RIP Extension Consultation

Published by Owen Blacker
Access to Communications Data: Respecting Privacy and Protecting the Public from Crime

A consultation response from the volunteers at Stand.org.uk

In 2002, the British government published the "Regulation of Investigatory Powers (Communications Data: Additional Public Authorities) Order", to an overwhelmingly-critical reaction.

The Home Office held a public consultation into a replacement order the following year, and this is the response from Stand.org.uk, which I co-wrote and edited.

Published by: Owen Blacker on Apr 14, 2009
Copyright: Attribution Share Alike


stand

Access to Communications Data
Respecting Privacy and Protecting the Public from Crime

A consultation response from the volunteers at Stand.org.uk

Introduction
Stand is a voluntary group who seek to increase democratic involvement in the legislative process through the use of technology. In particular, we’re interested in using the Internet to place Parliament and government in touch with informed citizens who have strong opinions, and long-standing knowledge, on issues regarding the Internet, new technology and the ramifications of the digital revolution.

Part of the rôle of Stand is to provide tools for concerned individuals of every political persuasion to provide their view directly, in ways and media convenient to our current democratic process. Another is to collate the concerns en masse that we receive from unaffiliated members of the public and seek to distil them in an aggregated form that might more easily be digested by the government’s already overstretched civil service.

We were initially cautious when the government announced the consultation on extending the bodies that have access to communications data under the Regulation of Investigatory Powers Act 2000. We were rather disappointed that the government felt that the issue was not already appropriately covered by the RIP Act, especially given that was the stated intention of RIP when it was introduced.

Given the widespread public alarm at the somewhat understated introduction of these measures last summer, however, we were pleased to see that the Home Office is living up to its promise to consult widely on these understandably contentious issues, rather than just trying to introduce them on the quiet, under the public’s radar.

Many of the points raised in the consultation document show a much better understanding of the public’s fears in this area. We do feel, however, that some of the other points are still controversial and merit further discussion.

We are also aware that some of the information about the agencies in question — particularly the volume of comms data they process and the relative number of investigations that have made use of comms data — is relatively obscure, despite being in the public domain. This is self-evidently not helpful to public debate, though we are grateful for the attempts the consultation’s authors have made to provide some elucidation in this area.

We are more than happy for any of our comments in this report to be made publicly available, in any forum. We ask that, in any citation, they be attributed to Stand.

This report is, as we have mentioned, a group effort, edited by Owen Blacker with a great deal of help from James Cronin, Cait Hurley, Manar Hussain, Malcolm Hutty, Tom Loosemore, Stefan Magdalinski, Danny O’Brien, Alaric Snell and Stuart Tily.

This report is released under version 1.0 of the “Attribution-ShareAlike” licence, from Creative Commons. Readers wishing to see the full version of the licence should visit Creative Commons’ website at http://creativecommons.org/.

Readers viewing a printed copy of this document should be aware that italicised and underlined text is hyperlinked in electronic copies and that further reading is available on these subjects. If no electronic version is at hand, a full copy should be available for download from our website at http://www.stand.org.uk/.

Similarly, several terms used in this document may be unfamiliar to some readers. We have compiled a glossary of some of these terms, and explanatory notes about organisations to which frequent reference is made. References to the glossary, which can be found at the end of this document, are highlighted with dotted underlines on the appropriate terms.

Readers unfamiliar with some of the background to this consultation may also find Annex B of the consultation paper of great interest, as it covers the legal framework surrounding RIP, including the “relevant public authorities”, some of whom already have access to comms data (and intercept data) under the current RIP régime and some of whom have such access outside the remit of RIP.

Page 2 of 27

Table of Contents
Introduction
Table of Contents
Public authorities and access to communications data
  2a Additional public authorities
  2b Police bodies
  2c Emergency services
  2d […] Specialised offences or conduct
Balancing privacy with protection of the public
  3a Necessity
    In the interest of national security
    For the purpose of preventing or detecting crime or of preventing disorder
    In the interests of the economic well-being of the UK (where there is a direct link with national security)
    In the interests of public safety
    For the purpose of protecting public health
    For the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department
    For the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health
    Further comments
  3b Proportionality
  3c Criteria
  3d Safeguards
    Specifying clearly the persons designated to seek access to data
    An accreditation scheme for certain individuals with access to comms data
    Compliance with a statutory code of practice
    Oversight by the Interception Commissioner
    Sanctions for the abuse of powers to access comms data
  3e Getting the balance right
  3f The restricted access and double lock options
  3g Double lock on restricted access
    Judicial authorisation
    Prior approval by an independent third party
    Requiring the police to make requests and conduct investigations on behalf of public authorities
    A certification scheme for public authorities with access to communications data
  3h The short list option
  3i Implementing an access régime […]
Striking the right balance
  4a A timely issue of growing importance
  4b Exploring more than one balance?
  4c How can technology help us defend the law and protect privacy?
  4d How do we maintain the balance?
  4e Privacy and publicity
Annexes A & B
Annexes C & D — A broader debate on privacy and intrusion
Annex E — Questions for a broader debate
  E1 Is there a contradiction between “my privacy” and “someone else’s privacy”?
  E2 What protection can the citizen expect to maintain a balance between their privacy and a safe society?
  E3 When, and how far, should public authorities be permitted to intrude into a person’s privacy to investigate crime?
  E4 How can LEAs secure public trust in their use of privacy-invasive techniques?
  E5 How can the public benefit in interfering with privacy rights be demonstrated?
  E6 How can detrimental effects on privacy be addressed and mitigated?
  E7 How can reassurance be provided publicly about the conduct of ongoing and proposed privacy-invasive activities?
  E8 Should unlawful privacy violation be clearly acknowledged as a crime?
Glossary
  APIG
  Article Six
  Article Eight
  ATCSA
  Common law
  Communications data
  CSP
  Data retention and data preservation
  DPA
  Echelon
  ECHR
  FIPR
  GTAC
  HRA
  IoCA
  LEAs
  ISP
  NTAC
  PACE
  RDQ
  RIP Act
  SDEA
  SI
  SPoC
  Purpose creep
  UKAEAC
  UK Crypto

Public authorities and access to communications data
One of the points made in the preamble to Chapter Two is that many of the public authorities in last year’s Statutory Instrument already have access to comms data using existing statutory powers. The Home Office posits that the reason for the overwhelmingly-critical reaction to the publication of the RIP (Comms Data: Additional Public Authorities) Order 2002 was that the public would have been more comfortable had they known that this was the case.

We would suggest that the public is more concerned about their perception of what is being done in their name. When RIP was introduced, we were told it was a means to regulate all investigatory powers. Not least, given the explicit list of bodies enumerated in Schedule One, regarding sections 28 and 29 of the Act, we do not believe it was unreasonable to assume that this was exhaustive, that this was the full extent of the government’s desire to observe and collect data about us. Much of the concern about last summer’s Order, we believe, was due to the public’s discovery that this was not the case. We believe that the public was, understandably, very alarmed at the quantity of people entitled to find out this information about them.

We believe the Home Office is wrong in its assertions that adding public authorities and bodies who already have statutory powers of access to the RIP régime would not extend or restrict any powers — quoting chapter two’s paragraph five on page ten — and that this is the salient point. We believe the public are intelligent enough to realise that the misleading statements about the initial scope of the RIP régime during its passage through Parliament contrast dramatically with the intention of last summer’s Order and that the powers that were not enumerated in RIP might well be considered, in part at least, unacceptable.

It is our contention that many of these fears could be allayed, in part, by filtering such powers through a central body, such as NTAC, which would have the added advantage that there would then be a much smaller number of SPoCs with whom CSPs would have to work. Indeed, it was our understanding that the very purpose of NTAC was to fill rôles such as this, where it would be inefficient and impractical for numerous organs of state to be required to employ individuals with sufficient knowledge and experience to be able to liaise with private sector bodies on matters technical.

We appreciate the irony — so much of RIP was, badly, in our opinion, left to secondary legislation, but one of the few parts that’s in the primary legislation is one of the main issues we would suggest needs amendment. We are heartened to see APIG’s suggestions for such a process.

Similarly, the Home Office has suggested that last summer’s Order was misunderstood and that it was never the intention to give all the listed bodies access to the whole range of data and metadata. Apparently, there was to be a second SI that would have limited the powers of each authority to being able to request only the data that would be relevant to their purpose. We would suggest that it would be better to allay the public’s fear and suspicions by conflating these two SIs into one Order, enumerating both who has powers under RIP and which powers each body possesses.

The consultation document states (in paragraph six, chapter two) that the Home Office “[does] not anticipate implementation of Chapter II of Part I of RIPA leading to a dramatic increase in the number of requests for communications data, or a change in the profile of type of data being accessed” and goes on to state that “approximately 90 per cent of all requests for communications data are for subscriber information.”

We suggest that explicit revocation of powers contained in other legislation and in common law would be a suitable means to demarcate which bodies have which powers. As it seems that new primary legislation might be required in order best to implement the provisions discussed in this consultation, we would like to suggest that such legislation should state that any powers not contained in that Bill, RIP or IoCA (as amended) are implicitly repealed. It is our belief that a single clause, sufficiently worded, could effect such a change and would lead to much greater transparency in our interception régime, helping citizens understand their Article Eight rights and the ways in which the State may lawfully interfere with them in the name of the public good.

2a Additional public authorities
The consultation document mentions that there are three categories of additional authorities — police bodies, emergency services and “agencies or public authorities with functions to investigate specific and often specialised offences or conduct”.

Whilst we will deal with each of these in turn, it is worthy of note that one of the issues that could do with being resolved here is the nature of law enforcement in the UK. A part of the public’s alarm at last summer’s proposals could well be down to a general and widespread lack of understanding of the number of bodies that enforce our legal system. There is certainly an argument for a wider public discussion about the nature of law enforcement in the UK, where much of the public might support returning such powers to the Police, using peripatetic experts in food standards or fraudulent trading, for example.

Given that this is quite a radical suggestion, it might be more realistic simply to devolve the data-gathering rôles of these public bodies to Law Enforcement SPoCs (or, perhaps, NTAC). This would allow all these bodies, none of which handles a persuasive quantity of comms data, to benefit from the expertise and training given to existing SPoCs, rather than posing the risk that many agencies would perpetually have a slow trickle of cases every year, leaving their staff unable ever to become experienced or well-practiced in handling comms data. It cannot be in the public interest for officials who can only ever be inexperienced to be handling such sensitive data, when people are justifiably concerned about their privacy in the process.

2b Police bodies
The SDEA is, presumably, an oversight from the purview of RIP. It is easy to understand that SDEA has a genuine need for comms data and, whilst it’s somewhat disconcerting that this body was evidently overlooked during the passage of RIP through Parliament, it is difficult to argue that this body has any less need for powers under RIP than the equivalent parts of the Metropolitan Police.

The other police body mentioned by name is the UKAEAC. The consultation paper prefixes its description of the circumstances under which the UKAEAC requires comms data with the phrase “on the rare occasions when intruders may breach perimeter security controls and are arrested within nuclear establishments”. Given the same arguments can apply here as apply with the smaller public authorities we mentioned above and will expand upon below, and given the more-controversial nature of the premises guarded by the UKAEAC, we do not feel the arguments for granting access to comms data under RIP are persuasive. There is a much greater potential for political abuse and interference with Article Eight rights of legitimate protesters — groups who are already concerned about abuse of the powers under RIP.

As a result, it seems prudent to recommend that any access to comms data for the UKAEAC should be handled in association with the local police force, who already have such access. It does not seem unduly onerous to require that, in the event of a break-in to Dounreay, for example, the Northern Constabulary should handle all requests for comms data on behalf of the UKAEAC.

2c Emergency services
The emergency services are the only bodies that have a demonstrable — and easily understood — need for mobile phone location data, one of the classes of comms data to which bodies are granted access under RIP. It is quite clear that interrupted 999 and 112 calls are a non-privacy-invasive circumstance where location data could be provided by mobile phone service providers. We believe that location data should be excluded from all other RIP access requests as a matter of course, so that the provision of these data to the emergency services should be legally as exceptional as are the circumstances requiring it.

Hoax calls are, arguably, a separate matter. The kinds of comms data required in the investigation of hoax calls are almost invariably subscriber data and not location data. Furthermore, as the consultation document mentions, “the police usually tackle hoax calls made to the ambulance services”. We understand that police forces are unlikely to consider hoax calling a priority, but we feel that the investigation of such abuse of our emergency services would more properly be handled by LEAs, rather than the emergency services themselves, and that it would be sensible, thus, to exclude the emergency services from accessing comms data in these circumstances. This would, similarly, help with the situation explained above, where comms-data–acquiring bodies are unable to become proficient in handling these data and the issues involved therewith.

2d […] Specialised offences or conduct
As we mentioned earlier, one of the main causes of the public’s outcry, when presented with last summer’s SI, was the long and extensive list of public authorities, each with responsibility for pursuing narrow classes of criminal behaviour. It is almost incomprehensible to much of the British public that quite so many bodies are involved in enforcing our laws but, as we described above, changing that would be a much larger issue. Requiring that all these bodies — from the Financial Services Authority to the Rural Payments Agency, from the Medical Devices Agency to the Royal Mail Group plc — go through an interceding body, presumably NTAC or something similar, does not strike us as an onerous obligation. Furthermore, such a constraint would well suit the public interest, both protecting our Article Eight rights and improving the efficiency of all these agencies in handling comms data, by allowing the greater experience of trained SPoCs to handle the acquisition and interpretation of this often-complex information.


Balancing privacy with protection of the public
3a Necessity
We welcome the Home Office’s assurance, in paragraph three of Chapter Three of the consultation paper, that “the Government does not intend to add any further purposes” to the list of reasons for which comms data may be accessed under section 22(2) of RIP. We are a little uncomfortable with some of the justifications already permissible — and raised these concerns during the passage of RIP. For the sake of completeness:

In the interest of national security
This can, on occasion, be interpreted as a relatively broad term, but that is not really an issue that could or should be addressed in this context. It is entirely right and proper that National Security concerns should be a justifiable reason for accessing comms data.

For the purpose of preventing or detecting crime or of preventing disorder
“Preventing disorder” seems particularly ambiguous to our mind. We would be more comfortable if these words were removed from RIP in any primary legislation that should pass through Parliament to amend RIP, the Terrorism Act 2000 or ATCSA. On a similar note, we feel that the reference to “crime” should instead be a reference to “serious crime”, a distinction that is well-defined elsewhere.

In the interests of the economic well-being of the UK (where there is a direct link with national security)
We are uncertain how this differs from the previous national security justification, unless it is to allow the kinds of rather dubious intelligence of which the US government was accused regarding the Airbus negotiations in the 1990s. In that instance, the CIA was accused of using the Echelon system to spy on the French company Airbus’s negotiations with Saudi Arabia, to the financial advantage of several US companies, which won the contracts in Airbus’s stead. We are concerned that such semi-legal — and certainly duplicitous — measures might be legitimised by RIP.

In the interests of public safety
Another rather vague term, in our view; we would rather any such data requests required judicial oversight — even if the case were to be held in camera — so that the merits of any such case could properly be watched over.

For the purpose of protecting public health
Again, a relatively disconcerting justification; this is another instance where we believe judicial oversight should be considered imperative for the protection of subjects’ Article Eight rights.

For the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department
The idea that people’s telephone calls might be monitored over a parking ticket raises concerns in the minds of many members of the public. We believe that this reason should be restricted to the collection, or possibly also assessment, of taxes, duties, levies etc over a certain value.

For the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health
This clause is, presumably, designed to allow 999 and 112 operators to acquire location data for interrupted calls. As was discussed above, we feel this use of metadata should be dealt with separately from the other comms data acquisitions in RIP. Location data and emergency calls are suitably different from all other comms data accesses that they should be dealt with separately under law, in our opinion.

Further comments
We welcome the Home Office’s assurance in paragraph 25 of Annex B that “the Government does not intend to add any further purposes to this list”. Given the existing breadth of the list and the concerns we have just espoused thereupon, we would be particularly concerned if there were any attempt to add new purposes in the future.

3b Proportionality
The proportionality requirements are very welcome. Our only comments regarding them echo remarks made by Professor Douwe Korff at Scrambling for Safety 6, hosted by FIPR and Privacy International at the LSE on May 14, 2003.

One of the points Professor Korff examined at length was that the requirement, under EU laws and treaties, for proportionality, when a state interferes with the fundamental rights of any of its citizens, is a requirement to be considered in the individual case. It would not be acceptable for Parliament to argue for blanket data retention provisions, for example, in his legal opinion, as any measures such as this would have to be proportionate in the individual case, not just generically so.

Indeed, this issue is mentioned in paragraph N of Annex C, the discussion of “Privacy concerns for a broader debate”:

“The collection of data about everyone, on the off chance they may become a suspect, is less productive and more intrusive than collecting data about suspects.”

3c Criteria
Overall, the combination of criteria seems to be one of the better parts of the legislation. We are still concerned, however, at the breadth of the criterion “a public authority within the meaning of section 6(3) of the Human Rights Act”:

6(3) In this section “public authority” includes —
(a) a court or tribunal, and
(b) any person certain of whose functions are functions of a public nature,
but does not include either House of Parliament or a person exercising functions in connection with proceedings in Parliament.

6(4) In subsection (3) “Parliament” does not include the House of Lords in its judicial capacity.

6(5) In relation to a particular act, a person is not a public authority by virtue only of subsection (3)(b) if the nature of the act is private.

It would seem to us that this could potentially include a very wide range of individuals including, for example, any privatised utility — the very intention of the HRA, to our knowledge.

3d Safeguards
The safeguards under RIP were of some controversy during the Act’s passage. Some of them are well-intended and well-worded, others are pretty ineffectual and, in our opinion, inadequate.

Specifying clearly the persons designated to seek access to data
Whilst we believe the list of people currently designated to seek access to comms data under the RIP régime to be overlong and inadequately narrow to perform suitable protection of the civil liberties issues around data acquisition, the existence of a specific list in the primary legislation is reassuring. We are heartened by the consultation paper’s suggestion to define the newly-designated persons quite tightly; we still believe, however, that it would be a better idea to devolve these other public authorities’ powers to another body, such as NTAC.

An accreditation scheme for certain individuals with access to comms data
All individuals with access to comms data should be trained, vetted and accredited, as is (in part) the case with SPoCs now. We are disappointed that a requirement for such accreditation was not included in the primary legislation, but its inclusion in the secondary legislation should certainly be considered essential.

Compliance with a statutory code of practice
The existence of the code of practice is A Good Thing. That failure to comply with the code of practice is not subject to harsh penalties is, in our opinion, a serious oversight on the part of the Home Office during the Act’s passage. It is worthy of note, however, that the Draft Code of Practice was published over 18 months ago and seems to draw very little attention now. As it does not seem to be a priority, we venture that it is likely to be considered toothless.

Oversight by the Interception Commissioner
There is widespread cynicism about Sir Swinton Thomas. Indeed, it was seriously posited at Scrambling for Safety 6 that he might not even exist. Given that he is the public servant charged with protecting our liberties and overseeing all the interception — both of communications data and surveillance data — undertaken by virtue of RIP, it is most disconcerting to see the evidence of a culture of opacity that seems apparent from his communications with Simon Davies of Privacy International (who have archived these communications online, at http://www.privacyinternational.org/countries/uk/surveillance/interceptioncomm.html). It is most alarming that the public profile of Sir Swinton is so obscure, making it impossible for people to gauge how well he performs his duties. Reading his recent report, one could argue that he seems to be a yes-man for the intelligence community; a cynic might suggest this is exactly the rôle he is meant to play. We are not overly confident that Sir Swinton Thomas provides adequate oversight for interception under RIP; much less do we believe that he would be able to do so here.

Sanctions for the abuse of powers to access comms data
It is widely considered the case that sanctions against civil servants tend to be quite weak, that the Civil Service “protects its own”. Chapter II of RIP appears to contain no mention of sanctions for the abuse of powers given thereby, something we consider to be very poor. As the consultation document suggests: “there is no explicit offence under RIPA to cover deliberate, criminally-motivated misuse of the access to communications data provisions. This is an issue that may need to be addressed to send a strong signal to those entrusted to use these powers that abuse of an individual’s privacy is unacceptable.” (Chapter Three, paragraph 18). We concur most whole-heartedly.

The main sanction for such abuse is under section 55 of the DPA. There is no mention of the scale of penalties suffered for contravening this section of the Act. We consider this a thoroughly insufficient deterrent.

3e Getting the balance right
It is self-evident that the balance was incorrectly set, in last summer’s Order. The Home Office concluded (Chapter Three, paragraph 21):

“The original Orders were too permissive. They allowed a long list of additional public authorities access to the full range of communications data. While we are satisfied that all of the additional public authorities covered by the withdrawn Order have a legitimate need to access communications data, it is not clear that in every case access to all types of communications data is demonstrably proportionate.”

We believe this is a further reason for access to comms data for the additional bodies to be filtered through a secondary agency, such as NTAC. We are pleased to read that the Home Office has been exploring options for a more restrictive approach. We are particularly gratified to see the idea mooted of “prior scrutiny […] by an independent third party”, though we would like to remind the Home Office, in case they had forgotten, that “independent third parties” that perform “prior scrutiny” are more usually referred to as the judiciary, whose lack of rôle under RIP was a point of no little contention during the Act’s passage through Parliament. That the majority of additional authorities would only be able to access limited types of data — RDQs and service use — is also an encouraging point.

3f The restricted access and double lock options
We remain unconvinced that restricting access for public authorities to the specific statutory purpose “to prevent and detect crime” is all that restrictive. We are still worried about the potential for abuse, particularly given the record of state officials with access to sensitive data about citizens having abused that power, as we discussed in our report on ID cards (available on our website at http://www.stand.org.uk/StandIdCardReport.doc). We are encouraged by the idea of more specific restrictions, such as the “to prevent and detect crime in relation to environmental health”, mentioned in paragraph 26 of Chapter Three. We believe, as we have already mentioned, that every enumerated body should have listed under which prior Acts they have power to gain access (though we’d rather these powers were repealed, as discussed earlier) and which classes of criminal investigations for which they are responsible and pursuant to which they have powers under RIP. As paragraph 28 explains, “tailoring the restriction to each public authority addresses directly the issue of proportionality of access”, at least in part (though the proportionality must, of course, be in the individual case, not generically so). We also believe that state employees should be explicitly reminded that torts are not acceptable grounds for access to comms data and that, should they use RIP powers to gain data access regarding a tort — either in person or as a class action — that they would be subject to criminal sanctions, the strength of which, as we stated previously, should be augmented. 
Paragraph 28 also raises the point that “any restriction could be reviewed if it became clear that a public authority was able to demonstrate to Parliament that their operational requirements had changed, justifying necessary and [generically] proportionate access to a previously restricted type of data.” We feel it important to insist, here, that any such change should explicitly require the positive assent of both Houses, unless a new Act were to be considered more appropriate.

3g Double lock on restricted access
Four potential additional safeguards are mentioned in the consultation paper:

Judicial authorisation
That Parliament “chose to impose executive warranting rather than judicial warranting for the most intrusive type of surveillance — interception of communications content — in both RIPA and its predecessor, the Interception of Communications Act 1985” (paragraph 32) was a matter of some great controversy at the time. We believe Parliament was mistaken in its view and that this issue should be reopened for a wider public debate. We are aware that “there appears to be consensus that granting access to […] telephone subscriber information […] would be an inappropriate and burdensome duty on the courts” (paragraph 33). We do not feel that providing judicial oversight of RDQs would be a good use of our court system.

We do take issue with some of the points that are given in argument of this point in para 33, however. That “the introduction of judicial warranting of powers under Chapter II of Part I of RIPA would be inconsistent with the rest of the Act as agreed by Parliament” would hardly be an issue, in our opinion, should Parliament assent to such a change. The contention continues: “and which, as it stands, is compatible with [the] Human Rights Act 1998 and ECHR obligations”, a point which, of course, is yet to have been tested in the courts. Another such case is made in that PACE orders “provide for cost recovery only at the discretion of a Judge and no requirement to go via a SPoC, and so are not favoured by communications service providers”. This, of course, is something else that could always be rectified by subsequent action by Parliament.

The consultation paper is astute in its observation that “there remains concern that access to communications data other than service user data should require prior approval from some form of judicial body”. Paragraph 34 continues:

“If any responsibility in this area were to be transferred to the judiciary, training would need to be provided, to ensure that judges understand the issues that surround it. This would comprise not just technical knowledge but also matters such as how and why communications data [are] useful, the resource implications of a requirement for communications data, and so on.”

We felt this bore repeating; we couldn’t have put it better ourselves.

Prior approval by an independent third party
In the view of the consultation paper, “the Office of the Interception of Communications Commissioner could fulfil this rôle”. We disagree completely. Aside from the issue of executive, rather than judicial approval, which we fear could conflict with Article Six rights; our views regarding the public profile of Sir Swinton Thomas and his efficacy in critical oversight of interception were expounded earlier. The consultation document itself, in the final part of para 37, suggests that such a rôle for Sir Swinton could provide “scope for confusion between the Commissioner’s rôles for statutory oversight and non-statutory prior approval”, as well as para 36’s mention of the need for additional resources that would be required. Furthermore, as we wrote above, we already have independent third parties who provide legal opinions and approval; we call them judges.

Requiring the police to make requests and conduct investigations on behalf of public authorities
The consultation authors seem to attempt to wax lyrical, in paragraph 38, about the potential problems in such a move, many of which we feel could certainly be alleviated by the use of NTAC in this rôle, a suggestion which, as we have already discussed, we would favour quite strongly. Further counterarguments, however, follow. That this might prove “a distraction from the core functions and responsibilities of the police, as set out in documents such as the national policing plan” is, frankly, a poor argument. An administrative and political problem such as this can be solved simply by Parliament expressing an opinion on the need to change such priorities, which could certainly be effected by any SI resulting from this consultation. Whether or not “the police lack the expertise to investigate properly many of the specialist crimes that fall to these public authorities” is another moot point — not least because all of the public authorities in question lack the expertise properly to acquire, process and interpret comms data. If training needs to be given somewhere, there’s little reason why members of our police forces could not be the beneficiaries. Equally, “the Police Reform Act 2002 specifically gives police powers to civilian investigators who will be better equipped to investigate certain, specialist forms of crime”, who we are certain would be more than happy to work with and under the auspices of the police or NTAC. Adding “a significant additional burden to police forces” is an issue for the Home Office to discuss with the Treasury. If these powers are essential to our way of life and maintenance of our society, we are confident the Treasury will not be reluctant to fund them, be they effected by public authorities, the police, NTAC or some other body completely.
Finally, we feel that the Home Office is underestimating the ability of the British people to think laterally (especially should the tabloid media be on-side) when para 39 states that “requiring the police to conduct all investigations that involve communications data might therefore seem a disproportionate response to the concerns that have been expressed about other public authorities having access to [those] data.” On the same note, we are not necessarily suggesting that some LEA body should conduct the entirety of any such investigation, just that they are the people with the skills to acquire, process and interpret comms data; it would seem foolish to ignore this point.

A certification scheme for public authorities with access to communications data
We are strongly in favour of all the issues mentioned around training, accreditation and certification in paragraphs 40–42.

3h The short list option
The consultation paper spends half a page rubbishing the idea that, perhaps, we should just not give these powers to the public authorities in question. Again, some of the arguments used verge on the facile. That Parliament might have “expressly given specific functions to these public authorities to investigate such crimes rather than the police” is a very poor argument. The point of a public consultation is to provoke public discussion of the issues and to feed the results of such a debate back into the law-making process. It seems naïve to exclude the option that Parliament might wish to change its mind on this issue, should the public seem to wish to have a wider debate about the enforcement of our laws. That “where public authorities excluded from the RIPA régime investigate serious crime, the police would have to become involved in the investigation” is again, to our minds, not necessarily a detrimental effect. Indeed, we are curious that the Home Office seems to be implying
that the police never become involved in such cases of serious crimes, something that suggests knowledge-sharing and skills pooling are rare events in our public services. “Taken to its logical conclusion, it could lead to calls for law enforcement and intelligence agencies to be restricted in this way, leaving noone able to investigate less serious crimes where communications data provides vital evidence [sic]”. Not only is this argument a case of reductio ad absurdum, but we are also quite confident in the ability of our legislators correctly to gauge the public mood in such a circumstance. Surely the Home Office does not wish to preclude that society might very well, at some hypothetical point in the future, genuinely wish to insist on such a change to the balance between privacy and law enforcement, between the individual and the state? If Parliament feels that, in our hypothesis here, such a shift would be ill advised, Parliament is quite capable of resisting calls to effect it. Another point raised here is that “to the extent public authorities not included within the RIPA régime were able to use other legislation to access communications data, it would undermine one of the main purposes of RIPA: the creation of a single ECHR–compliant regulatory régime for such access”. This suggestion, in our view, merely serves further to validate our suggestion that Parliament should authorise the explicit repeal of all powers to gather such data that are not enumerated in the primary or secondary legislation pursuant to RIP. In addition, this revisits our contention that part of the public’s alarm at last summer’s Order might have been due to the impression given, during RIP’s passage, that it was exhaustive — that no further powers would be sought.

3i Implementing an access régime […]
The putative “short list” is catalogued in paragraph 46. The inclusion of emergency ambulance services, fire authorities and the coastguard within a RIP régime would not, of course, preclude their powers still being explicitly limited to where there is an immediate danger of serious harm or loss of life. The SDEA and the UKAEAC are, of course, LEAs that were not included in RIP. We are uncertain why, subject to our reservations in section two of this consultation response, the RIP definition of law enforcement agencies could not be broadened to include these two bodies, where appropriate. Para 47 states that “for these authorities, the purposes for which the data [are] required would be frustrated if any type of data were inaccessible or access subject to a double lock”. We do not consider that, except in cases of time-limited emergencies, some oversight from outside the bodies in question would be inappropriate. The inclusion of Postcomm, the Postal Services Commission, in the erratum note for paragraph 48’s wider list, reminds us, of course, that it is entirely possible for individual authorities to have their access limited by type and by medium. Postcomm’s access can, obviously, be limited to postal data in any SI, without any problematic or detrimental effects to the ability for the organisation to perform its statutory duties. The same is the case for all the other bodies in this list. We are concerned by the idea, from paragraph 50, that “a public authority that has consistently demonstrated to the Interception of Communications Commissioner and the public that it uses RIPA powers to access communications data appropriately might be released from a requirement for prior scrutiny for all or some of its requirements for data”. We feel that prior scrutiny is good for both the public and the public authority. 
It is not merely an administrative burden that can be relaxed, but an integral part of the authority’s process. Unless there is some very persuasive, demonstrable need for this prior scrutiny to be waived — something we feel should be quite rare and very much the exception, rather than the rule — we see no reason for including such powers in upcoming legislation.


Striking the right balance
4a A timely issue of growing importance
We welcome the Home Office’s recognition that the issue of privacy and the collection of personal data is one of growing concern to the public. It is not a new issue, but is one whose sudden prominence has preceded many groups’ ability to form a constant view. This is a good thing. That the Home Office was able to reconsider, even at a relatively late stage, their own course of action shows that the issues contained can be fruitfully examined in public with a minimum of partisanship, and genuine choices can be made. It is a time of great opportunity for the present government to determine the landscape of how public policy will be made — not just for this Parliament, but for far into the future. And not just for law enforcement, but for all areas where privacy and public order clash. Our notes on the suggested questions to frame this debate are contained in Annex E. We do have some other comments, however, on the general approach to this wider debate, and additional questions that might be added.

4b Exploring more than one balance?
Co-operation with all sides at an earlier point helps, and indeed has helped, we believe, in the preparation of this document. The Home Office’s direct, individual and ongoing participation in online debates and with interested parties has helped clarify and widen the range of issues discussed. We’d like to take this further by encouraging future consultations to provide alternative scenarios, fleshed out by both proponents and opposers to the policy. It is easy to sit on the sidelines of policymaking and throw brickbats and spanners at the work of government. Similarly, it is simple for those in positions of power to publicise a false consensus by selectively choosing which opinions to include in the official debate. A document — or public deliberation process — that allowed all sides to present the advantages and disadvantages of alternate regimes would allow a more rounded viewpoint of this complex topic to emerge.

4c How can technology help us defend the law and protect privacy?
The questions government faces in establishing new policy in this area have, of course, come about through changes wrought by new technologies. The temptation to ease the difficult task of law enforcement by employing new methods of data collection and analysis is clear. It is all the more noticeable, then, that the proposed checks and balances on this expansion have largely been restricted to legal instrument, not technological control. We would like some part of the future debate to acknowledge that technological approaches may also help defend privacy, especially if supported with suitably well-defined Codes of Practice and legislative backing. For instance, no consideration has been provided in any document we have seen from the Home Office of approaches such as Translucent Databases (http://www.wayner.org/books/td/) or other non-proprietary, general approaches for ensuring that personal data can be both kept private in the general, everyday case, but unlocked by law enforcement under specific conditions. We understand that policymakers will often seek to “rise above” individual technological approaches in order to provide more future flexibility. But we do feel that this is one (of a growing number of cases) where the problems cannot be adequately defined except through recourse to the technology that creates it. And that the best way of ensuring balance is to provide technological checks and balances to all sides.

We know that the Home Office has many resources to draw upon when determining how technology may help law enforcement. We believe the same attention should be paid to how technology may provide checks on that power.

4d How do we maintain the balance?
One of the recurring “disconnects” during the debate between concerned groups and the Government on these issues was not of the current balance that can be struck, but how future administrations may disturb that balance. Much time has been spent by the Home Office to reassure worried groups that the current government has no intention of abusing the new powers it seeks. Many parties have responded poorly to this, not because they see the government as untrustworthy, but because they fear how these powers may be misused in the hands of less reputable agencies. In the broader debate, we would like to see this issue more pointedly addressed. In particular, in whatever regime is adopted, we would like every side to ask themselves the question “How would we know if this system was being abused? What signs would Parliament and the public observe if the balance shifted? What powers would they have to prevent an unwelcome shift? How could a more malicious agency seek to circumvent those controls?”

4e Privacy and publicity
Finally, we feel that the Consultation is accurate in its description of many of the concerns on these issues as being due to “the secrecy of surveillance”. We at Stand are very strong believers that open, public, transparent government is the solution to many of the ills which all sides fear from incorrect policy in this area. We wish to encourage all those who embark on this public debate to consider framing the question: “What is the minimum secrecy we can safely adopt in this area?”, and provide detailed explanations for their answer. Too often, the safe approach has been to maintain current or greater levels of secrecy in both the collection of data and the reasons for doing so. Even without public policy appreciably changing in this area, the explosion in the wealth and detail of personal data available to public bodies means that this topic has grown from an obscure adjunct to law enforcement to a vital issue for both the authorities and the public. The furore that led to this consultation is indicative of that change in the importance of all data collection. Whatever public debate follows this consultation needs to set itself the highest level of public exposure — and ensure the same for whoever takes on the weighty powers it considers.


Annexes A & B
Annex A is merely a list of experts and bodies that helped with the consultation document and bears no further comment. There are, however, a handful of points worthy of note within Annex B, regarding the legal framework. The subscriber information available under RIP includes “service users’ account information, including payment method” and “abstract personal records provided by subscriber to service provider (such as demographic information or sign-up data (to the extent that password or personalised service access information is not disclosed))” (paragraph 21). We are concerned that both these data are rather more privacy intrusive (and open to abuse) than the other pieces of information included there, which are mainly restricted to RDQ information and address details. In paragraph 27, it is stated that “the seniority of designated persons within an authority must be specified in an Order subsequent to one adding that authority to the RIPA régime”. We believe that, in the interests of clarity and transparency, it would make more sense to specify the two items together in the same SI. Paragraph 32 mentions that “although not a requirement under RIPA, the Home Office will insist that all notices should be channelled from relevant public authorities to CSPs via a Single Point of Contact (SPoC)”. We would very much welcome any measure in future primary legislation — which, as we have previously discussed, we feel is necessary in order to correct some of the less well-drafted parts of RIP — that would seek to establish the SPoC methodology in law and enshrine a requirement that public authorities should interact solely with SPoCs, where present within a CSP.


Annexes C & D — A broader debate on privacy and intrusion
We were particularly pleased to see the inclusion of these annexes in the consultation document. We are aware that much of the information in the following three annexes is the result of Simon Watkin’s discussions with the members of the UK Crypto mailing list, including more than one of the authors of this report. We believe the participation of Simon Watkin on the list is an exceptionally positive step and we hope that such interaction between the Civil Service and online communities and special interest groups, such as UK Crypto, is something that will be emulated across the board, in the formulation of public policy. As well as informing our public servants — as is evident from the inclusion of these annexes — this dialogue has similarly helped many of the list participants become better informed about the needs of the law enforcement and intelligence communities. One of the areas about which we have already expressed our concern is that of sanctions for abuse of powers by civil servants and public authorities. This issue has been mentioned frequently, in several disparate contexts, and is a perpetual concern of civil liberties groups. It is only because we are aware that these annexes are deliberately terse that the statement “examples exist where personal information has been disclosed, without respect for individual privacy” (annex C, subparagraph E) cannot be construed as glib understatement. Many people have expressed cynicism that such abuses are only ever punished with a slap on the wrist. Whether or not this is indeed the case, it must surely be incontestable that such abuses need demonstrably to be punished more severely. The issue raised in annex C’s subparagraph F primarily regards the matter of oversight. We are still troubled that the Home Office seems not to understand the concerns of many civil libertarians over the internal authorisation of privacy-invasive measures. 
It seems to us, as we have already mentioned, that the introduction of greater supervision is a simple, effective and, dare we say, obvious means of assuaging such fears. We do appreciate that LEAs have operational concerns in this area, however we are confident that the right balance can be found, protecting the privacy of our citizens without unduly hampering the operational capability of our public agencies. One of the ways in which this might be effected, as we have suggested throughout this report, would be for a central body, such as NTAC, to handle the acquisition, processing and interpretation of comms data for most of the agencies to which it is being proposed that the RIP régime should be extended. Purpose creep is another concern, as it is with any case where the state takes advantage of a technological advance. This isn’t to say, of course, that the state should not take such advantage — such a proposition would be just as ludicrous as suggesting that establishing a “Brave New World” would be the best way to ensure the security of our nation. The disquiet about function creep, however, is not unfounded. We are anxious that any expansion of the RIP régime to public authorities would be prevented from suffering further expansion with neither scrutiny from Parliament nor public consultation. This is exactly the reason why we have commented, elsewhere in this document, that any change to the list of agencies and bodies being granted powers under RIP — be they in replacement for statutory or Common law powers or otherwise — should require the positive assent of both Houses of Parliament. Similarly, any change to the list of purposes under which comms data may be sought should require rigorous scrutiny and consultation; indeed, we feel the list may already be too widely drawn. 
We look forward with interest to a judicial settlement of any controversy over these issues that may, once and for all, settle the provisions of the Regulation of Investigatory Powers Act 2000 with regard the Human Rights Act 1998 and the ECHR.

It is welcome to see that the Home Office is aware that the government, LEAs and the Civil Service “do not command the full trust of the public” — and it is the nature of the responsibilities of the Home Office that it might suffer the brunt of such distrust. Whilst this is, self-evidently, lamentable, it is only through demonstrable transparency of intent — as has been the case with this consultation exercise — that such a situation may be rectified. Item G in annex C puts one point quite eloquently, and we feel it bears repeating almost verbatim:

“Enabling a wide range of public authorities to undertake lawful invasion of privacy inevitably means less control over the use of these powers. Access to such powers should be graduated according to the degree of intrusion, and the courts […] should be involved in the authorisation of intrusive surveillance either for all intrusion or for that over and above a certain low level of intrusion.”

As we have stated more than once, we reject the idea that an organ of the Executive can efficiently perform such scrutiny. The dictionary tells us that the Judiciary is “the branch of government concerned with the legal system and the administration of justice”, compared with the Executive: “the branch of government that puts laws into effect”. The natural place for the independent scrutiny of the acts of executive agencies, such as the law enforcement community and the public authorities under consultation here, is in our courtrooms. We hope very much that this is, indeed, where this scrutiny will be effected. Another measure that will, perhaps, help with providing clear and transparent scrutiny would be the compulsory, post-facto notification to individuals whose data have been included in an investigation but against whom no charges have subsequently been laid.
If members of the public receive a letter to inform them that they were involved in an investigation as a result of the wrong number they answered a few months ago, they are less likely to worry about Big Brother looking in on them behind their backs. The repeal of legacy legislation is another issue we have revisited throughout this response. It is our assertion that the only way to ensure full compliance with the provisions of the ECHR and to ensure the public are aware of precisely which agencies have which powers is to repeal all non-RIP powers providing for the acquisition of comms data (and interception data, for that matter). The explicit statement that any powers not enumerated in RIP (or, at most, PACE, in addition) are revoked would greatly aid the public’s understanding of the ways in which the state needs to infringe on our Article Eight rights. Most people understand and accept that such infringements are necessary for the public good — that we can’t catch drug dealers without following the pattern of their phone calls, for example — but fear arises from not understanding the régime that permits such undertakings. Greater clarity will, in our opinion, lead to greater public acceptance of the framework within which comms data (and interception data) are acquired. The remaining issues in annex C and those in annex D — the impact of data-sharing, the creation of something akin to the Central Database mooted for ID cards, CCTV, biometric profiling and the like — are all rather much out of scope for this consultation document. Many of them have been covered in our response to the Home Office’s ID card consultation, which can be downloaded from our website at http://www.stand.org.uk/StandIdCardReport.doc. Some of them have been covered much more eloquently elsewhere than we could manage in the time we have for this consultation exercise. We do not see the value in repeating these comments here.


Annex E — Questions for a broader debate
E1 Is there a contradiction between “my privacy” and “someone else’s privacy”?
Of course there is. It is quite difficult to get people to understand the importance of protecting citizens’ privacy rights when government ministers and tabloid newspapers encourage people to think in black and white. We are not alone in feeling that the rhetoric used in the public discussion of many political issues is not conducive to the calm, reasoned evaluation of how best to proceed. In a wholly unrelated example, it is difficult to persuade people of the importance of providing sanctuary for refugees when the tabloid newspapers are peddling xenophobic stories of the woes ‘caused’ by asylum seekers. When the Home Secretary couches his public discourse in terms of contempt for his opponents, referring to contrasting views as those of “intellectual pygmies”, it can only lead to a polarisation of the viewpoints that need to be considered.

E2 What protection can the citizen expect to maintain a balance between their privacy and a safe society?
There are many ways in which this compromise can be sought without excessive denigration of either position. We have covered several such suggestions, in the course of this document, but two bear repeating yet again. In our opinion, the two key ways in which some of the more privacy-invasive effects of even the most widely-drawn list can be offset, to some extent, are good quality oversight and post-facto notification. Obviously, however, we would like to see that any powers granted under the RIP régime be granted restrictively — only to the agencies that have both a need for comms data and sufficient volume of requests that they can become accomplished and efficient at acquiring, processing and interpreting comms data and, even then, only for specific, enumerated purposes. Again, the amendment of the primary legislation to permit a body such as NTAC to handle most agencies’ requirements for comms data might well help in this area.

E3 When, and how far, should public authorities be permitted to intrude into a person’s privacy to investigate crime?
This question cannot be answered with a simple response. This, and some of the other questions asked in this annex, is a matter that should be opened to a wider public discussion in a way that a government consultation paper cannot achieve.

E4 How can LEAs secure public trust in their use of privacy-invasive techniques?
Openness and oversight are both vitally important in obtaining the public’s trust and respect. The public need to be treated like adults by all parties in this debate — with respect shown to us in public debate, rather than contempt, spin and rhetoric. The more widely it is known how the RIP régime works and on what scale, the less people will fear that their private data are being sifted through by nameless, faceless mandarins, no matter how ridiculous these fears might seem.

E5 How can the public benefit in interfering with privacy rights be demonstrated?
Transparent reporting of what kinds of data are being used in investigations, and to what end, would make a big difference in the public’s perception of interception and the use of comms data. Much of the information in Chapter Two of the consultation document was unknown even by some of the authors of this report, and we would consider ourselves the kinds of people who are somewhat fanatical about following these issues. That Richard Clayton had to spend no little time compiling the information for his presentation at Scrambling for Safety 6 shows that, whilst this information might be in the public domain, it is certainly not in the public consciousness.

E6 How can detrimental effects on privacy be addressed and mitigated?
This is, like point 3, a much larger issue than can satisfactorily be addressed in this consultation response. Some of the ways in which these detrimental effects may be mitigated have been mentioned in this report already, but this issue needs much wider discussion than we have room for here.

E7 How can reassurance be provided publicly about the conduct of ongoing and proposed privacy-invasive activities?
Openness of procedure and quality of oversight are the main ways in which this reassurance can be given. Our comments from point E4 apply equally here.

E8 Should unlawful privacy violation be clearly acknowledged as a crime?
Absolutely. We are firmly of the opinion that the current powers for criminal violation of privacy seem to be too limited. The enforcement of appropriately-harsh penalties for infringement of individuals’ privacy — be it by criminals or law enforcers — would go a great way towards allaying public fear of abuse of the powers under RIP. If malfeasance is seen to be punished, the public is more likely to accept that it only happens rarely; if it seems to be brushed under the carpet, the public is likely to assume that it happens all the time.

Glossary
A few terms used throughout this document, and organisations to which we frequently refer, are explained in a little more depth here. References to this glossary are highlighted throughout the document with dotted underlines on the appropriate terms, and cross-references within this glossary are denoted in the same way. Readers unfamiliar with some of the background to this consultation may also find Annex B of the consultation paper of great interest, covering, as it does, the legal framework surrounding RIP, including the “relevant public authorities”, some of whom already have access to comms data (and intercept data) under the current RIP régime and some of whom have such access outside the remit of RIP.

APIG
The All-Party Parliamentary Internet Group, which, according to their website, “exists to provide a discussion forum between new media industries and Parliamentarians for the mutual benefit of both parties. Accordingly, the group considers Internet issues as they affect society informing current Parliamentary debate through meetings, informal receptions and reports. The group is open to all Parliamentarians in both the House of Commons and House of Lords.” APIG held an inquiry into data retention and details of the evidence presented to this inquiry — and the resultant report — are available on their website, from the URI http://www.apig.org.uk/publications.htm. A list of all the MPs and Peers in APIG can be found at http://www.apig.org.uk/members.htm.

Article Six
Article Six of the ECHR guarantees the right to a fair trial. See ECHR, HRA.

Article Eight
Article Eight of the ECHR guarantees the right to privacy and family life. See ECHR, HRA.

ATCSA
The Anti-Terrorism, Crime and Security Act 2001 was passed in the wake of the events of September 11 of that year. Many new anti-terrorism powers were passed through Parliament in this piece of emergency legislation, most of which had been considered unnecessary in the preceding year’s Terrorism Act, but were now considered appropriate given the perceived change in threats after al-Qaeda’s attack on the USA and the threats levelled against the UK. Notably, ATCSA included a change in the data retention powers available to LEAs.

Common law
The jurisdictions in the UK are all Common law régimes. Rather than having a Penal Code, like much of Continental Europe, many of our laws descend from centuries of common practice rather than an explicit statement that something is proscribed. English courts can draw on mediæval judgements and subsequent cases in order to interpret justice, except where statute specifies something directly. Some of the powers under discussion in this consultation derive from Common law, rather than the express will of Parliament.

Communications data
This consultation deals solely with comms data, defined in section 21(4) of RIP as:
(a) any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted;
(b) any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person—
    (i) of any postal service or telecommunications service; or
    (ii) in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;
(c) any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service.

CSP
Communications service provider, generally a telephone company or an ISP.

Data retention and data preservation
These are two issues dealt with in more detail in another consultation, concurrent with this one, specifically in relation to ATCSA, entitled “Consultation paper on a code of practice for voluntary retention of communications data”. Put simply, data preservation is where CSPs keep hold of data that they would ordinarily keep for business purposes for longer than usual, at the request of LEAs, in specific cases where it is of interest to an ongoing investigation. Data retention, on the other hand, is where all data is kept for longer than necessary for the CSPs’ business purposes, just in case a subsequent investigation should find it useful.

DPA
The Data Protection Acts (1984, 1998) are the main pieces of UK legislation that protect our privacy rights, regulating the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.

Echelon
To quote from an article by the investigative journalist Duncan Campbell, who studied the Echelon system for the European Parliament, “Echelon is a system used by the United States National Security Agency (NSA) to intercept and process international communications passing via communications satellites. It is one part of a global surveillance system that is now over 50 years old. Other parts of the same system intercept messages from the Internet, from undersea cables, from radio transmissions, from secret equipment installed inside embassies, or use orbiting satellites to monitor signals anywhere on the earth’s surface. The system includes stations run by Britain, Canada, Australia and New Zealand, in addition to those operated by the United States. Although some Australian and British stations do the same job as America’s Echelon sites, they are not necessarily called “Echelon” stations. But they all form part of the same integrated global network using the same equipment and methods to extract information and intelligence illicitly from millions of messages every day, all over the world.” Duncan’s website, http://duncan.gn.apc.org/, has more information and a Google search returns many relevant hits.

ECHR
The European Convention on Human Rights, enacted into UK law by the Human Rights Act 1997. See also Article Six, Article Eight, HRA.

FIPR
The Foundation for Information Policy Research (http://www.fipr.org/) is an independent body that studies the interaction between information technology and society. Its goal is to identify technical developments with significant social impact, commission research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe. Along with Privacy International (website at http://www.privacyinternational.org/), FIPR hosted Scrambling for Safety 6 — a conference covering both this consultation exercise and the parallel ATCSA data retention consultation, at the LSE on May 14, 2003.

GTAC
See NTAC.

HRA
The Human Rights Act 1997, effectively the UK’s ratification of the ECHR. See also Article Six, Article Eight, HRA.

IoCA
The Interception of Communications Act 1985. The RIP Act was introduced, in part, because it was considered that some of the powers granted by IoCA would contravene our Article Eight rights (to “respect for private and family life”) under the ECHR and the HRA. In addition, given the year in which it was passed, IoCA provided no powers to access communications data regarding Internet use, for example.

LEAs
Law enforcement agencies, usually considered to be the various police forces and bodies such as Customs & Excise but, in some contexts, also the intelligence community, such as GCHQ, MI5 and MI6.

ISP
Internet service provider.

NTAC
The National Technical Assistance Centre, as envisaged by the RIP Act. During the process of RIP through Parliament, it was, for a while, to be known as the Government Technical Assistance Centre or GTAC.

PACE
The Police and Criminal Evidence Act 1984 provides for judicial orders to gather evidence — including comms data — in matters where it is reasonably believed that a serious arrestable offence has been committed.

Purpose creep
An eloquent example of the phenomenon of purpose creep (or “function creep”) could be the United States’ Social Security Number scheme. SSNs were originally created to number personal accounts for Social Security, tax collection and benefits payment — indeed the law creating the scheme required such ringfenced usage. Now, however, SSNs are used as a generic identifier, not only for citizens’ interactions with State and Federal agencies, but even for vastly more trivial purposes such as purchasing from some e-commerce websites or joining video rental libraries.

RDQ
Reverse directory enquiry look-up — determining a subscriber’s name and address data from their telephone number or IP address.

RIP Act
The Regulation of Investigatory Powers Act 2001; often abbreviated to RIP or RIPA.

SDEA
The Scottish Drug Enforcement Agency was established in April 2001, incorporating the Scottish Crime Squad, the Scottish Criminal Intelligence Office and the Scottish Technical Support Unit. Contrary to the implication of its name, the SDEA does not solely deal with narcotics-related crime, but also more generalised “serious and organised crime”. The consultation document mentions that the SDEA made over 55 000 requests for comms data, with all types of comms data aggregated together, in 2001–2.

SI
Statutory Instrument. Much of our legislation is handled not in “primary legislation” or fully-fledged Acts of Parliament, but by “secondary legislation” — Orders placed before Parliament, usually without much debate, which are effectively rubber-stamped into being. These are drafted by the appropriate Ministry, the same as Parliamentary Bills, but tend to be shorter and more focussed. Understandably, if all the government’s business had to be handled by full Acts of Parliament, with the lengthy procedures that would entail, government would grind to a halt. Secondary legislation — Statutory Instruments — allow simpler procedures to be followed for issues that are meant to be less controversial and are just a case of implementing and enacting powers that have already been granted to Secretaries of State in earlier Acts of Parliament. The “Regulation of Investigatory Powers (Communications Data: Additional Public Authorities) Order 2002” that provoked this consultation was a Statutory Instrument.

SPoC
Single Point of Contact; one or more individuals within a law enforcement agency (or other public body) who liaise with CSPs, trained in order to facilitate such liaison. Over the last year, CSPs and LEAs have cooperated to create a scheme whereby LEAs have created groups of personnel who handle all the data-access requests and who have undergone training in how best to process these requests. This scheme, which is considered very successful by all parties, means that both LEAs and CSPs can work together more efficiently and provide LEAs with the information they require, with the minimum of invasion into the privacy of the CSPs’ users, thereby protecting everybody’s interests.

UKAEAC
The United Kingdom Atomic Energy Authority is the third-largest non–Home Office police force, after the Ministry of Defence Police and the British Transport Police, protecting designated civil nuclear sites and special nuclear materials in storage and transit. The UKAEAC’s use of comms data is very low, in comparison with other LEAs. The UKAEAC have a website at http://www.ukaea.org.uk/ukaeac/.

UK Crypto
The UK Crypto mailing list is a discussion group about UK cryptography policy, comprised of people with a professional interest in the formulation and content of UK government policy on the provision, use and control of encryption products and services in the UK. It was formed in response to the 1996 announcement of UK policy on the provision of encryption services on telecommunications networks. Everyone with an interest in the subject of UK cryptographic policy and deployment is welcome to join the list; it is not restricted to the British or those resident in the UK. The membership, as such, is very varied, including lawyers, academics, doctors, consultants, software developers, representatives of CSPs (public and private) and the Civil Service and many other people with an interest in public policy in the area of cryptography and, more widely, the way in which the individual’s interaction with the state is affected by changes in the technological arena. More information about the list is available from its website, at http://www.chiark.greenend.org.uk/mailman/listinfo/ukcrypto.
