[ISN] ZDNet UK 26/10/2001: "Home Office admits data retention plans"

From: InfoSec News (isnat_private)
Date: Thu Nov 01 2001 - 02:09:04 PST

  • Next message: InfoSec News: "[ISN] Full Featured DVDs Now Including Virii?"

    Forwarded from: Jei <jeiat_private>
    ---------- Forwarded message ----------
    Date: Sat, 27 Oct 2001 10:53:01 +0100
    From: Caspar Bowden <cbat_private>
    Reply-To: ukcryptoat_private
    To: 'Ukcrypto' <ukcryptoat_private>
    Subject: ZDNet UK 26/10/2001: "Home Office admits data retention plans"
    Guy Kewnyey seems to havenailed what 
    ..have missed
    Caspar Bowden                           www.fipr.org
    Director, Foundation for Information Policy Research
    Tel: +44(0)20 7354 2333 
    Home Office admits data retention plans
    18:25 Friday 26th October 2001 
    Guy Kewney   
    A voluntary code of practice governing how ISPs store data for law
    enforcement agencies could be replaced with sweeping powers for the Home
    The Home Office has admitted that it plans to reserve extra powers to
    force ISPs to retain data about customers if its current "voluntary code
    of practice" proves inadequate to deal with terrorists. 
    New legislation is proposed, probably for late November, to deal with
    the terrorist threat. Officially, the Home Office insists that the only
    change for Internet users will be to "enable" data retention for longer
    periods, and for purposes of law enforcement. 
    However, civil servants have now admitted that if the system doesn't
    work, the Home Secretary will be able to extend his powers, as
    appropriate, without further primary legislation being needed to do so. 
    Officially, the Government has not published any information on this.
    This week, it held meetings with the CBI and with the Internet Service
    Providers' Association (ISPA) as a result of which the ISPA was
    authorised to publish the following information: 
    "Contrary to previous reports and speculation, the Government explained
    that it wanted to consult industry on proposals for a voluntary Code of
    Practice," said the bulletin. This code of practice "will provide
    greater clarity for service providers and law enforcement agencies
    regarding the types of data currently held for legitimate business
    purposes and the length of time such data may be retained for reasons of
    national security within the scope of Data Protection law. The
    Government confirmed that data retention would not be mandatory." 
    The "previous reports and speculation" referred to by this bulletin
    resulted from a leaked proposal from the National Criminal Intelligence
    Service, asking the Government for hugely expanded surveillance powers.
    The ISPA bulletin appears to be an official Government assurance that no
    expanded powers will be sought. 
    The Home Office admission doesn't directly contradict that assurance,
    but it does raise the question of why officials are planning reserve
    powers, and of why they didn't admit this right from the start. 
    It also leaves wide open the question of what reserve power might be
    deemed appropriate, and Home Office staff refused to discuss this,
    saying that "the Home Secretary would have to ask Parliament for any
    further powers." 
    One source very close to the Government told ZDNet UK that, "it is
    impossible to believe that the data currently being collected by ISPs is
    of very great usefulness to law enforcement, since it is restricted by
    European law." 
    Currently, ISPs are not permitted to keep more than the minimum data
    required for billing purposes -- which is, normally, the IP address of
    the user and how long they are logged on for. It might also include the
    IP address they are logged on to, and, for security purposes, data such
    as the Radius security server log. 
    Officially, the ISPA is very supportive of the Home Office initiative,
    and the Home Office says that the information the industry has already
    supplied has proved "very helpful" in surveillance of terrorists. 
    This leads some experts to suggest that some of the ISPs may well have
    gone beyond what European law entitles them to do. 
    It's been pointed out that there is data which is stored on their
    servers, but which can't legally be disclosed -- such as the contents of
    mailboxes, which can be left with messages for weeks or months until
    they are purged. "If they didn't actually provide the data, then one
    might suggest that they failed to prevent access to it," said one email
    "There is almost certainly nothing sinister in the intentions of the
    Home Office," said a consultant who advises the Government on IT
    matters. "However, the Home Office is advised by a great many people,
    and not all of them are primarily concerned with public privacy matters,
    and they have their own agenda." 
    The concern is that the Home Secretary may obtain powers, under the
    proposed November anti-terrorism bill, which will enable him to simply
    put forward a resolution at a later date which might extend the current
    voluntary proposals. 
    The extension could be literally anything, said an expert on
    legislation. "It could call for data to be held longer than the 12
    months which the Home Office is currently thinking of. It could call for
    different types of data. And it could call for the voluntary code to be
    made compulsory." 
    The Home Secretary can obtain reserve powers in one of two ways. The
    first allows him to put forward a resolution, which has to gain
    Parliamentary approval within a month, or is lost. 
    The other way allows him to gain automatic acceptance of the resolution
    provided nobody objects within a month. 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 04:32:27 PST