Memorandum submitted by the Foundation
for Information Policy Research (FIPR)
FIPR (http://www.fipr.org) is a non-profit think-tank
for Internet policy in the UK and Europe. Research topics include:
legislation and regulation of electronic commerce and infrastructure,
consumer protection, data protection and privacy, copyright, law
enforcement and national security, evidence and archiving, electronic
government and interaction with business and the citizen, and
social inclusion. Donors have no influence over general or specific
policy, which is governed by an independent Board of Trustees
in consultation with an expert Advisory Council
Mass-surveillance for non-terrorist investigations
Traffic Analysiscomputerized trawling
of who you talk to, where you go, what you read:
Blanket data retention is the penultimate
step towards a national "traffic data warehouse", sought
jointly by police, customs, intelligence and security agencies.
Police Superintendent or equivalent
rank can self-authorize mass-surveillance for public order, minor
crime, health and safety, and tax.
Stockpiling private and sensitive
"traffic data" on the entire population is not effective
in tracking organized crime or terrorist cells. Identification
is avoided using pre-paid mobile phones and web-based e-mail from
There will be no statutory basis
for the Home Secretary's assurance that new data will be used
only for terrorist cases, until a restriction order is made under
1. This submission addresses the issues
of "data retention" in proposed new anti-terrorist legislation.
Under the Regulation of Investigatory Powers (RIP)Act, law enforcement
already has extensive powers to intercept communications carried
by telephone and Internet companies. The new proposals will request
(or compel) them to stockpile "traffic data" on all
their customers in case required retrospectively by law enforcement.
2. "Traffic data" constitutes
a near complete map of private life: who everyone talks to (by
e-mail and phone), where everyone goes (mobile phone location
co-ordinates), and what everyone reads online (websites browsed).
Current mobile phones track location to a few hundred meters whilst
the phone is switched on (not merely when a call is made), and
3rd generation phones will pinpoint location to a few meters.
3. Traffic data is logged in computer files,
and either deleted or backed-up to magnetic tape periodically.
Usually there is no commercial need to refer to Internet logs
more than a month old. Samples of anonymised data suffice for
marketing or system performance research. The web browsing behaviour
of a million customers for a year could be held on about a hundred
matchbox-size tapes. [Very large storage systems used by intelligence
agencies can provide instant access to at least a thousand times
this amount of data].
4. Systems which record traffic data are
not designed to be secure or to prove the identity of the user.
Traffic data is admissible as evidence, but may be incomplete
(system failure), inaccurate (hacked or corrupted), and sensitive
(geographic location or websites implicitly revealing medical,
political, sexual, religious matters). Data protection law gives
full rights for subject access to identifiable data.
5. The Internet Service Provider (ISP) business
is increasingly commoditized. Extra costs arising from retention
could increase overheads to the point where cheap transatlantic
bandwidth makes it attractive to locate servers in offshore subsidiaries
where requirements are less onerous.
6. Different companies log widely different
amounts and types of data depending on their business model, and
some may be in breach
of current European law requiring destruction of records irrelevant
to billing or fraud control.
However there are national security exemptions
which would allow data to be lawfully retained.
allows interception of the contents of communications only for
national security, safeguarding economic wellbeing, and serious
crime. Any ISP can be required to install a "black-box"
capable of relaying intercepts back to a central monitoring facility
in the MI5 building ('NTAC'). The government has confirmed
that RIP confers new powers to scan the contents of all the data
carried by an ISP.
8. RIP also allows access to traffic data,
but for much broader reasons than for interception, including
public order, minor crime, health and safety, and tax. Both content
and traffic data can lawfully be collected by the black-boxes
directly, without serving the warrant or Notice on the ISP.
9. Oversight is provided by the Interception
Commissioner with responsibility for checking about two thousand
Secretary of State warrants. Next year he will also have to assess
tens or a hundred thousand Notices and Authorisations for communications
data. RIP empowers a Superintendent or equivalent rank to obtain
any and all traffic data ISPs hold about groups or individuals.
The proportionality of a request is supposed to be judged by the
police and Agencies themselves, but no criteria or framework is
provided in the Code of Practice to decide what is justified.
Traffic data may be kept in police or intelligence databases for
at least three years, and potentially indefinitely. Such processing
is exempt from some or all of the data protection principles.
10. The new Interception Commissioner's
first report has just been published.
It makes no mention of the Internet, and there are no indications
of how statistically robust sampling to investigate the vast number
of cases, for widely differing amounts of data, will be carried
out. The Home Office will not say when the Commissioner will be
provided with promised "reliable and verifiable technical
to inspect the operation of black-boxes, or even whether he will
work with paper or a database. Last year the RIP Tribunal supposed
to safeguard civil liberties "did not have sufficient secretariat
to enable it even to open the mail, let alone process and investigate
11. FIPR has previously drawn attention
to the dangers of large-scale traffic-analysis,
and proposes this solution. A new type of data preservation order,
judicially authorized case-by-case, could require ISPs to perform
detailed logging and preservation of specified traffic data on
specified targets, only for the same purposes as interception.
As with intercepted content, we believe bulk traffic data should
be destroyed at the end of an investigation, or in finite time
subject to strict tests.
12. UK law enforcement agencies might
be expected to support proposals for data preservation, but they
are holding out for blanket retention with open-ended definitions.
Ironically, UK law will need to provide for a data preservation
power in any case, when the Council of Europe Convention on Cybercrime
is implemented. The RIP Act does not obligate companies to record
any data at all.
13. Some data already widely held is useful
for investigations (start/stop of Internet sessions and phone
logs), but we believe the line should be firmly drawn rejecting
blanket retention of the online contacts and interests, and physical
movements of the entire population. Automated trawling of traffic
databases is a powerful form of mass-surveillance over the associations
and relationships that constitute private life. It also reveals
the pattern of thought of individuals using the Internet. It is
incompatible with the Human Rights Act (infringing Articles 8,
10, and 11 of ECHR) and undermines the basic rights and freedoms
of a democratic society.
14. In any case, even such general surveillance
can be evaded by using pre-paid mobile phones and web-based e-mail
from public terminals to avoid identification. Clearly it is not
persuasive to argue for the rights and freedoms of the law-abiding
to be sacrificed in the name of fighting terrorism if the measures
would not be effective for that purpose.
15. Last year it was leaked that NCIS, MI5,
MI6, GCHQ, and ACPO jointly lobbied the Home Office to create
a comprehensive "traffic data warehouse" covering the
entire population. They wanted one year of records online, and
at least three years held in archive. Government has declined
requests to publish the 30-page proposal, but a full copy is on
16. The Home Secretary has seemingly given
a guarantee that extra traffic data obtained under new arrangements
would be used "...strictly in the case of a criminal investigation
against suspected terrorists" .
But somewhat incongruously, the Home Office afterwards stated
that he was "simply reiterating..data may be accessed..for..prevention
and detection of crime. The law on access to communications data
will not be affected". Without an order under RIP S.25(3)(b),
imposing a restriction to counter-terrorist purposes, there will
be no statutory basis to give effect to his assurance.
9 Home Office Press Release 15/10/2001: "Blunkett
outlines further anti-terrorist measures". Back
HPCwire 30/5/97: "Toward Petabyte On-Line Storage". Back
Guardian 27/10/01: "Liberties fear over mobile phone details-Records
which map out users' whereabouts held indefinitely". Back
Iain Bourne of the Office of the Information Commissioner (letter
to FIPR and Internet Service Providers Association 19/7/01). Back
The Telecommunications Data Protection Directive 1997, implemented
in UK law as SI 2093 (1999), S.32. Back
Regulation of Investigatory Powers Act 2000, Part.1 Chapter.2,
S.22 This Chapter is not yet in force and the consultation on
its Code of Practice closed on 2/11/01. Back
Lord Bassam letter to Lord Phillips 4/7/00. Back
Data Protection Act 1998 S.28 & 29. Back
Report of the Interception of Communications Commissioner for
2000 31/10/01 (published on Web 2/11/01). Back
Lords' Hansard, RIP Committee Stage, 19/6/00: Column 14-Amendment
50A, withdrawn after accepted in spirit. Back
Intelligence and Security Committee Interim Report 2000-2001
29/3/01 (published on Web 3/4/01). Back
FIPR response to the Home Office consultation paper (CM 4368
June 1999); "Unprecendented safeguards for Unprecedented
Capabilities", Stanford conference on cyber crime and terrorism
7/12/99; "Four Fallacies"-Briefing for Lords' 2nd Reading
Debate 25/5/00. Back
Roger Gaspar (NCIS) 21/8/00, ACPO, ACPO(S), HM Customs &
Excise, Security Service, Secret Intelligence Service, and GCHQ,
"Looking to the Future: Clarity on Communications Data Retention
Tribune 26/10/2001, David Blunkett, Democracy must be vigorously
defended : "...we do need-strictly in the case of a criminal
investigation against suspected terrorists-to have access to more
information than we have at present. That is why we are working
with companies on a code of practice with the result that they
will keep billing records for longer than at present, to allow
access in relation to anti-terrorist activity." Back
E-mail(s) from mailto:Rachel.James@homeoffice.gsi.gov.uk 1/11/01
in reply to question from FIPR 27/10/01. Back