The Home Office has published its summary of the responses to the public consultation Regulation of Investigatory Powers Act 2000: Consolidating orders and codes of practice (1.7Mb .pdf) which ran from April to July.
The Regulation of Investigatory Powers Act 2000: consolidating orders and codes of practice - responses to the consultation (269Kb .pdf) says that:
The 222 respondents comprised:
- 104 local authorities;
- 9 local authority associations;
- 10 law enforcement bodies;
- 9 other public authorities;
- 6 legal reform or scrutiny bodies;
- 5 communications service providers;
- 3 training organisations;
- 2 housing agencies;
- 2 oversight commissioners (the Chief Surveillance Commissioner and the Interception of Communications Commissioner);
- 68 members of the public (of whom 27 had experience of working with RIPA); and
- 4 other NGOs with interests in the prosecution of offenders, waste management, computing and children's rights.
Spy Blog raised the following issues in response to this public consultation, with little success:
1) Mandatory use of strong Encryption should be explicit in the Regulations and Codes of Practice
2) Automatic Number Plate Recognition data needs to be brought within the RIPA framework
3) Sub-division of "Communications Data" to now include a separate Location Based Services data category
4) All Local Authorities should have their Intrusive Surveillance and Covert Human Intelligence Source powers removed. Access to Subscriber Details should continue, but no LA access to Location Based Services data.
5) The abuse of Children as Covert Human Intelligence Sources
1) Mandatory use of strong Encryption should be explicit in the Regulations and Codes of Practice
page 12
- there should be a mandatory requirement for all RIPA applications, authorisations and material obtained to be encrypted; and
page 13
It would be impractical to require all material obtained through the use of RIPA to be encrypted. However, it is perfectly reasonable for members of the public to want reassurance that all appropriate steps are taken to protect material obtained through the use of techniques under RIPA. All relevant public authorities have in place a variety of security measures, including physical security measures, security procedures, staff vetting and training, to ensure that material is protected from improper disclosure.
Note the "bait and switch" weasel words "impractical to require all material obtained". It would obviously be difficult, but not impossible, given the Government's huge purchasing power in the security snooping and surveillance equipment market place, to require all the original source raw data collection from intrusive and directed surveillance e.g. video and audio recordings before they have been analysed or transcribed or passed on to other agencies, to be strongly encrypted, but that is not what we asked them to do.
There is no excuse for the surveillance requests and orders and the subsequent collated and analysed reports to ever be stored or sent in transit without strong encryption. The doubt as to whether this might, or might not happen in any particular case, undermines public trust and confidence in the whole RIPA system.
There seems to have been no progress at all in the RIPA regulations and Codes of Practice since the last Public Consultation, back in 2006, with regard to the Mandatory use of strong Encryption, to protect RIPA requests, authorisations and the disclosed data.
Since then, there have been various Poynter, Hannigan, Butler etc. Reviews of the Handling of sensitive Documents and personal data by Government departments and other public authorities, following the scandalous accidental losses and thefts of removable media like CD and DVD disks, USB memory devices, laptop and desktop computers, handheld personal digital assistants, Smart Mobile Phones and old fashioned paper documents left on trains etc., involving millions of records and, in some cases, highly sensitive Top Secret information.
Since these "extremely serious" failures continue to happen regardless, surely the RIPA regulations and Codes of Practice should explicitly spell out that all RIPA requests, authorisations and the end product of Communications Data or Intercept Data etc. should all be protected in transit and on portable devices or media with Government approved strong Encryption, without exception?
Surely RIPA Part III demands for other people's Cryptographic De-Cryption Keys and / or the Plain Text of data or communications which are protected by Cryptography, should never be allowed to be stored or transmitted by a Public Authority, unless it is also strongly encrypted?
2) Automatic Number Plate Recognition data needs to be brought within the RIPA framework
There is only one mention of ANPR in the document:
page 14
7. Do the revised Codes of Practice provide sufficient clarity on when it is necessary and proportionate to use techniques regulated in RIPA?
[...]
24.5% (54 respondents) replied that the draft revised codes did provide the requisite clarity through better guidance on necessity, proportionality and what constituted private information. Roughly the same proportion (53 further views) supported this approach as far as it went but wanted to see additional examples in specific areas such as noise monitoring, outsourcing, test purchasing, use of CCTV/ANPR, trading standards 'house of horrors' operations and the difference between public authority 'core' (outward-facing) and 'ordinary' (internal) functions
[...]
Public authorities can access the retained logfiles containing the time, date and location of landline or mobile phone calls or internet connections, something which comes under RIPA.
However, the equally intrusive logging of the time, date and location of a person's motor vehicle via Automatic Number Plate Recognition can yield similarly privacy-intrusive information about a person's private life, but it is not currently regulated by RIPA.
A private vehicle is considered, as a result of European Court of Human Rights case law, to be like a person's private home, something which is reflected in the levels of authorisation required to plant intrusive surveillance equipment such as sound, video recording or transmission devices.
This also applies to location tracking devices planted on or in a vehicle, but not to ANPR systems which can provide similar vehicle journey time, date and location data.
The use of such ANPR data is equally capable of being abused by criminals or by over zealous petty officials, and needs clear legal rules or mandatory Codes of Practice.
There is no real problem with ANPR used on the roadside, where the Police immediately stop and investigate a suspect vehicle and its occupants.
Where there is a huge, unacceptable problem is with the disproportionate Mass Surveillance data being scooped up from Local Authority and Congestion Charge and other CCTV camera systems, into the National ANPR Database.
Do *not* allow secret Data Mining of this vast ANPR database, without transparent, credible, independent oversight, to protect the vast majority of innocent people's vehicle movement patterns from abuse by "faceless bureaucrats" and corrupt insiders.
According to both the current and previous Chief Surveillance Commissioners' annual reports, all the former senior Judges who now serve as Surveillance Commissioners recognise that ANPR is not being subjected to proper RIPA oversight, as it should be.
Please bring ANPR Data within the RIPA authorisation and audit framework.
3) Sub-division of "Communications Data" to now include a separate Location Based Services data category
There is another, parallel public consultation, to which the Government has not yet responded:
Protecting the Public in a Changing Communications Environment (676 Kb .pdf), to which Spy Blog has also responded, with similar arguments about the need for specific authorisation of Location Based Services data.
Again, the Government response does not specifically mention this, but they do actually use the term "location data", so perhaps there might be some progress later when the actual Statutory Instruments and Codes of Practice are published.
page 6
The Home Office accepts the case provided in respect of the Department of the Environment in Northern Ireland for access to the least intrusive types of communications data, but not traffic or location data.
[...]
page 12
6. Are the Government's other proposed changes in the Consolidating Orders appropriate?
[...]
- adding techniques such as traffic (location) data or intrusive surveillance (covert surveillance in private residences and vehicles) - neither of which they are currently permitted to use under RIPA;
page 16
8. Additional responses offered
[...]
5.5% (12) believed the current system should be changed in favour of some measure of judicial authorisation (two of these for handling access to traffic (location) data, one for surveillance of legally privileged communications). One opposed judicial authorisation.
[...]
Currently access to Communications Data is split into two categories; either access to the whole lot, or access to just Subscriber Details.
Technology has moved on since 2000, and it would be sensible to split out another category, namely Mobile Phone or Mobile Computer device Location Based Services data.
It is not necessary for, say, the Fire and Rescue Service or Ambulance Service to have the power to demand "Friendship Trees" of the pattern of people's mobile phone calls and SMS messages to and from friends and family contacts etc., but there are situations where the increasingly accurate Location Based Service data would be useful in responding, in real time, to an emergency, or in evaluating whether a 999 / 112 emergency call is likely to be a hoax call or not etc.
There is no need for such non-Police or non-Intelligence Agency Public Authorities to have access to the full set of data which a Communications Data request to a Communications Service Provider could generate, but simple Subscriber Details "registered name and address" data about a pre-paid mobile phone would probably be meaningless.
Access to Location Based Services Data is much more intrusive than simple Subscriber Details, so it should *not* be self-authorised, and must be approved ideally by a Magistrate, but at least by a RIPA Surveillance Commissioner or Interception of Communications Commissioner.
The RIPA Commissioners should supervise and audit and publish statistics on the use of Location Based Services by the Public Authorities in that category.
4) All Local Authorities should have their Intrusive Surveillance and Covert Human Intelligence Source powers removed. Access to Subscriber Details should continue, but no LA access to Location Based Services data.
Quite a lot of the document is devoted to Local Authorities, and over 100 of them seem to have submitted responses.
page 10
4. Should the rank at which local authorities authorise the use of covert investigatory techniques be raised to senior executive?
makes it clear that the majority of the respondents and even the Home Office themselves do not think that raising the level of authorisation for the use of RIPA powers within Local Authorities will make much difference.
However, that is exactly what is being touted as the main "soundbite" by the mainstream media and by the Home Office media manipulation machine.
Local Authorities, including their Trading Standards and Environmental Health departments must have their powers under RIPA and under any other legislation curbed:
If and when an investigation by a Local Authority department proceeds from looking at a minor crime to something which seems likely to involve Serious Organised Crime, as per the definition under RIPA i.e. likely to attract a prison sentence of more than 3 years, for a first time offender, upon conviction, then Local Authorities are out of their depth on their own and should either involve the local Police or other more experienced RIPA authorities in a joint investigation.
These more experienced and better trained RIPA authorities should be the ones who apply for permission to use Intrusive Surveillance or Covert Human Intelligence Sources etc.
Local Authority Trading Standards and Environmental Health Departments etc., should continue to have access to Communications Data subscriber information i.e. "reverse telephone directory" look ups, but they should not have access to other Communications Traffic data, and neither should they have access to the proposed new category of Location Based Services data.
5) The abuse of Children as Covert Human Intelligence Sources
page 13
The Home Office agrees that extra protections are required in the case of juvenile or vulnerable covert human intelligence sources, but does not propose to change the higher level of scrutiny and authorisation that must be made in these cases and is set out in Statutory Instrument 2000 No.2793 (the Regulation of Investigatory Powers (Juveniles) Order 2000) and in the Code of Practice on Covert Human Intelligence Sources.
How can the Home Office agree that "extra protections are required", when they do not propose to make any changes to the legislation or codes of practice?
It is time that the various pronouncements about the Government's policy commitments to the Protection of Children actually filtered through into the dubious area of RIPA.
There is plenty of evidence that Local Authorities are now employing Covert Surveillance Technology, such as hidden microphones, hidden video cameras etc. where Children i.e. people under the age of 18, are used as "mystery shoppers" to pro-actively investigate shopkeepers who might be illegally selling age prohibited items like alcohol, cigarettes, knives etc. to Children.
The RIPA Codes of Practice do not provide any extra guidance when Children are used as Confidential Human Intelligence Sources, something which is out of step with United Nations, European Union and UK Government policies regarding the special protections needed by Children, when they get caught up in the law enforcement and criminal justice systems, even as potential prosecution witnesses.
Obviously there are Children, especially those involved in street gang culture, who may well be Serious Organised Criminals, or who may be exploited by such criminals who are their relatives or friends, so there may well be some potential CHIS who are under the age of 18.
This is a very different issue from the use of adult CHIS to investigate possible abuse of Children.
The Home Office needs to issue some very clear guidance on the use or abuse of Children as CHIS, even in relatively "low risk" situations like those of Local Authority Trading Standards "mystery shoppers".
There needs to be a very clear Home Office policy on Financial Payments to under age CHIS, something which is already a difficult area in regard to adult ones.
The recruitment of Children as political or environmental or "community tension monitoring" or MI5 / Local Police "Rich Picture" Junior Spies by well meaning Local Authorities or by the Home Office or by other Whitehall departments must be outlawed.
e.g.
http://www.telegraph.co.uk/news/uknews/2689996/Children-aged-eight-enlisted-as-council-snoopers.html
There is also the misleading response from the Government which affects the Wilson Doctrine
page 3
- ensure that the constituency business of MPs is treated in the same way as other confidential material (following the report of Sir Christopher Rose into the bugging of conversations at HMP Woodhill between Babar Ahmad and Sadiq Khan MP).
page 15
The proposal that MPs' communications on constituency business should be treated in the same way as other confidential material did not elicit specific comment among the respondents who indicated they supported the Home Office's proposals set out in the consultation paper. Only one respondent registered opposition for the reason given above. We shall therefore put the proposal before Parliament
This does not seem to promise any action on Confidential journalistic material, which is mentioned in the consultation document.
It also ignores the fact that Sir Michael Rose found no breach of RIPA, since the authorisations for the bugging in prison were under the Police Act 1997.
When I access the site web page, the current home page does not appear - an older version (prior latest article with only 9 comments) appears as the main page. This has been happening for several days - so I didn't, for example, see the latest (10th) comment re the upcoming "headcount" or your latest article. I am a Brit across the pond and have been subject to harassment for years (though innocent) so I don't know if this is a problem only I have or whether others - including those accessing this site from other links - are in effect being cut off from your website's latest items in a way that makes it look as if no one has been posting after a certain date.
I am a Christian and you are in my prayers and I want you to know that I thank God for your website.
@ anon - if you use the main http://SpyBlog.org.uk url, then you should find the latest version of this website.
You might also find it convenient to subscribe to the syndication feeds via say Bloglines or other feed aggregators.
RSS 2.0 - full articles
or
Atom - headlines
Where Spy Blog is censored e.g. by corporate "censorware" software with all the default categories ticked, or in China or Iran etc. it is usually access to the whole site, rather than individual pages which are affected.
I found an ethical work around NOT involving hacking - that was how I managed to post my message. I didn't post the method I used because in the past when my phone, for example, was illegally blocked when trying to wish a close relative a happy birthday, and I found an ethical way to do it and mentioned it or wrote it, the ethical work-around sinisterly disappeared. I wrote my note to warn you and your users what was happening just in case it wasn't just happening to me. You or a user might want to check at a later date whether accessing the site from other weblinks is accidentally or otherwise giving the effect of censorship. I have also had problems with other sites. Once again thank you.
I found an ethical work around NOT involving hacking - that was how I managed to post my message. I didn't post the method I used because in the past when my phone, for example, was illegally blocked when trying to wish a close relative a happy birthday, and I found an ethical way to do it and mentioned it or wrote it, the ethical work-around sinisterly disappeared. I wrote my note to warn you and your users what was happening just in case it wasn't just happening to me. You or a user might want to check at a later date whether accessing the site from other weblinks is accidentally or otherwise giving the effect of censorship. I have also had problems with other sites. And surprise surprise I have had problems posting this comment. Once again thank you.
@ anon - perhaps the Tor onion routing project might be of some help, if you are being censored.
However, it is just as likely to be internet connectivity problems, or browser cache problems etc. as anything else i.e. cockup rather than conspiracy.
I found an ethical work around NOT involving hacking - that was how I managed to post my message. I didn't post the method I used because in the past when my phone, for example, was illegally blocked when trying to wish a close relative a happy birthday, and I found an ethical way to do it and mentioned it or wrote it, the ethical work-around sinisterly disappeared. I wrote my note to warn you and your users what was happening just in case it wasn't just happening to me. You or a user might want to check at a later date whether accessing the site from other weblinks is accidentally or otherwise giving the effect of censorship. I have also had problems with other sites. And surprise surprise I have had problems posting this comment. Also the lock disappeared when in this secure zone, as happened to me on another site one time paying a bill. The censorship thing also happened to me in 2006 and 7 when a conference involving firms censoring was in the news. I have never worked or done anything needing a security clearance and know that what is happening to me is psywar and by unethical persons working for who knows whom and unethically doing psywar. Spy Blog users don't need to hear any more of individual circs so I won't comment further about myself. Once again thank you.