6 April 1999. Thanks to WK.

The Sunday Times (UK), 4 April 1999

Internet law will protect criminals

Police say that when new European laws are implemented this summer it will be almost impossible to catch high-tech criminals who use the Internet and mobile phones to plan crimes.

The European telephone directive will make it illegal for telephone companies and Internet Service Providers (ISPs) to keep records of a customer's use of the Net and his mobile phone unless the information is needed for billing.

With the proliferation of free Net accounts and pre-paid mobile phones this would mean tracking consumers' use of such services would be illegal because no bills are involved. A criminal could contest any intelligence the police gained, arguing that it was a breach of the Data Protection Act 1998.

Keith Akerman is head of the computer crime unit at the Association of Chief Police Officers (Acpo). He believes that if fully ratified in Britain, the new laws would hamper police attempts to combat criminals by analysing their use of the Net and cellphones. He is planning, through Acpo, to raise the issue with the Home Office before the new laws come into effect.

"The new laws would have a huge impact on intelligence gathering," he says. "They are far from helpful for both the police and the person being asked to pass over information. There are many areas of doubt in the new act that will require clarification.

"If the law is fully ratified it will be very regrettable indeed. I don't want to be seen giving out advice to criminals, but anyone looking at the new law - if it is ratified - will be given a pretty clear idea of how to plan and execute crimes without the police being able to do much to stop them."

At the moment police can take advantage of Section 28 of the Data Protection Act to ask an ISP or mobile-phone operator to pass on details about a suspect. With an inspector's signature on a standard form, officers can find out what Net sites and newsgroups a suspect has visited.

If any of the suspect's recent e-mail or newsgroup postings are still stored by the ISP, these can also be read. However, police normally obtain a warrant first.

The same form can be used to ask a mobile-phone operator to supply details of people a suspect has called and from where. This can prove where a person was at the time of a crime and whether he has called people he claims not to know.

Police forces across the country have come to rely on such details and are worried the new laws will close down a useful source of information. They are also concerned because the new proposals are confusing even the experts.

Phil Jones, a telecommunications expert at the Data Protection Registrar, says: "The new rules are tricky because they make a distinction between traffic data and billing data, yet don't clarify what this means.

"It can be very difficult to separate billing and traffic data because sometimes they can be seen as related. What is certainly true is that telecommunications companies will not be able to keep records as they have done without having good reasons to justify it.

"For example, if I am using a pre-paid mobile phone, then what reason could the telephone operator possibly have for logging the calls I make and from where?

"Similarly, with the Net, if I am not being charged for my browsing time by my ISP, what right would they have to store information on sites I have visited? They would not have any legitimate reason to track where I had been and what I had looked at.

"The only way I can see mobile-phone operators or, more likely, ISPs keeping data about users that the police could later request is if they attach conditions to their free services. An ISP could say, for example, that in return for free Net access it will collect data about customers' browsing patterns for marketing purposes.

"However, they would have to make it clear to customers what data will be held about them and the fact that the police could legitimately request to see that information. They would almost certainly need to get customers to sign a consent form."

Jones admits that the high priority attached to online privacy means that most ISPs would be unwilling to act as the police's eyes and ears. Their customers would see them as snoops.

The police and security forces are also concerned about encryption technology that makes it hard for them to decode intercepted messages. They had been urging the Department of Trade and Industry to push through measures that would have required Net users to store with a third party the keys that are used to decode e-mail. This company could then be called on to decipher messages.

The proposed measures were seen as too draconian. The DTI is now proposing two new offences in measures that will almost certainly be put before the Commons later this year. These will make it illegal not to show deciphered messages to a police officer with a warrant and will punish anyone who tips off somebody else that police have asked for a key to decode their messages.

The consultation period on the DTI's e-commerce bill ended on Thursday. Critics are angry that the government dropped its unpopular "key escrow" policy but then gave only three weeks, instead of the normal eight, to allow interested parties to comment on new proposals.

The DTI claims the short consultation period was essential if the e-commerce bill is to be read in the Commons before the end of the year. Critics, however, have accused the government of trying to rush through a "broken back" piece of legislation without properly consulting computer users.