Data retention question
Peter Fairbrother
zenadsl6186 at zen.co.uk
Tue Jul 15 21:03:48 BST 2014
On 15/07/14 00:01, Alex Burr wrote:
> All, I hope this isn't a dumb question: I'm trying to figure out
> whether 'location data' in retained data includes location while a
> mobile device is not active in a call/text. I'm finding conflicting
> information, does anyone know precisely?
>
> On the face of it, DRIP & the invalidated directive call for 'cell id
> at the start of a communication', which sounds like only when a call
> or text happens. This sounds like location when the phone is in
> standby is not logged (this is apparently the case by statute in the
> Netherlands, according to val Loenen [1, p100] However, the German
> politician Malte Spitze found that his mobile was being tracked every
> 10 minutes because of polling by an email client [2].
>
> Does anyone know if this applies in the UK? So far all I've found is
> a slide set by a forensics company [3, slide 7] which says
> "Operators will in general only retain records relating to call
> activity • GPRS Data is frequently available, giving data without
> call activity • There are several exceptions including Home Location
> Register updates". My knowledge of mobile systems is a bit hazy but
> I've guessing if 'Home Location Register' was logged then the
> location would be retained data even during standby. In summary, does
> anyone know if a) location data is retained during standby in the
> UK? b) location data is logged at a fine grain due to email polling
> in the UK?
A better answer - the sort of data you mention are not regularly
collected in bulk in the UK. The types of data which are regularly
collected in bulk are fairly limited [1], and relate mostly to calls and
texts.
This is the same sorts of data in the failed Data Retention Directive
(no surprise, the Directive was mostly authored by the UK Home Office).
However if a medium-senior Policeman wants to, he can order a CSP to
obtain and disclose "communications data", on a once-off or ongoing
basis, using a Notice under RIPA ss.22(4).
This is supposed to be more a targeted power rather than a wholesale
power, though limits on it, eg regarding eg duration of a Notice,
numbers of people or devices involved, or types of communications
affected, are pretty much non-existent.
For this purpose "communications data" is pretty widely defined [2],
and would include email polling and even cell registration and handover
data;
they can, on a full-time basis, trace which cell a device on standby is
in, if medium-senior Policeman or similar has authorised it.
The extent to which this power is used is not publicly known - about
half a million communications data Notices are issued per year, but
these could cover everything from a single reverse telephone directory
lookup to, potentially, a single order to trace all the devices of every
Muslim (or every politician, or indeed every person in the entire World).
- Peter Fairbrother
[1] SCHEDULE
COMMUNICATIONS DATA TO BE RETAINED
PART 1 FIXED NETWORK TELEPHONY
Data necessary to trace and identify the source of a communication
1. (1) The calling telephone number.
(2) The name and address of the subscriber or registered user of any
such telephone.
Data necessary to identify the destination of a communication
2. (1) The telephone number dialled and, in cases involving
supplementary services such as call forwarding or call transfer, any
telephone number to which the call is forwarded or transferred.
(2) The name and address of the subscriber or registered user of any
such telephone.
Data necessary to identify the date, time and duration of a communication
3. The date and time of the start and end of the call.
Data necessary to identify the type of communication
4. The telephone service used.
PART 2 MOBILE TELEPHONY
Data necessary to trace and identify the source of a communication
5. (1) The calling telephone number.
(2) The name and address of the subscriber or registered user of any
such telephone.
Data necessary to identify the destination of a communication
6. (1) The telephone number dialled and, in cases involving
supplementary services such as call forwarding or call transfer, any
telephone number to which the call is forwarded or transferred.
(2) The name and address of the subscriber or registered user of any
such telephone.
Data necessary to identify the date, time and duration of a communication
7. The date and time of the start and end of the call.
Data necessary to identify the type of communication
8. The telephone service used.
Data necessary to identify users’ communication equipment (or what
purports to be their equipment)
9. (1) The International Mobile Subscriber Identity (IMSI) and the
International Mobile Equipment Identity (IMEI) of the telephone from
which a telephone call is made.
(2) The IMSI and the IMEI of the telephone dialled.
(3) In the case of pre-paid anonymous services, the date and time of the
initial activation of the service and the cell ID from which the service
was activated.
Data necessary to identify the location of mobile communication equipment
10. (1) The cell ID at the start of the communication.
(2) Data identifying the geographic location of cells by reference to
their cell ID.
PART 3INTERNET ACCESS, INTERNET E-MAIL OR INTERNET TELEPHONY
Data necessary to trace and identify the source of a communication
11. (1) The user ID allocated.
(2) The user ID and telephone number allocated to the communication
entering the public telephone network.
(3) The name and address of the subscriber or registered user to whom an
Internet Protocol (IP) address, user ID or telephone number was
allocated at the time of the communication.
Data necessary to identify the destination of a communication
12. (1) In the case of internet telephony, the user ID or telephone
number of the intended recipient of the call.
(2) In the case of internet e-mail or internet telephony, the name and
address of the subscriber or registered user and the user ID of the
intended recipient of the communication.
Data necessary to identify the date, time and duration of a communication
13. (1) In the case of internet access—
(a)The date and time of the log-in to and log-off from the internet
access service, based on a specified time zone,
(b)The IP address, whether dynamic or static, allocated by the internet
access service provider to the communication, and
(c)The user ID of the subscriber or registered user of the internet
access service.
(2) In the case of internet e-mail or internet telephony, the date and
time of the log-in to and log-off from the internet e-mail or internet
telephony service, based on a specified time zone.
Data necessary to identify the type of communication
14. In the case of internet e-mail or internet telephony, the internet
service used.
Data necessary to identify users’ communication equipment (or what
purports to be their equipment)
15. (1) In the case of dial-up access, the calling telephone number.
(2) In any other case, the digital subscriber line (DSL) or other end
point of the originator of the communication.
[2] RIPA ss22(4):(4)In this Chapter “communications data” means any
of the following—
(a)any traffic data comprised in or attached to a communication (whether
by the sender or otherwise) for the purposes of any postal service or
telecommunication system by means of which it is being or may be
transmitted;
(b)any information which includes none of the contents of a
communication (apart from any information falling within paragraph (a))
and is about the use made by any person—
(i)of any postal service or telecommunications service; or
(ii)in connection with the provision to or use by any person of any
telecommunications service, of any part of a telecommunication system;
(c)any information not falling within paragraph (a) or (b) that is held
or obtained, in relation to persons to whom he provides the service, by
a person providing a postal service or telecommunications service.
More information about the ukcrypto
mailing list