Thursday, 5 November 2009

New EU rules on Peer to Peer file sharing could turn the surveillance sleepwalk into a sprint ...

Those awfully clever Burghers at the European Commission have proposed changes to the data protection rules that prevent us from ever sleepwalking into a surveillance society again. Instead, the sleepwalk could turn into a sprint.

All this might come about because of the implications of a compromise agreement the European Parliament is about to nod through about a package of measures relating to telecommunications. Specifically, it appears that Member States are now expected to do things that will enable those nasty “illegal peer to peer” file sharers to be identified and dealt with.

I ought to declare an interest at this stage, as I was among the group of people who were involved in creating the original communications data retention rules back in the early 1990s. At that time, we tried to develop an easy way of distinguishing “call traffic” records, which were supposed to be retained for law enforcement purposes, and “content” records, which were really private as they revealed what was actually said, or communicated, between the various parties.

It is this rule that requires, say, a mobile network provider to retain records that reveal that “A” sent “B” a text message at a certain time, and that a certain cell site was used to transmit or receive the call. And it is this rule that requires that mobile network provider to delete the actual contents of the text as soon as it has been delivered. So no-one knows how poorly spelt our texts really are (other than the recipient).

Similarly, in an internet environment, it is this rule that requires an ISP to retain web activity logs that just relate to “communications data” and not the content of the communication. The Home Office helpfully explained this (in a Code of Practice on the Voluntary Retention of Communications Data back in March 2003) as information only up to the first slash of a web address. So, the ISP could be required to retain web activity logs reflecting that at a certain time someone clicked on the www.russianbabes.com website, but no further details. So, the ISP would not be allowed to keep details of just which Russian Babe that person had been chatting to. Yippee - their right to privacy had been respected.

And Parliament has formally approved this distinction between IP traffic and content data too - by the coming into force of the Retention of Communications Data (Code of Practice) Order 2003 (also known as SI 2003 No 3175). So, someone will have to get Parliament to change its mind through a potentially messy parliamentary procedure if the official view about what ISPs are to be allowed to retain is to change.

But, as I noted at the start of this blog entry, the European Commission is just about to require Member States to do things that will enable those nasty “illegal peer to peer” file sharers to be identified and dealt with. Surely that means that these data retention rules are going to have to be revisited. It appears that ISPs are to be expected to identify the naughty boys and girls when asked by the men in suits who protect the digital rights of people such as Elton John, Lilly Allen and James Blunt, etc. How else is an ISP expected to know which person has accessed a specific URL, if it is only permitted to retain information to the level of the domain server?

Presumably, the only way the new scheme can be made to work is for the ISP to be forced to keep logs of all the URLs visited by a user over a period, say, of a year.

And I would cringe if this information were ever to get into the wrong hands. We all had a good smirk when we learnt about the adult films that were apparently viewed by a former Home Secretary’s husband. How much wider could the smirk on our faces get if it were to be revealed that an internet account paid for by a politician had been used to access the really naughty pages of particularly embarrassing sites. Impossible? Don’t you believe it. There’s nothing like a juicy morsel like that to get the journalists waving their cheque books around.

And, given the consolidation going around the ISP community right now, what engineer might not be tempted to inflate his potential redundancy payment with records that might well be worth many times the amount his (soon to be) former employer might be planning to give him?

In his lecture to the Centre for Policy Studies on freedom and surveillance on 15 July, Damien Green MP the Shadow Minister for Immigration, spoke about fears that we are living in a policing-led state: “Police needs are driving policy in this area with no sense of balance between the legitimate demands of the police and the need to preserve the freedom and privacy of the citizen.”

He was worried about the way the Regulation of Investigatory Powers Act 2000 (an Act that sets out which public bodies can access communications data) was being used by authorities other than the police: “The use of what were meant as powers to be used against serious criminals and terrorists helps destroy confidence in public bodies. If we are all suspects, then none of us will help the authorities. That way lies the atomisation of society.”

And he finished his lecture with a warning: “The bigger the capacity to collect and share information, the greater danger there is to privacy, and therefore to freedom. It is time for the freedom fighters of the world to fight back against the controlling state."

So let’s see how the Tories respond to this apparent attack on privacy.

I may well return to this issue in a later blog.