The Metropolitan Police Service appears to be trying to get hold of email correspondence between Members of Parliament, without first getting a warrant.
Points of Order
4.11 pm
[...]
2 Feb 2009 : Column 591
David Davis (Haltemprice and Howden) (Con): Further to that point of order, Mr. Speaker. I seek further clarification because my hon. Friend the Member for Ashford (Damian Green) has been approached by the Metropolitan police and asked for access to e-mails between him and me as Front Benchers of Her Majesty's loyal Opposition. Has the Serjeant at Arms been notified of this, and does it come under your ruling that such requests will require a warrant and will be referred to you for your personal decision?
Mr. Speaker: Is the right hon. Gentleman saying that, since the occasion on which the office of the hon. Member for Ashford (Damian Green) was searched, approaches have been made to the right hon. Gentleman and the hon. Gentleman to release certain information?
David Davis: That is exactly correct. I understand that a request has been made for electronic communications--e-mails--between me and my hon. Friend, presumably relating to the time when he worked under me on the Front Bench of the loyal Opposition.
Mr. Speaker: I thank the right hon. Gentleman for bringing this matter to my attention. This is news to me, and I will investigate whether the proper protocol and the procedures that I have laid down for situations without a warrant have been gone through. I will report back to the right hon. Gentleman and, indeed, the House.
Have the Metropolitan Police Service already been given access to the Communications Traffic Data logfiles regarding this, and other email correspondence by these two MPs, by the Parliamentary IT systems people, or by their upstream Internet Service Provider Colt Telecom and/or their anti-spam and anti-virus email subcontractor Message Labs?
Have the Metropolitan Police been trawling through all of the Communications Traffic Data of MPs and their constituents and others, since they are allowed to self-authorise this, and do not require any "warrant signed by the Home Secretary", let alone a search warrant signed by an independent Judge, in order to do so?
Will the Speaker of the House of Commons and MPs as a whole finally make clear, to the public and to the police, the extent and limits of the supposed protection of Parliamentary Privilege, with regard to the contents of landline telephone conversations, mobile telephone conversations, SMS text messages, facsimile transmissions, emails, instant message chats etc.?
Will they do the same for the collection of, and access to, any Communications Traffic Data relating to any of the above, or similar, methods of electronic communication?
Remember, the point of Parliamentary Privilege and of the Wilson Doctrine is to allow Members of Parliament to conduct their democratic duties properly, and to scrutinise and challenge the Executive branch of Government. This certainly requires that communications between MPs and their Constituents, or communications between themselves and other MPs, which may well be critical of or politically embarrassing to the Government or the Police or any of the other tentacles of the State or any other powerful lobbies and interests outside of Parliament, must be protected from being snooped on.
The Police or intelligence agencies or any other public bodies simply must not be allowed to trawl through Parliamentary emails without a warrant.
There is no point in Parliamentary Privilege applying just to direct correspondence between an MP and a constituent, or other member of the public, if it does not also protect any later quotation or forwarding of some or all of the original correspondence, especially the identifying Communications Traffic Data, which may very well be enough to betray the identity or location of a whistleblower or complainant.
If members of the public feel inhibited from corresponding freely and confidentially with Members of Parliament, because of disproportionate or political snooping by the Government or the supposedly politically neutral police or intelligence agencies, or foreign governments or criminals, then we no longer live in a free, democratic society, and the terrorists will have won.
A couple of technical suggestions:
- Members of Parliament should publish, and use, their own PGP Public Encryption keys to help to protect the confidentiality of their electronic correspondence with their constituents, and with whistleblowers.
- The Parliamentary email systems should be re-configured to allow the use of the standard STARTTLS opportunistic email encryption to and from other email systems which support it.
Please note that if you are using PGP (or for that matter perhaps GnuPG) to encrypt emails, remember that your email subject line will not be encrypted.
Some email logging/tracking systems not only log who the email is from and to, but also the subject line (believe me I have seen such logging taking place - I expect in the UK that is legal?), therefore it is best to use a "subject neutral" (e.g. Request or inquiry) or a random subject line (e.g. Dead poets society meeting) that bears no relation to what you are emailing your MP about. I was going to suggest use no subject line, but some emails may not like this[?].
It may be hard for your MP to understand why your email has a confusing email subject line, but explain to them why.
Also dear MPs, if you reply (however briefly) and include your Constituent's original email (as is the default for most email systems) in your reply, please please remember to encrypt your reply back, otherwise, of course, your Constituent's original email will be in Plaintext for anyone to see.
http://en.wikipedia.org/wiki/Plaintext
In any event do any MPs use PGP and make available their Public PGP key for their Constituents to use?
@ David - agreed. The Subject Line of an email may well be logged as Communications Traffic Data, which only requires a middle ranked Police officer e.g. Inspector / Superintendent, to self authorise access to. Access to the bulk contents of an email would require a Chief, or Deputy Chief, Constable and the Home Secretary (or a senior Home Office official) to sign a warrant or certificate under RIPA.
A good question, at a guess no MPs (House of Commons) and neither do any Peers (House of Lords), MEPs (European Parliament), MSPs (Scottish Parliament), AMs (Welsh Assembly), MLAs (Northern Ireland Legislative Assembly) nor Members of the Greater London Assembly, do so either.
If you search a PGP Keyserver for anything ending in "parliament.uk", you only find an expired key for "HoC Secretary williamsca@parliament.uk"
The suggestion to take some email precautions has been made to the Conservative David Davis. e.g. Hints and Tips for Whistleblowers etc.
The Liberal Democrats seem to be re-vamping their web sites and backroom IT under Lynne Featherstone, so perhaps they may be the first.
What is your public PGP encryption key then David ?
wtwu, thanks for searching PGP keyservers, I should have done that myself before I raised the question.
"self authorise access" is a prime example of doublespeak, isn't it.
Why don't they just write; they can do what the hell they want and you (i.e. UK subjects) can't do anything about it. So there...
Judging by:
http://www.pgp.com/insight/newsroom/press_releases/earl_of_erroll_joins_pgp_business_advisory_board.html
If the Earl of Erroll (Merlin Hay) doesn't have a PGP public encryption key, he may not be earning his "consultancy fees" very well ;)
http://en.wikipedia.org/wiki/Merlin_Hay,_24th_Earl_of_Erroll
wtwu I do have a public PGP encryption key (in fact several), however I won't post it here as that would lead to one of my corresponding email addresses being published on this blog.
I note the public key for this excellent and much read blog is available at:
http://p10.hostingprod.com/@spyblog.org.uk/cgi-bin/spyblog-pgp-keys.pl
(valid until 30th April 2009)
ref:
http://www.pgp.com/insight/newsroom/press_releases/earl_of_erroll_joins_pgp_business_advisory_board.html
Press Release: Earl of Erroll Joins PGP Corporation's Business Advisory Board
Renowned Independent Crossbench Peer joins PGP Corporation's Business Advisory Board
London and Menlo Park, CA / 08 July, 2008 - PGP Corporation, a global leader in enterprise data protection, today announced that the Earl of Erroll, the House of Lords most prominent information security expert has joined The PGP Business Advisory Board. Working alongside other international experts on cyber security, emerging technologies, computer forensics, and Internet crime, such as Richard Clarke and Howard Schmidt, the Earl of Erroll will provide specific expertise to help PGP Corporation address executive and technology user requirements in diverse markets and industries.
"The House of Lords has been instrumental in driving personal internet security in the United Kingdom," said Phil Dunkelberger, president and CEO of PGP Corporation. "The Earl of Erroll has been central to this and we are very pleased to have him involved with PGP Corporation.
"It is an honour to join PGP Corporation's board," said the Earl of Erroll. "As the defacto standard for encryption, PGP Corporation offers a unique proposition to the market place. I am excited to work with the company to continue developing its offering further."
Lord Erroll plays an active role in Parliament in several ICT groups, especially those looking at regulatory issues involving Communications, the Internet, Personal Identity and Government Data Sharing.
He sits on the council of PITCOM (Parliamentary Information Technology Committee), is President of E-RA (the E-business Regulatory Alliance) and also sits on other bodies such as the Information Systems Security Association (ISSA) and the Nominet (UK) Ltd Policy Advisory Boards. In 2007 he sat on the Science & Technology Select Committee's sub-committee on Personal Internet Safety.
Also ref:
http://www.pgp.com/about_pgp_corporation/boards/bab.html
"Sir Merlin Hay, Earl of Erroll
Lord Erroll has worked in IT most of his life as well as spending 22 years in the Territorial Army, and is a professional public speaker. He is also one of the Hereditary Peers who was elected to stay in the House of Lords, where he takes a particular interest in Information and Communication Technology (ICT), countryside and the environment, the Constitution, and Scottish matters. Within Parliament, he plays an active role in several ICT groups, especially those looking at regulatory issues involving communications, the Internet, personal identity and government data sharing. Lord Erroll sits on the council of the Parliamentary Information Technology Committee and the board of the European Information Group. He is secretary of the All-Party Communications Group, the vice-chairman of the All-Party Group on Entrepreneurship, and treasurer of the All-Party Group on Risk and Adventure in Society. He is president of the E-business Regulatory Alliance and also sits on other bodies such as the Information Systems Security Association (ISSA) and the Nominet (UK) Ltd. policy advisory boards."
@ David - remember that the doubly disgraced former Labour Cabinet Minister David Blunkett joined the board of Canadian corporate and government cryptography supplier Entrust for a while, so he should have been briefed on the technology by now.
The Earl of Erroll is certainly one of the few people in Parliament who understand the technical issues.
Technically, you do not actually have to associate a PGP Key with a real or valid email address, or even with an email address which you, in fact, control.
You can have different email addresses, or email address aliases, for sending and receiving email.
You could create a pseudonymous email address, or email address alias pointing to one of your regular email addresses, and a corresponding PGP public encryption key, which you only ever use for filling in blog comment form email details, or even just this blog's comment form.
Other readers of these comments are reminded that simply encrypting your email correspondence with your MP or a journalist etc. does nothing to hide the fact that your email address was in contact with another one, at a certain time, on a certain date, and sent a measurable amount of data (perhaps suspiciously about the same length as a whistleblower document), from being recorded in Communications Traffic Data logfiles.
These will be subjected to Mandatory Data Retention from mid March this year, and possibly much more, depending on the forthcoming Communications Data Bill.
wtwu
>Technically, you do not actually have to associate a PGP Key with a real or valid email address, or even with an email address which you, in fact, control.
Very true. Thanks for the tip.
In emails, attachment file names are also not encrypted...so readers DO remember to encrypt any attachments...also beware....
Example:
A file called:
Number_10_Briefing_Background_26Feb2009.pdf.pgp
if that was the attachment that you added to your whistle-blower email to your MP
Its name would be captured and logged.
So I tend to put the "identifiable stripped" pdf doc (as per guidelines in this blog someplace) in a winrar file with a meaningless filename, like oak_trees_at_risk_list.rar
Then I pgp encrypt that rar file;
oak_trees_at_risk_list.rar.pgp
and that is the file I attach. Hence the proper filename is encrypted, since to even get a view of the proper filename, first the winrar file must be decrypted, so it can be opened to yield the Number_10_Briefing_Background_26Feb2009.pdf inside.
Hope this helps and makes sense to readers.
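An added illustration of the points made in these comments about subject lines, attachment file names and traffic data; it is not code from the blog or its commenters. The addresses, the placeholder ciphertext and the function names are constructed for the example, which lists what a mail logger can still read from a PGP-encrypted message.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Constructed placeholder standing in for a real PGP-encrypted body.
ARMOR = ("-----BEGIN PGP MESSAGE-----\n"
         "(constructed placeholder ciphertext)\n"
         "-----END PGP MESSAGE-----\n")


def build(subject, attachment_name):
    """Build the on-the-wire bytes of a mail whose body and attachment are encrypted."""
    msg = EmailMessage()
    msg["From"] = "constituent@example.org"   # constructed address
    msg["To"] = "mp@example.net"              # constructed address
    msg["Subject"] = subject
    msg.set_content(ARMOR)
    msg.add_attachment(b"constructed encrypted bytes",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def visible_metadata(raw):
    """Return the fields readable without any decryption key."""
    msg = message_from_bytes(raw)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {"from": msg["From"], "to": msg["To"], "subject": msg["Subject"],
            "attachments": names, "size": len(raw)}


def leaks(raw, sensitive_terms):
    """Name the cleartext fields that contain any of the sensitive terms."""
    meta = visible_metadata(raw)
    hits = []
    for field in ("subject", "attachments"):
        value = meta[field]
        text = " ".join(value) if isinstance(value, list) else value
        if any(term.lower() in text.lower() for term in sensitive_terms):
            hits.append(field)
    return hits


if __name__ == "__main__":
    terms = ["briefing", "number 10"]
    naive = build("Number 10 briefing",
                  "Number_10_Briefing_Background_26Feb2009.pdf.pgp")
    careful = build("Request", "oak_trees_at_risk_list.rar.pgp")
    print("naive leaks:  ", leaks(naive, terms))
    print("careful leaks:", leaks(careful, terms))
    print("still visible:", visible_metadata(careful))
```

Even for the careful message, sender, recipient and size remain readable, which is the traffic data the comments above refer to.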
@ David - I shall update the Hints and Tips for Whistleblowers etc at http://ht4w.co.uk with your tips about not using meaningful email Subject lines and Attachment File Names, even if you are using PGP or other strong encryption, in whistleblower or other confidential communications.
PGP does actually do some file compression, so using RAR or ZIP or TAR or similar is actually more useful for combining several files into one single archive file, than for anything else.
Compressing already compressed or already encrypted files can, in some cases, make the resulting files slightly larger than the originals (the compression dictionaries cannot pick out common file patterns as often as they do with plaintext).