Individual ISP Responses to the Privacy Letter
I am writing to raise a concern with you about the confidentiality of Internet communications and Internet users data.
I have read of proposed "good practice guidelines" (formerly known as a memorandum of understanding) between UK Internet Service Providers and the Association of Chief Police Officers (see for example, "Police tighten the Net," The Guardian, Online Section, 17 September, 1998 and "Personal privacy versus crime fighting on the electronic frontier," Computing, 07 October 1998). This is apparently designed to enable ISPs to be released in certain circumstances from the restrictions on disclosure of personal data imposed by the UK Data Protection laws. My understanding is that the proposed guidelines follow from the initiatives of a recently formed body, "The Association of Chief Police Officers, Internet Service Providers & Government Forum", which held three seminars during October 1998 entitled "Policing the Internet: Working together to address issues and allay concerns".
I wanted to let you, my Internet Service Provider, know that I regard all traffic data and related information as confidential including the following:
"the content, origin, destination and timing of my electronic mail messages (sent and received), including the details of any newsgroups to which I subscribe and the details of messages received from or posted to them. Moreover, information about websites visited, FTP activities and IRC usage or any other network activity of any nature by myself or any members of my company through my account through the connection you provide and details of login and connection times."
I should also mention that a number of the messages sent and received are not only confidential but are also potentially the subject of legal professional privilege.
Therefore, I would regard the release of the information I have described as a serious breach of confidence and actionable as such and also in contract and also, where applicable, under the Data Protection Act 1984. Short of what is judicially authorised, I have the strongest objection to private bargains being made for the release of confidential information (whether under the so called "good practice guidelines" or otherwise). Such guidelines have no legal force under current UK law, and as my Internet Service Provider, you are not bound to provide any sort of information if you are not provided with judicial authority.
In fact, it should be your duty to safeguard my right to private communications, which is explicitly protected by international agreements such as the European Convention on Human Rights. Please also note that the current Human Rights Bill introduced in the House of Lords will incorporate the European Convention on Human Rights into UK law and will provide a further ground for action against infringement of my privacy rights.
To clear any doubts about the services that you provide, I would like you to answer the following specific questions related to the content of this letter:
(1) Does your organisation take part in the Association of Chief Police Officers, Internet Service Providers & Government Forum or has it been aware of such discussions ?
(2) Has your organisation been approached by the above forum to take part into such discussions and what has been the response ?
(3) What is your organisations policy on such requests from the law enforcement agencies? If there is a written policy, please let me have a copy. Will the proposed good practice guidelines (previously known as the Memorandum of Understanding) affect your current policy ?
(4) What sort of monitoring or backup systems are used and for how long do you keep personal data (as explained above) ? Is INS capable of actively monitoring all IP traffic from a particular user and if this is done for what purposes ?
(5) Are you registered with the Data Protection Registrar, and if so for what purposes can you disclose data and to whom ?
(6) Do you have any objection to publication of your replies? If so, please give the reasons for your objection.
I very much hope that you will be able to confirm that you will respect the confidentiality of the information I have described.
|Dear Ben (Ben Laurie
Thank you for your message, the content of which I empathise with wholeheartedly. Please rest assured that the nature of all information carried by our network is regarded by us as strictly confidential and the sole property and responsibility of its originator.
The only circumstance under which we would willingly provide access to information on our networks would be one where the law dictated that we must, and even then we would seek to strictly limit network access to the minimum required by law. I sincerely hope that this serves to reassure you of our best attentions at all times.
The following response
was provided to
|This response by edNET has been provided
to David Hansen (firstname.lastname@example.org)
Date sent: Mon,
21 Dec 1998 19:04:44 +0000 (GMT)
We understand your concern for your privacy, and would like to set your mind at ease by answering your questions to the best of our ability.
(1) We do not take part in the Association of Chief Police Officers, Internet Service Providers & Government Forum.
(2) We have not been apporached to take part in the above Forum.
(3) We do not have a written policy on requests from law enforcement agencies. We would not disclose any information unless we were presented with a warrant.
(4) We do keep backup copies of all our data, and the data you outlined would be stored. Such backups are on a weeks rotation, so at any given time we have information on the last seven days. We do have (as do all ISPs) have to capability to monitor all IP traffic that passes through our network. This is sometimes done, but only for the purpose of debugging should a problem arise.
(5) We are registered with the Data Protection Registrar, as it is a legal requirement. We do not disclose personal information to anyone.
(6) There is no objection to the publication of this reply, conditional to permission being granted from us on a per use basis, in order that we can ensure the context in which we are being quoted. [Permission was obtained by Mr Hansen for the publication of the EdNet response].
If you have any further questions, please don't hesitate to contact us.