[governance] BBC: May setting out plans to monitor internet use in UK

Roland Perry roland at internetpolicyagency.com
Fri Jun 15 06:25:40 EDT 2012


In message 
<CAHuaJtNWPjEjxxPFeYcPkwV64Cr8ruKfdctAfgPNo6H0ObsPjQ at mail.gmail.com>, at 
01:28:29 on Fri, 15 Jun 2012, Fouad Bajwa <fouadbajwa at gmail.com> writes
>This is happening almost everywhere in some form.
>
>There is DPI being done in my region for quite some time now. In the
>US, they have data centres built to store huge amounts of such
>information for years.
>
>Many would twist this information in directions of IG etc but this is
>something that is pragmatically happening and is a law related issue.
>I think they do a lot of this in the EU

You are quite correct. The data *gathering* powers are just the same as 
enshrined in the EU's Data Retention Directive.

The only substantive changes in this new UK law are a review of who can 
demand *disclosure* (it's actually fewer public authorities than before, 
not more) and a much more sophisticated way to draw a line between 
"content" (what you did) and "traffic data" (where you did it).

The 12yr-old law that this will replace says (in effect) that the 
"where" data is restricted to just the IP address of the server, but not 
(in, for example, the case of a web server) which web page.

This compromise was something I negotiated with the lawmakers at the 
time, because there was deep concern from Civil Society about the 
intrusiveness of the "where", and being too detailed in the case of a 
url. It even had a name: "Big Browser" (an allusion to "Big Brother").

eg: it is argued that the url:

   http://lists.igcaucus.org/arc/governance/2012-06/msg00315.html

is indistinguishable from content, because it shows exactly what the 
person has looked at. Obtaining specific content that a person has 
looked at (by analogy with wiretapping) requires invoking a much 
stricter regime of interception warrants.

However, if we say that all we are prepared to have disclosed as traffic 
data is "the IGCaucus site", that approximates in most cases to "the url 
as far as the first single forward slash", viz:

    http://lists.igcaucus.org

And I went and briefed officials and ministers, with RFCs describing 
URLs and URIs under my arm, and the conclusion was that you can't write 
something as technology specific as "up to the first single forward 
slash" in an Act of Parliament, so "the server"[1] (and in practice it's 
most likely to be "identified by" its IP address) was the proxy that was 
used.

This new law seems to be saying that the degree of disclosure (how far 
up the url is allowed) will now be defined on a case-by-case basis, 
while still respecting privacy to the full extent of the ECHR.

In the case of my example, perhaps:

    http://lists.igcaucus.org/arc/governance/2012-06/

would be deemed appropriate (in other words the "where" is the June 2012 
archive, but no indication of which individual message was retrieved 
from the archive).

I'm sure there will be a long debate about how well or badly people 
expect this to work. If anyone feels like sponsoring me to work on this 
further, I'd be happy to quote.

[1] Strictly, "the apparatus", see the last sentence of 21(6):
     http://www.legislation.gov.uk/ukpga/2000/23/section/21
-- 
Roland Perry
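
The disclosure levels discussed in the message above, as an added example that is not part of the original post: a Python function that reduces a URL to "the server" (up to the first single forward slash) or to a chosen number of directory levels, never returning the document name, query string, fragment or credentials. The names `disclose` and `depth` are hypothetical, and treating the last path segment as the document is an assumption of this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def disclose(url, depth=0):
    """Return the part of `url` released at a given disclosure depth.

    depth=0 -> scheme and host only ("up to the first single forward slash")
    depth=n -> additionally the first n directory segments of the path
    The final path segment, query, fragment and userinfo are never returned.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an absolute http(s) URL")

    host = parts.hostname              # lower-cased, userinfo already removed
    if ":" in host:                    # IPv6 literal needs its brackets back
        host = "[" + host + "]"
    port = parts.port
    if port not in (None, DEFAULT_PORTS[parts.scheme]):
        host = f"{host}:{port}"        # keep only a non-default port
    base = f"{parts.scheme}://{host}"
    if depth <= 0:
        return base

    # Assumption: the last segment names the document that was read, so it
    # is dropped even when it might really be a directory (conservative).
    directories = parts.path.split("/")[1:-1]
    kept = directories[:depth]
    if not kept:
        return base
    return base + "/" + "/".join(kept) + "/"

if __name__ == "__main__":
    # URL taken from the message; depths chosen for illustration.
    example = "http://lists.igcaucus.org/arc/governance/2012-06/msg00315.html"
    for d in (0, 1, 3):
        print(d, disclose(example, d))
```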
