U.K. slows plan for sweeping electronic surveillance

LONDON – The British government is slowing down a proposal that would give law enforcement sweeping power to collect electronic data as a measure to prevent terrorism.

The proposal, in the Communications Data Bill, would allow the government to collect data on phone calls and other electronic communication. The government planned to put the proposal in Parliament’s upcoming legislative agenda, but opted instead on Wednesday to conduct a consultation next year due to concerns about intrusive monitoring of private citizens.

“It’s a sensitive issue, and there needs to be a proper public debate,” a Home Office spokesman said last week. Home Secretary Jacqui Smith said on Wednesday the legislation is needed because of the difficulty in collecting evidence against terrorists.

“These are not like other criminal investigations,” Smith said during a speech at the Institute for Public Policy Research. Law enforcement “put a very high premium on pre-emptive intelligence because we are trying to stop a criminal act and not investigate one which has already taken place.”

Critics contend that allowing the government to create a “super database” that logs e-mails, phone calls and Web sites visits raises privacy concerns as well as potential security problems over how the data would be stored.

Smith denied the government seeks a super database. “There are no plans for an enormous database which will contain the content of your e-mails, the texts that you send or the chats you have on the phone or online.” But collecting data such as the location and identity of someone making a phone call “is vital to fighting terrorism and combating serious crime,” she said.

The government has not made a draft of the Communications Data Bill publicly available. However, it is modeled in part on European Union Directive 2006/24/EC, which requires that communication providers retain a vast array of data including IP (Internet Protocol) address, physical address and user ID used for communications such as e-mail.

The actual content of the communication should not be retained, but data around how it was sent and when should be retained for at least six months and up to two years, the directive says. The directive was propelled in part by the July, 2005 terrorist attacks in London. E.U. countries were required to comply in part with the directive by September 2007, but can delay the Internet access and e-mail monitoring until March 2009.

The Open Rights Group, a nongovernmental group that monitors Internet-related privacy and legal issues, said it supported the government’s decision for a consultation. “Creating this database would drastically alter the relationship between the citizen and the state, handing national security and law enforcement agencies immense power to invade the private lives of ordinary people,” wrote Becky Hogge, the group’s executive director.

At least one senior Microsoft executive doubts how helpful collecting Internet communications would be for law enforcement. Hackers have a variety of techniques that could undermine a user’s PC and make it appear a victim is involved in a scheme when they’re not.

E-mails can be spoofed and computers can be infected with malicious software, wrote Jerry Fishenden, Microsoft’s U.K. National Technology Officer. For example, a Web feature called “pre-fetch” lets one Web site command a person’s browser to pull up another Web site in the background, a feature that speeds browsing.

But pre-fetch works without the knowledge of a user, Fishenden wrote. A blog entry could trigger a bomb-making Web site to be called up in the background, which would then be logged by the ISP (Internet Service Provider). “Legitimately you would know nothing about it, but try telling that to someone knocking on your door at four o’clock in the morning waving a printout from the ISP showing you regularly frequent ‘known terrorist Web sites’,” Fishenden wrote.



Related Download
2016 Cisco Annual Security Report Sponsor: CompuCom
2016 Cisco Annual Security Report
Download The Cisco 2016 Annual Security Report for a closer look at how security professionals should respond to threats.
Register Now