The Home Secretary Charles Clarke, like his other NuLabour ministerial colleague Chancellor of the Exchequer Gordon Brown, is busy trying to "be seen to be doing something", no matter how expensive or ineffective, at the European Union level, in response to the terrorist bombings in London on the 7th of July.
Apart from trying to impose mandatory fingerprinting on other European Union countries, even before he has done so to the United Kingdom, Charles Clarke is yet again policy laundering the long running Data Retention of communications data proposals.
Wasn't all this meant to have been sorted out by the leaders of the European Union after the Madrid bombs in March 2004 ?
The United Kingdom already has legislation which covers Data Retention: Anti-terrorism, Crime and Security Act 2001 Part 11 Retention of Communications Data
Eventually, nearly two years after passing this Act, the Home Office did come out with a Voluntary Scheme and a Code of Practice (.pdf)
The UK "voluntary scheme" can be made mandatory simply by Order, without having to pass any further primary legislation, or to have any debate or amendments when the Statutory instrument is rubber stamped.
This was too technically difficult and expensive for most telecomms and ISP companies to comply with, a situation which is even more so now, due to the increases in the volumes of data being sent over the networks.
It is doubtful if Charles Clarke will be presenting any detailed proposals to the other European Union ministers, only vague statements about 6 months, or 12 months or 3 years etc. with no reference to the practical difficulties which were acknowledged in the UK Code of Practice, e.g. the requirement to store 1 year's worth of log files for say web proxy servers had to be reduced to only 4 days (and that is only to cover Bank Holiday weekends) - the volume of data is simply huge.
APPENDIX A DATA RETENTION: EXPANSION OF DATA CATEGORIES
"SUBSCRIBER INFORMATION 12 months
(From end of subscription/last change)
Subscriber details relating to the person
e.g. Name, date of birth, installation and billing address, payment methods, account/credit card details
Contact information (information held about the subscriber but not verified by the CSP)
e.g. Telephone number, email address
Identity of services subscribed to (information determined by the communication service provider)
Customer reference/account number, list of services subscribed to
Telephony: telephone number(s), IMEI, IMSI(s)
Email: email address(es), IP at registration
Instant messaging: Internet Message Handle, IP at registration
ISP - dial-in: Log-in, CLI at registration (if kept)
ISP - always-on: Unique identifiers, MAC address (if kept), ADSL end points, IP tunnel address
TELEPHONY DATA 12 months
All numbers (or other identifiers e.g. name@bt) associated with call (e.g. physical/presentational/network assigned CLI, DNI, IMSI, IMEI, exchange/divert numbers)
Date and time of start of call
Duration of call/date and time of end of call
Type of call (if available)
Location data at start and/or end of call, in form of lat/long reference.
Cell site data from time cell ceases to be used.
IMSI/MSISDN/IMEI mappings.
For GPRS & 3G, date and time of connection, IMSI, IP address assigned.
Mobile data exchanged with foreign operators; IMSI & MSISDN, sets of GSM triples, sets of 3G quintuples,"
GSM triples and 3G quintuples means access to the mobile phone encryption keys which protect your conversations from being snooped on, and which therefore belies the claims that "Communications Data" is not the same as "content". The only reason for demanding these encryption keys to be stored under a Data Retention scheme is to circumvent the more laborious and more accountable procedures for mobile telephone voice or data intercepts.
"global titles of equipment communicating with or about the subscriber.
SMS, EMS and MMS DATA 6 months
Calling number, IMEI
Called number, IMEI
Date and time of sending
Delivery receipt - if available
Location data when messages sent and received, in form of lat/long reference."
No telecomms billing system logfiles store latitude and longitude coordinates. This would cost extra for new software to be developed to convert from Cell IDs to lat/long.
"EMAIL DATA 6 months
Log-on (authentication user name, date and time of log-in/log-off, IP address logged-in from)
Sent email (authentication user name, from/to/cc email addresses, date and time sent)
Received email (authentication user name, from/to email addresses, date and time received)
ISP DATA 6 months
Log-on (authentication user name, date and time of log-in/log-off, IP address assigned)
Dial-up: CLI and number dialled
Always-on: ADSL end point/MAC address (If available)
WEB ACTIVITY LOGS 4 days
Proxy server logs (date/time, IP address used, URL’s visited, services)
The data types here will be restricted solely to Communications Data and exclude content of communication. This will mean that storage under this code can only take place to the level of www.homeoffice.gov.uk/…….
OTHER SERVICES Retention relative to service provided
Instant Message Type Services (log-on/off time) If available.
COLLATERAL DATA Retention relative to data to which it is related
Data needed to interpret other communications data, for example:
- the mapping between cellmast identifiers and their location
- translation of dialling (as supported by IN networks)
Notes:
All times should include an indication of which time zone is being used (Universal Co-ordinated Time is preferred).
An indication should also be given of the accuracy of the timing."
That link to a "Code of Practice" links to a document describing itself as "CONSULTATION PAPER ON A CODE OF PRACTICE FOR VOLUNTARY RETENTION OF COMMUNICATIONS DATA", with a "draft" code of practice in Appendix A.
Is there a subsequently issued code of practice?
Furthermore and more interestingly, what are ISPs actually doing? Anyone know? Google comes up empty for me.
All good questions.
Since when are the commercial interests of the telcos and ISPs the same as the privacy and civil liberties interests of their customers ?
Why has there been no consultation with the general public over these issues, only with industry "stake holders" ?