[ISN] UK Police Pressure ISPs For E-mail Without Court Order

From: mea culpa (jerichoat_private)
Date: Sat Sep 19 1998 - 10:03:54 PDT

  • Next message: mea culpa: "[ISN] Parts of the New York Times site still down after HFG attack"

    Forwarded From: ama-gi ISPI <offshoreat_private>
    
    ISPI Clips 4.50
    News & Info from the Institute for the Study of Privacy Issues (ISPI)
    Saturday September 19, 1998
    This From: The Guardian On line, September 17, 1998
    http://online.guardian.co.uk
    
    Police Tighten The Net
    http://online.guardian.co.uk/theweb/905960359-privacy.html
    
    By Duncan Campbell
    
            The police, MI5 and the Home Office are trying to push
            through a scheme to pressure other service providers to
            hand over private e-mail information without the court order
            that is required for telephone calls and the mail. Are the
            police taking liberties with our privacy?
    
    TWO WEEKS AGO in the dim hours before dawn, 30 police entered one of
    Britain's biggest Internet companies, and seized computers and computer
    logs. It was Britain's largest-ever Internet raid - and although it was
    part of the well-publicised Operation Cathedral investigation of the
    international "Wonderland" child porn ring, the raid has gone unreported,
    until now. 
    
    But the inclusion of one of the biggest ISPs (Internet service providers) 
    in Britain in a major child porn raid has sent a timely, clear and
    frightening message to industry insiders. The "Wonderland" raids,
    organised by Britain's National Criminal Intelligence Service (NCIS), took
    place just days before a police, MI5 and industry discussion group is due
    to meet to agree "law enforcement" access to private information about the
    Net and its users. 
    
    This afternoon in London, an informal group convened by Acpo, the
    Association of Chief Police Officers, is holding a press conference to
    announce its plans to introduce a private "memorandum of understanding" 
    about police access to e-mail users’ identities, activities and messages. 
    Over the next three weeks, senior police officers and key industry figures
    will host three seminars in Edinburgh, Manchester and London to be
    addressed by police, industry and prosecution computer specialists. The
    seminars are being run by a group called the "Acpo, ISP and Government
    Forum". The press, public, lawyers and defence computer legal specialists
    are excluded. 
    
    "The ISP industry is being privately pressurised into revealing
    information that others would not reveal as a matter of course," says one
    senior ISP manager who has followed the police-ISP negotiations. 
    
    If the ISP industry were to go along with the current police position,
    then ISPs will soon be routinely sent electronic forms under the Data
    Protection Act, certifying that the police needed the information
    requested for the prevention or detection of crime. The forms were first
    introduced in 1994, but had to be extensively revised after being shown to
    the office of the Data Protection Registrar, Elizabeth France. 
    
    According to her office, the section of the Act being used "was intended
    as an exceptional measure and not as a routine tool . . . it should not be
    seen as an easier approach than a court order." 
    
    "We say it time and time again "information can only be released on a case
    by case basis. Fishing expeditions are not allowed", France said this week
    ‹ although they may have happened in the past. 
    
    "It is important that [e-mail] has the same level of protection for
    individuals as for any other communications ‹ mail and telephone calls". 
    
    Although the proposed Data Protection Act forms certify that the
    information is required for a specific case, they also say that
    information passed "may be used for any other investigation". The forms
    have to be countersigned, but do not require the signature of a rank
    higher than an inspector. 
    
    If successful, the Acpo initiative would mean that the contents of e-mail,
    unlike ordinary mail or telephone conversations, could when requested in
    this way be intercepted and read without a warrant from the Home
    Secretary. 
    
    It would also mean that it could be produced as evidence in court, unlike
    normal mail intercepts or phone taps. Police sources say, however, that
    they would not expect access to e-mail as it was being sent (as opposed to
    stored e-mail) unless they had a normal phone-tap warrant. But the Home
    Office is currently reviewing the Interception of Communications Act. Home
    Secretary Jack Straw revealed during this month’s emergency debate on
    terrorism that a review of the Act, including necessary technological
    changes, has been under way since July. It is understood that this
    includes reviewing whether or not e-mail should be treated the same way as
    ordinary mail. 
    
    The problem for ISPs is not that they object to court orders or police
    search warrants being used when they are asked for evidence of serious
    Net-related crime, but that the threat of disruptive police raids is being
    quietly used to obtain more extensive information, without legal powers or
    adequate justification. 
    
    "We've had any number of cases when police have come and asked 'tell us
    about all your subscribers who are living in Warwickshire' ", says one
    member of the Acpo-ISP group. The problems are that the information may
    not exist, may not be obtainable, or, if it did exist, would be illegal to
    hand over. 
    
    The worry for legal specialists is that public concern about paedophile
    activities in particular could result in ill-advised police-industry
    agreements sidestepping privacy laws and good practice. 
    
    "A mood of public alarm taken together with a poorly developed forensic
    science is the most dangerous combination imaginable for miscarriages of
    justice," says Peter Sommer, a computer forensics research fellow at the
    London School of Economics and defence legal specialist. "Those factors
    have historically led to some of the gravest judicial errors in our
    history." 
    
    This month's raid on the ISP may be a case in point. The company maintains
    that the police went for the wrong target, based on a misunderstanding
    about how its part of the Net was engineered and whether or not its
    employees would have known what specific users were doing. 
    
    Since "computer forensics is in its infancy", says Sommer, the right way
    forward is to legislate and to introduce codes of practice such as are
    already in use under the Police and Criminal Evidence Act. "We need to
    regularise law enforcement access to and use of computer-derived evidence. 
    The result will be all the stronger for having been the result of
    democratic scrutiny, rather than cosy discussions between a police lobby
    group and a few ISPs." 
    
    Police officers face serious problems investigating Net-based crime, given
    the diversity of size, sophistication and outlook among ISPs. Even if Acpo
    does obtain a "memorandum of understanding" signed by key industry bodies,
    this would not be binding on any company providing services. Many on the
    ISP side say privately that the description is inappropriate. They have
    asked Acpo to reconstitute the proposed "agreement" as a "guide to best
    practice" in providing information to the police. 
    
    Further problems were highlighted at a meeting between police, Home
    Office, MI5 and industry specialists held at Scotland Yard three months
    ago to discuss what information ISPs could and should make available. The
    police and government side asked for "all e-mail sent in the last week to
    be recorded as a matter of routine". Another "desirable facility" was "the
    ability to turn on logging of all incoming e-mail for a customer account". 
    
    But the ISP representatives explained that these records were not normally
    kept at many ISPs and that creating them for routine police or MI5 use
    would be costly. The ISPs were however "happy to do work that has little
    or no cost implication and is clearly legal". 
    
    Detective Chief Superintendent Keith Akerman of Hampshire Police, chairman
    of the Acpo computer crimes group, told Computing magazine: "We want to
    ensure the criminal doesn't take best advantage of the Internet, without
    government using the sledgehammer of regulation." 
    
    Acpo was unwilling this week to release any drafts of the proposed
    memorandum of understanding, or to provide copies of the form that Acpo
    has already drafted to be used by police forces seeking Net information.
    The form is based on a system now widely used to get lists of telephone
    numbers called from BT and other telecoms providers without Home Secretary
    warrants or court orders, which was revealed in OnLine in September last
    year. 
    
    Apart from suspicion in some parts of the industry and reluctance in
    others, the Acpo and government initiative to access e-mail information
    also faces the problem that a new EU directive on communications privacy
    comes into force in less than two months. The directive says that: "Member
    States shall ensure via national regulations the confidentiality of
    communications by means of public telecommunications network and publicly
    available telecommunications services. In particular, they shall prohibit
    listening, tapping, storage or other kinds of interception or surveillance
    of communications, by other than users, without the consent of the users
    concerned, except when legally authorised." 
    
    "There's not much left for a 'memorandum of understanding' to cover," says
    LSE's Sommer. He suspects that, with the directive, a new Data Protection
    Act and a Home Office review of the interception of communications act due
    in the next three months, the "cosy agreements" between Acpo and ISPs may
    be as futile to the police as they are aggravating to Net civil liberties
    and privacy campaigners. 
    
    
    
    
    TWO YEARS OF POLICING THE NET
    
    2 August 1996
    Following a rash of child porn investigations, the Metropolitan Police
    invite Internet service providers (ISPs) to a seminar at New Scotland Yard
    to discuss how to deal with obscene material on Net newsgroups.
    
    9 August 1996
    Letter from Metropolitan Police Clubs and Vice unit to ISPs circulates
    veiled threat: "We trust that with your co-operation and self regulation it
    will not be necessary for us to move to an enforcement policy." A list of
    200 sex-related newsgroups was appended to the letter. Worried ISPs quickly
    start ad hoc meetings with police to try and agree a modus vivendi.
    
    September 1996
    Internet Watch Foundation launched with government backing to consider
    curbs on Net content, with particular reference to child pornography.
    
    October 1996
    National Criminal Intelligence Service (NCIS) launches Project Trawler to
    study the extent of criminal use of the Net,and the methods law enforcement
    officials should use.
    
    May 1997
    NCIS announces results from Project Trawler, and requests urgent action to
    introduce laws enabling police to intercept and monitor e-mails. No action
    is taken because of the election.
    
    May 1998
    Acpo (Association of Chief Police Officers) and major ISPs plan seminars to
    promote informal agreements for police access to e-mail and Net
    information.
    
    18 June 1998
    Meeting at New Scotland Yard between Home Office, MI5, police, BT and ISP
    representatives discusses law enforcement requirements for Net information,
    including stored e-mail and logs of Web usage.
    
    2 September 1998
    Police raids on 11 sites in Britain, including one major ISP, seize child
    porn material connected with a US Web site called "Wonderland"; 30 others
    arrested in 12 other countries.
    
    22 Sept 1998
    First Acpo seminar in Edinburgh aims to win industry acceptance of
    "memorandum of understanding" allowing automated access to ISP information.
    [Duncan Campbell is a freelance journalist and not the Guardian's crime
    correspondent of the same name]
    
    
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:04:53 PDT