind that nowadays there are many civilian staff inside  
police stations - largely invisible to the general public. These are  
not limited to obviously clerical roles (e.g. I've come across at  
least one civilian evidence/exhibits 'officer'). In the case in point  
I was present as a non-police civilian and had free access to the  
incident room in question for several weeks - often outside office  
hours when it was not in operational use.

Interestingly, the actual cases I have heard of where staff were  
disciplined/prosecuted for improper use of police records have often,  
possibly even primarily, been civilian staff and have often been to  
exactly the kinds of records we're discussing. They may be less  
intrusive but they are the ones that often have the most value outside  
of legitimate police work - i.e. are most likely to be abused for  
non-policing reasons.

>
> It's when they get into more intrusive matters, like phone and  
> internet logs, that more severe restrictions are warranted. The  
> intrusion is different, and more severe - so why not more severe  
> restrictions? Like a Court-issued warrant?
>
> That would cost for the Court time, but it would be balanced by not  
> needing to go through a SPOC for most enquiries.
>
> Might even end up cheaper - suppose Plod get a warrant, costs £800,   
> and get a list of 50 people the suspect called. If a SPOC RDQ  
> enquiry costs £20, a non-SPOC RDQ enquiry costs £2, and a SPOC log  
> enquiry costs £100, that's a saving of £200 overall (I have no idea  
> of the actual costs, but I hope the point is made).
>
>
> IMO, conflating RDQs and accesses to usage logs was one of the worst  
> aspects of RIPA (after enforced key reveals).
>
> Or maybe it was done to hide an enormous number of access log  
> requests.
>
>
> (Hmm - a while ago I called 999 about a fire, and the operator asked  
> if I was calling from <my address>, which I had not told her - do  
> they pay for that RDQ service? Is it different from investigative  
> RDQs? I can't imagine there is a SPOC involved for a 999 call.)
>


This has been SOP for quite a while now. There are no separate charges  
for this, they are bundled into the charges made to the emergency  
services for the basic provision of 999 services and charges made to  
telcos that don't run their own 999 operators. It's very different  
from investigative RDQs, the database of addresses is supplied to the  
999 operators and is automatically linked to any incoming call. The  
address is automatically passed to the emergency services with the  
call hand-off. I've only been involved at the very periphery of this -  
providing addresses for a database that was being passed up the line -  
so I can't comment on the access control arrangements at the 999  
operator end.

Investigative RDQs are explicit enquiries (one off and bulk) and are  
supposed to meet a minimum level of necessity before being made. I  
can't remember the exact wording used for the level of necessity and  
am too lazy to go and look it up. I can say, from experience, that  
what ought to be assessed on necessity often turns into an assessment  
of expedience once in the hands of the police. In marginal cases the  
assessment won't be 'is this necessary' but 'can we get away with it'.

This might seem a jaundiced view, but it's based on my personal  
observations of real police officers, on real operations that used  
exactly the kind of widespread surveillance and access to records that  
regularly concern us here. Make no mistake, the operations were  
necessary and legitimate but some of the individual things I saw  
happen weren't necessary or legitimate and some were even driven by  
idle curiosity - the latter meaning that I can tell you that the  
armoured car the prime minister is driven around in has the Ministry  
of Transport as its registered keeper. The fact that the prime  
minister's car's registration plate was within eyeball range of  
someone with access to a PNC terminal will suggest that I'm highly  
limited in telling you any specifics of the particular operation in  
question.

> -- Peter Fairbrother



