Data retention directive "invalid"
Roland Perry
lists at internetpolicyagency.com
Fri Jul 11 07:55:45 BST 2014
In article <53BF13E1.8000709 at zen.co.uk>, Peter Fairbrother
<zenadsl6186 at zen.co.uk> writes
>>> Nick Robinson video 1/3 down the
>>> page, "there was no British law on this, in other words the security
>>> service and the police, the national crime agency were able to find
>>> out who
>>> you spoke to on your phone and when, who you emailed and when as a result
>>> of a European Directive".
>>>
>>> It's like a scene from the Wizard of Oz: oh look at those wicked
>>> Europeans
>>> and their intrusive rules, don't look at the RIPA behind the curtain ...
>>
>> It's not quite as bad as that. RIPA is about disclosure[1]. If the data
>> hasn't been retained there's nothing to disclose. That's why the Data
>> Retention stuff was introduced.
>
>Actually, this is about disclosure too.
I'm trying to unpick the roles of RIPA and the EU when it comes to
mandating blanket retention. Nick Robinson is right that it [was] and EU
Directive (and by implication not RIPA).
>Subsection 1(6) allows the SoS to make regulations about disclosure,
>either MAY or MUST, with almost no restrictions.
>
>> [1] And potentially retention on a case by case basis, not blanket.
>
>I have little complaint about case-by-case retention (though I don't
>see the RIPA connection?)
s22(4)(b), the "subsequently" is in effect mandating retention of data
about the subject of the notice, when in the general case the CSP might
not have been retaining it at all before the notice was served.
...
>second that someone independent must supervise access, presumably on a
>per-case basis.
...
>On the second claim there is this, from clause 62 of the judgement:
>
>"Above all, the access by the competent national authorities to the
>data retained is not made dependent on a prior review carried out by a
>court or by an independent administrative body whose decision seeks to
>limit access to the data and their use to what is strictly necessary
>for the purpose of attaining the objective pursued and which intervenes
>following a reasoned request of those authorities submitted within the
>framework of procedures of prevention, detection or criminal prosecutions."
Before RIPA one of the main ways that communications data was obtained
related to various powers to demand evidence arising from a multitude
[someone made a list and it was about 50] agency-specific Acts of
Parliament. Here's an example of one which is actually post-RIPA (which
created a certain degree of tension over the principle that all
telecomms data post-2000 should be gathered via RIPA, but I digress):
http://www.legislation.gov.uk/ukpga/2001/11/section/1
There was no common structure for either the authorisation regime of
that multitude of requests, nor the way they were presented to CSPs. It
was entirely possible to get something scribbled on the back of an
envelope by a junior investigator, there was no regulatory oversight,
and every CSP had to have a process in place to evaluate the credentials
of each request including whether it was genuine or not, and there was
no line in the sand that defined where an individual investigation ends
and a fishing expedition starts.
To that extent RIPA was, for comms data, a huge improvement - because
there were standardised codes of practice, request forms, levels of
authority and levels of probable cause, plus lists of authorised public
authorities with pre-identified contact points benefiting from mandatory
trained in law and technology, and auditing processes involving
compulsory record keeping and a centrally appointed commissioner.
I know people can pick holes in each aspect, but taken as a whole it was
a significant paradigm change.
One of the basic principles was also to keep the chain of custody of the
product as short as possible, such that each separate public authority
(and each police force is separate) was only able to process requests
for its own investigative activity. The reason being to increase the
accountability, but also to reduce the possibility of data going astray.
If there is to be an intermediate layer between the investigating
authorities and CSPs it will have to work hard at not either adding to
the "fog of war" [send three and sixpence], delaying urgent requests,
nor be captured by one or other side of the table.
To emphasise, all of the above is about disclosure, and nothing at all
to do with blanket retention (mandatory or otherwise).
--
Roland Perry
More information about the ukcrypto
mailing list