UK INTERNET USERS PRIVACY LETTER to the ISPs:
<A Letter to be sent to the UK ISPs>
We encourage Internet users with UK Internet Service Providers to send the following letter (suitably modified as necessary) to their Internet Service Provider to obtain information related to privacy of communications of Internet users and their accounts. Apart from encouraging the letter to be sent to UK ISPs, we also encourage users to send it to academic institutions and companies who provide Internet usage to their employees.
We also encourage UK Internet users to notify us of any communications received in response to this letter with a view to publication through this web page. Our aim is to find more about the policies of around 300 UK ISPs.
Cyber-Rights & Cyber-Liberties (UK) will also try to send this letter to UK ISPs through ISPA, LINX, and through personal contacts and will encourage them to respond.
Nicholas Bohm and Yaman Akdeniz
27 November, 1998
Cyber-Rights & Cyber-Liberties (UK) Privacy Letter
[Finalised following extensive discussion within the cyber-rights-UK Mailing List in November 1998.]
I have had an Internet account with you since [INSERT DATE - TO BE FILLED BY THE USER], and I am writing to raise a concern with you about the confidentiality of Internet communications and Internet users data.
I have read of proposed "good practice guidelines" (formerly known as a memorandum of understanding) between UK Internet Service Providers and the Association of Chief Police Officers (see for example, "Police tighten the Net," The Guardian, Online Section, 17 September, 1998 and "Personal privacy versus crime fighting on the electronic frontier," Computing, 07 October 1998). This is apparently designed to enable ISPs to be released in certain circumstances from the restrictions on disclosure of personal data imposed by the UK Data Protection laws. My understanding is that the proposed guidelines follow from the initiatives of a recently formed body, "The Association of Chief Police Officers, Internet Service Providers & Government Forum", which held three seminars during October 1998 entitled "Policing the Internet: Working together to address issues and allay concerns".
I wanted to let you, my Internet Service Provider, know that I regard all traffic data and related information as confidential including the following:
"the content, origin, destination and timing of my electronic mail messages (sent and received), including the details of any newsgroups to which I subscribe and the details of messages received from or posted to them. Moreover, information about websites visited, FTP activities and IRC usage by myself or any members of my family through my account through the connection you provide and details of login and connection times."
[THE NEXT SENTENCE WOULD DEPEND ON THE USERS CIRCUMSTANCES, e.g. anyone who communicates with a lawyer by email, or may do so, can reasonably include the following sentence]
I should also mention that a number of the messages sent and received are not only confidential but are also potentially the subject of legal professional privilege.
Therefore, I would regard the release of the information I have described as a serious breach of confidence and actionable as such and also in contract and also, where applicable, under the Data Protection Act 1984. Short of what is judicially authorised, I have the strongest objection to private bargains being made for the release of confidential information (whether under the so called "good practice guidelines" or otherwise). Such guidelines have no legal force under current UK law, and as my Internet Service Provider, you are not bound to provide any sort of information if you are not provided with judicial authority.
In fact, it should be your duty to safeguard my right to private communications, which is explicitly protected by international agreements such as the European Convention on Human Rights. Please also note that the recently enacted Human Rights Act 1998 incorporates the European Convention on Human Rights into UK law and will provide a further ground for action against infringement of my privacy rights.
To clear any doubts about the excellent services that you provide, I would like you to answer the following specific questions related to the content of this letter:
(1) Does your organisation take part in the Association of Chief Police Officers, Internet Service Providers & Government Forum or has it been aware of such discussions ?
(2) Has your organisation been approached by the above forum to take part into such discussions and what has been the response ?
(3) What is your organisation's policy on such requests from the law enforcement agencies? If there is a written policy, please let me have a copy. Will the proposed good practice guidelines (previously known as the Memorandum of Understanding) affect your current policy ?
(4) What sort of monitoring or backup systems are used and for how long do you keep personal data (as explained above) ? Is [insert name of the ISP] capable of actively monitoring all IP traffic from a particular user and if this is done for what purposes ?
(5) Are you registered with the Data Protection Registrar, and if so for what purposes can you disclose data and to whom ?
(6) Do you have any objection to publication of your replies? If so, please give the reasons for your objection.
I very much hope that you will be able to confirm that you will respect the confidentiality of the information I have described.
[PLEASE FEEL FREE TO MODIFY OR DELETE THE FOLLOWING PARAGRAPH]
I have a high regard for the quality of your service, especially your user support, and have recommended you to others who have been equally pleased with the results. I hope that your approach to customer confidentiality will be just as commendable and I hope to hear from you soon.
[SIGNED BY THE USER]