Data retention directive "invalid"

Peter Fairbrother zenadsl6186 at
Fri Jul 11 18:27:11 BST 2014

On 11/07/14 07:55, Roland Perry wrote:

> Before RIPA one of the main ways that communications data was obtained
> related to various powers to demand evidence arising from a multitude
> [someone made a list and it was about 50] agency-specific Acts of
> Parliament. Here's an example of one which is actually post-RIPA (which
> created a certain degree of tension over the principle that all
> telecomms data post-2000 should be gathered via RIPA, but I digress):
> There was no common structure for either the authorisation regime of
> that multitude of requests, nor the way they were presented to CSPs. It
> was entirely possible to get something scribbled on the back of an
> envelope by a junior investigator, there was no regulatory oversight,
> and every CSP had to have a process in place to evaluate the credentials
> of each request including whether it was genuine or not, and there was
> no line in the sand that defined where an individual investigation ends
> and a fishing expedition starts.
> To that extent RIPA was, for comms data, a huge improvement - because
> there were standardised codes of practice, request forms, levels of
> authority and levels of probable cause, plus lists of authorised public
> authorities with pre-identified contact points benefiting from mandatory
> training in law and technology, and auditing processes involving
> compulsory record keeping and a centrally appointed commissioner.
> I know people can pick holes in each aspect, but taken as a whole it was
> a significant paradigm change.
> One of the basic principles was also to keep the chain of custody of the
> product as short as possible, such that each separate public authority
> (and each police force is separate) was only able to process requests
> for its own investigative activity. The reason being to increase the
> accountability, but also to reduce the possibility of data going astray.
> If there is to be an intermediate layer between the investigating
> authorities and CSPs it will have to work hard at not either adding to
> the "fog of war" [send three and sixpence], delaying urgent requests,
> nor be captured by one or other side of the table.
> To emphasise, all of the above is about disclosure, and nothing at all
> to do with blanket retention (mandatory or otherwise).

They are of course intimately linked - you can't disclose historic data 
you haven't retained.

It is one of my bad habits to pick at Roland as an (ex?-)emissary of the 
de^H^H ISP industry, but I am not doing that here, I do not mean this 
next personally, and Roland, please take no offence.

I am sure that the new regime gave a much-welcomed clarity as to what an 
ISP should or should not do in order to comply with the law, and to that 
extent I think it would have been welcomed whatever it contained - after 
all, it is not the business of the ISP industry to make moral or ethical 
judgements about what should be disclosed or retained.

Except, in a way, it is.

We use the ISPs as a layer between the rapacious policemen and data they 
are so greedy for. That's actual EU policy.

We do not allow the police to store bulk comms data, the ISPs do that, 
and we expect the ISPs to ensure that they do not disclose data which 
they should not, or store data for longer than allowed.

The ISPs are paid by their customers, and to that extent they are under 
some pressure to protect their customers' interests. However, in terms 
of retention and disclosure, they are also paid by the policemen - and 
therein lies a conflict of interest.

Of course it's only an internal conflict of interest, so it becomes a 
"business decision".

To which I note: The only part of the draft Bill which is in italics is:

"1(4)g)  the reimbursement by the Secretary of State (with or without 
conditions) of expenses incurred by public telecommunications operators 
in complying with relevant requirements or restrictions,"

-- Peter Fairbrother
(somewhat tongue in cheek)
