Founder and Director: Yaman
Akdeniz , LL.B, MA
E-mail: firstname.lastname@example.org Tel: +44 (0) 7798 865116 - Fax: +44 (0) 7092199011
Mail Correspondence Address: Cyberlaw Research Unit, Centre For Criminal Justice Studies, University of Leeds, Leeds LS2 9JT, UK.
Who Watches the Watchmen: Part III -
ISP Capabilities for the Provision of Personal Information to the Police
By Cyber-Rights & Cyber-Liberties (UK)
Cyber-Rights & Cyber-Liberties (UK) © February 1999
Please Cite as: Cyber-Rights & Cyber-Liberties (UK), "Who Watches the Watchmen: Part III - ISP Capabilities for the Provision of Personal Information to the Police," February 1999, at http://www.cyber-rights.org/privacy/watchmen-iii.htm
Table of Contents
Who Watches the Watchmen: Part III - ISP Capabilities for the Provision of Personal Information to the Police
Cyber-Rights & Cyber-Liberties (UK) recently developed a privacy letter to be sent to all UK ISPs which raises concerns about users private communications and access to such communications by the police.
While this exercise between the users and ISPs is continuing (see further <http://www.cyber-rights.org/privacy/letter.htm>) with the results being published on our web site, this new report provides further information about dealings between ISPA and the police.
Cyber-Rights & Cyber-Liberties (UK) has discovered that the Internet Service Providers Association ("ISPA") last year gave a secret briefing to the Association of Chief Police Officers ("ACPO") about the ISP industry capabilities for the provision of information to the police about their customers. This new Cyber-Rights & Cyber-Liberties (UK) report therefore brings into
the open what your ISP can do for the police with your Internet account.
In November 1998, Cyber-Rights & Cyber-Liberties (UK) developed a "privacy letter" to be sent by a subscriber to an ISP addressing concerns over privacy of communications through a UK ISP. The letter has been drafted from the consumers point of view and raises important issues in relation to ISP privacy policies.
The privacy letter was partly developed as a response to the Association of Chief Police Officers, the Internet Service Providers and the Government Forums initiatives in relation to developing "good practice guidelines" between Law Enforcement Agencies and the Internet Service Providers Industry describing what information can lawfully and reasonably be provided to Law Enforcement Agencies, and under what circumstances such information can be provided, and the procedures to be followed in such cases.
So far, the Forum has produced no documents in relation to its meetings and denied that there is anything secretive going on between ACPO and the ISPs.
Moreover, the views of civil liberties organisations and, more importantly, the views of the users have been excluded from the Forum as no such representation is provided within the Forum: it is partly as a result of this exclusion that the Forums initiatives and work, if unchecked, could lead to extensive infringements of the rights of individual Internet users and consumers within in the UK.
Privacy Letter Developed
For this purpose and fearing the worst, it is time to act now rather than later. Therefore, Cyber-Rights & Cyber-Liberties (UK) drafted the "privacy letter" which states that, "it should be the duty of the Internet Service Providers to safeguard the fundamental rights and freedoms of the Internet users to private communications, and in particular their right to privacy with respect to the processing of personal data which is explicitly protected by international agreements such as the European Convention on Human Rights."
To date the work of the Forum seems to have been focused on developing and harmonising a form of request for information by the police to an ISP. The form, which might seem to some addressees to have the appearance of a warrant, is designed to satisfy the ISP that in the circumstances of the particular case the ISP is not prevented by the restrictions in the Data Protection Act 1984 from providing information to the police. Despite its appearance, the form and its associated "good practice guidelines", has no legal basis for imposing any obligation on an ISP to provide any form of disclosure to the police. However, there is a real risk for ISPs of being misled by such a form and one purpose of our "privacy letter" is to draw attention to such risks. We are also concerned that the Forum completely neglect the matter of the protection granted by the law to the safeguarding of confidential information.
The privacy letter also brings the recently enacted Human Rights Act 1998 to the attention of the ISPs as the 1998 Act incorporates the European Convention on Human Rights into UK law and will provide a further ground for action against infringement of privacy rights. We believe the use of the privacy letter by the consumers will be an important contribution to the whole process by covering the consumers angle, and publication of the results may bring a more balanced approach and openness to the whole process which has been secretive and therefore faced with suspicion.
One of the questions in the "privacy letter" asks what sort of monitoring or backup systems are used by the ISPs and for how long do they keep personal data and whether they are capable of actively monitoring all IP traffic from a particular user and, if this is done, for what purposes.
Although Cyber-Rights & Cyber-Liberties (UK) did receive a letter in response to the "privacy letter" initiative from the ACPO/ISPs Forum in December 1998, that letter (see http://www.cyber-rights.org/privacy/response.htm) did not answer our questions in relation to what can be accessed through a UK ISP in relation to customer accounts, even though identifying the information that can be provided from a technical perspective is one of the tasks of the ACPO Forum.
Now, we are able to shed light on these issues, and we believe it is our duty to inform the public in the absence of an informed discussion from the ACPO/ISPs Government Forum.
ISP Capabilities for the Provision of Information
In February 1998, ISPA produced a report entitled ISPA: Industry Capabilities for the Provision of Information. This ISPA report was written in response to a request for advice at the first meeting of the Association of Chief Police Officers ("ACPO") with ISPs on 7 November, 1997 and it seeks to advise the ACPO as to the type of information stored, and the time that information is kept, for a given customer account of a UK ISP, provided any request for information was supported by "appropriate documentation."
The report is believed to reflect current ISP capabilities, as it was circulated for comments to the ISPA members, but it should be noted that ISPA only represents part of the ISP industry within the UK. Their report nevertheless shows what the ISPs can provide to the police in relation to customer accounts and personal information.
According to the ISPA report, "the type of information stored, and the time that information is kept will vary from ISP to ISP" and identifies three categories for the provision of information:
the minimum (where all ISPs might reasonably be expected to provide such information); typical (where most ISPs should be able to provide the information identified); possible (information that either may be available, or could be provided if additional resource is made available).
The ISPA report states that "the main types of information held or accessible relate to how the customer uses the Internet. The key types are customer, personal, and account data, email activities, use of web sites, newsgroup activity, and Internet Relay Chat (IRC)."
When Cyber-Rights & Cyber-Liberties (UK) developed the "privacy letter" we referred to all traffic data and related information as confidential including the following:
"the content, origin, destination and timing of my electronic mail messages (sent and received), including the details of any newsgroups to which I subscribe and the details of messages received from or posted to them. Moreover, information about websites visited, FTP activities and IRC usage by myself or any members of my family through my account through the connection you provide and details of login and connection times."
The response provided from ISPA and ACPO/ISP/Government Forum of December 1998 never referred to the possibility of provision of personal data and to our concerns. However, the unpublished ISPA report refers to the type of data that we would consider as confidential and personal data. The Cyber-Rights & Cyber-Liberties (UK) report will now examine in turn the ISP capabilities for provision of information capabilities as categorised by the ISPA report.
Under the "minimum information category", the ISPA report shows that all ISPs should be able to provide customer details including name (most recent advised), address (most recent advised), payment records for the current financial year including credit card details or bank details for standing order, DDM or from payment by cheque.
Under the "typical information category", the ISPA report shows that ISPs should usually be able to provide customer details including name (most recent advised and previous), address (most recent advised and previous), payment records (credit card details or, bank details for standing order, DDM or from payment by cheque), telephone number (most recent advised), signature (on contract). (Here and below we have emphasised the additional information.)
Under the "possible category", the ISPA report shows that ISPs can provide customer details including name (current and all previous), address (current and all previous), payment records (credit card details or, bank details for standing order, DDM or from payment by cheque for the current financial year), telephone number (most recent advised), signature (on contract), and identification verification (on contract).
Under the "minimum information category", the ISPs can provide the current names of e-mail accounts held at an ISP, content of received e-mails (those not yet downloaded to customer) and the current aliases of e-mail accounts.
Under the "typical information category", the ISPs can provide the current (and previous within financial year) names of e-mail accounts held at an ISP, content of received e-mails (those not yet downloaded to customer and potentially e-mail received within previous 24 hrs if on system backup), and the current aliases of e-mail accounts.
Under the "possible category", the ISPs can provide the current (and all previous) names of e-mail accounts held at an ISP, content of received e-mails (those not yet downloaded to customer and all content following authorised Police request to track. ISPs can also provide the current aliases of e-mail accounts.
Under the "minimum information category", the ISPs can provide the current address of web site hosted by ISP, the current content of hosted web site and the last updated date of the hosted web site.
Under the "typical information category", the ISPs can provide the address of a web site hosted by the ISP (current and closed within current financial year), content of those hosted web sites (current and records from previous system backups), the last update time of the hosted web site (last update and updates in current month), number of hits on hosted web site (during previous 24 hrs), and address of host system used by visitors to hosted web site (during previous 24 hrs).
Under the "possible category", the ISPs can provide the address of a web site hosted by the ISP (current and all closed), content of those hosted web sites (current and records from previous system backups). In addition all content following authorised Police request to track. Furthermore, the last update time of the hosted web site (last update and updates in last three months), number of hits on hosted web site (during previous 48 hrs), and all following authorised Police request to track. Furthermore, address of host systems used by visitors to hosted web site (during previous 48 hrs) and all following authorised Police request to track. Also a new entry is the address of all web Sites accessed by the customer following authorised Police request to track.
Newsgroups and Internet Relay Chat
No information is automatically stored by all ISPs with regards to newsgroups and Internet Relay Chat ("IRC") activities under the minimum information category.
Under the "typical information category", the ISPs can usually provide information in relation to which newsgroups posted to (during previous 24 hrs) and content of postings (during previous 24 hrs) for postings via the ISPs own News server.
Under the "typical information category", no information is automatically stored by all ISPs as far as the Internet Relay Chat ("IRC") is concerned.
Under the "possible category", the ISPs can provide information in relation to which newsgroups read by the customer (all following authorised Police request to track), which newsgroups posted to by the customer (all following authorised Police request to track), and the content of postings (all following authorised Police request to track).
Under the "possible category", ISPs can provide the police with information in relation to IRC activity and specifically which channels are accessed by the customer (all following authorised Police request to track), and the content of messages sent/received (all following authorised Police request to track).
Therefore, all sorts of account and customer monitoring is possible by the ISPs even though not all ISPs have the technical capability. It is also not clear all through the ISPA document what is meant by "authorised police request". No legal powers currently exist that could oblige an ISP to collect future information for the police, and new legislation would be needed. It is the position of Cyber-Rights & Cyber-Liberties (UK) that no authorisation less than a "judicial warrant" is acceptable for such monitoring of customer accounts and for the provision of personal information. Such "warrants" should be issued by a judge to ensure proper protection for "special procedure" material such as legally privileged communications or journalistic communications. Such warrants should be clearly defined for a certain period of time rather than for an unlimited period of time.
When ACPO/ISPs Government Forum responded to the Cyber-Rights & Cyber-Liberties (UK) "privacy letter" in December 1998, they stated that "the information that might be released by this procedure is not intended to be the contents of e-mails or messages despite what you read in the press." The Forum insisted that our concerns were based on misinformation disseminated by the media; but the leaked ISPA document shows that e-mail communications can be monitored by the ISPs and that e-mail related information, including content of e-mail messages, can be provided to the police upon request. At the time, we regretted that the Forum remained unwilling to say what information is within the scope of the procedure they are discussing. We replied at the time and we still believe that "the public should know what it is that law enforcement is seeking from ISPs." The leaked report shows that our concerns were fully justified, and that secrecy, rather than "media disinformation" was at work.
The ISPA report to ACPO is concerned that "there are occasions and circumstances which can make it impossible to provide the information described above, or if such information is provided, it can prove to be unreliable." Therefore, the ISPA report identifies some problem areas.
These include free trial software distributed on the cover disks of computer magazines (mainly) and the ISPA report is worried that such accounts can be set up using fake customer information, thus allowing anonymous use of the Internet.
Anonymity enables users to prevent surveillance and monitoring of their activities on the Internet not only from commercial companies but also from government intrusion. In Britain, the Safety Net Proposals (which resulted with the formation of the Internet Watch Foundation), endorsed by the UK Government, sees anonymity on the Internet as a danger, proposing that:
"... [A]nonymous servers that operate in the UK [should] record details of identity and make this available to the Police, when needed, under Section 28 (3) of the Data Protection Act (which deals with the disclosure of information for the purpose of prevention of crime)."
A key aspect of the Safety-Net approach is making users take responsibility for material they post on the Internet; stressing the importance of being able to trace the originators of child pornography and other illegal material. For this purpose, the Safety-Net document proposed that the Internet Service Providers should not provide their users with anonymous accounts. ISPs must ensure that they know who all their customers are. This approach is in contrast with European Union initiatives. The benefits of anonymity on-line were recognised at the recent "Global Information Networks, Ministerial Conference," in Bonn, in July 1997. At the Bonn Ministerial Conference, the Ministers declared that:
"Ministers recognise the principle that where the user can choose to remain anonymous off-line, that choice should also be available on-line. Ministers urge industry to implement technical means for ensuring privacy and protecting personal data on the Global Information Networks, such as anonymous browsing, e-mail and payment facilities."
An express right to privacy in UK law will be granted for the first time under the Human Rights Act 1998. Article 8 of the European Convention on Human Rights demands "respect for ...private and family life...home and ...correspondence", and this undoubtedly requires a greater recognition of the value of privacy than has hitherto been forthcoming from English judges or Parliament. In particular, it will be noted that Article 8 expressly protects "correspondence", and this has been applied by the European Court of Human Rights to curtail unregulated police access to telephone conversations as well as other forms of electronic surveillance.
Another problem area identified by the ISPA report involves the most heavily used feature of the Internet, electronic mail. The ISPA report states that e-mail addresses can be faked trivially, so that the identification of the sender of email to an ISP can be unreliable (also newsgroup postings are identified by e-mail addresses, that can be faked trivially). In relation to the possibility of forged e-mail usage the ISPA report states that:
"Some ISPs record the IP address of the originating system, which can assist in identification. In some cases, customers my use email accounts hosted other than by that customers ISP, e.g. the use of a hotmail email address. Information on the use of such email accounts can only be provided by specialist monitoring equipment, which would not generally be available, and only ever be used on request."
Is this a hint that ISPs are ready to do the job if the police equip them for the purpose?
Another address-related problem is the hosted web address. The ISPA report states that web sites can be compromised, so the provider of the content on any web site may not be the owner of the web space.
ISPA considerations on how to intercept
In considering how to intercept information, the following should be considered according to the leaked ISPA document.
There are very few ways to reliably monitor e-mail. All would require the active co-operation of the relevant ISP, where specialist monitoring equipment would be installed. Most ISPs would not normally have such equipment.
Possible to track what is sent by packet snooping at the senders ISP (i.e. point of connection to the Internet).
SMTP - Packet snooping at the receivers ISP.
IMAP or POP3 - Packet snooping or through the receivers ISP taking an additional copy of the e-mail.
As with e-mail, there are very few ways to reliably monitor news. All would require the active co-operation of the relevant ISP, where specialist monitoring equipment would be installed. Most ISPs would not normally have such equipment.
Getting a record from the header of the message of the IP address used at the point of origination of the message. These headers can be misleading.
Packet snooping and/or log analysis.
Proxy servers (web and news) have the impact of obscuring the destination and/or origination of the session. To be effective, monitoring needs to take place at this server.
All of the monitoring will be based upon IP addresses. This requires the ISP to be able to track, predict and/or allocate specific IP addresses to customers who need to be monitored. This capability may not always be available to ISPs: (1) Depending on the technologies used by the ISP; (2) Depending on the ISPs ownership and involvement with the technologies used (i.e. parts of their operation may involve outsourcing to third parties).
ISP Technical Capabilities
According to the ISPA report, "most ISPs will have the technical capability to intercept traffic if required." However, the report continues to state that "all ISPs are operating in a fast growth industry where technical expertise is scarce, and existing demands on qualified personnel are already high. Some smaller ISPs may not be capable of implementing packet snooping, and most ISPs will not have the necessary equipment available."
When Cyber-Rights & Cyber-Liberties (UK) developed the "privacy letter" which asks six legitimate questions (which in our view should be answered by all ISPs in this country), we stated that "this view does not derive from any press coverage, and that it is not based on any misinformation."
Our report shows that we together with the online users have legitimate concerns in relation to privacy issues involving the Internet Service Providers.
It should be noted that the Association of Chief Police Officers, although an influential body close to the Home Office, has no statutory basis. Therefore, ACPO has no accountability to the public at large. Moreover, ISPA a trade body interested in protecting its own interests rather than the consumer interests, is also not accountable to the public.
However, consumers have a legitimate interest and right to know about the policies of their ISPs. Furthermore, procedures can only be properly designed within a legal context and we are concerned to ensure that the legal context takes due account of individual rights and liberties. Such procedures are a matter of legitimate public interest, especially to users of the services of ISPs.
Transparency, openness and accountability are important features of a healthy society. We believe it is now time for the Government through the Parliament to intervene in the activities of the ACPO/ISPs, Government Forum and clarify these matters including the laws in relation to interception of communications and the relevant procedures. We believe this should be a heavily regulated area so that such police requests do not become "fishing expeditions" leading into a Big Brother State!