From zenadsl6186 at zen.co.uk Thu Jul 10 15:07:56 2014
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Thu, 10 Jul 2014 15:07:56 +0100
Subject: Data retention directive "invalid"
In-Reply-To: <5343F53C.4090504@zen.co.uk>
References: <5343F53C.4090504@zen.co.uk>
Message-ID: <53BE9E3C.7010807@zen.co.uk>

On 08/04/14 14:10, Peter Fairbrother wrote:
> eg:
> http://www.reuters.com/article/2014/04/08/us-eu-data-ruling-idUSBREA370F02014040
[...]
> Would it be legal for an ISP to delete all its retained data today?

It seems the gubbmint thinks it would:

"Emergency phone and internet data laws to be passed"

http://www.bbc.co.uk/news/uk-politics-28237111

--
Peter Fairbrother

From tonynaggs at gmail.com Thu Jul 10 15:34:38 2014
From: tonynaggs at gmail.com (Tony Naggs)
Date: Thu, 10 Jul 2014 15:34:38 +0100
Subject: Data retention directive "invalid"
In-Reply-To: <53BE9E3C.7010807@zen.co.uk>
References: <5343F53C.4090504@zen.co.uk> <53BE9E3C.7010807@zen.co.uk>
Message-ID:

On 10 July 2014 15:07, Peter Fairbrother wrote:
>
> "Emergency phone and internet data laws to be passed"
>
> http://www.bbc.co.uk/news/uk-politics-28237111
>

Oh gawd, that is pretty mangled. E.g. Nick Robinson video 1/3 down the page, "there was no British law on this, in other words the security service and the police, the national crime agency were able to find out who you spoke to on your phone and when, who you emailed and when as a result of a European Directive".

It's like a scene from the Wizard of Oz: oh look at those wicked Europeans and their intrusive rules, don't look at the RIPA behind the curtain ...

From james at talkunafraid.co.uk Thu Jul 10 12:44:04 2014
From: james at talkunafraid.co.uk (James Harrison)
Date: Thu, 10 Jul 2014 12:44:04 +0100
Subject: DRIP
Message-ID: <53BE7C84.3080204@talkunafraid.co.uk>

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/328939/draft-drip-bill.pdf

... and the notes:
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/328940/draft-drip-notes.pdf

Thoughts so far? At first glance it looks like this gives the government a considerably wider remit in terms of what retention notices may require providers to retain.

--
Cheers, James

From tony.naggs at googlemail.com Thu Jul 10 14:32:28 2014
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Thu, 10 Jul 2014 14:32:28 +0100
Subject: UK Data Retention and Investigatory Powers Bill
Message-ID:

The government is pushing through this newly announced 'emergency' bill in the last week & a half of parliament before their summer break.

I appreciate police & intelligence services want to be able to request metadata from communications providers, but I'm not really clear why a law change is required for communications data to be held for 12 months. Probably most businesses will want to hold this data for a year in order to address billing disputes & such.

Draft bill is here:
https://www.gov.uk/government/publications/the-data-retention-and-investigatory-powers-bill

There's some news coverage here:
http://www.theguardian.com/world/2014/jul/10/surveillance-legislation-commons-support-critics-stitch-up
http://www.telegraph.co.uk/news/politics/10958366/Emergency-laws-to-monitor-phone-and-internet-records-to-stop-terrorists.html

And BBC Radio 4's World At One covered this:
http://www.bbc.co.uk/programmes/b048nlfn

Including David Davis MP (C, for Haltemprice & Howden) critiquing the proposal & calling for a warrant based process:
http://www.bbc.co.uk/programmes/p022kbnx

From richard at lamont.me.uk Thu Jul 10 14:03:23 2014
From: richard at lamont.me.uk (Richard Lamont)
Date: Thu, 10 Jul 2014 14:03:23 +0100
Subject: Draft Data Retention and Investigatory Powers Bill
Message-ID: <53BE8F1B.8070808@lamont.me.uk>

The government's 'emergency' bill can be found here:

https://www.gov.uk/government/publications/the-data-retention-and-investigatory-powers-bill

--
Richard Lamont

From zenadsl6186 at zen.co.uk Thu Jul 10 19:26:05 2014
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Thu, 10 Jul 2014 19:26:05 +0100
Subject: DRIP
In-Reply-To: <53BE7C84.3080204@talkunafraid.co.uk>
References: <53BE7C84.3080204@talkunafraid.co.uk>
Message-ID: <53BEDABD.6010000@zen.co.uk>

On 10/07/14 12:44, James Harrison wrote:
> https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/328939/draft-drip-bill.pdf
>
> ... and the notes:
> https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/328940/draft-drip-notes.pdf

Thanks for the links.

>
> Thoughts so far? At first glance it looks like this gives the government
> a considerably wider remit in terms of what retention notices may
> require providers to retain.
>

Yep, a bit of a landgrab.

_BUT_

*Note* that the only types of communications data to which Section 1 applies is "relevant" data, which is actually the same types of communications data which came under the previous regime, ie the types of data in the Schedule to the Data Retention (EC Directive) Regulations 2009 - so it doesn't directly affect any new types of data. See ss.2(3) (below) and

http://www.legislation.gov.uk/ukdsi/2009/9780111473894/schedule

However it does affect what can be done with that data.

In more detail:

[][][][][][][][][][][] Section 1

Subsections 1(1) and 1(2).

These subsections give the Secretary of State the power to issue Notices requiring a communication service provider to store "relevant" communications data.
There are no limitations (other than what the Secretary considers to be "necessary and proportionate") on the types of communication data which these Notices may cover, or how long [1] that data must be stored for.

There are some similar powers in existence, but they are far more limited. This is a very large expansion of existing powers.

[1] the 12 month maximum retention period to which a regulation may apply applies to regulations made under subsection 1(3) - but it does *not* apply to notices under subsection 1(1).

-----------------

Subsections 1(3) to 1(5) authorise the Secretary of State to make Regulations about the retention of "relevant" communication data.

However the *only* restriction on the Regulations he can make is a 12 month maximum period for which data is to be stored for under the Regulations - there are *no* other restrictions at all, not even the usual "necessary and proportionate".

This is an expansion of existing powers.

---------------------

Subsection 6 restricts the times when a communications provider may disclose data stored under the regulations or a notice to those circumstances outlined in RIPA chapter 2 or under a court order - but it also introduces yet another new power which allows the Secretary to make regulations, of any kind, under which disclosure may (or must) be made.

--------------

I'm not sure what subsection 1(7) is about, anyone?

(7) The Secretary of State may by regulations make provision, which corresponds to any provision made (or capable of being made) by virtue of subsection (4)(d) to (g) or (6), in relation to communications data which is retained by telecommunications service providers by virtue of a code of practice under section 102 of the Anti-terrorism, Crime and Security Act 2001.

---------------

[][][][][][][][][][][] Section 2

Subsection 2(1) contains some definitions. I haven't looked closely at them.
Subsection 2(2) distinguishes between unsuccessful call attempts and unconnected calls, but doesn't actually explain the difference.

Subsection 2(3) says that Section 1 only applies to types of comms data as in Schedule 1 of the Data Retention (EC Directive) Regulations 2009. I don't know why that's hidden away there rather than being in Section 1.

----------------------

[][][][][][][][][][][] Section 3

Section 3 is about trying to get around some EU Competencies issues by redefining the economic well-being of the UK as a matter of national security (which may not be in the jurisdiction of the ECtJ - but it is the ECtJ which decides whether or not it is in its jurisdiction).

[][][][][][][][][][][] Section 4

Is about extraterritoriality, I haven't read it in detail.

[][][][][][][][][][][] Section

Redefines "telecommunications service" in what seems to me to be a pretty insane way - as I read it, it includes my computer as I am typing this. Not when I send it, but while I am typing it.

It includes anyone who is creating something which may be transmitted, eg a television producer or a recording artist, or anyone who is using web creations software.

--
Peter Fairbrother

From lists at internetpolicyagency.com Thu Jul 10 21:10:31 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 10 Jul 2014 21:10:31 +0100
Subject: Data retention directive "invalid"
In-Reply-To:
References: <5343F53C.4090504@zen.co.uk> <53BE9E3C.7010807@zen.co.uk>
Message-ID:

In article , Tony Naggs writes
>> "Emergency phone and internet data laws to be passed"
>>
>> http://www.bbc.co.uk/news/uk-politics-28237111
>>
>Oh gawd, that is pretty mangled. E.g. Nick Robinson video 1/3 down the
>page, "there was no British law on this, in other words the security
>service and the police, the national crime agency were able to find out who
>you spoke to on your phone and when, who you emailed and when as a result
>of a European Directive".
>
>It's like a scene from the Wizard of Oz: oh look at those wicked Europeans
>and their intrusive rules, don't look at the RIPA behind the curtain ...

It's not quite as bad as that. RIPA is about disclosure[1]. If the data hasn't been retained there's nothing to disclose. That's why the Data Retention stuff was introduced.

[1] And potentially retention on a case by case basis, not blanket.
--
Roland Perry

From zenadsl6186 at zen.co.uk Thu Jul 10 23:29:53 2014
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Thu, 10 Jul 2014 23:29:53 +0100
Subject: Data retention directive "invalid"
In-Reply-To:
References: <5343F53C.4090504@zen.co.uk> <53BE9E3C.7010807@zen.co.uk>
Message-ID: <53BF13E1.8000709@zen.co.uk>

On 10/07/14 21:10, Roland Perry wrote:
> In article
> ,
> Tony Naggs writes
>>> "Emergency phone and internet data laws to be passed"
>>>
>>> http://www.bbc.co.uk/news/uk-politics-28237111
>>>
>> Oh gawd, that is pretty mangled. E.g. Nick Robinson video 1/3 down the
>> page, "there was no British law on this, in other words the security
>> service and the police, the national crime agency were able to find
>> out who
>> you spoke to on your phone and when, who you emailed and when as a result
>> of a European Directive".
>>
>> It's like a scene from the Wizard of Oz: oh look at those wicked
>> Europeans
>> and their intrusive rules, don't look at the RIPA behind the curtain ...
>
> It's not quite as bad as that. RIPA is about disclosure[1]. If the data
> hasn't been retained there's nothing to disclose. That's why the Data
> Retention stuff was introduced.

Actually, this is about disclosure too.

Subsection 1(6) allows the SoS to make regulations about disclosure, either MAY or MUST, with almost no restrictions.

>
> [1] And potentially retention on a case by case basis, not blanket.

I have little complaint about case-by-case retention (though I don't see the RIPA connection?)
- but I have been looking at

https://www.openrightsgroup.org/blog/2014/updates-on-emergency-data-retention-law?quip_approved=1#qcom18557

who say

"Legislation must comply with human rights judgements

What exactly is the point of human rights judgements if even the Liberal Democrats are prepared to ignore them? The CJEU have outlined very clearly what needs to happen before governments compel data to be retained. They say you cannot do it on a blanket basis, and someone independent, such as a regulator or a judge, must supervise police access. These fundamental points are missing from the emergency laws.

and studying the ECtJ judgement in terms of blanket retention."

I see two claims here, first that blanket retention is not allowed at all, and second that someone independent must supervise access, presumably on a per-case basis.

On the first claim, afaict the Court did not actually rule out blanket retention, though it did not rule out ruling it out (it didn't address that issue).

On the second claim there is this, from clause 62 of the judgement:

"Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions."

http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130de29d54fbc5c03411c896bf327f62b9890.e34KaxiLc3eQc40LaxqMbN4OaNyQe0?text=&docid=150642&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=448162

It certainly seems to *mandate* a judicial or otherwise independent layer between requests/demands from the Police etc and the ISPs.
I cannot see any legislation which does not contain such a layer as being in compliance with the judgement - and the present proposal, the DRIP bill, does not have any such layer.

Squaddy policemen may ask senior policemen to authorise their demands; but the person who authorises them should be someone independent; ie, not another policeman.

--
Peter Fairbrother

From lists at internetpolicyagency.com Thu Jul 10 21:14:13 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 10 Jul 2014 21:14:13 +0100
Subject: UK Data Retention and Investigatory Powers Bill
In-Reply-To:
References:
Message-ID:

In article , Tony Naggs writes
>I'm not really clear why a law change is required for communications
>data to be held for 12 months. Probably most businesses will want to
>hold this data for a year in order to address billing disputes & such

Very few ISPs produce itemised bills saying who you emailed and when, or listing which web pages you went to in order to use up your 1GB/month.
--
Roland Perry

From lists at internetpolicyagency.com Fri Jul 11 07:55:45 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 11 Jul 2014 07:55:45 +0100
Subject: Data retention directive "invalid"
In-Reply-To: <53BF13E1.8000709@zen.co.uk>
References: <5343F53C.4090504@zen.co.uk> <53BE9E3C.7010807@zen.co.uk> <53BF13E1.8000709@zen.co.uk>
Message-ID:

In article <53BF13E1.8000709 at zen.co.uk>, Peter Fairbrother writes
>>> Nick Robinson video 1/3 down the
>>> page, "there was no British law on this, in other words the security
>>> service and the police, the national crime agency were able to find
>>> out who
>>> you spoke to on your phone and when, who you emailed and when as a result
>>> of a European Directive".
>>>
>>> It's like a scene from the Wizard of Oz: oh look at those wicked
>>> Europeans
>>> and their intrusive rules, don't look at the RIPA behind the curtain ...
>>
>> It's not quite as bad as that. RIPA is about disclosure[1].
>> If the data
>> hasn't been retained there's nothing to disclose. That's why the Data
>> Retention stuff was introduced.
>
>Actually, this is about disclosure too.

I'm trying to unpick the roles of RIPA and the EU when it comes to mandating blanket retention. Nick Robinson is right that it [was] an EU Directive (and by implication not RIPA).

>Subsection 1(6) allows the SoS to make regulations about disclosure,
>either MAY or MUST, with almost no restrictions.
>
>> [1] And potentially retention on a case by case basis, not blanket.
>
>I have little complaint about case-by-case retention (though I don't
>see the RIPA connection?)

s22(4)(b), the "subsequently" is in effect mandating retention of data about the subject of the notice, when in the general case the CSP might not have been retaining it at all before the notice was served.

...
>second that someone independent must supervise access, presumably on a
>per-case basis.

...
>On the second claim there is this, from clause 62 of the judgement:
>
>"Above all, the access by the competent national authorities to the
>data retained is not made dependent on a prior review carried out by a
>court or by an independent administrative body whose decision seeks to
>limit access to the data and their use to what is strictly necessary
>for the purpose of attaining the objective pursued and which intervenes
>following a reasoned request of those authorities submitted within the
>framework of procedures of prevention, detection or criminal prosecutions."

Before RIPA one of the main ways that communications data was obtained related to various powers to demand evidence arising from a multitude [someone made a list and it was about 50] agency-specific Acts of Parliament.
Here's an example of one which is actually post-RIPA (which created a certain degree of tension over the principle that all telecomms data post-2000 should be gathered via RIPA, but I digress):

http://www.legislation.gov.uk/ukpga/2001/11/section/1

There was no common structure for either the authorisation regime of that multitude of requests, nor the way they were presented to CSPs. It was entirely possible to get something scribbled on the back of an envelope by a junior investigator, there was no regulatory oversight, and every CSP had to have a process in place to evaluate the credentials of each request including whether it was genuine or not, and there was no line in the sand that defined where an individual investigation ends and a fishing expedition starts.

To that extent RIPA was, for comms data, a huge improvement - because there were standardised codes of practice, request forms, levels of authority and levels of probable cause, plus lists of authorised public authorities with pre-identified contact points benefiting from mandatory training in law and technology, and auditing processes involving compulsory record keeping and a centrally appointed commissioner.

I know people can pick holes in each aspect, but taken as a whole it was a significant paradigm change.

One of the basic principles was also to keep the chain of custody of the product as short as possible, such that each separate public authority (and each police force is separate) was only able to process requests for its own investigative activity. The reason being to increase the accountability, but also to reduce the possibility of data going astray.

If there is to be an intermediate layer between the investigating authorities and CSPs it will have to work hard at not either adding to the "fog of war" [send three and sixpence], delaying urgent requests, nor be captured by one or other side of the table.

To emphasise, all of the above is about disclosure, and nothing at all to do with blanket retention (mandatory or otherwise).
--
Roland Perry

From Andrew.Cormack at ja.net Fri Jul 11 08:56:48 2014
From: Andrew.Cormack at ja.net (Andrew Cormack)
Date: Fri, 11 Jul 2014 07:56:48 +0000
Subject: UK Data Retention and Investigatory Powers Bill
In-Reply-To:
References:
Message-ID: <61E52F3A5532BE43B0211254F13883AEA4ADCFC3@EXC001>

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry
> Sent: 10 July 2014 21:14
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Re: UK Data Retention and Investigatory Powers Bill
>
> In article
> ,
> Tony Naggs writes
> >I'm not really clear why a law change is required for communications
> >data to be held for 12 months. Probably most businesses will want to
> >hold this data for a year in order to address billing disputes & such
>
> Very few ISPs produce itemised bills saying who you emailed and when,
> or
> listing which web pages you went to in order to use up your 1GB/month.
> --
> Roland Perry

And, as far as I can see, under the old regs, if the comms data wasn't related to the service you supplied then you couldn't be forced to collect/retain it. For example, an ISP that simply moved packets couldn't be required to 'retain' the comms data that happened to be contained in those of the packets that related to someone else's VoIP service:

Reg.3 These Regulations apply to communications data if, or to the extent that, the data are generated or processed in the United Kingdom by public communications providers in the process of supplying the communications services concerned.
[http://www.legislation.gov.uk/uksi/2009/859/regulation/3/made]

I can't see anything in DRIP that continues that limitation. Can anyone else?

Andrew
--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No.2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238

From lists at internetpolicyagency.com Fri Jul 11 09:57:45 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 11 Jul 2014 09:57:45 +0100
Subject: UK Data Retention and Investigatory Powers Bill
In-Reply-To: <61E52F3A5532BE43B0211254F13883AEA4ADCFC3@EXC001>
References: <61E52F3A5532BE43B0211254F13883AEA4ADCFC3@EXC001>
Message-ID:

In article <61E52F3A5532BE43B0211254F13883AEA4ADCFC3 at EXC001>, Andrew Cormack writes
>as far as I can see, under the old regs, if the comms data wasn't related to the service you supplied then you couldn't be forced to
>collect/retain it. For example, an ISP that simply moved packets couldn't be required to 'retain' the comms data that happened to be contained
>in those of the packets that related to someone else's VoIP service:
>
>Reg.3 These Regulations apply to communications data if, or to the extent that, the data are generated or processed in the United Kingdom by
>public communications providers in the process of supplying the communications services
>concerned.
>[http://www.legislation.gov.uk/uksi/2009/859/regulation/3/made]
>
>I can't see anything in DRIP that continues that limitation. Can anyone else?

perhaps page 3 line 4:

"<<relevant communications data>> means communications data of the kind mentioned in the Schedule to the 2009 Regulations so far as such data is generated or processed in the United Kingdom by public telecommunications operators in the process of supplying the telecommunications services concerned;"
--
Roland Perry

From Andrew.Cormack at ja.net Fri Jul 11 11:04:16 2014
From: Andrew.Cormack at ja.net (Andrew Cormack)
Date: Fri, 11 Jul 2014 10:04:16 +0000
Subject: UK Data Retention and Investigatory Powers Bill
In-Reply-To:
References: <61E52F3A5532BE43B0211254F13883AEA4ADCFC3@EXC001>
Message-ID: <61E52F3A5532BE43B0211254F13883AEA4ADD738@EXC001>

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry
> Sent: 11 July 2014 09:58
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Re: UK Data Retention and Investigatory Powers Bill
>
> In article <61E52F3A5532BE43B0211254F13883AEA4ADCFC3 at EXC001>, Andrew
> Cormack writes
> >as far as I can see, under the old regs, if the comms data wasn't
> related to the service you supplied then you couldn't be forced to
> >collect/retain it. For example, an ISP that simply moved packets
> couldn't be required to 'retain' the comms data that happened to be
> contained
> >in those of the packets that related to someone else's VoIP service:
> >
> >Reg.3 These Regulations apply to communications data if, or to the
> extent that, the data are generated or processed in the United Kingdom
> by
> >public communications providers in the process of supplying the
> communications services
> >concerned.
> >[http://www.legislation.gov.uk/uksi/2009/859/regulation/3/made]
> >
> >I can't see anything in DRIP that continues that limitation. Can
> anyone else?
>
> perhaps page 3 line 4:
>
> "<<relevant communications data>> means communications data of the kind
> mentioned in the Schedule to the 2009 Regulations so far as such data
> is generated or processed in the United Kingdom by public
> telecommunications operators in the process of supplying the
> telecommunications services concerned;"

Ah, thanks. Was hoping they'd copied it somewhere

Andrew

--
> Roland Perry

From igb at batten.eu.org Fri Jul 11 14:31:25 2014
From: igb at batten.eu.org (Ian Batten)
Date: Fri, 11 Jul 2014 14:31:25 +0100
Subject: UK Data Retention and Investigatory Powers Bill
In-Reply-To:
References:
Message-ID:

On 10 Jul 2014, at 21:14, Roland Perry wrote:

> In article , Tony Naggs writes
>> I'm not really clear why a law change is required for communications data to be held for 12 months. Probably most businesses will want to hold this data for a year in order to address billing disputes & such
>
> Very few ISPs produce itemised bills saying who you emailed and when, or listing which web pages you went to in order to use up your 1GB/month.

I still don't follow (either technically or legally) on what basis ISPs will be able to retain logs of which websites you visited.

I thought it was quite clear (and, indeed, that it was Roland who negotiated this with Simon Watkin, late of this parish) that "communications data" only covered the bit up to the first / in the URL, and that in any event that only arose when (as was much more common back then) the ISP had natural access to that data, such as when running an outbound cache (younger readers may like to ask their fathers).

I guess (conspiracy theory alert) that such logs might be generated out of the back of the Cameron-mandated content filters, but for people who are not opted in to those, on what basis would the ISP have the information?

And those that are opted in to them, if the ISP were to log the URLs without redacting them at the first /, wouldn't they still fall foul of the DPA because DRIP explicitly only provides cover for retaining RIPA S.21 metadata, and everything after the / is content?

ian

From lists at casparbowden.net Fri Jul 11 14:51:37 2014
From: lists at casparbowden.net (Caspar Bowden (lists))
Date: Fri, 11 Jul 2014 15:51:37 +0200
Subject: UK Data Retention and Investigatory Powers Bill
In-Reply-To:
References:
Message-ID: <53BFEBE9.9070701@casparbowden.net>

On 07/11/14 15:31, Ian Batten wrote:
> On 10 Jul 2014, at 21:14, Roland Perry wrote:
>
>> In article , Tony Naggs writes
>>> I'm not really clear why a law change is required for communications data to be held for 12 months. Probably most businesses will want to hold this data for a year in order to address billing disputes & such
>> Very few ISPs produce itemised bills saying who you emailed and when, or listing which web pages you went to in order to use up your 1GB/month.
> I still don't follow (either technically or legally) on what basis ISPs will be able to retain logs of which websites you visited.

Up until now, I think the 2003 Code of Practice on ATCSA Retention - it is still in force

DRIP 1(2)c now provides compulsion, of what was previously "voluntary"

> I thought it was quite clear (and, indeed, that it was Roland who negotiated this with Simon Watkin, late of this parish) that "communications data" only covered the bit up to the first / in the URL, and that in any event that only arose when (as was much more common back then) the ISP had natural access to that data, such as when running an outbound cache (younger readers may like to ask their fathers).

Most ISPs (esp mobile) have kit which will do this now, the only quibble is the rationale to switch it on.
The govt can also say any data is necessary for national security and disapply DPA Principles backed (only if challenged) by a DPA s.28 cert

> I guess (conspiracy theory alert) that such logs might be generated out of the back of the Cameron-mandated content filters, but for people who are not opted in to those, on what basis would the ISP have the information?

"Malware" or "cybersecurity" usually works.

> And those that are opted in to them, if the ISP were to log the URLs without redacting them at the first /, wouldn't they still fall foul of the DPA because DRIP explicitly only provides cover for retaining RIPA S.21 metadata, and everything after the / is content?

Yes. Art.29 WP did an "inspection" of a mobile and fixed ISP in 2 countries (not UK) circa 2009, and found gross overcollection, especially in mobile ISPs

Did they enforce? Did they ____

Apparently "enforcement" incompatible with "fact-finding" inquiry

CB

From zenadsl6186 at zen.co.uk Fri Jul 11 17:23:31 2014
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Fri, 11 Jul 2014 17:23:31 +0100
Subject: UK Data Retention and Investigatory Powers Bill
In-Reply-To: <53BFEBE9.9070701@casparbowden.net>
References: <53BFEBE9.9070701@casparbowden.net>
Message-ID: <53C00F83.8030608@zen.co.uk>

On 11/07/14 14:51, Caspar Bowden (lists) wrote:
> On 07/11/14 15:31, Ian Batten wrote:
>> On 10 Jul 2014, at 21:14, Roland Perry
>> wrote:
>>
>>> In article
>>> ,
>>> Tony Naggs writes
>>>> I'm not really clear why a law change is required for communications
>>>> data to be held for 12 months. Probably most businesses will want to
>>>> hold this data for a year in order to address billing disputes & such
>>> Very few ISPs produce itemised bills saying who you emailed and when,
>>> or listing which web pages you went to in order to use up your
>>> 1GB/month.
>> I still don't follow (either technically or legally) on what basis
>> ISPs will be able to retain logs of which websites you visited.
>
> Up until now, I think the 2003 Code of Practice on ATCSA Retention - it
> is still in force
>
> DRIP 1(2)c now provides compulsion, of what was previously "voluntary"

No. DRIP ss.1(2)c only applies to "relevant" comms data, defined in ss.2(1):

""relevant communications data" means communications data of the kind mentioned in the Schedule to the 2009 Regulations so far as such data is generated or processed in the United Kingdom by public telecommunications operators in the process of supplying the telecommunications services concerned;"

That does *NOT* include website logs. There is a list of the types of data to which DRIP applies here:

http://www.legislation.gov.uk/ukdsi/2009/9780111473894/schedule

and of course it is exactly the same list as was in force before the ECtJ judgement.

However, there are a couple of minor caveats: subsections 2(2) and perhaps 2(3) modify that definition, and I don't know what they actually mean - anyone?

However, a Notice given under DRIP ss.1(1) can demand that data is kept forever - there is no time limit on it.

Reading the notes, this may be due to incompetence rather than a power grab: the notes envisage that some future Regulations to be made under ss.1(3) will limit retention to 12 months. However such Regulations do not exist at present [the notes say a draft of the regs will be available during the bill's passage - anyone know a link for this please?], and they can't be brought into force until the next session of Parliament anyway.

Further, there is nothing in DRIP which says they have to make any Regulations at all, or that those Regulations must include a maximum period for all retentions - only that any maximum period they do contain must not exceed 12 months.

I think a small amendment to ss.1(5) might cure this oversight, and not be too objectionable to anyone - just put the maximum time limit in the Act rather than in the Regulations (it probably belongs there anyway).

I think the most egregious part (apart from the fact that overall the Bill does nothing whatsoever to comply with the sentiments behind the ECtJ judgement), and the part to get most upset about, may well be section 5.

The notes say "This clause inserts a new subsection into section 2 of RIPA. New section 2(8A) makes clear that the definition of “telecommunications service” includes companies who provide internet-based services, such as webmail."

But it goes a whole lot further than that:

5 Meaning of "telecommunications service"

In section 2 of the Regulation of Investigatory Powers Act 2000 (meaning of "interception" etc), after subsection (8) insert--

(8A) For the purposes of the definition of "telecommunications service" in subsection (1), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.

which as far as I can see *IS* a major landgrab - it includes whole swathes of things which weren't included before. Like web designers, for instance. Or internet reporters. And a Zillion more.

Again, it may be just incompetence rather than a deliberate landgrab; but as-is section 5 should most definitely not be included in the Act.
-- Peter Fairbrother From zenadsl6186 at zen.co.uk Fri Jul 11 18:27:11 2014 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Fri, 11 Jul 2014 18:27:11 +0100 Subject: Data retention directive "invalid" In-Reply-To: References: <5343F53C.4090504@zen.co.uk> <53BE9E3C.7010807@zen.co.uk> <53BF13E1.8000709@zen.co.uk> Message-ID: <53C01E6F.7020601@zen.co.uk> On 11/07/14 07:55, Roland Perry wrote: > Before RIPA one of the main ways that communications data was obtained > related to various powers to demand evidence arising from a multitude > [someone made a list and it was about 50] agency-specific Acts of > Parliament. Here's an example of one which is actually post-RIPA (which > created a certain degree of tension over the principle that all > telecomms data post-2000 should be gathered via RIPA, but I digress): > > http://www.legislation.gov.uk/ukpga/2001/11/section/1 > > There was no common structure for either the authorisation regime of > that multitude of requests, nor the way they were presented to CSPs. It > was entirely possible to get something scribbled on the back of an > envelope by a junior investigator, there was no regulatory oversight, > and every CSP had to have a process in place to evaluate the credentials > of each request including whether it was genuine or not, and there was > no line in the sand that defined where an individual investigation ends > and a fishing expedition starts. > > To that extent RIPA was, for comms data, a huge improvement - because > there were standardised codes of practice, request forms, levels of > authority and levels of probable cause, plus lists of authorised public > authorities with pre-identified contact points benefiting from mandatory > trained in law and technology, and auditing processes involving > compulsory record keeping and a centrally appointed commissioner. > > I know people can pick holes in each aspect, but taken as a whole it was > a significant paradigm change. 
> > One of the basic principles was also to keep the chain of custody of the > product as short as possible, such that each separate public authority > (and each police force is separate) was only able to process requests > for its own investigative activity. The reason being to increase the > accountability, but also to reduce the possibility of data going astray. > > If there is to be an intermediate layer between the investigating > authorities and CSPs it will have to work hard at not either adding to > the "fog of war" [send three and sixpence], delaying urgent requests, > nor be captured by one or other side of the table. > > To emphasise, all of the above is about disclosure, and nothing at all > to do with blanket retention (mandatory or otherwise). They are of course intimately linked - you can't disclose historic data you haven't retained. It is one of my bad habits to pick at Roland as an (ex?-)emissary of the de^H^H ISP industry, but I am not doing that here, I do not mean this next personally, and Roland, please take no offence. I am sure that the new regime gave a much-welcomed clarity as to what an ISP should or should not do in order to comply with the law, and to that extent I think it would have been welcomed whatever it contained - after all, it is not the business of the ISP industry to make moral or ethical judgements about what should be disclosed or retained. Except, in a way, it is. We use the ISPs as a layer between the rapacious policemen and data they are so greedy for. That's actual EU policy. We do not allow the police to store bulk comms data, the ISPs do that, and we expect the ISPs to ensure that they do not disclose data which they should not, or store data for longer than allowed. The ISPs are paid by their customers, and to that extent they are under some pressure to protect their customers' interests. However, in terms of retention and disclosure, they are also paid by the policemen - and therein lies a conflict of interest. 
Of course it's only an internal conflict of interest, so it becomes a "business decision". To which I note: The only part of the draft Bill which is in italics is: "1(4)g) the reimbursement by the Secretary of State (with or without conditions) of expenses incurred by public telecommunications operators in complying with relevant requirements or restrictions," -- Peter Fairbrother (somewhat tongue in cheek) From lists at internetpolicyagency.com Fri Jul 11 18:43:44 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 11 Jul 2014 18:43:44 +0100 Subject: UK Data Retention and Investigatory Powers Bill In-Reply-To: References: Message-ID: In article , Ian Batten writes >>> I'm not really clear why a law change is required for communications data to be held for 12 months. Probably most businesses will want to >>>hold this data for a year in order to address billing disputes & such >> >> Very few ISPs produce itemised bills saying who you emailed and when, or listing which web pages you went to in order to use up your >>1GB/month. > >I still don't follow (either technically or legally) on what basis ISPs will be able to retain logs of which websites you visited. That's what the UK Data Retention stuff does (various versions of, but not the Directive which doesn't address web browsing, only email; and some say as a result doesn't address webmail). > I thought it was quite clear (and, indeed, that it was Roland who negotiated this with Simon Watkin, late of this parish) that >"communications data" only covered the bit up to the first / in the URL, That's the disclosure part, in RIPA tailpiece of 21(6)(d). And what's in RIPA is only a proxy for "the first /", but the best proxy we could come up with in Parliamentary language. But I expect the CSP will probably be retaining the whole thing, ahead of only disclosed what's allowed, but CSPs are welcome to correct me. In other words not redacting the logs in real time. 
No disrespect to Simon, who was always a very reliable communications channel, but the negotiation was with ministers, and the idea was Caspar's. > and that in any event that only arose when (as was much more common back then) the ISP had natural access to that data, such as when running >an outbound cache (younger readers may like to ask their fathers). Yes, that's where the logs would originally have arisen, but only for very short periods of time. Not even the three/four days that law enforcement hoped for (to cover bad things happening over a long weekend). >I guess (conspiracy theory alert) that such logs might be generated out of the back of the Cameron-mandated content filters, but for people who >are not opted in to those, on what basis would the ISP have the information? >And those that are opted in to them, if the ISP were to log the URLs without redacting them at the first /, wouldn't they still fall foul of >the DPA because DRIP explicitly only provides cover for retaining RIPA S.21 metadata, and everything after the / is content? I'd need to study these points in greater detail before commenting (having been out of this arena for many years now). -- Roland Perry From igb at batten.eu.org Fri Jul 11 19:23:24 2014 From: igb at batten.eu.org (Ian Batten) Date: Fri, 11 Jul 2014 19:23:24 +0100 Subject: UK Data Retention and Investigatory Powers Bill In-Reply-To: References: Message-ID: On 11 Jul 2014, at 18:43, Roland Perry wrote: > > But I expect the CSP will probably be retaining the whole thing, ahead of only disclosed what's allowed, but CSPs are welcome to correct me. In other words not redacting the logs in real time. Where would that leave them from a data protection perspective? 
If a CSP is retaining data which would not be disclosable under RIPA S.21 (ie, isn't picked up by S.21(2)(b) "the conduct is in accordance with, or in pursuance of, the authorisation or requirement.") does DRIP provide them with cover against a claim that they are maintaining data unfairly in DPA terms? Surely, if the purpose of DRIP is to enable S.21 to work "properly" (for some value of properly which is a different debate), then it can only cover data which would be released subsequent to an S.22 request? ian From zenadsl6186 at zen.co.uk Fri Jul 11 20:01:20 2014 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Fri, 11 Jul 2014 20:01:20 +0100 Subject: UK Data Retention and Investigatory Powers Bill In-Reply-To: References: Message-ID: <53C03480.3090805@zen.co.uk> On 11/07/14 18:43, Roland Perry wrote: > In article , Ian > Batten writes >>>> I'm not really clear why a law change is required for communications >>>> data to be held for 12 months. Probably most businesses will want to >>>> hold this data for a year in order to address billing disputes & such >>> >>> Very few ISPs produce itemised bills saying who you emailed and when, >>> or listing which web pages you went to in order to use up your >>> 1GB/month. >> >> I still don't follow (either technically or legally) on what basis >> ISPs will be able to retain logs of which websites you visited. > > That's what the UK Data Retention stuff does Could you explain that please? -- Peter Fairbrother From lists at internetpolicyagency.com Fri Jul 11 21:20:26 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 11 Jul 2014 21:20:26 +0100 Subject: UK Data Retention and Investigatory Powers Bill In-Reply-To: <53C03480.3090805@zen.co.uk> References: <53C03480.3090805@zen.co.uk> Message-ID: In article <53C03480.3090805 at zen.co.uk>, Peter Fairbrother writes >>> I still don't follow (either technically or legally) on what basis >>> ISPs will be able to retain logs of which websites you visited. 
>> >> That's what the UK Data Retention stuff does > >Could you explain that please? 4 days retention was enabled by SI 2003/3175 and I've not seen anything which says that's not still in force (but as I said earlier, I no longer work in this area). -- Roland Perry From lists at internetpolicyagency.com Fri Jul 11 21:22:19 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 11 Jul 2014 21:22:19 +0100 Subject: UK Data Retention and Investigatory Powers Bill In-Reply-To: References: Message-ID: In article , Ian Batten writes >> But I expect the CSP will probably be retaining the whole thing, ahead >>of only disclosed what's allowed, but CSPs are welcome to correct me. >>In other words not redacting the logs in real time. > >Where would that leave them from a data protection perspective? You'd have to ask them, or the Home Office, or the ICO etc. -- Roland Perry From lists at internetpolicyagency.com Fri Jul 11 21:24:42 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 11 Jul 2014 21:24:42 +0100 Subject: Data retention directive "invalid" In-Reply-To: <53C01E6F.7020601@zen.co.uk> References: <5343F53C.4090504@zen.co.uk> <53BE9E3C.7010807@zen.co.uk> <53BF13E1.8000709@zen.co.uk> <53C01E6F.7020601@zen.co.uk> Message-ID: In article <53C01E6F.7020601 at zen.co.uk>, Peter Fairbrother writes > >It is one of my bad habits to pick at Roland as an (ex?-)emissary of >the ISP industry I relinquished that aspect of my career over ten years ago. 
-- Roland Perry From peter at pmsommer.com Sat Jul 12 15:06:28 2014 From: peter at pmsommer.com (Peter Sommer) Date: Sat, 12 Jul 2014 15:06:28 +0100 Subject: DRIP - UK Data Retention and Investigatory Powers Bill In-Reply-To: <53C00F83.8030608@zen.co.uk> References: <53BFEBE9.9070701@casparbowden.net> <53C00F83.8030608@zen.co.uk> Message-ID: <53C140E4.7040302@pmsommer.com> Very useful analysis in a blog by Graham Smith as "Cyberleagle": http://cyberleagle.blogspot.co.uk/2014/07/dissecting-emergency-data-retention-and.html Peter Sommer From zenadsl6186 at zen.co.uk Sat Jul 12 16:54:56 2014 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Sat, 12 Jul 2014 16:54:56 +0100 Subject: DRIP - UK Data Retention and Investigatory Powers Bill In-Reply-To: <53C140E4.7040302@pmsommer.com> References: <53BFEBE9.9070701@casparbowden.net> <53C00F83.8030608@zen.co.uk> <53C140E4.7040302@pmsommer.com> Message-ID: <53C15A50.6010903@zen.co.uk> On 12/07/14 15:06, Peter Sommer wrote: > > Very useful analysis in a blog by Graham Smith as "Cyberleagle": > > http://cyberleagle.blogspot.co.uk/2014/07/dissecting-emergency-data-retention-and.html > > > > Peter Sommer > Three points: first, I don't think he makes enough of the redefinition of "communications service" in clause 5 - which as far as I can see includes eg an advertising agency whose service includes creation and management of communications (advertisements) to be transmitted by a telecomms system: Or Google ads, for that matter. Or a web page designer. Or a million more people. I don't know whether that is deliberate power grab or just sloppy drafting - but it really cannot be allowed to stand. Second, ss.1(6)(b) gives the Secretary of State a new power to regulate disclosure of retained data in a manner entirely apart from RIPA. Now he already has some powers to regulate disclosure under RIPA and other legislation, so why does he need more? 
This is a new power, without the limitations in RIPA, and does not replace any power in the 2009 regulations. Third, under ss.1(7) and ss.1(4)(d) the Secretary of State can regulate data retained under the ATCSA regime, and how it can be disclosed, in any way he likes - without time limit, or limits as to who or when it may be disclosed. As far as I can tell, this would include weblogs - there do not seem to be any limitations as to types of data to be retained here, as it does not only cover "relevant" data. Again, a new power, not replacing an existing one which is to be removed. But apart from those points, I think Graham Smith's analysis is pretty good stuff. -- Peter Fairbrother From fjmd1a at gmail.com Sat Jul 12 17:17:25 2014 From: fjmd1a at gmail.com (Francis Davey) Date: Sat, 12 Jul 2014 17:17:25 +0100 Subject: DRIP - UK Data Retention and Investigatory Powers Bill In-Reply-To: <53C15A50.6010903@zen.co.uk> References: <53BFEBE9.9070701@casparbowden.net> <53C00F83.8030608@zen.co.uk> <53C140E4.7040302@pmsommer.com> <53C15A50.6010903@zen.co.uk> Message-ID: 2014-07-12 16:54 GMT+01:00 Peter Fairbrother : > > > I don't know whether that is deliberate power grab or just sloppy drafting > - but it really cannot be allowed to stand. > I discussed this with him. I think "sloppy drafting" is more likely in my experience of the way these things are put together in a rush. Obviously it could well be deliberate, but legislative drafting is an extremely poor quality exercise - one of the reasons why you need Parliamentary time. I am afraid I completely believe that this was all done at the last minute. I.e. that not only was nothing done since April but no-one was planning for the result in April - which many of us anticipated anyway. However, it is self-evident that DRIP does more than re-enact the 2009 regulations. Indeed if that was what they wanted to do, a few lines of statute would do the trick. 
There is therefore no excuse for the rush with the wording before Parliament right now. -- Francis Davey From lists at casparbowden.net Sat Jul 12 18:25:17 2014 From: lists at casparbowden.net (Caspar Bowden (lists)) Date: Sat, 12 Jul 2014 19:25:17 +0200 Subject: UK Data Retention and Investigatory Powers Bill In-Reply-To: <53C00F83.8030608@zen.co.uk> References: <53BFEBE9.9070701@casparbowden.net> <53C00F83.8030608@zen.co.uk> Message-ID: <53C16F7D.20802@casparbowden.net> On 07/11/14 18:23, Peter Fairbrother wrote: > On 11/07/14 14:51, Caspar Bowden (lists) wrote: >> On 07/11/14 15:31, Ian Batten wrote: >>> On 10 Jul 2014, at 21:14, Roland Perry >>> wrote: >>> >>>> In article >>>> , >>>> Tony Naggs writes >>>>> I'm not really clear why a law change is required for communications >>>>> data to be held for 12 months. Probably most businesses will want to >>>>> hold this data for a year in order to address billing disputes & such >>>> Very few ISPs produce itemised bills saying who you emailed and when, >>>> or listing which web pages you went to in order to use up your >>>> 1GB/month. >>> I still don't follow (either technically or legally) on what basis >>> ISPs will be able to retain logs of which websites you visited. >> >> Up until now, I think the 2003 Code of Practice on ATCSA Retention - it >> is still in force >> >> DRIP 1(2)c now provides compulsion, of what was previously "voluntary" > > No. DRIP ss.1(2)c only applies to "relevant" comms data, defined in > ss.2(1): Yes, I agree. 
I was suspicious the wording in DRIP wasn't nailed down, but having read the draft Regulation I don't think that is a viable loophole CB From zenadsl6186 at zen.co.uk Sat Jul 12 18:45:41 2014 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Sat, 12 Jul 2014 18:45:41 +0100 Subject: DRIP - UK Data Retention and Investigatory Powers Bill In-Reply-To: <53C15A50.6010903@zen.co.uk> References: <53BFEBE9.9070701@casparbowden.net> <53C00F83.8030608@zen.co.uk> <53C140E4.7040302@pmsommer.com> <53C15A50.6010903@zen.co.uk> Message-ID: <53C17445.2040802@zen.co.uk> On 12/07/14 16:54, Peter Fairbrother wrote: [...] > I don't think he makes enough of the redefinition > of "communications service" in clause 5 - which as far as I can see > includes eg an advertising agency whose service includes creation and > management of communications (advertisements) to be transmitted by a > telecomms system: > > Google ads, for that matter. > > Or a web page designer. Or mailing list archives. Can anyone think of any more ridiculous but (supposedly-)unintended things the clause (below) actually includes? (Apart from Facebook and Twitter and the like, obviously. And then there's the changes to extraterritoriality to consider ...) -- Peter Fairbrother 5 Meaning of "telecommunications service" In section 2 of the Regulation of Investigatory Powers Act 2000 (meaning of "interception" etc), after subsection (8) insert-- (8A) For the purposes of the definition of "telecommunications service" in subsection (1), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system. 
From zenadsl6186 at zen.co.uk Sat Jul 12 19:29:44 2014 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Sat, 12 Jul 2014 19:29:44 +0100 Subject: DRIP - UK Data Retention and Investigatory Powers Bill In-Reply-To: <53C17445.2040802@zen.co.uk> References: <53BFEBE9.9070701@casparbowden.net> <53C00F83.8030608@zen.co.uk> <53C140E4.7040302@pmsommer.com> <53C15A50.6010903@zen.co.uk> <53C17445.2040802@zen.co.uk> Message-ID: <53C17E98.6000709@zen.co.uk> On 12/07/14 18:45, Peter Fairbrother wrote: > On 12/07/14 16:54, Peter Fairbrother wrote: > [...] >> I don't think he makes enough of the redefinition >> of "communications service" in clause 5 - which as far as I can see >> includes eg an advertising agency whose service includes creation and >> management of communications (advertisements) to be transmitted by a >> telecomms system: >> >> Google ads, for that matter. >> >> Or a web page designer. > > Or mailing list archives. > > > > Can anyone think of any more ridiculous but (supposedly-)unintended > things the clause (below) actually includes? > > > (Apart from Facebook and Twitter and the like, obviously. And then > there's the changes to extraterritoriality to consider ...) And games sites which allow players to message each other. > > > > -- Peter Fairbrother > > > > > 5 Meaning of "telecommunications service" > In section 2 of the Regulation of Investigatory Powers Act 2000 (meaning > of "interception" etc), after subsection (8) insert-- > > (8A) For the purposes of the definition of "telecommunications service" > in subsection (1), the cases in which a service is to be taken to > consist in the provision of access to, and of facilities for making use > of, a telecommunication system include any case where a service consists > in or includes facilitating the creation, management or storage of > communications transmitted, or that may be transmitted, by means of such > a system. 
> > > > > From zenadsl6186 at zen.co.uk Sat Jul 12 20:32:07 2014 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Sat, 12 Jul 2014 20:32:07 +0100 Subject: DRIP - UK Data Retention and Investigatory Powers Bill In-Reply-To: References: <53BFEBE9.9070701@casparbowden.net> <53C00F83.8030608@zen.co.uk> <53C140E4.7040302@pmsommer.com> <53C15A50.6010903@zen.co.uk> Message-ID: <53C18D37.1010609@zen.co.uk> On 12/07/14 17:17, Francis Davey wrote: > > 2014-07-12 16:54 GMT+01:00 Peter Fairbrother >: > > > I don't know whether that is deliberate power grab or just sloppy > drafting - but it really cannot be allowed to stand. > > > I discussed this with him. I think "sloppy drafting" is more likely in > my experience of the way these things are put together in a rush. > Obviously it could well be deliberate, but legislative drafting is an > extremely poor quality exercise - one of the reasons why you need > Parliamentary time. I dunno - maybe they got the wording from an earlier attempt to, Oh, let's say, do deep packet inspection of the entire web - and didn't change it. The supposed justification (in the notes) for the change is to make plain that the revised definition includes webmail servers - but this is a fundamental change to RIPA, not just to the otherwise partly-limited DRIP, and apart from including webmail servers it includes all social media sites like Facebook, and almost all online games sites, and many many other services, which were never included (or thought to be included) before. I find it hard to believe that nobody realised that. > I am afraid I completely believe that this was all done at the last > minute. I.e. that not only was nothing done since April but no-one was > planning for the result in April - which many of us anticipated anyway. 
Yes, I can easily believe it was done in a bit of a hurry - but again, it was supposed to be done in such a way as to _ensure_ that it did nothing more, or as little more as possible, than replace the 2009 Regulations. Section/Clause 5 conspicuously does far far more than that. Did nobody notice? > However, it is self-evident that DRIP does more than re-enact the 2009 > regulations. Indeed if that was what they wanted to do, a few lines of > statute would do the trick. There is therefore no excuse for the rush > with the wording before Parliament right now. Agreed. To do that we would need to at least: Modify ss. 1(5) to apply the 12-month limit to all Notices and Regulations and Powers made under the Act. Delete ss.1(6)(b) Delete ss.1(7) Otherwise modify section 1 to comply with the above. Put the 2009 Regulations schedule in a schedule to the Act, and apply it universally, so that only data described in the schedule comes under DRIP. Modify ss.2(1) to the definitions in the 2009 Regulations. Delete ss.2(2) and 2(3). Delete ss.2(4)(c). Delete sections 3, 4 and 5 entirely. Or, perhaps most important of all, just delete section 5. AFAICT, that's the baddest bit, by a very very long way. I don't much care about the exact details of how and what, I just care that the job of the Police in accessing personal data from the internet is hard - otherwise they may make too much use of their legal power to do it. Also, if it's hard they will tend to only use it where necessary. 
-- Peter Fairbrother From igb at batten.eu.org Sat Jul 12 21:13:54 2014 From: igb at batten.eu.org (Ian Batten) Date: Sat, 12 Jul 2014 21:13:54 +0100 Subject: DRIP - UK Data Retention and Investigatory Powers Bill In-Reply-To: <53C17445.2040802@zen.co.uk> References: <53BFEBE9.9070701@casparbowden.net> <53C00F83.8030608@zen.co.uk> <53C140E4.7040302@pmsommer.com> <53C15A50.6010903@zen.co.uk> <53C17445.2040802@zen.co.uk> Message-ID: <1E28734C-9100-47BA-994A-C9D9DECC6390@batten.eu.org> On 12 Jul 2014, at 18:45, Peter Fairbrother wrote: > On 12/07/14 16:54, Peter Fairbrother wrote: > [...] >> I don't think he makes enough of the redefinition >> of "communications service" in clause 5 - which as far as I can see >> includes eg an advertising agency whose service includes creation and >> management of communications (advertisements) to be transmitted by a >> telecomms system: >> >> Google ads, for that matter. >> >> Or a web page designer. > > Or mailing list archives. > > > > Can anyone think of any more ridiculous but (supposedly-)unintended things the clause (below) actually includes? Iron Mountain, or other tape backup services? They're facilitating the management or storage of communications. ian > > > (Apart from Facebook and Twitter and the like, obviously. And then there's the changes to extraterritoriality to consider ...) > > > > -- Peter Fairbrother > > > > > 5 Meaning of "telecommunications service" > In section 2 of the Regulation of Investigatory Powers Act 2000 (meaning of "interception" etc), after subsection (8) insert-- > > (8A) For the purposes of the definition of "telecommunications service" in subsection (1), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system. 
> > > > From clive at davros.org Sun Jul 13 23:36:10 2014 From: clive at davros.org (Clive D.W. Feather) Date: Sun, 13 Jul 2014 23:36:10 +0100 Subject: Data retention directive "invalid" In-Reply-To: References: <5343F53C.4090504@zen.co.uk> <53BE9E3C.7010807@zen.co.uk> <53BF13E1.8000709@zen.co.uk> Message-ID: <20140713223610.GD43159@davros.org> Roland Perry said: > I'm trying to unpick the roles of RIPA and the EU when it comes to > mandating blanket retention. Nick Robinson is right that it [was] an EU > Directive (and by implication not RIPA). But you may recall that everyone was convinced it was a eurowash - the UK knew it would never get it through Parliament, so they got the Commission to propose it instead. > Before RIPA one of the main ways that communications data was obtained > related to various powers to demand evidence arising from a multitude > [someone made a list and it was about 50] agency-specific Acts of > Parliament. Here's an example of one which is actually post-RIPA (which > created a certain degree of tension over the principle that all > telecomms data post-2000 should be gathered via RIPA, but I digress): > > http://www.legislation.gov.uk/ukpga/2001/11/section/1 > > There was no common structure for either the authorisation regime of > that multitude of requests, nor the way they were presented to CSPs. It > was entirely possible to get something scribbled on the back of an > envelope by a junior investigator, there was no regulatory oversight, > and every CSP had to have a process in place to evaluate the credentials > of each request including whether it was genuine or not, and there was > no line in the sand that defined where an individual investigation ends > and a fishing expedition starts. 
> > To that extent RIPA was, for comms data, a huge improvement - because > there were standardised codes of practice, request forms, levels of > authority and levels of probable cause, plus lists of authorised public > authorities with pre-identified contact points benefiting from mandatory > trained in law and technology, and auditing processes involving > compulsory record keeping and a centrally appointed commissioner. > > I know people can pick holes in each aspect, but taken as a whole it was > a significant paradigm change. Indeed. In fact, there was a point when the Home Office were delaying introducing the RIPA scheme for some not-very-plausible reason, and I threatened (on ISPA's behalf) to organize a strike by ISPs. Certainly several ISPs stopped providing data to anyone except the police or who had a clear statutory power to demand (as opposed to request under DPA s.29) as a first step in putting the pressure on. > One of the basic principles was also to keep the chain of custody of the > product as short as possible, such that each separate public authority > (and each police force is separate) was only able to process requests > for its own investigative activity. What happened to that company setting itself up as an intermediary? Howard somebody, wasn't it? Formerly Energis or C&W, I think - he was based in Leeds. -- Clive D.W. Feather | If you lie to the compiler, Email: clive at davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646 From clive at davros.org Sun Jul 13 23:41:35 2014 From: clive at davros.org (Clive D.W. 
Feather) Date: Sun, 13 Jul 2014 23:41:35 +0100 Subject: Data retention directive "invalid" In-Reply-To: <53C01E6F.7020601@zen.co.uk> References: <5343F53C.4090504@zen.co.uk> <53BE9E3C.7010807@zen.co.uk> <53BF13E1.8000709@zen.co.uk> <53C01E6F.7020601@zen.co.uk> Message-ID: <20140713224135.GE43159@davros.org> Peter Fairbrother said: > I am sure that the new regime gave a much-welcomed clarity as to what an > ISP should or should not do in order to comply with the law, and to that > extent I think it would have been welcomed whatever it contained - after > all, it is not the business of the ISP industry to make moral or ethical > judgements about what should be disclosed or retained. > > Except, in a way, it is. > > We use the ISPs as a layer between the rapacious policemen and data they > are so greedy for. That's actual EU policy. > > We do not allow the police to store bulk comms data, the ISPs do that, > and we expect the ISPs to ensure that they do not disclose data which > they should not, or store data for longer than allowed. Agree. But "should" is defined in terms of "have the correct paperwork". One of the problems with the old scheme was that ISPs were expected to judge whether the police "needed" any particular piece of data in order to do their investigation (and if it turned out later that they didn't need it, in theory the ISP was liable for breach of data protection). There's no reasonable way an ISP can do that. Yes, ISPs should be checking the paperwork properly, and shouldn't be retaining data without a good reason (whether business or statutory), but they shouldn't be expected to second-guess the requesters. > The ISPs are paid by their customers, and to that extent they are under > some pressure to protect their customers' interests. However, in terms > of retention and disclosure, they are also paid by the policemen - and > therein lies a conflict of interest. Not really. 
Police requests are not a significant source of profit - the income is just to cover the costs, and in any case the number of requests is small compared with the business overall. I would be surprised if anyone, even BT, thought they could make enough profit from requests to pay for generating and storing stuff they didn't otherwise need to. > To which I note: The only part of the draft Bill which is in italics is: > > "1(4)g) the reimbursement by the Secretary of State (with or without > conditions) of expenses incurred by public telecommunications operators > in complying with relevant requirements or restrictions," I believe it's in italics because it's a public finance issue, and the Lords aren't allowed to alter those bits. -- Clive D.W. Feather | If you lie to the compiler, Email: clive at davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646 From peter at pmsommer.com Mon Jul 14 07:45:29 2014 From: peter at pmsommer.com (Peter Sommer) Date: Mon, 14 Jul 2014 07:45:29 +0100 Subject: Data retention directive "invalid" In-Reply-To: <20140713223610.GD43159@davros.org> References: <5343F53C.4090504@zen.co.uk> <53BE9E3C.7010807@zen.co.uk> <53BF13E1.8000709@zen.co.uk> <20140713223610.GD43159@davros.org> Message-ID: <53C37C89.8080007@pmsommer.com> On 13/07/2014 23:36, Clive D.W. Feather wrote: > What happened to that company setting itself up as an intermediary? Howard > somebody, wasn't it? Howard Lamb, now working for FACT Peter Sommer From clive at davros.org Mon Jul 14 08:41:08 2014 From: clive at davros.org (Clive D.W. 
Feather)
Date: Mon, 14 Jul 2014 08:41:08 +0100
Subject: Data retention directive "invalid"
In-Reply-To: <53C37C89.8080007@pmsommer.com>
References: <5343F53C.4090504@zen.co.uk> <53BE9E3C.7010807@zen.co.uk> <53BF13E1.8000709@zen.co.uk> <20140713223610.GD43159@davros.org> <53C37C89.8080007@pmsommer.com>
Message-ID: <20140714074108.GG43159@davros.org>

Peter Sommer said:
>> What happened to that company setting itself up as an intermediary? Howard
>> somebody, wasn't it?
> Howard Lamb, now working for FACT

That's him. Thanks.

--
Clive D.W. Feather | If you lie to the compiler,
Email: clive at davros.org | it will get its revenge.
Web: http://www.davros.org | - Henry Spencer
Mobile: +44 7973 377646

From lists at internetpolicyagency.com Mon Jul 14 10:22:01 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 14 Jul 2014 10:22:01 +0100
Subject: Data retention directive "invalid"
In-Reply-To: <20140713223610.GD43159@davros.org>
References: <5343F53C.4090504@zen.co.uk> <53BE9E3C.7010807@zen.co.uk> <53BF13E1.8000709@zen.co.uk> <20140713223610.GD43159@davros.org>
Message-ID:

In article <20140713223610.GD43159 at davros.org>, Clive D.W. Feather writes
>Roland Perry said:
>> I'm trying to unpick the roles of RIPA and the EU when it comes to
>> mandating blanket retention. Nick Robinson is right that it [was] an EU
>> Directive (and by implication not RIPA).
>
>But you may recall that everyone was convinced it was a eurowash - the UK
>knew it would never get it through Parliament, so they got the Commission
>to propose it instead.

I'm aware of those suggestions, however despite its pedigree it wasn't part of RIPA. Trying to keep the concepts of retention and disclosure separate is vital to a proper understanding of the situation.

>What happened to that company setting itself up as an intermediary? Howard
>somebody, wasn't it?

It was called Singlepoint (a play on 'SPOC' no doubt). Presumably not to be confused with a USA-based payroll company. I have no recollection of it trading.
--
Roland Perry

From bdm at fenrir.org.uk Mon Jul 14 14:39:49 2014
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Mon, 14 Jul 2014 14:39:49 +0100
Subject: Data retention directive "invalid"
In-Reply-To:
References: <5343F53C.4090504@zen.co.uk> <53BE9E3C.7010807@zen.co.uk> <53BF13E1.8000709@zen.co.uk> <53C01E6F.7020601@zen.co.uk>
Message-ID: <20140714143949.00000e1c@surtees.fenrir.org.uk>

On Fri, 11 Jul 2014 21:24:42 +0100
Roland Perry wrote:

> In article <53C01E6F.7020601 at zen.co.uk>, Peter Fairbrother
> writes
> >
> >It is one of my bad habits to pick at Roland as an (ex?-)emissary of
> >the ISP industry
>
> I relinquished that aspect of my career over ten years ago.

Give it another ten and people will start to forget about it...

--
Brian Morrison

From ajb44.geo at yahoo.com Tue Jul 15 00:01:33 2014
From: ajb44.geo at yahoo.com (Alex Burr)
Date: Mon, 14 Jul 2014 16:01:33 -0700
Subject: Data retention question
Message-ID: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com>

All, I hope this isn't a dumb question: I'm trying to figure out whether 'location data' in retained data includes location while a mobile device is not active in a call/text. I'm finding conflicting information, does anyone know precisely?

On the face of it, DRIP & the invalidated directive call for 'cell id at the start of a communication', which sounds like only when a call or text happens. This sounds like location when the phone is in standby is not logged (this is apparently the case by statute in the Netherlands, according to van Loenen [1, p100] However, the German politician Malte Spitz found that his mobile was being tracked every 10 minutes because of polling by an email client [2].

Does anyone know if this applies in the UK? So far all I've found is a slide set by a forensics company [3, slide 7] which says "Operators will in general only retain records relating to call activity • GPRS Data is frequently available, giving data without call activity • There are several exceptions including Home Location Register updates". My knowledge of mobile systems is a bit hazy but I'm guessing if 'Home Location Register' was logged then the location would be retained data even during standby. In summary, does anyone know if
a) location data is retained during standby in the UK?
b) location data is logged at a fine grain due to email polling in the UK?

Thanks,

Alex

[1] http://www.bastiaanvanloenen.nl/pubs/BVL_Locating%20mobile%20devices%202008.pdf
[2] http://www.zeit.de/digital/datenschutz/2011-03/data-protection-malte-spitz/seite-2
[3] http://www.slideshare.net/TheCellSiteExperts/cell-site-analysis-truths-myths

From zenadsl6186 at zen.co.uk Tue Jul 15 04:41:37 2014
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Tue, 15 Jul 2014 04:41:37 +0100
Subject: Data retention question
In-Reply-To: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com>
Message-ID: <53C4A2F1.8050605@zen.co.uk>

On 15/07/14 00:01, Alex Burr wrote:
> All, I hope this isn't a dumb question: I'm trying to figure out
> whether 'location data' in retained data includes location while a
> mobile device is not active in a call/text. I'm finding conflicting
> information, does anyone know precisely?
>
> On the face of it, DRIP & the invalidated directive call for 'cell id
> at the start of a communication', which sounds like only when a call
> or text happens.

I have no idea of the answers to your questions, but I'd like to point out that eg an email poll is a communication, of sorts at least - the device and the email server send each other information.

There isn't a definition of "communication" in either RIPA, the directive, or DRIP; certainly not one which limits the meaning to eg person-to-person communications like calls or texts.

-- Peter Fairbrother

(nor is the start or end of a communication anywhere defined; so what one person might think of as one communication might appear to another person as a series containing several communications)

This sounds like location when the phone is in
> standby is not logged (this is apparently the case by statute in the
> Netherlands, according to van Loenen [1, p100] However, the German
> politician Malte Spitz found that his mobile was being tracked every
> 10 minutes because of polling by an email client [2].
>
> Does anyone know if this applies in the UK? So far all I've found is
> a slide set by a forensics company [3, slide 7] which says
> "Operators will in general only retain records relating to call
> activity • GPRS Data is frequently available, giving data without
> call activity • There are several exceptions including Home Location
> Register updates". My knowledge of mobile systems is a bit hazy but
> I'm guessing if 'Home Location Register' was logged then the
> location would be retained data even during standby. In summary, does
> anyone know if a) location data is retained during standby in the
> UK? b) location data is logged at a fine grain due to email polling
> in the UK?
>
>
> Thanks,
>
> Alex
>
>
>
> [1]
> http://www.bastiaanvanloenen.nl/pubs/BVL_Locating%20mobile%20devices%202008.pdf
>
> [2]
> http://www.zeit.de/digital/datenschutz/2011-03/data-protection-malte-spitz/seite-2
>
> [3] http://www.slideshare.net/TheCellSiteExperts/cell-site-analysis-truths-myths
>
>

From ukcrypto at sourcetagged.ian.co.uk Tue Jul 15 15:37:23 2014
From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason)
Date: Tue, 15 Jul 2014 15:37:23 +0100
Subject: Data retention question
In-Reply-To: <53C4A2F1.8050605@zen.co.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C4A2F1.8050605@zen.co.uk>
Message-ID: <4DBCC45B-9655-441D-95D6-8210EB80D446@sourcetagged.ian.co.uk>

On 15 Jul 2014, at 04:41, Peter Fairbrother wrote:

> I have no idea of the answers to your questions, but I'd like to point out that eg an email poll is a communication, of sorts at least - the device and the email server send each other information.

I'd argue for a poll being part of the *protocol*, not a *communication* per se. By analogy with the physical postal service, it's a bit like Bert shouting to George across the post-room "Anything to go to Farmer Giles today?". Bert's uttering may, in the strictest sense, be communication but as part of the Post Office's job of transmitting communications between users it's mere internal protocol.

If one was to rely on this as *communication* then, coming back to the world of electronic communications, ARP packets would count as *communication* and suddenly every LAN in the country would suddenly come with a data retention requirement.
From zenadsl6186 at zen.co.uk Tue Jul 15 19:41:40 2014
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Tue, 15 Jul 2014 19:41:40 +0100
Subject: Data retention question
In-Reply-To: <4DBCC45B-9655-441D-95D6-8210EB80D446@sourcetagged.ian.co.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C4A2F1.8050605@zen.co.uk> <4DBCC45B-9655-441D-95D6-8210EB80D446@sourcetagged.ian.co.uk>
Message-ID: <53C575E4.7070704@zen.co.uk>

On 15/07/14 15:37, Ian Mason wrote:
>
> On 15 Jul 2014, at 04:41, Peter Fairbrother wrote:
>
>> I have no idea of the answers to your questions, but I'd like to
>> point out that eg an email poll is a communication, of sorts at
>> least - the device and the email server send each other
>> information.
>
> I'd argue for a poll being part of the *protocol*, not a
> *communication* per se. By analogy with the physical postal service,
> it's a bit like Bert shouting to George across the post-room
> "Anything to go to Farmer Giles today?". Bert's uttering may, in the
> strictest sense, be communication but as part of the Post Office's
> job of transmitting communications between users it's mere internal
> protocol.
>
> If one was to rely on this as *communication* then, coming back to
> the world of electronic communications, ARP packets would count as
> *communication* and

I agree that an email poll (or ARP packet, or cell tower registration) is part of a protocol - but it is very hard to argue that it is not, in itself, a communication as well. Certainly, there is little in RIPA or DRIP to support that.

> suddenly every LAN in the country would suddenly
> come with a data retention requirement.

No: that isn't a type of data which must be retained.

-- Peter Fairbrother

SCHEDULE

COMMUNICATIONS DATA TO BE RETAINED

PART 1
FIXED NETWORK TELEPHONY

Data necessary to trace and identify the source of a communication

1. (1) The calling telephone number.
(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the destination of a communication

2. (1) The telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred.
(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the date, time and duration of a communication

3. The date and time of the start and end of the call.

Data necessary to identify the type of communication

4. The telephone service used.

PART 2
MOBILE TELEPHONY

Data necessary to trace and identify the source of a communication

5. (1) The calling telephone number.
(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the destination of a communication

6. (1) The telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred.
(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the date, time and duration of a communication

7. The date and time of the start and end of the call.

Data necessary to identify the type of communication

8. The telephone service used.

Data necessary to identify users' communication equipment (or what purports to be their equipment)

9. (1) The International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) of the telephone from which a telephone call is made.
(2) The IMSI and the IMEI of the telephone dialled.
(3) In the case of pre-paid anonymous services, the date and time of the initial activation of the service and the cell ID from which the service was activated.

Data necessary to identify the location of mobile communication equipment

10. (1) The cell ID at the start of the communication.
(2) Data identifying the geographic location of cells by reference to their cell ID.

PART 3
INTERNET ACCESS, INTERNET E-MAIL OR INTERNET TELEPHONY

Data necessary to trace and identify the source of a communication

11. (1) The user ID allocated.
(2) The user ID and telephone number allocated to the communication entering the public telephone network.
(3) The name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.

Data necessary to identify the destination of a communication

12. (1) In the case of internet telephony, the user ID or telephone number of the intended recipient of the call.
(2) In the case of internet e-mail or internet telephony, the name and address of the subscriber or registered user and the user ID of the intended recipient of the communication.

Data necessary to identify the date, time and duration of a communication

13. (1) In the case of internet access -
(a) The date and time of the log-in to and log-off from the internet access service, based on a specified time zone,
(b) The IP address, whether dynamic or static, allocated by the internet access service provider to the communication, and
(c) The user ID of the subscriber or registered user of the internet access service.
(2) In the case of internet e-mail or internet telephony, the date and time of the log-in to and log-off from the internet e-mail or internet telephony service, based on a specified time zone.

Data necessary to identify the type of communication

14. In the case of internet e-mail or internet telephony, the internet service used.

Data necessary to identify users' communication equipment (or what purports to be their equipment)

15. (1) In the case of dial-up access, the calling telephone number.
From zenadsl6186 at zen.co.uk Tue Jul 15 21:03:48 2014
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Tue, 15 Jul 2014 21:03:48 +0100
Subject: Data retention question
In-Reply-To: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com>
Message-ID: <53C58924.8050304@zen.co.uk>

On 15/07/14 00:01, Alex Burr wrote:
> All, I hope this isn't a dumb question: I'm trying to figure out
> whether 'location data' in retained data includes location while a
> mobile device is not active in a call/text. I'm finding conflicting
> information, does anyone know precisely?
>
> On the face of it, DRIP & the invalidated directive call for 'cell id
> at the start of a communication', which sounds like only when a call
> or text happens. This sounds like location when the phone is in
> standby is not logged (this is apparently the case by statute in the
> Netherlands, according to van Loenen [1, p100] However, the German
> politician Malte Spitz found that his mobile was being tracked every
> 10 minutes because of polling by an email client [2].
>
> Does anyone know if this applies in the UK? So far all I've found is
> a slide set by a forensics company [3, slide 7] which says
> "Operators will in general only retain records relating to call
> activity • GPRS Data is frequently available, giving data without
> call activity • There are several exceptions including Home Location
> Register updates". My knowledge of mobile systems is a bit hazy but
> I'm guessing if 'Home Location Register' was logged then the
> location would be retained data even during standby. In summary, does
> anyone know if a) location data is retained during standby in the
> UK? b) location data is logged at a fine grain due to email polling
> in the UK?

A better answer - the sort of data you mention are not regularly collected in bulk in the UK.

The types of data which are regularly collected in bulk are fairly limited [1], and relate mostly to calls and texts. These are the same sorts of data as in the failed Data Retention Directive (no surprise, the Directive was mostly authored by the UK Home Office).

However if a medium-senior Policeman wants to, he can order a CSP to obtain and disclose "communications data", on a once-off or ongoing basis, using a Notice under RIPA ss.22(4).

This is supposed to be more a targeted power rather than a wholesale power, though limits on it, eg regarding duration of a Notice, numbers of people or devices involved, or types of communications affected, are pretty much non-existent.

For this purpose "communications data" is pretty widely defined [2], and would include email polling and even cell registration and handover data; they can, on a full-time basis, trace which cell a device on standby is in, if a medium-senior Policeman or similar has authorised it.

The extent to which this power is used is not publicly known - about half a million communications data Notices are issued per year, but these could cover everything from a single reverse telephone directory lookup to, potentially, a single order to trace all the devices of every Muslim (or every politician, or indeed every person in the entire World).

- Peter Fairbrother

[1] SCHEDULE

COMMUNICATIONS DATA TO BE RETAINED

PART 1
FIXED NETWORK TELEPHONY

Data necessary to trace and identify the source of a communication

1. (1) The calling telephone number.
(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the destination of a communication

2. (1) The telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred.
(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the date, time and duration of a communication

3. The date and time of the start and end of the call.

Data necessary to identify the type of communication

4. The telephone service used.

PART 2
MOBILE TELEPHONY

Data necessary to trace and identify the source of a communication

5. (1) The calling telephone number.
(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the destination of a communication

6. (1) The telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred.
(2) The name and address of the subscriber or registered user of any such telephone.

Data necessary to identify the date, time and duration of a communication

7. The date and time of the start and end of the call.

Data necessary to identify the type of communication

8. The telephone service used.

Data necessary to identify users' communication equipment (or what purports to be their equipment)

9. (1) The International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) of the telephone from which a telephone call is made.
(2) The IMSI and the IMEI of the telephone dialled.
(3) In the case of pre-paid anonymous services, the date and time of the initial activation of the service and the cell ID from which the service was activated.

Data necessary to identify the location of mobile communication equipment

10. (1) The cell ID at the start of the communication.
(2) Data identifying the geographic location of cells by reference to their cell ID.

PART 3
INTERNET ACCESS, INTERNET E-MAIL OR INTERNET TELEPHONY

Data necessary to trace and identify the source of a communication

11. (1) The user ID allocated.
(2) The user ID and telephone number allocated to the communication entering the public telephone network.
(3) The name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.

Data necessary to identify the destination of a communication

12. (1) In the case of internet telephony, the user ID or telephone number of the intended recipient of the call.
(2) In the case of internet e-mail or internet telephony, the name and address of the subscriber or registered user and the user ID of the intended recipient of the communication.

Data necessary to identify the date, time and duration of a communication

13. (1) In the case of internet access -
(a) The date and time of the log-in to and log-off from the internet access service, based on a specified time zone,
(b) The IP address, whether dynamic or static, allocated by the internet access service provider to the communication, and
(c) The user ID of the subscriber or registered user of the internet access service.
(2) In the case of internet e-mail or internet telephony, the date and time of the log-in to and log-off from the internet e-mail or internet telephony service, based on a specified time zone.

Data necessary to identify the type of communication

14. In the case of internet e-mail or internet telephony, the internet service used.

Data necessary to identify users' communication equipment (or what purports to be their equipment)

15. (1) In the case of dial-up access, the calling telephone number.
(2) In any other case, the digital subscriber line (DSL) or other end point of the originator of the communication.

[2] RIPA ss22(4):

(4) In this Chapter "communications data" means any of the following -
(a) any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted;
(b) any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person -
(i) of any postal service or telecommunications service; or
(ii) in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;
(c) any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service.

From g+ukcrypto at cobb.uk.net Tue Jul 15 21:28:54 2014
From: g+ukcrypto at cobb.uk.net (Graham Cobb)
Date: Tue, 15 Jul 2014 21:28:54 +0100
Subject: Data retention question
In-Reply-To: <53C58924.8050304@zen.co.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk>
Message-ID: <53C58F06.3000501@cobb.uk.net>

On 15/07/14 21:03, Peter Fairbrother wrote:
> A better answer - the sort of data you mention are not regularly
> collected in bulk in the UK. The types of data which are regularly
> collected in bulk are fairly limited [1], and relate mostly to calls and
> texts.

But for mobile phone calls, location (Cell ID) is on that list...

> [1] SCHEDULE
...
> Data necessary to identify the location of mobile communication equipment
>
> 10. (1) The cell ID at the start of the communication.

So, can we be sure that because location is NOT on that list for other types of communication, it is not collected or available for them?

So, if you are not being individually targeted, you can avoid having your location recorded by avoiding using voice calls (use texts and/or VoIP instead)?
From james at talkunafraid.co.uk Tue Jul 15 21:52:39 2014
From: james at talkunafraid.co.uk (James Harrison)
Date: Tue, 15 Jul 2014 21:52:39 +0100
Subject: Data retention question
In-Reply-To: <53C58F06.3000501@cobb.uk.net>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net>
Message-ID: <53C59497.3050408@talkunafraid.co.uk>

On 15/07/2014 21:28, Graham Cobb wrote:
> So, can we be sure that because location is NOT on that list for
> other types of communication, it is not collected or available for
> them?
>
> So, if you are not being individually targeted, you can avoid
> having your location recorded by avoiding using voice calls (use
> texts and/or VoIP instead)?
>

Given how fuzzily the government interprets the law as it stands (given their repeated and consistent claims that DRIP does not extend RIPA) I wouldn't want to make any assumptions other than "your location will always be recorded and made available to the government".

If you really want to remain anonymous/unlocated, use VoIP or simpler still, use a burner SIM paid for in cash.

IANAL, of course, but that'd be my assessment of this and other 'edge cases'.

--
Cheers,
James Harrison

From igb at batten.eu.org Tue Jul 15 22:01:39 2014
From: igb at batten.eu.org (Ian Batten)
Date: Tue, 15 Jul 2014 22:01:39 +0100
Subject: Data retention question
In-Reply-To: <53C59497.3050408@talkunafraid.co.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk>
Message-ID: <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org>

On 15 Jul 2014, at 21:52, James Harrison wrote:
>
> If you really want to remain anonymous/unlocated, use VoIP or simpler
> still, use a burner SIM paid for in cash.

I might be about to make a statement that will cause those under fifty to have a strange sense of unreality, but another possibility would be...

...steady now...

...brace yourselves...

...to not carry a mobile phone, or to turn it off when not using it.

ian

From james at talkunafraid.co.uk Tue Jul 15 22:07:04 2014
From: james at talkunafraid.co.uk (James Harrison)
Date: Tue, 15 Jul 2014 22:07:04 +0100
Subject: Data retention question
In-Reply-To: <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org>
Message-ID: <53C597F8.30103@talkunafraid.co.uk>

On 15/07/2014 22:01, Ian Batten wrote:
> I might be about to make a statement that will cause those under
> fifty to have a strange sense of unreality, but another possibility
> would be...
>
> ...steady now...
>
> ...brace yourselves...
>
> ...to not carry a mobile phone, or to turn it off when not using
> it.
>

Speaking as a person under fifty - I routinely switch off my phone. I also have a home-made copper enclosure in which it lives when switched off :-)

*adjusts tinfoil hat*

DRIP passed, either way. A whole 33 MPs against. Here's hoping the Lords do something.

--
Cheers,
James Harrison

From zenadsl6186 at zen.co.uk Tue Jul 15 23:33:00 2014
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Tue, 15 Jul 2014 23:33:00 +0100
Subject: Data retention question
In-Reply-To: <53C58F06.3000501@cobb.uk.net>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net>
Message-ID: <53C5AC1C.8010004@zen.co.uk>

On 15/07/14 21:28, Graham Cobb wrote:
> On 15/07/14 21:03, Peter Fairbrother wrote:
>> A better answer - the sort of data [mobile device location data when email polling]
>> you mention are not regularly
>> collected in bulk in the UK. The types of data which are regularly
>> collected in bulk are fairly limited [1], and relate mostly to calls and
>> texts.
>
> But for mobile phone calls, location (Cell ID) is on that list...
>> [1] SCHEDULE
> ...
>> Data necessary to identify the location of mobile communication equipment
>>
>> 10. (1) The cell ID at the start of the communication.

The part you quote comes under the heading "MOBILE TELEPHONY" - so I think for location data to be retained under DRIP it has to be mobile telephony of some kind, ie calls.

For internet access, internet email, or internet telephony, the data to be retained are different, and do not include location data.

These terms are not defined in strange ways, so they take on their everyday meanings. To most people, mobile internet is not mobile telephony - telephony means sound, and the telephone system.

What I meant was, in practice, I don't think cellphone companies actually do retain location data for email polling events under the Directive (or DRIP). Probably.

The email server should retain log-ins and log-outs - but those records would not include location data.

The cell service provider, in its role as internet service provider, should record log-ins and log-outs to the internet service as well; which might or might not include occasions when an email server was polled. But again, I don't think the data to be retained would include location data.

>
> So, can we be sure that because location is NOT on that list for other
> types of communication, it is not collected or available for them?

Even if we are not targeted, we cannot ever be *sure* that the data is not retained - it may be retained for other reasons, eg for purposes of the service provider, or under ATCSA (which is remarkably flexible as to what data may be retained), and probably under some other laws too.

> So, if you are not being individually targeted, you can avoid having
> your location recorded by avoiding using voice calls (use texts and/or
> VoIP instead?

Ah, possibly, though "mobile telephony" may just about include texts. Everyday meaning, remember?

However if you are using VoIP in the form of "internet telephony", then different rules apply; and perhaps location might not be recorded by the cell service provider when this is done using a mobile device.

If you use a vpn or even SSL, the cell service provider may not even know when you are using VoIP - or who you are calling - anyway ... but I wouldn't risk much on that.

An "internet telephony" service provider should of course record call data. But then, VoIP need not go through such a provider ..

-- Peter Fairbrother

From ew206 at cam.ac.uk Wed Jul 16 11:45:44 2014
From: ew206 at cam.ac.uk (Ellis Weinberger)
Date: Wed, 16 Jul 2014 11:45:44 +0100 (BST)
Subject: Turn off the mobile
In-Reply-To:
References:
Message-ID:

Ian Batten:
> ... steady now ... brace yourselves ... to not carry a mobile phone, or
> to turn it off when not using it. ...

Good point, well made. If you need to reach people, turn on the phone. If people need to reach you, they can phone your pager. The pager signal will reach you in places (in the UK) a mobile phone signal will never reach you.

--
Mr Ellis Weinberger
Pager: +44 (0)7659 599 845 ; Mobile: +44 (0)7870 755 792
ew206 at cam.ac.uk ; http://people.pwf.cam.ac.uk/ew206/

From bdm at fenrir.org.uk Wed Jul 16 13:11:36 2014
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Wed, 16 Jul 2014 13:11:36 +0100
Subject: Data retention question
In-Reply-To: <53C597F8.30103@talkunafraid.co.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk>
Message-ID: <20140716131136.00007438@surtees.fenrir.org.uk>

On Tue, 15 Jul 2014 22:07:04 +0100
James Harrison wrote:

> DRIP passed, either way. A whole 33 MPs against.

I saw some reports of a higher number, 45+...

--
Brian Morrison

From peter at pmsommer.com Wed Jul 16 13:19:00 2014
From: peter at pmsommer.com (Peter Sommer)
Date: Wed, 16 Jul 2014 13:19:00 +0100
Subject: Data retention question
In-Reply-To: <20140716131136.00007438@surtees.fenrir.org.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk>
Message-ID: <53C66DB4.5090504@pmsommer.com>

On 16/07/2014 13:11, Brian Morrison wrote:
> On Tue, 15 Jul 2014 22:07:04 +0100
> James Harrison wrote:
>
>> DRIP passed, either way. A whole 33 MPs against.
> I saw some reports of a higher number, 45+...
>

There were several votes - on the accelerated timetable, on individual clauses and amendments. What was interesting is that most of the time there were about 40-50 MPs on the benches in the House, yet the number of voters was 400 +

Peter Sommer

From james at talkunafraid.co.uk Wed Jul 16 13:20:43 2014
From: james at talkunafraid.co.uk (James Harrison)
Date: Wed, 16 Jul 2014 13:20:43 +0100
Subject: Data retention question
In-Reply-To: <20140716131136.00007438@surtees.fenrir.org.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk>
Message-ID: <53C66E1B.1020507@talkunafraid.co.uk>

On 16/07/14 13:11, Brian Morrison wrote:
> I saw some reports of a higher number, 45+...

49 opposed the timetable, 31 opposed the bill in its third reading. Both times wholly irrelevant as the ~500 other MPs popped down from their offices to vote, apparently.
Makes you wonder why we don't enforce attendance of the debate in all three readings + committee stage as a requirement before allowing voting on an issue. Any votes from people not in attendance at the debates are surely uninformed. Ho hum. There was me thinking we had a functional democracy for a moment :-( what really pissed me off was that the amendment to force the legislation to sunset in 6 months were rejected by a similar majority - clearly not emergency legislation, then... So now this thing is on its way through (Lords and Royal Assent pending but near-certain, I'd imagine), what are the real implications of the extraterritorial stuff? As a service operator who operates services outside the UK but which are available within the UK (eg, 99% of websites) can the UK government now demand that I retain data? Obviously unenforceable if I'm not based in the UK, but.. -- Cheers, James From bdm at fenrir.org.uk Wed Jul 16 13:37:45 2014 From: bdm at fenrir.org.uk (Brian Morrison) Date: Wed, 16 Jul 2014 13:37:45 +0100 Subject: Turn off the mobile In-Reply-To: References: Message-ID: <20140716133745.000052fe@surtees.fenrir.org.uk> On Wed, 16 Jul 2014 11:45:44 +0100 (BST) Ellis Weinberger wrote: > If people need to reach you, they can phone your pager. Do such services still exist? They do! I am quite surprised, but perhaps the paging networks are essentially unchanged from 25 years ago and no new equipment is being installed so these services can operate without expense exceeding revenue. 
-- Brian Morrison From lists at internetpolicyagency.com Wed Jul 16 14:47:54 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 16 Jul 2014 14:47:54 +0100 Subject: Data retention question In-Reply-To: <53C66DB4.5090504@pmsommer.com> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> Message-ID: In article <53C66DB4.5090504 at pmsommer.com>, Peter Sommer writes >What was interesting is that most of the time there were about 40-50 >MPs on the benches in the House, yet the number of voters was 400 + I was in a committee room regarding a completely different issue [listening to a response from the Chief Executive of the CPS to a report that's taken a couple of years to write], and the MP chairing the meeting excused herself to go and vote. And as always happens, didn't return. This happens all the time, it's not a criticism of the individual. Overall it might be much better if MPs who were "on site" (as strictly defined as you like, I was in the main Palace not even Portcullis House) were able to vote on such things without having to abandon whatever other important business they were involved in at the time. They do multitask, actually. This is also why people attempting to mock the Parliamentary system by posting photos of a handful of members in the chamber are attempting to leverage a falsehood. MPs can't be in several places at once, and hopping from meeting to another is simply par for the course. 
I would not have wanted the very long term meeting I was attending to have been less effective simply because the MPs present had been prevented from attending by very short term issues like DRIP, or relatively short term issues such as the committee stage of the Serious Crime Bill happening elsewhere yesterday afternoon. That's a road to no useful progress being made on anything. -- Roland Perry From fearghas at gmail.com Wed Jul 16 13:27:07 2014 From: fearghas at gmail.com (Fearghas McKay) Date: Wed, 16 Jul 2014 13:27:07 +0100 Subject: Turn off the mobile In-Reply-To: References: Message-ID: On 16 Jul 2014, at 11:45, Ellis Weinberger wrote: > Good point, well made. If you need to reach people, turn on the phone. If people need to reach you, they can phone your pager. The pager signal will reach you in places (in the UK) a mobile phone signal will never reach you. Has anyone tried getting a new pager recently? I am not convinced it is a deployable strategy :-( f From lists at internetpolicyagency.com Wed Jul 16 16:04:56 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 16 Jul 2014 16:04:56 +0100 Subject: Turn off the mobile In-Reply-To: References: Message-ID: <7jcHKeNYSpxTFAbe@perry.co.uk> In article , Fearghas McKay writes >> Good point, well made. If you need to reach people, turn on the phone. If people need to reach you, they can phone your pager. The pager >>signal will reach you in places (in the UK) a mobile phone signal will never reach you. > >Has anyone tried getting a new pager recently? I am not convinced it is a deployable strategy :-( The last pager network I had anything to do with withdrew its service almost fifteen years ago and gave all the remaining subscribers a free Orange PAYG phone. I was reminded of this when said phone turned up in a pile of old-tech stuff I reluctantly sent off to the tip a fortnight ago. 
Getting back on topic, one of the major "issues" when RIPA was originally being discussed is whether the police could easily get to see "old[1] pager messages" using things like search warrants, because they arguably weren't communications any more, protected by interception law, but just data sat on a computer somewhere. Enquiring minds might want to think about "old SMS messages". [1] ie delivered already. -- Roland Perry From bdm at fenrir.org.uk Wed Jul 16 18:41:57 2014 From: bdm at fenrir.org.uk (Brian Morrison) Date: Wed, 16 Jul 2014 18:41:57 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> Message-ID: <20140716184157.0000286b@surtees.fenrir.org.uk> On Wed, 16 Jul 2014 14:47:54 +0100 Roland Perry wrote: > This is also why people attempting to mock the Parliamentary system > by posting photos of a handful of members in the chamber are > attempting to leverage a falsehood. Except that in this case they had so little time to read the Bill that the extra time spent listening to the debate (spaf!) might well have focused their thoughts on what it was they were voting on. -- Brian Morrison From igb at batten.eu.org Wed Jul 16 19:34:00 2014 From: igb at batten.eu.org (Ian Batten) Date: Wed, 16 Jul 2014 19:34:00 +0100 Subject: Turn off the mobile In-Reply-To: References: Message-ID: <42DA1458-8CCC-4948-A629-C9CD6FC18BB3@batten.eu.org> On 16 Jul 2014, at 13:27, Fearghas McKay wrote: > > On 16 Jul 2014, at 11:45, Ellis Weinberger wrote: > >> Good point, well made. If you need to reach people, turn on the phone. If people need to reach you, they can phone your pager. 
The pager signal will reach you in places (in the UK) a mobile phone signal will never reach you. > > Has anyone tried getting a new pager recently? I am not convinced it is a deployable strategy :-( http://www.pagers.co.uk/shop/ doesn't look abandoned. ian From igb at batten.eu.org Wed Jul 16 19:37:23 2014 From: igb at batten.eu.org (Ian Batten) Date: Wed, 16 Jul 2014 19:37:23 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> Message-ID: <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> On 16 Jul 2014, at 14:47, Roland Perry wrote: > > This is also why people attempting to mock the Parliamentary system by posting photos of a handful of members in the chamber are attempting to leverage a falsehood. MPs can't be in several places at once, and hopping from meeting to another is simply par for the course. So what's the point of having the debate at all if the other 90% of the MPs are simply going to vote on party lines without listening to a word of what was said? 
ian From lists at internetpolicyagency.com Wed Jul 16 22:20:43 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 16 Jul 2014 22:20:43 +0100 Subject: Data retention question In-Reply-To: <20140716184157.0000286b@surtees.fenrir.org.uk> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <20140716184157.0000286b@surtees.fenrir.org.uk> Message-ID: <9ewWFFnryuxTFAps@perry.co.uk> In article <20140716184157.0000286b at surtees.fenrir.org.uk>, Brian Morrison writes >> This is also why people attempting to mock the Parliamentary system >> by posting photos of a handful of members in the chamber are >> attempting to leverage a falsehood. > >Except that in this case they had so little time to read the Bill that >the extra time spent listening to the debate (spaf!) might well have >focused their thoughts on what it was they were voting on. Not really, it's a very short bill and they've had several days. At the other meeting I was attending, people seems to have no problems assimilating a 20-page report in about ten minutes. 
-- Roland Perry From lists at internetpolicyagency.com Wed Jul 16 22:23:11 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 16 Jul 2014 22:23:11 +0100 Subject: Data retention question In-Reply-To: <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> Message-ID: In article <7FE96CB2-EE08-4791-9770-C079D607C25F at batten.eu.org>, Ian Batten writes >> This is also why people attempting to mock the Parliamentary system by posting photos of a handful of members in the chamber are attempting >>to leverage a falsehood. MPs can't be in several places at once, and hopping from meeting to another is simply par for the course. > >So what's the point of having the debate at all if the other 90% of the MPs are simply going to >vote on party lines without listening to a word of what was said? Because all the issues have been aired at length for some time. Not just since April but in the debates surrounding the 2012 comms data bill. -- Roland Perry From fearghas at gmail.com Wed Jul 16 22:35:08 2014 From: fearghas at gmail.com (Fearghas McKay) Date: Wed, 16 Jul 2014 22:35:08 +0100 Subject: Turn off the mobile In-Reply-To: <42DA1458-8CCC-4948-A629-C9CD6FC18BB3@batten.eu.org> References: <42DA1458-8CCC-4948-A629-C9CD6FC18BB3@batten.eu.org> Message-ID: <6BF6CD95-9A87-491A-9739-28A8CEE29969@gmail.com> On 16 Jul 2014, at 19:34, Ian Batten wrote: > http://www.pagers.co.uk/shop/ doesn't look abandoned. Agreed but try buying one and see how much information they give you in the buying process about costs, network availability etc. 
Oh and itemised billing is meant to be available but wasn't on the one I tried to buy. f From james at talkunafraid.co.uk Wed Jul 16 22:43:57 2014 From: james at talkunafraid.co.uk (James Harrison) Date: Wed, 16 Jul 2014 22:43:57 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> Message-ID: <53C6F21D.7050205@talkunafraid.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 16/07/2014 22:23, Roland Perry wrote: > > Because all the issues have been aired at length for some time. Not > just since April but in the debates surrounding the 2012 comms data > bill. So future debate is irrelevant and we should give up, they've made up their minds because the issue's been talked about enough? This specific bill must be fine as a result? Speaking as a young 'un, it's no fucking wonder, pardon the French, that we have apathy about the political system in this country. This whole thing has me thoroughly depressed and demotivated. 
- -- Cheers, James Harrison From igb at batten.eu.org Thu Jul 17 00:07:43 2014 From: igb at batten.eu.org (Ian Batten) Date: Thu, 17 Jul 2014 00:07:43 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> Message-ID: <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org> On 16 Jul 2014, at 22:23, Roland Perry wrote: > In article <7FE96CB2-EE08-4791-9770-C079D607C25F at batten.eu.org>, Ian Batten writes >>> This is also why people attempting to mock the Parliamentary system by posting photos of a handful of members in the chamber are attempting >>> to leverage a falsehood. MPs can't be in several places at once, and hopping from meeting to another is simply par for the course. 
>> >> So what's the point of having the debate at all if the other 90% of the MPs are simply going to >> vote on party lines without listening to a word of what was said? > > Because all the issues have been aired at length for some time. Not just since April but in the debates surrounding the 2012 comms data bill. And yet, as the photo-montage you are objecting to so accurately shows, when the issue is pay, suddenly MPs find themselves with a pressing need to be present in the chamber. It is, indeed, most odd: it's after all not as though the issues around pay for MPs hadn't been well exercised in the preceding days, is it? I am, I suspect, rather older than James, and usually am ready to defend MPs against the accusation that they are lobby fodder. Here, however, they appear to be lobby fodder. And as to the shadow home secretary's claim that her children know more about crypto policy than she does, I can only presume she also smugly tells people at dinner parties that she can't program her video recorder, as though that makes her more interesting. Why do MPs make out that utter ignorance of technology is something to be proud of? 
ian From brg at gladman.plus.com Wed Jul 16 23:03:46 2014 From: brg at gladman.plus.com (Brian Gladman) Date: Wed, 16 Jul 2014 23:03:46 +0100 Subject: Data retention question In-Reply-To: <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> Message-ID: <53C6F6C2.9080800@gladman.plus.com> On 16/07/2014 19:37, Ian Batten wrote: > > On 16 Jul 2014, at 14:47, Roland Perry wrote: > >> >> This is also why people attempting to mock the Parliamentary system by posting photos of a handful of members in the chamber are attempting to leverage a falsehood. MPs can't be in several places at once, and hopping from meeting to another is simply par for the course. > > So what's the point of having the debate at all if the other 90% of the MPs are simply going to > vote on party lines without listening to a word of what was said? I am 100% in agreement with you on this. So much of what Parliament does badly is done badly because MPs are simply acting as lobby fodder. Which is not what we are paying (or electing) them to do. 
Brian From lists at internetpolicyagency.com Thu Jul 17 08:10:46 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 17 Jul 2014 08:10:46 +0100 Subject: Data retention question In-Reply-To: <53C6F21D.7050205@talkunafraid.co.uk> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> Message-ID: <5U333wp2b3xTFAZL@perry.co.uk> In article <53C6F21D.7050205 at talkunafraid.co.uk>, James Harrison writes >> Because all the issues have been aired at length for some time. Not >> just since April but in the debates surrounding the 2012 comms data >> bill. > >So future debate is irrelevant and we should give up, they've made up >their minds because the issue's been talked about enough? This >specific bill must be fine as a result? Future debate is important, and the bill could be changed (either more or less stringent rules, obviously). But it doesn't have to be done as a spectator sport in the chamber, with MPs giving up the other work they were already booked to do that particular afternoon. -- Roland Perry From ew206 at cam.ac.uk Thu Jul 17 08:26:22 2014 From: ew206 at cam.ac.uk (Ellis Weinberger) Date: Thu, 17 Jul 2014 08:26:22 +0100 (BST) Subject: Turn off the mobile In-Reply-To: References: Message-ID: Fearghas McKay: > ... Has anyone tried getting a new pager recently? I am not convinced it > is a deployable strategy ... 
Vodafone: -- Mr Ellis Weinberger Pager: +44 (0)7659 599 845 ; Mobile: +44 (0)7870 755 792 ew206 at cam.ac.uk ; http://people.pwf.cam.ac.uk/ew206/ From lists at internetpolicyagency.com Thu Jul 17 08:33:59 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 17 Jul 2014 08:33:59 +0100 Subject: Data retention question In-Reply-To: <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org> Message-ID: In article <271DED10-0CBD-472D-8FA9-216749F76F60 at batten.eu.org>, Ian Batten writes > >On 16 Jul 2014, at 22:23, Roland Perry wrote: > >> In article <7FE96CB2-EE08-4791-9770-C079D607C25F at batten.eu.org>, Ian >>Batten writes >>>> This is also why people attempting to mock the Parliamentary system >>>>by posting photos of a handful of members in the chamber are >>>>attempting to leverage a falsehood. MPs can't be in several places >>>>at once, and hopping from meeting to another is simply par for the course. >>> >>> So what's the point of having the debate at all if the other 90% of >>>the MPs are simply going to >>> vote on party lines without listening to a word of what was said? >> >> Because all the issues have been aired at length for some time. Not >>just since April but in the debates surrounding the 2012 comms data >>bill. > >And yet, as the photo-montage you are objecting to so accurately shows, >when the issue is pay, suddenly MPs find themselves with a pressing >need to be present in the chamber. 
It is, indeed, most odd: it's after >all not as though the issues around pay for MPs hadn't been well >exercised in the preceding days, is it? I hadn't heard there was debate about pay - I don't follow the proceedings that closely. But it's not a very good example because everyone is interested in their pay, however not every MP can attend all sessions (literally, they happen simultaneously - there were six Select Committees sitting at the same time last Tuesday afternoon as well as numerous other meetings elsewhere than the chamber). >I am, I suspect, rather older than James, and usually am ready to >defend MPs against the accusation that they are lobby fodder. Here, >however, they appear to be lobby fodder. There's also the possibility that they've studied the issue and are in substantial agreement. >And as to the shadow home secretary's claim that her children know more >about crypto policy than she does, I can only presume she also smugly >tells people at dinner parties that she can't program her video >recorder, as though that makes her more interesting. Why do MPs make >out that utter ignorance of technology is something to be proud of? That's a rather different issue, and my approach to that is to actually contribute (educate, inform etc) at first hand regarding technology issues when I think it'll help. How many others here were available on-site on Tuesday (albeit I was there for a different workstream than Data Retention, and neither was it HS2 or Shale Gas, both of which I'm interested in). 
-- Roland Perry From Richard.Hopkins at bristol.ac.uk Thu Jul 17 09:06:29 2014 From: Richard.Hopkins at bristol.ac.uk (Richard Hopkins) Date: Thu, 17 Jul 2014 09:06:29 +0100 Subject: Turn off the mobile In-Reply-To: <6BF6CD95-9A87-491A-9739-28A8CEE29969@gmail.com> References: <42DA1458-8CCC-4948-A629-C9CD6FC18BB3@batten.eu.org> <6BF6CD95-9A87-491A-9739-28A8CEE29969@gmail.com> Message-ID: <6F5480B86417CADB529E7D97@IT001040.users.bris.ac.uk> --On 16 July 2014 22:35 +0100 Fearghas McKay wrote: > > On 16 Jul 2014, at 19:34, Ian Batten wrote: > >> http://www.pagers.co.uk/shop/ doesn't look abandoned. > > Agreed but try buying one and see how much information they give you in > the buying process about costs, network availability etc. Oh and itemised > billing is meant to be available but wasn't on the one I tried to buy. Langford Veterinary Services (closely affiliated with the University of Bristol): have recently installed a new pager system from Multitone Richard http://www.bris.ac.uk/infosec From lists at internetpolicyagency.com Thu Jul 17 09:16:25 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 17 Jul 2014 09:16:25 +0100 Subject: Turn off the mobile In-Reply-To: References: Message-ID: In article , Ellis Weinberger writes >> ... Has anyone tried getting a new pager recently? I am not convinced >>it is a deployable strategy ... > >Vodafone: That's a corporate product (HQ->workers); do we know it's available one-off to the public? 
-- Roland Perry From igb at batten.eu.org Thu Jul 17 10:38:31 2014 From: igb at batten.eu.org (Ian Batten) Date: Thu, 17 Jul 2014 10:38:31 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org> Message-ID: On 17 Jul 2014, at 08:33, Roland Perry wrote: > >> And as to the shadow home secretary's claim that her children know more about crypto policy than she does, I can only presume she also smugly tells people at dinner parties that she can't program her video recorder, as though that makes her more interesting. Why do MPs make out that utter ignorance of technology is something to be proud of? > > That's a rather different issue, and my approach to that is to actually contribute (educate, inform etc) at first hand regarding technology issues when I think it'll help. How many others here were available on-site on Tuesday I don't think it's as simple as checking yourself into Portcullis house and sitting in the atrium with a sign saying "Crypto how? Ask me now!" Perhaps we could all cluster on the wall outside with signs saying "Will do policy analysis for food". I'd be very happy to do educational work with MPs on crypto/intercept policy, and (in broad terms) I'd do it for free too. I don't get the slightest sense that they're interested. I was at an event with Julian Huppert a few weeks ago which Caspar was at as well. But he was there as a speaker, and a very good one at that, and I'm not sure that he learned much that he didn't already know. 
There doesn't seem to be a venue for subject matter experts to offer their knowledge to MPs in the large. You can correspond with your own MP, but if it's not something on their radar then it's not clear how you make input to other MPs. ian From igb at batten.eu.org Thu Jul 17 11:37:55 2014 From: igb at batten.eu.org (Ian Batten) Date: Thu, 17 Jul 2014 11:37:55 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org> Message-ID: <7E63D446-BEF7-42F3-AA14-7EAFF894F9CE@batten.eu.org> On 17 Jul 2014, at 10:38, Ian Batten wrote: > But he was there as a speaker, and > a very good one at that, and I'm not sure that he learned much that he didn't already know. By which I mean "he was already well-informed, so that he was present at a meeting of experts wasn't surprising". I realise it could be read rather differently... ian From wendyg at pelicancrossing.net Thu Jul 17 11:55:44 2014 From: wendyg at pelicancrossing.net (Wendy M. Grossman) Date: Thu, 17 Jul 2014 11:55:44 +0100 Subject: Turn off the mobile In-Reply-To: References: Message-ID: <53C7ABB0.4060507@pelicancrossing.net> On 07/17/2014 08:26, Ellis Weinberger wrote: > > Fearghas McKay: > >> ... Has anyone tried getting a new pager recently? I am not convinced >> it is a deployable strategy ... > > Vodafone: > I'm sorry, but I don't see how getting a pager and keeping the phone off, other than making your life more difficult, really has that much benefit. The pager still has to be locatable in order for you to get the page, right? So it can still be used to track you? 
Or is the point that no one can remotely turn on audio/video/etc? I have a mobile phone but keep the GPS, wifi, Bluetooth, and location services turned off unless I absolutely need to use them. wg -- www.pelicancrossing.net <-- all about me Twitter: @wendyg From g+ukcrypto at cobb.uk.net Thu Jul 17 12:04:16 2014 From: g+ukcrypto at cobb.uk.net (Graham Cobb) Date: Thu, 17 Jul 2014 12:04:16 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org> Message-ID: <53C7ADB0.5060804@cobb.uk.net> On 17/07/14 10:38, Ian Batten wrote: > There doesn't seem to be a venue for subject matter experts to offer their knowledge to MPs in the > large. You can correspond with your own MP, but if it's not something on their radar then it's > not clear how you make input to other MPs. The channels to MPs seem to be lobbyists, think tanks and party policy units. Unfortunately, those all choose their experts to match their existing views, rather than the other way round. The only way to educate MPs on crypto policy is to turn it into a major public issue -- in a similar way to global warming. Then they will at least be willing to be educated to the "sound bite" level -- we can't hope for better than that. From ew206 at cam.ac.uk Thu Jul 17 12:43:10 2014 From: ew206 at cam.ac.uk (Ellis Weinberger) Date: Thu, 17 Jul 2014 12:43:10 +0100 (BST) Subject: Turn off the mobile In-Reply-To: References: Message-ID: Roland Perry: > ... That's a corporate product (HQ -> workers); do we know it's > available one-off to the public? ... 
Yes, I have a personal contract with them.

Wendy M. Grossman:

> ... The pager still has to be locatable in order for you to get the page, right? So it can still be used to track you? ...

The pager company transmits across a region, or across the entire country, but the pager only needs to receive, and thus, in general, is harder to track.

--
Mr Ellis Weinberger
Pager: +44 (0)7659 599 845 ; Mobile: +44 (0)7870 755 792
ew206 at cam.ac.uk ; http://people.pwf.cam.ac.uk/ew206/

From igb at batten.eu.org Thu Jul 17 13:24:21 2014
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 17 Jul 2014 13:24:21 +0100
Subject: Turn off the mobile
In-Reply-To: <53C7ABB0.4060507@pelicancrossing.net>
References: <53C7ABB0.4060507@pelicancrossing.net>
Message-ID:

On 17 Jul 2014, at 11:55, Wendy M. Grossman wrote:

> The pager still has to be locatable in order for you to get the page, right?

No, old-style pagers are receive only. Each page is transmitted on all transmitters, once (or at most a few times), and if your pager receives it, good, if it doesn't, tough. That's why pagers can run for a month or more on a AA battery: they're just a simple receiver. If memory serves, the paging frequencies are adjacent to the 144MHz/2m and 432MHz/70cm amateur allocations. You're hardly going to manage two-way communication on the 2m band with a device the size of a packet of cigarettes with no external aerial and a single AA battery.

On the one hand, that makes paging pretty insecure: it's all broadcast in plaintext, and an appropriate radio would trivially pick up all pages (warning: might be illegal under the 1948 Wireless Telegraphy Act, consult a lawyer before firing up your GNU Radio hardware).
On the other hand, that means the devices themselves are essentially untrackable: you could at very close range possibly locate an individual device by faking a page addressed to it and then looking for TEMPEST emissions from the receiver as it responds to its coded address, but that doesn't seem a terribly practical or useful approach: in reality, any page wakes up all pagers.

ian

From bdm at fenrir.org.uk Thu Jul 17 13:37:04 2014
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Thu, 17 Jul 2014 13:37:04 +0100
Subject: Data retention question
In-Reply-To: <9ewWFFnryuxTFAps@perry.co.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <20140716184157.0000286b@surtees.fenrir.org.uk> <9ewWFFnryuxTFAps@perry.co.uk>
Message-ID: <20140717133704.00002838@surtees.fenrir.org.uk>

On Wed, 16 Jul 2014 22:20:43 +0100 Roland Perry wrote:

> In article <20140716184157.0000286b at surtees.fenrir.org.uk>, Brian Morrison writes
> >> This is also why people attempting to mock the Parliamentary system by posting photos of a handful of members in the chamber are attempting to leverage a falsehood.
> >
> >Except that in this case they had so little time to read the Bill that the extra time spent listening to the debate (spaf!) might well have focused their thoughts on what it was they were voting on.
>
> Not really, it's a very short bill and they've had several days.

Amazing that so few voted against then.
--
Brian Morrison

From bdm at fenrir.org.uk Thu Jul 17 13:39:57 2014
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Thu, 17 Jul 2014 13:39:57 +0100
Subject: Data retention question
In-Reply-To: <5U333wp2b3xTFAZL@perry.co.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk>
Message-ID: <20140717133957.0000794c@surtees.fenrir.org.uk>

On Thu, 17 Jul 2014 08:10:46 +0100 Roland Perry wrote:

> In article <53C6F21D.7050205 at talkunafraid.co.uk>, James Harrison writes
> >> Because all the issues have been aired at length for some time. Not just since April but in the debates surrounding the 2012 comms data bill.
> >
> >So future debate is irrelevant and we should give up, they've made up their minds because the issue's been talked about enough? This specific bill must be fine as a result?
>
> Future debate is important, and the bill could be changed (either more or less stringent rules, obviously). But it doesn't have to be done as a spectator sport in the chamber, with MPs giving up the other work they were already booked to do that particular afternoon.

It would be extremely sensible to make all the changes *before* the bloody thing gets its 3rd reading wouldn't it? This way we get bad law that may well not be revised or made to conform to the ECHR for some time, not to mention the Home Office's apparent desire to keep every citizen in a locked metal box.
--
Brian Morrison

From bdm at fenrir.org.uk Thu Jul 17 13:40:54 2014
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Thu, 17 Jul 2014 13:40:54 +0100
Subject: Data retention question
In-Reply-To: <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org>
Message-ID: <20140717134054.000075a2@surtees.fenrir.org.uk>

On Thu, 17 Jul 2014 00:07:43 +0100 Ian Batten wrote:

> I am, I suspect, rather older than James, and usually am ready to defend MPs against the accusation that they are lobby fodder. Here, however, they appear to be lobby fodder.

+1.

--
Brian Morrison

From bdm at fenrir.org.uk Thu Jul 17 13:45:35 2014
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Thu, 17 Jul 2014 13:45:35 +0100
Subject: Data retention question
In-Reply-To: <53C6F6C2.9080800@gladman.plus.com>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F6C2.9080800@gladman.plus.com>
Message-ID: <20140717134535.00007f8f@surtees.fenrir.org.uk>

On Wed, 16 Jul 2014 23:03:46 +0100 Brian Gladman wrote:

> Which is not what we are paying (or electing) them to do.
The only way to change this is for everyone to vote for independent candidates who are a) not controlled by a party and b) able to get enough help to campaign for election from people who are not party workers.

Sadly I don't see it happening any time soon unless people start to actually care about what their MP does and how they vote on various issues.

--
Brian Morrison

From igb at batten.eu.org Thu Jul 17 13:57:59 2014
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 17 Jul 2014 13:57:59 +0100
Subject: Data retention question
In-Reply-To: <20140717133704.00002838@surtees.fenrir.org.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <20140716184157.0000286b@surtees.fenrir.org.uk> <9ewWFFnryuxTFAps@perry.co.uk> <20140717133704.00002838@surtees.fenrir.org.uk>
Message-ID:

On 17 Jul 2014, at 13:37, Brian Morrison wrote:

> On Wed, 16 Jul 2014 22:20:43 +0100 Roland Perry wrote:
>
>> In article <20140716184157.0000286b at surtees.fenrir.org.uk>, Brian Morrison writes
>>>> This is also why people attempting to mock the Parliamentary system by posting photos of a handful of members in the chamber are attempting to leverage a falsehood.
>>>
>>> Except that in this case they had so little time to read the Bill that the extra time spent listening to the debate (spaf!) might well have focused their thoughts on what it was they were voting on.
>>
>> Not really, it's a very short bill and they've had several days.
>
> Amazing that so few voted against then.

They don't want to be thought to be soft on terror, or soft on child abuse, or something.

Here's my theory on terrorism. There are two sorts of terrorists.
There are tossers who fantasise about blowing up their political enemies (let's, for the purpose at hand, say "undergraduate Trots of the 1980s fantasising about killing Thatcher"). They don't have access to any munitions, they wouldn't know what to do with those munitions if they were delivered to them on a plate, they don't know where their target is, they have no viable plan to fix any of these problems and in any event, their discussion is mere bravado.

Then there's Patrick McGee, an experienced and competent bomb maker able to obtain travel plans for Thatcher, construct a viable weapon that is difficult to detect, equip it with an effective trigger with an appropriate delay, obtain documents that allow him to visit the room a month in advance, install the weapon without being detected and get away with it when the large explosion almost achieves its aim.

Intercept (etc) appears very good at catching the first category. They have no operational security, because they're tossers, but they can be arrested these days on the basis of thinking bad thoughts and trumpeted as a triumph of modern policing. Intercept appears almost completely useless at catching the second category, who are rare, clever and extremely dangerous. McGee got a PhD while in jail.

Yes, it's not as simple as this polar split, and in reality there's a continuum. There might, possibly, be a tiny overlap between "competent and resourced enough to present a real risk" and "stupid enough to get caught talking about it on Facebook". But all the people who have so far been arrested for terrorist offences have been pretty much in the first category, and luckily the genuinely competent are thin on the ground and (as compared to the very effective IRA) rather keen on getting killed in the process, which limits their ability to learn from their mistakes.

The same appears to apply, mutatis mutandis, to the other horsemen of the modern apocalypse.
It seems quite easy to arrest people for downloading child porn, and in the sense that they create a market for hideous abuse quite right too. On the other hand, it seems a great deal harder to actually arrest people for actually abusing children, because presumably they're aware enough of how seriously their crime is treated to take some operational precautions. I'm not for a second minimising the issue of child pornography, but beyond the creating a market argument I suspect that the vast majority of those arrested as part of network-based child pornography operations present little actual threat.

In both cases, it's easier to arrest rather pathetic individuals who present little physical risk, but fantasise about being harder than they actually are, than it is to find and arrest the genuinely dangerous who present a real risk. So long as the distinction isn't made, law enforcement can claim to be waging an effective war on bad stuff, using a vital crime fighting tool, when in fact they're using a weapon mostly effective against idiots to arrest idiots.

ian

From bdm at fenrir.org.uk Thu Jul 17 14:06:47 2014
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Thu, 17 Jul 2014 14:06:47 +0100
Subject: Turn off the mobile
In-Reply-To:
References: <53C7ABB0.4060507@pelicancrossing.net>
Message-ID: <20140717140647.00004a00@surtees.fenrir.org.uk>

On Thu, 17 Jul 2014 13:24:21 +0100 Ian Batten wrote:

> in reality, any page wakes up all pagers.

If it uses POCSAG (now very old) it doesn't because pages are batched and the order they are transmitted puts them into time slots. An individual pager only listens during its slot, if you don't do this it makes the battery life awful.

There was a later European pager standard that may not have done it the same way, but it came about when cellular stuff was on its exponential increase and hence may not have been widely deployed.
--
Brian Morrison

From bdm at fenrir.org.uk Thu Jul 17 14:07:31 2014
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Thu, 17 Jul 2014 14:07:31 +0100
Subject: Turn off the mobile
In-Reply-To:
References:
Message-ID: <20140717140731.00003cfa@surtees.fenrir.org.uk>

On Thu, 17 Jul 2014 12:43:10 +0100 (BST) Ellis Weinberger wrote:

> The pager company transmits across a region, or across the entire country, but the pager only needs to receive, and thus, in general, is harder to track.

Until you turn your mobile on after being paged...

--
Brian Morrison

From lists at internetpolicyagency.com Thu Jul 17 16:44:41 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 17 Jul 2014 16:44:41 +0100
Subject: Data retention question
In-Reply-To: <20140717133957.0000794c@surtees.fenrir.org.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk>
Message-ID: <$kQ2LxPp9+xTFALd@perry.co.uk>

In article <20140717133957.0000794c at surtees.fenrir.org.uk>, Brian Morrison writes

>It would be extremely sensible to make all the changes *before* the bloody thing gets its 3rd reading wouldn't it?

Who is making the changes, and why is the 3rd reading too late? Many of the important changes to RIPA were made at the very last opportunity; such seems to be the way things are done.
--
Roland Perry

From ukcrypto at sourcetagged.ian.co.uk Thu Jul 17 16:48:35 2014
From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason)
Date: Thu, 17 Jul 2014 16:48:35 +0100
Subject: Turn off the mobile
In-Reply-To:
References: <53C7ABB0.4060507@pelicancrossing.net>
Message-ID:

On 17 Jul 2014, at 13:24, Ian Batten wrote:

> You're hardly going to manage two-way communication on the 2m band with a device the size of a packet of cigarettes with no external aerial and a single AA battery.

Actually, that's not far off from a description of the current crop of handheld 2m/70cm transceivers. Substitute single Li-Ion battery and stubby antenna and you're there.

Ian Mason

From lists at internetpolicyagency.com Thu Jul 17 16:50:29 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 17 Jul 2014 16:50:29 +0100
Subject: Data retention question
In-Reply-To:
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org>
Message-ID: <4irX6XQFD$xTFAaw@perry.co.uk>

In article , Ian Batten writes

>>my approach to that is to actually contribute (educate, inform etc) at first hand regarding technology issues when I think it'll help. How many others here were available on-site on Tuesday
>
>I don't think it's as simple as checking yourself into Portcullis house and sitting in the atrium with a sign saying "Crypto how? Ask me now!" Perhaps we could all cluster on the wall outside with signs saying "Will do policy analysis for food".

Almost all the time what you suggest is months too late.

>I'd be very happy to do educational work with MPs on crypto/intercept policy, and (in broad terms) I'd do it for free too. I don't get the slightest sense that they're interested.

Only because you apparently aren't aware of the channels through which such advice might be offered.

>I was at an event with Julian Huppert a few weeks ago which Caspar was at as well. But he was there as a speaker, and a very good one at that, and I'm not sure that he learned much that he didn't already know.

Julian has his agenda, and is quite well informed. He's not the audience for the sort of advice I'm talking about.

>There doesn't seem to be a venue for subject matter experts to offer their knowledge to MPs in the large.

Try going to some of the All-Party groups. Although I'm not saying you have to educate "in the large", about 1% is enough to make a difference.

>You can correspond with your own MP, but if it's not something on their radar then it's not clear how you make input to other MPs.

Not that trite route, certainly.

--
Roland Perry

From lists at internetpolicyagency.com Thu Jul 17 16:51:36 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 17 Jul 2014 16:51:36 +0100
Subject: Data retention question
In-Reply-To: <53C7ADB0.5060804@cobb.uk.net>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org> <53C7ADB0.5060804@cobb.uk.net>
Message-ID: <1y4UO$QIE$xTFA6u@perry.co.uk>

In article <53C7ADB0.5060804 at cobb.uk.net>, Graham Cobb writes

>The channels to MPs seem to be lobbyists, think tanks and party policy units.

That's some, but by no means all.
--
Roland Perry

From lists at internetpolicyagency.com Thu Jul 17 16:54:26 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 17 Jul 2014 16:54:26 +0100
Subject: Data retention question
In-Reply-To: <20140717134535.00007f8f@surtees.fenrir.org.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F6C2.9080800@gladman.plus.com> <20140717134535.00007f8f@surtees.fenrir.org.uk>
Message-ID:

In article <20140717134535.00007f8f at surtees.fenrir.org.uk>, Brian Morrison writes

>The only way to change this is for everyone to vote for independent candidates who are a) not controlled by a party and b) able to get enough help to campaign for election from people who are not party workers.
>
>Sadly I don't see it happening any time soon unless people start to actually care about what their MP does and how they vote on various issues.

But what do you do if your chosen independent candidate is 100% on side over data retention, but 100% off-side on things like immigration, education, transport, broadband rollout, taxation and pensions?
--
Roland Perry

From fjmd1a at gmail.com Thu Jul 17 17:00:55 2014
From: fjmd1a at gmail.com (Francis Davey)
Date: Thu, 17 Jul 2014 17:00:55 +0100
Subject: Data retention question
In-Reply-To: <4irX6XQFD$xTFAaw@perry.co.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org> <4irX6XQFD$xTFAaw@perry.co.uk>
Message-ID:

2014-07-17 16:50 GMT+01:00 Roland Perry :

> Only because you apparently aren't aware of the channels through which such advice might be offered.

Please educate us.

> Try going to some of the All-Party groups. Although I'm not saying you have to educate "in the large", about 1% is enough to make a difference.

My experience - with the Digital Economy Act - was that these weren't particularly helpful meetings. For example in the middle of a presentation by me a member of the House of Lords wandered in and muttered (loudly enough for everyone to hear) "rubbish, rubbish" at what I was saying.

On the one hand one might think - why bother giving my expertise free to people so rude (they'd have been firmly spanked by my grandparents) but on the other hand they do unfortunately govern the country and their ignorance is our suffering.

Sigh.

--
Francis Davey

From g+ukcrypto at cobb.uk.net Thu Jul 17 17:22:46 2014
From: g+ukcrypto at cobb.uk.net (Graham Cobb)
Date: Thu, 17 Jul 2014 17:22:46 +0100
Subject: Data retention question
In-Reply-To: <1y4UO$QIE$xTFA6u@perry.co.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org> <53C7ADB0.5060804@cobb.uk.net> <1y4UO$QIE$xTFA6u@perry.co.uk>
Message-ID: <53C7F856.1030500@cobb.uk.net>

On 17/07/14 16:51, Roland Perry wrote:

> In article <53C7ADB0.5060804 at cobb.uk.net>, Graham Cobb writes
>> The channels to MPs seem to be lobbyists, think tanks and party policy units.
>
> That's some, but by no means all.

Realistically, is there much point trying to educate MPs? Is the ORG approach of trying to get to the civil servants who really define policy the best option? On this topic I don't think that has much chance of success, but getting change through the actions of MPs seems to have even less.

From ajb44.geo at yahoo.com Thu Jul 17 17:36:03 2014
From: ajb44.geo at yahoo.com (Alex Burr)
Date: Thu, 17 Jul 2014 09:36:03 -0700
Subject: Data retention question
In-Reply-To: <1405464070.21330.YahooMailNeo@web122506.mail.ne1.yahoo.com>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <1405464070.21330.YahooMailNeo@web122506.mail.ne1.yahoo.com>
Message-ID: <1405614963.43161.YahooMailNeo@web122504.mail.ne1.yahoo.com>

Okay an update: I found a free 'cell site analysis' guide. It is downloadable from here: http://www.forensicanalytics.co.uk/services/training/free-resources but you have to give them contact details.
It appears that location for data use *is* retained in the UK, except by Three. Records do not correspond to packets or tcp sessions, they correspond to 'an entire connectivity session' (I'm not familiar enough with mobile phone protocols to identify that) which are apparently 'closed' due to, for example a time out, which can happen after 5 minutes of inactivity. So it is plausible that a poll every 10 minutes by an email client could cause a comprehensive location record for a UK user, as in the Spitze case. But I don't have evidence of whether this is typical.

Alex

> On Tuesday, July 15, 2014 11:41 PM, Alex Burr wrote:
>
>> On Tuesday, July 15, 2014 9:03 PM, Peter Fairbrother wrote:
>
>> A better answer - the sort of data you mention are not regularly collected in bulk in the UK. The types of data which are regularly collected in bulk are fairly limited [1], and relate mostly to calls and texts.
>
> Thanks, that's very helpful. I'm assuming [1] is from 'The Data Retention (EC Directive) Regulations 2009'. It does seem to have the same interpretation problem you mentioned earlier, in that 'communication' could include internet data and doesn't have defined start and end. Can you say where you found out that these aren't regularly collected? (As well as being interested from a civil perspective, I'm doing academic work so I'm trying to find a citation, but no worries if you don't have one).
>
> [Further helpful explanation snipped]
>
> Alex
>

From brg at gladman.plus.com Thu Jul 17 18:06:44 2014
From: brg at gladman.plus.com (Brian Gladman)
Date: Thu, 17 Jul 2014 18:06:44 +0100
Subject: Data retention question
In-Reply-To:
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F6C2.9080800@gladman.plus.com> <20140717134535.00007f8f@surtees.fenrir.org.uk>
Message-ID: <53C802A4.2070700@gladman.plus.com>

On 17/07/2014 16:54, Roland Perry wrote:

> In article <20140717134535.00007f8f at surtees.fenrir.org.uk>, Brian Morrison writes
>> The only way to change this is for everyone to vote for independent candidates who are a) not controlled by a party and b) able to get enough help to campaign for election from people who are not party workers.
>>
>> Sadly I don't see it happening any time soon unless people start to actually care about what their MP does and how they vote on various issues.
>
> But what do you do if your chosen independent candidate is 100% on side over data retention, but 100% off-side on things like immigration, education, transport, broadband rollout, taxation and pensions?

They will enter an election in which, at least in principle, their constituents will select them based on the policies that they advocate. Once elected they then vote on issues as best they can as a representative of their constituents. If they deviate completely from their announced policies, they don't get elected next time (or maybe get fired).

Of course this won't work well in a modern world since it would mean that we had no real policy direction overall.
But the Party system has completely undermined representative democracy to the point where a large proportion of the population is now completely disinterested in what Parliament does.

Rather than going completely along the independent line, I would prefer to weaken the Party system by restricting whipping to a small number of key issues such as confidence votes, finance bills etc., thereby leaving a much greater proportion of what Parliament does open to free votes.

We are supposed to live in a representative democracy but few if any now feel that they are represented in what Parliament does. Judging the balance between security and privacy would be a much more worthwhile exercise if MPs really had to think about it rather than being led blindfold through the lobbies.

From igb at batten.eu.org Thu Jul 17 18:27:28 2014
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 17 Jul 2014 18:27:28 +0100
Subject: Data retention question
In-Reply-To: <4irX6XQFD$xTFAaw@perry.co.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org> <4irX6XQFD$xTFAaw@perry.co.uk>
Message-ID: <1C24F87B-A102-4963-A911-7EB6D6F45E36@batten.eu.org>

Sorry for top-posting - waiting for a train to prove the ukcrypto uk.railway crossover again.

I'm aware of all-party groups, and went to a few all-party internet group meetings at portcullis house. One appeared to consist of an opportunity for men of a certain age to get sweaty over Tanya Byron. In fact, I have a memory of standing next to you in a side room while some ld peer (Susan Kramer?) spoke. But I didn't see those as serious forums for influence. Are they?
If not, where is?

ian
http://igb.tel

> On 17 Jul 2014, at 16:50, Roland Perry wrote:
>
> In article , Ian Batten writes
>
>>> my approach to that is to actually contribute (educate, inform etc) at first hand regarding technology issues when I think it'll help. How many others here were available on-site on Tuesday
>>
>> I don't think it's as simple as checking yourself into Portcullis house and sitting in the atrium with a sign saying "Crypto how? Ask me now!" Perhaps we could all cluster on the wall outside with signs saying "Will do policy analysis for food".
>
> Almost all the time what you suggest is months too late.
>
>> I'd be very happy to do educational work with MPs on crypto/intercept policy, and (in broad terms) I'd do it for free too. I don't get the slightest sense that they're interested.
>
> Only because you apparently aren't aware of the channels through which such advice might be offered.
>
>> I was at an event with Julian Huppert a few weeks ago which Caspar was at as well. But he was there as a speaker, and a very good one at that, and I'm not sure that he learned much that he didn't already know.
>
> Julian has his agenda, and is quite well informed. He's not the audience for the sort of advice I'm talking about.
>
>> There doesn't seem to be a venue for subject matter experts to offer their knowledge to MPs in the large.
>
> Try going to some of the All-Party groups. Although I'm not saying you have to educate "in the large", about 1% is enough to make a difference.
>
>> You can correspond with your own MP, but if it's not something on their radar then it's not clear how you make input to other MPs.
>
> Not that trite route, certainly.
> --
> Roland Perry
>

From ats at offog.org Thu Jul 17 17:23:37 2014
From: ats at offog.org (Adam Sampson)
Date: Thu, 17 Jul 2014 17:23:37 +0100
Subject: Turn off the mobile
In-Reply-To: (Ian Mason's message of "Thu, 17 Jul 2014 16:48:35 +0100")
References: <53C7ABB0.4060507@pelicancrossing.net>
Message-ID:

Ian Mason writes:

> Substitute single Li-Ion battery and stubby antenna and you're there.

Or even a plate antenna, as used in some versions of the Pye Pocketfone police radios -- which were basically doing exactly this in the 1970s: https://sites.google.com/site/g3xbmqrp3/vuhf/pf8

--
Adam Sampson

From bdm at fenrir.org.uk Thu Jul 17 19:08:23 2014
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Thu, 17 Jul 2014 19:08:23 +0100
Subject: Data retention question
In-Reply-To: <$kQ2LxPp9+xTFALd@perry.co.uk>
References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk>
Message-ID: <20140717190823.000068da@surtees.fenrir.org.uk>

On Thu, 17 Jul 2014 16:44:41 +0100 Roland Perry wrote:

> In article <20140717133957.0000794c at surtees.fenrir.org.uk>, Brian Morrison writes
> >It would be extremely sensible to make all the changes *before* the bloody thing gets its 3rd reading wouldn't it?
>
> Who is making the changes, and why is the 3rd reading too late? Many of the important changes to RIPA were made at the very last opportunity; such seems to be the way things are done.

I assume you mean "just before the 3rd reading" because it's very soon after it that a division is called.
I have nothing against last minute amendments per se, but I would prefer that there is a period of calm to consider them fully rather than amending the Bill in a mad scramble. -- Brian Morrison From bdm at fenrir.org.uk Thu Jul 17 19:15:45 2014 From: bdm at fenrir.org.uk (Brian Morrison) Date: Thu, 17 Jul 2014 19:15:45 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F6C2.9080800@gladman.plus.com> <20140717134535.00007f8f@surtees.fenrir.org.uk> Message-ID: <20140717191545.000075a9@surtees.fenrir.org.uk> On Thu, 17 Jul 2014 16:54:26 +0100 Roland Perry wrote: > In article <20140717134535.00007f8f at surtees.fenrir.org.uk>, Brian > Morrison writes > >The only way to change this is for everyone to vote for independent > >candidates who are a) not controlled by a party and b) able to get > >enough help to campaign for election from people who are not party > >workers. > > > >Sadly I don't see it happening any time soon unless people start to > >actually care about what their MP does and how they vote on various > >issues. > > But what do you do if your chosen independent candidate is 100% on > side over data retention, but 100% off-side on things like > immigration, education, transport, broadband rollout, taxation and > pensions? > Well, I would hope that the sort of independent candidate that I would vote for that had a good chance of being elected would also be of independent mind but at the same time read correspondence from and listen to opinions from their constituents and use it to inform their thinking. 
The only way to have my exact opinions on everything used directly is to have the Swiss system of using a referendum to decide. I'd like that because I'm interested enough to find out as much as I can about various issues but I imagine a lot of people would find it a chore. That's why we are where we are because not enough people care and MPs are left to do much of what they do without a lot of constituency input other than on local issues. -- Brian Morrison From bdm at fenrir.org.uk Thu Jul 17 19:17:29 2014 From: bdm at fenrir.org.uk (Brian Morrison) Date: Thu, 17 Jul 2014 19:17:29 +0100 Subject: Turn off the mobile In-Reply-To: References: <53C7ABB0.4060507@pelicancrossing.net> Message-ID: <20140717191729.00007540@surtees.fenrir.org.uk> On Thu, 17 Jul 2014 16:48:35 +0100 Ian Mason wrote: > > On 17 Jul 2014, at 13:24, Ian Batten wrote: > > > You're hardly going to manage > > two-way communication on the 2m band with a device the size of a > > packet of cigarettes with no external aerial and a single AA > > battery. > > Actually, that's not far off from a description of the current crop > of handheld 2m/70cm transceivers. Substitute single Li-Ion battery and > stubby antenna and you're there. And have a very short range in urban areas at ground level between two people. Similar for the unlicensed non-amateur equivalents. 
-- Brian Morrison From g+ukcrypto at cobb.uk.net Thu Jul 17 19:32:54 2014 From: g+ukcrypto at cobb.uk.net (Graham Cobb) Date: Thu, 17 Jul 2014 19:32:54 +0100 Subject: Data retention question In-Reply-To: <1405614963.43161.YahooMailNeo@web122504.mail.ne1.yahoo.com> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <1405464070.21330.YahooMailNeo@web122506.mail.ne1.yahoo.com> <1405614963.43161.YahooMailNeo@web122504.mail.ne1.yahoo.com> Message-ID: <53C816D6.9050303@cobb.uk.net> On 17/07/14 17:36, Alex Burr wrote: > Records do not correspond to packets or tcp sessions, they correspond to 'an entire connectivity session' (I'm not familiar enough of mobile phone protocols to identify that) which are apparently 'closed' due to, for example a time out, which can happen after 5 minutes of inactivity. So it is plausible that a poll every 10 minutes by an email client could cause a comprehensive location record for a UK user, as in the Spitze case. But I don't have evidence of whether this typical. I know nothing about how the UK operators are set up, but I know a little about billing in mobile networks in general. For those operators who retain location for data use, they almost certainly take it from the "CDR" (call detail record) which is the notification sent to the billing system about any (potentially) chargeable event. That is consistent with the description you reproduced. For voice calls, the CDR is normally only generated at the end of the call (except for very long-lived calls -- most networks will generate a CDR after 24 hours if the call is still going). For data, there is no standardisation, and the situation changes as more equipment gets put into the network. In general, for data, many network elements may generate CDRs for the same data session and it is up to the network which ones they actually use or record. 
A simplified discussion (the details are different for 2G, 3G, 4G as well as for different networks)... It is almost certain a CDR will be generated when an IP "connectivity session" is disconnected. However, the connection being talked about here, is the connection between the phone and some router (more than just a router, but basically a router), at a lower level than IP. That is normally either because the phone drops off the network or the phone decides it doesn't think it needs to send/receive any more data for a while. It is not necessarily related to any TCP connections, although in simple cases it often is. CDRs for data may also be generated when a phone moves (most often when it moves out of a Location Area, which is a group of cell sites). It is quite likely (depending on many things in the phone and network configuration) that a CDR will be generated after each of the mail polling sessions, in your example. As networks get more sophisticated, much more CDR processing is occurring. For example, it is very common to combine CDRs that relate to the same user at a low level in the network to save on storage/processing. So, the several CDRs from your email polling may get combined back into one CDR before it gets to be "retained" (or it might be after it is retained -- up to the Billing architect). Also, equipment like policy enforcement can generate more detailed CDRs including the protocols used (and other information like web pages accessed, if it includes deep packet inspection, which many do). Those CDRs typically do align with TCP sessions (although not always), but they may or may not include information like location. And they may or may not go into the "retention" database. Bottom line: even if the authors of that document understood correctly how it is handled for each of the UK networks at the time they asked, it has probably changed several times since! Note that this assumes the data is taken from (some of the) CDRs. 
That is the most likely for the bulk retention. However, to track location at all times requires a completely different process, fairly expensive in network resources, so it is probably only available if served with a specific request (and with a price attached). Graham From davehowe.pentesting at gmail.com Thu Jul 17 17:48:09 2014 From: davehowe.pentesting at gmail.com (Dave Howe) Date: Thu, 17 Jul 2014 17:48:09 +0100 Subject: Data retention question In-Reply-To: <20140717134535.00007f8f@surtees.fenrir.org.uk> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F6C2.9080800@gladman.plus.com> <20140717134535.00007f8f@surtees.fenrir.org.uk> Message-ID: <53C7FE49.4020609@gmail.com> On 17/07/2014 13:45, Brian Morrison wrote: > Sadly I don't see it happening any time soon unless people start to > actually care about what their MP does and how they vote on various > issues. +1 I would wonder, if you took a poll on the way out from voting and asked one simple question about the content of the bill (for example, how long the bill says data should be retained for), what percentage could answer it? 
Perhaps such a question on the way in (with the right to vote conditional on getting it right) would lead to more informed voting (but I am not planning on holding my breath on that one) From chl at clerew.man.ac.uk Thu Jul 17 20:23:13 2014 From: chl at clerew.man.ac.uk (Charles Lindsey) Date: Thu, 17 Jul 2014 20:23:13 +0100 Subject: Data retention question In-Reply-To: <53C7ADB0.5060804@cobb.uk.net> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org> <53C7ADB0.5060804@cobb.uk.net> Message-ID: On Thu, 17 Jul 2014 12:04:16 +0100, Graham Cobb wrote: > On 17/07/14 10:38, Ian Batten wrote: >> There doesn't seem to be a venue for subject matter experts to offer >> their knowledge to MPs in the >> large. You can correspond with your own MP, but if it's not something >> on their radar then it's >> not clear how you make input to other MPs. > > The channels to MPs seem to be lobbyists, think tanks and party policy > units. Unfortunately, those all choose their experts to match their > existing views, rather than the other way round. > > The only way to educate MPs on crypto policy is to turn it into a major > public issue -- in a similar way to global warming. Then they will at > least be willing to be educated to the "sound bite" level -- we can't > hope for better than that. Can I just remind you that, 10 years ago, this group managed to forge pretty good links with a group of peers, and RIPA was the better for it. We could do it again if we had to, but it takes time (we failed at the Commons stage because we had not learnt the ropes). 
But a Bill that HAS to be passed in 3 days is not a good candidate for such an operation. -- Charles H. Lindsey ---------At Home, doing my own thing------------------------ Tel: +44 161 436 6131 Web: http://www.cs.man.ac.uk/~chl Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From dfawcus+lists-ukcrypto at employees.org Thu Jul 17 20:24:45 2014 From: dfawcus+lists-ukcrypto at employees.org (Derek Fawcus) Date: Thu, 17 Jul 2014 12:24:45 -0700 Subject: Data retention question In-Reply-To: <53C802A4.2070700@gladman.plus.com> References: <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F6C2.9080800@gladman.plus.com> <20140717134535.00007f8f@surtees.fenrir.org.uk> <53C802A4.2070700@gladman.plus.com> Message-ID: <20140717192444.GA57109@banjo.employees.org> On Thu, Jul 17, 2014 at 06:06:44PM +0100, Brian Gladman wrote: > But the Party system has > completely undermined representative democracy to the point where a > large proportion of the population is now completely disinterested in > what Parliament does. ... [snip] ... > We are supposed to live in a representative democracy but few if any now > feel that they are represented in what Parliament does. I became so dissatisfied with the sorry state of affairs that I took action so as to ensure I am no longer represented. .pdf From igb at batten.eu.org Thu Jul 17 21:09:35 2014 From: igb at batten.eu.org (Ian Batten) Date: Thu, 17 Jul 2014 21:09:35 +0100 Subject: Turn off the mobile In-Reply-To: References: <53C7ABB0.4060507@pelicancrossing.net> Message-ID: On 17 Jul 2014, at 17:23, Adam Sampson wrote: > Ian Mason writes: > >> Substitute single Li-Ion battery and stubby antenna and you're there. 
> > Or even a plate antenna, as used in some versions of the Pye Pocketfone > police radios Which used an 18V lead-acid battery, not a single AA cell... ian From pwt at iosis.co.uk Fri Jul 18 09:48:25 2014 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Fri, 18 Jul 2014 09:48:25 +0100 Subject: Data retention question In-Reply-To: <53C7F856.1030500@cobb.uk.net> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk><53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <271DED10-0CBD-472D-8FA9-216749F76F60@batten.eu.org> <53C7ADB0.5060804@cobb.uk.net><1y4UO$QIE$xTFA6u@perry.co.uk> <53C7F856.1030500@cobb.uk.net> Message-ID: <53C8DF59.1020405@iosis.co.uk> At risk of being told I'm off topic, I would rather deal with Scottish civil servants or with Dutch than with Whitehall. Much more in other jurisdictions of the right person with the right skills in the right job. There have been attempts to remedy this, but it's still rather like the proverbial curate's egg: good in (small) parts. I suspect that MPs have the same trouble with them that us mere citizens do. Peter On 17/07/2014 17:22, Graham Cobb wrote: > Realistically, is there much point trying to educate MPs? Is the ORG > approach of trying to get to the civil servants who really define policy > the best option? From jul at healthecard.co.uk Fri Jul 18 12:24:45 2014 From: jul at healthecard.co.uk (jul kornbluth) Date: Fri, 18 Jul 2014 14:24:45 +0300 Subject: Another new Off topic: DPA question Message-ID: Hello Another off topic question on the DPA if I may. We have had a complaint raised against our school with the Schools Adjudicator. I am chair of the trustees. 
The School Adjudicator has powers virtually unchangeable, and has tied us up in knots and numerous meetings. The complainant has asked to remain anonymous. The 2012 Admission Code, which is the Statutory basis of the Adjudicator's investigation, states clearly anonymous complaints cannot be brought. ~ para 3.3.f) In the Notes it states that the person objecting must provide their name to the Adjudicator. Are the notes part of the Code, or am I entitled to find out under the DPA who this objector is e.g. a parent, prospective parent, member of staff, an unconnected outsider, or even a member of the governing body? Any help would be appreciated. Jul Kornbluth On 12 June 2014 19:44, Marcus Williamson wrote: > > Hello > > An off-topic question if I may: > > Is a business email address considered "personal data" under the terms of > the Data > Protection Act (DPA)? > > Thanks > Marcus Williamson > > -- Jul Kornbluth Health eSystems Ltd (UK Company Reg. 5754837) 6 Dalston Gardens, Stanmore HA7 1BU Phone 020 8206 3500 Fax 020 8206 3501 e-mail jul at healthecard.co.uk website www.healthecard.co.uk -------------- next part -------------- An HTML attachment was scrubbed... URL: From ajb44.geo at yahoo.com Fri Jul 18 16:03:10 2014 From: ajb44.geo at yahoo.com (Alex Burr) Date: Fri, 18 Jul 2014 08:03:10 -0700 Subject: Data retention question Message-ID: <1405695790.65451.YahooMailNeo@web122502.mail.ne1.yahoo.com> Thanks, this is very helpful. Alex Graham Cobb g+ukcrypto at cobb.uk.net wrote: > I know nothing about how the UK operators are set up, but I know a > little about billing in mobile networks in general. > For those operators who retain location for data use, they almost > certainly take it from the "CDR" (call detail record) which is the > notification sent to the billing system about any (potentially) > chargeable event. That is consistent with the description you reproduced. 
> For voice calls, the CDR is normally only generated at the end of the > call (except for very long-lived calls -- most networks will generate a > CDR after 24 hours if the call is still going). > [ more useful information snipped] From igb at batten.eu.org Fri Jul 18 16:36:06 2014 From: igb at batten.eu.org (Ian Batten) Date: Fri, 18 Jul 2014 16:36:06 +0100 Subject: Another new Off topic: DPA question In-Reply-To: References: Message-ID: <9F9B9ADA-29B8-4726-A3DF-8499258AAB4B@batten.eu.org> On 18 Jul 2014, at 12:24, jul kornbluth wrote: > Hello > > Another off topic question on the DPA if I may. > > We have had a complaint raised against our school with the Schools Adjudicator. I am chair of the trustees. The School Adjudicator has powers virtually unchangeable, and has tied us up in knots and numerous meetings. The complainant has asked to remain anonymous. > > The 2012 Admission Code, which is the Statutory basis of the Adjudicator's investigation, states clearly anonymous complaints cannot be brought. ~ para 3.3.f) In the Notes it states that the person objecting must provide their name to the Adjudicator. Are the notes part of the Code, or am I entitled to find out under the DPA who this objector is e.g. a parent, prospective parent, member of staff, an unconnected outsider, or even a member of the governing body? No. Because the Data Protection Act applies to individuals, not corporate bodies, and the board of governors are a corporate body (S.1(1) "“data subject” means an individual who is the subject of personal data;"). It's therefore not relevant what document is part of what: a governing body, acting corporately, is not an "individual" and information about it is not "personal data". 
Even were that not to stop you, you can't use the DPA to find out about other people because of S.7(4) "Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless" (either the subject agrees or would have no reason whatsoever to object, neither of which is likely to apply). The DPA is about data about _you_. It's not about companies, it's not about corporate bodies, and it's not about other people. ian From jul at healthecard.co.uk Fri Jul 18 16:55:59 2014 From: jul at healthecard.co.uk (jul kornbluth) Date: Fri, 18 Jul 2014 18:55:59 +0300 Subject: Another new Off topic: DPA question In-Reply-To: <9F9B9ADA-29B8-4726-A3DF-8499258AAB4B@batten.eu.org> References: <9F9B9ADA-29B8-4726-A3DF-8499258AAB4B@batten.eu.org> Message-ID: Thanks, makes sense, very helpful. So as a corporate body we are not entitled to find out who has complained about us. So when *The School Admissions (Admission Arrangements and Co-ordination of Admission Arrangements) (England) Regulations 2012* Condition to be met before the determination of an objection 24. An objection may only be referred under section 88H(2) where the person or body making the objection provides their name and address to the adjudicator. there is no obligation on the adjudicator to advise us of the complainant. Is there another route by which we can find out if not via the DPA? Jul On 18 July 2014 18:36, Ian Batten wrote: > > On 18 Jul 2014, at 12:24, jul kornbluth wrote: > > > Hello > > > > Another off topic question on the DPA if I may. > > > > We have had a complaint raised against our school with the Schools > Adjudicator. I am chair of the trustees. The School Adjudicator has > powers virtually unchangeable, and has tied us up in knots and numerous > meetings. The complainant has asked to remain anonymous. 
> > > > The 2012 Admission Code, which is the Statutory basis of the > Adjudicator's investigation, states clearly anonymous complaints cannot be > brought. ~ para 3.3.f) In the Notes it states that the person objecting > must provide their name to the Adjudicator. Are the notes part of the > Code, or am I entitled to find out under the DPA who this objector is e.g. > a parent, prospective parent, member of staff, an unconnected outsider, or > even a member of the governing body? > > No. Because the Data Protection Act applies to individuals, not corporate > bodies, > and the board of governors are a corporate body (S.1(1) ""data subject" > means an > individual who is the subject of personal data;"). > > It's therefore not relevant what document is part of what: a governing > body, acting > corporately, is not an "individual" and information about it is not > "personal data". > > Even were that not to stop you, you can't use the DPA to find out about > other > people because of S.7(4) "Where a data controller cannot comply with the > request > without disclosing information relating to another individual who can be > identified > from that information, he is not obliged to comply with the request unless" > (either the > subject agrees or would have no reason whatsoever to object, neither of > which is > likely to apply). > > The DPA is about data about _you_. It's not about companies, it's not > about corporate > bodies, and it's not about other people. > > ian > > -- Jul Kornbluth Health eSystems Ltd (UK Company Reg. 
5754837) 6 Dalston Gardens, Stanmore HA7 1BU Phone 020 8206 3500 Fax 020 8206 3501 e-mail jul at healthecard.co.uk website www.healthecard.co.uk
From lists at internetpolicyagency.com Fri Jul 18 16:57:13 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 18 Jul 2014 16:57:13 +0100 Subject: Data retention question In-Reply-To: <20140717190823.000068da@surtees.fenrir.org.uk> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> Message-ID: In article <20140717190823.000068da at surtees.fenrir.org.uk>, Brian Morrison writes >I assume you mean "just before the 3rd reading" because it's very soon >after it that a division is called. Shorthand for 'everything after 2nd reading', sorry if not clear. > I have nothing against last minute >amendments per se, but I would prefer that there is a period of calm to >consider them fully rather than amending the Bill in a mad scramble. But every Bill is amended in a "mad scramble", even if it's been in the works for months. The policy-making and lobbying behind the scramble might well have been going on for years, which is the case for RIPA, Data Retention etc. It's hardly as if the topic has never been discussed the last ten years and people need to start making their minds up in a rush. 
-- Roland Perry From igb at batten.eu.org Fri Jul 18 17:10:15 2014 From: igb at batten.eu.org (Ian Batten) Date: Fri, 18 Jul 2014 17:10:15 +0100 Subject: Another new Off topic: DPA question In-Reply-To: References: <9F9B9ADA-29B8-4726-A3DF-8499258AAB4B@batten.eu.org> Message-ID: <7D3A5226-7747-46CF-8F51-0F2213B393A3@batten.eu.org> On 18 Jul 2014, at 16:55, jul kornbluth wrote: > Thanks, makes sense, very helpful. > > So as a corporate body we are not entitled to find out who has complained about us. Not via DPA, no. > > So when > The School Admissions (Admission Arrangements and Co-ordination of Admission Arrangements) (England) Regulations 2012 > Condition to be met before the determination of an objection > 24. An objection may only be referred under section 88H(2) where the person or body making the objection provides their name and address to the adjudicator. > > there is no obligation on the adjudicator to advise us of the complainant. Obviously not: the clause's meaning is quite clear on its face. > Is there another route by which we can find out if not via the DPA/ It is unlikely. Just to pre-empt your question, FoI doesn't apply, because of S.40(3)(a)(i) (and probably other sections as well): you can't use FoI to obtain other people's personal information unless disclosing it to you is fair processing, which it almost certainly is not (ie, FoI does not override the obligation of a body to process personal information according to the data protection principles). 
ian
From bdm at fenrir.org.uk Fri Jul 18 17:18:09 2014 From: bdm at fenrir.org.uk (Brian Morrison) Date: Fri, 18 Jul 2014 17:18:09 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> Message-ID: <20140718171809.0000235b@surtees.fenrir.org.uk> On Fri, 18 Jul 2014 16:57:13 +0100 Roland Perry wrote: > > I have nothing against last minute > >amendments per se, but I would prefer that there is a period of calm > >to consider them fully rather than amending the Bill in a mad > >scramble. > > But every Bill is amended in a "mad scramble", even if it's been in > the works for months. Why is this? Is it done deliberately to make it difficult to fix deliberately bad drafting I wonder? > > The policy-making and lobbying behind the scramble might well have > been going on for years, which is the case for RIPA, Data Retention > etc. It's hardly as if the topic has never been discussed the last > ten years and people need to start making their minds up in a rush. This time 450+ MPs appear to have not noticed that the new legislation makes the blanket data retention aspects even worse and hence the ECJ objection to its predecessor is quite unchanged. Or did the whips blackmail them all by referring to their character notes? 
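-- Brian Morrison From jim at openrightsgroup.org Fri Jul 18 17:23:54 2014 From: jim at openrightsgroup.org (Jim Killock) Date: Fri, 18 Jul 2014 17:23:54 +0100 Subject: Data retention question In-Reply-To: <20140718171809.0000235b@surtees.fenrir.org.uk> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> Message-ID: <6DAF59F3-B0DC-4F39-94F8-2F57AEE515E0@openrightsgroup.org> On 18 Jul 2014, at 17:18, Brian Morrison wrote: > On Fri, 18 Jul 2014 16:57:13 +0100 > Roland Perry wrote: > >>> I have nothing against last minute >>> amendments per se, but I would prefer that there is a period of calm >>> to consider them fully rather than amending the Bill in a mad >>> scramble. >> >> But every Bill is amended in a "mad scramble", even if it's been in >> the works for months. > > Why is this? Is it done deliberately to make it difficult to fix > deliberately bad drafting I wonder? The emergency is that public debate might break out or civil liberties arguments would gain traction in Parliament > >> >> The policy-making and lobbying behind the scramble might well have >> been going on for years, which is the case for RIPA, Data Retention >> etc. It's hardly as if the topic has never been discussed the last >> ten years and people need to start making their minds up in a rush. 
> > This time 450+ MPs appear to have not noticed that the new legislation > makes the blanket data retention aspects even worse and hence the ECJ > objection to its predecessor is quite unchanged. Or did the whips > blackmail them all by referring to their character notes? “Paedophiles and terrorists will walk free if you vote this down” is plenty enough threat for most MPs. From james at talkunafraid.co.uk Fri Jul 18 19:07:57 2014 From: james at talkunafraid.co.uk (James Harrison) Date: Fri, 18 Jul 2014 19:07:57 +0100 Subject: Data retention question In-Reply-To: <6DAF59F3-B0DC-4F39-94F8-2F57AEE515E0@openrightsgroup.org> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <6DAF59F3-B0DC-4F39-94F8-2F57AEE515E0@openrightsgroup.org> Message-ID: <53C9627D.7070201@talkunafraid.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 18/07/2014 17:23, Jim Killock wrote: > ?Paedophiles and terrorists will walk free if you vote this down? > is plenty enough threat for most MPs. I suspect, reading most of the responses people have been posting and the emphasis placed on the point during the readings etc, that the "maintaining the status quo" aspect meant most didn't bother to look closely at it. 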
> > This time 450+ MPs appear to have not noticed that the new legislation > makes the blanket data retention aspects even worse and hence the ECJ > objection to its predecessor is quite unchanged. Or did the whips > blackmail them all by referring to their character notes? ?Paedophiles and terrorists will walk free if you vote this down? is plenty enough threat for most MPs. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 203 bytes Desc: Message signed with OpenPGP using GPGMail URL: From james at talkunafraid.co.uk Fri Jul 18 19:07:57 2014 From: james at talkunafraid.co.uk (James Harrison) Date: Fri, 18 Jul 2014 19:07:57 +0100 Subject: Data retention question In-Reply-To: <6DAF59F3-B0DC-4F39-94F8-2F57AEE515E0@openrightsgroup.org> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <6DAF59F3-B0DC-4F39-94F8-2F57AEE515E0@openrightsgroup.org> Message-ID: <53C9627D.7070201@talkunafraid.co.uk> On 18/07/2014 17:23, Jim Killock wrote: > “Paedophiles and terrorists will walk free if you vote this down” > is plenty enough threat for most MPs. I suspect, reading most of the responses people have been posting and the emphasis placed on the point during the readings etc, that the "maintaining the status quo" aspect meant most didn't bother to look closely at it. 
Sure, "Paedogeddon shall be hastened by those who vote against" is another threat against voting against it, but I don't think many MPs got as far as even considering it. "Oh, EU law withdrawn that needs replacing with primary legislation, whatever" -- Cheers, James Harrison From zenadsl6186 at zen.co.uk Fri Jul 18 22:57:33 2014 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Fri, 18 Jul 2014 22:57:33 +0100 Subject: Data retention question In-Reply-To: <1405614963.43161.YahooMailNeo@web122504.mail.ne1.yahoo.com> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk> <1405464070.21330.YahooMailNeo@web122506.mail.ne1.yahoo.com> <1405614963.43161.YahooMailNeo@web122504.mail.ne1.yahoo.com> Message-ID: <53C9984D.6040200@zen.co.uk> On 17/07/14 17:36, Alex Burr wrote: > Okay an update: I found a free 'cell site analysis' guide. It is > downloadable from here: > http://www.forensicanalytics.co.uk/services/training/free-resources > but you have to give them contact details. It appears that location > for data use *is* retained in the UK, except by Three. 
> Records do not
> correspond to packets or tcp sessions, they correspond to 'an entire
> connectivity session' (I'm not familiar enough with mobile phone
> protocols to identify that) which are apparently 'closed' due to, for
> example a time out, which can happen after 5 minutes of inactivity.
>
> So it is plausible that a poll every 10 minutes by an email client
> could cause a comprehensive location record for a UK user, as in the
> Spitze case. But I don't have evidence of whether this is typical.
>
> Alex

Thanks, useful link.

I don't know for sure whether mobile service providers are required to retain location data for internet sessions under the 2009 regs/DRIP - personally I'd have said no, they do not, but others may disagree.

The meanings of "mobile telephony" and "communication" are in question, and who knows what a Judge might say? They seem to make it up as they go, and usually in favour of the Establishment.

Though perhaps Three agree with me?

However, mobile service providers are free to retain as much location data as they might want to, under ATCSA.

I would be interested in any more information you can come up with. Or a link to your paper, if you write one.
-- Peter Fairbrother

From zenadsl6186 at zen.co.uk Fri Jul 18 23:13:35 2014
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Fri, 18 Jul 2014 23:13:35 +0100
Subject: Data retention question
In-Reply-To: <20140718171809.0000235b@surtees.fenrir.org.uk>
Message-ID: <53C99C0F.3020602@zen.co.uk>

On 18/07/14 17:18, Brian Morrison wrote:

> This time 450+ MPs appear to have not noticed that the new legislation
> makes the blanket data retention aspects even worse and hence the ECJ
> objection to its predecessor is quite unchanged.

I don't think that's the case - while it does nothing to make the blanket collection regime better, it doesn't seem to me to make it any worse.

What the MPs apparently did fail to notice was that the Bill was in two unrelated parts: though the first clue was in the name, the Data Retention and Investigatory Powers bill.

The Data Retention bit, sections 1 and 2, while wrong-headed and the wrong way to do it, and not complying with the ECtJ decision, and mostly caused by their previous inaction, was in fact a real possible emergency.

“Paedophiles and terrorists will walk free if you vote this down” - I can't say I can actually disagree with that.

The Investigatory Powers part (sections 3-5), on the other hand, was no emergency.
More important, and I don't care how much Theresa May doublespeaks otherwise, it also begins to implement the measures in the Comms bill which was rejected a couple years ago.

They didn't see the latter, didn't care, or were complicit. But anyone who believed it had nothing to do with the comms bill got screwed.

-- Peter Fairbrother

> Or did the whips
> blackmail them all by referring to their character notes?
>

From amidgley at gmail.com Sat Jul 19 09:16:57 2014
From: amidgley at gmail.com (Adrian Midgley)
Date: Sat, 19 Jul 2014 09:16:57 +0100
Subject: Another new Off topic: DPA question

Is the complaint or the complainer vexatious?

If not it will need to be dealt with. Generally the public officials or bodies involved do seek efficient management of such complaints and if they don't your MP might take an interest.

On 18 Jul 2014 15:12, "jul kornbluth" wrote:

> Hello
>
> Another off topic question on the DPA if I may.
>
> We have had a complaint raised against our school with the Schools
> Adjudicator. I am chair of the trustees. The School Adjudicator has
> powers virtually unchangeable, and has tied us up in knots and numerous
> meetings. The complainant has asked to remain anonymous.
>
> The 2012 Admission Code, which is the Statutory basis of the Adjudicator's
> investigation, states clearly anonymous complaints cannot be brought. ~
> para 3.3.f) In the Notes it states that the person objecting must
> provide their name to the Adjudicator. Are the notes part of the Code, or
> am I entitled to find out under the DPA who this objector is e.g. a
> parent, prospective parent, member of staff, an unconnected outsider, or
> even a member of the governing body?
>
> Any help would be appreciated.
> Jul Kornbluth
>
>
>
> On 12 June 2014 19:44, Marcus Williamson wrote:
>
>>
>> Hello
>>
>> An off-topic question if I may:
>>
>> Is a business email address considered "personal data" under the terms of
>> the Data
>> Protection Act (DPA)?
>>
>> Thanks
>> Marcus Williamson
>>
>>
>
>
> --
> Jul Kornbluth
> Health eSystems Ltd (UK Company Reg. 5754837)
>
>
> 6 Dalston Gardens, Stanmore HA7 1BU
> Phone 020 8206 3500 Fax 020 8206 3501
>
>
> e-mail jul at healthecard.co.uk
> website www.healthecard.co.uk
>

From amidgley at gmail.com Sat Jul 19 20:22:32 2014
From: amidgley at gmail.com (Adrian Midgley)
Date: Sat, 19 Jul 2014 20:22:32 +0100
Subject: Data retentio

On 17 Jul 2014 13:58, "Ian Batten" wrote:

> can claim to be waging an effective war on bad stuff, using a vital crime
> fighting tool, when in fact they're using a weapon mostly effective against
> idiots to arrest idiots.

And lunatics.

From lists at internetpolicyagency.com Sat Jul 19 21:07:22 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 19 Jul 2014 21:07:22 +0100
Subject: Data retention question
In-Reply-To: <20140718171809.0000235b@surtees.fenrir.org.uk>

In article <20140718171809.0000235b at surtees.fenrir.org.uk>, Brian Morrison writes
>> But every Bill is amended in a "mad scramble", even if it's been in
>> the works for months.
>
>Why is this?
Because there's so many different workstreams and meetings, that nothing else would work.

--
Roland Perry

From lists at internetpolicyagency.com Sat Jul 19 21:09:18 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 19 Jul 2014 21:09:18 +0100
Subject: Data retention question
In-Reply-To: <53C7F856.1030500@cobb.uk.net>

In article <53C7F856.1030500 at cobb.uk.net>, Graham Cobb writes
>Realistically, is there much point trying to educate MPs?

I hope so. I think there might also be some point in educating people outside parliament on how legislation passes through the system.
--
Roland Perry

From lists at internetpolicyagency.com Sat Jul 19 21:12:26 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 19 Jul 2014 21:12:26 +0100
Subject: Data retention question
In-Reply-To: <53C802A4.2070700@gladman.plus.com>

In article <53C802A4.2070700 at gladman.plus.com>, Brian Gladman writes
>> But what do you do if your chosen independent candidate is 100% on side
>> over data retention, but 100% off-side on things like immigration,
>> education, transport, broadband rollout, taxation and pensions?
>
>They will enter an election in which, at least in principle, their
>constituents will select them based on the policies that they advocate.

They do that already. You are missing the point - every MP, whether following a "party line" or not, will tend to have some policies an elector will agree with and some that they don't.
--
Roland Perry

From lists at internetpolicyagency.com Sat Jul 19 21:14:47 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 19 Jul 2014 21:14:47 +0100
Subject: Data retention question
Message-ID: <9b0GEU83GtyTFABQ@perry.co.uk>

In article , Francis Davey writes
>Only because you apparently aren't aware of the channels through which
>such advice might be offered.
>
>Please educate us

Come and see me and we can talk about it.

--
Roland Perry

From lists at internetpolicyagency.com Sat Jul 19 21:18:05 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 19 Jul 2014 21:18:05 +0100
Subject: Data retention question
In-Reply-To: <1C24F87B-A102-4963-A911-7EB6D6F45E36@batten.eu.org>

In article <1C24F87B-A102-4963-A911-7EB6D6F45E36 at batten.eu.org>, Ian Batten writes
>I'm aware of all-party groups, and went to a few all-party internet group meetings at portcullis house.
>One appeared to consist of an
>opportunity for men of a certain age to get sweaty over Tanya Byron. In fact, I have a memory of standing next to you in a side room while
>some ld peer (Susan Kramer?) spoke. But I didn't see those as serious forums for influence.

Sample of one, was it?

> Are they? If not, where is?

See the reply I gave to Francis.

--
Roland Perry

From maryhawking at tigers.demon.co.uk Sat Jul 19 20:30:29 2014
From: maryhawking at tigers.demon.co.uk (Mary Hawking)
Date: Sat, 19 Jul 2014 20:30:29 +0100
Subject: Data retention question
In-Reply-To: <53C99C0F.3020602@zen.co.uk>
Message-ID: <9D4645F9555043F0879F8153DA9CBA18@MaryPC>

Is that (conspiracy theory) the reason they were not given any opportunity for scrutiny?

Mary Hawking
Retired from NHS on 31.3.13 because of the Health and Social Care Act 2012
"thinking - independent thinking - is to humans as swimming is to cats: we can do it if we really have to." - Mark Earles on Radio 4
blog http://maryhawking.wordpress.com/
And Fred!
http://primaryhealthinfo.wordpress.com/2013/11/02/freds-saying-you-just-dont-get-it/

-----Original Message-----
From: Peter Fairbrother [mailto:zenadsl6186 at zen.co.uk]
Sent: 18 July 2014 23:14
To: UK Cryptography Policy Discussion Group
Subject: Re: Data retention question

On 18/07/14 17:18, Brian Morrison wrote:

> This time 450+ MPs appear to have not noticed that the new legislation
> makes the blanket data retention aspects even worse and hence the ECJ
> objection to its predecessor is quite unchanged.

I don't think that's the case - while it does nothing to make the blanket collection regime better, it doesn't seem to me to make it any worse.

What the MPs apparently did fail to notice was that the Bill was in two unrelated parts: though the first clue was in the name, the Data Retention and Investigatory Powers bill.

The Data Retention bit, sections 1 and 2, while wrong-headed and the wrong way to do it, and not complying with the ECtJ decision, and mostly caused by their previous inaction, was in fact a real possible emergency.

“Paedophiles and terrorists will walk free if you vote this down” - I can't say I can actually disagree with that.

The Investigatory Powers part (sections 3-5), on the other hand, was no emergency.

More important, and I don't care how much Theresa May doublespeaks otherwise, it also begins to implement the measures in the Comms bill which was rejected a couple years ago.

They didn't see the latter, didn't care, or were complicit. But anyone who believed it had nothing to do with the comms bill got screwed.

-- Peter Fairbrother

> Or did the whips
> blackmail them all by referring to their character notes?
>

From zenadsl6186 at zen.co.uk Sun Jul 20 04:04:14 2014
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sun, 20 Jul 2014 04:04:14 +0100
Subject: Data retention question
In-Reply-To: <9D4645F9555043F0879F8153DA9CBA18@MaryPC>
Message-ID: <53CB31AE.3030003@zen.co.uk>

On 19/07/14 20:30, Mary Hawking wrote:
> Is that (conspiracy theory) the reason they were not given any opportunity
> for scrutiny?

short answer: Please, that is not a conspiracy theory; just an informed opinion on the actual content of the Bill, contrasted with its supposed content and the measures in the rejected Comms Bill.

As to a theory of conspiracy, I think the main initial reason MPs were given no opportunity for scrutiny was semi-legitimate, in that data retention law was in crisis; so no conspiracy there.

Then someone added on the objectionable bits about Investigatory Powers; and probably conspired, both before and after, to hide what it actually does.

I say semi-legitimate because I suspect several "conspiracies" contributed to the delay in responding to the ECtJ judgement and thus the crisis - including, would we leave the EU? If we did, then they wouldn't have to do anything to comply with the judgement.
There was also probably a bit of disbelief - someone in the UK Home Office mostly wrote and pressed through the EU Directive, and after the judgement (which had been widely anticipated elsewhere) they probably went "Oh no, the ECtJ couldn't reject my directive," ... and then behaved as if the ECtJ hadn't.

As to a real conspiracy theory? Hmmm. Anyone fancy Charles Farr (no Sir Humphrey, more of a Francis Urquhart) for a role?

-- Peter Fairbrother

>
> Mary Hawking
[...]
> On 18/07/14 17:18, Brian Morrison wrote:
>
>> This time 450+ MPs appear to have not noticed that the new legislation
>> makes the blanket data retention aspects even worse and hence the ECJ
>> objection to its predecessor is quite unchanged.
>
> I don't think that's the case - while it does nothing to make the
> blanket collection regime better, it doesn't seem to me to make it any
> worse.
>
> What the MPs apparently did fail to notice was that the Bill was in two
> unrelated parts: though the first clue was in the name, the Data
> Retention and Investigatory Powers bill.
>
> The Data Retention bit, sections 1 and 2, while wrong-headed and the
> wrong way to do it, and not complying with the ECtJ decision, and mostly
> caused by their previous inaction, was in fact a real possible emergency.
>
> “Paedophiles and terrorists will walk free if you vote this down” - I
> can't say I can actually disagree with that.
>
> The Investigatory Powers part (sections 3-5), on the other hand, was no
> emergency.
>
> More important, and I don't care how much Theresa May doublespeaks
> otherwise, it also begins to implement the measures in the Comms bill
> which was rejected a couple years ago.
>
> They didn't see the latter, didn't care, or were complicit. But anyone
> who believed it had nothing to do with the comms bill got screwed.
>
> -- Peter Fairbrother
>

From g+ukcrypto at cobb.uk.net Sun Jul 20 16:38:42 2014
From: g+ukcrypto at cobb.uk.net (Graham Cobb)
Date: Sun, 20 Jul 2014 16:38:42 +0100
Subject: Data retention question
Message-ID: <53CBE282.2060005@cobb.uk.net>

On 19/07/14 21:09, Roland Perry wrote:
> In article <53C7F856.1030500 at cobb.uk.net>, Graham Cobb
> writes
>> Realistically, is there much point trying to educate MPs?
>
> I hope so. I think there might also be some point in educating people
> outside parliament on how legislation passes through the system.

We will have to agree to differ: on fairly technical subjects, like crypto, I see little point in educating MPs -- concentrate the efforts on the civil servants setting policy and, particularly, those drafting the legislation.

Where I do see point, is in educating MPs on "softer" topics -- more political and policy related. For example, the importance of human rights: including how the right to privacy is critical to other rights they are more aware of and already care more about, such as free expression, health, family life, safety, business, etc.

It might be worth trying to educate them on how the rule of law in the Internet age is dependent on governance with consent, and that getting consent means respecting human rights, particularly those that despotic regimes ride roughshod over.
Most important of all, the challenge is how to make rights such as privacy important to the electorate, so that they become important to politicians. Once that happens, crypto can take care of itself.

Graham

From zenadsl6186 at zen.co.uk Sun Jul 20 21:20:30 2014
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sun, 20 Jul 2014 21:20:30 +0100
Subject: Data retentio
Message-ID: <53CC248E.7010806@zen.co.uk>

On 19/07/14 20:22, Adrian Midgley wrote:
>
> On 17 Jul 2014 13:58, "Ian Batten" wrote:
>
> > can claim to be waging an effective war on bad stuff, using a vital crime
> > fighting tool, when in fact they're using a weapon mostly effective against
> > idiots to arrest idiots.
>
> And lunatics.
>

But if they weren't arresting anyone, that would be bad ..

From james2 at jfirth.net Mon Jul 21 09:11:44 2014
From: james2 at jfirth.net (AO Forum Email)
Date: Mon, 21 Jul 2014 09:11:44 +0100
Subject: Data retention question
In-Reply-To: <9D4645F9555043F0879F8153DA9CBA18@MaryPC>
Message-ID: <008a01cfa4bb$694ce380$3be6aa80$@net>

I don't know if anyone caught my blog on the subject but I noticed that DRIP was notified to Europe last week under the Authorisation Directive, since it constitutes a technical measure that will affect cross-border
supply of telecommunications services.

http://www.sroc.eu/2014/07/emergency-data-retention-legislation.html

This is interesting because in practice the EC Trade and Industry body is being asked to rubber-stamp legislation that replaces EU legislation that the ECtHR has struck down.

The timetable will be interesting. Usually it's a 3-month notification period to allow interested parties to comment (and other member states to raise objections) but some discussion on Twitter indicated an "emergency" timetable is allowed under Article 9 ss7 of the Authorisation Directive (98/34/EC):

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1998:204:0037:0048:EN:PDF

It will be interesting to see if this leads to a stand-off with govt and UK politicians claiming Europe is blocking emergency laws needed to tackle terrorists.

In fact it will be interesting to see whether the UK government claims this law is active or not once Royal Assent has been granted.

Maybe the 3-month notification window is why Government decided to rush it through before summer recess?

Also I would be interested to know how much capability would be lost if DRIP stalled. TSPs could lose some extraneous data but one assumes billing data and many email logs etc would be retained. And retained, "legitimately", under DPA, claiming necessary for e.g. security (who accessed my account and when), spam filter tuning, billing records, etc - plus all the location data Application Service Providers like to keep to tune their targeted advertising profiles, etc.

But my suspicion is the vast bulk of data requested by police forces would remain available. Who texted whom, etc.
James Firth

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Mary Hawking
> Sent: 19 July 2014 8:30 PM
> To: 'UK Cryptography Policy Discussion Group'
> Subject: RE: Data retention question
>
> Is that (conspiracy theory) the reason they were not given any opportunity
> for scrutiny?
>
> Mary Hawking
> Retired from NHS on 31.3.13 because of the Health and Social Care Act 2012
> "thinking - independent thinking - is to humans as swimming is to cats: we
> can do it if we really have to." - Mark Earles on Radio 4
> blog http://maryhawking.wordpress.com/ And Fred!
> http://primaryhealthinfo.wordpress.com/2013/11/02/freds-saying-you-just-dont-get-it/
>
> -----Original Message-----
> From: Peter Fairbrother [mailto:zenadsl6186 at zen.co.uk]
> Sent: 18 July 2014 23:14
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Data retention question
>
> On 18/07/14 17:18, Brian Morrison wrote:
>
> > This time 450+ MPs appear to have not noticed that the new legislation
> > makes the blanket data retention aspects even worse and hence the ECJ
> > objection to its predecessor is quite unchanged.
>
> I don't think that's the case - while it does nothing to make the
> blanket collection regime better, it doesn't seem to me to make it any
> worse.
>
> What the MPs apparently did fail to notice was that the Bill was in two
> unrelated parts: though the first clue was in the name, the Data
> Retention and Investigatory Powers bill.
>
> The Data Retention bit, sections 1 and 2, while wrong-headed and the
> wrong way to do it, and not complying with the ECtJ decision, and mostly
> caused by their previous inaction, was in fact a real possible emergency.
>
> “Paedophiles and terrorists will walk free if you vote this down” - I
> can't say I can actually disagree with that.
>
> The Investigatory Powers part (sections 3-5), on the other hand, was no
> emergency.
>
> More important, and I don't care how much Theresa May doublespeaks
> otherwise, it also begins to implement the measures in the Comms bill
> which was rejected a couple years ago.
>
> They didn't see the latter, didn't care, or were complicit. But anyone
> who believed it had nothing to do with the comms bill got screwed.
>
> -- Peter Fairbrother
>
> > Or did the whips
> > blackmail them all by referring to their character notes?
> >

From wendyg at pelicancrossing.net Mon Jul 21 12:38:25 2014
From: wendyg at pelicancrossing.net (Wendy M. Grossman)
Date: Mon, 21 Jul 2014 12:38:25 +0100
Subject: Data retention question
In-Reply-To: <008a01cfa4bb$694ce380$3be6aa80$@net>
Message-ID: <53CCFBB1.7070008@pelicancrossing.net>

On 07/21/2014 09:11, AO Forum Email wrote:
> It will be interesting to see if this leads to a stand-off with govt and UK
> politicians claiming Europe is blocking emergency laws needed to tackle
> terrorists.

And then how far they would use that as a reason to get out of the ECHR.
wg
--
www.pelicancrossing.net <-- all about me
Twitter: @wendyg

From fjmd1a at gmail.com Mon Jul 21 12:38:49 2014
From: fjmd1a at gmail.com (Francis Davey)
Date: Mon, 21 Jul 2014 12:38:49 +0100
Subject: Data retention question
In-Reply-To: <008a01cfa4bb$694ce380$3be6aa80$@net>

2014-07-21 9:11 GMT+01:00 AO Forum Email:

>
> The timetable will be interesting. Usually it's a 3-month notification
> period to allow interested parties to comment (and other member states to
> raise objections) but some discussion on Twitter indicated an "emergency"
> timetable is allowed under Article 9 ss7 of the Authorisation Directive
> (98/34/EC):
>
> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1998:204:0037:0048:EN:PDF

Yes, that's what I thought the government would try to use. The Commission are usually very strict about interpreting what counts as an "emergency". They might well feel that this isn't.

--
Francis Davey

From lists at internetpolicyagency.com Mon Jul 21 14:25:23 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 21 Jul 2014 14:25:23 +0100
Subject: Data retention question
In-Reply-To: <53CBE282.2060005@cobb.uk.net>

In article <53CBE282.2060005 at cobb.uk.net>, Graham Cobb writes
>Where I do see point, is in educating MPs on "softer" topics -- more
>political and policy related. For example, the importance of human
>rights: including how the right to privacy is critical to other rights
>they are more aware of and already care more about, such as free
>expression, health, family life, safety, business, etc.

I agree quite strongly. To take one example, unsolicited email (which is a privacy, business and safety issue - assuming one doesn't also subscribe to the view that spam should be allowed as a form of self-expression).

MPs in Westminster (of all parties) in the run-up to the 2001 election couldn't initially see anything wrong in using email addresses their party machines had acquired, in order to spam them with political 'marketing'. (The Data Protection Registrar having agreed that such emails would indeed count as marketing).

I had to go to a meeting arranged by the all-party IT group to explain to them why this was wrong (from the point of view of UK-based ISPs acting on behalf of their long suffering customers).
Fast-forward to Europe a year later, when it was necessary to engage in an education campaign for Euro-MPs to vote against proposals to make email spamming legal unless someone complained on a case-by-case basis to the sender (aka opted-out).

The MPs' excuse was that the systems they were familiar with filtered spam into a folder that they could ignore, so didn't understand why it was an issue for the public to be deluged with spam because it was so easy to ignore.

--
Roland Perry

From brg at gladman.plus.com Mon Jul 21 15:34:43 2014
From: brg at gladman.plus.com (Brian Gladman)
Date: Mon, 21 Jul 2014 15:34:43 +0100
Subject: Data retention question
Message-ID: <53CD2503.6000702@gladman.plus.com>

On 19/07/2014 21:12, Roland Perry wrote:
> In article <53C802A4.2070700 at gladman.plus.com>, Brian Gladman
> writes
>>> But what do you do if your chosen independent candidate is 100% on side
>>> over data retention, but 100% off-side on things like immigration,
>>> education, transport, broadband rollout, taxation and pensions?
>>
>> They will enter an election in which, at least in principle, their
>> constituents will select them based on the policies that they advocate.
>
> They do that already. You are missing the point - every MP, whether
> following a "party line" or not, will tend to have some policies an
> elector will agree with and some that they don't.
It is of course very likely that the independent MP will be elected based on his views on the 'big' issues just as happens now. But, although there may be some occasions such as you suggest, a far more likely situation is that many independents will be far more open to listening to the views of their constituents in formulating their own positions on the many non-core issues that come up. And with no party line to follow (and no whips) this will typically mean that constituents will have far greater chance of influencing the line that their MP takes than they do now. Of course, the problem then is that of making progress on such issues when he or she gets to Parliament where there will be several hundred different views on several hundred non-core issues. It would need a very good independent to make progress on non-core issues in such a situation but it should at least mean that debates on such issues would be more meaningful than they are now. However, as I said earlier, it might be better to keep the Party system but weaken it considerably by having free votes on all but a small core of policies (e.g. votes of confidence and the budget). Brian Gladman From pwt at iosis.co.uk Thu Jul 24 14:39:25 2014 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 24 Jul 2014 14:39:25 +0100 Subject: Legal challenge to DRIP Message-ID: <53D10C8D.7010601@iosis.co.uk> From Pinsent Masons weekly news: Civil rights campaigners Liberty said it will seek a judicial review of the Data Retention and Investigatory Powers (DRIP) Act on behalf of two MPs, David Davis and Tom Watson. 
http://www.out-law.com/en/articles/2014/july/legal-challenge-lodged-against-new-uk-data-retention-laws/ Peter From Andrew.Cormack at ja.net Fri Jul 25 10:46:44 2014 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Fri, 25 Jul 2014 09:46:44 +0000 Subject: Data retention question In-Reply-To: <008a01cfa4bb$694ce380$3be6aa80$@net> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk><53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> Message-ID: <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> James On the question of what might be lost, a long time ago LINX consulted Elizabeth France (yes, *that* long ago) and concluded that "necessary for security" probably covered retention of all logs for roughly six months. Since Janet is a private network, not covered by either set of Data Retention laws (nor ATCSA) we've continued to recommend that retention period to universities and colleges, and it still feels about right. Sadly the time to detect security incidents hasn't improved much (see, the Verizon DBIR, for example). LINX still publish that recommendation as their Traceability BCP, though I've long had a suspicion that we were the only ones still using it! 
Other business processes in commercial telcos/ISPs may provide a DPA justification for keeping (some) logs for longer than six months, but I don't know whether they'd extend to the full period covered by the Data Retention Regs. Since ATCSA was phrased as a new DPA justification, I suspect that someone back then thought not. So I'd expect the same logs to be retained without the Regs, but maybe not for as long? Cheers Andrew -- Andrew Cormack Chief Regulatory Adviser, Janet t: +44 1235 822302 b: https://community.ja.net/blogs/regulatory-developments Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No.2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238 > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of AO Forum Email > Sent: 21 July 2014 09:12 > To: 'UK Cryptography Policy Discussion Group' > Subject: RE: Data retention question > > I don't know if anyone caught my blog on the subject but I noticed that > DRIP > was notified to Europe last week under the Authorisation Directive, > since it > constitutes a technical measure that will affect cross-border supply of > telecommunications services. > > http://www.sroc.eu/2014/07/emergency-data-retention-legislation.html > > This is interesting because in practice the EC Trade and Industry body > is > being asked to rubber-stamp legislation that replaces EU legislation > that > the ECtHR has struck down. > > The timetable will be interesting. 
Usually it's a 3-month notification > period to allow interested parties to comment (and other member states > to > raise objections) but some discussion on Twitter indicated an > "emergency" > timetable is allowed under Article 9 ss7 of the Authorisation Directive > (98/34/EC): > http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1998:204:0037:0048:EN:PDF > > It will be interesting to see if this leads to a stand-off with govt > and UK > politicians claiming Europe is blocking emergency laws needed to tackle > terrorists. > > In fact it will be interesting to see whether the UK government claims > this > law is active or not once Royal Assent has been granted. Maybe the 3- > month > notification window is why Government decided to rush it through before > summer recess? > > Also I would be interested to know how much capability would be lost if > DRIP > stalled. TSPs could lose some extraneous data but one assumes billing > data > and many email logs etc would be retained. > > And retained, "legitimately", under DPA, claiming necessary for e.g. > security (who accessed my account and when), spam filter tuning, > billing > records, etc - plus all the location data Application Service Providers > like > to keep to tune their targeted advertising profiles, etc. > > But my suspicion is the vast bulk of data requested by police forces > would > remain available. Who texted whom, etc. > > James Firth > > > > -----Original Message----- > > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > > bounces at chiark.greenend.org.uk] On Behalf Of Mary Hawking > > Sent: 19 July 2014 8:30 PM > > To: 'UK Cryptography Policy Discussion Group' > > Subject: RE: Data retention question > > > > Is that (conspiracy theory) the reason they were not given any > opportunity > > for scrutiny? 
> > > > Mary Hawking > > Retired from NHS on 31.3.13 because of the Health and Social Care Act > 2012 > > "thinking - independent thinking - is to humans as swimming is to > cats: we > > can do it if we really have to."? Mark Earles on Radio 4 > > blog http://maryhawking.wordpress.com/ And Fred! > > http://primaryhealthinfo.wordpress.com/2013/11/02/freds-saying-you- > just- > > dont > > -get-it/ > > > > -----Original Message----- > > From: Peter Fairbrother [mailto:zenadsl6186 at zen.co.uk] > > Sent: 18 July 2014 23:14 > > To: UK Cryptography Policy Discussion Group > > Subject: Re: Data retention question > > > > On 18/07/14 17:18, Brian Morrison wrote: > > > > > This time 450+ MPs appear to have not noticed that the new > legislation > > > makes the blanket data retention aspects even worse and hence the > ECJ > > > objection to its predecessor is quite unchanged. > > > > I don't think that's the case - while it does nothing to make the > > blanket collection regime better, it doesn't seem to me to make it > any > > worse. > > > > > > > > What the MPs apparently did fail to notice was that the Bill was in > two > > unrelated parts: though the first clue was in the name, the Data > > Retention and Investigatory Powers bill. > > > > > > The Data Retention bit, sections 1 and 2, while wrong-headed and the > > wrong way to do it, and not complying with the ECtJ decision, and > mostly > > caused by their previous inaction, was in fact a real possible > emergency. > > > > "Paedophiles and terrorists will walk free if you vote this down" - I > > can't say I can actually disagree with that. > > > > > > > > The Investigatory Powers part (sections 3-5), on the other hand, was > no > > emergency. > > > > More important, and I don't care how much Teresa May doublespeaks > > otherwise, it also begins to implement the measures in the Comms bill > > which was rejected a couple years ago. > > > > > > > > They didn't see the latter, didn't care, or were complicit. 
But > anyone > > who believed it had nothing to do with the comms bill got screwed. > > > > > > > > -- Peter Fairbrother > > > > > > > > > > > Or did the whips > > > blackmail them all by referring to their character notes? > > > > > > > > > > > > > > > From lists at casparbowden.net Fri Jul 25 11:30:03 2014 From: lists at casparbowden.net (Caspar Bowden (lists)) Date: Fri, 25 Jul 2014 12:30:03 +0200 Subject: Data retention question In-Reply-To: <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk><53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> Message-ID: <53D231AB.30803@casparbowden.net> On 07/25/14 11:46, Andrew Cormack wrote: > James > On the question of what might be lost, a long time ago LINX consulted Elizabeth France (yes, *that* long ago) and concluded that "necessary for security" probably covered retention of all logs for roughly six months. And obviously DP Registrar then, as ICO now, renowned as leading authority on Internet technology and punctilious assessment of the "strict necessity" (CJEU words) of infringements to private life arising therefrom. 
{/heavy_sarcasm} Caspar From Andrew.Cormack at ja.net Fri Jul 25 14:00:10 2014 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Fri, 25 Jul 2014 13:00:10 +0000 Subject: Data retention question In-Reply-To: <53D231AB.30803@casparbowden.net> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk><53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> Message-ID: <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Caspar Bowden (lists) > Sent: 25 July 2014 11:30 > To: UK Cryptography Policy Discussion Group > Subject: Re: Data retention question > > On 07/25/14 11:46, Andrew Cormack wrote: > > James > > On the question of what might be lost, a long time ago LINX consulted > Elizabeth France (yes, *that* long ago) and concluded that "necessary > for security" probably covered retention of all logs for roughly six > months. > > And obviously DP Registrar then, as ICO now, renowned as leading > authority on Internet technology and punctilious assessment of the > "strict necessity" (CJEU words) of infringements to private life > arising > therefrom. 
> > {/heavy_sarcasm} > > Caspar The shorter time you keep logs for, the less chance of determining either the cause or impact of breaches of privacy such as Target. I wish companies holding personal data were better at detecting incidents, but DBIR et al suggest it's not happening. Andrew -- Andrew Cormack Chief Regulatory Adviser, Janet t: +44 1235 822302 b: https://community.ja.net/blogs/regulatory-developments Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No.2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238 From lists at casparbowden.net Fri Jul 25 14:15:48 2014 From: lists at casparbowden.net (Caspar Bowden (lists)) Date: Fri, 25 Jul 2014 15:15:48 +0200 Subject: Data retention question In-Reply-To: <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk><53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> Message-ID: <53D25884.4080808@casparbowden.net> On 07/25/14 15:00, Andrew Cormack wrote: >> -----Original Message----- >> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- 
>> bounces at chiark.greenend.org.uk] On Behalf Of Caspar Bowden (lists) >> Sent: 25 July 2014 11:30 >> To: UK Cryptography Policy Discussion Group >> Subject: Re: Data retention question >> >> On 07/25/14 11:46, Andrew Cormack wrote: >>> James >>> On the question of what might be lost, a long time ago LINX consulted >> Elizabeth France (yes, *that* long ago) and concluded that "necessary >> for security" probably covered retention of all logs for roughly six >> months. >> >> And obviously DP Registrar then, as ICO now, renowned as leading >> authority on Internet technology and punctilious assessment of the >> "strict necessity" (CJEU words) of infringements to private life >> arising >> therefrom. >> >> {/heavy_sarcasm} >> >> Caspar > The shorter time you keep logs for, the less chance of determining either the cause or impact of breaches of privacy such as Target. I wish companies holding personal data were better at detecting incidents, but DBIR et al suggest it's not happening. Nobody forced customers to use Target, but most users have no choice in JANET-type provider. Running a comms service (public or private) entails obligations of comms data minimization against which security/availability of the service are factors to be weighed against (not trumping) privacy. The public still doesn't realize that little stitch-ups legitimating retention like this go way back to France's era, under the deluded collective premise that a public benefit was being served, rather than damn-nearly-fatal erosion of a fundamental right. 
CB From igb at batten.eu.org Fri Jul 25 16:28:30 2014 From: igb at batten.eu.org (Ian Batten) Date: Fri, 25 Jul 2014 16:28:30 +0100 Subject: Data retention question In-Reply-To: <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk><53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> Message-ID: <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> On 25 Jul 2014, at 14:00, Andrew Cormack wrote: > > The shorter time you keep logs for, the less chance of determining either the cause or impact of breaches of privacy such as Target. On the other hand, the longer you keep logs for, the greater chance there is a having a breach of privacy, because the logs themselves are a target. That trade-off is something that the subjects of the logs should be involved in. 
ian From lists at internetpolicyagency.com Fri Jul 25 18:58:50 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 25 Jul 2014 18:58:50 +0100 Subject: Data retention question In-Reply-To: <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> Message-ID: In article <32CE680C-2BC0-406D-82B8-535D61D10D29 at batten.eu.org>, Ian Batten writes >> The shorter time you keep logs for, the less chance of determining either the cause or impact of breaches of privacy such as Target. > >On the other hand, the longer you keep logs for, the greater chance there is a having a breach of privacy, because the logs themselves are a >target. That trade-off is something that the subjects of the logs should be involved in. I assume any criminals using the Internet would vote for a short/zero retention time. "Wild West" doesn't even begin to describe the consequences. 
-- Roland Perry From igb at batten.eu.org Fri Jul 25 19:43:29 2014 From: igb at batten.eu.org (Ian Batten) Date: Fri, 25 Jul 2014 19:43:29 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> Message-ID: On 25 Jul 2014, at 18:58, Roland Perry wrote: > In article <32CE680C-2BC0-406D-82B8-535D61D10D29 at batten.eu.org>, Ian Batten writes >>> The shorter time you keep logs for, the less chance of determining either the cause or impact of breaches of privacy such as Target. >> >> On the other hand, the longer you keep logs for, the greater chance there is a having a breach of privacy, because the logs themselves are a >> target. That trade-off is something that the subjects of the logs should be involved in. > > I assume any criminals using the Internet would vote for a short/zero retention time. "Wild West" doesn't even begin to describe the consequences. > -- "Criminals would like that" is not universal knock-down argument. Cameras in every bedroom would reduce domestic violence. You don't have to be a defender of violent abusers to think that it isn't an appropriate response. It's not enough to assert that a course of action would be popular with criminals. 
You have to also show that the unintended consequences don't outweigh the benefits. ian From bakeryworms at gmail.com Fri Jul 25 20:15:41 2014 From: bakeryworms at gmail.com (bakeryworms at gmail.com) Date: Fri, 25 Jul 2014 20:15:41 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> Message-ID: <20140725191541.5984402.41509.491@gmail.com> I don't think any amount of data retention in the UK will have much effect on criminals from far away places outside of Europe target the UK with relative impunity. If the data retention is about terrorists or paedophiles, then why not just have targeted logging of the parts of the Internet that relate to those activities and those who visit them? KRS Mark Original Message From: Roland Perry Sent: Friday, 25 July 2014 19:00 To: ukcrypto at chiark.greenend.org.uk Reply To: UK Cryptography Policy Discussion Group Subject: Re: Data retention question In article <32CE680C-2BC0-406D-82B8-535D61D10D29 at batten.eu.org>, Ian Batten writes >> The shorter time you keep logs for, the less chance of determining either the cause or impact of breaches of privacy such as Target. > >On the other hand, the longer you keep logs for, the greater chance there is a having a breach of privacy, because the logs themselves are a >target. That trade-off is something that the subjects of the logs should be involved in. I assume any criminals using the Internet would vote for a short/zero retention time. "Wild West" doesn't even begin to describe the consequences. 
-- Roland Perry From lists at internetpolicyagency.com Fri Jul 25 20:40:53 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 25 Jul 2014 20:40:53 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> Message-ID: In article , Ian Batten writes >"Criminals would like that" is not universal knock-down argument. Cameras in every >bedroom would reduce domestic violence. Not very much, it generally takes place elsewhere. >You don't have to be a defender of violent abusers to think that it >isn't an appropriate response. But being able to show where emailed death-threats (eg from an estranged ex-partner) were coming from might help. 
-- Roland Perry From lists at internetpolicyagency.com Fri Jul 25 20:43:19 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 25 Jul 2014 20:43:19 +0100 Subject: Data retention question In-Reply-To: <20140725191541.5984402.41509.491@gmail.com> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> <20140725191541.5984402.41509.491@gmail.com> Message-ID: In article <20140725191541.5984402.41509.491 at gmail.com>, bakeryworms at gmail.com writes >If the data retention is about terrorists or paedophiles, They are by no means the only serious criminal activities. >then why not just have targeted logging of the parts of the Internet >that relate to those activities and those who visit them? If only it was that simple. 
-- Roland Perry From james at talkunafraid.co.uk Fri Jul 25 21:20:43 2014 From: james at talkunafraid.co.uk (James Harrison) Date: Fri, 25 Jul 2014 21:20:43 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> Message-ID: <53D2BC1B.8040501@talkunafraid.co.uk> On 25/07/2014 20:40, Roland Perry wrote: > > But being able to show where emailed death-threats (eg from an > estranged ex-partner) were coming from might help. It's also very useful for the Chinese or Iranian authorities to know who is searching for nasty filth like "democracy". It doesn't take a genius to see that by having these systems permitted by law, a rogue actor, particularly nasty government or intelligence agency can be much more effective in suppressing the populace. Do you value your safety more than you value your liberty? Of course, networks like Tor, I2P, Freenet et al fundamentally make logging useless and connections practically untraceable (fingerprinting and the like aside - properly used, it's irrelevant). So should we ban this sick filth? Ignore all the good it brings and focus on the negative uses? By extension we can't trace letters - let's ban the postal service. We can't trace in-person visits... where _do_ you draw the line, hm? 
Are you happy with the government installing microphones and cameras in every room of every house, with the proviso that they won't listen to the recordings (that they keep for a year) unless you become "of interest"? Because for people whose lives are increasingly online, DRIP/RIPA's retention laws are equivalent to almost precisely that (metadata ~= content, in the context of things like addresses of websites you visit - "oh, visited http://some-specific-page.com/path.html - but that's all we know, no way we can get the content of the message there"). -- Cheers, James Harrison From bakeryworms at gmail.com Fri Jul 25 21:48:31 2014 From: bakeryworms at gmail.com (bakeryworms at gmail.com) Date: Fri, 25 Jul 2014 21:48:31 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> 
<20140725191541.5984402.41509.491@gmail.com> Message-ID: <20140725204831.5984402.49254.495@gmail.com> 'if only it was that simple' No, it's not - it should start with a suspicion of criminal activity and go from there. Not start with a presumption. KRS Mark Original Message From: Roland Perry Sent: Friday, 25 July 2014 20:44 To: ukcrypto at chiark.greenend.org.uk Reply To: UK Cryptography Policy Discussion Group Subject: Re: Data retention question In article <20140725191541.5984402.41509.491 at gmail.com>, bakeryworms at gmail.com writes >If the data retention is about terrorists or paedophiles, They are by no means the only serious criminal activities. >then why not just have targeted logging of the parts of the Internet >that relate to those activities and those who visit them? If only it was that simple. -- Roland Perry From igb at batten.eu.org Fri Jul 25 23:04:00 2014 From: igb at batten.eu.org (Ian Batten) Date: Fri, 25 Jul 2014 23:04:00 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> Message-ID: <48388DD4-4697-4752-8ECF-9A98867DC413@batten.eu.org> On 25 Jul 2014, at 20:40, Roland Perry wrote: > In article , Ian Batten writes >> "Criminals would like that" is not universal knock-down argument. Cameras in every >> bedroom would reduce domestic violence. 
> > Not very much, it generally takes place elsewhere. > >> You don't have to be a defender of violent abusers to think that it isn't an appropriate response. > > But being able to show where emailed death-threats (eg from an estranged ex-partner) were coming from might help. We've functioned perfectly well as a society without needing to log the sender of every piece of paper mail posted. Why does electronic communication need more accurate logging? ian From zenadsl6186 at zen.co.uk Sat Jul 26 08:32:58 2014 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Sat, 26 Jul 2014 08:32:58 +0100 Subject: Data retention question In-Reply-To: <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk><53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> Message-ID: <53D359AA.8070106@zen.co.uk> On 25/07/14 10:46, Andrew Cormack wrote: > James On the question of what might be lost, a long time ago LINX > consulted Elizabeth France (yes, *that* long ago) and concluded that > "necessary for security" probably covered retention of all logs for > roughly six months. I am a little uncertain as to what "necessary for security" actually means. Whose security? Security of what? 
If you mean the security of the network, why would a network need to keep any customer logs at all? -- Peter Fairbrother From wendyg at pelicancrossing.net Sat Jul 26 14:39:37 2014 From: wendyg at pelicancrossing.net (Wendy M. Grossman) Date: Sat, 26 Jul 2014 14:39:37 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> Message-ID: <53D3AF99.6000804@pelicancrossing.net> On 07/25/2014 20:40, Roland Perry wrote: > In article , Ian > Batten writes >> "Criminals would like that" is not universal knock-down argument. >> Cameras in every >> bedroom would reduce domestic violence. > > Not very much, it generally takes place elsewhere. > >> You don't have to be a defender of violent abusers to think that it >> isn't an appropriate response. > > But being able to show where emailed death-threats (eg from an estranged > ex-partner) were coming from might help. > One of the most concerned people I know about data privacy is Cindy Southworth, the executive director of the (US) National Network to End Domestic Violence. I doubt you'll find her favoring data retention as a solution - the much bigger risk is the abuser being able to track his victim. 
wg -- www.pelicancrossing.net <-- all about me Twitter: @wendyg From Andrew.Cormack at ja.net Mon Jul 28 10:28:14 2014 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Mon, 28 Jul 2014 09:28:14 +0000 Subject: Data retention question In-Reply-To: <53D359AA.8070106@zen.co.uk> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk><53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D359AA.8070106@zen.co.uk> Message-ID: <61E52F3A5532BE43B0211254F13883AEA4AF4421@EXC001> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Peter Fairbrother > Sent: 26 July 2014 08:33 > To: UK Cryptography Policy Discussion Group > Subject: Re: Data retention question > > On 25/07/14 10:46, Andrew Cormack wrote: > > James On the question of what might be lost, a long time ago LINX > > consulted Elizabeth France (yes, *that* long ago) and concluded that > > "necessary for security" probably covered retention of all logs for > > roughly six months. > > I am a little uncertain as to what "necessary for security" actually > means. Whose security? Security of what? > > If you mean the security of the network, why would a network need to > keep any customer logs at all? "Necessary for security" wasn't my phrase. 
Actually I suspect that a lot of protecting the security/availability of a network service can probably mostly be done using aggregated flow data. But detecting and protecting breaches of end systems, whether servers or clients, does seem to me to be a genuinely hard privacy question. That does need logs of activity by individual users and on individual records: the longer I keep the logs then the greater privacy threat the logs themselves become. But if I reduce the retention period then I increase the risk that when a breach does occur I won't be able to look back and find out either how it happened or who was affected. Depressingly, the results from the Verizon breach survey suggest that compromise to detection could easily be more than six months :( As the law heads towards mandatory reporting of breaches and also mandatory minimisation of data, that dilemma between keeping logs and not keeping them is going to get sharper, so if there's any reliable research on where the best balance lies I'd be interested to hear of it? Andrew -- Andrew Cormack Chief Regulatory Adviser, Janet t: +44 1235 822302 b: https://community.ja.net/blogs/regulatory-developments Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No.2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 
614944238 From zenadsl6186 at zen.co.uk Tue Jul 29 09:29:41 2014 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Tue, 29 Jul 2014 09:29:41 +0100 Subject: Data retention question In-Reply-To: <61E52F3A5532BE43B0211254F13883AEA4AF4421@EXC001> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk><53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D359AA.8070106@zen.co.uk> <61E52F3A5532BE43B0211254F13883AEA4AF4421@EXC001> Message-ID: <53D75B75.5080604@zen.co.uk> On 28/07/14 10:28, Andrew Cormack wrote: >> On Behalf Of Peter Fairbrother >> On 25/07/14 10:46, Andrew Cormack wrote: >>> James On the question of what might be lost, a long time ago >>> LINX consulted Elizabeth France (yes, *that* long ago) and >>> concluded that "necessary for security" probably covered >>> retention of all logs for roughly six months. >> >> I am a little uncertain as to what "necessary for security" >> actually means. Whose security? Security of what? >> >> If you mean the security of the network, why would a network need >> to keep any customer logs at all? > > "Necessary for security" wasn't my phrase. Actually I suspect that a > lot of protecting the security/availability of a network service can > probably mostly be done using aggregated flow data. 
Yes, I agree - maybe you would want to keep records of which IP was issued to which customer, but I see no reason to keep records detailing users' individual communications. > But detecting and protecting breaches of end systems, whether servers > or clients, does seem to me to be a genuinely hard privacy question. I don't see it that way so much, as long as the ISP, in its role as a pure packet-passer, has nothing to do with keeping the logs. In practice ISPs do do other things than passing packets, eg they run email servers, webservers, and so on - and keeping logs for those may be necessary for security and in order to maintain the service. For instance, keeping email to-and-from logs may help if you get blacklisted - though I don't see any need to keep them for more than a few days. JANET is of course a different proposition from the average ISP, and I expect you have many different roles to perform - but I don't think even you need to keep detailed user network records in order to protect the network. Use of email and other services you provide, yes as needed. Packets passed, no. [ though of course if you keep detailed records of all traffic, including content, that might one day allow you to trace a breach which you might not otherwise be able to trace - however privacy must come into it somewhere, and like keeping packet-level records, keeping all traffic would be too much. On the DRIP issue, Cameron said he is "not prepared to be a prime minister who addressed people after a terrorist incident, saying he could have done more to prevent it." But that will always be the case, you can always do more. The real question to ask is, is it worth the cost - how well does it work, and is that result good value in terms of money, lost liberties, lost privacy. There are no absolutes here, just calculations. Calculations of risk and reward - calculations which I do not believe the involved politicians and civil servants actually make, or even know how to make. 
Let's see the numbers! ] > That does need logs of activity by individual users and on individual > records: the longer I keep the logs then the greater privacy threat > the logs themselves become. But if I reduce the retention period then > I increase the risk that when a breach does occur I won't be able to > look back and find out either how it happened or who was affected. > Depressingly, the results from the Verizon breach survey suggest that > compromise to detection could easily be more than six months :( The types of breaches in the report seem to be breaches in an attached server, not in the network itself - the operators of the server may well want to keep detailed logs, but I don't see that an ISP which does not run the server has any need to. > As the law heads towards mandatory reporting of breaches and also > mandatory minimisation of data, that dilemma between keeping logs and > not keeping them is going to get sharper, so if there's any reliable > research on where the best balance lies I'd be interested to hear of > it? I don't know of any research into that specific area - but in general we do know how to do the math behind the risk and reward calculations. It's just hard to get people to agree on the values of the risks and rewards. -- Peter Fairbrother From Ross.Anderson at cl.cam.ac.uk Tue Jul 29 08:38:38 2014 From: Ross.Anderson at cl.cam.ac.uk (Ross Anderson) Date: Tue, 29 Jul 2014 08:38:38 +0100 Subject: Data retention question Message-ID: Andrew Cormack: > As the law heads towards mandatory reporting of breaches and also mandatory > minimisation of data, that dilemma between keeping logs and not keeping them is going > to get sharper, so if there's any reliable research on where the best balance lies I'd be > interested to hear of it? 
We did a big report for ENISA in 2008 which recommended that the EU move towards reporting security breaches to affected citizens, as in the USA: https://www.lightbluetouchpaper.org/2008/03/07/security-economics-and-the-eu/ Unfortunately ENISA decided that it would rather have breaches reported to a network of intelligence agencies, with itself at the centre. Hence the NIS Directive. I'm afraid that if you try to minimise our data before you send it off to the spooks, they will probably pass a law pretty quick to stop you. All in the name of "situational awareness", old boy ... Ross From Andrew.Cormack at ja.net Tue Jul 29 11:42:00 2014 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Tue, 29 Jul 2014 10:42:00 +0000 Subject: Data retention question In-Reply-To: <53D75B75.5080604@zen.co.uk> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C58924.8050304@zen.co.uk><53C58F06.3000501@cobb.uk.net> <53C59497.3050408@talkunafraid.co.uk> <64462341-AD75-499F-A468-662F8C510A8B@batten.eu.org> <53C597F8.30103@talkunafraid.co.uk> <20140716131136.00007438@surtees.fenrir.org.uk> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D359AA.8070106@zen.co.uk> <61E52F3A5532BE43B0211254F13883AEA4AF4421@EXC001> <53D75B75.5080604@zen.co.uk> Message-ID: <61E52F3A5532BE43B0211254F13883AEA4AF7965@EXC001> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Peter Fairbrother > Sent: 29 July 2014 09:30 > To: ukcrypto at 
chiark.greenend.org.uk > Subject: Re: Data retention question > > On 28/07/14 10:28, Andrew Cormack wrote: > >> On Behalf Of Peter Fairbrother > >> On 25/07/14 10:46, Andrew Cormack wrote: > > >>> James On the question of what might be lost, a long time ago > >>> LINX consulted Elizabeth France (yes, *that* long ago) and > >>> concluded that "necessary for security" probably covered > >>> retention of all logs for roughly six months. > >> > >> I am a little uncertain as to what "necessary for security" > >> actually means. Whose security? Security of what? > >> > >> If you mean the security of the network, why would a network need > >> to keep any customer logs at all? > > > > "Necessary for security" wasn't my phrase. Actually I suspect that a > > lot of protecting the security/availability of a network service can > > probably mostly be done using aggregated flow data. > > Yes, I agree - maybe you would want to keep records of which IP was > issued to which customer, but I see no reason to keep records detailing > users' individual communications. Nor do I, and we don't have anywhere near the technology that would be needed to collect either comms data or content on our links (100Gbps) anyway. Identification and helping the user is something we leave to the responsible university/college - we just send them the network coordinates and time and the nature (to the extent that we can determine it) of the problem. Even within universities, I recommend doing identification as a separate process (probably formally escalated) from investigation to protect both the investigated and the investigator. > > But detecting and protecting breaches of end systems, whether servers > > or clients, does seem to me to be a genuinely hard privacy question. > > > I don't see it that way so much, as long as the ISP, in its role as a > pure packet-passer, has nothing to do with keeping the logs. 
> > In practice ISPs do do other things than passing packets, eg they run > email servers, webservers, and so on - and keeping logs for those may > be > necessary for security and in order to maintain the service. For > instance, keeping email to-and-from logs may help if you get > blacklisted > - though I don't see any need to keep them for more than a few days. Agreed on what to keep, and why. Though from my experience as postmaster, users expect you to be able to resolve problems a lot longer after the event than that. Typically, "my supervisor didn't receive the essay I sent last term, what happened to it?" :( > JANET is of course a different proposition from the average ISP, and I > expect you have many different roles to perform - but I don't think > even > you need to keep detailed user network records in order to protect the > network. > > Use of email and other services you provide, yes as needed. Packets > passed, no. > > though of course if you keep detailed records of all traffic, including > content, that might one day allow you to trace a breach which you might > not otherwise be able to trace - however privacy must come into it > somewhere, and like keeping packet-level records, keeping all traffic > would be too much. Completely agree! > On the DRIP issue, Cameron said he is "not prepared to be a prime > minister who addressed people after a terrorist incident, saying he > could have done more to prevent it." > > But that will always be the case, you can always do more. > > The real question to ask is, is it worth the cost - how well does it > work, and is that result good value in terms of money, lost liberties, > lost privacy. > > There are no absolutes here, just calculations. > > Calculations of risk and reward - calculations which I do not believe > the involved politicians and civil servants actually make, or even know > how to make. > > Let's see the numbers! 
> > ] > > > > That does need logs of activity by individual users and on individual > > records: the longer I keep the logs then the greater privacy threat > > the logs themselves become. But if I reduce the retention period then > > I increase the risk that when a breach does occur I won't be able to > > look back and find out either how it happened or who was affected. > > Depressingly, the results from the Verizon breach survey suggest that > > compromise to detection could easily be more than six months :( > > The types of breaches in the report seem to be breaches in an attached > server, not in the network itself - the operators of the server may > well > want to keep detailed logs, but I don't see that an ISP which does not > run the server has any need to. > > > As the law heads towards mandatory reporting of breaches and also > > mandatory minimisation of data, that dilemma between keeping logs and > > not keeping them is going to get sharper, so if there's any reliable > > research on where the best balance lies I'd be interested to hear of > > it? > > > I don't know of any research into that specific area - but in general > we > do know how to do the math behind the risk and reward calculations. > > It's just hard to get people to agree on the values of the risks and > rewards. > > -- Peter Fairbrother I just hope someone informed and authoritative (Art29, maybe?) can come up with something before the Regulation makes inconsistent demands on breach notification versus data minimisation. 
Otherwise we'll end up with businesses each making that decision themselves (probably based on the balance of sanctions, rather than any balance of privacy), which hasn't exactly been a great success this far :( Cheers Andrew -- Andrew Cormack Chief Regulatory Adviser, Janet t: +44 1235 822302 b: https://community.ja.net/blogs/regulatory-developments Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No.2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238 From lists at internetpolicyagency.com Tue Jul 29 11:44:37 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 29 Jul 2014 11:44:37 +0100 Subject: Data retention question In-Reply-To: <53D3AF99.6000804@pelicancrossing.net> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> <53D3AF99.6000804@pelicancrossing.net> Message-ID: In article <53D3AF99.6000804 at pelicancrossing.net>, Wendy M. Grossman writes >>> "Criminals would like that" is not universal knock-down argument. >>> Cameras in every >>> bedroom would reduce domestic violence. >> >> Not very much, it generally takes place elsewhere. >> >>> You don't have to be a defender of violent abusers to think that it >>> isn't an appropriate response. 
>> >> But being able to show where emailed death-threats (eg from an estranged >> ex-partner) were coming from might help. > >One of the most concerned people I know about data privacy is Cindy >Southworth, the executive director of the (US) National Network to End >Domestic Violence. I doubt you'll find her favoring data retention as a >solution - the much bigger risk is the abuser being able to track his >victim. Cindy has legitimate concerns, which I share, but it's a different kind of data she's talking about - at an application layer. These are the geo-location facilities in smartphones which facilitate primarily cloud-based apps such as monitor-my-employee/track-my-child/find-my-phone/map-my-photos. It's fairly easy for an abuser to gain unauthorised access to such information, and victims (or survivors as they are called in DV circles) need to be more aware about the potential for their activities to be monitored. The abuser already knows where they live, and pretty much everything else about their digital accounts and footprint. The data is almost certainly being held by a US-based organisation and isn't in a class that EU data retention or disclosure rules have much traction on. Once someone has fled to a shelter (in the UK we'd call them a refuge) everyone agrees it's important to completely cease doing whatever it is that's been causing leakage in the past, to forestall further tracking; although throwing the phone away and/or cancelling all the online accounts is unpopular advice in many quarters. But just 'turning off gps' is not enough. The data which current proposals talk about "retaining", and I say would be useful to track abusers, is at the access level (Comms Data including subscriber details, and not content, to use RIPA terms). And is useful to catalogue the abuser's activity and for example whether they are breaking any restraining orders. 
Classic domestic violence is not the only form of abuse either, and in the early days one of the biggest fears arising from victims is not knowing who their abuser is. If access data can be used to establish a simple fact like that, it can be very helpful. -- Roland Perry From lists at internetpolicyagency.com Tue Jul 29 11:57:40 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 29 Jul 2014 11:57:40 +0100 Subject: Data retention question In-Reply-To: <20140725204831.5984402.49254.495@gmail.com> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> <20140725191541.5984402.41509.491@gmail.com> <20140725204831.5984402.49254.495@gmail.com> Message-ID: In article <20140725204831.5984402.49254.495 at gmail.com>, bakeryworms at gmail.com writes >'if only it was that simple' >No, it's not - it should start with a suspicion of criminal activity >and go from there. Not start with a presumption. Is the Inland Revenue presuming you are a tax dodger when they ask you to keep paperwork for seven years? Shouldn't they just ask people they have suspicion about. Much of the data retention stuff originates in long standing consumer protection law that regards it as appropriate for telcos to keep billing records (in case of disputes) for three billing periods, at a time when a lot of billing was quarterly. The lack of per-transaction billing for a lot of Internet activity does rather break that analogy though. But then there's investigations into 'abuse' to take into account. I often find that people who have had something bad happen to them are less tolerant of the excuse that "there's nothing we can do, because as far as we are concerned it never happened". R. > 
Original Message >From: Roland Perry >Sent: Friday, 25 July 2014 20:44 >To: ukcrypto at chiark.greenend.org.uk >Reply To: UK Cryptography Policy Discussion Group >Subject: Re: Data retention question > >In article <20140725191541.5984402.41509.491 at gmail.com>, >bakeryworms at gmail.com writes >>If the data retention is about terrorists or paedophiles, > >They are by no means the only serious criminal activities. > >>then why not just have targeted logging of the parts of the Internet >>that relate to those activities and those who visit them? > >If only it was that simple. >-- >Roland Perry > > -- Roland Perry From lists at internetpolicyagency.com Tue Jul 29 12:05:12 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 29 Jul 2014 12:05:12 +0100 Subject: Data retention question In-Reply-To: <53D2BC1B.8040501@talkunafraid.co.uk> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> <53D2BC1B.8040501@talkunafraid.co.uk> Message-ID: In article <53D2BC1B.8040501 at talkunafraid.co.uk>, James Harrison writes >Do you value your safety more than you value your liberty? It's not a simplistic tradeoff. If I have a kidnapper's knife to my throat and the only way the police can find me is by geo-locating my phone, then I think I'd rather be alive and findable than dead and not. 
>for people whose >lives are increasingly online, DRIP/RIPA's retention laws are >equivalent to almost precisely that (metadata ~= content, in the >context of things like addresses of websites you visit - "oh, visited >http://some-specific-page.com/path.html - but that's all we know, no >way we can get the content of the message there"). Just to answer this technical point: in theory the part after the first "/" should not be handed over to investigators. As an anonymising formula it's a bit crude, but hundreds of hours of work seemed to show there was nothing better, and it's also better than nothing, which was where we started the discussion. -- Roland Perry From lists at internetpolicyagency.com Tue Jul 29 12:07:48 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 29 Jul 2014 12:07:48 +0100 Subject: Data retention question In-Reply-To: <48388DD4-4697-4752-8ECF-9A98867DC413@batten.eu.org> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> <48388DD4-4697-4752-8ECF-9A98867DC413@batten.eu.org> Message-ID: In article <48388DD4-4697-4752-8ECF-9A98867DC413 at batten.eu.org>, Ian Batten writes >> But being able to show where emailed death-threats (eg from an estranged ex-partner) were coming from might help. > >We've functioned perfectly well as a society without needing to log the sender of every piece of paper mail >posted. 
Why does electronic communication need more accurate logging? On one hand the paper letter may have a postmark, fingerprints, and DNA under the stamp, and perhaps even handwriting to look at. On the other hand electronic communications make "everything" faster and easier. Including what the villains do. Isn't it fair to also allow law enforcement to benefit a little too? -- Roland Perry From bdm at fenrir.org.uk Wed Jul 30 19:17:27 2014 From: bdm at fenrir.org.uk (Brian Morrison) Date: Wed, 30 Jul 2014 19:17:27 +0100 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <53C66DB4.5090504@pmsommer.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> Message-ID: <20140730191727.68ab69e9@peterson.fenrir.org.uk> On Fri, 25 Jul 2014 20:40:53 +0100 Roland Perry wrote: > But being able to show where emailed death-threats (eg from an estranged > ex-partner) were coming from might help. Isn't that what the headers on the received email do (amongst their other uses)? 
-- Brian Morrison From lists at internetpolicyagency.com Thu Jul 31 11:26:31 2014 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 31 Jul 2014 11:26:31 +0100 Subject: Data retention question In-Reply-To: <20140730191727.68ab69e9@peterson.fenrir.org.uk> References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> <20140730191727.68ab69e9@peterson.fenrir.org.uk> Message-ID: In article <20140730191727.68ab69e9 at peterson.fenrir.org.uk>, Brian Morrison writes >> But being able to show where emailed death-threats (eg from an estranged >> ex-partner) were coming from might help. > >Isn't that what the headers on the received email do (amongst their >other uses)? Only to a certain extent. And if they do reveal which account it was sent from, you need the network's help to identify information which might eventually trace it back sufficiently. Of course, the headers can also be forged, which is another common technique: Abusers making false reports against their victims, which are often hard to debunk if all you have are the headers. 
-- Roland Perry From Andrew.Cormack at ja.net Thu Jul 31 12:07:22 2014 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Thu, 31 Jul 2014 11:07:22 +0000 Subject: Data retention question In-Reply-To: References: <1405378893.24364.YahooMailNeo@web122501.mail.ne1.yahoo.com> <7FE96CB2-EE08-4791-9770-C079D607C25F@batten.eu.org> <53C6F21D.7050205@talkunafraid.co.uk> <5U333wp2b3xTFAZL@perry.co.uk> <20140717133957.0000794c@surtees.fenrir.org.uk> <$kQ2LxPp9+xTFALd@perry.co.uk> <20140717190823.000068da@surtees.fenrir.org.uk> <20140718171809.0000235b@surtees.fenrir.org.uk> <53C99C0F.3020602@zen.co.uk> <9D4645F9555043F0879F8153DA9CBA18@MaryPC> <008a01cfa4bb$694ce380$3be6aa80$@net> <61E52F3A5532BE43B0211254F13883AEA4AF0DF3@EXC001> <53D231AB.30803@casparbowden.net> <61E52F3A5532BE43B0211254F13883AEA4AF1BF5@EXC001> <32CE680C-2BC0-406D-82B8-535D61D10D29@batten.eu.org> <20140730191727.68ab69e9@peterson.fenrir.org.uk> Message-ID: <61E52F3A5532BE43B0211254F13883AEA4AFD8C9@EXC001> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry > Sent: 31 July 2014 11:27 > To: ukcrypto at chiark.greenend.org.uk > Subject: Re: Data retention question > > In article <20140730191727.68ab69e9 at peterson.fenrir.org.uk>, Brian > Morrison writes > >> But being able to show where emailed death-threats (eg from an > estranged > >> ex-partner) were coming from might help. > > > >Isn't that what the headers on the received email do (amongst their > >other uses)? > > Only to a certain extent. And if they do reveal which account it was > sent from, you need the network's help to identify information which > might eventually trace it back sufficiently. A concrete, and not unusually complex, example from a few years ago. 
A death threat was sent from a commercial webmail account, so to trace that we would have needed the webmail provider to have details of who their subscriber was (assuming the details provided on registration were accurate, of course). In fact it turned out that we could skip that step because the webmail included the originating IP address in a mail header. That IP address turned out to belong to one of the national Janet web caches (hence my then team's involvement), so we needed to look in those logs to identify the actual IP address from which the message had been posted. That address (belonging to a commercial ISP) was passed to the police who I believe then got in touch with the ISP. IIRC Richard Clayton's PhD thesis has a lot more examples of how complex it can get, and which sources of tracing information are actually reliable. Andrew > Of course, the headers can also be forged, which is another common > technique: Abusers making false reports against their victims, which > are > often hard to debunk if all you have are the headers. > -- > Roland Perry
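Added example, not part of any list member's post: a Python sketch of the header-reliability point in the exchange above. Only Received lines stamped by a mail server the recipient controls count as attested; everything below that point, including X-Originating-IP, is a sender-side claim that needs the upstream operator's logs to confirm. The sample message, host names, addresses (RFC 5737 documentation ranges) and the trusted-host set are all constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample message; hosts and addresses are hypothetical.
RAW = """\
Received: from mx.webmail.example (mx.webmail.example [192.0.2.25])
\tby mail.recipient.example with ESMTP id A1; Thu, 31 Jul 2014 10:00:05 +0100
Received: from frontend.webmail.example (frontend [198.51.100.7])
\tby mx.webmail.example with ESMTP id B2; Thu, 31 Jul 2014 10:00:03 +0100
Received: from home-pc (unknown [203.0.113.99])
\tby frontend.webmail.example with HTTP; Thu, 31 Jul 2014 10:00:01 +0100
X-Originating-IP: [198.51.100.200]
From: someone@webmail.example
To: victim@recipient.example
Subject: constructed sample

body
"""

# "from <helo> (<rdns> [<ip>]) by <host>" as written by common MTAs.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)"
)


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify_hops(raw, trusted_by_hosts):
    """Walk Received headers newest-first and mark which ones are attested.

    A hop is attested only while every header above it was also stamped by
    a host in trusted_by_hosts. The first header stamped by anyone else
    breaks the chain: it and everything below it could have been written
    by the sender, even if a lower line names one of our own hosts.
    """
    msg = email.message_from_string(raw)
    hops, chain_intact = [], True
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m or not _valid_ip(m.group("ip")):
            chain_intact = False
            hops.append({"helo": None, "peer_ip": None, "by": None,
                         "verified": False})
            continue
        if m.group("by") not in trusted_by_hosts:
            chain_intact = False
        hops.append({"helo": m.group("helo"), "peer_ip": m.group("ip"),
                     "by": m.group("by"), "verified": chain_intact})
    return hops


def trace_summary(raw, trusted_by_hosts):
    """Separate what the recipient can attest from what is only claimed."""
    hops = classify_hops(raw, trusted_by_hosts)
    verified = [h for h in hops if h["verified"]]
    claimed = [h for h in hops if not h["verified"]]
    xoip = email.message_from_string(raw).get("X-Originating-IP")
    xoip = xoip.strip(" []") if xoip else None
    earliest_claim = claimed[-1]["peer_ip"] if claimed else None
    return {
        # Address our own server saw connect: the operator of this address
        # is the next party whose logs are needed to go any further back.
        "attested_peer": verified[-1]["peer_ip"] if verified else None,
        # Sender-side assertions only; never evidence on their own.
        "claimed_origin": xoip or earliest_claim,
        "claims_consistent": (xoip is None or earliest_claim is None
                              or xoip == earliest_claim),
        "unverified_hops": len(claimed),
    }


if __name__ == "__main__":
    for hop in classify_hops(RAW, {"mail.recipient.example"}):
        print(hop)
    print(trace_summary(RAW, {"mail.recipient.example"}))
```
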