Forwarded From: ama-gi ISPI <offshore@email.msn.com>
ISPI Clips 4.50
News & Info from the Institute for the Study of Privacy Issues (ISPI)
Saturday September 19, 1998
This From: The Guardian On line, September 17, 1998
http://online.guardian.co.uk
Police Tighten The Net
http://online.guardian.co.uk/theweb/905960359-privacy.html
By Duncan Campbell
The police, MI5 and the Home Office are trying to push
through a scheme to pressure other service providers to
hand over private e-mail information without the court order
that is required for telephone calls and the mail. Are the
police taking liberties with our privacy?
TWO WEEKS AGO in the dim hours before dawn, 30 police entered one of
Britain's biggest Internet companies, and seized computers and computer
logs. It was Britain's largest-ever Internet raid - and although it was
part of the well-publicised Operation Cathedral investigation of the
international "Wonderland" child porn ring, the raid has gone unreported,
until now.
But the inclusion of one of the biggest ISPs (Internet service providers)
in Britain in a major child porn raid has sent a timely, clear and
frightening message to industry insiders. The "Wonderland" raids,
organised by Britain's National Criminal Intelligence Service (NCIS), took
place just days before a police, MI5 and industry discussion group is due
to meet to agree "law enforcement" access to private information about the
Net and its users.
This afternoon in London, an informal group convened by Acpo, the
Association of Chief Police Officers, is holding a press conference to
announce its plans to introduce a private "memorandum of understanding"
about police access to e-mail users’ identities, activities and messages.
Over the next three weeks, senior police officers and key industry figures
will host three seminars in Edinburgh, Manchester and London to be
addressed by police, industry and prosecution computer specialists. The
seminars are being run by a group called the "Acpo, ISP and Government
Forum". The press, public, lawyers and defence computer legal specialists
are excluded.
"The ISP industry is being privately pressurised into revealing
information that others would not reveal as a matter of course," says one
senior ISP manager who has followed the police-ISP negotiations.
If the ISP industry were to go along with the current police position,
then ISPs will soon be routinely sent electronic forms under the Data
Protection Act, certifying that the police needed the information
requested for the prevention or detection of crime. The forms were first
introduced in 1994, but had to be extensively revised after being shown to
the office of the Data Protection Registrar, Elizabeth France.
According to her office, the section of the Act being used "was intended
as an exceptional measure and not as a routine tool . . . it should not be
seen as an easier approach than a court order."
"We say it time and time again "information can only be released on a case
by case basis. Fishing expeditions are not allowed", France said this week
‹ although they may have happened in the past.
"It is important that [e-mail] has the same level of protection for
individuals as for any other communications ‹ mail and telephone calls".
Although the proposed Data Protection Act forms certify that the
information is required for a specific case, they also say that
information passed "may be used for any other investigation". The forms
have to be countersigned, but do not require the signature of a rank
higher than an inspector.
If successful, the Acpo initiative would mean that the contents of e-mail,
unlike ordinary mail or telephone conversations, could when requested in
this way be intercepted and read without a warrant from the Home
Secretary.
It would also mean that it could be produced as evidence in court, unlike
normal mail intercepts or phone taps. Police sources say, however, that
they would not expect access to e-mail as it was being sent (as opposed to
stored e-mail) unless they had a normal phone-tap warrant. But the Home
Office is currently reviewing the Interception of Communications Act. Home
Secretary Jack Straw revealed during this month’s emergency debate on
terrorism that a review of the Act, including necessary technological
changes, has been under way since July. It is understood that this
includes reviewing whether or not e-mail should be treated the same way as
ordinary mail.
The problem for ISPs is not that they object to court orders or police
search warrants being used when they are asked for evidence of serious
Net-related crime, but that the threat of disruptive police raids is being
quietly used to obtain more extensive information, without legal powers or
adequate justification.
"We've had any number of cases when police have come and asked 'tell us
about all your subscribers who are living in Warwickshire' ", says one
member of the Acpo-ISP group. The problems are that the information may
not exist, may not be obtainable, or, if it did exist, would be illegal to
hand over.
The worry for legal specialists is that public concern about paedophile
activities in particular could result in ill-advised police-industry
agreements sidestepping privacy laws and good practice.
"A mood of public alarm taken together with a poorly developed forensic
science is the most dangerous combination imaginable for miscarriages of
justice," says Peter Sommer, a computer forensics research fellow at the
London School of Economics and defence legal specialist. "Those factors
have historically led to some of the gravest judicial errors in our
history."
This month's raid on the ISP may be a case in point. The company maintains
that the police went for the wrong target, based on a misunderstanding
about how its part of the Net was engineered and whether or not its
employees would have known what specific users were doing.
Since "computer forensics is in its infancy", says Sommer, the right way
forward is to legislate and to introduce codes of practice such as are
already in use under the Police and Criminal Evidence Act. "We need to
regularise law enforcement access to and use of computer-derived evidence.
The result will be all the stronger for having been the result of
democratic scrutiny, rather than cosy discussions between a police lobby
group and a few ISPs."
Police officers face serious problems investigating Net-based crime, given
the diversity of size, sophistication and outlook among ISPs. Even if Acpo
does obtain a "memorandum of understanding" signed by key industry bodies,
this would not be binding on any company providing services. Many on the
ISP side say privately that the description is inappropriate. They have
asked Acpo to reconstitute the proposed "agreement" as a "guide to best
practice" in providing information to the police.
Further problems were highlighted at a meeting between police, Home
Office, MI5 and industry specialists held at Scotland Yard three months
ago to discuss what information ISPs could and should make available. The
police and government side asked for "all e-mail sent in the last week to
be recorded as a matter of routine". Another "desirable facility" was "the
ability to turn on logging of all incoming e-mail for a customer account".
But the ISP representatives explained that these records were not normally
kept at many ISPs and that creating them for routine police or MI5 use
would be costly. The ISPs were however "happy to do work that has little
or no cost implication and is clearly legal".
Detective Chief Superintendent Keith Akerman of Hampshire Police, chairman
of the Acpo computer crimes group, told Computing magazine: "We want to
ensure the criminal doesn't take best advantage of the Internet, without
government using the sledgehammer of regulation."
Acpo was unwilling this week to release any drafts of the proposed
memorandum of understanding, or to provide copies of the form that Acpo
has already drafted to be used by police forces seeking Net information.
The form is based on a system now widely used to get lists of telephone
numbers called from BT and other telecoms providers without Home Secretary
warrants or court orders, which was revealed in OnLine in September last
year.
Apart from suspicion in some parts of the industry and reluctance in
others, the Acpo and government initiative to access e-mail information
also faces the problem that a new EU directive on communications privacy
comes into force in less than two months. The directive says that: "Member
States shall ensure via national regulations the confidentiality of
communications by means of public telecommunications network and publicly
available telecommunications services. In particular, they shall prohibit
listening, tapping, storage or other kinds of interception or surveillance
of communications, by other than users, without the consent of the users
concerned, except when legally authorised."
"There's not much left for a 'memorandum of understanding' to cover," says
LSE's Sommer. He suspects that, with the directive, a new Data Protection
Act and a Home Office review of the interception of communications act due
in the next three months, the "cosy agreements" between Acpo and ISPs may
be as futile to the police as they are aggravating to Net civil liberties
and privacy campaigners.
TWO YEARS OF POLICING THE NET
2 August 1996
Following a rash of child porn investigations, the Metropolitan Police
invite Internet service providers (ISPs) to a seminar at New Scotland Yard
to discuss how to deal with obscene material on Net newsgroups.
9 August 1996
Letter from Metropolitan Police Clubs and Vice unit to ISPs circulates
veiled threat: "We trust that with your co-operation and self regulation it
will not be necessary for us to move to an enforcement policy." A list of
200 sex-related newsgroups was appended to the letter. Worried ISPs quickly
start ad hoc meetings with police to try and agree a modus vivendi.
September 1996
Internet Watch Foundation launched with government backing to consider
curbs on Net content, with particular reference to child pornography.
October 1996
National Criminal Intelligence Service (NCIS) launches Project Trawler to
study the extent of criminal use of the Net,and the methods law enforcement
officials should use.
May 1997
NCIS announces results from Project Trawler, and requests urgent action to
introduce laws enabling police to intercept and monitor e-mails. No action
is taken because of the election.
May 1998
Acpo (Association of Chief Police Officers) and major ISPs plan seminars to
promote informal agreements for police access to e-mail and Net
information.
18 June 1998
Meeting at New Scotland Yard between Home Office, MI5, police, BT and ISP
representatives discusses law enforcement requirements for Net information,
including stored e-mail and logs of Web usage.
2 September 1998
Police raids on 11 sites in Britain, including one major ISP, seize child
porn material connected with a US Web site called "Wonderland"; 30 others
arrested in 12 other countries.
22 Sept 1998
First Acpo seminar in Edinburgh aims to win industry acceptance of
"memorandum of understanding" allowing automated access to ISP information.
[Duncan Campbell is a freelance journalist and not the Guardian's crime
correspondent of the same name]
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Sun Sep 20 10:45:05 1998