Article 8 again ….. and the UK loses another case!

A few months ago we heard the outcomes of the case of ‘Marper and S v United Kingdom’ brought before the European Court of Human Rights. Now, you may remember this one - something of a landmark. The court opined that the storage of DNA profiles in England was contrary to the privacy requirements enshrined under Article 8 of the European Convention on Human Rights.

Just in case you had missed the Article, it states:

ARTICLE 8
1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

The problem for the UK, and for England in particular, was that the claimants in the case were innocent persons who had not been charged or convicted of any offence. It was, said the Court, an infringment of their privacy for their DNA records to be retained within a national criminal database. Now, interestingly Scotland applies the law in a different way to England (of course!) and the Scottish model was approved by the European Court. The Conservatives have given a commitment to implementing the Scottish model when (not if!) then win the next election. We’ll hold them to that. The Government in London has now announced a revision of rules to apply in England - rules that have all the sublety of a two fingered salute to Europe - and has indicated that it will change the rules to allow law enforcement to retain data for 6 or 12 years. No intention there to remove the data as required by the Europen court.

But - along comes another case and again the Courts find that the actions of law enforcement in the UK go against the requirements of Article 8. Andrew Wood had his photograph taken by police surveillance units when (perfectly legitimately) he attended the AGM of a company in which he had shares. The police photographs were stored on file and were potentially available for use in investigation of other acts. The Appeal Court has now rules (2 to 1) in the case and has instructed the Metropolitan Police to destroy copies of photographs of Mr Wood.

The implications here are interesting. The police must now destroy Mr Wood’s images - but must also now look to identifying, removing and destroying images of other perfectly law abiding persons who happened to come in front of their surveillance photographers - perhaps at football matches, demonstrations etc. Taking photographs is a legitimate practice the court held - but the police should identify those who were of good character and should destroy the images. The implication of that opinion by Lord Justice Dyson is that images should only be retained of those who are nicked - and they will be photographed at the police station anyway so facial recognition should be able to locate, and identify them in surveillance image databases. Anyone else should then deleted.

Naturally the police were not too happy and may now consider an appeal to the House of Lords (note - there was one dissenting opinion in which Lord Justice Laws argued that the police were ‘operating within the margin of operational discretion in keeping the photos’.

The Crusher senses the wind of change blowing - the surveillance society created under New Labour is unravelling before the courts. With an increasingly lame duck administration and an imminent election (which the PM has tacitly recognised that Labour will lose) we may be seeing a few steps back from the oppressive nature of surveillance. Where next - data retention and the Communications Data Bill?

French farce

A few postings ago we reported on the vote in the French Senate that introduced the ‘Hadopi’ law, providing for the 3-strikes and you’re out principle to be adopted by rights owners seeking the disconnection of persistent file sharers. After the initial vote in a sparsely attended house, the law passed on to the National Assembly where a rather larger house voted it down. Now it seems that the French authorities have adopted the European approach - if at first you don’t get the result you want, ask them to vote again until they give the right result!

The law was returned to the National Assembly for another attempt and this time it seems that there was a rather fuller attendance. Perhaps some ‘persuassion’ by the French equivalent of the Whips? There is clear intention by the French Government to push the law through and in advance of voting in the European Parliament on the Telecom Reform package.

A large number of amendments to the Bill made it impossible to proceed through the voting process by 5th May and the Bill must now return for further debate. It is seen as likely that this will be by mid-May so it is quite possible that President Sarkozy will see the new legislation in force by the end of the month. This will allow the setting up of a new agency (the HADOPI) which will deal with copyright infringement notices submitted by rights owners and will decide whether to warn or to disconnect users and place them on a list of blocked persons.

Quite clearly this will not be a popular piece of legislation. Civil rights campaigners will be campaigning and asserting that the law will be an infringement of the rights of the citizen. But the campaigners will have some powerful allies. MEPs voting in the European Parliament in Brussels and Strasbourg have indicated that they view internet access as a fundamental service and have voted down 3-strikes approaches.

When the Telecom Package came up for 2nd reading in the European Parliament, MEPs voted 407 to 57 for initial amendment 138 rejecting the Trautman report and reverting to the initial text which provided that only judicial authorities would be able to make decisions on cutting off users. The reversion to judicial authorities means that users accused of infringement would be able to submit a defence and to appeal any decision. It would seem that the HADOPI proposed in France would not be accepted as a judicial body and would not be acceptable under the European package.

Going further, it is interesting to read comments by Commissioner Redding responding to questions in Brussels: “The fourth element I would like to underline is the recognition of the right to Internet access. The new rules recognise explicitly that Internet access is a fundamental right such as the freedom of expression and the freedom to access information. The rules therefore provide that any measures taken regarding access to, or use of, services and applications must respect the fundamental rights and freedoms of natural persons, including the right to privacy, freedom of expression and access to information and education as well as due process?”

Now that makes the Commissioners view quite clear. Internet access is a fundamental right and any rules must respect fundamental rights and freedoms. That will make it difficult to impose any 3-strikes approach without their being a judicial process. Even then, there must be compelling reason to act - and, I suspect, copyright infringment will not be there as the most compelling reason. Perhaps use of the internet to download paedophilic content might be there.

So, how will this impact on the UK. There is discussion in Govt. and we are awaiting the final version of Stephen Carter’s ‘Digital Britain’ report. Trails suggest that that may include details of a Digital Rights Agency - amongst other things. The report is now unlikely to arrive before mid-June - it will not be published in the run-up to local and European elections at the beginning of June - and will probably be after voting in the European Parliament. Any agency that is then set up will have to accommodate the European Telecoms Package - so we are unlikely to see any 3-strikes here. Unlikely anyway as Govt. Ministers have now indicated that this is not favoured by Govt.

Not so centralised database ……

So, after all the speculation, the Home Office have now published the consultation paper on ‘Protecting the Public in a Changing Communications Environment’ and it now makes clear that the idea of a single centralised database containing records of all telephone calls, Internet login/logout, email, web access etc. has been kicked into touch. Page 25 of the paper makes clear, ‘The Government has no plans to create a centralised database to store all communications data.’

However, it is also clear that this would be the preferred option, ‘This approach would have several advantages. It would be the option most likely to come close to maintaining the historic capability of public authorities in their use of communications data. It would be the most effective at delivering fast and efficient access in support of the law enforcement and intelligence agencies and emergency services; the least challenging technically to implement; and the cheapest to build and run.’ But, Government is clearly aware of the sensitive politics of any implementation in this manner and has accepted that this wqould be a step too far and a massive intrusion into privacy. Richard Thomas, Information Commissioner, had made it quite clear that a single centralised database would be seen as an infringement of data privacy legislation and this advice seems to have been taken on board, ‘The Government recognises the privacy implications in holding all communications data from the UK from a 12-month period in a single store. The Government therefore does not propose to pursue this approach.’

So, the remaining option is to require communications service providers (CSPs) to retain data themselves and to release to national security and law enforcement authorities on receipt of the appropriate (RIPA) authority. That is similar to the current provision and the requirements of the Data Retention Regulations. However, the proposed plans go further than the requirements of the European Data Retention Directive (DRD) - law enforcement agencies have advised government that they require access to a broader range of data than that required under DRD. “We also need to ensure that UK companies collect and store additional types of communications data about their own services, which are not included under the EU Data Retention Directive. This includes data that communication service providers do not generate or process about their services.”

So what would this additional data retention requirement include. Web access for certain - but again, not the content, only the access to the server (to the domain rather to internal pages), volume of data transferred (download/upload), access to third party services.

Ah, this last is interesting. Acccess to third party services. Government is clearly aware of the limitations of the DRD and is now looking to close loopholes. DRD does not include web access and does not include access to services that are not hosted in the UK. Now, we know that a large number of users use webmail and that the major services (Hotmail, Gmail etc.) are hosted in the US. There is no provision under DRD for retention of any data relating to mail sent via these services - nor for any retention of data sent via other means including social networking sites, game sites, forums etc. Govt. now wants to close this loophole, ‘This would include third party data relating to internet-based services and communications services provided from outside the UK.’

Now that leaves some interesting questions. If CSPs are to be required to retain data relating to access to systems and servers outside of their network (and outside of the UK and EU) then they are going to have to collect the data by analysing the traffic flow on their own network. In practice this means deep packet inspection (DPI) of ALL traffic. DPI imposes some overheads - in order to undertake analysis and extraction of data without impacting on user experience will require real-time inspection with substantial processing demands. That is expensive. Well, at least the Govt. recognise this as the potential costs are estimated in the consultation as £2 Billion (yes, that’s right, 2 BILLION pounds).

The technical limitations are not the only concern. For CSPs to effectively read each and every packet will require substantial changes to current legislation. In effect, what will be required will be the electronic equivalent of opening mail, checking the contents and storing data. It is illegal to intercept the post, it is illegal to intercept traffic in a communications environment. Clearly the intention of the Government is to change the legal position to allow CSPs to analyse traffic and to retain data.

At present, there may be some inspection going on at CSP level in order to identify traffic types and to prioritise traffic flow - packet shaping. This is used to control use of high volume services such as peer to peer transfer. What is currently done is relatively simple compared to what may be required - traffic packets are checked to see what the type of data is and automatically routed or controlled as a result. The plan is for data to be read and then recorded and retained - and for the data to be retained for 12 months.

Now we can see an advantage for the Govt. in making CSPs retain the data. If there is a leak of data then it will be the CSPs at fault and not the Govt. Govt. agencies (national security, law enforcement etc.) will only become involved when they request data to be transferred from the CSP store.

The single centralised database has become a decentralised, distributed store of data. Once you set those up, the next step is to look to see how they could all be linked. We know that the Govt. views the single database as being the best option (and the cheapest). What they are going to do is to plan a distributed store that may circumvent privacy concerns, will be more expensive but will still store the same information. And that is going to be far more than is currently retained.

Privacy watchdogs will just be sharpening their claws - they will need them.