Thursday, February 12, 2009

From data retention to local authority spying

The Telegraph is reporting that the UK government is implementing the EU data retention directive (EU Directive 2006/24/EC) in such a way as to facilitate further spying by local authorities. Now let's just read paragraph 1 of article 1 of the directive (scroll down to the third page of the pdf version):
"1. This Directive aims to harmonise Member States’ provisions
concerning the obligations of the providers of publicly available
electronic communications services or of public communications
networks with respect to the retention of certain data which are
generated or processed by them, in order to ensure that the data
are available for the purpose of the investigation, detection and
prosecution of serious crime, as defined by each Member State in
its national law."
A Home Office minister rolled out the old soundbites about fighting terrorism again (though not the "war on terror" now we're in post Bush ObamaWorld). But what exactly is it about routine local authority access to communications data that serves the "purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law"? And has the government not learned anything at all from the routine controversial use of the Regulation of Investigatory Powers Act by certain councils to spy on local residents?

Thanks to HJ Affleck via the FIPR list for the pointer to the Telegraph article.

PS Just worth noting the kinds of data we're talking about here - all phone-calls, email and internet traffic - from article 5 of the directive:
"1. Member States shall ensure that the following categories of
data are retained under this Directive:

(a) data necessary to trace and identify the source of a
communication...

(b) data necessary to identify the destination of a
communication...

(c) data necessary to identify the date, time and duration of a
communication...

(d) data necessary to identify the type of communication...

(e) data necessary to identify users’ communication equipment
or what purports to be their equipment...

(f) data necessary to identify the location of mobile communication
equipment"
Update: Having now read the draft regulations I expect the Telegraph writer is concerned about
"Access to retained data

7. Access to data retained in accordance with these Regulations may be obtained only—

(a) in specific cases, and
(b) in circumstances in which disclosure of the data is permitted or required by law."
The government is also going with a 12 month retention period rather than the significantly shorter periods suggested by ISPs and civil rights organisations.
"The retention period

5. The data specified in the Schedule to these Regulations must be retained by the public communications provider for a period of 12 months from the date of the communication in question."
Update: Councils have had the facility to spy under RIPA for years. So the Telegraph is conflating several things in this story and not particularly accurately. I was a bit quick to jump on the "criticise the idiots in government" bandwagon again. The regulations are not good from a data retention perspective. Period. The council spying thing was a bit of a red herring here.

No comments: