This file contains the Guardian article
with some comments and corrections on
the actual events, with the actual form which will be used
to breach your privacy without warrant and the purposes
for which information may be demanded; plus
some objections, and
possible counter action under contract law;
finally here is the joint CyberRights/CACIB press release.
Further arrivals... here is the original report
by Dan Sabbaugh from August 1998, and the TechWeb story
plus a reply from a major ISP.
The police, MI5 and the Home Office are trying to push through a scheme to
pressure other service providers to hand over private e-mail information without
the court order that is required for telephone calls and the mail. Are the
police taking liberties with our privacy? Duncan Campbell reports
[From online Guardian,
17 September 1998]
Police tighten the Net
TWO WEEKS AGO at [incorrect time given in original article---the other
raids took place at dawn, and they later in the morning went to this site],
30 police entered the north
London offices of Demon Internet, one of Britain's biggest Internet companies,
and seized two computer servers and computer logs. It was Britain's largest-ever
Internet raid and, although it was part of the well-publicised Operation
Cathedral investigation of the international "Wonderland" child porn ring,
the raid has gone unreported until now. But the inclusion of one of the
biggest ISPs--Internet service providers--in Britain in a major child porn
raid has sent a timely, clear and frightening message to industry insiders.
The "Wonderland" raids, organised by Britain's National Criminal Intelligence
Service, NCIS, took place just days before a police, MI5 and industry
discussion group is due to meet to agree "law enforcement" access to
private information about the Net and its users.
This afternoon in London, an informal group convened by Acpo, the Association
of Chief Police Officers, is holding a press conference to announce its plans
to introduce a private "memorandum of understanding" about police access to
e-mail users' identities, activities and messages. Over the next three weeks,
senior police officers and key industry figures will host three seminars in
Edinburgh, Manchester and London to be addressed by police, industry and
prosecution computer specialists. The seminars are being run by a group called
the "Acpo, ISP and Government Forum". The press, public, lawyers and defence
computer legal specialists are excluded.
"The ISP industry is being privately pressurised into revealing information that
others would not reveal as a matter of course," says one senior ISP manager who
has followed the police-ISP negotiations.
If the ISP industry were to go along with the current police position, then ISPs
will soon be routinely sent electronic forms under the Data Protection Act,
certifying that the police needed the information requested for the prevention
or detection of crime. The forms were first introduced in 1994, but had to be
extensively revised after being shown to the office of the Data Protection
Registrar, Elizabeth France. According to her office, the section of the Act
being used "was intended as an exceptional measure and not as a routine tool . .
it should not be seen as an easier approach than a court order."
"We say it time and time again information can only be released on a case by
case basis. Fishing expeditions are not allowed", France said this week although
they may have happened in the past. "It is important that [e-mail] has the same
level of protection for individuals as for any other communications mail &
telephone calls".
Although the proposed Data Protection Act forms certify that the information is
required for a specific case, they also say that information passed "may be used
for any other investigation". The forms have to be countersigned, but do not
require the signature of a rank higher than an inspector. If successful, the
Acpo initiative would mean that the contents of e-mail, unlike ordinary mail or
telephone conversations, could when requested in this way be intercepted and
read without a warrant from the Home Secretary.
It would also mean that it could be produced as evidence in court, unlike normal
mail intercepts or phone taps. Police sources say, however, that they would not
expect access to e-mail as it was being sent, as opposed to stored e-mail,
unless they had a normal phone-tap warrant. But the Home Office is currently
reviewing the Interception of Communications Act. Home Secretary Jack Straw
revealed during this month's emergency debate on terrorism that a review of the
Act, including necessary technological changes, has been under way since July.
It is understood that this includes reviewing whether or not e-mail should be
treated the same way as ordinary mail.
The problem for ISPs is not that they object to court orders or police
search warrants being used when they are asked for evidence of serious
Net-related crime, but that the threat of disruptive police raids is
being quietly used to obtain more extensive information, without legal
powers or adequate justification.
"We've had any number of cases when police have come and asked 'tell us
about all your subscribers who are living in Warwickshire' ", says one
member of the Acpo-ISP group. The problems are that the information may
not exist, may not be obtainable, or, if it did exist, would be illegal
to hand over.
The worry for legal specialists is that public concern about paedophile
activities in particular could result in ill-advised police-industry
agreements sidestepping privacy laws and good practice.
"A mood of public alarm taken together with a poorly developed forensic
science is the most dangerous combination imaginable for miscarriages of
justice," says Peter Sommer, a computer forensics research fellow at the
London School of Economics and defence legal specialist. "Those factors
have historically led to some of the gravest judicial errors in our history."
This month's raid on the ISP may be a case in point. The company
maintains that the police went for the wrong target and
[original article says "arrested", but in fact they only "questioned"]
an innocent employee, based on a misunderstanding about how its part of the
Net was engineered and whether or not its employees would have known
what specific users were doing. Since "computer forensics is in its infancy",
says Sommer, the right way forward is to legislate & to introduce codes of
practice such as are already in use under the Police and Criminal Evidence Act.
"We need to regularise law enforcement access to & use of computer-derived
evidence. The result will be all the stronger for having been the result
of democratic scrutiny, rather than cosy discussions between a police lobby
group and a few ISPs."
Police officers face serious problems investigating Net-based crime,
given the diversity of size, sophistication and outlook among ISPs. Even
if Acpo does obtain a "memorandum of understanding" signed by key
industry bodies, this would not be binding on any company providing
services. Many on the ISP side say privately that the description is
inappropriate. They have asked Acpo to reconstitute the proposed "agreement"
as a "guide to best practice" in providing information to the police.
Further problems were highlighted at a meeting between police, Home
Office, MI5 and industry specialists held at Scotland Yard three months
ago to discuss what information ISPs could and should make available.
The police and government side asked for "all e-mail sent in the last
week to be recorded as a matter of routine". Another "desirable
facility" was "the ability to turn on logging of all incoming e-mail
for a customer account".
But the ISP representatives explained that these records were not
normally kept at many ISPs and that creating them for routine police or
MI5 use would be costly. The ISPs were however "happy to do work that
has little or no cost implication and is clearly legal".
Detective Chief Superintendent Keith Akerman of Hampshire Police,
chairman of the Acpo computer crimes group, told Computing magazine: "We
want to ensure the criminal doesn't take best advantage of the Internet,
without government using the sledgehammer of regulation."
Acpo was unwilling this week to release any drafts of the proposed
memorandum of understanding, or to provide copies of the form that Acpo
has already drafted to be used by police forces seeking Net information.
The form is based on a system now widely used to get lists of telephone
numbers called from BT and other telecoms providers without Home
Secretary warrants or court orders, which was revealed in OnLine in
September last year.
Apart from suspicion in some parts of the industry and reluctance in
others, the Acpo and government initiative to access e-mail information
also faces the problem that a new EU directive on communications privacy
comes into force in less than two months. The directive says that:
"Member States shall ensure via national regulations the confidentiality
of communications by means of public telecommunications network and
publicly available telecommunications services. In particular, they
shall prohibit listening, tapping, storage or other kinds of interception
or surveillance of communications, by other than users, without the consent
of the users concerned, except when legally authorised."
[See
http://europa.eu.int/eur-lex/en/lif/dat/en_397L0066.html; It also states:
"Article 15 Implementation of the Directive
1. Member States shall bring into force the laws, regulations and
administrative provisions necessary for them to comply with this
Directive not later than 24 October 1998.
By way of derogation from the first subparagraph, Member States
shall bring into force the laws, regulations and administrative
provisions necessary for them to comply with Article 5 of this
Directive not later than 24 October 2000" see further note on this].
"There's not much left for a 'memorandum of understanding' to cover,"
says LSE's Sommer. He suspects that, with the directive, a new Data
Protection Act and a Home Office review of the interception of
communications act due in the next three months, the "cosy agreements"
between Acpo and ISPs may be as futile to the police as they are
aggravating to Net civil liberties and privacy campaigners.
TWO YEARS OF POLICING THE NET
- 2 August 1996
Following a rash of child porn investigations, the Metropolitan Police
invite Internet service providers (ISPs) to a seminar at New Scotland
Yard to discuss how to deal with obscene material on Net newsgroups.
- 9 August 1996
Letter from Metropolitan Police Clubs and Vice unit to ISPs circulates
veiled threat: "We trust that with your co-operation and self regulation
it will not be necessary for us to move to an enforcement policy." A list of
200 sex-related newsgroups was appended to the letter. Worried ISPs quickly
start ad hoc meetings with police to try and agree a modus vivendi.
- September 1996
Internet Watch Foundation launched with government backing to consider
curbs on Net content, with particular reference to child pornography.
- October 1996
National Criminal Intelligence Service (NCIS) launches Project Trawler
to study the extent of criminal use of the Net, and the methods law
enforcement officials should use.
- May 1997
NCIS announces results from Project Trawler, and requests urgent action
to introduce laws enabling police to intercept and monitor e-mails. No
action is taken because of the election.
- May 1998
Acpo (Association of Chief Police Officers) and major ISPs plan seminars to
promote informal agreements for police access to e-mail and Net information.
- 18 June 1998
Meeting at New Scotland Yard between Home Office, MI5, police, BT and
ISP representatives discusses law enforcement requirements for Net
information, including stored e-mail and logs of Web usage.
- 2 September 1998
Police raids on 11 sites in Britain, including one major ISP, seize
child porn material connected with a US Web site called "Wonderland"; 30
others arrested in 12 other countries.
- 12 Sept 1998
First Acpo seminar in Edinburgh aims to win industry acceptance of
"memorandum of understanding" allowing automated access to ISP
information.
[Duncan Campbell is a freelance journalist and not the
Guardian's crime correspondent of the same name]
On 17 Sep 1998, In{199809172136.WAA00867@odin.mimir.com}, Pete Bentley writes:
:
: Interestingly, the printed version of Online only said "a major UK
: ISP" rather than naming Demon. I asked about that on another mailing
: list (a UK ISP gossip/industry watch one) and [.......] replied that
: "As far as I'm aware no raid took place, and no service machines were
: removed. I believe several ISP's were approached by the police (with
: the correct documentation) and assisted with their enquiries".
:
On Fri 18 Sep 1998, in{001e01bde2e6$4f0ab860$8dfff3c1@Alan.kable.co.uk},
Alan Burkitt-Gray writes:
|
| The printed Guardian's main section yesterday has as its first item
| in its Corrections column a paragraph saying that no one was arrested
| [and also identifying Demon].
|
On 18 Sep, In{4.0.1.19980918133612.00df0f00@pop.gn.apc.org}, Duncan Campbell writes:
#
# Police and email : Guardian and C4N
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# I produced the Channel 4 News item on Wednesday night as well as
# writing the report for Guardian Online ... since some wondered
# (but C4N forgot the credit). Regarding the raid on Demon Internet,
# this has been confirmed on the record
# by the National Crime Squad, who say however that the Demon employee
# concerned was questioned but was not arrested. This information was
# provided too late for the Online Guardian paper deadline - a day
# before the main paper - but appears (as has been noted) on the web
# site and as a correction carried in the main paper on Thursday
# morning. The National Crime Squad also state that they removed two
# computers together with other material from Demon's offices.
#
On 20 Sep 1998, In{memo.19980920172027.316A@itconsult.co.uk}, Matthew Richardson writes:
+
+ In the demon.service newsgroup, two senior representatives
+ from Demon have emphatically denied that ANY raids have taken place
+ on their premises.
+
FURTHER NOTE ON THE E.U. DIRECTIVE.
In{s60777d8.023@Tecsun.Demon.Co.Uk}, Dave Howe writes:
|Hmm. all sounds very nice, until you reach this bit....
|
|(12) Whereas this Directive, similarly to what is provided for by Article 3 of
|Directive 95/46/EC, does not address issues of protection of fundamental
|rights and freedoms related to activities which are not governed by Community
|law; whereas it is for Member States to take such measures as they consider
|necessary for the protection of public security, defence, State security
|(including the economic well-being of the State when the activities relate to
|State security matters) and the enforcement of criminal law; whereas this
|Directive shall not affect the ability of Member States to carry out lawful
|interception of telecommunications, for any of these purposes;
|
|Article 1 Object and scope
|
|3. This Directive shall not apply to the activities which fall outside the
|scope of Community law, such as those provided for by Titles V and
|VI of the Treaty on European Union, and in any case to activities concerning
|public security, defence, State security (including the economic well-being
|of the State when the activities relate to State security matters) and the
|activities of the State in areas of criminal law.
The document following is the proposed form which was seen being discussed
on Channel 4 News on Wednesday and which the police wish to standardise for
obtaining data from ISPs without a court order or warrant. It is different to
the forms which they have been using in the recent past, in that this form has
had significant recent input from the Data Protection Registrar's Office.
Data Protection Act s28(3) form
Agreed by ACPO and the ISP industry
Introduction
ACPO and the ISP industry have been working together to produce a standardised
form for requests for data under section 28(3) of the Data Protection Act
1984. This note is divided into four parts:
1. This introduction.
2. The form itself. This has been cast as an HTML form, which will look a
little different from the printed form that will also be distributed.
3. The short-form notes to be printed on the back of the form.
4. The long-form guidance material to be provided to police forces and ISPs.
REQUEST FOR DISCLOSURE OF PERSONAL DATA
Under section 28(3) of the Data Protection Act 1984 c.35
To: [note 1] ISP
reference: [note 2]
Please provide the data concerning the following
subject [note 3]:
Please provide the following information:
Name and address
Account name or number
Other (specify): [note 4]
Offence being investigated:
Reason that the information is
necessary [note 5]:
I certify that completing the above section would itself
prejudice the prevention or detection
of crime [note 6].
_ _ _ pages of further
information [note 7] are attached.
I certify that the data is required for the prevention or detection of
crime or for the apprehension or prosecution of offenders, and that failure
to disclose the data would be likely to prejudice these matters.
The requested data are required for case
reference [note 8] but may be used
for any other investigation for which the above declaration applies.
I understand that if any information on this form is omitted or wrong I may
be committing an offence under section 5(6) of the Data Protection Act.
Signed: Date: Name and number: Rank:
Authorised: Date: Name and number: Rank:
This application must be authorised by a person who is senior to the
requesting officer, and of a rank no lower
than Inspector. See note 9.
NOTES:
REQUEST FOR DISCLOSURE OF PERSONAL DATA
Under section 28(3) of the Data Protection Act 1984 c.35
Note 1:
give the company name here, and any particular contact
name on the covering letter or fax.
Note 2:
this space is reserved for the information provider.
Note 3:
give here the identifying information that you have available. It will be
assumed that you want information on all accounts matching that information.
- If specifying an IP address, you must attach an explanation why an IP
address is being specified.
- If specifying a URL, a printout of the page should be attached to the
request (if possible) to enable the ISP to confirm the URL is correct.
Note 4:
state here what specific information is being requested and why. Do not
ask for "all information known about the account" or something similar. If in
doubt, discuss the matter with the ISP's contact before making the request.
Note 5:
give here enough information that the recipient can make a decision
whether to disclose in accordance with your declaration.
Note 6:
if this applies, tick the box to the left and leave the previous
section blank.
Note 7:
tick this if you have attached any information mentioned in these
notes, or any other material that the ISP may find useful for processing the
request. Show how many pages have been attached, number those pages, and place
the case reference (see note 8) on each page.
Note 8:
give here a case number, file number, case name, or any other
reference that identifies the investigation being made. It is not necessary
to specify the details of the case or any other names.
Note 9:
the authorising officer must be senior to the requesting officer and of
the rank of Inspector or above. You must give full details of both officers.
GUIDANCE ON USE OF THE FORM
REQUEST FOR DISCLOSURE OF PERSONAL DATA
Under section 28(3) of the Data Protection Act 1984 c.35
This form has been designed by a committee representing both Police forces and
Internet Service Providers and meeting under the auspices of ACPO. This
committee aimed to produce a single form that would be recognised by all ISPs
and contained precisely the information they needed. Police forces are therefore
requested to use the form exactly as provided except of course for replacing the
Force name, logo, and details with their own and possibly modifying the notes on
the back to refer to their specific procedures. Use of this form will allow ISPs
to streamline the handling of requests for personal data.
Section 28(3) of the Data Protection Act gives ISPs the authority to release
personal data to the police provided that certain criteria are met; in
addition, the Data Protection Registrar has placed further interpretations on
the Act. Failure to meet these criteria could mean that the ISP, the
requesting officer, or both are committing a criminal offence. For these reasons
the form must be completed properly and the wording must not be changed.
Note 1
The form should be addressed to the ISP as a company, and not to a specific
person or department. The form would normally be sent with a covering
letter or fax, and that can of course be addressed more specifically.
Note 2
This space is reserved for the ISP to use. If you have contacted the ISP ahead
of time they may provide you with a reference to place there. Otherwise leave
it blank. If you contact the ISP again about this request you should quote
that reference.
Note 3
There tend to be two kinds of request:
- A "real world" datum - such as a name, address, or telephone number -
is known and the requesting officer has reason to believe the subject has
an account with the ISP and wishes to identify that account.
  + If a name is given, the ISP will search for accounts held in that name.
Unless the name is an unusual one, other information such as an address or
telephone number will probably be necessary. Section 28(3) may not be used for
"trawling" ISP records, and the ISP should refuse to give details if more than
about four unrelated accounts match the data given.
  + If an address or telephone number is given, the ISP will search for
accounts where the customer's records include that address or telephone number.
Officers should be aware that not all ISPs are able to search by address or by
telephone number.
- A "cyberspace" datum - such as email address, account name, or web page
URL - is known and the requesting officer is attempting to identify the person
behind that identifier.
  + If an email address is given, the ISP will provide details of the account
that has that address. In general an email address looks like fred@xxx.com and
will always include an @ sign. An email address will sometimes have the format
Fred Bloggs where there is a "comment" associated with the
address. This comment is created by the person sending the email and so need
bear no resemblance to the actual account holder's name. Therefore the complete
email address should always be quoted. It is easy to forge email addresses in
many contexts, and therefore the complete message or posting that is being
used as a source of information - including any header lines - should be
attached to the request.
  + If an IP address is given an explanation of why this is provided must be
attached. If the date and time that the address was used is known, this should
be included as well. Some ISPs allocate IP addresses from a central pool, and
so the address alone does not identify an account because it would have been
used by many different accounts.
  + If a web URL is provided the ISP will provide details of the account
operating the relevant web site or part of the site. A URL is the "address" of
a web page, and typically looks like http://www.xxx.com/abc/def.html - it will
be displayed by a web browser when viewing the page. Whenever possible a
printout of the page should be included with the form to allow the ISP to
confirm that the correct page is being viewed.
Some web sites use a technique called "frames", where two or more pages are
displayed on the screen at the same time. When this happens the URL displayed
by the browser will be that of one of the pages and does not identify the
other pages (which could be part of a different site). In this case the actions
taken to reach the page should be described and a printout must be attached,
annotated to indicate which specific page is of interest.
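The point above about pooled IP addresses, worked through as an added example (it is not part of the ACPO/ISP guidance or of any ISP's software). The session log, the account names and the helpers `accounts_for_ip` and `resolve` are constructed for illustration; the sketch shows that an address alone matches several accounts, and that the stated time zone and any clock skew change which account a request resolves to.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed sample of an ISP dial-up session log (not real data):
# account, address handed out from the pool, session start and end in UTC.
SESSION_LOG = [
    ("acct-1001", "192.0.2.17", "1998-09-01T18:02:11", "1998-09-01T19:40:03"),
    ("acct-2044", "192.0.2.17", "1998-09-01T19:41:30", "1998-09-01T23:15:00"),
    ("acct-3310", "192.0.2.17", "1998-09-02T07:05:45", "1998-09-02T07:50:12"),
    ("acct-1001", "192.0.2.23", "1998-09-02T07:10:00", "1998-09-02T08:00:00"),
]


def _log_time(text):
    """Parse a log timestamp; the constructed log is recorded in UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def accounts_for_ip(ip):
    """Every account that ever held the address: what an IP-only request matches."""
    target = ip_address(ip)
    return sorted({acct for acct, addr, _, _ in SESSION_LOG
                   if ip_address(addr) == target})


def resolve(ip, when, skew=timedelta(0)):
    """Accounts holding `ip` at `when`, allowing for clock skew either side.

    `when` must carry an explicit UTC offset: a bare wall-clock time is
    refused, because an hour's error can select a different subscriber.
    An empty list means no session matched; more than one entry means the
    request is ambiguous and cannot identify a single account.
    """
    seen = datetime.fromisoformat(when)
    if seen.tzinfo is None:
        raise ValueError("timestamp needs an explicit UTC offset")
    seen = seen.astimezone(timezone.utc)
    target = ip_address(ip)
    hits = set()
    for acct, addr, start, end in SESSION_LOG:
        if ip_address(addr) != target:
            continue
        # The session overlaps the window [seen - skew, seen + skew].
        if _log_time(start) <= seen + skew and _log_time(end) >= seen - skew:
            hits.add(acct)
    return sorted(hits)


if __name__ == "__main__":
    ip = "192.0.2.17"
    print("IP only:           ", accounts_for_ip(ip))
    print("20:30 BST (+01:00):", resolve(ip, "1998-09-01T20:30:00+01:00"))
    print("20:30 UTC:         ", resolve(ip, "1998-09-01T20:30:00+00:00"))
    print("19:40:30 UTC exact:", resolve(ip, "1998-09-01T19:40:30+00:00"))
    print("19:40:30 UTC +-2m: ",
          resolve(ip, "1998-09-01T19:40:30+00:00", timedelta(minutes=2)))
```

A result with zero or several accounts is the case where the date, time, time zone and source of the timestamp need to be clarified before anything is disclosed.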
Note 4
If other information is required, it should be specified here and an
explanation of why it is needed should be attached to the form. It is not
acceptable to request "all information known about the account". Not all ISPs
may be able to provide certain kinds of information conveniently or
even at all, and some data may only be held for a certain length of time.
If in doubt, the specifics of the situation should be discussed informally
with the ISP before making the request; it may be possible to identify some
item of data that meets the Police requirement while being convenient for
the ISP to provide.
Note 5
Give here enough information that the recipient can make a decision whether to
disclose in accordance with your declaration. This information must relate to
the specific case that is being investigated, and a clear explanation must be
given as to why you need this information and why you will be hindered if
it is not provided.
Note 6
There are some rare situations where such an explanation would itself
prejudice the case (for example, where you have evidence pointing at an unknown
member of the ISP's staff) and in these cases you can tick this and leave the
previous section blank.
Note 7
The requesting officer should attach any relevant items mentioned in this
guidance, and any other material that the ISP might find useful for processing
the request. The attachments should be numbered and carry the case reference
given on the form (see note 8). The ISP can only make use of material attached
in this way when determining whether or not to respond to the request.
If any information is attached, the box on the form must be ticked and the
number of pages given.
Note 8
The requesting officer should specify the case number, file number, case name,
or any other reference that identifies the investigation being made. It is
possible that the ISP will need to contact the Force making the request months
or even years later, and it is essential that the specific case can be
identified without needing to contact the original requesting officer.
Individual Police forces will have their own policies for this identifier, and
it need not be meaningful to the ISP (except that it should be clear when
several requests relate to the same investigation).
The Data Protection Act only allows release of information where both the
information is required for one of the purposes listed and failure to disclose
the data would be likely to prejudice the matter. This form must not be used
where the only purpose is to confirm known facts, for general intelligence, or
for administrative reasons.
Note 9
The ISP is only permitted to reveal personal data if they are reasonably
convinced that the two conditions mentioned above are true, and the Data
Protection Registrar has issued guidance concerning statements from Police
officers. To protect both the ISPs and the requesting officer from
inadvertently breaching the Act, it has been agreed that the ISP will refuse
this request if
- the form has not been signed by both requesting officer and authorising
officer and their full details given, or
- the authorising officer is not of a rank senior to that of the requesting
officer, or
- the authorising officer is below the rank of Inspector.
The requesting and authorising officers should be aware that they are each
making a statement that the two conditions are true, and that obtaining
personal data under false pretences may be a criminal offence.
In article{kOeiTXAXYoA2EAU2@turnpike.com}, Richard Clayton:
:In article{36028010.6D309F68@algroup.co.uk}, Ben Laurie:
::Duncan Campbell wrote:
:::
:::The Data Protection Act only allows release of information where
:::both the information is required for one of the purposes listed
:::and failure to disclose the data would be likely to prejudice the
:::matter.
::
::What are "the purposes listed"? I can't find any list.
:
:I believe that this is meant to refer to the list in the DPA itself
:[viz 28(3) at present, 29(3) when the new Act comes into force]
:Taking the new Act's wording only, to keep the size down---
:
:"29 (3) Personal data are exempt from the non-disclosure provisions in
:"any case in which-
:"
:" (a) the disclosure is for any of the purposes mentioned in
:" subsection (1), and
:" (b) the application of those provisions in relation to the
:" disclosure would be likely to prejudice any of the matters
:" mentioned in that subsection.
:
:so now you need to look at 29(1)---
:
:"29 (1) Personal data processed for any of the following purposes-
:"
:" (a) the prevention or detection of crime,
:" (b) the apprehension or prosecution of offenders, or
:" (c) the assessment or collection of any tax or duty or of any
:" imposition of a similar nature,
:"
:" are exempt from the first data protection principle (except to
:" the extent to which it requires compliance with the conditions
:" in Schedules 2 and 3) and section 7 in any case to the extent to
:" which the application of those provisions to the data would be
:" likely to prejudice any of the matters mentioned in this
:" subsection.
:
:If you want to look at Schedules 2&3 and Section 7 try...
http://www.hmso.gov.uk/acts/acts1998/19980029.htm
In{34829EB7874@lucs-01.novell.leeds.ac.uk}, Yaman Akdeniz writes:
:
:| in the recent past, in that this form has had significant recent
:| input from the Data Protection Registrar's Office. I'm posting it to
:| the list for the sake of discussion and comment.
:
:In the light of what has been said so far and with all the denials
:that there was no such agreement between ACPO and ISPs, I must
:congratulate you for posting this here on the list and I will make
:
:| Data Protection Act s28(3) form
:| Agreed by ACPO and the ISP industry
:| ===================================
:| I certify that the data is required for the prevention or detection
:| of crime or for the apprehension or prosecution of offenders, and
:| that failure to disclose the data would be likely to prejudice these
:| matters.
:
:A House of Lords decision would suggest otherwise in the sense that
:the power of the Secretary of State to issue a warrant under section
:2(2)(b) of the 1985 Interception of Communications Act "for the
:purpose of preventing or detecting serious crime" does not extend to
:the collection of evidence with a view to the prosecution of
:offenders (see R. v. Preston [1994] 2 A.C. 130)
:So it is unclear to me in which circumstances under section 28 of the
:DPA the police officers can get access to data. I see no reason why
:this should not be the case under the DPA. Any further comments ?
:
:| The requested data are required for case reference [note 8] but may
:| be used for any other investigation for which the above declaration
:| applies.
:
:I think this is too far away and it would enable the police to
:keep the obtained data for unnecessary periods of time and maybe also
:to create databases. I cannot see this being acceptable.
:
:| This application must be authorised by a person who is senior to the
:| requesting officer, and of a rank no lower than Inspector. See note 9
:
:This would enable easy authorisation and of course the ISPs would
:comply. Again this is in my view unacceptable.
:
:| Note 5: give here enough information that the recipient can make a
:| decision whether to disclose in accordance with your declaration.
:
:What happens if an ISP decides not to comply?
:[.........]
:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:Yaman Akdeniz lawya@leeds.ac.uk
:Cyber-Rights & Cyber-Liberties (UK) at: http://www.cyber-rights.org
:read the new CR&CL (UK) Report, Who Watches the Watchmen, Part:II
:Accountability & Effective Self-Regulation in the Information Age,
:August 1998 at http://www.cyber-rights.org/watchmen-ii.htm
:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In{3.0.5.32.19980918173655.00a1be40@mail.netkonect.co.uk}, Nicholas Bohm writes:
=
= It may well be that proper use of the proposed form will avoid
= breach by the ISP and police of the Data Protection Act. But
= that is only part of the story.
=
= I suggest that all holders of accounts with an ISP should check the
= contractual terms to see whether these terms permit any disclosure of
= the kind contemplated. Unless there are express terms to that effect,
= the account holder should inform the ISP that they regard the content,
= origin, destination and timing of their messages as confidential (and
= in the case of practising lawyers, also in some cases subject to legal
= professional privilege). (List members may be able to suggest similar
= terms to apply to information about the account holder's access to
= websites.) They should inform the ISP that they will hold the ISP
= liable for any breach of confidence involved in an unauthorised
= disclosure, whether or not permitted under the Data Protection Act,
= unless made pursuant to a warrant or subpoena or other order of a
= court of competent jurisdiction. They should request acknowledgement
= and confirmation from the ISP.
=
= Just to make the point explicit, the fact that a disclosure may not
= be a breach of the DPA does not relieve the ISP from liability for
= a breach of confidence, actionable in damages. The ISP may be able
= to rely on the maxim that there is no confidence in iniquity, but
= only if what the ISP discloses in fact reveals iniquity (which the
= ISP would have to check for itself if it wants to be sure this defence
= is available). I suggest that this list could conveniently gather
= information about responses to this procedure, with a view to
= identifying ISPs who are either willing or reluctant to respect
= their account holders' confidences.
=
= Regards,
=
= Nicholas Bohm
FOR IMMEDIATE RELEASE PRESS RELEASE 18 September 1998
CIVIL LIBERTIES ORGANISATIONS CONDEMN TALKS BETWEEN INTERNET PROVIDERS
AND POLICE
Three of Britain's leading Internet related civil liberties
organisations today condemned the ongoing collaborative talks between
Internet Service Providers (ISPs) and the UK police.
In a joint press statement Internet Freedom, Cyber Rights & Cyber
Liberties, and the Campaign Against Censorship of the Internet in
Britain, unanimously condemned secret talks between the Association of
Chief Police Officers (ACPO) and representatives for Internet Service
Providers (ISPs) which aim to reach a "memorandum of understanding" to
give the police access to private data held by ISPs, as reported in
the Guardian Online this week.
There are to be three further seminars held by "ACPO, ISPs, and
Government Forum" which do not include user representatives or civil
liberties organisations as speakers.
The plans are for an agreement to allow the police access to email
messages transmitted by any of Britain's eight million Internet users
along with detailed web usage logs about sites that users had visited.
If reached, the agreement would exploit a so-called loophole in the
existing Data Protection and Interception of Communications Acts which
allows the police to routinely access private information without the
signature of any rank higher than inspector. Currently the tapping of
telephone communications requires the written consent of the Home
Secretary and unlike email is not admissible as evidence in court.
The planned agreement would be in violation of Article 8(1) of the
European Convention on Human Rights which will be incorporated to the
English Legal System with the Human Rights Bill, stating:
'Everyone has the right to respect for his private and family life,
his home and his correspondence'
There can only be interference by a public authority with the exercise
of this right when it is 'necessary in a democratic society in the
interests of national security, public safety or the economic
well-being of the country, for the prevention of disorder or crime,
for the protection of health or morals, or for the protection of the
rights and freedoms of others.'
Chris Ellison, spokesman for Internet Freedom, added:
"The proposed 'memorandum of understanding' is the product of two
years of collaborative talks between industry bodies and the police.
Fuelled by panics around child pornography on the Net, industry
representatives have got themselves into a situation where they are
under pressure to disclose information without legal obligation or
justification. There is no alternative but to break off these talks
immediately."
Yaman Akdeniz of Cyber-Rights & Cyber-Liberties (UK) stated that:
"ISPs have a duty to protect the fundamental rights and freedoms of
their users, and in particular their right to privacy with respect to
the processing of personal data. ACPO might have found a loophole
under weak UK laws about electronic surveillance but should not in any
case be allowed to amass evidence without showing probable and
specific cause either to the ISP or to a judge.
We are disheartened at learning yet again about influential but
unaccountable bodies such as ACPO and the Internet Watch Foundation
(IWF) taking decisions on regulatory issues involving the Internet,
behind closed doors. It is the duty of the government to take decisions
on these matters and to open these closed doors to the public.
Transparency and accountability are important features of a healthy
society. If there is a legal loophole which allows speculative police
intrusion, then the government should close that loophole
immediately."
Malcolm Hutty, of Campaign Against Censorship of the Internet in
Britain stated that:
"If Internet Service Providers intercept their customers email and
pass it on to the police, people will be too scared to use the
Internet for any sensitive communications. The police must not exploit
loopholes in the Interception of Communications Act to invade personal
privacy without any democratic accountability. A legal challenge for
breach of the European Convention on Human Rights is almost
inevitable."
For further comment call Chris Ellison on +44 (0) 956 129 518
Internet Freedom
http://www.netfreedom.org/
BM CAM, London WC1N 3XX, UK.
campaign@netfreedom.org
Cyber Rights & Cyber Liberties (UK)
http://www.cyber-rights.org
Centre For Criminal Justice Studies, University of Leeds, LS2 9JT.
lawya@cyber-rights.org
Campaign Against Censorship of the Internet in Britain
http://www.liberty.org.uk/cacib
60 Albert Court, Prince Consort Road, London SW7 2BE.
cacib@liberty.org.uk
ORIGINAL REPORT by Dan Sabbagh (in August '98)
In message{80256687.005A58BE.00@vnulonnotes03.vnu.co.uk}, Daniel_Sabbagh writes:
It'd be good if you credit the original story (seeing as I wrote it...) in
your archive on the topic. It appeared on 5th August and helped Duncan
Campbell get going for his excellent Guardian piece.
You can link to it or reproduce it, as long as you
credit the periodical, Computing,
and the publisher, VNU Business Publications.
Here is a URL for it.
Police eye up email data
========================
Internet service providers in talks with officers
POLICE forces are close to an
agreement with Internet services providers (ISPs) allowing them access to personal
data and email messages.
The police are hoping to reach a "memorandum of understanding" with ISPs, following
a series of seminars with the IT industry in September and October last year.
It is understood that the agreement could enable officers across the country to read
an individual's emails and to discover which web sites the person had viewed.
Sources involved in the discussions say that a statement could be published at the
beginning of 1999. Discussions were initiated by the computer crimes subcommittee
of the Association of Chief Police Officers.
Detective chief superintendent Keith Akerman of Hampshire Police, the chairman of the
sub-committee, said: "We want to ensure the criminal doesn't take best advantage of
the Internet, without government using the sledgehammer of regulation."
Akerman declined to comment on the content of the discussions.
One ISP representative involved in the talks described the discussions as "very friendly",
and denied there were any implications for civil liberties.
ISP objections have largely centred on the cost of the proposals.
The agreement will also aim to clarify the legal status of using email as evidence.
One proposal could mean that email sent within the UK and obtained by the police
would not fall under telephone tapping legislation. This would allow the information
to be used as evidence in court. Telephone taps are not admissible in court under UK law.
The move represents a reversal of earlier agreements which assumed that emails fell under
telephone tapping legislation.
Report by Dan Sabbagh.
First appeared in COMPUTING, 05 August 1998
On 2th Sept, In{36048a81.36512024@news.virgin.net}, Mark Pawelek writes:
TechWeb report
http://www.techweb.com/wire/story/TWB19980918S0006
British Police, ISPs Cooperate On Crime
(09/18/98; 2:07 p.m. ET)
By Andrew Craig, TechWeb
British police on Friday dismissed as "rubbish" claims by several civil-liberties
organizations in the United Kingdom that they are working with ISPs to get access
to Internet users' private information. The Association of Chief Police Officers
launched Wednesday a series of seminars involving the police, ISPs, and key industry
figures that will run for the next three weeks. The police said the talks were
intended to give ISPs a better understanding of police requirements for investigating
illegal activity that uses the Internet. But civil-liberties groups said in a statement
Friday they "unanimously condemned secret talks" between the parties. The groups said
the meetings were being held to create an agreement that would give the police access
to e-mail messages transmitted by any of Britain's 8 million Internet users, along with
detailed Web usage logs about sites users had visited.
Proposals for a "memorandum of understanding" between the police and British ISPs have
been fueled by panic about child pornography on the Internet, according to Chris Ellison,
a spokesman for civil-rights group Internet Freedom. "Industry representatives have got
themselves into a situation where they are under pressure to disclose information
without legal obligation or justification," he said. "There is no alternative but to break
off these talks immediately." The police association denied it was creating new rules.
Instead, it just wants guidelines for implementing existing data-protection laws.
"There has been no attempt by police to get extra access [to Internet user data]," said
a spokesman for the police association. "To say this is a secretive scheme to give police
access to information about any Internet user is rubbish."
At least one industry representative believes increased police cooperation with ISPs is
a good development. "ISPs have always felt we were being told 'You must not move illegal
content' -- or host it or forward it -- but we were not in a position to say what illegal
content is," said Laurence Blackall, chairman of the British ISP Association. In addition
to child pornography, the seminar addressed police concerns about Internet gambling,
although the police declined to offer any further details about the discussions. The
seminars were triggered by "the growth of the ISP industry and growing concern that
crime is being facilitated by the Internet," the police spokesman added.
ISPs have a duty to protect the fundamental rights and freedoms of their users,
according to Yaman Akdeniz of Cyber-Rights & Cyber-Liberties, a British civil-rights
group. Although the police may have found a loophole in weak British laws governing
electronic surveillance, they "should not, in any case, be allowed to amass evidence
without showing probable and specific cause either to the ISP or to a judge," said Akdeniz
in a statement. If ISPs sign the police memorandum, they could be asked to provide
police with information needed for criminal investigations under Britain's Data Protection
Act, by filling in electronic forms issued by the police, according to a report in British
newspaper The Guardian.
In article{3604911e.38204929@news.virgin.net} he also wrote:
I am curious as to what my ISP makes of all this - so I wrote an email
to them. I hope that they don't find it too sarcastic.
Why don't we all email our ISPs about this?
++++++++++++++++++++++++++++++++++++++++
Dear Sir,
The following news story (below) arrived in my inbox from a news list
which I am on. I would like you to answer a number of important
questions for me.
1) I would like to know why Virgin is holding secret talks with the
police if the substance of those talks is non-controversial?
2) Is it the case that the police are able or will be able to get
"access to e-mail messages transmitted" or "detailed Web usage logs
about sites users had visited"?
3) Have the police actually asked Virgin to provide information about
email or web usage logs without first submitting a court order?
4) If the answer to the previous paragraph is yes then how did Virgin respond?
5) If the answer to paragraph 3 (above) is no then how are the police
able to investigate child pornography?
6) I have made this inquiry because I note that Virgin is a member of
the Internet Watch Foundation (IWF) and that the IWF's job is to
remove "potentially illegal material" from the Internet. I agree that
illegal material should be removed from the Internet but I find the
concept of "potentially illegal material" to be bizarre. Until there
has been a criminal conviction how can a piece of media be said to be
illegal?
If "potentially illegal material" is being removed then I assume that
potential crimes must be committed. In these circumstances I imagine
that Virgin will be cooperating with the police to catch potential
criminals. As everyone is a potential criminal - this has grave
consequences for privacy.
{insert the text of the original news story here}
A response received from Virgin Net to Justin Guest.
Organization: Virgin Net
Subject: Internet Privacy
Sean
I have been passed your e-mail regarding Internet Privacy by Anne Cush, as
I have recently dealt with other such enquiries.
Firstly, let me assure that as far as Virgin Net are concerned we have no
plans to hand over information simply upon demand. As it stands, I have
to say, the first I heard about this was the recent Independent article,
which I believe this is based upon. I deal with abuse on Virgin Net's
service and work closely on a number of issues with a variety of
enforcement bodies, as I am sure you would agree any responsible ISP
should be doing. However, you may see that the article says the 'details'
are being worked out by ACPO and ISPA (Internet Service Providers
Association) an organisation which, you may or may not know, Virgin Net is
not a member of.
Our position at present is that the police must demonstrate a reason for
us to hand over any information about any of our users (usually via some
legal mechanism). I do not think that this will change very quickly, as
the privacy of our users in using the Internet is as important to Virgin
Net as it is to you. There are also a host of other technical, legal and
political issues that must be overcome before a system where the police can
simply access someone's e-mail and other information about their use of the
Net can be put into place, the least of these not being the Data Protection
Act and also Privacy laws that currently exist.
In terms of the word potentially, because of the way the Obscene
Publications Act is worded and enforced, an image cannot be deemed
illegal until a court has judged it so. However there are 'guidelines' as
to what would fall under certain headings, i.e., is the image prosecutable
(for example pedophiliac images). The IWF, as far as I am aware is simply
an advisory body, sitting between the ISP industry and the police, giving
trusted advice. They, we feel, are in a position to judge what may well
bring a criminal conviction if a case were to be brought before a UK
court. I am sure you would agree that if the IWF were to advise us of
material that may contravene the obscene publications act then it must be
of a serious nature, and as a responsible family oriented ISP, we will
trust this advice and act upon it. (I would also add that if we were not
to act on it we could be breaking the law ourselves.)
I hope this has helped, if you have any further questions on this
matter, please contact me direct.
Regards
Justin Guest
|