BBC News - 'Fresh proposals' planned over cyber-monitoring

Ben Liddicott ben at liddicott.com
Thu May 23 20:26:46 BST 2013


On 23/05/2013 15:31, Roland Perry wrote:
>
> Briefly, the issue is that when it's really important (for example an 
> estranged father rings his ex-wife to say he's committing suicide and 
> taking the children with him, now) then court orders are too slow.
>
> And if every request required the police and the telco to physically 
> attend court (which is likely to be some distance from the telco's HQ) 
> and then be required to respond to a non-urgent request in a week 
> rather than a month, then the costs would spiral out of control (for 
> all parties involved).
>

Well, that's a good summary of the argument, but not actually a good 
reason, and it's not actually what happens.

It's not what happens because the vast majority of such requests are for 
things which could perfectly well have waited to the next working day 
and been dealt with in bulk.

It's not a good reason firstly because there is no technical reason why 
a court order has to be slow. IANAL, but AFAIK a court order or warrant 
can be given by telephone, fax or email if need be - I don't believe 
there is any legal requirement for the judge to be in the same room as 
the petitioner - and if there is, why not just change that rule for 
emergencies?

Even if it was the case that court orders are too slow, there is no 
reason not to have a post-request review requirement like the US Federal 
FISA courts.

It is impossible to avoid the conclusion that the reason for removing 
review altogether (as opposed to having an emergency procedure plus a 
post-request review) is because the authorities intend to vastly expand 
the volume of such requests they make.


>> (Hmm - a while ago I called 999 about a fire, and the operator asked 
>> if I was calling from <my address>, which I had not told her - do 
>> they pay for that RDQ service? Is it different from investigative 
>> RDQs? I can't imagine there is a SPOC involved for a 999 call.)
>
> The emergency services are allowed to know where people are calling 
> from (including mobiles, which is why so many these days have GPS 
> because that's a USA requirement). Perhaps you'd rather wait for them 
> to get a court order??

Well the EU have recently mandated that from (2014 I think or maybe 
2016?) all new cars sold in the EU must have both GPS and mobile network 
connectivity so that in the event of an accident they can automatically 
summon the emergency services, just in case the occupants are unable to.

Of course to make a difference all of the following would have to be true:
a) the occupants are so badly injured that they are unable to summon help.
b) they are in too remote an area to encounter passers-by who can summon 
help
c) yet paradoxically they are close enough to urban centres that the 
emergency services can arrive before they die of their injuries.

It is obvious that while this could happen, it will occur at most a few 
times in any given year in the entire EU, and shave a fraction of a 
percentage point off the road accident death rate. And for this benefit 
we are about to give the authorities the ability to access a complete 
history of every journey we make, as soon as they decide that we need a 
firmware upgrade to, e.g. "better plan the transport system" or 
"implement a personal carbon ration", or whatever excuse they think they 
can slide past us. (cf. access to NHS data sicut nunc).

If it saves a single life it /isn't/ worth it.

If the police are able to persuade the telco that it is an emergency, 
then there is an exception in the DPA for that, and the telco will no 
doubt want to follow up as to the end result as part of their ISO27001 
controls. If they cannot persuade the telco, then *Yes* they should get 
a court order. If it is so urgent, then it is urgent enough to wake up a 
judge.

Cheers!
Ben