FIPR (http://www.fipr.org) is a non-profit think-tank for Internet policy in the UK and Europe. Research topics include: legislation and regulation of electronic commerce and infrastructure, consumer protection, data protection and privacy, copyright, law enforcement and national security, evidence and archiving, electronic government and interaction with business and the citizen, and social inclusion. Donors have no influence over general or specific policy, which is governed by an independent Board of Trustees in consultation with an expert Advisory Council

Mass-surveillance for non-terrorist investigations ?

  Traffic Analysis—computerized trawling of who you talk to, where you go, what you read:

—  Blanket data retention is the penultimate step towards a national "traffic data warehouse", sought jointly by police, customs, intelligence and security agencies.

—  Police Superintendent or equivalent rank can self-authorize mass-surveillance for public order, minor crime, health and safety, and tax.

—  Stockpiling private and sensitive "traffic data" on the entire population is not effective in tracking organized crime or terrorist cells. Identification is avoided using pre-paid mobile phones and web-based e-mail from public terminals.

—  There will be no statutory basis for the Home Secretary's assurance that new data will be used only for terrorist cases, until a restriction order is made under RIP S.25(3)(b)

  1.  This submission addresses the issues of "data retention" in proposed new anti-terrorist legislation. Under the Regulation of Investigatory Powers (RIP)Act, law enforcement already has extensive powers to intercept communications carried by telephone and Internet companies. The new proposals will request[9] (or compel) them to stockpile "traffic data" on all their customers in case required retrospectively by law enforcement.

  2.  "Traffic data" constitutes a near complete map of private life: who everyone talks to (by e-mail and phone), where everyone goes (mobile phone location co-ordinates), and what everyone reads online (websites browsed). Current mobile phones track location to a few hundred meters whilst the phone is switched on (not merely when a call is made), and 3rd generation phones will pinpoint location to a few meters.

  3.  Traffic data is logged in computer files, and either deleted or backed-up to magnetic tape periodically. Usually there is no commercial need to refer to Internet logs more than a month old. Samples of anonymised data suffice for marketing or system performance research. The web browsing behaviour of a million customers for a year could be held on about a hundred matchbox-size tapes. [Very large storage systems used by intelligence agencies can provide instant access to at least a thousand times this amount of data[10]].

  4.  Systems which record traffic data are not designed to be secure or to prove the identity of the user. Traffic data is admissible as evidence, but may be incomplete (system failure), inaccurate (hacked or corrupted), and sensitive (geographic location or websites implicitly revealing medical, political, sexual, religious matters). Data protection law gives full rights for subject access to identifiable data.

  5.  The Internet Service Provider (ISP) business is increasingly commoditized. Extra costs arising from retention could increase overheads to the point where cheap transatlantic bandwidth makes it attractive to locate servers in offshore subsidiaries where requirements are less onerous.

  6.  Different companies log widely different amounts and types of data depending on their business model, and some may be in breach[11] of current European law requiring destruction of records irrelevant to billing or fraud control[12]. However there are national security exemptions[13] which would allow data to be lawfully retained.

  7.  RIP[14] allows interception of the contents of communications only for national security, safeguarding economic wellbeing, and serious crime. Any ISP can be required to install a "black-box" capable of relaying intercepts back to a central monitoring facility in the MI5 building ('NTAC'). The government has confirmed[15] that RIP confers new powers to scan the contents of all the data carried by an ISP.

  8.  RIP also allows access to traffic data, but for much broader reasons than for interception, including public order, minor crime, health and safety, and tax. Both content and traffic data can lawfully be collected by the black-boxes directly, without serving the warrant or Notice on the ISP.

  9.  Oversight is provided by the Interception Commissioner with responsibility for checking about two thousand Secretary of State warrants. Next year he will also have to assess tens or a hundred thousand Notices and Authorisations for communications data. RIP empowers a Superintendent or equivalent rank to obtain any and all traffic data ISPs hold about groups or individuals. The proportionality of a request is supposed to be judged by the police and Agencies themselves, but no criteria or framework is provided in the Code of Practice to decide what is justified. Traffic data may be kept in police or intelligence databases for at least three years, and potentially indefinitely. Such processing is exempt from some or all of the data protection principles[16].

  10.  The new Interception Commissioner's first report has just been published[17]. It makes no mention of the Internet, and there are no indications of how statistically robust sampling to investigate the vast number of cases, for widely differing amounts of data, will be carried out. The Home Office will not say when the Commissioner will be provided with promised "reliable and verifiable technical means" [18] to inspect the operation of black-boxes, or even whether he will work with paper or a database. Last year the RIP Tribunal supposed to safeguard civil liberties "did not have sufficient secretariat to enable it even to open the mail, let alone process and investigate complaints" [19].

  11.  FIPR has previously drawn attention to the dangers of large-scale traffic-analysis[20], and proposes this solution. A new type of data preservation order, judicially authorized case-by-case, could require ISPs to perform detailed logging and preservation of specified traffic data on specified targets, only for the same purposes as interception. As with intercepted content, we believe bulk traffic data should be destroyed at the end of an investigation, or in finite time subject to strict tests.

    12.  UK law enforcement agencies might be expected to support proposals for data preservation, but they are holding out for blanket retention with open-ended definitions. Ironically, UK law will need to provide for a data preservation power in any case, when the Council of Europe Convention on Cybercrime is implemented. The RIP Act does not obligate companies to record any data at all.

  13.  Some data already widely held is useful for investigations (start/stop of Internet sessions and phone logs), but we believe the line should be firmly drawn rejecting blanket retention of the online contacts and interests, and physical movements of the entire population. Automated trawling of traffic databases is a powerful form of mass-surveillance over the associations and relationships that constitute private life. It also reveals the pattern of thought of individuals using the Internet. It is incompatible with the Human Rights Act (infringing Articles 8, 10, and 11 of ECHR) and undermines the basic rights and freedoms of a democratic society.

  14.  In any case, even such general surveillance can be evaded by using pre-paid mobile phones and web-based e-mail from public terminals to avoid identification. Clearly it is not persuasive to argue for the rights and freedoms of the law-abiding to be sacrificed in the name of fighting terrorism if the measures would not be effective for that purpose.

  15.  Last year it was leaked that NCIS, MI5, MI6, GCHQ, and ACPO jointly lobbied the Home Office to create a comprehensive "traffic data warehouse" covering the entire population. They wanted one year of records online, and at least three years held in archive. Government has declined requests to publish the 30-page proposal, but a full copy is on the Web[21].

  16.  The Home Secretary has seemingly given a guarantee that extra traffic data obtained under new arrangements would be used "...strictly in the case of a criminal investigation against suspected terrorists" [22]. But somewhat incongruously, the Home Office afterwards stated[23] that he was "simply reiterating..data may be accessed..for..prevention and detection of crime. The law on access to communications data will not be affected". Without an order under RIP S.25(3)(b), imposing a restriction to counter-terrorist purposes, there will be no statutory basis to give effect to his assurance.

November 2001

10   HPCwire 30/5/97: "Toward Petabyte On-Line Storage". Back

11   Guardian 27/10/01: "Liberties fear over mobile phone details-Records which map out users' whereabouts held indefinitely". Back

12   Iain Bourne of the Office of the Information Commissioner (letter to FIPR and Internet Service Providers Association 19/7/01). Back

13   The Telecommunications Data Protection Directive 1997, implemented in UK law as SI 2093 (1999), S.32. Back

14   Regulation of Investigatory Powers Act 2000, Part.1 Chapter.2, S.22 This Chapter is not yet in force and the consultation on its Code of Practice closed on 2/11/01. Back

15   Lord Bassam letter to Lord Phillips 4/7/00. Back

16   Data Protection Act 1998 S.28 & 29. Back

17   Report of the Interception of Communications Commissioner for 2000 31/10/01 (published on Web 2/11/01). Back

18   Lords' Hansard, RIP Committee Stage, 19/6/00: Column 14-Amendment 50A, withdrawn after accepted in spirit. Back

19   Intelligence and Security Committee Interim Report 2000-2001 29/3/01 (published on Web 3/4/01). Back

20   FIPR response to the Home Office consultation paper (CM 4368 June 1999); "Unprecendented safeguards for Unprecedented Capabilities", Stanford conference on cyber crime and terrorism 7/12/99; "Four Fallacies"-Briefing for Lords' 2nd Reading Debate 25/5/00. Back

21   Roger Gaspar (NCIS) 21/8/00, ACPO, ACPO(S), HM Customs & Excise, Security Service, Secret Intelligence Service, and GCHQ, "Looking to the Future: Clarity on Communications Data Retention Law". Back

22   Tribune 26/10/2001, David Blunkett, Democracy must be vigorously defended : "...we do need-strictly in the case of a criminal investigation against suspected terrorists-to have access to more information than we have at present. That is why we are working with companies on a code of practice with the result that they will keep billing records for longer than at present, to allow access in relation to anti-terrorist activity." Back

23   E-mail(s) from mailto:Rachel.James@homeoffice.gsi.gov.uk 1/11/01 in reply to question from FIPR 27/10/01. Back