12 February 1999. Thanks to Duncan Campbell.

See other Campbell reports:


Tapping away at security

Europe demands Internet control

Revealed: secret plan to tap all mobile phones

Police deny illegal email access claim

Analysis: Personal privacy versus crime fighting on the electronic frontier

Police bend rule on email access

[UK] Computing, 17 December 1998

Tapping away at security

The EU and the US are planning to tap global communications, reports Duncan Campbell.

Thirty miles south of Washington DC, the FBI's centre for agent training lies in secluded woodlands bordering the Potomac river. Here, in the autumn of 1993, agents from the law enforcement and security agencies of the European Union countries, Canada, Australia and the US met to plan a global system for telecommunications surveillance that will allow agents across the world to listen in to communications of every type.

To realise these plans, the Internet will have to be redesigned to make instant access tapping a primary requirement - at huge cost and to the detriment of users' security and confidentiality.

The agents' primary concern in 1993 was to set up national and international facilities to tap telephones, and to compel privately owned telecommunications carriers to give them the access they wanted.

Within a year, the US had passed a law, the Communications Assistance to Law Enforcement Act (CALEA), requiring network operators to make an estimated $500 million of changes to their networks to facilitate instant, long-distance, remote control interception. Under CALEA, these changes will have to be completed in the US by 30 June 2000.

In in January 1995, the European Council of Ministers secretly passed a resolution levying 34 requirements on network operators. The recent leak of documents called Enfopol 98 from an official 'police collaboration' group has revealed the unprecedented scale of the planned new tapping laws (Computing, 10 December [below]). Under the new laws, Internet service providers (ISPs) will have to provide 'interception interfaces' on their premises, which only security-cleared staff will have access to. Staff with knowledge of the interception arrangements will have to be vetted by MI5.

In the US, the Federal Communications Commission (FCC) earlier this month asked for public comments on new proposals from the FBI for access to the 'full content of customer communications from carriers using packet switching' - in other words, the Internet.

For Europeans, the interception requirements will eventually form part of the new EU convention on mutual legal assistance. The convention is likely to be agreed by the EU Council next year. Thereafter, member states will not be allowed to change the terms of the convention, although it will have to be ratified by each parliament and passed into national law. In Britain, this will mean a new Interception of Communications Act, containing specific provisions for tapping the Internet.

But unless the government consults ISPs over their plans, industry sources fear the result could be chaotic. 'ISPs have to operate within a sensible framework to give their customers the services they want,' said Richard Woods, spokesman for UUNet UK. 'If the plans mooted in Brussels go ahead, there is a very serious risk they will impede the development of business and social activity worldwide.'

As a licensed telecommunications network operator as well as an ISP, Internet Network Services has already had to comply with the special security regulations and agree to provide the interception facilities required by the Home Office and Security Service. 'Our anxiety is that any government agency anywhere could have general access across the network,' said Internet Network Services managing director Tim Challenor. 'We want to see sufficient circumstantial evidence to apply for authorities to tap logical or physical connections. I don't see why (the new arrangements) should be different.'

A major problem, he feels, is that police and security agents are intimidated by the complexity of the Internet, and the scale and sophistication of its potential use. Their answer to the technical problem of sifting through gigabytes per second of TCP/IP packets and sorting out the ones they want is the classic police response - we'll take the lot.

This could mean that major ISPs might have to install and operate large pipes to copy some, most or all their network traffic to what the EU calls 'law enforcement interception facilities'. Another solution being canvassed is to allow government officials to have their own offices inside ISPs, to which unidentified security officials would come and operate their own data collection and manipulation arrangements from with the ISP's own network centres.

Few in the industry find that an attractive approach.


DC Note: And also this article on ENFOPOL, which is online


Computing, 10 December 1998

Europe demands Internet control

By Duncan Campbell

A network of European and communications tapping centres will be installed to provide law enforcement agencies with 'real-time, full-time' access to the Internet and other new communications systems. According to leaked European Union documents, Internet service providers (ISPs) will be required to install and operate 'interception interfaces' in their premises in order to operate the systems. These will be contained in secure areas, and be accessed and operated only by security-cleared members of staff. The so-called interfaces will have to operate internationally, so that law enforcement agencies in one country can monitor users in another by remote control. ISPs will be required to provide sufficient bandwidth to securely relay targeted communications from their networks to whichever remote interception facility wants to listen in.

The leaked documents, called Enfopol 98, set out 54 detailed interception and security requirements to be imposed on ISPs and network operators. Under the regulations, ISPs will be compelled - once interception is authorised - to provide direct access within minutes or hours of a request being made. Once the tap is running, ISPs must instantly download not merely any Internet data being sent to or from the 'intercepted person', but all available personal particulars including credit-card numbers used to pay for the account, PIN codes, passwords and log-on identities, and encryption algorithms and keys. The Home Office last week said that the Enfopol 98 plan, which was first drawn up in September by Austrian officials, was 'over the top'. It said that a more sensible revision would be completed by German officials for EU ministers to see.

Since then, Computing has obtained a leaked copy of the German revision. In this version, the security regulations to be imposed on ISPs have not been dropped, but have been put in a separate papers which would not be reviewed by ministers.

The [UK] Observer, Sunday 6 December 1998

Revealed: secret plan to tap all mobile phones

Duncan Campbell

PLANS FOR an international network of centres able to tap mobile phones anywhere in Europe have been prepared by European law enforcement agencies.

Confidential European Union documents leaked in Germany and obtained by the Observer outline plans for instantaccess centres across Europe, equipped to tap every type of communications system, including mobile phones, the Internet, fax machines, pagers and interactive cable television services.

Under the plan, Enfopol 98, European tele-communications companies will be required to build tapping connections into their systems. Each EU country's 'interception Interface' must be capable of allowing member states to tap communications throughout the EU.

The US, Canada and Australia are likely to participate in the network, giving the FBI and other non-European security agencies access to communications in Europe.

Enfopol 98 will be put into operation as part of the new European Convention on Mutual Legal Assistance, which Ministers including Home Secretary Jack Straw and Home Office Minister Kate Hoey discussed at the EU Justice and Home Affairs Council in Brussels last week.

Final details of the convention are likely to be agreed by the council early next year. By 2000, member states' parliaments would have to ratify it as part of national law.

The leaked document was published last week by Telepolis, a German Internet magazine.

A draft resolution to be sent to Ministers after the convention is in force specifies 54 requirements for interception laws. When the resolution reaches the council many technical details will have been hidden. According to the latest leaked Enfopol 98 document, distributed last month, they will appear in a 'technical handbook' on interception and in 'accompanying papers'.

By making new laws in this way, Ministers have evaded public scrutiny and even awareness of their plans. 'National parliaments, as well as the European Parliament and its citizens, are being excluded from the development of legislation that has the most profound implications for civil liberties,' said Tony Bunyan, director of the European civil liberties monitoring organisation, Statewatch.

Under the Enfopol plan, interception interfaces in telephone exchanges and Internet centres must provide 'real time, fulltime' access. Security, regulations say 'interception interfaces' must be located in 'barrier areas with controlled access'. Staff would need security clearances and have to comply with 'national security regulations', it being illegal to reveal how many people were tapped or how monitoring was done.

Several tapping centres could listen in at once: 'network operators [should) make provision for implementing a number of simultaneous intercepts.'

Communications services are increasingly using cryptography (codes) to protect the privacy of communications. If they do, Enfopol says the codes must be broken and the information supplied in or legible form. 'The downloading of cryptographic key material should be immediate,' it says, so that 'an efficient, economic and and current operation is guaranteed. To make the new tapping system simple and fast to operate, a secret expert group has been developing a 'tag' system that can identify individuals wherever they are.

Called the' 'International User Requirements for Interception' IUR), the data to he passed from country to country include) not only names, addresses and phone numbers, but credit card numbers, PIN codes, email addresses, and computer log. on identities and passwords.

Tapping centres will have to be sent information not only about ordinary phone calls, 'Development of these laws will have the most profound implications for civil liberties' but also about conference calls, redirected calls, unanswered calls and even when phones are switched on. Mobile phones phones will be used to track a target's movements. 'Law enforcement agencies require the most accurate geographical location known to the network for mobile subscribers.

The 40-page document admits the new system 'raises many questions regarding national sovereignty, and that the 'interception interfaces will place heavy costs on companies. But it makes no reference to civil liberties and human rights.

The document 'turns civil rights into worthy platitudes', Austrian Green MEP Johannes Voggen-huber said last week.

In Britain, preliminary drafts of the agreement have not been seen by the House of Commons but have been reviewed by the House of Lords committee on the European Community, which has asked for changes to protect individual privacy.

Last February, the committee told the Government: 'The citizen is unlikely to have confidence in any procedure shrouded in secrecy. The existence and framework of International mutual assistance involving interception of telecommunications . . . . should be clear and transparent to all.'

Computing, 19 October 1998

Police deny illegal email access claim

Seminar hears of illegally-gathered evidence

POLICE computer crime fighters deny that they exploit legal loopholes to gain access to personal email data, writes Dan Sabbagh.

Detective Chief Superintendent Keith Akerman, head of the Association of Chief Police Officers (ACPO) computer crime group, said: ‘We’re not interested in circumventing the law. The police certainly don’t want unrestricted access to email.’ Akerman acknowledged that the police would like all ISPs to store indivdual emails for access by police during their investigations.

His comments came in reponse to claims earlier this month that a consultation group of police and ISPs plan to beef up private arrangements, allowing police easier access to personal email, usage logs and customer information. But at a seminar attended by police and Internet service providers (ISPs) last Friday, examples of illegally-gathered evidence were cited.

Barrister Nick Lockett, who addressed the seminar, said: ‘Legal problems arise because courts accept computer evidence too uncritically, and ISPs often accept police authority too readily.’ Key prosecution evidence in a case to be heard next year, based on intercepted email communication, was not obtained legally with a warrant from the home secretary, Lockett said.

The seminar was the second in a series, organised by ACPO and ISPs, which aims to foster mutual understanding and co-operation, and to forge an agreement between police and ISPs standardising the personal information ISPs will hold on email users. These follow a series of five private meetings between police and ISPs.

Computing, 07 October 1998

Analysis: Personal privacy versus crime fighting on the electronic  frontier

The police have been looking to strike deals with Internet service providers to gain greater access to emails which they say would help tackle crime on the Internet. But new developments could come to the rescue of those ISPs who feel they are being railroaded into co-operating with the police. Duncan Campbell reports

A POLICE-LED lobby group is attempting to strengthen private arrangements to give the police better access to email and Internet information. The arrangements are based on existing methods of getting telephone call information, other than content. But police hopes of informal deals with key Internet service providers (ISPs) may run into difficulty as new laws protecting personal privacy come into force.

Both the new Data Protection Act and an EU directive on protecting privacy in telecommunications will be law by the end of this month. More fundamentally, the Human Rights Bill ­ which for the first time in British history provides a constitutional right to privacy ­ is expected to receive the Royal assent at the same time.

While the Human Rights Act will give judges and magistrates the authority to weigh personal rights to privacy against the need to detect and investigate crime, informal arrangements between the police and Internet companies could bypass these new protections.

The Home Office also recently revealed that an amendment to extend the law that covers telephone tapping to include email is likely in the near future. The government has also agreed to revise sections of the Police and Criminal Evidence Act (PACE), and to drop a requirement for all computer evidence to be supported by certificates declaring that the computers concerned were working correctly when the evidence was taken.

These issues will be discussed this week at Policing the Internet, a government-funded seminar organised by a new body, the ACPO (Association of Chief Police Officers) ISP, and Government Forum. The seminar will be held at the Department of Trade and Industry offices tomorrow, with an identical meeting to take place in Manchester later this month. The aim of the seminars, which follow a year of private meetings between police officers, MI5, civil servants and ISPs, is to establish a ‘memorandum of understanding between the Industry and Law Enforcement agencies describing what information may be provided and under what circumstances’. The seminars are already controversial. ISP negotiators say that no formal agreements will be signed and that there will merely be a joint police-ISP ‘guide to best practice’ in handling crime on the net.

But minutes of the ACPO-ISP meetings reveal that police and MI5 representatives have been asking ISPs to co-operate in ways which could bypass existing and future laws. At a meeting in June, the police and government officials asked for ‘all email sent in the last week to be recorded as a matter of routine’. Another ‘desirable facility’, they said, was ‘the ability to turn on logging of all incoming email for a customer account’.

The head of the ACPO Computer Crime Group, Detective Chief Superintendent Keith Akerman, denies that his objective is to develop a ‘new or cosy relationship with ISPs to acquire extra access to material’. But Akerman, who attended the June meeting, said he wanted more than a week’s stored email. He would prefer to see three months’ recorded storage of email traffic, together with lists of mails sent and received, and logs of users’ web browsing activities.

ISPs who informally agree to store such information on users could then be required to hand over emails in response to a court order. Stored messages would not qualify as ‘intercepted’ messages under the Interception of Communications Act.

According to Detective Sergeant Frank Butler, head of Merseyside Police Computer Investigation Unit, information has already been handed over by ISPs in this fashion. Sgt Butler said at the first ACPO-ISP seminar last month that stored email could be legally obtained by getting a court order under special procedures in Schedule 1 of the Police and Criminal Evidence Act (Pace).

Under current law, a Home Secretary’s warrant would only be needed if the ISP was also a licensed public telecommunications provider. If an (unlicensed) ISP agreed to hand over stored email even without a court order, the only law they might breach would be the Data Protection Act. However, if the email was then used in evidence in court, the defence could argue it had been obtained unfairly.

ISP representatives from Demon, ISPA and BT have told the police and MI5 that they do not have the storage required, but the ISPs’ worries primarily concern ‘costs and legal protection’, the Scotland Yard meeting minutes reveal. Facilities such as email logging would cost little to run but would have ‘a significant one-off development cost’. ISPs wanted to know if the police would pay for such systems to be installed.

These talks extend arrangements that the police have in place with telephone companies.  Since 1990, police forces across the UK have developed procedures for getting quantities of private telecommunications data without warrants or court orders. BT receives and processes about a thousand police requests for information a week, mostly for details of subscribers’ names and addresses rather than for the numbers they have called. BT recently installed an automated computer interface to cope with the demand. The traffic in personal call information is already so large that two British software companies have produced special software to automatically process call data for intelligence purposes.

These systems ­ i2’s iTel and Harlequin’s CaseCall ­ are used by every British police force. The Harlequin analysis system has already been extended to email logs. In a 1996 investigation of child pornography, Durham Police used Harlequin software to analyse more than 4,000 email messages. Access arrangements for telephone call information have extended to cover ISP and email data.

They depend on section 28(3) of the 1984 Data Protection Act, which allows data users to disclose personal computer data ‘in any case in which the disclosure is for… the prevention or detection of crime… the apprehension or prosecution of offenders, or… the assessment or collection of any tax or duty’. The standard form now agreed by the ACPO-ISP group (see illustration) asks for an internet user’s name, address and account number, typically based on an email address, web page, or Internet address observed on some occasion. The police officer requesting the information certifies that data is ‘required for the prevention or detection of crime or for the apprehension or prosecution of offenders, and that failure to disclose the data would be likely to prejudice these matters’.

But the form has several potential loopholes. There is space for police to request ‘other’ information that could include email logs and email content. The current police-ISP forms can be authorised by ranks as low as inspector.

Although the Data Protection Act requires both the police and telecoms or internet providers to keep records of disclosures, the subject is not entitled to find out that disclosure has taken place. The problem for many in the ISP industry is a lingering atmosphere of coercion, in which refusal by ISPs to collaborate in the ‘partnership process’ can lead to financially punitive consequences.

Two years ago, a letter from Metropolitan Police Clubs and Vice unit to ISPs asking for a list of usenet groups to be closed down contained the threat: ‘We trust that with your co- operation and self-regulation it will not be necessary for us to move to an enforcement policy.’ One senior ISP manager, who has followed the police-ISP negotiations, said: ‘The ISP industry is being privately pressurised into revealing information that others would not reveal as a matter of course.’

Cheshire ISP Warren Dashwood, of Telinco Internet, says that when Scotland Yard paid a visit to his offices with a search warrant, there was no alternative but to co-operate. If not, equipment would have been seized and ‘we would have been shut down for three months’.

While few object to police investigations into child porn, more controversial subjects will become the cause of police computer raids as email and Internet access becomes more popular.

According to ACPO’s Good Practice Guide for Computer Based Evidence ­ most of which the police still insist on keeping secret ­ ‘the recovery of evidence from computers is becoming a part of everyday police work. The advancement of technology presents new challenges for law enforcement.’

Peter Sommer, a computer forensics research fellow at the London School of Economics and defence legal specialist, said: ‘A mood of public alarm together with a poorly-developed forensic science is the most dangerous combination imaginable for miscarriages of justice. ‘Those factors have led to some of the gravest judicial errors in our history.’

Computing, 30 September 1998

Police bend rule on email access

Mandelson backs state email snooping as police lay down the law at secret meetings, reports Duncan Campbell

POLICE officers have routinely obtained access to information about Internet users without court orders, and intercepted email without Home Secretary’s tapping warrants.

These revelations ­ made during a law enforcement seminar officially closed to the press ­ confirmed that private policing practices can vary from public statements by senior police officers.

Last Sunday Detective Chief Superintendent Keith Akerman, chairman of the Association of Chief Police Officers (ACPO) Computer Crime Group, assured readers of a Sunday newspaper that ‘applications to intercept email require a warrant signed by the Home Secretary under the Interception of Communications Act’.

However, at the seminar, fellow officers had revealed how email had been intercepted ‘without’ a warrant.

The seminar in Edinburgh was the first meeting of the recently-formed ACPO, Internet service provider (ISP) and Government Forum, a body comprising leading government, police, academic and industrial figures.

Delegates were told new policing methods have been developed to meet the challenge of criminals exploiting the Internet.

Police officers revealed that main control on email is the use of special forms which certify that ISPs passing information to police are not in contravention of the Data Protection Act.

But the forms are unchecked by the courts and only require the signature of a police officer ranked no higher than inspector.

Although an ISP is not obliged to comply, an implied risk of non co-operation can mean raids, seizure of equipment, and even prosecution.

Many ISPs have insufficient access to legal advice to know whether or not co-operation would be legal.

Over the last few years, most police forces have used forms they have printed themselves to gain evidence from ISPs. ‘We’ve done this on numerous occasions,’ said Tony Neate of the ACPO Computer Crime Group.

Detective Sergeant Nigel Jones, of Kent police, said the goal of the seminars was to identify ‘what information can lawfully and reasonably be provided to law enforcement agencies’.

The meeting was also told that police forces are considering forming a National Computer Crime Unit to co-ordinate policing the net.