Last year, the Guardian published an order under Section 215 of the PATRIOT Act made to Verizon, which made clear that the NSA was collecting details of phone calls made by American citizens not on a targeted basis, but in bulk.
We have a simple question – is the same happening here?
Appearing before the Home Affairs Select Committee on Tuesday, our Director raised this issue and revealed that BT had refused to deny that it hands over data in bulk:
“Late last night I received a letter from British Telecom refusing to deny that they are handing over information in bulk on thousands or millions of British citizens and that mirrors a refusal to deny the same situation in a parliamentary answer received by Mr Davis.”
“My concerns is that there is the activity going on under the Telecommunications Act that is unsupervised and that is why BT cannot publicly refuse that they are handing over information in bulk.”
If GCHQ or any other agency is obtaining mobile phone data through the Dishfire programme without a RIPA notice, that is circumventing British law.
The statements made have sought to only address questions about content being accessed, not metadata. This confusion should be urgently addressed.
Under UK law, if an agency or police force want access to details of who you have texted, where you were when you sent or received a text or the dates and times of your text massages they can obtain it from your phone company. The Regulation of Investigatory Powers Act (RIPA) provides for this. Such powers relate to obtaining communications (or meta) data and not content. Acquiring content requires a warrant from a Secretary of State.
Yesterday’s Sunday Times carried an alarming story on its front page about the mobile phone data of 27 million EE customers being sold to IpsosMori, and in turn onto third parties including the Met Police.
The paper would clearly have not published without a sufficiently high standard of evidence and the Met police’s reaction – to suddenly announce it was abandoning the plans, despite high-level meetings in recent weeks – suggests a nerve has been touched.
The paper’s evidence is clearly damming. “Documents to promote the data reveal that it includes “gender, age, postcode, websites visited, time of day text is sent [and] location of customer when call is made”. They state that people’s mobile phone use and location can be tracked in real time with records of movements, calls and texts also available for the previous six months.”
We have already made Freedom of Information Act requests for these documents, and urge IpsosMori to publish them urgently to allay public concerns.
Everything Everywhere needs to come clean on what data it is releasing, and why it is storing this data where there is no business purpose.
Today’s Daily Mail carries a suitably sensational story courtesy of the Government’s new advisor on childhood.
According to the piece, “Claire Perry said that in a world where youngsters are surrounded by online dangers, parents should challenge the ‘bizarre’ idea that their children have the right to keep their messages private.” In other words (as the paper’s headline suggests) if you’re a parent, you should “Snoop on your child’s texts”.
We’re not entirely sure how a Conservative MP and a newspaper usually committed to reducing state interference in our lives are able to square away issuing parenting diktats, but more concerning is the total lack of any evidence to support these claims.
The Information Commissioner’s Office (ICO) has today served monetary penalties totaling £440,000 on two owners of a marketing company which has plagued the public with millions of unlawful spam texts over the past three years.
This is the first time that the ICO has used its power to issue a monetary penalty for a serious breach of the Privacy and Electronic Communications Regulations (PECR) since these powers were approved in January 2012.
The investigation under the Data Protection Act into the pair continues, however the only penalties available under that legislation are fines.
Fining these two individuals may sound a serious step, but given they have deliberately sought to exploit people they should be facing jail, not fines that may well end up never being paid. The Government continues to dither about introducing a custodial sentence for breaching the Data Protection Act, despite it already being on the statute book, and this is unacceptable.
People need to know that unlawfully using or trading personal information, whether that being to access private information for gain or to target people with unwanted spam messages will be taken very seriously and a prison sentence is the best deterrent available. We risk a situation where the fines levied by the Information Commissioner become a cost of doing business for the most serious abusers of our personal data.
This action is welcomed, but until the courts can properly punish people with a prison sentence, our privacy will not be as well protected as it should be.
Last month we detailed how one of the key statistics being relied upon by campaigners calling for ‘default blocking’ of some internet content was based upon one very dubious survey in a single school.
This kind of deliberately misleading scaremongering undermines the discussion about how best to protect children, and now it’s clear that commercial pressures are also leading to dodgy stats being pushed into the debate.
This week, the Advertising Standards Authority has rebuked Carphone Warehouse for it’s marketing of a service we’ve previously been very critical of, Bemilo. The service hit the headlines for it’s feature that allowed parents to read the text messages of children, prompted by our warning that parenting is not spying.
July 16, 2012
Posted in CCDP, Civil Liberties, Communications Data Bill, Data Protection, Databases, Mastering the Internet, Mobile Phones, Police, Privacy, Surveillance
In his latest report Sir Paul Kennedy, the Interception of Communications Commissioner details how two members of the public were arrested by police and wrongly accused of crimes because officials wrote down the wrong numbers.
Two police forces were given the wrong information by a communications service provider (CSP) which led to two people being wrongly detained and accused of crimes last year. The case is currently under investigation, but highlights acutely the risks of error in accessing communications data. Equally, it is surprising that communications data was used to detain two people without any other corroborating evidence.
The report also found one official at a council was self-authorising requests for information by acting as applicant, authorising the application and then collecting the data while 52 requests in two local authorities were not approved by someone of sufficient seniority.
There are clearly serious problems with the authorisation process that allows hundreds of errors to go undetected in almost 900 cases. Furthermore,at a time when the Government is planning to massively increase the amount of data communications service providers must keep on their customers it highlights the stark gaps in safeguards and the weakness of authorisation processes that almost never require court approval.
The report fails to offer any evidence on the effectiveness of the 494,078 requests although it is fair to say that the 11% fall in data requests has not lead to a significant increase in the crime rate, or a fall in the clean-up rate.
As the Communications Data Bill is scrutinised, the very least the public deserve is a credible justification of why we should all be treated as suspects. This report does nothing to reassure anyone about the effectiveness of safeguards or the need for further surveillance, but does highlight the real threat to privacy increased data retention poses.
According to press reports, the Metropolitan police intend to retain indefinitely information recorded from a mobile phone, without judicial authorisation. This will be irrespective of whether an individual is charged or convicted.
Following the ruling in S and Marper v UK  the legal status of indefinitely retaining personal information was made quite clear, and following the passage of the Protection of Freedoms Act it is the case that DNA cannot be retained indefinitely
Trials are now live in 16 London boroughs, and we have written to the ICO to urge them to investigate the Data Protection Law implications of such technology being employed by the police and whether indefinite retention is, as we believe, an infringement of the law.
The courts have clearly said indefinitely retaining personal information is not acceptable and it appears the Met are flagrantly disregarding the law.
Where someone is not convicted of a crime it is absolutely wrong for the police to hang onto the contents of their phone.