Data Retention: Email, Email Monitoring and ISPs

Following the recent news articles covering the issues of the government monitoring personal emails, storing personal data, and data retention, numerous questions have arisen. This article attempts to answer these questions:

1) What powers does the UK government have to monitor emails at the moment?

Currently most of the powers for monitoring of data come from the Regulation of Investigatory Powers Act 2000 (RIPA), which, amongst other things, allows for the interception of communications data.

RIPA requires that ISPs maintain the ability to allow for interception.

The Anti-Terrorism, Crime and Security Act provides guidelines for data retention, though it is currently voluntary. The powers under this act have been condemned for overuse, even by the current government.

2) Do ISPs currently store data?

Yes, they do. There are two reasons for this.

Commercial reasons: obviously, the more data they have about individuals’ habits, the better they can hone their service and marketing.

The Anti-Terrorism, Crime and Security Act: currently the government has a voluntary code of practice, whereby the ISPs voluntarily collect the data.

3) Who can currently authorize the monitoring of emails?

The authority to monitor emails and intercept communications comes from different people, depending on where the request comes from. For example, if MI5 or MI6 want to intercept communications, they need the permission of the Secretary of State (Home Secretary). The police, however, only require the permission of a surveillance commissioner, under Section 36 of RIPA.

4) How are the emails intercepted?

Emails are currently intercepted via the ISP (Internet Service Provider). Technical details about this are not released. In the press the methods of interception are referred to as “black boxes” at the ISP. In all probability these black boxes are an advanced network tap/packet sniffer, which pulls out all of the required information for a given protocol. This data is then probably stored/cached with the ISP and then sent to the government, or maintained at the ISP for searching at the location. The latter model would be the more secure, so the government has probably gone for the former. The data is almost certainly indexed, which means that searches would be relatively quick, seconds rather than days or months.

The ISPs are required under RIPA to maintain an interception capability. This means that the government, when required, can monitor any person’s internet activity.

The police also have the powers to access personal computers directly, and covertly. This type of access would allow the monitoring of emails, as well as internet access, screen shots; even key strokes can be recorded.

5) What new laws are being created to monitor emails?

The government is not actually creating new laws, but rather a statutory instrument. This means that an act of parliament is not required.

The statutory instrument, Data Retention (EC Directive) Regulations SI 2007/2199, issued in the UK is based on the EU directive 2006/24/EC which states, under Article 5, what data must be retained.

EU directive 2006/24/EC is a European directive, and the UK is required to transpose it into UK law.

6) What information will the government be collecting from the emails?

a. Currently the plans are to collect only the header information from the emails, i.e. the “To”, “From”, “BCC”, “Subject”, as well as information in the email about the IP address it was sent from and how it was sent (Thunderbird, Outlook). This information is known as “traffic” data.

b. Article 5 of the EU directive states that content of the email should not be retained.

7) What is the difference between “traffic” and “communications” data?

a. “Traffic” data is information about data that is being transmitted, e.g. IP addresses, phone numbers, to, from etc. This is defined by RIPA, and more information is available here.

b. “Communications” data is the actual body of the data package being sent.

c. Example. If an email was sent from Person A to Person B, the information about Person A, IP address, email address, subject of the email, and the email of Person B would be the “traffic” data. But the content of the actual email, the message, would be the “content”.
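The split described above can be shown on a single message. This is an added example, not part of the original article: the sample message, the field list and the function name `split_traffic_and_content` are constructed for illustration, and it assumes a single-part message whose sending IP appears in a `Received` header.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; addresses and IP are reserved documentation values.
SAMPLE = """\
Received: from [192.0.2.10] by mail.example.org; Mon, 5 Jan 2009 10:00:00 +0000
From: Person A <a@example.org>
To: Person B <b@example.net>
Subject: Re: Meeting on Friday
User-Agent: Thunderbird 2.0.0.19
Date: Mon, 5 Jan 2009 10:00:00 +0000

Body text: this is the part the article calls content.
"""

# Header fields the article lists as traffic data, plus the mail-client fields.
TRAFFIC_FIELDS = ("From", "To", "Bcc", "Subject", "Date", "User-Agent", "X-Mailer")
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def split_traffic_and_content(raw):
    """Return (traffic, content): header-derived metadata and the message body."""
    msg = message_from_string(raw)
    traffic = {}
    for field in TRAFFIC_FIELDS:
        values = msg.get_all(field)
        if values:
            traffic[field] = values
    # Bare addresses are what a retention system would index on.
    traffic["senders"] = [a for _, a in getaddresses(msg.get_all("From", []))]
    traffic["recipients"] = [
        a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Bcc", []))
    ]
    # Relays stamp the connecting IP into Received headers.
    received = " ".join(msg.get_all("Received", []))
    traffic["source_ips"] = IPV4_IN_BRACKETS.findall(received)
    # Assumption: single-part message, so the payload is one string.
    content = msg.get_payload()
    return traffic, content


if __name__ == "__main__":
    traffic, content = split_traffic_and_content(SAMPLE)
    for key, value in traffic.items():
        print(f"{key}: {value}")
    print("content length excluded from traffic data:", len(content))
```

Encrypting the body changes only `content`; every value in `traffic` is still readable in transit.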

8) Will the government be reading the content of the email or header?

a. Currently the UK Government is only planning to store the “traffic” data, i.e. the header information. It should be emphasized that while only traffic data is stored, both content and traffic can be intercepted and monitored.

9) How long will the email data be retained for?

a. This email header information is to be retained for a minimum of 12 months (1 year), but no more than 24 months (2 years).

b. This figure comes from the Data Retention (EC Directive) Regulations SI 2007/2199, which states that: [Email Traffic] data must be retained for a period of 12 months, in accordance with regulation 4(2). The data must be stored in accordance with the requirements in regulation 7.

10) Why did the government change the laws?

a. The government changed the laws for several different reasons, depending on your political perspective. Some of the documented reasons are below:

b. The EU Directive, in March 2006, required nation states to have greater monitoring of email and internet traffic.

c. Based on the EU Directive, the UK transposed this into UK law, via the statutory instrument 2007/2199.

d. In December 2007 the UK government published a document entitled the Next Generation Telecoms Networks. This pointed out the failings of RIPA, because as networks have become more and more capable, it has been harder to monitor the communications traffic. The document states: “Under the Regulation of Investigatory Powers Act 2000, communications providers must allow lawful interception by police and intelligence services where reasonably practicable. This may become more difficult with NGNs. A phone call over the PSTN can be intercepted with a tap anywhere along the line dedicated to the call, but in an NGN, packets may travel along many different paths. However, there are points where traffic can be intercepted, and 21CN will allow lawful interception. The Home Office’s Interception Modernisation Programme aims to ensure that NGNs and other developments in communications do not impede lawful interception.”

e. In short, the government feels it is losing control of the communications and wants to be able to tap into communications anywhere at any time.

11) How much will this cost?

a. The current estimate for the Interception Modernisation Programme is £12 billion. But, as with all government projects, particularly IT projects, this figure can be expected to increase radically. It will no doubt be closer to £20 billion before it’s finished.

12) Has the government ever misused data it has collected before?

a. Yes, lots and regularly. In fact most databases appear to have been misused at some time or another. Examples of data misuse are here.

13) Could the government lose the email data, or will it be secure?

a. It’s been reported on numerous occasions that the government has lost data many many times. Examples of data loss are here.

14) How much information can the government obtain from just the email addresses?

a. A lot. From the email subject, IP addresses, and email addresses the government will be able to generate a lot of useful information. They will be able to build up who is talking to who and the frequency of communication, and link those to IP addresses.

b. Cross referencing the email addresses with searches on forums, social networking sites, and other databases will bring together greater information for the government to data mine.

c. The IP addresses alone can be used to great effect, and combined with entries in the search engine databases, i.e. who has been searching for what, they can tell a lot about the user.

d. Finally, and perhaps most importantly, the email addresses will build up a network of contacts for each person and so could be used for a fishing expedition.

e. The commonly held belief of a maximum “Six Degrees of separation” between any two people, which has been shown to be true on several occasions, could be used against any person using email. Based on the “6 degrees theory” it stands to reason that any person in the UK is linked to a “terrorist” by, at most, 6 other people. With the onset of huge social networking sites, mass emails, and bookmarking sites, it’s likely that many people will receive an email or be connected to a terrorist within a couple of steps, i.e. a perfectly innocent person may be just 1 step away from somebody involved with an extremist group. This would give the police the power to intercept the innocent individual’s email, both content and traffic data, as they are “linked” to the terrorist.
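To make the linkage concern concrete, the following added example (not part of the original article) builds a contact graph from sender/recipient pairs alone and counts hops between addresses. The records, the address names and the function names are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed traffic records (sender, recipient); example.org addresses only.
RECORDS = [
    ("alice@example.org", "bob@example.org"),
    ("bob@example.org", "carol@example.org"),
    ("carol@example.org", "dave@example.org"),
    ("newsletter@example.org", "alice@example.org"),  # mass mailing
    ("newsletter@example.org", "erin@example.org"),   # same mass mailing
    ("erin@example.org", "flagged@example.org"),
]


def build_graph(records):
    """Undirected contact graph: one edge per pair that ever exchanged mail."""
    graph = defaultdict(set)
    for sender, recipient in records:
        graph[sender].add(recipient)
        graph[recipient].add(sender)
    return graph


def hops_from(graph, start):
    """Breadth-first search: minimum number of hops from start to each address."""
    distance = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for neighbour in graph.get(node, ()):
            if neighbour not in distance:
                distance[neighbour] = distance[node] + 1
                queue.append(neighbour)
    return distance


def linked_within(distance, max_hops):
    """Addresses that count as 'linked' under a given hop threshold."""
    return sorted(a for a, d in distance.items() if 0 < d <= max_hops)


if __name__ == "__main__":
    dist = hops_from(build_graph(RECORDS), "flagged@example.org")
    for address, hops in sorted(dist.items(), key=lambda item: item[1]):
        print(hops, address)
    print("linked within 3 hops:", linked_within(dist, 3))
```

In this constructed data alice is three hops from the flagged address only because both she and erin received the same mass mailing, which is the false-association risk the answer describes.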

15) How can I avoid my emails being read?

a. The technology to be put in place (or already in place) allows the government to retain data on email traffic, but monitor email content as and when required. This cannot be stopped, but security can be put in place.

b. You can’t hide your email address nor can this be encrypted, it has to be sent in plain text (it’s the nature of the internet). But you can try using multiple email accounts, one for work friends, one for network friends, one for purchases, etc. Doing this makes it harder to link your different groups together, but not impossible.

c. Encrypt your email content. You cannot encrypt the email traffic, but you can encrypt the content.

d. Use nondescript subject titles: The subject title will be an important part of the traffic data, but if you use nondescript ones, e.g. “Test1”, “Test2”, then this will make it harder to understand what you are talking about. Remove the “Re” or “Fw” from the subject title; this again limits the information available from monitoring the subject title.

e. Change your IP address: Currently all the tools available to the public, e.g. Tor, only hide your IP address for web browsing not for email. Therefore your true IP address will still be recorded when you use your email. But, by hiding your IP address in web browsing it is harder to link your web browsing to your emailing.




Data Retention: Article 29 Working Party

Within the EU there is a body with the catchy title of “Working Party on the Protection of Individuals with regard to the Processing of Personal Data”. This group produces guidelines and policy in relation to personal data on everything from the police to direct sales.

Despite a name that just rolls off the tongue, the Working Party are often known simply as “Article 29 Working Party”. This is because they were formed under Article 29 of the even more catchy “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”.

Article 29 states that:

  1. A Working Party on the Protection of Individuals with regard to the Processing of Personal Data, hereinafter referred to as ‘the Working Party’, is hereby set up.
    It shall have advisory status and act independently.
  2. The Working Party shall be composed of a representative of the supervisory authority or authorities designated by each Member State and of a representative of the authority or authorities established for the Community institutions and bodies, and of a representative of the Commission.
    Each member of the Working Party shall be designated by the institution, authority or authorities which he represents. Where a Member State has designated more than one supervisory authority, they shall nominate a joint representative. The same shall apply to the authorities established for Community institutions and bodies.
  3. The Working Party shall take decisions by a simple majority of the representatives of the supervisory authorities.
  4. The Working Party shall elect its chairman. The chairman’s term of office shall be two years. His appointment shall be renewable.
  5. The Working Party’s secretariat shall be provided by the Commission.
  6. The Working Party shall adopt its own rules of procedure.
  7. The Working Party shall consider items placed on its agenda by its chairman, either on his own initiative or at the request of a representative of the supervisory authorities or at the Commission’s request.

Even back in 1997, just a few years after the Article 29 WP was set up, it published a report identifying the problems of companies collecting large amounts of data about EU citizens.

The report, entitled Anonymity on the Internet, stated that:

Over the past 25 years it has become apparent that one of the greatest threats to this fundamental
right to privacy is the ability for organisations to accumulate large amounts of information about
individuals, in a digital form which lends itself to high-speed (and now very low-cost) manipulation,
alteration and communication to others. Concerns about this development and the potential misuse
of such personal data has led all European Member States (and now the Community with directive
95/46/EC) to adopt specific data protection laws which set down a framework of rules governing
the processing of personal information.

Over the past decade, with the development of the data protection laws within the EU and its member states, Article 29 WP has continued to push for better privacy and protection for individuals.

In 2008 Article 29 WP started to push the search engines to reduce the amount of data they retain from EU citizens, with a push for the data to be stored no longer than 6 months. Google has reduced its data retention to 18 months, Microsoft is considering 6 months, and Yahoo! has stated it will go as low as 3 months.

Data Retention: Microsoft

In December 2008 Microsoft stated that it was considering changing its data retention policy in relation to its search engine, Live.

Microsoft are suggesting that they may reduce it to just 6 months, based on guidelines (but not laws) put out by the EU.

But, the catch is that Microsoft will only do this if Google do, even though Yahoo! has already stated that it will reduce it to 3 months for some data and 6 months, at most, for the rest of the data.

Google have only recently been haggled down from 24 months to 18 months and so are unlikely to do this.

The EU has a body which issues guidelines on this, commonly known as “Article 29, Working Party”. Those guidelines should be turned into legislation, forcing the search engines to comply, rather than asking them nicely and negotiating with them.

Data Retention: Yahoo

In December 2008 Yahoo! announced a new policy on data retention, which, as far as privacy goes, is far better than Google’s data retention policy.

Yahoo will now truncate the IP address, providing a degree of anonymity, in relation to searches, cookies, and advert logs. Most of these logs will now be deleted within 3 months, though all the data will now be deleted in 6 months.
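The article does not say how the truncation is done. The added example below (not Yahoo's code and not from the original article) assumes truncation means zeroing the low-order bits of the address, /24 for IPv4 and /48 for IPv6, and applies it to constructed log lines of the form `<client-ip> <query>`.

```python
import ipaddress
from collections import Counter

# Constructed log lines: "<client-ip> <query>"; documentation address ranges only.
LOG = [
    "203.0.113.77 q=train+times",
    "203.0.113.201 q=weather",
    "198.51.100.5 q=news",
    "2001:db8:abcd:12:34:56:78:9a q=maps",
    "not-an-ip q=broken",
]


def truncate_ip(text, v4_prefix=24, v6_prefix=48):
    """Zero the host bits of an address; the prefix lengths are assumptions."""
    addr = ipaddress.ip_address(text)  # raises ValueError on bad input
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymise_log(lines):
    """Rewrite the first field of each line with its truncated address."""
    out = []
    for line in lines:
        ip, sep, rest = line.partition(" ")
        try:
            ip = truncate_ip(ip)
        except ValueError:
            ip = "-"  # drop an unparseable field rather than keep it verbatim
        out.append(ip + sep + rest)
    return out


def bucket_sizes(lines):
    """How many log entries now share each truncated address."""
    return Counter(line.partition(" ")[0] for line in anonymise_log(lines))


if __name__ == "__main__":
    for line in anonymise_log(LOG):
        print(line)
    print(dict(bucket_sizes(LOG)))
```

Under these assumptions the two 203.0.113.x clients become indistinguishable by address, but the query strings and any cookies in the same log line are untouched, which is why truncation gives only a degree of anonymity.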

Surveillance Society Cost UK

According to a report by the Tax Payers Alliance, surveillance in the UK is set to cost £20 billion, or £800 per family.

Though the vast majority of this is the cost of ID cards in the UK.

Telegraph Article

Data Retention – US

The FBI and US Congress have been pushing for ISP data retention laws, similar to those in Europe, where the ISPs are required by law to store information about their users.

FBI Director Robert Mueller told a House of Representatives committee that Internet service providers should be required to keep records of users’ activities for two years. Two years is the current EU law.

Democratic Congressman John Conyers said that any proposed data retention legislation submitted by the FBI “would be most welcome.”

Original Article

Six Degrees of Separation

Following on from the age old story of “six degrees of separation”, a detailed study involving 30 billion instant messages has been conducted by Microsoft.

The research showed that people are linked by, on average, 6.8 people, so it’s closer to 7 than 6. This is not original research, and similar studies, but on a much smaller scale, have been conducted before. In 2001 a similar study was conducted with 48,000 email messages. Other experiments have also been conducted using letter writing. Several examples of this are in Wiki.

While this study may be interesting, it will no doubt provide added concern for those who are already concerned about the Government’s ever increasing databases of their populations.

With every person in the UK being linked to every other person in the UK by an average of 6.8 people, it means that we are just 6.8 emails, text messages, or address books away from a “terrorist”. What if your connection is just 5 hops from a terrorist sympathizer or 4.0 hops from a terrorist fund raiser? Does that mean you get picked up? What if you are a chemist who is 3 hops away from a terrorist, because of where you live, and then your bio is: lives near a terrorist, went to school with a terrorist, has a degree in Chemistry and therefore understands explosives. What action will the agency be taking then?

With the 7/7 Investigation collecting up to 10% of the phone calls of the UK Muslim population (though it could be a lot less), surely it’s easy to find lots of false leads and patterns, all pointing to innocent people? In fact we know this happens: there are numerous examples of mistaken identity occurring over and over again.

Also, is Microsoft building a database of who talks to who, how often, and when?

Note: The BBC incorrectly reported this research to be about text messages, not instant messages.