Data retention directive "invalid"

Roland Perry lists at internetpolicyagency.com
Fri Jul 11 07:55:45 BST 2014 

In article <53BF13E1.8000709 at zen.co.uk>, Peter Fairbrother 
<zenadsl6186 at zen.co.uk> writes

>>> Nick Robinson video 1/3 down the
>>> page, "there was no British law on this, in other words the security
>>> service and the police, the national crime agency were able to find
>>> out who
>>> you spoke to on your phone and when, who you emailed and when as a result
>>> of a European Directive".
>>>
>>> It's like a scene from the Wizard of Oz: oh look at those wicked
>>> Europeans
>>> and their intrusive rules, don't look at the RIPA behind the curtain ...
>>
>> It's not quite as bad as that. RIPA is about disclosure[1]. If the data
>> hasn't been retained there's nothing to disclose. That's why the Data
>> Retention stuff was introduced.
>
>Actually, this is about disclosure too.

I'm trying to unpick the roles of RIPA and the EU when it comes to 
mandating blanket retention. Nick Robinson is right that it [was] and EU 
Directive (and by implication not RIPA).

>Subsection 1(6) allows the SoS to make regulations about disclosure, 
>either MAY or MUST, with almost no restrictions.
>
>> [1] And potentially retention on a case by case basis, not blanket.
>
>I have little complaint about case-by-case retention (though I don't 
>see the RIPA connection?)

s22(4)(b), the "subsequently" is in effect mandating retention of data 
about the subject of the notice, when in the general case the CSP might 
not have been retaining it at all before the notice was served.
...

>second that someone independent must supervise access, presumably on a 
>per-case basis.
...
>On the second claim there is this, from clause 62 of the judgement:
>
>"Above all, the access by the competent national authorities to the 
>data retained is not made dependent on a prior review carried out by a 
>court or by an independent administrative body whose decision seeks to 
>limit access to the data and their use to what is strictly necessary 
>for the purpose of attaining the objective pursued and which intervenes 
>following a reasoned request of those authorities submitted within the 
>framework of procedures of prevention, detection or criminal prosecutions."

Before RIPA one of the main ways that communications data was obtained 
related to various powers to demand evidence arising from a multitude 
[someone made a list and it was about 50] agency-specific Acts of 
Parliament. Here's an example of one which is actually post-RIPA (which 
created a certain degree of tension over the principle that all 
telecomms data post-2000 should be gathered via RIPA, but I digress):

http://www.legislation.gov.uk/ukpga/2001/11/section/1

There was no common structure for either the authorisation regime of 
that multitude of requests, nor the way they were presented to CSPs. It 
was entirely possible to get something scribbled on the back of an 
envelope by a junior investigator, there was no regulatory oversight, 
and every CSP had to have a process in place to evaluate the credentials 
of each request including whether it was genuine or not, and there was 
no line in the sand that defined where an individual investigation ends 
and a fishing expedition starts.

To that extent RIPA was, for comms data, a huge improvement - because 
there were standardised codes of practice, request forms, levels of 
authority and levels of probable cause, plus lists of authorised public 
authorities with pre-identified contact points benefiting from mandatory 
trained in law and technology, and auditing processes involving 
compulsory record keeping and a centrally appointed commissioner.

I know people can pick holes in each aspect, but taken as a whole it was 
a significant paradigm change.

One of the basic principles was also to keep the chain of custody of the 
product as short as possible, such that each separate public authority 
(and each police force is separate) was only able to process requests 
for its own investigative activity. The reason being to increase the 
accountability, but also to reduce the possibility of data going astray.

If there is to be an intermediate layer between the investigating 
authorities and CSPs it will have to work hard at not either adding to 
the "fog of war" [send three and sixpence], delaying urgent requests, 
nor be captured by one or other side of the table.

To emphasise, all of the above is about disclosure, and nothing at all 
to do with blanket retention (mandatory or otherwise).
-- 
Roland Perry

More information about the ukcrypto mailing list