Forwarded From: ama-gi ISPI <offshoreat_private> ISPI Clips 4.50 News & Info from the Institute for the Study of Privacy Issues (ISPI) Saturday September 19, 1998 This From: The Guardian On line, September 17, 1998 http://online.guardian.co.uk Police Tighten The Net http://online.guardian.co.uk/theweb/905960359-privacy.html By Duncan Campbell The police, MI5 and the Home Office are trying to push through a scheme to pressure other service providers to hand over private e-mail information without the court order that is required for telephone calls and the mail. Are the police taking liberties with our privacy? TWO WEEKS AGO in the dim hours before dawn, 30 police entered one of Britain's biggest Internet companies, and seized computers and computer logs. It was Britain's largest-ever Internet raid - and although it was part of the well-publicised Operation Cathedral investigation of the international "Wonderland" child porn ring, the raid has gone unreported, until now. But the inclusion of one of the biggest ISPs (Internet service providers) in Britain in a major child porn raid has sent a timely, clear and frightening message to industry insiders. The "Wonderland" raids, organised by Britain's National Criminal Intelligence Service (NCIS), took place just days before a police, MI5 and industry discussion group is due to meet to agree "law enforcement" access to private information about the Net and its users. This afternoon in London, an informal group convened by Acpo, the Association of Chief Police Officers, is holding a press conference to announce its plans to introduce a private "memorandum of understanding" about police access to e-mail users’ identities, activities and messages. Over the next three weeks, senior police officers and key industry figures will host three seminars in Edinburgh, Manchester and London to be addressed by police, industry and prosecution computer specialists. The seminars are being run by a group called the "Acpo, ISP and Government Forum". The press, public, lawyers and defence computer legal specialists are excluded. "The ISP industry is being privately pressurised into revealing information that others would not reveal as a matter of course," says one senior ISP manager who has followed the police-ISP negotiations. If the ISP industry were to go along with the current police position, then ISPs will soon be routinely sent electronic forms under the Data Protection Act, certifying that the police needed the information requested for the prevention or detection of crime. The forms were first introduced in 1994, but had to be extensively revised after being shown to the office of the Data Protection Registrar, Elizabeth France. According to her office, the section of the Act being used "was intended as an exceptional measure and not as a routine tool . . . it should not be seen as an easier approach than a court order." "We say it time and time again "information can only be released on a case by case basis. Fishing expeditions are not allowed", France said this week ‹ although they may have happened in the past. "It is important that [e-mail] has the same level of protection for individuals as for any other communications ‹ mail and telephone calls". Although the proposed Data Protection Act forms certify that the information is required for a specific case, they also say that information passed "may be used for any other investigation". The forms have to be countersigned, but do not require the signature of a rank higher than an inspector. If successful, the Acpo initiative would mean that the contents of e-mail, unlike ordinary mail or telephone conversations, could when requested in this way be intercepted and read without a warrant from the Home Secretary. It would also mean that it could be produced as evidence in court, unlike normal mail intercepts or phone taps. Police sources say, however, that they would not expect access to e-mail as it was being sent (as opposed to stored e-mail) unless they had a normal phone-tap warrant. But the Home Office is currently reviewing the Interception of Communications Act. Home Secretary Jack Straw revealed during this month’s emergency debate on terrorism that a review of the Act, including necessary technological changes, has been under way since July. It is understood that this includes reviewing whether or not e-mail should be treated the same way as ordinary mail. The problem for ISPs is not that they object to court orders or police search warrants being used when they are asked for evidence of serious Net-related crime, but that the threat of disruptive police raids is being quietly used to obtain more extensive information, without legal powers or adequate justification. "We've had any number of cases when police have come and asked 'tell us about all your subscribers who are living in Warwickshire' ", says one member of the Acpo-ISP group. The problems are that the information may not exist, may not be obtainable, or, if it did exist, would be illegal to hand over. The worry for legal specialists is that public concern about paedophile activities in particular could result in ill-advised police-industry agreements sidestepping privacy laws and good practice. "A mood of public alarm taken together with a poorly developed forensic science is the most dangerous combination imaginable for miscarriages of justice," says Peter Sommer, a computer forensics research fellow at the London School of Economics and defence legal specialist. "Those factors have historically led to some of the gravest judicial errors in our history." This month's raid on the ISP may be a case in point. The company maintains that the police went for the wrong target, based on a misunderstanding about how its part of the Net was engineered and whether or not its employees would have known what specific users were doing. Since "computer forensics is in its infancy", says Sommer, the right way forward is to legislate and to introduce codes of practice such as are already in use under the Police and Criminal Evidence Act. "We need to regularise law enforcement access to and use of computer-derived evidence. The result will be all the stronger for having been the result of democratic scrutiny, rather than cosy discussions between a police lobby group and a few ISPs." Police officers face serious problems investigating Net-based crime, given the diversity of size, sophistication and outlook among ISPs. Even if Acpo does obtain a "memorandum of understanding" signed by key industry bodies, this would not be binding on any company providing services. Many on the ISP side say privately that the description is inappropriate. They have asked Acpo to reconstitute the proposed "agreement" as a "guide to best practice" in providing information to the police. Further problems were highlighted at a meeting between police, Home Office, MI5 and industry specialists held at Scotland Yard three months ago to discuss what information ISPs could and should make available. The police and government side asked for "all e-mail sent in the last week to be recorded as a matter of routine". Another "desirable facility" was "the ability to turn on logging of all incoming e-mail for a customer account". But the ISP representatives explained that these records were not normally kept at many ISPs and that creating them for routine police or MI5 use would be costly. The ISPs were however "happy to do work that has little or no cost implication and is clearly legal". Detective Chief Superintendent Keith Akerman of Hampshire Police, chairman of the Acpo computer crimes group, told Computing magazine: "We want to ensure the criminal doesn't take best advantage of the Internet, without government using the sledgehammer of regulation." Acpo was unwilling this week to release any drafts of the proposed memorandum of understanding, or to provide copies of the form that Acpo has already drafted to be used by police forces seeking Net information. The form is based on a system now widely used to get lists of telephone numbers called from BT and other telecoms providers without Home Secretary warrants or court orders, which was revealed in OnLine in September last year. Apart from suspicion in some parts of the industry and reluctance in others, the Acpo and government initiative to access e-mail information also faces the problem that a new EU directive on communications privacy comes into force in less than two months. The directive says that: "Member States shall ensure via national regulations the confidentiality of communications by means of public telecommunications network and publicly available telecommunications services. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications, by other than users, without the consent of the users concerned, except when legally authorised." "There's not much left for a 'memorandum of understanding' to cover," says LSE's Sommer. He suspects that, with the directive, a new Data Protection Act and a Home Office review of the interception of communications act due in the next three months, the "cosy agreements" between Acpo and ISPs may be as futile to the police as they are aggravating to Net civil liberties and privacy campaigners. TWO YEARS OF POLICING THE NET 2 August 1996 Following a rash of child porn investigations, the Metropolitan Police invite Internet service providers (ISPs) to a seminar at New Scotland Yard to discuss how to deal with obscene material on Net newsgroups. 9 August 1996 Letter from Metropolitan Police Clubs and Vice unit to ISPs circulates veiled threat: "We trust that with your co-operation and self regulation it will not be necessary for us to move to an enforcement policy." A list of 200 sex-related newsgroups was appended to the letter. Worried ISPs quickly start ad hoc meetings with police to try and agree a modus vivendi. September 1996 Internet Watch Foundation launched with government backing to consider curbs on Net content, with particular reference to child pornography. October 1996 National Criminal Intelligence Service (NCIS) launches Project Trawler to study the extent of criminal use of the Net,and the methods law enforcement officials should use. May 1997 NCIS announces results from Project Trawler, and requests urgent action to introduce laws enabling police to intercept and monitor e-mails. No action is taken because of the election. May 1998 Acpo (Association of Chief Police Officers) and major ISPs plan seminars to promote informal agreements for police access to e-mail and Net information. 18 June 1998 Meeting at New Scotland Yard between Home Office, MI5, police, BT and ISP representatives discusses law enforcement requirements for Net information, including stored e-mail and logs of Web usage. 2 September 1998 Police raids on 11 sites in Britain, including one major ISP, seize child porn material connected with a US Web site called "Wonderland"; 30 others arrested in 12 other countries. 22 Sept 1998 First Acpo seminar in Edinburgh aims to win industry acceptance of "memorandum of understanding" allowing automated access to ISP information. [Duncan Campbell is a freelance journalist and not the Guardian's crime correspondent of the same name] -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:04:53 PDT