ZDNet UK 26/10/2001: "Home Office admits data retention plans"

[InfoSec News <isn () c4i org>]

Forwarded from: Jei <jei () cc hut fi>

---------- Forwarded message ----------
Date: Sat, 27 Oct 2001 10:53:01 +0100
From: Caspar Bowden <cb () fipr org>
Reply-To: ukcrypto () chiark greenend org uk
To: 'Ukcrypto' <ukcrypto () chiark greenend org uk>
Subject: ZDNet UK 26/10/2001: "Home Office admits data retention plans"

Guy Kewnyey seems to havenailed what 
http://www.vnunet.com/News/1126471 
And
http://globalarchive.ft.com/globalarchive/article.html?id=011026001374&q
uery=data+retention#docAnchor011026001374

..have missed
--
Caspar Bowden?????????????????????????? www.fipr.org
Director, Foundation for Information Policy Research
Tel: +44(0)20 7354 2333 


http://news.zdnet.co.uk/story/0,,t269-s2096285,00.html 
Home Office admits data retention plans
18:25 Friday 26th October 2001 
Guy Kewney   

A voluntary code of practice governing how ISPs store data for law
enforcement agencies could be replaced with sweeping powers for the Home
Secretary 

The Home Office has admitted that it plans to reserve extra powers to
force ISPs to retain data about customers if its current "voluntary code
of practice" proves inadequate to deal with terrorists. 

New legislation is proposed, probably for late November, to deal with
the terrorist threat. Officially, the Home Office insists that the only
change for Internet users will be to "enable" data retention for longer
periods, and for purposes of law enforcement. 

However, civil servants have now admitted that if the system doesn't
work, the Home Secretary will be able to extend his powers, as
appropriate, without further primary legislation being needed to do so. 

Officially, the Government has not published any information on this.
This week, it held meetings with the CBI and with the Internet Service
Providers' Association (ISPA) as a result of which the ISPA was
authorised to publish the following information: 

"Contrary to previous reports and speculation, the Government explained
that it wanted to consult industry on proposals for a voluntary Code of
Practice," said the bulletin. This code of practice "will provide
greater clarity for service providers and law enforcement agencies
regarding the types of data currently held for legitimate business
purposes and the length of time such data may be retained for reasons of
national security within the scope of Data Protection law. The
Government confirmed that data retention would not be mandatory." 

The "previous reports and speculation" referred to by this bulletin
resulted from a leaked proposal from the National Criminal Intelligence
Service, asking the Government for hugely expanded surveillance powers.
The ISPA bulletin appears to be an official Government assurance that no
expanded powers will be sought. 

The Home Office admission doesn't directly contradict that assurance,
but it does raise the question of why officials are planning reserve
powers, and of why they didn't admit this right from the start. 

It also leaves wide open the question of what reserve power might be
deemed appropriate, and Home Office staff refused to discuss this,
saying that "the Home Secretary would have to ask Parliament for any
further powers." 

One source very close to the Government told ZDNet UK that, "it is
impossible to believe that the data currently being collected by ISPs is
of very great usefulness to law enforcement, since it is restricted by
European law." 

Currently, ISPs are not permitted to keep more than the minimum data
required for billing purposes -- which is, normally, the IP address of
the user and how long they are logged on for. It might also include the
IP address they are logged on to, and, for security purposes, data such
as the Radius security server log. 

Officially, the ISPA is very supportive of the Home Office initiative,
and the Home Office says that the information the industry has already
supplied has proved "very helpful" in surveillance of terrorists. 

This leads some experts to suggest that some of the ISPs may well have
gone beyond what European law entitles them to do. 

It's been pointed out that there is data which is stored on their
servers, but which can't legally be disclosed -- such as the contents of
mailboxes, which can be left with messages for weeks or months until
they are purged. "If they didn't actually provide the data, then one
might suggest that they failed to prevent access to it," said one email
expert. 

"There is almost certainly nothing sinister in the intentions of the
Home Office," said a consultant who advises the Government on IT
matters. "However, the Home Office is advised by a great many people,
and not all of them are primarily concerned with public privacy matters,
and they have their own agenda." 

The concern is that the Home Secretary may obtain powers, under the
proposed November anti-terrorism bill, which will enable him to simply
put forward a resolution at a later date which might extend the current
voluntary proposals. 

The extension could be literally anything, said an expert on
legislation. "It could call for data to be held longer than the 12
months which the Home Office is currently thinking of. It could call for
different types of data. And it could call for the voluntary code to be
made compulsory." 

The Home Secretary can obtain reserve powers in one of two ways. The
first allows him to put forward a resolution, which has to gain
Parliamentary approval within a month, or is lost. 

The other way allows him to gain automatic acceptance of the resolution
provided nobody objects within a month. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.