Escolar Documentos
Profissional Documentos
Cultura Documentos
Copyright
Table Of Contents
..........................................................................................................................................
1. Introduction .............................................................................................................. 4
1.1 Methodology ....................................................................................................... 5
2. Data Protection and Communications: .................................................................. 6
2.1 Nature of the problem ....................................................................................... 6
2.1.2 What is Personal Data? .................................................................................. 7
2.1.3 What is data protection? ................................................................................ 8
2.1.4 Why do we need data protection? ................................................................. 9
2.2 Data Protection Legislation: ........................................................................... 11
2.2.1 EU Data Protection Principles ..................................................................... 12
2.2.2 The Directive on Privacy and Electronic Communications (2002/58/EC):
.................................................................................................................................. 15
2.2.2.1 Security Measures .................................................................................. 16
2.2.2.2 Confidentiality of Communications ......................................................... 17
2.2.2.3 Caller and Called Line Identification .......................................................... 19
2.2.2.5 Emergency and Nuisance Calls..................................................................... 21
2.3 United States and privacy of communication ................................................ 25
2.3.1 Privacy of Communication Laws In The United States ........................ 26
2.3.1.1 The Telecommunications Act 1996....................................................... 26
2.3.1.2 The Location of Privacy Protection Act of 2001 ................................. 27
2.3.1.3 Spyware Control and Privacy Protection Act 2001 ............................ 28
3. Law enforcement and privacy of communications ............................................. 30
3.1 Why Lawful Interception? .............................................................................. 32
3.3 What is intercepted under lawful Interception? ........................................... 38
3.4.1 Lawful Interception Laws in the United Kingdom .................................... 39
3.4.2 Lawful Interception in the United States .................................................... 42
3.4.3 Lawful Interception in Australia ................................................................. 45
3.5 Lawful Interception requirements of Communications service providers . 47
3.7 Data Retention...................................................................................................... 53
3.7.1 Impact of Data Retention Laws on Communications Service Providers
.............................................................................................................................. 57
3.8 Conclusion ........................................................................................................ 59
4 Information security and communications........................................................... 61
4.1 What is information security? ........................................................................ 61
4.1.1 Why Information Security? ......................................................................... 62
5 Concluding ............................................................................................................... 68
Bibliography ............................................................................................................... 72
1. Introduction
Within the last 10 years the manner in which telecommunications is used has changed
vastly since the introduction of liberalisation and competition measures.
Liberalisation has led to more players in the telecommunications arena in all areas of
the sector.
Indeed the mobile phone market is an example of the shift in the major provision of
telecommunications services from former state owned institutions to private
organisations, while the Internet has spawned new service providers to the
communications industry such as Internet Service Providers.
The introduction of these services and enterprises has led to the amendment and
introduction of new legislation to regulate the manner by which these
communications service providers operate. The objective of a number of these
legislations is to protect the privacy and maintain the confidentiality of the
subscribers communication and information when they use these systems to
communicate.
While it is to be noted that privacy of communications legislations are to ensure that
privacy and confidentiality of communications is maintained, it is to be observed that
telecommunication systems are used by criminals and terrorists to transmit
information about their activities. In certain instances these communications may be
the only source for proving that individuals are involved in activities that are criminal
or which threaten national security.
For instance in an investigation on insider dealing, almost the entire case rested on the
date and time of telephone calls made between various defendants. Telephone records
were obtained from business and home telephone numbers with the brokerage firm
providing details of incoming and outgoing calls to clients1.
The next phase of the essay will look at legislation relating to lawful interception and
data retention with a view to look at circumstances when the balance of maintaining
privacy of communications data on the part of the communications provider interacts
with the need for lawful enforcement agencies requirements relating to data retention
and lawful interception.
The third phase will look at the issue of information security highlighting the effects
data protection and data retention legislations have on how communications service
See Tackling Insider Dealing p13 Home office Consultation Paper: Access To Communications Data
Respecting Privacy and Protecting the Public From Crime March 2003
2
Communications service provider in this essay includes Telecommunications Operators, Telephone
Service Providers, Internet service providers, Mobile Phone Operators, Communications Network
Operators
providers implement information security measures when dealing with data retention
and lawful interception.
The final phase of the essay will consist of conclusions and recommendations.
From a geographic perspective while telecommunications issues are a global
phenomenon, this essay will focus mainly on how these concepts influence
communications service providers in Europe and the United States.
The problem is that technology makes it much easier to infringe upon the rights of
individuals especially with regards to their personal data. Numerous organisations4
have identified this situation and have for years been championing the call for greater
awareness to make sure that the individuals fundamental human rights are not
infringed.
It is a well-known fact that convergence of these technologies makes it easier for
marketing companies to process data to profile people. Like wise it can be argued that
it is also possible for criminals to easily gather information about others in their quest
to forge identities5 in their quest to commit crimes.
In recognition of the risks that can accrue to an individual, privacy laws have been
enacted to define what constitutes legal and illegal activity when it comes to the
protection of an individuals data whilst it is being transmitted over
telecommunication streams.
For example electronic privacy information centre www.epic.org and Electronic Frontier Foundation
www.eff.org
5
See Internet fraud watch www.fraud.org and Internet fraud centre www1.ifccfbi.gov
6
Data Protection Act 1998
7
Person entitled to hold data about individuals
8
Section 1(1) Data Protection Act 1998
It must be stated here that personal data does not just relate to text, but can also relate
to a CCTV9 image10.
2.1.3 What is data protection?
Data protection involves the implementation of administrative, technical or physical
measures to guard against unauthorised access to such data.
It stems from legislative requirements such as the European Convention for the
Protection of Human Rights and Freedoms11 and has with the advancement in
automated processing of data been influenced by new legislations such as Directive
1995/46/E.C on the protection of individuals with regard to the processing of
personal data and on the free movement of such data hereinafter referred to as the
Data Protection Directive12 to the privacy and electronic commerce directive13. It
involves the protection of personal data, which covers both facts and opinions about
an individual.
An instance of privacy legislation can be illustrated with the European Convention on
Human rights, which provides for the right of respect to private and family life14. It
further provides that there shall be no interference by a public authority with the
exercise of this right except such as in accordance with the law and as is necessary in
a democratic society in the interests of national security, public safety or the economic
Data Protection Act identifies data as information that is processed by means of equipment operating
automatically in response to instructions given for that purpose and is recorded with the intention that it
should be processed by means of such equipment.
10
See also CCTV Looking out for you Home office publication November 1994
11
Article 8 (1) Convention for the Protection of Human Rights and Fundamental Freedoms as
Amended by Protocol No 11
12
Directive 1995/46/E.C.[1995] 0.J. L281/31
13
Directive 2002/58/E.C OJ L 201/37
14
Article 8 (1) European Convention On Human Rights
well being of the country, for the prevention of disorder or crime, for the protection of
health or morals or for the protection of the rights and freedoms of others15.
15
16
an offence for a person, knowingly or recklessly, without the consent of the data
controller, to obtain personal data17.
To buttress this point further an individual named Alistair Fraser, trading as Solent
Credit Control18, recently pleaded guilty to offences of unlawfully obtaining and
selling personal information in breach of the Data Protection Act 1998. Mr Fraser had
obtained the personal information of certain individuals by deception from the
Department for Works and Pensions. He then sold the information to third parties. He
was found guilty and fined. A feature of this case is the fact that it was brought to
court by the Information Commissioner, thus showing that the Commissioner is
prepared to use enforcement powers to combat and discover agencies that illegally
obtain and sell personal information19.
In the United States organisations that breach the provisions of data protection
legislations relating to privacy of information are severely punished on conviction as
can be illustrated where recently in United States of America (for the Federal Trade
Commission) v. Hershey Foods Corporation20: In this case, Mrs. Fields Cookies and
Hershey Foods Corporation each agreed to settle Federal Trade Commission charges
that their Web sites violated the Children's Online Privacy Protection Act (COPPA)21
Rule by collecting personal information from children without first obtaining the
proper parental consent. Mrs. Fields are to pay civil penalties of $100,000 while
Hershey will pay civil penalties of $85,000. The separate settlements also bar the
companies from violating the Rule in the future and represent the biggest COPPA
penalties awarded to date. The COPPA Rule applies to operators of commercial Web
17
10
sites and online services directed to children under the age of 13 and to general
audience Web sites and online services that knowingly collect personal information
from children under 13. Amongst other things, the Rule requires that Web site
operators obtain verifiable consent from a parent or guardian before they collect
personal information from children22.
2.2 Data Protection Legislation:
In this section I will be analysing the various legislations relating to data protection
taking into account data protection in the European Union and the United States with
a view to looking at the different ways in which they have been implemented.
Following that an analysis of the impact they have on telecommunications will be
carried out.
National data protection laws have developed as electronic commerce has boomed.
Indeed, with more coverage being given in the media relating to infringement of
privacy, it is no wonder that countries have been more active in ensuring people know
what their rights are in relation to these issues and also that data controllers23 ensure
data under their custody is processed in line with data protection legislations.
The European Union has developed a Framework for Data protection; this can be seen
in the Data Protection Directive and the Privacy and Electronic Communications
Directive24.
In the United States data protection legislations generally target discrete information
processing activities with the most important legislative protections for information
22
11
Personal data shall be processed fairly and lawfully26 (see below for more on
lawful processing)
Personal data shall be obtained only for one or more specified and lawful
purposes, and shall not be further processed in any manner incompatible with
that purpose or those purposes27.
25
See Resolving Conflicting International Data Privacy Rules in Cyberspace Joel R Reidenberg May
52 STANFORD Law. Review. 1315 (2000)
26
Article 6(1a) Data Protection Directive 95/46/EC
12
Personal data shall be adequate, relevant and not excessive in relation to the
purpose or purposes for which they are processed28.
Personal data processed for any purpose or purposes shall not be kept for
longer than is necessary for that purpose or those purposes30.
While the above constitute the basic tenets of data protection, it must be mentioned
that there are other issues that must be observed in protecting data when it is being
processed. Article 7 of the Directive stipulates what constitutes lawful processing of
data and it specifies that personal data may be processed only where:
the data subject has unambiguously given his consent33, for sensitive data
which includes information relating to race, political opinions, religious or
philosophical belief, health or sex life, trade union membership, there must be
explicit consent34
27
Article 6(1b)
Article 6(1c)
29
Article 6(1d)
30
Article 6(1e)
31
Article 12
32
Article 17
33
Article 7 (a) Data Protection Directive 95/46/EC
34
Article 8(1)
28
13
processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller or in a
third party to whom the data are disclosed38
These principles indicate that the data may only be used in accordance with the
purpose for which it has been obtained from the data subject. This would thus
mean that the use of the data for example, where it is collected for the opening of
an online banking account, the data collected should be used solely for what it
was originally intended. The data supplied should not be allowed to be used by
the same company to market different products to the data subject or indeed sell
35
Article 7 (b)
Article 7 (c)
37
Article 7 (d)
38
Article 7 (e)
39
Article 7 (f)
40
Article 1(1) states In accordance with this Directive, Member States shall protect the fundamental
rights and freedoms of natural persons, and in particular their right to privacy, with respect to the
processing of personal data.
36
14
the information to a third party organisation without the consent of the data
subject. It is only after receiving consent that one can market other products to the
person in question
2.2.2 The Directive on Privacy and Electronic Communications (2002/58/EC)41:
This directive repeals the Telecommunications Data Protection Directive (97/66/EC)
and lays certain obligations on telecommunications companies and service providers.
The main aim of this directive is to harmonise the provisions of Member States laws
in relation to electronic communications to ensure an equivalent level of protection of
fundamental rights and freedoms, particularly the right to privacy, processing of
personal data in the electronic communication sector and to ensure the free movement
of such data and of electronic communication equipment and services in the
community42. One of the new developments of this Directive is that it extends
controls on unsolicited direct marketing to all forms of electronic communications
including unsolicited commercial e-mail (UCE or Spam) and SMS to mobile
telephones.
15
An analysis of the salient points reveals the following in the Directives aims in
ensuring fundamental human rights and freedoms particularly the right to privacy for
subscribers of electronic communications:
While the Directive does not detail the technical measures Member States are to
adhere to in order to ensure they are complying with the provisions of this Article, it
must be pointed out that countries provide legislation on what measures to take in the
event that information security is breached or what actions to take on individuals who
breach systems. For instance, in the United Kingdom, section 1 of the Computer
Misuse Act46 makes unauthorised access to systems an offence. Also the OECD has
provided guidelines to how communication service providers can implement
information security on their networks47. Other measures that may be used to ensure
45
16
information security measures are adequate include adopting standards such as ISO
17799 Code of practice for information security management48 and ISO 15408
common criteria for information technology security.49 Adopting or following these
guides can provide for appropriate security on communication networks.
48
see www.bsi.org.uk
http://csrc.nist.gov/cc/ccv20/ccv2list.htm
50
Article 5 (1)
49
17
are used in the processing of data, the data subject shall be informed why this is being
carried out. The data subject has a right to refuse such processing51.
There has been a great debate relating to the use of cookies52and the fact that they can
invade the rights of users communications. The Directive in recognising this fact and
in an attempt to curb their intrusion on subscribers communications provides in article
5 (3) that they can only be used if the subscriber or user is made aware in clear and
comprehensive terms about how information gathered will be processed. The problem
however with this legislation is the fact that cookies operate in the background
without giving off any warnings that they are operating making them hard to detect.
This makes it difficult to identify organisations that flaunt this law. Also since there
are no sanctions placed on organisations that breach such confidentiality of
communications requirements, this aspect of the article cannot be said to be adequate
in the fight to keep communications confidential
51
Article 5 (2)
Cookies are programs that are used to track users preferences when they visit a website. They can be
stored on ones hard drive without the users consent or knowledge.
52
18
53
Article 8
19
provide the same sort of offerings to their subscribers or where they do not have the
same levels of data protection laws as The European Economic Area54.
54
Guidelines for Customer Line Identification Displays Services and other related Services over
Electronic communications networks available at
www.oftel.go.uk/ind_groups/cli_group/docs/guidelines0902.pdf
55
See European Guidelines for Calling line Identification available at
www.europa.eu.int/ispo/infosec/telcompolicy/en/guidelines.pdf
56
The Privacy and Electronic Communications (EC Directive) Regulations 2003 came into force on
11th December 2003.
57
See Location Data is as sensitive as content data Alberto Escuardo Pascual Royal Insitute of
Technology 22nd November 2001 available at www.it.kth.se/~aep/publications/EUforum/20011127/EU-forum-locationdata.pdf
20
girls phone to her uncle (later convicted for her murder) were in fact being made by
her uncle from one location58.
The directive in recognising the importance of location data provides that location
data can be processed only if it is made anonymous or with the consent of the
subscriber for a value added service but only for the duration that is necessary for the
processing59. The subscriber must also be given the possibility to temporarily refuse
such processing of location data information60.
It is to be noted however that the directive does not state that technology should be
used to enforce the requirement to keep location data private and confidential given
the fact that it can be used to track an individuals movements
58
See bbc.news.co.uk/2/low/technology/2593653.stm
Article 9 Directive on Privacy and Electronic Communications
60
Article 9(2)
59
21
The process of carrying out the above is that it will entitle providers of electronic
communications services to provide access to the calling line identification data and
also the location data without the knowledge or consent of the calling party
constituting the nuisance.
The advantage of this legislation is that it caters for and takes into account the
possibility of abuse of the privilege of calling line privacy.
It also takes into account the fact that there will be situations where being able to
locate a person in distress in due time may be the difference between life and death
and in such situations the right to privacy will be overlooked.
2.2.2.6 SPAM
Unsolicited mail (also known as Spam) has become a major problem it causes loss of
work productivity in wasted time in deleting them and also is an invasion of privacy.
The directive in recognising the harmful effects of Spam provides that there shall be
no automated communication using electronic mail or faxes for the purpose of direct
marketing without the consent of the data owner61. The purpose of the directive in
relation to SPAM is to make sure that EU member states strengthen data protection
measures in relation to SPAM. The EU legislation supports the opt-in62 rather than the
opt-out63approach.
The problem with this piece of legislation however is the fact that due to the nature of
the Internet it may be difficult to prosecute those that habitually send such unsolicited
61
22
mail. Not only because it is possible for those that send such unsolicited mail utilising
the Internet to take advantage of the ease with which one can set up an Internet
infrastructure for a temporary period of time before shutting it down and setting up a
similar site when they have suspicions that they are being investigated or if they are
indeed shut down. But also because it is a well known fact that many of the top 50
Spammers originate from America such that while the legislation may direct
marketers in Europe, those that send unsolicited mail from America will be out of the
jurisdiction of the legislation. Indeed in response to this provision, the Direct
Marketing Association64 has raised concerns that this could penalise small companies
that rely heavily on direct marketing but not protect the consumer from spam email
that originates outside of the EU.
64
/www.the-dma.org/
The amount of data that can be transmitted in a fixed amount of time. For digital devices, the
bandwidth is usually expressed in bits per second(bps) or bytes per second. For analog devices, the
bandwidth is expressed in cycles per second, or Hertz (Hz).
65
23
email. They have also need to include in their acceptable use policies statements that
SPAM will not be tolerated and that subscribers who send SPAM may have their
service terminated. All these measures add to the cost of providing services to
subscribers which in turn can eat into profit margins.
66
24
Note national security and cost issues will be looked at in further detail in this essay in
discussions relating to data retention and lawful interception of communications.
25
71
26
It consists of a number of provisions that are similar to the European Directive on the
processing of personal data and protection of privacy.
Among such provisions is the requirement for telecommunications companies to
ensure the confidentiality of customer proprietary network information. In ensuring
that this is carried out, the Act prohibits the carrier using subscriber information that
has been provided by another carrier for its own marketing purposes76.
The Act also provides that telecommunications carriers that receive customer
information can only use, disclose or permit access to that information in the
provision of the telecommunications service from which the information was
obtained.
76
27
The provisions of this act portray an understanding by those responsible for enacting
this legislation of the abuse and detriment to the customer in the event that location
data is used for purposes other than those for which the customer provided the data.
This is illustrated where the Act prohibits providers of location-based services or
applications from releasing customers location information for purposes beyond
those for which the customer provides express authorisation79and ensure the integrity
and security of location data.
Information that has been collected should be kept confidential except where
disclosure is required by law enforcement agencies granted permission under a court
order to view it.
79
80
Proposed Legislation: S197 Spyware Control and Privacy Protection Act of 2001 A bill to provide
for the disclosure of the collection of information through computer software, and for other purposes.
Sponsor: Senator Edwards, John (D-NC). Latest Major Action: 1/29/2001 Referred to Senate
committee: Senate Commerce, Science, and Transportation
28
29
the laws and they are investigated, nothing stops them from relaunching under a new
name and carrying on the same scam.
It must be mentioned here that even though these legislations have been enacted, there
is still ignorance among data users in relation to what their rights are and when these
have been infringed, according to a UK report only 42% of the public are aware of
their rights under data protection laws81
A way to ensure people are aware of the provisions of data protection legislations
would be the development and dissemination of awareness campaigns that highlight
the importance and effects of these laws.
81
See Information Commissioner Annual Report and accounts for the year ending 31 March 2002,
HC913
30
Laws such as The RIP (Maintenance of Interception Capability) Order 2002 in the
UK and The Communications Assistance for Law Enforcement Agencies Act82
hereinafter referred to as CALEA in the United States are examples of legislations
that force communications service providers to assist law enforcement agencies in
their endeavours to combat such activity.
This aspect of the essay will look at how these laws interact with privacy legislation
showing how they act as a counterbalance to ensure that people do not misuse their
rights to privacy by conducting criminal activity.
Mention has been made in this essay of instances where circumstances such as the
need to combat criminal activity and safeguard national security may lead to data
subjects rights to privacy of communications being overridden. Actions that make up
the activities in combating crime or detecting activities that may be a threat to national
security include law enforcement agencies intercepting communications as well as
sifting through communications data that may have been retained by communications
service providers.
This section looks at the issue of lawful interception and data retention with a view to
dispel concerns that they are an infringement on privacy rights and to show that the
concepts go hand in hand with data privacy in the provision of electronic
communication services it will also look at the impact these concepts have on
communications service providers.
82
47 U.S.C 1001-1010
31
Lawful interception is the terminology used to describe the means by which law
enforcement agencies are authorised to intercept telecommunication sessions as
prescribed by law.
The advancement of technology has led to the need for law enforcement agencies to
curb criminal and terrorist activities. The problem has always been the fact that
criminals have always been able keep a step ahead of the law in their clandestine
activities. The convergence of communications systems has led to easier, faster and
cheaper means of communicating, this in turn has allowed criminals and terrorists to
be able to take advantage of these systems to communicate with each other or to use
the systems to carry out illegal activities.
The convergence of voice, data and Internet technologies has led to a new type of
communications network. Prior to convergence one mainly dealt with the circuit
switched84 fixed line telephone networks in relation to lawful interception. However
with the explosion of the Internet has come the packet switched network85which is
being touted as the replacement of the circuit switched network now that convergence
has occurred.
83
32
Recent legislations have been enacted in order for lawful interceptions to be carried
out on systems utilising these new communications technologies. In the UK, The
Regulation of Investigatory Powers Act 2000 replaced the Interception of
Communications Act 1985 to take account of technological advances in
communications and to cater for the growing use of the Internet and electronic mail.
Interception of communications can take place in a number of ways:
Pen registers and trap and trace devices: A pen register records only the
numbers of outgoing telephone calls. While a trap and trace device is used to
capture the numbers of incoming telephone calls86.
Standard Telephones:
Standard telephone systems are susceptible to wiretaps. There are many
locations where a wiretap can be placed. For example, microphones in many
older telephones handsets can be replaced with one that can also transmit to a
remote receiver. Taps can also be placed at the telephone boxes in the
basements of buildings, on the lines outside the house, or on the telephone
pole junction boxes near the target of the surveillance. A once common
technique used by police forces was to remotely monitor calls by having lines
86
Trap and trace devices are one of the methods used by authorities in the United States to intercept
communications
33
run from a telephone company central office where the local switching
equipment is located to a monitoring station in a government office.
Wireless Communications
The use of wireless telephones has become extremely common. There are also
millions of cellular telephones in use. In developing countries, wireless
communications such as cellular and satellite-based telephones are also
popular as a means to avoid laying new telephone lines in areas that were
previously undeveloped. However, they are easily intercepted and should not
be thought of as giving greater protection from eaves dropping than fixed line
phones.
Cordless telephone communications are especially easy to intercept. Many of
the older models broadcast just above the top range of the AM radio band and
conversations can be easily overheard with any AM radio and can be
intercepted with an inexpensive radio scanner purchased at most electronics
stores for under $100.00 in the United States. The range of interception can
extend to nearly one mile.
Cellular phones have the same problems as cordless. They also broadcast over
airwaves like a radio. Inexpensive scanners are available on the market that
can intercept conversations. In addition, some cellular phones can be
programmed to act as scanners to intercept other calls. There is also equipment
available to law enforcement, which can track and monitor cellular
conversations as they move around a city.
Unencrypted Wireless networks are also prone to scanning and intercept
vulnerabilities and can actually be scanned using a Pringles tin87 as an aerial
87
34
Sniffing is the act of using a device to analyse network traffic relating to communication and
computer systems
89
Joseph Fried, Police Filch Faxes to Snare a Gambling Ring, NYT , June 3, 1990 at 33.
90
Eaves Dropping detecting David Bansar 1995
91
Section 9(1) Telecommunications Act 1984 defines public communication system as that so defined
by the Secretary of State as that authorised by licence via Section 8 of that Act
92
Any telecommunications system which not being a public telecommunication system is a system to
which is attached directly or indirectly to a public telecommunications system and there is apparatus
comprised of the system located in the United Kingdom for making the attachment to the public
communication system Section 2 (1b) RIPA 2000
93
Section 1 (1) Regulation of Investigatory Powers Act 2000
94
R V Effick 1984 Crim LR832, 99
35
In this case the European Court of Appeal ruled that interception of telephone calls
made on an internal system operated by the police was an infringement of Article 8 of
the European Convention on Human Rights which provides amongst other rights the
right of respect to ones privacy of correspondence. The only way this right may be
interfered with is when it is performed by public authorities is in accordance with the
law96.
In the United Kingdom, the Regulation of Investigatory powers Act 2000 also covers
interception of private telecommunication systems97.
The 2003 Telecommunications Act also makes it an offence for one to disclose the
content of messages or information concerning the use made of services provided98
However it is to be noted that there are certain circumstances where interception of
communications will not be illegal, such situations are typically when law
enforcement agencies are given the permission by a higher authority to intercept
certain data communications.
95
36
100
37
while those for serious crime are valid for a further three months following each
subsequent renewal103.
In the United States, The Federal electronic surveillance statutes104 provide that a
high-level Department of Justice official specifically approve the use of any of these
types of electronic surveillance prior to an Assistant United States Attorney obtaining
a court order authorising interception.
In Australia, warrants for lawful interception are granted by judges or nominated
members of the Administrative Appeals Tribunal105
While it is important to maintain the principles and powers of lawful interception, the
challenge of doing so correctly is tempered by the need to ensure that in carrying it
out human rights and data protection legislations are not infringed.
While the main issue for lawful Interception of communications on public telephone
systems is to identify criminal and terrorist activity, one needs to know exactly what
data can be lawfully intercepted.
3.3 What is intercepted under lawful Interception?
Generally speaking when the right is granted to intercept a communication it will
involve the intercepting of communications data, which embraces the who, when
and where in relation to a communications transmission106.
Communications data in turn can be broken down into the following categories:
Traffic data: This contains information that identifies who the subscriber
contacted, their location as well as that of the person they have contacted and
what time the contact was made.
103
38
Service data: This identifies services used by the subscriber and how long they
were used.
Subscriber data: This identifies the user of the service their name address and
telephone number107
RIPA provides for, and regulates the use of investigative powers, by public
authorities109. It updates the law on the interception of communications previously
provided by The Interception of Communications Act 1985 and the Police Act 1997.
It now enables state authorities to intercept communications in line with technological
changes such as the growth of the Internet.
Under the RIPA, the Police, Inland Revenue Customs and Excise and the security
services may acquire access to communications data via the warrant; however this
may be extended to other local authorities by order of the secretary of state thus
allowing such authorities to lawfully intercept communications data.110
It is to be noted however that even though the Act allows for authorities to intercept
data, this does not mean that they can share any information i.e. information derived
107
39
from a lawful intercept warrant used by the police cannot then be shared with the
Inland Revenue.
The Lawful Business Practices Regulations allow for the lawful interception of
communications in the course of its transmission by means of a telecommunications
system with or by consent of the system controller under the following conditions.
Monitoring quality control and staff training (but not for marketing or market
research)112
It is to be noted that such interceptions are authorised only if the controller of the
telecommunications system has made all reasonable efforts to inform potential users
that such interceptions may be made.
The importance of this legislation is that it reduces the privacy rights of those that use
private telecommunication systems
111
40
The police are empowered to obtain evidence in criminal investigations once they
have obtained an order through the consent of a circuit judge. This is illustrated with
the NTL115 case where the high court confirmed the rights of the police to require a
telecommunications provider (NTL) to take steps to intercept e-mails addressed to its
customers. It is to be noted that this right was not exercised by powers under RIPA,
rather they were as defined by the Police and Criminal Evidence Act 1984 (PACE)
which allows a police constable to obtain access to excluded material or special
procedure material for the purposes of a criminal investigation.116
Many are concerned that authorities enabled to access communications data under
RIPA might abuse such powers. In an attempt to reduce authorities abusing such
powers, safeguards have been introduced
These include:
115
41
In the United States, wiretap laws, and procedures used by state courts and law
enforcement agencies to implement those laws, are subject to two important
constraints: first, the Fourth Amendment to the United States Constitution, as
incorporated in and made applicable to the states by the Fourteenth Amendment; and
second, the restrictions of the ECPA.
These constraints were codified and made more specific in Title III of the Omnibus
Crime Control and Safe Streets Act of 1969. This Act establishes the substantive and
procedural requirements for federal interception orders and pre-empted less restrictive
state requirements.119 In 1986, Congress updated those requirements by means of the
ECPA, which addressed newer communications technologies such as mobile
telephones and electronic mail. This law provides the statutory framework that
governs the real-time electronic surveillance of the contents of communications.
118
Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (1986).
Omnibus Crime Control and Safe Streets Act of 1969, Pub. L. No. 90-351, 82 Stat. 197
(1968)(codified at 18 U.S.C. 2510-2521 (2000)), reprinted in USCCAN 1968 237.
119
42
The ECPA broadly prohibits the interceptions of wire, oral and electronic
communications, except where those interceptions comply with the ECPA
requirements.120
These requirements are to ensure that law enforcement officers in their attempts to
gather evidence of crimes through communications systems comply with statutes that
protect individual privacy. Where interceptions will are made by law enforcement
agencies, the ECPA specifies the authorisation levels of officials who may apply for
an order, the crimes or categories of crimes in connection with which an order may be
sought, the probable cause showing that the applicant must make, and the findings
and minimisation requirements that the order must contain.121 These are stringent
procedures violations of which may result in the imposition of civil liability actions
on lawful enforcement officials.
For accountability purposes, the ECPA also requires state and federal courts issuing
interception orders to make detailed reports concerning those orders to the
Administrative Office of the United States Courts.122These reports are a means of
ensuring that there is an audit trail of orders that have been granted.
120
18 U.S.C. 2511.
Id. 2516-2518.
122
Id. 2519. Pen registers and trap-and-trade devices also are subject to federal statutory constraint.
Id. 3121-27.
121
43
In order to ensure privacy is not infringed, state authorised interceptions may only be
carried out by the investigative or law enforcement officers having responsibility for
the investigation of the offence to which the application is made. An exception to this
rule is that private contractors may be permitted to conduct interceptions, so long as
the contractors personnel are under the supervision of an investigative or law
enforcement officer authorised to conduct the interception.123
It has to be mentioned however that while there is an argument that the statutory
authority to hire contractors for surveillance duty frees professional law enforcement
personnel from the drudgery of staffing monitoring stations, it complicates the task of
ensuring that persons who conduct surveillance are experienced and properly trained
in the intricacies of executing an electronic surveillance order124. It also creates
opportunity for the infringement of privacy in the sense that contractors may not have
the same duty of care that law enforcement officers have when dealing with
intercepted data. Also it creates an opportunity to dismiss the accuracy and integrity
of the analysis of the data.
123
Id. 2518(5).
Focus Paper of Charles H. Kennedy Presented at 2002 Enforcing Privacy Rights symposium
125
The USA PATRIOT Act is not a stand-alone Act. It amends over 15 Federal Statutes visit:
www.llrx.com/features/libraryrecords.htm
124
44
The Patriot Act however goes a step further than the ECPA in relation to Interception
in that grants law enforcement agencies the power to access ISP networks without a
warrant to track activities.
Section 216 of the Act significantly increases law enforcement authority to use trap
and trace and pen register devices.
There is no doubt that national security interests must be safe guarded, however this
Act does go beyond the scope of previous legislations that safeguard personal
information from government intrusion. Indeed the fact that it allows law enforcement
agencies to access communications data without a warrant raises an eyebrow as to
whether we have seen the right to privacy of communications being revoked in the
United States. Under ECPA certain procedures needed to be followed under the
PATRIOT Act, a warrant is not required to track activities and government
departments can share data. This is state of affairs is defiantly an encroachment on
rights to privacy of communications.
45
The Act has two main objectives, first of which is to provide users of the Australian
telecommunications services with privacy and the other contrasting albeit legal aspect
of allowing for certain lawful interception under the auspices of a warrant where
certain listed offences are deemed necessary to investigate,
After a message has been delivered to the intended recipient (i.e. has completed its
passage over the telecommunications system) law enforcement agencies can lawfully
access the content of the message with a search or seizure warrant. Such a warrant
may cover the recipient's equipment (e.g. computer containing downloaded email) or
the service provider's equipment when a copy of the message remains on their
equipment.
46
Certain safegauards to ensure interception is not abused have been placed into the Act
this can be illustrated where the Australian police and National crime authority are to
mainatain a record of intercepted messages
3.5 Lawful Interception requirements of Communications service providers
Co-operation is required between law enforcement agencies and communication
providers. The dilemma for the communications service providers however is the
balance between customer confidentiality and the assistance in the curbing and
detection of criminal activity.
In providing this assistance to agencies that have been granted the right to intercept
communications, the communications service providers role begins with its obligation
to maintain an intercept capability as may be required by the Secretary of State126this
is further backed up by the RIP (Maintenance of Interception Capability) Order 2002
which lays interception obligations upon communications service providers who
provide a public telecommunications service to more than 10,000 persons in any one
or more parts of the United Kingdom127.
126
127
47
128
48
other such that there can be no disputes in relation to the intercepted data. This
would for instance mean that where permission is granted to intercept
communications of intercepted data carried out on the first of September 2003
between 12:45pm and 1:15pm should not be mistaken and distinguished from
unrelated data intercepted on September between 1:16pm and 1:55pm. In
other words the data that has been intercepted and the communications
transmitted with it should be unmistakably linked.
Ensure filtering to provide only the traffic data associated with the warranted
telecommunications identifier where reasonable134There is no doubt that this
provision recognises the fact that there must be accuracy and integrity of the
communications that are to undergo surveillance as such in attempting to
131
The handover interface is the physical and logical interface across which the interception measures
are requested from network operator/access provider/service provider, and the results of the
interception is delivered from the network operator/access provider/service provider to a law
enforcement monitoring facility
132
Article 2(8)
133
For more information on standards relating to interception see www.opemtap.org.documents/es201671.pdf
134
Article 2(9)
49
minimise errors it provides for the requirement that the data to be intercepted
should be separated from any other data not associated with the
communication under surveillance.
Ensure that the person on whose application the interception warrant was
issued is able to remove any electronic protection applied by the ISP to the
intercepted communication and the related communications data135; In
recognising the fact that data can be eavesdropped on while it is being
transmitted, it is not unusual in order to ensure the confidentiality of the data
while it is being transmitted to secure it with encryption. Where the decryption
key is available to the CSP this provision obliges it to use the key to decrypt
the communications into legible form for the law enforcement agency to
decipher the communications.
Ensure that the reliability of the interception capability is at least equal to the
reliability of the public telecommunications service carrying the
communication, which is being intercepted136. This provision recognises the
fact that complications may arise where one system is not functioning as well
as the other. Such a scenario may lead to a situation where data is corrupted by
the less reliable system which has the potential of making the datas integrity
being disputed as such the provision requires both the system used for
intercepting the communications and that which transmitted the
communications to be working to the same efficiency levels.
135
136
Article2 (10)
Article 2(12)
50
137
138
51
disclose the physical location of the subscriber, except to the extent that the
telephone number can determine location139.
139
140
52
141
53
Legislations have with the advent of the September 11 attacks also been enacted as a
recognition of the importance in retaining communications data for analysis in
identifying suspicious traits. This has spurned the issue of data retention, which
involves the storing of communications data such that it can be retrieved at a later
date by law enforcement, intelligence and security agencies. Data retention differs
from lawful interception, which involves the capture in real time of communications
content.
Indeed in the UK the Anti-terrorism, Crime and Security Act 2001 (ATCS) was
passed almost immediately after the September attacks in the United States. Part 11 of
the Act sets out requirements for retention of communications data.
Section 103 of the Act allows the secretary of state to issue a code of practice to
communications providers on the retention of communications data they have
obtained or which is in their possession142. It is to be noted however that there is no
provision given relating to the maximum period of time within which data must be
retained. However in response to a EU questionnaire on data retention143, the UK
stated that currently the time periods under consideration vary according to the data
type. Usually the period ranges from a minimum 6 months to a maximum of twelve
for retained data.
It must be stated that one of the conflicts relating to retention of data is the issue of its
legality especially where human rights are concerned. The retention of data by
communications service providers for periods longer than is required for business
may contravene issues in respect of privacy as provided for by Article 8 of the
142
54
European Convention on Human Rights. Also to be noted is the fact that one of the
data protection principles provides that data that has been processed should not be
retained longer than is necessary for the reason that it has been processed.144
Indeed some communications service providers fearful that a data regime is adopted
would make the courts treat them as public authorities and so they as well as any
requesting authority would be open to action under the Human Rights Act. However
in his evidence Dr Walden stated that this was a small risk, going on to say that if the
ATCS Act was not human rights compliant then it would not be unlawful for the
Communication Service provider to comply with it145.
The All Party Internet Group in its critical report called for the code of practice to be
made mandatory so that ISPs would be protected from legal action under the Human
Rights Act and the Data Protection Act when complying with measures in the code of
practice146.
Appendix A of the Consultation Paper on a Code of Practice for Voluntary Retention
of Communications Data provides the time periods deemed necessary by the
Secretary of State for communications service providers to retain communications
data for national security purposes147. The retention of such data in the normal course
of business by communications data may be retained for either longer or shorter time
frames. This obviously leads to a scenario of dual data retention regimes. Where these
data retention regimes are used in conjunction of each other, then in order for them
not to be in contravention of the data retention principle of the Data Protection Act,
then when the shorter of the two time frames expires data may only be retained for the
144
55
purpose of the longer period. For example if the first period to expire relates to
national security then after its expiry the remaining period of retention can only be for
business purposes and on expiry of that period the data must be made anonymous or
be deleted.
The question then is what sort of data is to be retained? A good staring point for this is
the ATCS which provides that the secretary of state issues a code of practice relating
to data held or obtained by communications providers148. This would suggest that it is
data that is obtained during the normal course of business operations, which is
communications data. RIPAs definition breaks communications data into three
different categories mainly traffic data, use made of service and other information
relating to the subscriber.149 An analysis of this definition shows that the following
types of data will need to be retained:
Subscriber information
Consisting amongst other things of the subscribers name, date of birth, billing
address, telephone number and email address, IP address at registration
Telephony data
Including amongst other data all numbers associated with the call, date, time start
duration and end of the call, for GPRS150 and 3G date and time of connection of
the call
This includes calling and called number IMEI154, date and time of sending
Email Data
148
56
This consists amongst other data of the logon user name date and time of
logon/logoff , information relating to email sent such as the authentication name
date and time sent
ISP Data
This will include user login name and the IP address assigned CLI155 and number
dialled
To include proxy server logs IP Address used and URLs that have been visited
note this will not include the content of the communication
Other Services
This will if available consist of the logon and log off times of Instant message
type services
Collateral Data
This will normally involve data required to interpret other communications data156
57
how they operate. This will require them to assess amongst other things the detailed
requirements of the code of practice, the manner in which policies such as data
protection, collection, archiving and security are to be implemented and also the
manner in which processes for handling requests for the disclosure of data subject
information are to be handled157. After this analysis is performed, technical measures
in relation to their operations will need to be adapted to ensure that the retention of
such data can in fact be carried out.
The communications service providers technical solutions to cater for data retention
will invariably consist of ensuring their systems are capable of archiving such data
this will involve ensuring systems have the capacity to store such data for the
stipulated time periods as warranted by the code of practice. They will also need to
ensure that they have appropriate systems tools to assist in the retrieval of data when a
request comes in. This also involves the formatting of data to ensure it can be
interpreted by the requesting agency. Coupled with this will be the need to ensure that
data cannot be compromised, this will encapsulate implementing information security
and quality assurance measures.
As has previously been mentioned, the cost to the communication service provider in
retaining data can be extremely huge. It has been identified that the high cost of the
requirement by communications service providers to retain data may lead to a barrier
of entry to would be participants to the market, which may in turn harm competition
along with making the subscriber being made to offset the costs by being asked to pay
157
See page 11 White Paper on Data Retention for Regulatory Compliance 2002 Cartesian Group
58
higher service charges158. It has thus been suggested that governments should assist in
covering the costs of mandatory data retention infrastructures and also bear some
costs where requests are made for access to retained data159.
3.8 Conclusion
In summarising this section of the essay, it can be seen that lawful interception does
not go against the principles of data protection legislations. Rather it can be said that it
provides the check that is needed to fight criminals who abuse the privileges granted
by communications privacy rights in their attempts to use it as a clock to carry out
serious criminal or terrorist activity.
158
See Common Industry Statement on Storage of Traffic Data for Law Enforcement Purposes page 8
4th June 2003. Available at
www.statewatch.org/news/2003/jun/CommonIndustryPositionondataretention.pdf
159
see reference at page 9
160
Statutory Instrument 2002 No. 1931 The Regulation of Investigatory Powers (Maintenance of
Interception Capability) Order 2002
59
There is no doubt that the rise in criminal activity has led to amendments in
legislation to cater for new methods of communicating. The legislations are attempts
to close the gap between the sophistication of criminal activity using communication
systems and the law in being able to provide legislation to close any loopholes due to
a lack of appropriate legislation in these areas.
While these laws are aimed at ensuring law enforcement, agencies must operate
within the perimeters of the law when they intercept communications, indeed in the
United states sanctions in the form of civil liabilities can accrue to those that do not
adhere to procedures.
It can thus be said that there are certain instances when the privacy of an individual
whose actions go against national security laws or who has committed or is in the
process of committing a serious crime may have their data accessed without the
communications service provider being made liable for not keeping such data
confidential. It should by now be realised by all individuals that with the manner in
which computers are used to either commit crime or used to transmit messages that
provide information on how or when a crime is to take place time, that law
enforcement agencies will at some point have to gain access to such data so that they
can either prevent the crime from taking place or use the data to prove that certain
individuals are responsible for criminal activity. This cannot be said to be a
60
However legislation such as the PATRIOT Act does send a warning that the right to
privacy of communications as we know it may be over. Also such legislation can
indeed be a catalyst for other legislations being enacted which place the right to
privacy of the individual on a lower level than the right of the state to monitor
communications for signs of criminal or terrorist activity.
One of the basic misconceptions about information security is that it is all about
technology. This conception can be no further from the truth. Indeed while technology
enhances security it only forms part of a wider process. Other factors such as
appropriately skilled resources; policies and procedures, assessments, training and
161
61
educational awareness along with management and legal requirements form the full
process of deploying appropriate security measures162.
It can be seen from the previous sections of this essay that implementation of
information security measures are a critical factor in reducing the risks of personal
data being compromised. Information security assists in ensuring the integrity of
exchange of communications data between systems of the CSP and those of agencies
granted permission to intercept the communications. Both the Data Protection and the
Privacy and Electronic Communications Directives contain articles that provide that
adequate security measures should be implemented.
162
See Thomas J.Smedinghoff: Developing U.S Legal Standard for Cybersecurity pages 4-11 may
2003 available at www.bmck.com/ecommerce/articles-s.htm
163
In the truest sense of the word, "hacking" involves actions taken by a dedicated programming expert
who believes in sharing his expertise and experiences with other hackers. A hacker does not believe in
62
With the rise in the spate of attacks on communications networks, a number of issues
came to light. The first was that many of these attacks were targeted at commercial
enterprises that were rich in customer information, and secondly that many of these
attacks were successful because corporations did not have effective security measures
to either alert when these attacks were occurring and also because they had not
implemented appropriate security measures to stop these attacks from being
successful.
63
communications service provider owes to its subscribers in protecting their data and
secondly the duties it owes to law enforcement agencies in their quest to tackle crime.
164
Section 5 (1) Privacy and Electronic Communications (EC Directive) Regulations 2003
Section 5 (4) Privacy and Electronic Communications (EC Directive) Regulations 2003
166
Part 2 section 9 (a & b) Data Protection Act 1998 Sch 1
165
64
167
169
65
users whose data have been compromised due to service providers not implementing
security measures?
In the United Kingdom, data protection offences are dealt with by the Information
Commissioner170 whose powers enable him to prosecute those that breach principles
of the Data Protection Act171. It is to be noted however that while there is no specific
offence in relation to not implementing adequate security measures, the Information
Commissioner may where he is satisfied that data protection principles have been
contravened serve an enforcement notice requiring compliance172. A subscriber whose
information has been breached due to lack of adequate security measures, may lay an
official complaint to the information commissioner who will look at each event be on
the merits. Punishments for contravention tend to vary from the serving of the above
mentioned enforcement notices, a 5000 fine or an unlimited fine173.
The second aspect of security communications service providers have to cater for
relates to retention of data. As has been mentioned in earlier sections of this essay,
communications service providers have an obligation to maintain data retention
capabilities174 thus mandating the retention of the traffic and location data of all
communications taking place over mobile phones, SMS, landline telephones, faxes, emails, chat rooms, the Internet, or any other electronic communication device.
Communications service providers will need to ensure that systems on which retained
data is held also have adequate security measures placed on them. Measures taken
170
The information commissioner is an independent officer who is appointed directly by Her Majesty
the Queen and reports directly to parliament
171
Powers and duties of the commissioner, Chapter 7 Data Protection Act 1998 Legal Guidance. see:
www.informationcommissioner.gov.uk/cms/DocumentUploads/Data%20Protection%20Act%201998%
20Legal%20Guidance.pdf
172
Section 40 (1) Data Protection Act 1998
173
Enquires made to the information commissioners office in relation to sanctions imposed for breach
of security measures call +44 1625 545 700
174
Article 15(1) Directive 2002/58/EC
66
will need to ensure that the data maintains its confidentiality, integrity and
availability. Adequate measures in technical terms will need to include ensuring the
data is stored on systems that have restricted access along with logging175 facilities
which identify who accessed data, what times they accessed such data and whether
any modifications were made to the data during the time the user of the system logged
on. This is obviously a paramount requirement due to the fact that the evidence that
may be given in relation to the data may lead to the aversion of a criminal or terrorist
activity or indeed the acquittal or conviction for an alleged offence.
For successful implementation of lawful intercept systems, appropriate security
measures need to be implemented to ensure access control and authentication at the
hand-over interface. The methods for achieving this can be seen in standards such as
the ETSI standard for lawful interception176. The access control and authentication
issues are extremely important as it has been identified by the 2003 FBI computer
crime survey177of 488 respondents, 77% stated that the likely source of attack on
proprietary information was disgruntled employees.
It can thus be seen that communications service providers are being influenced on
how they adopt information security measures by legislation not only for the
protection of subscriber personal data but also in the maintaining if systems that may
provide information to law enforcement agencies in the fight against crime and
terrorist activities.
175
See also Part 2 section 13 of The Regulation of Investigatory Powers (Maintenance of Interception
Capability) Order 2002
176
67
5 Concluding
As is evident in the body of this essay, the issue of privacy is a fundamental social
principle. Ensuring that there is an appropriate legal framework to ensure privacy is
not infringed upon and when it is that the legislation is able to provide the vehicle for
appropriate sanctions is paramount.
The first is the privacy of subscriber/client information and the second being the
provision of assistance to law enforcement agencies in their fight against crime.
This is where the balance between privacy of the individual and the combat of
criminal activity are linked.
In order to ensure that law enforcement agencies do not abuse their power when they
are granted access to communications data, there is no doubt that safeguards need to
be implemented in the form of procedures that are duly followed to the letter along
with a monitoring and audit of the usage of such privileges granted to law
enforcement agencies.
While it can be stated that data retention legislation is a reaction to events that
occurred on Sept 11th 2001, legislation relating to the processing of personal data and
lawful interception have been enacted or amended recently as a reaction to changes in
68
technology. For instance the new privacy and electronic communications directive
now includes provisions relating to location data.
In order for the above mentioned legislations to have bite, they need to ensure
communications service providers adopt a more rigorous approach to maintaining
privacy of communications and personal data. One of such ways would in my view be
to ensure that technologies that can be used to enforce these laws are adopted
immediately by communications service providers. This can be effected by regulatory
bodies making it mandatory for them to provide certificates of compliance on an
annual basis stating that they (CSPs) have adopted latest technologies as specified by
these bodies. Where organisations do not provide certificates on due dates, sanctions
must be imposed for non compliance which should include both a monetary fine
along with publication on the regulators site of the names of providers that are in
breach.
In order to ensure that the certificates are genuine regulatory bodies must have the
power to randomly select certified communications service providers to ensure that
information provided is accurate.
While on the one hand the effect of such measures on communication service
providers would be that they purchase, maintain and update these technologies, it will
provide a means of showing that are capable of meeting the requirements of their
clients in relation to maintaining privacy of communications. Such a measure will
also provide easier means of detecting when a service provider is not meeting its
obligations.
69
It must be mentioned that as electronic commerce grows, technologies that will enable
criminals to subvert communications networks either in the form of gaining
unauthorised access to networks, using false or stolen identities to pay for goods and
or services and also to commit terrorist activities will become more widespread . With
this in mind it is apparent that more robust authentication and screening technologies
which are able to filter communications using artificial intelligence screening
capabilities will be required to be developed and utilised by communications
providers. With this state of activity it can be seen that there is the possibility that the
role of the communication service provider over the next decade will shift from that
of providing a communications services to one where it is being used as the first point
of contact to thwart criminal and terrorist activities conducted via communications
networks.
Also to ensure healthy competition in the communications service provider
environment, governments need to come up with a policy on subsidising the costs of
retaining data.
As a last thought I believe that a harmonised legal framework on minimum
information security must be adopted and be legally binding on communications
service providers. While the Data Protection Directive and the Privacy of
Communications Directive have made mention of the fact that information security
measures must be implemented, there needs to be a separate information security
legislation which specifically outlines the minimum requirements that should be put
into practice by organisations that handle personal data. This framework will
undoubtedly need to be of global dimension and universally accepted by all countries
otherwise criminals and hackers will look to attack systems belonging to those with
the least effective measures which in turn may impact other environments worldwide.
70
The adopted information security legislation should have wordings similar to the
Gramm-Leach-Bliley Act in the United States along with implementation of technical
measures as identified by both ISO 15408 and ISO 17799. The effect of this on
communication service providers is that it will also mean that they deploy more
resources in the way of staffing, training and technology to ensure information
security meets these minimum requirements.
These recommendations along with better awareness campaigns will allow the general
public understand fully the issues surrounding the need for lawful interception and
retention of private information especially when there is a need to thwart criminal
activity and remove threats to national security. It will also help to dispel the fear that
there is an erosion of rights to privacy.
71
Bibliography:
Access to Communications Data: Respecting privacy and protecting the public from
crime, Consultation Paper March 2003
American Civil Liberties Union 1998 Big Brother in the Wires: Wiretapping in the
Digital Age, March 1998. Available at
www.aclu.org/issues/cyber/wiretap_brother.html
Akdeniz Y 2001, The Case against RIP at www.sourceuk.net/indexf.html?01546
Bohm et al, 2000 Electronic Commerce: Who Carries the Risk of Fraud? The
Journal of Information, Law and Technology (JILT). www.elj.warwick.ac.uk/jilt/003/bohm.html
Bro & Hengesbaugh 2001, Implementing the U.S.-EU Data Privacy Safe Harbor
available at www.bmck.com/ecommerce/articles-p.htm
Bygrave L 2002, Data Protection Law: Approaching its rationale, logic and limits
Carter D L & Katz A J 1997, Computer Crime: An Emerging Challenge for Law
Enforcement.
Cartesian Group 2002, Data Retention for regulatory Compliance
CCTV Looking out for you Home office publication November 1994
CSI/FBI Computer crime and security survey 2003
Cyber-Rights & Cyber-Liberties (UK), "Who Watches the Watchmen: Part III - ISP
Capabilities for the Provision of Personal Information to the Police," February 1999,
at http://www.cyber-rights.org/privacy/watchmen-iii.htm
Economist Intelligence Unit 200: Private Investigations: Data Privacy and the
challenge to business available at www.ebusinessforum.com/upload/privacy.pdf
72
Eisner R S 2002, Ignorance Isn't Bliss: What you need to know about EU data privacy
law, Legal Research Centre
Elliot C 1999, The legality of the interception of electronic communications: a
concise survey of the principal legal issues and instruments under international,
European and national law
Goemans C 2002, Law enforcement and data privacy: difficulties to accommodate
Hoofnagle C J 2002, Consumer Privacy In the E-Commerce Marketplace, Third
Annual Institute on Privacy Law 1339, Practicing Law Institute G0-00W2
Policy leadership on cyber security questioned: Cyber crime Law Report Vol 3 No 8
2003
Electronic Privacy Information Centre and Privacy International 2002, Privacy and
Human Rights, An international survey of privacy laws and developments available at
www.privacyinternational.org/survey/phr2003/
Rathmell A 2002, Regulating Security: Telecoms Regulation and Information
Security
Joint Economic Committee United States Congress 2002 Security in the information
age: New Challenges, New Strategies
Pascual A E 2001, Location data is as sensitive as content data available at
www.it.kth.se/~aep/publications/EU-forum/ 20011127/EU-forum-locationdata.pdf
OFTEL 2002, Guidelines on the essential requirements for network security and
integrity and criteria for restriction of access to the network available at
www.ofcom.org.uk/.../acts/sacot/resp2002/essential_requirements_for_network_secur
ity_and_integrity.htm Reed & Angel 2000, Computer law
73
74