-
Tempus fugit II …..
Posted on June 29th, 2010
Time flees as the Latin tag says (perhaps more commonly recognised as ‘Time Flies’) and it certainly seems to be the case with Data Retention.
It seems just a short time ago that we were watching the progress of the Directive through the European parliamentary system, from introduction through discussion (is that really the right word for the actions of the UK Presidency in 2005?) to amendment and then to final acceptance and transposition to national law.
In the UK we were there at the beginning, transposing the first parts to apply to fixed line and mobile telephony. 18 months later came the inclusion of Internet data. The interesting bits were the differences between national transpositions - some elected for retention for as little as 6 months, others for 12 and some for as long as 24 months (but would have liked longer). The UK opted to allow for reimbursement of capital expenditure and the provision in relation to Internet data seems to pay only slight compliance - requiring retention of data only where the national authorities deem that it is necessary.
Some member states have only brought data retention within national law in recent months - Portugal in August 2009, Italy at the end of 2009 and Poland only at the beginning of 2010 (UK, 1st phase Sept 2006, 2nd phase March 2008). There remain a number of member states where data retention has still not been applied - Austria, Belgium, Greece, Ireland, Luxembourg, Romania, Sweden - so much for the idea of ensuring a common approach to law enforcement.
But, time flies. The implementation of the Data Retention Directive provided for an evaluation of the Directive. The time has now come for that evaluation and a number of conferences and meetings have taken place. The results of evaluation will be published later in the year, probably in October 2010. After that, the Commission will begin the processes that will lead to proposals for a revised Directive, probably by the end of 2011 with expected implementation by 2014.
It is too early to say what that new Directive may include, but undoubtedly there will be pressure to expand the range of retained data to include a wider range of Information society services - The Crusher would expect to see pressure for the inclusion of social networking data and web site access. There may be some agreement on a reduction in the range of the approved time scales - although as most members currently retain for 12 months this is unlikely to affect the majority (including the UK).
The evaluation report from the Commission does include some interesting data relating to the number of requests for access to retained data in 2008.
Member State      Requests    Requests / 100K population
Cyprus            34          3
Czech Republic    131560      1288
Germany           13348       16
Denmark           3605        66
Estonia           4490        346
Greece            584         5
Spain             72011       178
Finland           4010        76
France            538437      866
Ireland           14095       335
Lithuania         79586       2239
Latvia            16862       756
Malta             867         214
Slovenia          2821        141
United Kingdom    470222      769

Clearly there are wide variations in the raw number of requests with France and the UK heading the number of actual requests. Of course, both have fairly high populations so it is reasonable that there should be a large number of requests. But, when the figures are compared against the national populations the data requests become more interesting. The right-hand column shows the number of data requests per 100,000 of population. Under this order, Lithuania shows a massive 2239 requests per 100K with the UK behind France at a much lower 769. Yet Cyprus only requests data at the rate of 3 per 100,000!
Of course, there will be variations in what is perceived as relevant crime and the use of data to locate rather than to determine specific use. It may well be that the larger number of requests are being used more as a location tool than as a more detailed investigatory procedure. But, the figure for Lithuania is so much greater than others it does rather beg the question what use is being made of retained data in that small state? Perhaps there remains an investigatory throwback to a previous regime - although the lower (far lower) figures for neighbouring Estonia and Latvia may negate that suggestion.
Interesting data - it will be interesting to watch what comes out of the Commission in late summer/autumn 2010.
-
Vetting turnaround
Posted on December 14th, 2009
The Independent Safeguarding Authority was set up following the recommendations of the Bichard report into the circumstances surrounding the murder of two young girls by Ian Huntley, a school caretaker, at Soham in Cambridgeshire. The murder was a shocking event and was quite rightly reviled but the outcome in the form of the ISA was the creation of a draconian new quango with the power to bar persons from contact with young people or vulnerable adults.
Of course there should be protection and there should be barring. Anyone convicted of a sexual or violent offence should be barred from working with vulnerable groups. That has been in place for many years. Part of the Bichard response was to bring together various bar lists into a single place - no problem with that.
The problem was that the new legislation required that all adults working with young persons or vulnerable adults on a frequent basis had to submit to CRB checks and ISA registration. Without the registration, employment or activity was not permitted. The issue was predominantly around the definition of the term ‘frequent’. Initially this was taken as meaning regular contact with children - monthly for example. The definition caught a number of groups who had not previously required clearance - authors visiting schools, parents taking part in the running of sports clubs etc. There was a backlash which was initially rejected - the protection of children comes above all else ….. On the one hand that seems reasonable but on the other hand the implications were that somewhere in the region of 11 Million people would need to achieve ISA clearance and registration in order to carry out activities - both employed and voluntary. It is the voluntary that causes problems (those undertaking employment expect to be checked and that successful checking will form part of the employment contract) - many perceived the checks as requiring them to prove that they were not paedophiles before being able to help out with clubs, societies etc.
There is a fundamental assumption in English law that a person is innocent until proved guilty beyond all reasonable doubt. In this case there was an assumption that if a person could not present an ISA registration then they must have something to hide and might well be a paedophile. This, of course, is wrong but that was the perception. A group of well known authors (Philip Pullman and others) objected and made it clear that they would cease to visit schools if they were forced to submit to checks. Parents found themselves being told that they would have to register in order to transport their own and other children to sports events.
Now, the Education Secretary (Ed. Balls) has announced a climb down - the definition of frequent is to be taken down to contact with the same group of children on a weekly basis rather than monthly. It is estimated that this will reduce the number of registrations by 2 Million - dropping from 11 to 9 Million. OK, a step in the right direction - but bear in mind that the number of barred individuals is only likely to be in the order of 20,000 to 40,000 - at worst case scenario just 0.4% of all those checked.
Now protection of children is right and proper but when you set 40,000 against 9 Million there does seem to be something of an over zealous approach. The figure of 20,000 barred individuals represents the current pattern (just 0.2%), however this could rise to 40,000 under the new vetting regime. Why the difference - well the ISA will take evidence of suspected activity rather than proven (in a court) when deciding to bar an individual. If there is suspicion that an individual may have engaged in activities but there is insufficient evidence to bring a prosecution to court then this may be disclosed to the ISA and may result in a decision to bar. The ISA (chair, Sir Roger Singleton, speaking on BBC Radio 4 ‘Today’ programme - 14th December) will give an individual the opportunity to dispute a bar decision but the Crusher does think there may well be a problem here. Unfortunately, many teachers are falsely accused of activities which might lead to barring and therefore to dismissal. When accusations are made they must be investigated although this can take far too long and can result in severe stress leading to deterioration in health and disillusionment with working in the education environment. The result is that perfectly good and innocent teachers are forced out of their job. When the investigation clears the teacher it may be too late - but it may also be the case that the accusation remains on the teacher's record and may be disclosed in a future ISA request. If that is then used to bar the individual from working this would be a gross abuse of process.
The Crusher is of the opinion that this may well happen - there are already examples where an employee has been rejected because a CRB search revealed a record retained within the national DNA database recording samples taken when the person was arrested on a suspected charge and retained even though there was no further charge or conviction. The person was innocent of any charge yet remains at the mercy of a retained sample. Somehow The Crusher suspects this will happen in the ISA process.
The reason for all of this bureaucracy is ‘the protection of the children.’ The Soham case is often quoted to justify the means - yet an investigation of the actual circumstances of that case suggests that the new vetting system would not have been able to prevent the act - the victims came to know the murderer through a third party who would have passed checks and registration.
The Crusher is all in favour of checks, vetting and barring in order to prevent those convicted of relevant offences from working with children or vulnerable adults. But this has to be done in the context of a proportionate and relevant response. Even with the changes announced by Ed. Balls this week there does not yet appear to be a willingness to implement an appropriate control.
However, there was some additional glimmer of hope. Recent reports have shown some circumstances where schools have introduced procedures that go far beyond the legislation - requiring all adults coming on to a school site to be in possession of CRB checks, including parents - and local authorities have prevented parents from accompanying their children in play parks stating that children could only be accompanied by CRB cleared adults. Ed. Balls has now made it clear that there have been gross over-reactions and these should be reviewed. Sadly this seems to be all too common a situation - headteachers and others react and respond to their perceptions of legislation and regulation without fully investigating or understanding the actuality of the requirement. Health and safety seems to be another area liable to similar mis-construction. The reason is always the same, ‘for the protection of the children’. By over-reacting we are denying much that is good and right - to the detriment of the children.
But - there is an election in the offing. Will the incoming Government have the Balls to repeal and re-draft the legislation?
-
Data retention - still some unhappy states
Posted on November 5th, 2009
The Data Retention Directive was introduced into European law back in 2006 - with a requirement that member states transpose the first phase by September 2007 and the second phase by March 2009 (where the State took advantage of a derogation in relation to IP based traffic).
Interestingly, both Belgium and The Netherlands advised the European Commission of their intention to take advantage of the derogation in relation to IP. That still meant that they were expected to transpose in relation to fixed line and mobile telephone traffic by September 2007 but that they had opted, like the UK, to leave IP based retention until the later date.
A group of Belgian organisations have now raised a petition to protest the local transposition of the Directive. In August, the Belgian Minister of Justice proposed a retention period of 2 years (the maximum within the range of the Directive - 6 months to 2 years). The UK settled on 12 months - interestingly the Belgian Data Protection Supervisor felt that the 2 year period was too long and disproportionate and should be reduced to 12 months. The Belgian petitioners felt that there was not sufficient evidence to justify the retention of traffic data which they felt was not a solution to security issues.
Just to the north, the Netherlands government is also engaged in discussion. A few weeks ago, government agencies held meetings with ISPs to provide some clarification of terms within the new Data Retention Act - EDRI-News reports that after the meeting there was still confusion as to what was required and for how long. As currently implemented, both telcos and ISPs are required to retain data for 12 months but discussion in the upper house of the Netherlands parliament (Senate) has suggested that the Minister may be prepared to reduce the ISP requirement to just 6 months (as was suggested in the UK, bearing in mind the low level of requests of user data in relation to IP based traffic).
A full description of the Netherlands law (2008) can be found at the site for Agentschap Telecom, the Dutch telecoms regulator.
There has also been discussion in the Netherlands about the possibility of centralised retention of traffic data. ‘Bits of Freedom’ in the Netherlands reports that some 3 Million requests for traffic data were served by the Netherlands police in 2008 - on a population of some 16 Million. That is a very high figure when compared against the reported request rate in the UK - Surveillance Commissioner reported 0.5 Million requests in 2007 against a population of some 60 Million. If the UK rate were the same as the Dutch then that figure would be in the order of some 11 Million requests!
Clearly there remains considerable concern and disquiet across Europe.
The Directive provides for review of the retention policies in 2010. Clearly there is likely to be a lot to be discussed.
-
Hadopi - three strikes and …. it’s out!
Posted on June 11th, 2009
The French farce continues.
After passage through a singularly empty French assembly, then return to a more populous house, the Hadopi law (Haute Autorité pour la Diffusion des Oeuvres et la Protection des droits sur Internet - Higher Authority for the Distribution of Works and the Protection of Copyright on the Internet) has now received a further setback.
The superior court in France, the French Constitutional Court, has now ruled that access to Internet services can only be denied on the authority of a judge. The court has recognised the view in the European Parliament that Internet access is a basic human right - as also now recognised by Ofcom in the UK. The introduction of the bill to create the Hadopi in France was contentious - in France and elsewhere. Supported by President Nicolas Sarkozy the bill would have created a new agency with the power to disconnect users on third notification of file sharing infringement. The agency would also place the users on a blocklist to prevent them from simply migrating to another provider. This cannot now happen - any process to remove a user's access must now go before a court and a judge - with the user able to defend his position in court.
The UK Government has already indicated that it does not favour the 3 strikes approach - again echoing the view that broadband access is now seen as a basic human right.
It’s back to the drawing board for the rights owners. Perhaps these actions might just focus their minds to consider some new business models. But then ‘les cochons peuvent voler’ as they might say in France.
-
Article 8 again ….. and the UK loses another case!
Posted on May 22nd, 2009
A few months ago we heard the outcomes of the case of ‘Marper and S v United Kingdom’ brought before the European Court of Human Rights. Now, you may remember this one - something of a landmark. The court opined that the storage of DNA profiles in England was contrary to the privacy requirements enshrined under Article 8 of the European Convention on Human Rights.
Just in case you had missed the Article, it states:
ARTICLE 8
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
The problem for the UK, and for England in particular, was that the claimants in the case were innocent persons who had not been charged or convicted of any offence. It was, said the Court, an infringement of their privacy for their DNA records to be retained within a national criminal database. Now, interestingly Scotland applies the law in a different way to England (of course!) and the Scottish model was approved by the European Court. The Conservatives have given a commitment to implementing the Scottish model when (not if!) they win the next election. We’ll hold them to that. The Government in London has now announced a revision of rules to apply in England - rules that have all the subtlety of a two fingered salute to Europe - and has indicated that it will change the rules to allow law enforcement to retain data for 6 or 12 years. No intention there to remove the data as required by the European court.
But - along comes another case and again the Courts find that the actions of law enforcement in the UK go against the requirements of Article 8. Andrew Wood had his photograph taken by police surveillance units when (perfectly legitimately) he attended the AGM of a company in which he had shares. The police photographs were stored on file and were potentially available for use in investigation of other acts. The Appeal Court has now ruled (2 to 1) in the case and has instructed the Metropolitan Police to destroy copies of photographs of Mr Wood.
The implications here are interesting. The police must now destroy Mr Wood’s images - but must also now look to identifying, removing and destroying images of other perfectly law abiding persons who happened to come in front of their surveillance photographers - perhaps at football matches, demonstrations etc. Taking photographs is a legitimate practice the court held - but the police should identify those who were of good character and should destroy the images. The implication of that opinion by Lord Justice Dyson is that images should only be retained of those who are nicked - and they will be photographed at the police station anyway so facial recognition should be able to locate, and identify them in surveillance image databases. Anyone else should then be deleted.
Naturally the police were not too happy and may now consider an appeal to the House of Lords (note - there was one dissenting opinion in which Lord Justice Laws argued that the police were ‘operating within the margin of operational discretion in keeping the photos’).
The Crusher senses the wind of change blowing - the surveillance society created under New Labour is unravelling before the courts. With an increasingly lame duck administration and an imminent election (which the PM has tacitly recognised that Labour will lose) we may be seeing a few steps back from the oppressive nature of surveillance. Where next - data retention and the Communications Data Bill?
-
Not so centralised database ……
Posted on May 1st, 2009
So, after all the speculation, the Home Office have now published the consultation paper on ‘Protecting the Public in a Changing Communications Environment’ and it now makes clear that the idea of a single centralised database containing records of all telephone calls, Internet login/logout, email, web access etc. has been kicked into touch. Page 25 of the paper makes clear, ‘The Government has no plans to create a centralised database to store all communications data.’
However, it is also clear that this would be the preferred option, ‘This approach would have several advantages. It would be the option most likely to come close to maintaining the historic capability of public authorities in their use of communications data. It would be the most effective at delivering fast and efficient access in support of the law enforcement and intelligence agencies and emergency services; the least challenging technically to implement; and the cheapest to build and run.’ But, Government is clearly aware of the sensitive politics of any implementation in this manner and has accepted that this would be a step too far and a massive intrusion into privacy. Richard Thomas, Information Commissioner, had made it quite clear that a single centralised database would be seen as an infringement of data privacy legislation and this advice seems to have been taken on board, ‘The Government recognises the privacy implications in holding all communications data from the UK from a 12-month period in a single store. The Government therefore does not propose to pursue this approach.’
So, the remaining option is to require communications service providers (CSPs) to retain data themselves and to release to national security and law enforcement authorities on receipt of the appropriate (RIPA) authority. That is similar to the current provision and the requirements of the Data Retention Regulations. However, the proposed plans go further than the requirements of the European Data Retention Directive (DRD) - law enforcement agencies have advised government that they require access to a broader range of data than that required under DRD. “We also need to ensure that UK companies collect and store additional types of communications data about their own services, which are not included under the EU Data Retention Directive. This includes data that communication service providers do not generate or process about their services.”
So what would this additional data retention requirement include? Web access for certain - but again, not the content, only the access to the server (to the domain rather than to internal pages), volume of data transferred (download/upload), access to third party services.
Ah, this last is interesting. Access to third party services. Government is clearly aware of the limitations of the DRD and is now looking to close loopholes. DRD does not include web access and does not include access to services that are not hosted in the UK. Now, we know that a large number of users use webmail and that the major services (Hotmail, Gmail etc.) are hosted in the US. There is no provision under DRD for retention of any data relating to mail sent via these services - nor for any retention of data sent via other means including social networking sites, game sites, forums etc. Govt. now wants to close this loophole, ‘This would include third party data relating to internet-based services and communications services provided from outside the UK.’
Now that leaves some interesting questions. If CSPs are to be required to retain data relating to access to systems and servers outside of their network (and outside of the UK and EU) then they are going to have to collect the data by analysing the traffic flow on their own network. In practice this means deep packet inspection (DPI) of ALL traffic. DPI imposes some overheads - in order to undertake analysis and extraction of data without impacting on user experience will require real-time inspection with substantial processing demands. That is expensive. Well, at least the Govt. recognise this as the potential costs are estimated in the consultation as £2 Billion (yes, that’s right, 2 BILLION pounds).
The technical limitations are not the only concern. For CSPs to effectively read each and every packet will require substantial changes to current legislation. In effect, what will be required will be the electronic equivalent of opening mail, checking the contents and storing data. It is illegal to intercept the post, it is illegal to intercept traffic in a communications environment. Clearly the intention of the Government is to change the legal position to allow CSPs to analyse traffic and to retain data.
At present, there may be some inspection going on at CSP level in order to identify traffic types and to prioritise traffic flow - packet shaping. This is used to control use of high volume services such as peer to peer transfer. What is currently done is relatively simple compared to what may be required - traffic packets are checked to see what the type of data is and automatically routed or controlled as a result. The plan is for data to be read and then recorded and retained - and for the data to be retained for 12 months.
Now we can see an advantage for the Govt. in making CSPs retain the data. If there is a leak of data then it will be the CSPs at fault and not the Govt. Govt. agencies (national security, law enforcement etc.) will only become involved when they request data to be transferred from the CSP store.
The single centralised database has become a decentralised, distributed store of data. Once you set those up, the next step is to look to see how they could all be linked. We know that the Govt. views the single database as being the best option (and the cheapest). What they are going to do is to plan a distributed store that may circumvent privacy concerns, will be more expensive but will still store the same information. And that is going to be far more than is currently retained.
Privacy watchdogs will just be sharpening their claws - they will need them.
-
May we live in interesting times ……!
Posted on April 25th, 2009
The next week (week beginning 27th April 2009) appears to have the makings of a rather interesting time. Perhaps the ancient Chinese proverb was indeed close to the truth.
Later this week we expect the Home Office to publish details of the Intercept Modernisation Programme and the Communications Data Bill. Readers will remember that the Bill was originally trailed in the Government’s Draft Legislative Programme published in summer 2008 but was quietly dropped from the Queen’s Speech later in the year for ‘additional public consultation.’
Well, it seems that time for consultation is here and we now expect the Home Office to publish the consultation document and details of the Intercept Modernisation Programme (IMP). The Daily Telegraph today (Saturday 25th April) printed a front page story to indicate that the consultation will resurrect the ideas of a single centralised database to hold details of all telephone calls, emails, web access etc. The Telegraph reports (in print - it does not appear on their web site - why not?) that the Information Commissioner has reiterated his opposition to the database, indicating that he considers this to be a major intrusion into privacy.
The Government, of course, appear to be trotting out the same old story - we need to monitor web access, email etc. in order to track terrorists and serious organised crime. And, if recent performance is anything to go by, also those sending their children to school and those ‘allowing’ their dogs to foul the pavement.
There are fundamental issues of privacy and rights of the individual at stake here. The current authoritarian and nanny obsessed government simply cannot be allowed to rail-road this legislation through. Remember the sentient words of Benjamin Franklin in 1775, ‘Those who give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.’
What we need is a little real risk assessment and some real truths - not the one-sided ‘business case’ that we have seen with other consultations. This is a fundamental issue of rights and the ability of the Government to spy on its own citizens. Levels of control as are being suggested have only existed in the most heinous totalitarian regimes - we cannot sleep walk into allowing a British government to overturn centuries of hard won reforms for a short term gain. As Franklin suggests, the cost to the people is just too great.
-
DNA retention - Sir Alec speaks out
Posted on April 15th, 2009
An interesting piece on BBC Radio 4 today - 15th April. Martha Kearney interviewed Professor Sir Alec Jeffreys on the ‘World at One’ about the Home Office response to the recent S and Marper judgement in the European Court of Human Rights.
Now that judgement was unequivocal - in a judgement delivered unanimously (17-0) the judges of the ECHR held that the retention of the applicants' fingerprints, cellular samples and DNA profiles was in violation of Article 8 of the European Convention on Human Rights (Article 8 deals with the right to privacy). The full judgement makes interesting reading and is recommended.
Now, Sir Alec Jeffreys should know a thing or two. He developed the DNA fingerprint technique whilst working at the University of Leicester in the early 1980s. It is interesting that he is very concerned about the expansion of the UK DNA database and, in particular, its inclusion and retention of data relating to innocent persons (ie those not convicted of any crime). Today he condemned the Govt. for branding innocent people as criminals by not destroying their DNA profiles.
The Home Office recognise that the UK database is the largest of its kind in the world - to quote their own website: ‘The UK’s database is the largest of any country: 5.2% of the UK population is on the database compared with 0.5% in the USA. The database has expanded significantly over the last five years. By the end of 2005 over 3.4 million DNA profiles were held on the database – the profiles of the majority of the known active offender population.’.
The Home Office goes on to note that other police forces are keen to emulate the crime solving success of the database. OK, so the database can help to solve crime. But it contains the records of people unconnected with any crime and may serve to stigmatise those. Anecdotal evidence suggests that the database contains disproportionate records of certain groups within the population - it has been suggested that the database contains the DNA profiles of some 40% of the black youth population of the UK.
It was the retention of data relating to innocent persons and the disproportionate nature of data in the database that attracted the dismay of the European judicial process. Today the Home Office told the BBC that it was their intention to bring forward an amendment to the Policing and Crime Bill to allow them to retain DNA and that the new regulations would be subject to full public consultation. An interesting response from the Home Office and somewhat at odds to the response to the ECHR judgement shown on their website, ‘The Government recognises the importance of the Judgment and will publish its response and timeline to the Court’s findings as soon as possible.’ Bringing forward regulations to allow the retention of DNA data hardly seems to recognise the important and significant comments made in the judgement, in fact, it flies in the face of the judgement and suggests that the Government intend to plough ahead and to ignore the advice of learned judges in Strasbourg.
The ECHR judgement indicated that retention was blanket and indiscriminate - and there are suggestions that there may be up to 800,000 records of people who have no criminal conviction. The BBC reported that the Govt. had suggested that it would be prepared to remove profiles from the database but would retain the original DNA samples - this matches up with the suggested changes to the Police and Crime Bill.
Removing the DNA profiles of innocent people is what the judgement indicates. Retaining the original DNA samples makes a mockery of the judgement - it is simply easy to re-profile the samples at a later date and to re-populate the database. Quite simply this is sticking two fingers up to the ECHR.
The Home Office and law enforcement agencies and officials must realise and must be made to realise that nothing short of complete removal and destruction of all records and samples relating to those not convicted or charged with any offence will do. The data relating to innocent persons must be removed from the database and there must not be work arounds or variations to allow DNA to be retained. Retaining DNA is an infringement of individual privacy and there must be no process to allow retention where there is no crime.
This is all about proportionality. The risk of crime and the demands of crime detection do not override the risks of damage to those concepts that we hold dear - the right of a democratic approach where a person is held to be innocent unless proven guilty beyond all reasonable doubt and where individual privacy is respected.
This Government steps out against the ECHR at its own peril. The population can and are seeing the results.
[Note: The Police and Criminal Evidence Act (PACE) and the PACE Code of Practice 'D' set out the manner of collection of fingerprints, DNA samples etc. It is important to note that fingerprints or DNA samples taken on a 'speculative' basis must be destroyed unless the subject has given permission for the data to be retained. Once permission is granted it cannot be revoked. It would be sensible to refuse permission for data to be retained.]


