18 September 1998
Date: Fri, 18 Sep 1998 14:04:51 +0100
To: ukcrypto[at]maillist.ox.ac.uk
From: Duncan Campbell <duncan[at]gn.apc.org>
Subject: Re: Police surveillance (Long)

Police and email : Guardian and C4N

I produced the Channel 4 News item on Wednesday night as well as writing the report for Guardian Online ... since some wondered (but C4N forgot the credit).

Regarding the raid on Demon Internet, this has been confirmed on the record by the National Crime Squad, who say however that the Demon employee concerned was questioned but was not arrested. This information was provided too late for the Online Guardian paper deadline - a day before the main paper - but appears (as has been noted) on the web site and as a correction carried in the main paper on Thursday morning.

The National Crime Squad also state that they removed two computers together with other material from Demon's offices.

Comments welcome.

Duncan

Date: Fri, 18 Sep 1998 14:03:33 +0100
To: ukcrypto[at]maillist.ox.ac.uk
From: Duncan Campbell <duncan[at]gn.apc.org>
Subject: Data Protection Act s28(3) form "agreed by ACPO and the ISP industry"

The document following is the proposed form which was seen being discussed on Channel 4 News on Wednesday and which the police wish to standardise for obtaining data from ISPs without a court order or warrant. It is different to the forms which they have been using in the recent past, in that this form has had significant recent input from the Data Protection Registrar's Office.

I'm posting it to the list for the sake of discussion and comment.

Duncan Campbell

Data Protection Act s28(3) form
Agreed by ACPO and the ISP industry

Introduction

ACPO and the ISP industry have been working together to produce a standardised form for requests for data under section 28(3) of the Data Protection Act 1984.

This note is divided into four parts:

1. This introduction.
2. The form itself. This has been cast as an HTML form, which will look a little different from the printed form that will also be distributed.
3. The short-form notes to be printed on the back of the form.
4. The long-form guidance material to be provided to police forces and ISPs.

---------------------------------------------------------------------------

REQUEST FOR DISCLOSURE OF PERSONAL DATA
Under section 28(3) of the Data Protection Act 1984 c.35

To: [note 1]
ISP reference: [note 2]

Please provide the data concerning the following subject [note 3]:

Please provide the following information:
   Name and address
   Account name or number
   Other (specify): [note 4]

Offence being investigated:

Reason that the information is necessary [note 5]:

I certify that completing the above section would itself prejudice the prevention or detection of crime [note 6].

__ pages of further information [note 7] are attached.

I certify that the data is required for the prevention or detection of crime or for the apprehension or prosecution of offenders, and that failure to disclose the data would be likely to prejudice these matters.

The requested data are required for case reference [note 8] but may be used for any other investigation for which the above declaration applies.

I understand that if any information on this form is omitted or wrong I may be committing an offence under section 5(6) of the Data Protection Act.

Signed:                Date:
Name and number:       Rank:

Authorised:            Date:
Name and number:       Rank:

This application must be authorised by a person who is senior to the requesting officer, and of a rank no lower than Inspector. See note 9.

---------------------------------------------------------------------------

NOTES

REQUEST FOR DISCLOSURE OF PERSONAL DATA
Under section 28(3) of the Data Protection Act 1984 c.35

Note 1: give the company name here, and any particular contact name on the covering letter or fax.

Note 2: this space is reserved for the information provider.

Note 3: give here the identifying information that you have available. It will be assumed that you want information on all accounts matching that information.

   * If specifying an IP address, you must attach an explanation why an IP address is being specified.
   * If specifying a URL, a printout of the page should be attached to the request (if possible) to enable the ISP to confirm the URL is correct.

Note 4: state here what specific information is being requested and why. Do not ask for "all information known about the account" or something similar. If in doubt, discuss the matter with the ISP's contact before making the request.

Note 5: give here enough information that the recipient can make a decision whether to disclose in accordance with your declaration.

Note 6: if this applies, tick the box to the left and leave the previous section blank.

Note 7: tick this if you have attached any information mentioned in these notes, or any other material that the ISP may find useful for processing the request. Show how many pages have been attached, number those pages, and place the case reference (see note 8) on each page.

Note 8: give here a case number, file number, case name, or any other reference that identifies the investigation being made. It is not necessary to specify the details of the case or any other names.

Note 9: the authorising officer must be senior to the requesting officer and of the rank of Inspector or above. You must give full details of both officers.

---------------------------------------------------------------------------

GUIDANCE ON USE OF THE FORM

REQUEST FOR DISCLOSURE OF PERSONAL DATA
Under section 28(3) of the Data Protection Act 1984 c.35

This form has been designed by a committee representing both Police forces and Internet Service Providers and meeting under the auspices of ACPO. This committee aimed to produce a single form that would be recognised by all ISPs and contained precisely the information they needed. Police forces are therefore requested to use the form exactly as provided except of course for replacing the Force name, logo, and details with their own and possibly modifying the notes on the back to refer to their specific procedures. Use of this form will allow ISPs to streamline the handling of requests for personal data.

Section 28(3) of the Data Protection Act gives ISPs the authority to release personal data to the police provided that certain criteria are met; in addition, the Data Protection Registrar has placed further interpretations on the Act. Failure to meet these criteria could mean that the ISP, the requesting officer, or both are committing a criminal offence. For these reasons the form must be completed properly and the wording must not be changed.

Note 1

The form should be addressed to the ISP as a company, and not to a specific person or department. The form would normally be sent with a covering letter or fax, and that can of course be addressed more specifically.

Note 2

This space is reserved for the ISP to use. If you have contacted the ISP ahead of time they may provide you with a reference to place there. Otherwise leave it blank. If you contact the ISP again about this request you should quote that reference.

Note 3

There tend to be two kinds of request:

1. A "real world" datum - such as a name, address, or telephone number - is known and the requesting officer has reason to believe the subject has an account with the ISP and wishes to identify that account.

   + If a name is given, the ISP will search for accounts held in that name. Unless the name is an unusual one, other information such as an address or telephone number will probably be necessary. Section 28(3) may not be used for "trawling" ISP records, and the ISP should refuse to give details if more than about four unrelated accounts match the data given.

   + If an address or telephone number is given, the ISP will search for accounts where the customer's records include that address or telephone number. Officers should be aware that not all ISPs are able to search by address or by telephone number.

2. A "cyberspace" datum - such as email address, account name, or web page URL - is known and the requesting officer is attempting to identify the person behind that identifier.

   + If an email address is given, the ISP will provide details of the account that has that address. In general an email address looks like fred[at]xxx.com and will always include an [at] sign. An email address will sometimes have the format Fred Bloggs <fred[at]xxx.com> where there is a "comment" associated with the address. This comment is created by the person sending the email and so need bear no resemblance to the actual account holder's name.
     Therefore the complete email address should always be quoted. It is easy to forge email addresses in many contexts, and therefore the complete message or posting that is being used as a source of information - including any header lines - should be attached to the request.

   + If an IP address is given, an explanation of why this is provided must be attached. If the date and time that the address was used is known, this should be included as well. Some ISPs allocate IP addresses from a central pool, and so the address alone does not identify an account because it would have been used by many different accounts.

   + If a web URL is provided, the ISP will provide details of the account operating the relevant web site or part of the site. A URL is the "address" of a web page, and typically looks like http://www.xxx.com/abc/def.html - it will be displayed by a web browser when viewing the page. Whenever possible a printout of the page should be included with the form to allow the ISP to confirm that the correct page is being viewed. Some web sites use a technique called "frames", where two or more pages are displayed on the screen at the same time. When this happens the URL displayed by the browser will be that of one of the pages and does not identify the other pages (which could be part of a different site). In this case the actions taken to reach the page should be described and a printout must be attached, annotated to indicate which specific page is of interest.

Note 4

If other information is required, it should be specified here and an explanation of why it is needed should be attached to the form. It is not acceptable to request "all information known about the account". Not all ISPs may be able to provide certain kinds of information conveniently or even at all, and some data may only be held for a certain length of time.
If in doubt, the specifics of the situation should be discussed informally with the ISP before making the request; it may be possible to identify some item of data that meets the Police requirement while being convenient for the ISP to provide.

Note 5

Give here enough information that the recipient can make a decision whether to disclose in accordance with your declaration. This information must relate to the specific case that is being investigated, and a clear explanation must be given as to why you need this information and why you will be hindered if it is not provided.

Note 6

There are some rare situations where such an explanation would itself prejudice the case (for example, where you have evidence pointing at an unknown member of the ISP's staff) and in these cases you can tick this and leave the previous section blank.

Note 7

The requesting officer should attach any relevant items mentioned in this guidance, and any other material that the ISP might find useful for processing the request. The attachments should be numbered and carry the case reference given on the form (see note 8). The ISP can only make use of material attached in this way when determining whether or not to respond to the request. If any information is attached, the box on the form must be ticked and the number of pages given.

Note 8

The requesting officer should specify the case number, file number, case name, or any other reference that identifies the investigation being made. It is possible that the ISP will need to contact the Force making the request months or even years later, and it is essential that the specific case can be identified without needing to contact the original requesting officer. Individual Police forces will have their own policies for this identifier, and it need not be meaningful to the ISP (except that it should be clear when several requests relate to the same investigation).

The Data Protection Act only allows release of information where both the information is required for one of the purposes listed and failure to disclose the data would be likely to prejudice the matter. This form must not be used where the only purpose is to confirm known facts, for general intelligence, or for administrative reasons.

Note 9

The ISP is only permitted to reveal personal data if they are reasonably convinced that the two conditions mentioned above are true, and the Data Protection Registrar has issued guidance concerning statements from Police officers. To protect both the ISPs and the requesting officer from inadvertently breaching the Act, it has been agreed that the ISP will refuse this request if

   o the form has not been signed by both requesting officer and authorising officer and their full details given, or
   o the authorising officer is not of a rank senior to that of the requesting officer, or
   o the authorising officer is below the rank of Inspector.

The requesting and authorising officers should be aware that they are each making a statement that the two conditions are true, and that obtaining personal data under false pretences may be a criminal offence.
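
Added example, not part of the original posting or of the ACPO form: a small Python illustration of the two "cyberspace" identifier points in guidance Note 3, namely that a pooled IP address identifies an account only together with a date and time, and that the "comment" in an email address is sender-chosen. The session records, account names, function names and the clock-skew allowance are all constructed assumptions; the skew handling goes beyond what the guidance says.

```python
from datetime import datetime, timedelta
from email.utils import parseaddr

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed session records for one address pool: (account, IP, login, logout).
# Account names and times are invented; all times are assumed to be in one zone.
SESSIONS = [
    ("acct-1001", "192.0.2.17", "1998-09-16 18:02:11", "1998-09-16 18:40:03"),
    ("acct-2044", "192.0.2.17", "1998-09-16 18:41:30", "1998-09-16 19:55:00"),
    ("acct-3310", "192.0.2.17", "1998-09-16 20:01:09", "1998-09-16 20:15:42"),
    ("acct-1001", "192.0.2.23", "1998-09-16 21:00:00", "1998-09-16 21:30:00"),
]


def accounts_for_ip(ip, when=None, skew_seconds=0):
    """Accounts that held `ip`; with `when`, only sessions covering that time.

    `skew_seconds` (an assumption of this example) widens the match to allow
    for a difference between the reporter's clock and the ISP's clock.
    """
    hits = set()
    for account, addr, login, logout in SESSIONS:
        if addr != ip:
            continue
        if when is not None:
            t = datetime.strptime(when, FMT)
            skew = timedelta(seconds=skew_seconds)
            start = datetime.strptime(login, FMT)
            end = datetime.strptime(logout, FMT)
            if not (start <= t + skew and end >= t - skew):
                continue
        hits.add(account)
    return sorted(hits)


def split_email_identifier(header_value):
    """Split 'Fred Bloggs <fred@xxx.com>' into (comment, address).

    Only the address is an identifier; the comment is chosen by the sender.
    """
    comment, address = parseaddr(header_value)
    return comment, address.lower()


if __name__ == "__main__":
    print(accounts_for_ip("192.0.2.17"))                         # address alone
    print(accounts_for_ip("192.0.2.17", "1998-09-16 18:45:00"))  # with date and time
    print(accounts_for_ip("192.0.2.17", "1998-09-16 18:40:30", 60))
    print(split_email_identifier("Fred Bloggs <fred@xxx.com>"))
```

A time that falls between two sessions matches no account when taken exactly, and matches both neighbouring accounts once a clock allowance is applied, which is why the precise date and time matter.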