This page includes the following letters:

  1. Initial CR&CL(UK) privacy letter, final version 27 November, 1998

  2. A Response from ISPA and ACPO/ISP/Government Forum, 02 December, 1998

  3. CR&CL(UK) Response to ISPA and ACPO/ISP/Government Forum, 03 December, 1998

 

Cyber-Rights & Cyber-Liberties (UK) Privacy Letter

27 November 1998

Dear Sirs,

I have had an Internet account with you since [INSERT DATE - TO BE FILLED BY THE USER], and I am writing to raise a concern with you about the confidentiality of Internet communications and Internet users data.

I have read of proposed "good practice guidelines" (formerly known as a memorandum of understanding) between UK Internet Service Providers and the Association of Chief Police Officers (see for example, "Police tighten the Net," The Guardian, Online Section, 17 September, 1998 and "Personal privacy versus crime fighting on the electronic frontier," Computing, 07 October 1998). This is apparently designed to enable ISPs to be released in certain circumstances from the restrictions on disclosure of personal data imposed by the UK Data Protection laws. My understanding is that the proposed guidelines follow from the initiatives of a recently formed body, "The Association of Chief Police Officers, Internet Service Providers & Government Forum", which held three seminars during October 1998 entitled "Policing the Internet: Working together to address issues and allay concerns".

I wanted to let you, my Internet Service Provider, know that I regard all traffic data and related information as confidential including the following:

"the content, origin, destination and timing of my electronic mail messages (sent and received), including the details of any newsgroups to which I subscribe and the details of messages received from or posted to them. Moreover, information about websites visited, FTP activities and IRC usage by myself or any members of my family through my account through the connection you provide and details of login and connection times."

[THE NEXT SENTENCE WOULD DEPEND ON THE USERS CIRCUMSTANCES, e.g. anyone who communicates with a lawyer by email, or may do so, can reasonably include the following sentence]

I should also mention that a number of the messages sent and received are not only confidential but are also potentially the subject of legal professional privilege.

Therefore, I would regard the release of the information I have described as a serious breach of confidence and actionable as such and also in contract and also, where applicable, under the Data Protection Act 1984. Short of what is judicially authorised, I have the strongest objection to private bargains being made for the release of confidential information (whether under the so called "good practice guidelines" or otherwise). Such guidelines have no legal force under current UK law, and as my Internet Service Provider, you are not bound to provide any sort of information if you are not provided with judicial authority.

In fact, it should be your duty to safeguard my right to private communications, which is explicitly protected by international agreements such as the European Convention on Human Rights. Please also note that the recently enacted Human Rights Act 1998 incorporates the European Convention on Human Rights into UK law and will provide a further ground for action against infringement of my privacy rights.

To clear any doubts about the excellent services that you provide, I would like you to answer the following specific questions related to the content of this letter:

(1) Does your organisation take part in the Association of Chief Police Officers, Internet Service Providers & Government Forum or has it been aware of such discussions ?

(2) Has your organisation been approached by the above forum to take part into such discussions and what has been the response ?

(3) What is your organisation's policy on such requests from the law enforcement agencies? If there is a written policy, please let me have a copy. Will the proposed good practice guidelines (previously known as the Memorandum of Understanding) affect your current policy ?

(4) What sort of monitoring or backup systems are used and for how long do you keep personal data (as explained above) ? Is [insert name of the ISP] capable of actively monitoring all IP traffic from a particular user and if this is done for what purposes ?

(5) Are you registered with the Data Protection Registrar, and if so for what purposes can you disclose data and to whom ?

(6) Do you have any objection to publication of your replies? If so, please give the reasons for your objection.

I very much hope that you will be able to confirm that you will respect the confidentiality of the information I have described.

[PLEASE FEEL FREE TO MODIFY OR DELETE THE FOLLOWING PARAGRAPH]

I have a high regard for the quality of your service, especially your user support, and have recommended you to others who have been equally pleased with the results. I hope that your approach to customer confidentiality will be just as commendable and I hope to hear from you soon.

Yours faithfully,

[SIGNED BY THE USER]

A Response from ISPA and ACPO/ISP/Government Forum

Yaman Akdeniz
c/o Centre For Criminal Justice Studies,
University of Leeds,
Leeds LS2 9JT,
UK
By email

2nd December 1998

Dear Sir,

I am writing in response to your letter as published at www.cyber-rights.org/privacy/letter.htm. I am the currently nominated ISP press spokesperson for the ACPO/ISP meetings.

Your letter and your letter writing campaign seems to be based on inaccurate press articles, allow me to put the record straight –

1. ACPO and industry representatives have been discussing a procedure through which police requests for information will be made to ISPs.

2. This work is not concluded yet.

3. The information that might be released by this procedure is not intended to be the contents of emails or messages despite what you read in the press.

4. The main purpose of the procedure is to uphold the privacy of individuals by seeking to ensure that data is not requested or released except in accordance with the specific provisions of the Data Protection Act that allow for that release.

5. The completion of the relevant form by law enforcement agencies will be a necessary but not sufficient condition for the release of information. In other words there will still be occasions where ISPs may refuse to release information unless and until they are presented with a warrant or court order.

In short this procedure is to ensure that 50 odd police forces and 200+ ISPs and the individuals that work for them remain within the law, the complete opposite of the implication in the second paragraph of your letter.

It seems to me, from talking to the many journalists that have phoned me recently, that the misinformation about this matter may be being spread deliberately and I thank you for your opportunity to clear the matter up. I trust you will now cease your letter writing campaign.

There are some very real issues about how the law relating to the use of the Internet should develop, exactly what legal protection emails or other information should have is clearly part of this debate. Do not confuse your legitimate concerns over these issues with ISPs and policemen and women trying to carry out their jobs in accordance with the laws that exist today.

Yours Sincerely

Tim Pearson

Member of the Council of ISPA

ps For background information I have attached the trerms of reference of the ACPO/ISP/Government forum.

ACPO/ISP/Government Forum

Terms of Reference

Overall Aim:

To develop and maintain a working relationship between the Internet Service Providers Industry and Law Enforcement Agencies in the UK, such that criminal investigations are carried out lawfully, quickly and efficiently while protecting the confidentiality of legitimate communications and with minimum impact on the business of the Industry.

Objective:

To develop good practice guidelines between Law Enforcement Agencies and the Internet Service Providers Industry describing what information can lawfully and reasonably be provided to Law Enforcement Agencies, under what circumstances it can be provided, and the procedures to be followed.

Tasks:

  • Identify and review the legal requirements to be met to provide the information
  • Identify the information that can be provided from a technical perspective.
  • To research and identify areas of legal uncertainty relating to the use of information from the Internet as evidence and to make recommendations to resolve any ambiguities.
  • Develop an accepted procedure for requesting and providing information
  • Put in place procedures to pay for resources used
  • Co-ordinate and demonstrate leadership towards similar activities internationally

CR&CL(UK) Response to ISPA and ACPO/ISP/Government Forum

03 December, 1998

To: Mr. Tim Pearson, Member of the Council of ISPA
ISP press spokesperson for the ACPO/ISP meetings

Dear Mr. Pearson,

Thank you for your letter dated 02 December, 1998 concerning the privacy letter developed by Cyber-Rights & Cyber-Liberties (UK) at http:// www.cyber-rights.org/privacy/letter.htm. We welcome your willingness to respond.

We propose to respond to your points by quoting and commenting on them:

"Your letter and your letter writing campaign seems to be based on inaccurate press articles, allow me to put the record straight."

Our privacy letter asks six legitimate questions which in our view should be answered by all ISPs in this country. This view does not depend on the press coverage, and indeed your reply reinforces our view, for reasons I explain below.

We cannot altogether sympathise with your difficulty in getting accurate press coverage, as this must follow from the undesirable secrecy in which you have tried to conduct your work. Perhaps you should consider holding open meetings in the future and producing full transcripts of all past meetings. Furthermore, procedures can only be properly designed within a legal context and we are concerned to ensure that the legal context takes due account of individual rights and liberties.

"ACPO and industry representatives have been discussing a procedure through which police requests for information will be made to ISPs."

Such procedures are a matter of legitimate public interest, especially to users of the services of ISPs. The discussions should have been public, and users’ interests should have been represented. Even the ISPs have limited representation, since we understand that ISPA represents only some 70 out of about 300. This reinforces the need for public awareness.

"This work is not concluded yet."

That is why we are anxious to ensure that there is wider debate now rather than later.

"The information that might be released by this procedure is not intended to be the contents of emails or messages despite what you read in the press."

It is regrettable that you remain unwilling to say what information is within the scope of the procedure you are discussing, and that your form of reply is wholly negative. The public should know what it is that law enforcement is seeking from ISPs.

And as you know from our privacy letter, it is much more than the contents of emails that we say is confidential.

"The main purpose of the procedure is to uphold the privacy of individuals by seeking to ensure that data is not requested or released except in accordance with the specific provisions of the Data Protection Act that allow for that release."

We firmly support your objective of ensuring compliance with Data Protection Law. As your next point acknowledges, that is not by itself enough.

"The completion of the relevant form by law enforcement agencies will be a necessary but not sufficient condition for the release of information. In other words there will still be occasions where ISPs may refuse to release information unless and until they are presented with a warrant or court order."

The procedure you are working on may be sufficient to release an ISP from the prohibitions of the Data Protection Act. It plainly cannot release the ISP from liability for breach of confidence (nor can it release the law enforcement agency concerned from the risk of liability for interfering with contractual relations between the ISP and its customer by procuring a breach of confidence).

An ISP is in fact generally bound to refuse to release confidential information without judicial authority. There may be a small number of special cases where an ISP is entitled to release otherwise confidential information: these are far from easy for an ISP or the police to identify. If the Forum believes it can define these cases, and can establish a procedure for determining what evidence would justify an ISP in accepting that such a case had been made out, with the Forum’s work conducted in an open way, that might be a valuable function. But given the difficulties and risks involved, such a debate might very well conclude that judicial authority was the only proper way to proceed.

In this connection I am sure that the significance of the recent incorporation into domestic UK law of Article 10 of the European Convention on Human Rights cannot have escaped you.

"In short this procedure is to ensure that 50 odd police forces and 200+ ISPs and the individuals that work for them remain within the law, the complete opposite of the implication in the second paragraph of your letter."

The procedure would be more like to achieve that commendable result if it had taken place in public with representation of a wider range of interests. That might have avoided your having entirely overlooked the law of breach of confidence as reinforced by the Human Rights Act 1998.

"It seems to me, from talking to the many journalists that have phoned me recently, that the misinformation about this matter may be being spread deliberately and I thank you for your opportunity to clear the matter up."

We are certainly keen not to spread misinformation, and are glad to publish your letter. The delay since 10th November when we were first in touch with you may have been unavoidable, but it was your delay and not ours.

"I trust you will now cease your letter writing campaign."

Our letter has been published for the use of ISP customers, and it is up to them to decide whether your response has allayed their concerns. Our comments may suggest to you that considerable concerns remain. If ISP customers share that view, they will no doubt continue to press for answers to their letters. If this is a campaign (your choice of word, not ours), it is their campaign.

The letter is not directed against a single ISP or an ISP trade association, or indeed against the ACPO/ISP Forum. It raises important questions that are of legitimate interest to consumers, and consumers have a right to know about the policies of their ISPs.

"There are some very real issues about how the law relating to the use of the Internet should develop, exactly what legal protection emails or other information should have is clearly part of this debate."

We agree: debate it in public. In the absence of such an open debate it is healthy and proper for concerned people to make their points as loudly as possible.

"Do not confuse your legitimate concerns over these issues with ISPs and policemen and women trying to carry out their jobs in accordance with the laws that exist today."

ISPs are of course not trying to do the same job as members of law enforcement agencies, and it would be very unwise to give the impression that ISPs are being recruited to help do the work of law enforcement. Both groups must stay within the law as they do their important work; important not just to them but to all of us. Attempts to co-operate in secret have risked overlooking important legal issues, and gaining bad publicity which we hope is undeserved.

Thank you for providing the Forum’s Terms of reference, a most important document. What is most striking about it is the complete absence of any concept of the accountability of the ISPs to their customers or of the Forum to the public.

In summary we are grateful for your letter, and have found it useful up to a point; but it has carefully not answered any of the questions that we asked in our privacy letter with respect to individual ISP policies. We think those answers are valuable to all concerned, and we intend to publish all responses through our pages together with this letter.

Yours sincerely,

Signed

Mr Yaman Akdeniz, Director
Prof. Clive Walker, Deputy Director
Mr Nicholas Bohm, E-Commerce Policy Adviser
Dr. Brian Gladman, Crypto Policy Co-ordinator

Cyber-Rights & Cyber-Liberties (UK) - http://www.cyber-rights.org

 

Individual ISP Responses are available here


Back to the Privacy Letter Pages by Cyber-Rights & Cyber-Liberties (UK)