
Why this new law is actually unnecessary and illegal

16 Feb 2008 10:34 (Edited: 16 Feb 2008 10:34)

Building In Big Brother

This material is extracted from an annual publication produced by the US Electronic Privacy Information Center (EPIC) and Privacy International. Now in its sixth edition, the Privacy & Human Rights Report has become the most comprehensive global analysis in the field. It outlines legal protections for privacy, and summarises important issues and events relating to privacy and surveillance. This summary provides a context to better understand the implementation of restrictions on free speech in the electronic realm.

Legal and Technical Standards for Surveillance

In the past fifteen years, the United States government has led a worldwide effort to limit individual privacy and enhance the capability of its police and intelligence services to eavesdrop on personal conversations. This campaign had two strategies. The first is to promote laws that make it mandatory for all companies that develop digital telephone switches, cellular and satellite phones and all developing communication technologies to build in surveillance capabilities; the second is to seek limits on the development and dissemination of products, both in hardware and software, that provide encryption, a technique that allows people to scramble their communications and files to prevent others from reading them.1

Law enforcement agencies have traditionally worked closely with telecommunications companies to formulate arrangements that would make phone systems “wiretap friendly.” These agreements range from allowing police physical access to telephone exchanges, to installing equipment to automate the interception. Because most telecommunications operators were either monopolies or operated by government telecommunications agencies, this process was generally hidden from public view.

Following deregulation and new entries into telecommunications in the United States in the early 1990s, law enforcement agencies, led by the FBI, began demanding that all current and future telecommunications systems be designed to ensure that they would be able to conduct wiretaps. After several years of lobbying, the United States Congress approved the Communications Assistance for Law Enforcement Act (CALEA) in 1994.2 The act sets out legal requirements for telecommunications providers and equipment manufacturers on the surveillance capabilities that must be built into all telephone systems used in the United States. In 1999, at the request of the Federal Bureau of Investigation, an order was issued under CALEA requiring carriers to make available the physical location of the antenna tower that a mobile phone uses to connect at the beginning and end of a call.3

In the United Kingdom, the Regulation of Investigatory Powers Act 2000 requires that telecommunications operators maintain a “reasonable interception capability” in their systems and be able to provide on notice certain “traffic data.”4 It also imposes an obligation on third parties to hand over encryption keys. These requirements were recently clarified in the Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002.

In the Netherlands, a new Telecommunications Act was approved in December 1998 that required that Internet Service Providers have the capability by August 2000 to intercept all traffic with a court order and maintain user logs for three months.5 The law was enacted after XS4ALL, a Dutch ISP, refused to conduct a broad wiretap of electronic communications of one of its subscribers. In New Zealand, the Telecommunications (Residual Powers) Act 1987 requires network operators to assist in the operation of a call data warrant (equivalent to the United States trap and trace or pen register warrant).6 An obligation to assist in the operation of a full interception warrant is now also being considered in New Zealand. The Telecommunications (Interception Capabilities) Bill currently being drafted by the Government would require all Internet Service Providers and telephone companies to upgrade their systems so that they are able to assist the police and intelligence agencies in intercepting communications. It would also require a telecommunications operator to decrypt the communications of a customer if that operator had provided the encryption facility.7

In January 2002, a new Law on the surveillance of mail and telecommunications entered into force in Switzerland, requiring ISPs to take all necessary measures to allow for interception.8 In contrast, the Austrian Federal Constitutional Court held, in a decision9 in February 2003, that the law compelling telecommunications service providers to implement wiretapping measures at their own expense is unconstitutional.10 Most recently, Poland and New Zealand have been reported as proposing and adopting new laws requiring ISPs to monitor and record communications transactions.

International cooperation played a significant role in the development of these standards. In 1993, the FBI began hosting meetings at its research facility in Quantico, Virginia called the “International Law Enforcement Telecommunications Seminar” (ILETS). The meetings included representatives from Canada, Hong Kong, Australia and the European Union. At these meetings, an international technical standard for surveillance, based on the FBI’s CALEA demands, was adopted as the “International Requirements for Interception.” In January 1995, the Council of the European Union approved a secret resolution adopting the ILETS standards.11 Following this, many countries adopted the resolution into their domestic laws without revealing the role of the FBI in developing the standard. Following the adoption, the European Union and the United States offered a Memorandum of Understanding (MOU) for other countries to sign to commit to the standards. Several countries including Canada and Australia immediately signed the MOU. Others were encouraged to adopt the standards to ensure trade. International standards organizations, including the International Telecommunications Union (ITU) and the European Telecommunication Standardisation Institute (ETSI), were then successfully approached to adopt the standards.

The ILETS group continued to meet. Several committees were formed and developed a more detailed standard extending the scope of the interception standards. The new standards were designed to apply to a wide range of communications technologies, including the Internet and satellite communications. It also set more detailed criteria for surveillance across all technologies. The result was a 42-page document called ENFOPOL 98 (the European Union designation for documents created by the European Union Police Cooperation Working Group).12

In 1998….(a) new document, now called ENFOPOL 19, expanded the type of surveillance to include “IP address (electronic address assigned to a party connected to the Internet), credit card number and E-mail address.”13

Internet Surveillance: Black Boxes and Key Loggers

A related development has been the use of “black boxes” on ISP networks to monitor user traffic. The actual workings of these black boxes are unknown to the public. What little information has been made public reveals that many of the systems are based on “packet sniffers” typically employed by computer network operators for security and maintenance purposes. These are specialized software programs running in a computer that is hooked into the network at a location where it can monitor traffic flowing in and out of systems. These sniffers can monitor the entire data stream, searching for key words, phrases or strings such as net addresses or e-mail accounts. They can then record or retransmit for further review anything that fits their search criteria. In many of the systems, the boxes are connected to government agencies by high-speed connections.

In some countries, there have been laws or decrees enacted to require the systems to build in these boxes. Russia was the first country where this requirement was made public, and according to Russian computer experts, the United States government advised them on implementation. In 1998, the Russian Federal Security Service (FSB) issued a decree on the System for Operational Research Actions on the Documentary Telecommunication Networks (SORM-2) that would require ISPs to install surveillance devices and high-speed links to the FSB which would allow the FSB direct access to the communications of Internet users without a warrant.14 ISPs are required to pay for the costs of installing and maintaining the devices. When an ISP based in Volgograd challenged FSB’s demand to install the system, the local FSB and Ministry of Communication attempted to have its license revoked. The agencies were forced to back off after the ISP challenged the decision in court. In a separate case, the Supreme Court ruled in May 2000 that SORM-2 was not a valid ministerial act because it failed several procedural requirements.

Following the Russian lead, in September 1999, Ukrainian President Leonid Kuchma proposed requiring that ISPs install surveillance devices on their systems based on the Russian SORM system. The rules and a subsequent bill were attacked by the Parliament and withdrawn. However, in August 1999, the security service visited several of the large ISPs, who were reported to have installed the boxes.

In the Netherlands, following the passage of the 1998 Telecommunications Act (see above), the Dutch Forensics Institute15 developed a “black-box” for ISPs to install on their networks. The black box would be under control of the ISP and turned on after receiving a court order. The box would look at authentication traffic of the person to wiretap and divert the person’s traffic to law enforcement if the person is online. Due to the inability of ISPs to adopt the requirements of the law, however, its implementation has been delayed.

In China, a system known as the “Great Firewall” routes all international connections through proxy servers at official gateways, where Ministry for Public Security (MPS) officials identify individual users and content, define rights, and carefully monitor network traffic into and out of the country. At a 2001 security industry conference, the government announced an ambitious successor project known as “Golden Shield.” Rather than relying solely on a national intranet, separated from the global Internet by a massive firewall, China will now build surveillance intelligence into the network, allowing it to “see,” “hear” and “think.”16 Content-filtration will shift from the national level to millions of digital information and communications devices in public places and people’s homes.17 The technology behind Golden Shield is incredibly complex and is based on research developed largely by Western technology firms, including Nortel Networks, Sun Microsystems and others. The Golden Shield efforts do not signal an abandonment of other avenues of access and content control. For example, details are only beginning to emerge about a new “black box” device, derived from technology previously used in airline cockpit data recorders, and broadly similar to the Carnivore system. Chinese Internet police would use the black box technology to monitor dissidents and collect evidence on illegal activities.18

New methods of surveillance, and in particular those capable of circumventing encryption, are also being developed. One such technological device is a “key logger” system. A key logger system records the keystrokes an individual enters on a computer’s keyboard. Keystroke loggers can be employed to capture every key pressed on a computer keyboard, including information that is typed and then deleted. Such devices can be manually placed by law enforcement agents on a suspect’s computer, or installed “remotely” by placing a virus on the suspect’s computer that will disclose private encryption keys.

The question of such surreptitious police decryption methods arose in the case of United States v Scarfo.19 There, the FBI manually installed a key logger device on the defendant’s computer in order to capture his PGP encryption password. Once they discovered the password, the files were decrypted, and incriminatory evidence was found. In December 2001, the United States FBI confirmed the existence of a similar technique called “Magic Lantern.”20 This device would reportedly allow the agency to plant a Trojan horse keystroke logger on a target’s computer by sending a computer virus over the Internet; rather than require physical access to the computer as is now the case. The new Danish Anti-Terrorism law, enacted in June 2002, appears to give law enforcement the power to secretly install this kind of snooping software on the computers of criminal suspects.21

Retention of Traffic and Location Data

On May 30, 2002, the European Parliament voted on the new European Union Electronic Communications and Privacy Directive.22 In a remarkable reversal of their original opposition to data retention, the members voted to allow each European Union government to enact laws to retain the traffic and location data of all people using mobile phones, SMS, landline telephones, faxes, e-mails, chatrooms, the Internet, or any other electronic communication devices, to communicate. The new Directive reverses the 1997 Telecommunications Privacy Directive by explicitly allowing European Union countries to compel Internet service providers and telecommunications companies to record, index, and store their subscribers’ communications data.23 The data that can be retained includes all data generated by the conveyance of communications on an electronic communications network (“traffic data”) as well as the data indicating the geographic position of a mobile phone user (“location data”).24 The contents of communications are not covered by the data retention measures. These requirements can be implemented for purposes varying from national security to criminal investigations and prevention, and prosecution of criminal offences, all without specific judicial authorization.

Although this data retention provision is supposed to constitute an exception to the general regime of data protection established by the directive, the ability of governments to compel Internet service providers and telecommunications companies to store all data about all of their subscribers can hardly be construed as an exception to be narrowly interpreted. The practical result is that all users of new communications technologies are now considered worthy of scrutiny and surveillance in a generalized and preventive fashion for periods of time that States’ legislatures or governments have the discretion to determine. Furthermore, because of the cross-border nature of Internet communications, this Directive is likely to have negative repercussions for citizens of other countries. There is a significant risk that non-European Union law enforcement agencies will seek data held in Europe that they cannot obtain at home, either because it was not retained or because their national law would not permit this kind of access.

During the debates on the Directive, many members of the European Parliament and the European Union privacy commissioners consistently opposed data retention, arguing that these policies are in contravention of data protection practices of deletion of data once it is no longer required for the purpose for which it was collected, and also in contravention of proportionality principles in accordance with constitutional laws and jurisprudence. Similarly, the Global Internet Liberty Campaign, a coalition of 60 civil liberties groups, organized a campaign and drafted an open letter to oppose data retention. The letter was sent to all European Parliament members and heads of European Union institutions after more than 16,000 individuals from 73 countries endorsed it in less than a week. The letter asserted that data retention (for reasons other than billing purposes) is contrary to well-established international human rights conventions and case law.

While a few other countries have already established data retention schemes (Belgium, Denmark, France, Spain, Switzerland and the United Kingdom) the implementation phase of the Directive’s data retention provision may be bumpy in other Member States. Already in the United Kingdom, after a review by a parliamentary committee, significant questions have been raised regarding the legality, invasiveness, and the financial burdens involved in data retention.25 The Directive may be seen as being in conflict with the constitutions of some European Union countries, with respect to fundamental rights such as the presumption of innocence, the right to privacy, the secrecy of communications, or freedom of expression.26 In Finland, because of concerns regarding freedom of speech and privacy, content retention requirements have been reduced to three weeks at most, and for Internet traffic data no retention is required.27

Meanwhile, the situation is uncertain in Austria, Germany, Greece, Italy, Luxembourg, Portugal, and Sweden as they consider or question the means through which they can establish retention policies.28 In Ireland, proposals from the Department of Justice have been poorly received from the industry, the Data Protection Commissioner, the Department of Communications, and the Marine and Natural Resources.29 Industry associations in several countries30 and the International Chamber of Commerce have all announced their concerns with general retention laws.31 In all, nine states have established laws so far; while ten out of fifteen EU governments favor a “harmonizing” EU measure.32

Footnotes

1 See David Banisar & Simon Davies, “The Code War,” Index on Censorship, January 1998.

2 See EPIC, Wiretap, available at [ link ]

3 Third Report and Order adopted by the Federal Communications Commission, In the Matter of Communications Assistance for Law Enforcement Act, CC Docket No. 97-213, FCC 99-230 (1999) (the “Order”). The Order was released on August 31, 1999. A summary of the Order was published in the Federal Register on September 24, 1999. See 64 Fed. Reg. 51710.

4 Regulation of Investigatory Powers Act 2000, sections 12 (1) and 22 (4) respectively, available at [ link ]

5 Telecommunications Act 1998. Rules pertaining to Telecommunications (Telecommunications Act), December 1998.

6 Telecommunications (Residual Powers) Act 1987, section 10D.

7 “Interception Capability - Government Decisions,” New Zealand Government Executive Press Release, March 21, 2002, available at [ link ]

8 Loi fédérale sur la surveillance de la correspondance postale et des télécommunications, [ link ] and the respective new decree [ link ]

9 [ link ]

10 See for more details [ link ]

11 Council Resolution of 17 January 1995 on the lawful interception of telecommunications, Official Journal of the European Communities November 4, 1996, available at [ link ]

12 ENFOPOL 98, September 1998, available at [ link ] (in German). See also Duncan Campbell, “Special Investigation: ILETS and the ENFOPOL 98 Affair,” Heise Online, April 29, 1999, available at http://www.heise.de/tp/english/special/enfo/6398/1.html.

13 Draft Council Resolution on the Lawful Interception of Telecommunications in Relation to New Technologies ENFOPOL 19, March 15, 1999.

14 “Russia Prepares To Police Internet,” The Moscow Times, July 29, 1998. More information in English and Russian is available from the Moscow Libertarium Forum [ link ]

15 See Dutch Forensics Institute Homepage [ link ]

16 G. Walton, China’s Golden Shield: Corporations and the Development of Surveillance Technology in the People’s Republic of China 9 (Rights and Democracy, 2001) available at [ link ]

17 B. Rappert, “Assessing the Technologies of Political Control” (1999) 36(6) J. of Peace Research 741. The Golden Shield Project contemplates automated voice recognition through digital signal processing, distributed, network video surveillance, and content-filtration of the Internet.

18 See, e.g., L. Weijun, “China Plans to Build Internet Monitoring System,” China News Daily, March 20, 2001 [ link ]

19 United States v. Scarfo, 180 F. Supp. 2d 572 (D.N.J. 2001). See generally EPIC’s Scarfo web page [ link ]

20 Elinor Mills Abreu, “FBI Confirms ‘Magic Lantern’ Project Exists,” Reuters, December 12, 2001.

21 Law No. 378, June 6, 2002.

22 Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector [ link ]

23 Art. 15 (1), id.

24 Art. 2 (b) and (c), id.

25 All Party Parliamentary Internet Group, Communications Data: Report of an Inquiry by the All Party Internet Group, January 2003 [ link ]

26 This is, e.g., the case in Spain where the recent law allowing data retention for a year (the “LSSICE”) has been challenged as being in direct opposition to the Spanish Constitution. See generally, EPIC’s LSSI web page [ link ]

27 EFFi, “Finland rewrote the Internet censorship law,” Press Release, February 16, 2003.

28 “Answers to a questionnaire on traffic data retention,” Council of the European Union, November 20, 2002 [ link ]

29 Karlin Lillington, “Departments at Odds on Data Retention Bill,” The Irish Times, June 27, 2003.

30 European Competitive Telecommunications Association (“ECTA”), “ECTA Statement on Data Retention in the EU,” Update June 2003; see generally [ link ]

31 EICTA, ETNO, EuroISPA, ICC, Intug, and UNICE, “Common Industry Statement on Storage of Traffic Data for Law Enforcement Purposes,” June 4, 2003 [ link ]

32 Statewatch, “Majority of Governments Introducing Data Retention of Communications,” January 2003, available at [ link ]

Copies of the Privacy & Human Rights Report can be ordered through www.epic.org. The publication is also available online at [ link ]

 

User comments

  • by danmax @ 18 Feb 2008 21:19

    I often wonder why I can never get rid of key loggers on my computer. I've used many software, and free downloads, but after they do what they state they do, there are always key loggers left behind. I guess you have to do a wipe on your hard drive every once in a while and reload all your programs. Furthermore, every time the Government starts a program for the good, it always turns out to be some kind of monster. That's what I see in Building Big Brother.

  • by varnull @ 27 Apr 2008 19:02




    The new Britain...


  © 1999-2008 by AfterDawn Ltd.